A pro-Chinese government information operation is “aggressively targeting the United States” across a variety of fronts, including by attempting to discredit the U.S. democratic process and “discourage Americans from voting in the 2022 U.S. midterm elections,” researchers said Wednesday.
The influence campaign represents an escalation of both tactics and rhetoric designed to “sow division both between the U.S. and its allies and within the U.S. political system itself,” said researchers with Google’s Mandiant.
The activity represents a continued escalation from the 2020 elections, when top U.S. intelligence officials assessed that China did not deploy interference efforts and had “considered but did not deploy influence efforts” in an attempt to shape the outcome of the election.
The activity emanates from a pro-Chinese government influence operation Mandiant has referred to as “Dragonbridge,” which has been active since at least June of 2019.
“We have seen DRAGONBRIDGE criticize American society via narratives regarding racial strife and social injustice,” the researchers said. “However, its targeting of the U.S. political system through attempts to discourage Americans from voting shows a willingness to use increasingly aggressive rhetoric.”
Last month Meta, the parent company of Facebook and Instagram, removed a small Chinese influence operation that used fake personas posing as Americans and promoting politically conservative causes while criticizing President Biden.
The campaign exposed Wednesday also pushed nonpolitical narratives, such as attempting to label a prolific and prominent pro-China hacking group as actually American, and alleging that the U.S. was responsible for the Nord Stream gas pipeline explosions in October 2022, the researchers said, mirroring Russian President Putin’s claims.
A request for comment sent to the Chinese embassy in Washington, D.C. Wednesday morning was not returned.
In April 2021, the Dragonbridge campaign sought to physically mobilize protesters in the U.S. against racial injustices. Then, in June 2022, Mandiant exposed another one of its efforts to mobilize U.S. protesters, this time against an Australian rare earths mining company planning an expansion in Texas, prompting a public U.S. Department of Defense response. That effort remains ongoing, the researchers said.
And in August, Mandiant exposed a sprawling network of at least 72 bogus news sites spread across North America, Europe, the Middle East and Asia that was designed to push Chinese propaganda and included criticism of U.S. House Speaker Nancy Pelosi’s visit to Taiwan.
“The recent Dragonbridge analysis by Mandiant shows an influence operation adrift, looking for something to stick to the walls of discourse,” said Dakota Cary, China Analyst for Krebs Stamos Group, a technology consulting firm. The changes in tactics “suggest an iterative process where management is looking for ways to increase engagement with the content.”
Dragonbridge’s operators have “a clear directive to play into social divisions in the US and try to change the narrative around past PRC hacking campaigns,” Cary said. “It’s unclear whether a lack of engagement will eventually cause this group to stop its attempts to connect with real people in the US.”
Dragonbridge struggles to garner engagement in its campaigns, the Mandiant researchers said Wednesday, but the attempts to mobilize protesters are a “demonstration of the campaign’s boldness and interest in influencing real-world activity.”
John Hultquist, Mandiant head of threat intelligence, said the campaign “is not the most effective operation and they are still a distant third behind Russia and Iran. However, what’s troubling is their aggressive growth.”
“But does voting really matter that much?”
An English-language video posted in September across multiple social media platforms attempted to discourage Americans from voting in the upcoming elections by criticizing an “ineffective and incapacitated system,” asserting that political infighting, partisanship, polarization and division had become “fundamental aspects of American democracy,” said researchers at cybersecurity firm Mandiant.
The video also pointed to the frequent mentions of “civil war” on social media and referenced politically motivated violence, including the Jan. 6 attack on the Capitol by supporters of President Trump and physical attacks on the FBI. “The solution to America’s ills is not to vote for someone,” the video said, but rather “to root out this ineffective and incapacitated system.”
The video also included an image of Biden behind the messages “Can voting make America a better place?” and “But does voting really matter that much?”
In 2018, Trump accused the Chinese government of meddling in that year’s midterm elections by placing ads in Iowa newspapers criticizing his policies.
The latest campaign would represent a significantly more direct form of interference, highlighting an area of concern for observers.
“The aggressive targeting of U.S. midterm elections remains highly concerning — targeting of election infrastructure by multiple nation-state actors is a top area of focus for many of us in the field,” said Tom Hegel, a senior threat researcher at SentinelOne. “While attempts like DRAGONBRIDGE have generally remained unsuccessful at scale, it is showing the continued experimentation and interest from China to influence US election results and grow public distrust in our government.”
Changing the hacking narrative
The Dragonbridge campaign also sought to portray Chinese-aligned hacking activity tracked as APT41 as a U.S.-based group, the researchers said Wednesday, by using social media personas to plagiarize, alter and characterize research from Mandiant and other cybersecurity firms to support the claims.
Another effort sought to plagiarize and alter a news article to promote the claim that in July 2021, the French government warned against a cyberattack allegedly conducted by “U.S. hacking group APT31,” which Mandiant tracks as a Chinese-aligned cyber espionage group.
Dragonbridge also used eight Twitter accounts to impersonate Intrusion Truth, a shadowy group that has exposed the operators and tactics behind a range of Chinese-linked cyber operations. The accounts — created in September — plagiarized and slightly altered original Intrusion Truth tweets. The authentic Intrusion Truth Twitter account saw the tweets and blamed them on APT41.
Cary said the campaign’s efforts to discredit reporting and “change the narrative around PRC hacking teams” stood out.
“Attempts to impersonate Intrusion Truth or redirect attribution of APT41 and APT31 to the US are new lines of inquiry for the Dragonbridge campaign,” Cary said.
Along with Dragonbridge activities, Chinese cybersecurity firms such as Qihoo360 and Qi An Xin have been aggressive at pointing out alleged U.S. government hacking activity in China, all of which occurred after the U.S., U.K. and the European Union and other allies condemned Chinese-aligned hackers targeting Microsoft email servers in March 2021, Cary added.
“While the campaign is ineffective and useless, it does signal that the CCP has decided to push back against the narrative that China hacks other nations,” Cary said. “This narrative’s inclusion in the Dragonbridge campaign is the clearest sign to date that a political mandate to change and challenge the ‘China hacks’ narrative.”
Updated Oct. 26, 2022: This story was updated to reflect the fact that the Chinese Embassy in Washington did not immediately respond to a request for comment.