China-linked fake news site shows disinformation on the rise

A Beijing-backed PR firm has been accused of being behind at least 72 fake-news websites and social media accounts pushing pro-China propaganda and criticizing the US and its allies. 

This, according to security researchers at Mandiant, comes as US House speaker Nancy Pelosi visited Taiwan amid a barrage of cyberattacks and faux articles posted August 1 insisting she should "stay away" from the island nation.

But the misinformation campaign began well before Pelosi's trip. Other scam articles from late June pushed anti-America storylines in the wake of the US Supreme Court's decision to overturn Roe v. Wade. In one of these, posted on June 30, the threat intel team observed an English-language article – purportedly written by an American woman living outside the US – who claimed that pro-choice protesters had been attacked by US law enforcement.

These are two examples from an ongoing information operations (IO) campaign Mandiant said involves services and servers belonging to Chinese public-relations firm Shanghai Haixun Technology. This includes 59 domains and 14 subdomains hosted by Haixun, which the campaign used to target audiences across North America, Europe, the Middle East and Asia, according to the researchers. 

Additionally, the PR firm's for-sale services include bogus content – such as the "Europe and US Positive Energy" package and the "Positive Energy Project Edition," which features specialized videos and campaign impact monitoring.

Mandiant dubbed the campaign HaiEnergy – a nod to the Haixun link as well as the "positive energy" focus. We're told this is a favorite phrase among friends of Xi Jinping and one used to portray the Chinese Communist Party in a glowing light.

• Taiwanese military reports DDoS in wake of Pelosi visit
• Nancy Pelosi ties Chinese cyber-attacks to need for Taiwan visit
• China is trolling rare-earth miners online and the Pentagon isn't happy
• UK Parliament bins its TikTok account over China surveillance fears

"While we do not currently have sufficient evidence to determine the extent to which Haixun is involved in, or even aware of HaiEnergy, our analysis indicates that the campaign has at least leveraged services and infrastructure belonging to Haixun to host and distribute content," Mandiant researchers Ryan Serabian and Daniel Kapellmann Zafra wrote in their analysis of the campaign.

HaiEnergy websites all display images and videos hosted on a particular server (02100.vip) registered by Haixun, they noted. Plus, the researchers found two other domains (haixunpr.com and haixunpr.org) in Chinese and English that describe Haixun's services with the same IP address and content from 02100.vip.

However, despite the campaign's global reach, there's "at least some evidence to suggest that HaiEnergy failed to generate substantial engagement outside of the inauthentic amplification that we have identified," Serabian and Kapellmann Zafra added.

"We find the campaign's use of infrastructure linked to Haixun to be more interesting, as it is suggestive of recent trends surrounding the outsourcing of IO to third parties, which can make IO more accessible and help obfuscate the identities of an actor," the researchers wrote.

While HaiEnergy sounds similar to another Beijing-linked IO campaign called Dragonbridge – also recently uncovered by Mandiant – the security firm said it tracks the two separately because they use different tactics, techniques and procedures. 

HaiEnergy primarily relies on a network of fake news sites with a smaller number of social media accounts. Meanwhile, Dragonbridge leverages "thousands" of social media and forum accounts. Additionally, Dragonbridge's narratives, while similar to HaiEnergy in their pro-PRC bent, don't promote fake content from HaiEnergy's sites.

"It is possible that these overlaps could be a result of shared tasking or group overlap, but we do not have evidence to make an assessment," the researchers noted. ®