COVID-19 , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime
Pro-China Operatives Push Protests, Pandemic ConspiraciesReport: Network of Fake Social Media Accounts Growing, Targets Dissidents
Researchers say a pro-China influence operation leveraging a network of fake social media accounts has expanded in size and scope, promoting in-person protests and narratives around COVID-19 and U.S. domestic policy, according to a new report from Mandiant. The researchers, however, do not definitively attribute the activity to the Chinese government.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Researchers Ryan Serabian and Lee Foster say the network - monitored since June 2019 and originally focused on discrediting pro-democracy protests in Hong Kong - is now "broader" across its languages and platforms. It is active on 30 social media platforms and over 40 additional websites and niche forums - in Russian, German, Spanish, Korean and Japanese, they say.
Its operators have reportedly shifted tactics, using artificially generated photos for account profile pictures and peddling narratives about the ongoing pandemic and about exiled Chinese billionaire businessman, Guo Wengui - who fled China in 2014 and is linked to several high-profile conservative figures in the U.S. - along with other political issues.
Researchers also say this network has attempted to physically mobilize protesters in the U.S. in response to the pandemic and other social issues - to no avail.
John Hultquist, vice president of analysis for Mandiant Threat Intelligence, tells Information Security Media Group, "This operation likely [involves] a lot of people. We anticipate up to dozens, maybe more."
James A. Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, a Washington, D.C.-based think tank, notes, "After 2016, the Chinese studied Russian influence operations with an eye to copying them. They've become very active, but they haven't quite figured out how to make it work."
Hultquist adds: "They're using a lot of spam and they're luckily not getting a lot of engagement. Resources are clearly being invested [though], which means they will get better. … [And] the intent worries me the most. They're already trying to cross serious lines by trying to manipulate people to hit the streets. … We are fortunate that we [had] an early warning and that social media companies are already aware of this."
In August 2019, Twitter detected and later suspended 936 reportedly state-backed accounts it said were "deliberately and specifically attempting to sow political discord in Hong Kong."
The social media platform said many of these operators accessed Twitter using virtual private networks, since the site is blocked in mainland China. Twitter also said a "larger, spammy network of approximately 200,000 accounts … were proactively suspended before they were substantially active."
Doubting COVID-19 Origins
The researchers say thousands of posts promoted on Vimeo, the Russian social media channel Vkontakte, TikTok and other video platforms claimed that Wengui, former White House chief strategist Steve Bannon and Chinese virologist Dr. Li-Meng Yan are "liars" - in response to the latter's 2020 claim that the coronavirus was created in a Chinese lab.
According to the researchers, Russian-language posts suggest that Fort Detrick - a command installation located in Frederick, Maryland, that is home to the U.S. biological defense program - was the actual source of the coronavirus. That narrative was also promoted by Chinese state-run media.
Lewis, of the Center for Strategic and International Studies, adds, "What needs a closer look [here] is how effective [these disinformation posts] have been in developing countries. The Fort Detrick line - lifted from old Soviet propaganda - might play better outside the U.S."
Calls to Protest
Mandiant says in April 2021, thousands of posts in several languages attempted to mobilize Asian Americans to protest "racial injustices" - specifically at an April 24 gathering in New York City. Other posts reportedly claimed to disclose addresses for Bannon, Wengui and Yan - to "fight back" against purported "rumors" detrimental to China.
Other posts, researchers say, portrayed the April event as successful - with protesters clashing with Wengui's "supporters." Operators reportedly went as far as to superimpose Yan, the virologist, onto a sign held by a supposed protester, though the photo was manipulated and from a different gathering in Jamestown, New York.
Despite the campaign's "limited impact," the researchers warn that its rapid expansion across platforms and languages hints at wider propaganda efforts and more "direct means" to influence U.S. public opinion.
And Lewis adds that while Russians - not the Chinese - have a deeper understanding of Western audiences, companies should still do more to "ferret out" and block Chinese operators.
'Ripe for Disinformation'
Since the onset of the pandemic, the social media landscape has been "ripe for disinformation campaigns," says Austin Merritt, a former Russian linguist and intelligence collector for the U.S. Army who is now a threat intelligence analyst at the security firm Digital Shadows. "In this campaign, the extent of the PRC's influence … is difficult to determine because it evolved into multiple misleading narratives on dozens of platforms."
Kayne McGladrey, an advisory board member for the Technology Alliance Group NW and cybersecurity strategist for the firm Ascent Solutions, adds, "We can anticipate that any nation-state with a propaganda department or agency is working to right-size their capabilities to spread disinformation." It's especially true, he adds, among nation-states with larger budgetary allocations since they can use automation and "office employees" to distribute the narratives.
Shane Huntley, director of Google's Threat Analysis Group, which assisted on Mandiant's report, notes, "We anticipate [this actor] will continue to experiment to drive higher engagement, and encourage others in the community to continue tracking [related activity]."