05/09 (Tue.) 16:30 - 17:00
Some things about the malicious activities from possible compromised critical infrastructure
  • LOCATION | Taipei Nangang Exhibition Center, Hall 2 7F 703
  • LEVEL | Intermediate
  • SESSION TYPE | Onsite
  • LANGUAGE | Chinese
  • SESSION TOPIC | Network Monitoring, Industrial Security, Intrusion Detection

In 2020, we noticed that the Taiwan Government Service Network (GSN) was sending attack traffic to the extranet. After notification, it was confirmed that the affected units were peripheral government agencies, and the attack was promptly stopped, which left a deep impression on us. Generally, an APT that infiltrates a system lurks and waits for an opportunity to carry out specific malicious activities; it does not behave like a botnet, where newly infected bots immediately become attackers and launch attacks. However, we must recognize that if a botnet can infiltrate a system, APTs or targeted attacks may also be able to infiltrate it, but we may not have the opportunity to observe them. This study will reveal the network attack behaviors collected from Taiwan and from critical infrastructure around the world (including oil, water, electricity, government agencies, etc.). By analyzing this information on infrastructure that is suspected to have been invaded and used as an attack tool, we can gain insight into the possible weaknesses of critical infrastructure in various countries and use this knowledge to help construct our own defense mechanisms.