Gaming public opinion
The CCP’s increasingly sophisticated cyber-enabled influence operations
What’s the problem?
The Chinese Communist Party’s (CCP’s) embrace of large-scale online influence operations and spreading of disinformation on Western social-media platforms has escalated since the first major attribution from Silicon Valley companies in 2019. While Chinese public diplomacy may have shifted to a softer tone in 2023 after many years of wolf-warrior online rhetoric, the Chinese Government continues to conduct global covert cyber-enabled influence operations. Those operations are now more frequent, increasingly sophisticated and increasingly effective in supporting the CCP’s strategic goals. They focus on disrupting the domestic, foreign, security and defence policies of foreign countries, and most of all they target democracies.
Currently—in targeted democracies—most political leaders, policymakers, businesses, civil society groups and publics have little understanding of how the CCP currently engages in clandestine activities online in their countries, even though this activity is escalating and evolving quickly. The stakes are high for democracies, given the indispensability of the internet and their reliance on open online spaces, free from interference. Despite years of monitoring covert CCP cyber-enabled influence operations by social-media platforms, governments, and research institutes such as ASPI, definitive public attribution of the actors driving these activities is rare. Covert online operations, by design, are difficult to detect and attribute to state actors.
Social-media platforms and governments struggle to devote adequate resources to identifying, preventing and deterring increasing levels of malicious activity, and sometimes they don’t want to name and shame the Chinese Government for political, economic and/or commercial reasons.
But when possible, public attribution can play a larger role in deterring malicious actors. Understanding which Chinese Government entities are conducting such operations, and their underlying doctrine, is essential to constructing adequate counter-interference and deterrence strategies. The value of public attribution also goes beyond deterrence. For example, public attribution helps civil society and businesses, which are often the intended targets of online influence operations, to understand the threat landscape and build resilience against malicious activities. It’s also important that general publics are given basic information so that they’re informed about the contemporary security challenges a country is facing, and public attribution helps to provide that information.
ASPI research in this report—which included specialised data collection spanning Twitter, Facebook, Reddit, Sina Weibo and ByteDance products—reveals a previously unreported CCP cyber-enabled influence operation linked to the Spamouflage network, which is using inauthentic accounts to spread claims that the US is irresponsibly conducting cyber-espionage operations against China and other countries. As a part of this research, we geolocated some of the operators of that network to Yancheng in Jiangsu Province, and we show it’s possible that at least some of the operators behind Spamouflage are part of the Yancheng Public Security Bureau.
The CCP’s clandestine efforts to influence international public opinion rely on a very different toolkit today compared to its previous tactics of just a few years ago. CCP cyber-enabled influence operations remain part of a broader strategy to shape global public opinion and enhance China’s ‘international discourse power’. Those efforts have evolved to nudge public opinion towards positions more favourable to the CCP and to interfere in the political decision-making processes of other countries. A greater focus on covert social-media accounts allows the CCP to pursue its interests while providing a plausibly deniable cover.
Emerging technologies and China’s indigenous cybersecurity industry are also creating new capabilities for the CCP to continue operating clandestinely on Western social platforms.
Left unaddressed, the CCP’s increasing investment in cyber-enabled influence operations threatens to successfully influence the economic decision-making of political elites, destabilise social cohesion during times of crisis, sow distrust of leaders or democratic institutions and processes, fracture alliances and partnerships, and deter journalists, researchers and activists from sharing accurate information about China.
What’s the solution?
This report provides the first public empirical review of the CCP’s clandestine online networks on social-media platforms.
We outline seven key policy recommendations for governments and social-media platforms (further details are on page 39):
- Social-media platforms should take advantage of the digital infrastructure, which they control, to more effectively deter cyber-enabled influence operations. To disrupt future influence operations, social-media platforms could remove access to those analytics for suspicious accounts breaching platform policies, making it difficult for identified malicious actors to measure the effectiveness of influence operations.
- Social-media platforms should pursue more innovative information-sharing to combat cyber-enabled influence operations. For example, social-media platforms could share more information about the digital infrastructure involved in influence operations, without revealing personally identifiable information.
- Governments should change their language in speeches and policy documents to describe social-media platforms as critical infrastructure. This would acknowledge the existing importance of those platforms in democracies and would communicate signals to malicious actors that, like cyber operations on the power grid, efforts to interfere in the information ecosystem will be met with proportionate responses.
- Governments should review foreign interference legislation and consider mandating that social-media platforms disclose state-backed influence operations and other transparency reporting to increase the public’s threat awareness.
- Public diplomacy should be a pillar of any counter-malign-influence strategy. Government leaders and diplomats should name and shame attributable malign cyber-enabled influence operations, and those entities involved in their operation (state and non-state) to deter those activities.
- Partners and allies should strengthen intelligence diplomacy on this emerging security challenge and seek to share more intelligence with one another on such influence operations. Strong open-source intelligence skills and collection capabilities are a crucial part of investigating and attributing these operations, the low classification of which, should making intelligence sharing easier.
- Governments should support further research on influence operations and other hybrid threats. To build broader situational awareness of hybrid threats across the region, including malign influence operations, democracies should establish an Indo-Pacific hybrid threats centre.
Key findings
The CCP has developed a sophisticated, persistent capability to sustain coordinated networks of personas on social-media platforms to spread disinformation, wage public-opinion warfare and support its own diplomatic messaging, economic coercion and other levers of state power.
That capability is evolving and has expanded to push a wider range of narratives to a growing international audience with the Indo-Pacific a key target.
The CCP has used these cyber-enabled influence operations to seek to interfere in US politics, Australian politics and national security decisions, undermine the Quad and Japanese defence policies and impose costs on Australian and North American rare-earth mining companies.
- CCP cyber-enabled influence operations are probably conducted, in parallel if not collectively, by multiple Chinese party-state agencies. Those agencies appear at times to collaborate with private Chinese companies. The most notable actors that are likely to be conducting such operations include the People’s Liberation Army’s Strategic Support Force (PLASSF), which conducts cyber operations as part of the PLA’s political warfare; the Ministry of State Security (MSS), which conducts covert operations for state security; the Central Propaganda Department, which oversees China’s domestic and foreign propaganda efforts; the Ministry of Public Security (MPS), which enforces China’s internet laws; and the Cyberspace Administration of China (CAC), which regulates China’s internet ecosystem. Chinese state media outlets and Ministry of Foreign Affairs (MFA) officials are also running clandestine operations that seek to amplify their own overt propaganda and influence activities.
- Starting in 2021, a previously unreported CCP cyber-enabled influence operation has been disseminating narratives that the CIA and National Security Agency are ‘irresponsibly conducting cyber-espionage operations against China and other countries’. ASPI isn’t in a position to verify US intelligence agency activities. However, the means used to disseminate the counter-US narrative— this campaign appears to be partly driven by the pro-CCP coordinated inauthentic network known as Spamouflage—strongly suggests an influence operation. ASPI’s research suggests that at least some operators behind the campaign are affiliated with the MPS, or are ‘internet commentators’ hired by the CAC, which may have named this campaign ‘Operation Honey Badger’. The evidence indicates that the Chinese Government probably intended to influence Southeast Asian markets and other countries involved in the Belt and Road Initiative to support the expansion of Chinese cybersecurity companies in those regions.
- Chinese cybersecurity company Qi An Xin (奇安信) appears at times it may be supporting the influence operation. The company has the capacity to seed disinformation about advanced persistent threats to its clients in Southeast Asia and other countries. It’s deeply connected with Chinese intelligence, military and security services and plays an important role in China’s cybersecurity and state security strategies.
Introduction
This report explores the growing challenges posed by China’s globally focused and increasingly sophisticated cyber-enabled influence operations, which ASPI defines broadly as planned actions to influence individuals, communities and governments using the cyber domain.
Those actions include a range of state-sanctioned activities targeting foreign countries (sometimes individually or as a region) that seek to guide and interfere in their public discourse, to promote disinformation and to threaten and harass individuals and groups. Those activities are typically conducted on social-media platforms, where they’re also referred to by industry and national security stakeholders as coordinated inauthentic behaviour,1 information operations,2 cognitive domain operations,3 information warfare or public opinion warfare.4
In the first section of this report, which starts immediately below, we review the existing evidence of clandestine cyber-enabled influence operations originating from China to provide an assessment of the CCP’s evolving capabilities. By analysing datasets disclosed by social-media platforms and other publicly available sources, we map the CCP’s online networks and expose the wide range of Chinese state actors operating covertly on social media and other platforms.
In the second section (from page 11), we present original, empirical research about a recent coordinated CCP propaganda campaign named ‘Operation Honey Badger’ (蜜獾行动) by Chinese government-linked entities.
As of April 2023, this campaign continues to attribute cyber-espionage operations to the US Government. We uncover new evidence to suggest that the MPS, with the support of cybersecurity company Qi An Xin,5 may be involved in this campaign. This section is highly technical and detailed and sets out an evidence base for subsequent strategic assessments.
In the last section (from page 37), we explain how the CCP’s cyber-enabled influence operations are part of a broader strategy to achieve its objectives on social media. This section and our recommendations will be most relevant to policymakers. Our methodology and its limitations can be found in Appendix 1.
Download full report
Readers are warmly encouraged to download the full report, which contains;
- What’s the problem?
- What’s the solution?
- Key findings
- Introduction
- China’s cyber-enabled influence operations
- The evolution of Spamouflage
- What we think we know about Chinese covert networks online
- Case study: Operation Honey Badger (蜜獾行动)
- Coordinated inauthentic behaviour alleging US cyber hegemony
- Spamouflage accounts on Chinese social-media platforms
- Connections with Qi An Xin
- Qi An Xin’s links with CCP cyber-enabled influence operations
- Qi An Xin’s links to other influence operations
- The CCP’s online influence objectives on social media
- Policy recommendations
- Appendixes
- Appendix 1: Methodology and limitations
- Appendix 2: Case history of CCP cyber-enabled influence operations
- Appendix 3: Possible Spamouflage linkages to APT41
- Appendix 4: Qi An Xin (奇安信)
- Notes
- Acronyms and abbreviations
26 Apr 2023