TeamT5 Information Operation White Paper III: China’s Social Manipulation outside the Great Firewall

In the final part of our Information Operation White Paper, we will demonstrate China's Information Operations (InfoOps) targeting the global audience. The first part of the report displays a brief overview of its overt operations which are carried out by state media, embassies, and diplomats. Then we look into the covert operations, which can be observed in pro-China fan pages, content farms, and spam botnet. Last but not least, we provide the case study of "Operation Juiker" on Taiwan's largest forum PTT, which suggests the possibility of the APT (Advanced Persistent Threat) actors entering the threat landscape.

Chinese state media, diplomats, and embassies are the main actors of Chinese overt InfoOps. They shoulder the task to polish the image of the regime and propagate the narrative of the Chinese Communist Party (CCP). It is noteworthy that their official accounts have obtained an unexpected number of followers in recent years. For instance, four Chinese state media are included in the top 20 most-followed pages on Facebook. Their main audience, apart from the Chinese citizens, are overseas Chinese diaspora, which many of them have rights to vote in countries such as the U.S., Canada, and Australia, thus having the ability to influence a country's politics.

2020 is a year which has set many records. This year, the takedowns of covert Chinese social media accounts by Facebook, Twitter, and Google are more frequent than ever. However, even with such efforts, we observed that there are new covert actors emerging across the platforms, while the banned actors keep coming back to the scene by registering new domains and new accounts. We spotted that there is a huge number of Facebook pages with admins located in China dedicated to disseminating Chinese propaganda content originated from Chinese social media platform, Weibo. Besides, there are sophisticated actors that create websites and subtle content to help the Chinese government shaping the narrative for the Hong Kong protest. We also detected numerous networks of pro-China political accounts that demonstrated strong signs of automated behavior.

The situation is become more alarming as we discovered that the Advanced Persistent Threat (APT) actors might have entered the InfoOps threat landscape. APT actors, typically a state-sponsored group, usually conduct prolonged and targeted cyberattacks to mine highly sensitive data. However, in mid-2020, we identified an InfoOp that can be linked to a notorious Chinese APT group which TeamT5 intelligence team has tracked for years. We discovered that the threat actors had disseminated disinformation about "Juiker," a messaging app developed by Taiwan's research institute and widely used by government units, on Taiwan's largest forum PTT. The operation, which we dub as "Operation Juiker," aimed to discredit Taiwan's intelligence agency and government-backed research institute by spreading disinformation of the messaging app being hacked.

The abovementioned Operation Juiker has well demonstrated the possibility of "APT + InfoOp" attack model, which involves targeted social media campaigns disseminating disinformation based on highly confidential data. Such situation is super tricky, and it could pose a great threat to democratic countries. In this case, threat intelligence can help provide instant analysis of actor methodologies, suspicious indicators, and potential risks. We suggest that it is crucial for government units, critical infrastructure operators, and major business vendors to apply threat intelligence to combat this issue.

If you are interested in this white paper, please fill out the form below and get the full-text PDF.

And don't miss our blog updates! Follow us on Twitter.