This is the daily email newsletter of China Digital Times, a bilingual news site covering China from cyberspace.
Latest Updates from China Digital Times

  • From Narrative Consent to Narrative Warfare: China’s COVID-19 Messaging

  • China Joins in Global Hacking Spike Amid Pandemic

  • Using Moscow’s Playbook, Beijing Sows Doubt into COVID-19 Narrative


Photo: Labrang Tibetan Buddhist City (Gansu), by Bryon Lippincott

Labrang Tibetan Buddhist City (Gansu), by Bryon Lippincott (CC BY-NC-ND 2.0)

© Josh Rudolph for China Digital Times (CDT), get_post_time('Y'). | Permalink | No comment | Add to
Post tags:

Feed enhanced by Better Feed from Ozh

Like Photo: Labrang Tibetan Buddhist City (Gansu), by Bryon Lippincott on Facebookshare on TwitterGoogle Plus One Button

From Narrative Consent to Narrative Warfare: China’s COVID-19 Messaging

From Narrative Consent to Narrative Warfare: China’s COVID-19 Messaging

By Lukas Mejia and Marine Ragnet

An official press release by the Chinese embassy in France recently stated that Chinese methods for containing the COVID-19 pandemic in the mainland were seen by French health officials as an “interesting source of inspiration.” “It was the ‘dictatorship’ from which the world first sought help, and not the American flagship of democracy,” the release further read. This language predicates a narrative war currently being waged at the forefront of the epidemic and attempts to discredit the United States’ dominance over health governance. These efforts give way to new insights as to how Chinese information operations have begun to shift.

2008 was a decisive year for China, hosting its first-ever Olympics. The event served as a figurative maturation of the Chinese Communist Party’s (CCP) tenure over the country, which had ushered unprecedented economic growth and development. It was a signal that China was ready to take leadership in the Indo-Pacific region, while also conditioning foreign actors to acknowledge its narrative on issues including human rights, extraterritorial maritime claims, and economic programs.

But in the weeks before the event, and as the torch journeyed through other parts of the world, protests broke out in Lhasa and descended into riots. The torch’s passage through London and Paris was then marred by further protests. And in facing a reality check of its global image, which was still tainted by oppression and crackdowns, the Chinese government began to aggressively pursue the laundering of its reputation worldwide.

In the run-up to the Olympics, orchestrating pro-Beijing demonstrations, blackmailing activists, and threatening to exclude foreign actors from economic offerings became par for the course in Chinese foreign policy. As many have noted, Chinese information operations have since been characterized by the co-opting of political elites, economic institutions, the media, public opinion, civil society, technology, and academia — blurring the covert and the diplomatic, in an effort to engineer global consent of its brand, until now.

As the world now confronts the COVID-19 Pandemic, the Chinese state has shifted its approach. A Russianization of tactics now permeates information operations in face of shaping the narrative behind the blame, figures, and containment of the virus. Reports highlight Beijing’s presence on western social media platforms and a more confrontational approach to information manipulation that draws from Russian tactics. Among these, Chinese officials have been amplifying messaging from Russian and Iranian propaganda outlets. The Alliance for Securing Democracy (ASD) suggests such actions demonstrate that China has “confidence in its brand.”

In recent months, Chinese government officials’ presence on social media has increased exponentially–despite many platforms being banned in the mainland. ASD estimates that Twitter accounts connected to Chinese embassies, consulates, and ambassadors have increased by more than 250 percent. The official account of China’s Embassy in France has positioned itself as a model and mediator in the crisis, in an effort to demonstrate the effectiveness of China’s political system and showcase itself as a factor of stability, in comparison to the United States.

In examining the Chinese government’s official Twittersphere, our research has found that narratives being promulgated vary from praising the CCP for its efforts to combat the outbreak, to openly criticizing Donald Trump’s handling of the pandemic. A recent public statement from the Chinese Embassy in Paris–retweeted hundreds of times–goes as far as comparing European political systems with that of China. These narratives are often retweeted by Chinese embassies based in francophone Africa.

In addition to social media accounts, the CCP also makes use of more traditional sources of information such as TV. The success of the English version of Russia Today inspired CCP propaganda officials to launch CCTV-News in 2010, renamed China Global Television in 2017, and present today in most Western European countries. Like Russia Today, the news broadcaster has hired foreign journalists and experts to report on issues around the world. These efforts are part of China’s wider strategy of engaging foreign audiences. General Secretary Xi Jinping urged state media to “use methods that overseas readers enjoy and accept, and language that they can understand, to explain the China story, [and] transmit China’s voice.”

We further found that messages emanating from these outlets aim to put forward China’s efforts in combating the outbreak while discrediting the United States. In doing so, CGTN’s French channel has disseminated the claim that the United States might be at the origin of the virus, propagating information backed by false academic evidence. CGTN France’s podcast series also maintains that Xi Jinping is leading the fight against COVID-19, asserting that he “personally guided and deployed the Chinese people to lead the interception battle, which is also the people’s joint battle against the COVID-19 epidemic.” Episodes of the podcast shared on Twitter are then retweeted by official Chinese government accounts such as consulates or embassies across France and francophone Africa.

This overall shift in the way that it conducts influence operations means that China is not only sufficiently confident in its global narrative but is also sufficiently armed to launch an international debate upon the global health community–a domain mostly dominated until now by the West. Gravely affected by the pandemic, European states are caught in the middle of a battle of narratives, pushing nations to eschew multilateralism in favor of their own responses. In a context where globalization is in retrenchment, Chinese help may feel welcome. But as China seeks to further its influence and reshape global institutions to its liking, the issues of human rights and transparency are likely to be neglected.
Lukas Mejia is an open-source analyst that has worked with New York University, the UN CTED, and the US State Department’s Global Engagement Center in furthering research and developing tools around the field of counter-disinformation — understanding the threat actors, methods, and trends.

Marine Ragnet (@marineragnet) is a public and international affairs professional that has previously conducted research for the French Ministry of Foreign Affairs, the European Commission, and presently for a US State Department mandated platform. She has worked in India, France, the United States, the UAE and Jordan across the public, private and NGO sectors and is intimately aware of the technical aspects of narrative warfare and disinformation which she encountered throughout her career.

© Sophie Beach for China Digital Times (CDT), get_post_time('Y'). | Permalink | No comment | Add to
Post tags: , , , , ,

Feed enhanced by Better Feed from Ozh

Like From Narrative Consent to Narrative Warfare: China’s COVID-19 Messaging on Facebookshare on TwitterGoogle Plus One Button

China Joins in Global Hacking Spike Amid Pandemic

Last week, U.S. cybersecurity firm FireEye published a report on "one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years," identifying its alleged perpetrator "APT41" as "one of the most prolific threats that FireEye currently tracks." From Christopher Glyer, Dan Perez, Sarah Jones, and Steve Miller:

[…] Between January 20 and March 11, FireEye observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central at over 75 FireEye customers. Countries we’ve seen targeted include Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, UK and USA. The following industries were targeted: Banking/Finance, Construction, Defense Industrial Base, Government, Healthcare, High Technology, Higher Education, Legal, Manufacturing, Media, Non-profit, Oil & Gas, Petrochemical, Pharmaceutical, Real Estate, Telecommunications, Transportation, Travel, and Utility. It’s unclear if APT41 scanned the Internet and attempted exploitation en masse or selected a subset of specific organizations to target, but the victims appear to be more targeted in nature.

[…] There is a lull in APT41 activity between January 23 and February 1, which is likely related to the Chinese Lunar New Year holidays which occurred between January 24 and January 30, 2020. This has been a common activity pattern by Chinese APT groups in past years as well.

[…] We did not observe APT41 activity at FireEye customers between February 2 and February 19, 2020. China initiated COVID-19 related quarantines in cities in Hubei province starting on January 23 and January 24, and rolled out quarantines to additional provinces starting between February 2 and February 10. While it is possible that this reduction in activity might be related to the COVID-19 quarantine measures in China, APT41 may have remained active in other ways, which we were unable to observe with FireEye telemetry. We observed a significant uptick in CVE-2019-19781 exploitation on February 24 and February 25. The exploit behavior was almost identical to the activity on February 1, where only the name of the payload ‘un’ changed.

[…] This activity is one of the most widespread campaigns we have seen from China-nexus espionage actors in recent years. While APT41 has previously conducted activity with an extensive initial entry such as the trojanizing of NetSarang software, this scanning and exploitation has focused on a subset of our customers, and seems to reveal a high operational tempo and wide collection requirements for APT41. [Source]

FireEye released a detailed report on APT41 last August, describing it as "a prolific Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations."

[…] APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain. Explicit financially-motivated targeting is unusual among Chinese state-sponsored threat groups, and evidence suggests APT41 has conducted simultaneous cyber crime and cyber espionage operations from 2014 onward.

[…] Like other Chinese espionage operators, APT41 espionage targeting has generally aligned with China’s Five-Year economic development plans. The group has established and maintained strategic access to organizations in the healthcare, high-tech, and telecommunications sectors. APT41 operations against higher education, travel services, and news/media firms provide some indication that the group also tracks individuals and conducts surveillance. For example, the group has repeatedly targeted call record information at telecom companies. In another instance, APT41 targeted a hotel’s reservation systems ahead of Chinese officials staying there, suggesting the group was tasked to reconnoiter the facility for security reasons.

[…] Like other Chinese espionage operators, APT41 appears to have moved toward strategic intelligence collection and establishing access and away from direct intellectual property theft since 2015. This shift, however, has not affected the group’s consistent interest in targeting the video game industry for financially motivated reasons. The group’s capabilities and targeting have both broadened over time, signaling the potential for additional supply chain compromises affecting a variety of victims in additional verticals.

APT41’s links to both underground marketplaces and state-sponsored activity may indicate the group enjoys protections that enables it to conduct its own for-profit activities, or authorities are willing to overlook them. It is also possible that APT41 has simply evaded scrutiny from Chinese authorities. Regardless, these operations underscore a blurred line between state power and crime that lies at the heart of threat ecosystems and is exemplified by APT41. [Source]

In a blog post later in August, the company described coming "toe-to-toe with APT41" following "suspicious activity on a publicly-accessible web server at a U.S.-based research university." In October, FireEye reported the apparent involvement of APT41 and "separate threat groups with suspected Chinese state-sponsored associations" in targeted tapping of text message conversations and phone call metadata from "political leaders, military and intelligence organizations and political movements at odds with the Chinese government." This was achieved by compromising network infrastructure, but "beyond telecommunication organizations, other client verticals that possess sensitive records related to specific individuals of interest, such as major travel services and healthcare providers, were also targeted by APT41. This is reflective of an evolving Chinese targeting trend focused on both upstream data and targeted surveillance." APT41 has also been linked to an attacker called Winnti Group, which has been accused elsewhere of "highly targeted" invasion of computers at two or more Hong Kong universities late last year amid the city’s long-running anti-extradition turned pro-democracy protests.

Over the past year, U.S. officials have complained that "since the announcement of Made In China 2025, the Department [of Justice] has brought trade secret theft cases in eight of the ten technologies that China is aspiring to dominate," claiming "probably about a thousand plus investigations" ongoing into actual or attempted theft of American IP, "almost all leading back to China." As FireEye alluded in its August report on APT41, such direct theft subsided following an agreement on commercially-motivated hacking between China and the Obama administration in 2015, but was later reported to have revived. The carefully narrow terms of the 2015 agreement somewhat complicate this picture, however.

In the realm of non-commercial espionage, meanwhile, the U.S. Department of Justice brought charges against four Chinese military officers in February for their alleged involvement in the 2017 breach of credit reporting agency Equifax. Reporting on politically driven hacks against Apple iPhone users and Australian political bodies last year suggested that some victims are choosing to keep quiet to avoid antagonizing China.

The attacks attributed to APT41 are just part of a spike in reported activity by both Chinese-sponsored and other government-linked and criminal hacking groups around the world amid the ongoing pandemic, which has prompted a coordinated response from the security community. Other recent incidents include attacks on the World Health Organization, including some tentatively linked to "Dark Hotel," an entity suspected to be linked with the South Korean government with "a long history of hacking North Korean and Chinese victims, with a focus on espionage." NBC’s Kevin Collier reported earlier this month on the prolific use of outbreak-related information as bait in phishing attacks.

“We’ve seen Russia use it against Ukraine, China use it against Southeast Asia, North Korea against South Korea,” said Ben Read, the senior manager for cyberespionage analysis at the cybersecurity firm FireEye.

FireEye analyzed emails from Chinese hackers to Vietnamese targets, and in one purporting to be reassurances from Vietnamese Prime Minister Nguyen Xuan Phuc that the government was doing everything in its power to contain the spread of the virus FireEye found malware that would compromise the computer of any user who downloaded it.

“These lures have really authentic branding, like they pretend to be from the CDC or the WHO or other really credible groups, and then target people based on ‘this seems like a really interesting thing offering me more information in a time that has so much information,’” said Lindsay Kaye, who also researched coronavirus phishing emails for the cybersecurity company Recorded Future.

[…] “The story started in Asia, and has kind of migrated, so the threat actors are following the virus,” said Adam Meyers, CrowdStrike’s vice president of intelligence. “They go from China to surrounding areas around China, they start targeting Japan, they start targeting South Korea, they start targeting Europe.” [Source]

More from Patrick Howell O’Neill at MIT Technology Review:

Two hacking groups aligned with the Chinese government targeted Vietnam, the Philippines, Taiwan, and Mongolia, the cybersecurity firms FireEye and Check Point reported today. The hackers are sending email attachments with genuine health information about coronavirus but laced with malware such as Sogu and Cobalt Strike, according to Ben Read, a senior intelligence analyst at FireEye.

[…] “You expect to get information from government sources, so it’s most likely that you will open and execute documents to see what it says,” said Lotem Finkelstein, head of threat intelligence at Check Point. “It makes it very useful to trigger an attack. The coronavirus outbreak serves threat actors very well, especially those that rely on phishing attacks to ignite attacks.”

[…] In addition to ongoing activity by government-sponsored hackers, cybercriminals are taking advantage of the chaos of current events. Hackers have previously used anxiety surrounding Ebola, Zika, and SARS to make money. 

[…] “Attackers are also subverting internal businesses’ credibility in their attacks,” researchers from the cyber firm Proofpoint wrote. “We have seen a campaign that uses a Coronavirus-themed email that is designed to look like an internal email from the company’s president to all employees … This email is extremely well-crafted and lists the business’ president’s correct name.” [Source]

The Washington Post examined the explosion in online scams on Thursday. Security issues such as phishing have become all the more pressing as information workers move en masse toward online remote work, putting many at greater risk than they might be on closely guarded corporate networks. This week, product recommendation site The Wirecutter published its first guide to "The Best Security Key for Multi-Factor Authentication," which offer "the strongest protection against phishing attacks" for accounts with platforms like Google, Facebook, and Twitter. Google’s own Titan security keys, whose Chinese manufacturing has provoked some suspicion, were not The Wirecutter’s top choice, for unrelated reasons. For more on security keys and how to use them, see user guides at

© Samuel Wade for China Digital Times (CDT), get_post_time('Y'). | Permalink | No comment | Add to
Post tags: , , , , , ,

Feed enhanced by Better Feed from Ozh

Like China Joins in Global Hacking Spike Amid Pandemic on Facebookshare on TwitterGoogle Plus One Button

Using Moscow’s Playbook, Beijing Sows Doubt into COVID-19 Narrative

When the novel coronavirus first began circulating in Wuhan, Chinese authorities were quick to censor news and to punish doctors and others who shared information about the deadly new virus. The government’s obfuscation and censorship of news about the virus’ risk has been widely blamed for contributing to its later spread throughout China and around the world, where it has now infected close to a million people and killed more than 45,000. Now that COVID-19 cases have slowed in China following stringent containment measures, and cases are currently exploding throughout Europe and the U.S., Chinese officials have launched a disinformation campaign seeding a conspiracy theory that the virus was created and spread by the U.S. military. The Chinese charge was notably levied by Zhao Lijian, deputy director of Foreign Ministry Information Department, on his Twitter account:

Cui Tiankai, Chinese Ambassador to the U.S., later disavowed these claims, but Zhao’s initial statements appear to be part of a broader and often covert campaign being waged from Beijing. Vanessa Molter and Graham Webster track the origins of the Chinese disinformation campaign around COVID-19 for Stanford’s Cyber Policy Center:

Groundless speculation about the origins of the pandemic did not begin with Zhao, but the case of his eye-catching tweets reveals how China’s changing propaganda tactics have interacted with mangled news reporting, social media conspiracy theorizing, and underlying U.S.-China tensions—all resulting in high-profile misinformation about a public health crisis.

An examination of social media posts across Weibo, Facebook, Instagram, Twitter, YouTube, and Reddit in English, Chinese, and Japanese reveals the context and pathways that brought this particular conspiracy theory to Chinese state media and diplomatic channels. Weeks of speculation and online conspiracy theorizing about military links to the virus’ origins or emergence, combined with a broadening uncertainty about the circumstances of Wuhan’s outbreak and increasingly brittle U.S.-China rhetoric, laid the groundwork for Zhao’s inflammatory tweets and the reaction that followed.

[…] Speculation or conspiracy theory writings about a potential role for the U.S. military in Wuhan’s outbreak circulated weeks before Zhao, the Foreign Ministry spokesperson, amplified the idea on Twitter. [Source]

While Zhao Lijian’s Twitter campaign was in no way covert or even subtle, the Chinese government’s use of Twitter, which is banned in China, to spread propaganda and disinformation through fake or hacked accounts has gained attention in recent months, especially during Hong Kong pro-democracy protests last year and now again during the coronavirus outbreak. Jeff Kao and Mia Shuang Li reported on such use of Twitter for ProPublica:

ProPublica’s research tracked how the government-linked influence accounts that had targeted political dissidents and the Hong Kong protests turned their focus to the coronavirus outbreak. During the height of the epidemic in China, many of them became cheerleaders for the government, calling on citizens to unite in support of efforts to fight the epidemic and urging them to “dispel online rumors.”

With the epidemic spreading across the world, these accounts have sought to promote the Chinese government’s image abroad and shore up its support at home. One typical recent tweet in Chinese proclaimed: “We were not scared during the outbreak because our country was our rearguard. Many disease-fighting warriors were thrust to the front lines. Even more volunteers helped in seemingly trivial yet important ways.”

[…] We found a pattern of coordinated activity among the fake accounts that appeared to be aimed at building momentum for particular storylines. Central accounts with more legitimate-looking histories such as Keegan’s would make eye-catching posts; for example, a political message accompanied by a bold graphic or a meme, or a provocative video. An army of obvious fake accounts would then engage the posts with likes, reposts and positive comments, presumably to boost their visibility in Twitter’s algorithms.

Posts also used hashtags about trending topics such as the coronavirus outbreak or the Hong Kong protests to gain visibility for an account that had few followers. Other posts would use hashtags unique to the influence network, presumably to try to make them trend on Twitter. Remarkably, some of the fake accounts accumulated hundreds, and, in a few cases, thousands of followers (It’s not clear whether the fakes were being followed by real people or other fake accounts.) [Source]

The COVID-19 pandemic has revealed new Chinese government tactics in pushing questionable conspiracy theories abroad along with specific propaganda and disinformation narratives, similar to techniques long used by Russia. Julian E. Barnes, Matthew Rosenberg, and Edward Wong report for The New York Times:

China has a long history of propaganda and efforts to cajole the world into following its own narrative on geopolitical issues like Taiwan, Tibet or Hong Kong. While it pushes its policies and views, some openly anti-American, it rarely puts enormous resources behind fringe conspiracy theories.

But that has changed during the pandemic, intelligence officials and outside experts said. In a highly coordinated campaign, Chinese officials and institutions have spread talking points centered on two narratives: that the United States is to blame for the origins of the virus and that the Communist Party has successfully contained the virus after a hard-fought campaign, affirming the superiority of its system.

[…] After remaining relatively quiet early in the year, Chinese Foreign Ministry officials have in recent weeks amplified conspiratorial stories as the coronavirus outbreak has spread globally while China has claimed to have wrested it under control in the city of Wuhan where it originated.

[…] The tactics are “a significant departure from how the Chinese have operated in the past,” said Laura Rosenberger, the director of the Alliance for Securing Democracy, a project of the nonpartisan German Marshall Fund of the United States.

“Russia has long spread multiple, seemingly contradictory disinformation narratives and then said, ‘How can we know for sure what happened, how can we know the truth?’” she added. “We have never really seen China do that externally before. But now we see Chinese officials and media trying out those typically Russian tactics.” [Source]

The Alliance for Securing Democracy has added a feature on Chinese government disinformation to its Hamilton 2.0 Dashboard, which “captures content from more than 150 Chinese diplomatic and media accounts on Twitter, five state-sponsored news websites, CGTN America and CCTV+’s channels on YouTube, and official statements made by the Permanent Mission of China to the United Nations. […] Collecting data since November 2019, the China section of the dashboard has captured official government messaging on topics like the Hong Kong protests, Xinjiang, the trade war with the United States, the implementation of Huawei technology in Europe, and, most notably, the global outbreak of COVID-19.” Jessica Brandt and Bret Schafer of the ASD wrote up some of their initial findings in “Five Things to Know About China’s Disinformation Campaign”. Like other researchers and reporters, they found that Beijing’s tactics are becoming increasingly similar to Moscow’s, focusing more on pushing forward the government’s own narratives rather than just censoring others that they disagree with:

China’s more confrontational posture on COVID-19 represents a clear departure from its past behavior and signals a move toward a style of information manipulation more like Russia’s.

In the early stages of the outbreak, official Chinese messaging largely focused on human-interest stories and on Beijing’s efforts to respond to the crisis. But as the virus spread rapidly to Europe and the United States over the past month, that approach shifted. From February 27 to March 26, four of the ten most engaged-with articles on Facebook from China’s state media outlets featured content that was critical of the Trump administration’s handling of the outbreak. This appears to be one component of Beijing’s broader information strategy, which entails highlighting the chaotic nature of democratic political systems, in contrast to its own.

Meanwhile, on Twitter, Chinese diplomatic and embassy accounts promoted conspiracy theories from fringe websites and China’s Embassy in Brazil engaged in a public spat with Brazilian President Jair Bolsonaro over statements he made about China’s role in the pandemic.

Using official channels to amplify conspiracy theories and to sow doubt about established facts in the context of major political events is a tactic often used by Moscow — whether to deflect blame, dent democracy’s appeal, or both. Beijing, which has long tended to be more risk averse in its approach to information manipulation, has tended to focus on censoring criticism — suppressing critical content rather than seeding conspiratorial material that is false, polarizing, or misleading. Beijing’s more confrontational posture surrounding COVID-19 could signal a broader shift in its approach. [/">Source]

A report from European External Action Service which tracks disinformation aimed at Europe during the COVID-19 outbreak from both China and Russia says that Chinese “state media and government officials promote not proven theories about the origin of COVID-19. Chinese coverage highlights displays of gratitude by some European leaders in response to Chinese aid.” Propaganda and disinformation about COVID-19 has also been found in advertisement features from Chinese state media in newspapers including the U.K.’s Daily Telegraph.

© Sophie Beach for China Digital Times (CDT), get_post_time('Y'). | Permalink | No comment | Add to
Post tags: , , , ,

Feed enhanced by Better Feed from Ozh

Like Using Moscow’s Playbook, Beijing Sows Doubt into COVID-19 Narrative on Facebookshare on TwitterGoogle Plus One Button

Download our free iOS app

Please follow us on:  Twitter | Facebook | Tumblr I Instagram

Support CDT with your Amazon purchases through AmazonSmile

2020 Copyright © China Digital Times
 Powered by WordPress

unsubscribe from this list | update subscription preferences 

This email was sent to <<Email Address>>
why did I get this?    unsubscribe from this list    update subscription preferences
China Digital Times · 2512 Telegraph Ave · Berkeley, CA 94704 · USA