Chinese hackers turn to AI to meddle in elections

Beijing’s influence operations are experimenting with synthetically generated content, per a Microsoft report.
Confetti flies over the stage and crowd as Taiwan's president-elect from the Democratic Progressive Party, Lai Ching-te, speaks to supporters at a rally at the party's headquarters on January 13, 2024 in Taipei, Taiwan. Lai was among the politicians targeted by AI-generated propaganda. (Photo by Annice Lyn/Getty Images)

Hacking groups linked to the Chinese government are increasingly turning to deepfakes and other forms of AI-generated content when seeking to interfere in foreign elections, according to new research from Microsoft published Thursday.

Beijing’s influence campaigns still rely on old standbys, such as using fake social media and news accounts, to spread state-backed propaganda, inject false information into online discourse and attempt to amplify real divisions in American society. But China is also experimenting with newer tools to spread its preferred narratives abroad, including in Taiwan and the United States. 

Notably, Microsoft observed disinformation actors linked to China posting AI-manipulated imagery to stoke conspiracy theories that the U.S. government intentionally caused a train derailment in Kentucky and wildfires in Maui, Hawaii in 2023. Some of the posts used AI-generated images of what Thursday’s report described as “burning coastal roads and residences to make the content more eye-catching.”

To be sure, Thursday’s report does not conclude that AI represents a game-changer for disinformation as some experts fear.

Recent elections in Taiwan demonstrate the versatility of the technology in the realm of disinformation. There, Microsoft observed Chinese propaganda groups creating AI-generated news broadcasts complete with fake anchors to influence the island’s elections. Some of these clips were generated using CapCut, an AI-powered editing tool owned by ByteDance. 

“This was the first time Microsoft Threat Intelligence has witnessed a nation state actor using AI content in attempts to influence a foreign election,” the report notes.

Microsoft observed “a notable uptick” in content featuring Taiwanese political figures, and the most prominent politician targeted was Lai Ching-te, Taiwan’s president-elect and a member of Taiwan’s ruling pro-independence party. Lai was the subject of multiple AI-enabled deceptions, including AI-generated memes accusing him and his party of corruption and AI-manipulated videos of a woman claiming Lai had multiple mistresses and illegitimate children.

Terry Gou, a billionaire businessman, dropped out of the presidential race in November, but on election day audio of his voice emerged online purporting to endorse another candidate. Gou denied the authenticity of the audio, and Microsoft attributed the posting of the file, as well as a false letter attributed to Gou circulated days earlier, to the Chinese influence operation known as Spamouflage.

In the U.S., Chinese influence campaigns have utilized sockpuppet social media accounts to conduct online polls on divisive issues, such as climate change, immigration and U.S. funding for Israel and Ukraine, and to impersonate American voters online. The use of online polls has increasingly focused on U.S. political issues, something Microsoft said may be an effort to better understand the American electorate and identify possible areas of exploitation ahead of the 2024 elections.

Last year, an annual report by the Office of the Director of National Intelligence claimed that the Chinese government “tacitly” approved influence operations targeting a handful of races in the 2022 U.S. midterm elections, attempting to boost candidates in both parties seen as friendly to Chinese interests and disparage those seen as critical.  

U.S. national security officials have pointed to the emergence of generative AI tools as a key difference between this election and past cycles, arguing that they can help generate disinformation content in greater volume and help bad actors overcome cultural barriers. 

“A lot of the actors who would want to do malign influence aren’t native English speakers, and so there will be things in their messaging that don’t catch cultural errors, that don’t catch grammatical errors,” Rob Joyce, former director of cybersecurity at the NSA, told reporters last month. “And now GPT tools fix all of that, right? They can have one person cranking out a lot of material that sounds plausible and believable at scale.”

Outside of influencing elections, Microsoft’s report highlights how Beijing has expanded its hacking operations linked to intelligence collection. These operations aim to better understand the political processes of both friendly and hostile nations and steal sensitive technologies.

One espionage hacking group, tracked by Microsoft as Gingham Typhoon (also known as APT40, TEMP.Periscope and Kryptonite Panda), was observed targeting a South Pacific island country in the summer of 2023. It’s a region where the Chinese government has worked to build up economic and security partnerships as it seeks to expand its influence, and the group was seen targeting governments, IT companies, international organizations and critics with “complex” phishing campaigns.

The group, which threat intelligence professionals have linked to the Chinese Ministry of State Security, also has a history of targeting the United States. In 2021, the Department of Justice indicted four Chinese nationals alleged to be part of APT40 for conducting broad hacking operations across the U.S. and other countries since 2011. U.S. officials accused the individuals of pilfering sensitive or valuable technologies from businesses and government organizations in the aviation, defense, education, government, maritime and health care sectors.  

Two other groups linked to China, tracked by Microsoft as Raspberry Typhoon and Flax Typhoon, have targeted and compromised telecommunications companies located in countries surrounding the South Asian Sea, including Taiwan. A report last year from Microsoft described Flax Typhoon as “the most prominent threat group targeting the island of Taiwan,” using its own bespoke VPN software to gain a foothold into victim telecommunications networks as well as Taiwanese aerospace contractors.

“Chinese state-affiliated cyber actors appeared particularly interested in targets related to the numerous US military drills conducted in the region,” the new Microsoft report notes.

Between June and December 2023, another espionage group, Nylon Typhoon (also known as APT15), was seen targeting government entities and IT companies in South America and Europe.

Meanwhile another group, which Microsoft calls Storm-0062, has been behind a “surge” in hacking activity targeting U.S. defense companies. At the same time Storm-0062 was seen exploiting a critical vulnerability in Atlassian’s work collaboration tool Confluence in late 2023, Microsoft said the group was also hacking into U.S. companies that provide technical engineering in the aerospace, defense and natural resources sectors. During this time, Storm-0062 also targeted American military organizations, but it’s not clear if they were successful.

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
