A network of at least 72 bogus news sites in North America, Europe, the Middle East and Asia is part of a sprawling information operation pushing Chinese propaganda, researchers with the cybersecurity firm Mandiant said Thursday.
The network, which also includes fake social media accounts, remains active today and on Aug. 1 published articles critical of U.S. House Speaker Nancy Pelosi’s visit to Taiwan, a trip that deeply angered the Chinese government and heightened tensions between Beijing and Washington.
The operation is a reminder that although direct cyber retaliation to Pelosi’s trip was mild and potentially the work of pro-Chinese activists, sophisticated operations can be quickly redirected to react to evolving conditions.
The fake sites are designed to appear distinct and legitimate, but share technical infrastructure linked to Shanghai Haixun Technology Co., Ltd., a Chinese public relations firm that sells “positive energy packages,” a term that refers to positive portrayals of the Chinese Communist Party and its policies, the researchers said.
The researchers reported “at least some evidence” that the campaign failed to achieve substantial engagement, similar to recent revelations of a Chinese messaging operation dubbed “Dragonbridge” that targeted international rare earths mining companies in the U.S., Australia and Canada.
“This lack of amplification from external sources, not unlike what we typically observed with DRAGONBRIDGE, limited the campaigns’ ability to breakout, essentially forming an echo chamber,” the researchers said.
But more interesting than engagement was the link to the PR firm, which the researchers said “is suggestive of recent trends surrounding the continued outsourcing of [information operations] to third parties — ‘IO for hire.’” The researchers pointed to mid-2021 findings from Meta discussing the growing prevalence of public relations or marketing firms engaging in such activity.
This practice can be “used to lower the barrier to entry for some threat actors and to obfuscate the identities of more sophisticated ones,” the researchers said.
With names such as Egypt Daily, Finland Weekly and Austria Weekly, the network pushed common pro-Chinese messages: criticisms of the U.S. and its allies, attempts to alter public opinion on China’s treatment of the Uyghur people in Xinjiang and positive messaging about pro-Chinese election reforms in Hong Kong. The network also promoted attacks on Chinese government critics, including Guo Wengui, a Chinese businessman close to Steve Bannon, and German anthropologist Adrian Zenz, who has done extensive work on Xinjiang.
The network and its infrastructure represent a distinct campaign the researchers dubbed “HaiEnergy.” The researchers said they don’t have sufficient evidence to determine the extent of the PR firm’s involvement, or if it is even aware of the overall campaign, but that the 72 site domains are hosted by the firm.
The websites associated with the campaign all display videos and images hosted on a server registered by the public relations firm. The researchers also found a now-unavailable spreadsheet hosted on one of the firm’s domains that featured Chinese and Russian text that appeared to be a distribution list for content.
“It’s a relief that the amplification of HaiEnergy was limited, but a stark reminder of adversary information operation capabilities considering our vulnerability to them as a society,” said Tom Hegel, a senior threat researcher with SentinelOne. Stories designed to stoke emotions in readers can “thrive” if engineered correctly, he added.
An additional long-term concern about the operation is that it’s “attempting to rewrite history by documenting inaccurate details benefiting the PRC agenda,” while also working “to sow distrust in U.S. democracy.”
Ultimately, Hegel said, this kind of operation has the potential to get worse.
“Outsourcing information operations is going to be a highly effective means to scaling up such campaigns, as we observed in Chinese espionage operations, if they continue to improve their ability to escape their own echo chamber.”