A new report examining a long-running series of Chinese Communist Party (CCP) sponsored social media botnets that pose as organic users found that the network has begun to use smaller social media sites, has started posting in multiple languages other than English and Chinese, and has attempted to spur real users to participate in anti-Asian hate protests.
The information comes in a Sept. 8 update to cybersecurity analysts FireEye’s Threat Research Blog that focused on a “pro-People’s Republic of China (PRC) network of hundreds of inauthentic accounts on Twitter, Facebook, and YouTube” that first emerged during the 2019 anti-CCP protests in Hong Kong.
FireEye says over the last two years they have observed the network employ “the use of artificially generated photos for account profile pictures and the promotion of a wide variety of narrative themes related to current events, including multiple narratives related to the COVID-19 pandemic, narratives critical of exiled Chinese billionaire Guo Wengui and his associates, and narratives related to domestic U.S. political issues.”
The group says these activities have been widely reported on by other threat analysts. However, they found two recent evolutions in the network’s strategy that appear not to have been widely discussed yet.
The first was that the campaign, which originally focused only on YouTube, Facebook, and Twitter, had spread to 30 different social media platforms and 40 of what it described as “additional websites and niche forums.” The influence campaign has also evolved from using English and Chinese to including the Russian, Korean, Japanese, German, and Spanish languages.
The second was that the botnet had begun trying to mobilize real social media users to participate in on-the-ground protests, specifically an attempt to mobilize Asian Americans to participate in an April 24 event in New York City against racial discrimination.
“This direct call for physical mobilization is a significant development compared to prior activity, potentially indicative of an emerging intent to motivate real-world activity outside of China’s territories,” warned the report.
FireEye’s analysis found “thousands of identical text posts, images, and videos” shared by botnet accounts on TikTok, Vimeo, and Russia’s Vkontakte (VK), among others, that target Steve Bannon, Guo Wengui, and Chinese virologist Li Mengyan, all of whom have declared the Wuhan Institute of Virology the source of SARS-CoV-2, the virus that causes Coronavirus Disease 2019 (COVID-19).
“Videos featured characteristics typical of those promoted by the network historically, including Chinese and automated English-language voiceovers,” reads the report, which adds, “In some instances, accounts on one platform have directly provided their corresponding social media handles on other platforms in their bios.”
In some cases, FireEye found red flags such as Twitter accounts that only post in English, but are associated with bot accounts posting on LiveJournal in Russian and German.
“Different accounts across different platforms have also appropriated the same profile photos, including photos of models and stock photography. We also observed instances of forum posts linking to other accounts in the network.”
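The two indicators described above (identical posts spread across platforms, and profile photos reused by different accounts) can be checked mechanically. The following is an added example, not code from FireEye or from the original article; the record layout, the thresholds, and the precomputed avatar digests are assumptions, and the sample data is constructed.

```python
import hashlib
import re
import unicodedata
from collections import defaultdict

# Constructed sample records: (platform, account, post text, avatar digest).
# The avatar digest is assumed to be precomputed (e.g. a perceptual hash).
POSTS = [
    ("twitter", "acct_a", "The TRUTH about the virus origin!! https://t.example/1", "ph1"),
    ("vk", "acct_b", "the truth about the virus   origin", "ph1"),
    ("livejournal", "acct_c", "The truth about the virus origin.", "ph2"),
    ("twitter", "acct_d", "Lovely weather in Lisbon today", "ph3"),
    ("vimeo", "acct_e", "lovely weather in lisbon today", "ph4"),
    ("tiktok", "acct_f", "My cat learned to open doors", "ph1"),
]

def fingerprint(text):
    """Hash of the text with case, URLs, punctuation and spacing stripped."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"https?://\S+", " ", text)
    text = re.sub(r"[^\w\s]", " ", text)
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()

def coordinated_text(posts, min_accounts=3, min_platforms=2):
    """Return account sets that posted the same normalized text widely."""
    groups = defaultdict(set)
    for platform, account, text, _ in posts:
        groups[fingerprint(text)].add((platform, account))
    flagged = []
    for members in groups.values():
        accounts = {a for _, a in members}
        platforms = {p for p, _ in members}
        if len(accounts) >= min_accounts and len(platforms) >= min_platforms:
            flagged.append(sorted(accounts))
    return sorted(flagged)

def shared_avatars(posts, min_accounts=2):
    """Map avatar digest -> accounts on different platforms reusing it."""
    owners = defaultdict(set)
    for platform, account, _, avatar in posts:
        owners[avatar].add((platform, account))
    return {h: sorted(a for _, a in m) for h, m in owners.items()
            if len(m) >= min_accounts and len({p for p, _ in m}) >= 2}
```

A match on either check is a lead for manual review rather than proof of inauthenticity, since organic users also repost text and reuse stock images.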
The organization also found the botnet had focused on disseminating a narrative in several other languages, which claimed the coronavirus emerged from the U.S. Biosecurity Level 4 lab at Fort Detrick in Maryland and that the virus had been found in America as early as December of 2019, predating most official Wuhan City timelines.
Some of the network’s influence attempts utilized VK to propagate Russian translations of what appeared to be authentic English tweets from individuals who claimed to have contracted symptomatic COVID in 2019.
Some of the accounts in the same network also claimed Hong Kong and Taiwan were territories of the Communist Party-controlled PRC.
A similar tactic was noticed in German and Spanish on LiveJournal and Argentina’s Taringa social media network.
“Notably, some of the Russian and German-language posts we observed contained recurring grammatical errors, a limited indication that they may have been authored by non-native speakers of those languages.”
“For example, we observed Russian-language LiveJournal posts by accounts purportedly operated by female bloggers use a masculine-tense verb for the phrase ‘Я увидел’ (Translation: ‘I saw’), which should read ‘увидела’ if written by a female Russian speaker.”
FireEye found in April of 2021 that, “Thousands of posts in languages including English, Japanese, and Korean, images, and videos were posted across multiple platforms by accounts we assess to be part of this broader activity set that called on Asian Americans to protest racial injustices in the U.S.”
The posts attempted to organize attendees for an April 24 protest in New York City, which came after the media stirred the divisive narrative that anti-Asian hate was rife in America following the killing of several Asian prostitutes in Atlanta in March by a man battling a sex addiction and mental illness.
“We observed posts by accounts in the network portray the advocated April 24 New York City protest as a success, claiming that Asian Americans, other minority groups, and Caucasian protestors attended,” said the authors.
The botnet also claimed its attendees were physically assaulted by supporters of Guo Wengui.
In one specific case, FireEye documented that the botnet had taken a photo of four women who were standing and holding a small coroplast sign that said “YWCA is on a Mission: Stand Against Racism” and photoshopped it so the sign instead had a caricature of Dr. Li’s face crossed out against the backdrop of an American flag with multiple communist propaganda-style raised fists in the foreground.
While the threat analysts noted they found no evidence the botnet was successful in organizing attendees, they cautioned that the emergence of the phenomenon “does provide early warning that the actors behind the activity may be starting to explore, in however limited a fashion, more direct means of influencing the domestic affairs of the U.S.”
“We believe it is important to call attention to such attempts and for observers to continue to monitor for such attempts in future.”
An August report by the Center for Information Resilience (CIR) found the CCP’s botnet on Twitter, Facebook, and YouTube had aggressively utilized StyleGAN, a type of generative adversarial network (GAN), to generate convincing profile photos of faces that do not exist for their social media accounts in order to influence naive and unaware organic users.
One of the biggest tells the researchers found in the StyleGAN approach is that the eyes of the manufactured profile photos were all on the same horizontal axis, a fact that was plainly visible in the evidence presented in the group’s 80-page report.
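One way to screen a set of avatars for the eye-alignment tell described above, as an added example that is not taken from the CIR report or the original article: it flags accounts whose eye positions are level and nearly coincide with those of several other accounts. The eye coordinates are assumed to come from a face landmark detector, and the tolerance, cluster size, and sample values are constructed.

```python
# Constructed sample: eye centres as fractions of image width/height,
# (left_x, left_y, right_x, right_y), as a landmark detector would give.
AVATAR_EYES = {
    "acct_a": (0.385, 0.480, 0.615, 0.481),
    "acct_b": (0.386, 0.479, 0.614, 0.480),
    "acct_c": (0.384, 0.481, 0.616, 0.480),
    "acct_d": (0.310, 0.420, 0.560, 0.455),  # tilted head, off-centre
    "acct_e": (0.450, 0.350, 0.640, 0.340),
    "acct_f": (0.385, 0.480, 0.614, 0.482),
}

def eye_tilt(eyes):
    """Vertical offset between the two eyes; near 0 means a level eye line."""
    return abs(eyes[1] - eyes[3])

def close(a, b, tol):
    """True when every eye coordinate differs by at most tol."""
    return all(abs(x - y) <= tol for x, y in zip(a, b))

def same_template_accounts(avatars, tol=0.01, min_cluster=3):
    """Accounts with level eyes placed where min_cluster-1 others' are."""
    flagged = []
    for name, eyes in avatars.items():
        neighbours = sum(1 for other, e in avatars.items()
                         if other != name and close(eyes, e, tol))
        if neighbours >= min_cluster - 1 and eye_tilt(eyes) <= tol:
            flagged.append(name)
    return sorted(flagged)
```

Centred studio headshots can also match, so the result is best used to prioritise accounts for closer inspection alongside other signals.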
Additionally, CIR found China was employing dueling botnets that promulgated both a pro-CCP and an anti-CCP narrative.