- A researcher following chatter about a political extremist movement based in China digs a little deeper. He wants to find out who is behind messages that are seeking to discredit the movement on social media. He discovers a group based in China, which hides a network of disinformation-themed social media posts behind a legitimate marketing website. The site delivers positive-messaging campaigns for well-known Chinese companies like Huawei for consumption in Europe and the United States. But in the background, it appears to be operating on behalf of the Chinese government for reasons that are much more sinister. This is the ninth episode of "Know Your Adversary."

- Why I started doing the research is I've been tracking Chinese IO personally a lot, even before Nisos.

- I'm talking with Nisos researcher Zeshan Aziz. He's going to take us on a trip, a story about some remarkable detective work that he and his team have been able to do, finding a way behind the curtain of what looks like a legitimate marketing company to discover nation-state level disinformation being broadcast to consumers and media, through automated tools, boosting algorithms, bots, and fake personas. But before we go there, I want to give us some background on what he does as an investigator and how his skills contributed to this hunt.

- So Nisos, we have a lot of different processes and methodologies for how we do disinformation investigations. For this investigation, we did one specific flow, which is narratives at stage one, trying to find the topic that we know we can search and have a high chance of finding content that's probably fake or automated or violates terms of service. Then step two is content, which is finding the actual activity on platform. Step three is tying that activity to a specific company, marketing firm, or organization that's doing it all together.
And then step four is attribution, finding the ultimate sponsor of that content, which in this case is the Chinese government. How Nisos does disinformation, you gotta keep in mind that every client request is different. There are common denominators in disinformation investigations, and typically we're vendor agnostic and we'll even create tools when we need to, but Nisos operators and Nisos investigators will have a big toolkit of tools and data sources to go through, and as long as you know what those are, then you can pivot and use different methodologies and workflows to find disinformation on platform.

- This type of process to combat disinformation is a toolkit. It doesn't just happen by chance. Zeshan and his team deploy different tools for different investigations depending on the adversary. In the world of disinformation, this can be nation states, competitors, even surveillance-for-hire private companies.

- So these are your social media listening tools such as Meltwater. There are tools that look at outlets, outlets being like domains, corporate registration history, including anything to do with DNS analysis as well. Then we have tools that look at accounts. These tools can do stuff such as social media network analysis, making those link charts between social media accounts. They include tools that can look at different digital platforms and try to find if there's any data leakage. There are tools that look at infiltrating private groups and communities and seeing what you can pull from that relevant to your investigation, and the last category of tools we have are for signatures. Signatures can be those signals, those common heuristics between accounts, pages, websites, and exploiting those. Those could be IP addresses for internet activity, those can be email analysis and tools that can pull more information on emails.
These are those core identifiers that you'll find in investigations, and then you'll later pivot to or pivot off of, so you need to be very sure that these are solidly proven to be tied to your target accounts and that you can upload it into a specific tool or process where you can enrich it and get more information out of it.

- This is the type of operation that demands a sophisticated set of tools to do attributable digging, and at the same time, the people operating these tools have to know what they're looking for and who they're dealing with.

- I have a lot of background in Chinese geopolitics and their internal politics as well and how they want that to be perceived externally to places like the US and the Western world. Even with the news on the daily, a skilled operator like we have at Nisos can pretty naturally go from reading the news, thinking about adversaries, and coming up with some theories on how to find them conducting active campaigns on different social media sites, so this was just one of those evenings where I was curious about specific Chinese narratives that were trending in the media, on news, on Twitter, and just played with some tools, and my theory worked. I found some Chinese IO pretty immediately that led to this whole presentation and rabbit hole on this firm.

- This is an activity that picks up keywords and chatter. Sometimes the terms are obvious, but other times there's a lot of sifting involved. Zeshan and his team have to apply some critical thinking to deduce what it is that they might be seeing.

- My theory was, so the chatter online at the time was about the East Turkistan Islamic Movement, which is a former Uyghur extremist organization.
It was delisted as a terrorist organization by the US at the time, and I had thought about how important that is to the Chinese government to justify their crackdown on the Uyghur population, so my theory was if there's gonna be anyone talking about this online, the most by quantity and volume is gonna be people from China and the Chinese state information operations apparatus, and if anyone's talking about this in a negative sense, as in to call out the US, it's gonna be the Chinese government or Chinese government affiliated marketing firms, so I wrote some queries that I could test that theory out with, and the theory was proven right. I showed these in some of the slides that I presented publicly at CYBERWARCON, but it was a simple search of seeing who was talking about ETIM.

- ETIM is the East Turkistan Islamic Movement, a Uyghur Islamic extremist organization found in Western China. Its stated goals are to establish an independent state called East Turkistan replacing Xinjiang. The Chinese government has long been suppressing their human rights.

- So that was one keyword, just that four character word, and the other word was China, and just trying to see who was talking about that in the past week that had prominence on different social media sites like Facebook and Twitter. So in the first five, 10 results was the page that led us to the firm, so that's how we did it, very tactically and very step by step, but it's as simple as knowing two terms, knowing which language to search in, and then using a specific tool to test that out.

- So the research starts out with keywords just like you're doing a Google search, but instead of aggregating the open web, these tools aggregate social media, but then the researcher's sixth sense has to come in as something just looks odd.

- From the tool, I saw one specific page that wasn't a mainstream media outlet in the US or Europe that had a lot of prominence.
It had like several million likes and follows, but I didn't recognize it, which is uncommon since operators here at Nisos that work on the IO team are very familiar with global media, so I went down the rabbit hole and saw that the page was relatively new. It had millions of followers and it had mostly pro-China content, and on the page transparency for this page, it listed that it was run and managed by a firm out of China with a Mandarin name and the English name OneSight.

- OneSight. Sounds like a very Western style name, nice and positive. It kinda gives you that impression right off the bat that whatever they can do, they'll take care of it for you.

- And then curiosity, what's this OneSight organization and the Mandarin name for it? I ended up Googling it and found that they're an overseas marketing firm that's based out of China that does marketing on different social media platforms and websites. Going on their website, you could see that they do a lot of social media for different retail clients, commercial clients, and they had some feeds that were showing what they were trending on different websites, and there's a lot of content that I could surmise was definitely government propaganda, or the people interested in pushing that would've been the Chinese government or departments within the Chinese government.

- It's totally normal for a marketing company to push the messages of regular corporate clients on social media, but the more you look, the more you get to see a pattern, something about the messaging that goes beyond commercial brand awareness. This is where you start to climb down the rabbit hole, and sometimes they leave clues by mistake.

- They were trying to hide any marketing work that they did for governments.
On their website, they talk about a lot of their commercial customers like Huawei and other Chinese retail giants and technology companies, but they make zero mention of any government customers in any of their public facing marketing where they describe what their company does. They inadvertently leaked that they had government customers by just having a raw feed of what hashtags were trending and what pages they were controlling that were trending, specific hashtags and content. Later, when you do look into Chinese government corporate records and government contract award databases, you'll find that they do a lot of work for the Chinese state and the Chinese state media.

- Despite working under the cover of a social media marketing company, the group behind this gave away their position by releasing a list of hashtags and pages they were controlling. So from this, it became easier to connect the dots to see that OneSight was propagating an anti-Uyghur campaign. This leads to the next question in the investigation, could they also be running other disinformation campaigns?

- So OneSight was managing the pages that contained posts which were doing anti-Uyghur campaigns. These pages are run by Chinese state media, or they claim to be run by Chinese state media, and those Chinese state media have a multitude of narratives that they push out, not just anti-Uyghur media, so I just wanted to be a little more precise. If you look at the other pages that OneSight was running, they pushed other narratives that are of interest to the Chinese state, such as talking positively about Carrie Lam.

- Carrie Lam is the leader of Hong Kong, soon to be retiring, and is seen by many as a divisive figure in terms of her close relationship to Beijing.
- They push her a lot on International Women's Day posts and content, and they also pushed other development projects that are of interest to the Chinese state, even domestically, such as there was one called Two Sessions, which barely any Western analysts even at the time were talking about, but the hashtag had to do with a Chinese internal development project.

- Two Sessions is like a Chinese government congressional meeting to lay out a five year plan, another opportunity for further consolidation of power moving forward.

- The post that I had found from the tool, it was not just an anti-Uyghur post, it had a video with a British actor who claimed to be Muslim that was justifying China's persecution of Uyghurs, so there was another sign for us as investigators that something with this high production had a lot of money and organization behind it, so that goes to show the sophistication and the organizational effort behind pushing these narratives. They are well developed, they have people represent themselves as who they may not be, and they're filming videos in front of Western landmarks in places like the UK. OneSight, where they come in is they're helping manage or propagate content inauthentically.

- The next question, when it comes to an organization posting government propaganda while still operating as a marketing company for the world, would be to ask where they're doing it from.

- OneSight has infrastructure in China as far as I could read. If you look at some of their infrastructure online, like servers, you'll see that they're based in other places in Asia too, which I won't say specifically which other countries, but what they market themselves as is, "Hey, if you are a Chinese company, a retail, commercial, technology, and you need to market your products to non-Chinese users, you need to go through us because those social media platforms are banned within China, so you need to go to an 'overseas' marketing firm."
That's what they specialize in, so they're primarily based outta China, most of their employees are outta China. They may have some infrastructure and some employees that go around the whole world, maybe to talk with customers or to set up some servers and digital infrastructure overseas, but mostly in China. Our research was limited to mostly the IO part of the investigation. Within that scope, there were a lot of government contracts, so in the US we have Fed Biz Ops or GSA, which are some of the largest government contracting websites and platforms where you can see which government agencies are sponsoring what services or products. China has something similar, and if you go to their government contracting portal, you'll see that there's many contracts between different Chinese state media enterprises and OneSight, so that means the Chinese government is sponsoring tenders for social media hosting and activity. There may be more connections when it comes to the leadership of OneSight with people in the Chinese communist party, but that wasn't something I investigated within the scope of this research. I'll defer that to other investigators. I believe ProPublica may have looked into that, but I can't say for certain.

- And being in China or working for the Chinese government from a place outside of China is not going to go unnoticed by the social media platforms that they post to. We know that in China, domestic usage of social media platforms is very limited if not banned outright, so these firms have special VPN access that the Chinese government whitelists for them to exit the great firewall.

- Additionally, I suspect that these firms also have liaisons and representatives that talk to platform companies, social media companies directly to let them know that they're doing overseas marketing and that's why they have traffic coming outta a specific endpoint or ISP on different social media platforms.
I'm also pretty certain that OneSight, to comply with Chinese regulations, they likely do some KYC, know your customer, due diligence on their own clients to just make sure that they're following all Chinese laws and regulations that the Chinese government expects them to follow.

- OneSight is not unique in this position.

- There's at least two more. There's Nullysis and You Run Big Data, and they do similar work or social media monitoring and analysis. They exist within a certain framework that the Chinese government allows, legally and technically.

- As sophisticated as this operation appears to be, it's difficult to hide tracks from dedicated investigators, and in this case, there was one big clue that had been left behind by another hacking organization.

- When I identified OneSight, there was a lot that I could pull from their website, 'cause they had very bad, bad for them, good for us, 'cause we were able to find a lot of their pages and infrastructure just from their website, 'cause they're leaking data. Investigating the company more using research databases and looking through news sources, I found that there was a hacktivist group called CCP Unmasked which had hacked OneSight and two other Chinese marketing firms in the past 12 months at the time of research, and they released a bunch of data on these companies, and that's the data that I used to find the tool. So talking about that data, they had several gigabytes of leaked data that they ascribed as leaking, they claim it was a total of 40 gigabytes of data. The data that I used for this investigation, since CCP Unmasked, they leaked data on a bunch of file sharing websites.

- In total about 40 gigabytes of data had been leaked across various file sharing sites and social media. This leak had caused some platforms to shut down their accounts, but they were left untouched by a popular video sharing site.

- The social media had several videos.
Specifically, they had four videos on how the tool worked and operated, and that channel had barely any views, and so did those videos, so we used those videos and sorted through them frame by frame to understand the tool, how it works, and where to find remnants of the operations online. The way the tool works is it has one main function, and that is to manage hundreds if not thousands of social media accounts as a master controller, so kind of like a KVM switch or a puppet master. If you have a thousand accounts, you can't have a thousand people and a thousand computers posting things manually, you need to automate that, so one part of the tool has all these lists of accounts that they control, what social media site they're on, when is the last time they logged in or operated, and other attributes like how many posts have they made, for what customers, or what kind of payments metric is associated with it, implying that people, if they're running operations, get paid a certain amount. The tool has a long list of accounts that we looked into, and the tool also has a page where you can help create a persona step by step, and they have some other features that imply social media surveillance such as on Facebook, but the videos were limited in which features they showed and didn't show. I think just out of convenience, I don't think it was deliberate. I think whatever the hackers thought was most important they just showed. It'd be pretty difficult for them to show every single feature in a quick couple minute video.

- This application essentially is almost a basic lining block chart of different personas using different platforms and the different messages. The question becomes whether it is more of a project management tool or a dissemination tool with an easy click button that propagates the messages to the different platforms.

- It's both.
It needs to be an organization tool first in order to manage thousands of accounts, and then it needs to also be able to post content so that you don't need a thousand people at a thousand computers to make a thousand posts.

- It probably comes as no surprise to learn that an organization can't just simply push information out infinitely. There have to be people behind the messages, supposed real people. This means creating personas, and this too means more clues waiting to be discovered by people who know how to read between the lines.

- The personas have at least an email tied to them, a phone number, an origination IP address, a timestamp when all that is created, a name, and the personas can be either a single standalone account or it could be an entity identity like a company or an individual would have, you know, multiple social media accounts, even though they're one person or one company.

- These personas benefit from some amount of automation. It's not like they have to log into one social media platform under one persona, prepare the message and hit send, and then go to another one under a different persona and hit send again. That's way too time consuming. Everything can be done through a portal.

- Yes, it can be done in the portal as a batch across multiple platforms, and there's a lot of legitimate use cases for this type of tool, just like if a company wants to push some new press release, they might want to time it all at the same time, and they can have a person in marketing just do it all manually, but if they're a big company with different marketing campaigns, they're gonna wanna do that automatically, which reminds us that OneSight has a lot of legitimate customers that use it for legitimate marketing purposes as well.

- It's a legitimate way to market, putting out messages tied back to a bonafide account, but with every account, patterns can emerge, and that's what the Nisos team found.
- So we were able to look at a lot of the profiles that were in the video, so we had the emails for them, we had the links to their profiles. We saw that they were being used to push pro-China, pro-CCP propaganda, and a lot of the propaganda matched with or rhymed with other findings by other researchers on Spamouflage Dragon, which was the name of a generalized Chinese IO campaign a couple years ago. So since we were able to get the raw selectors, like the email addresses, links to profiles in this video that wasn't supposed to be public ever, we know for sure that these were used for propaganda.

- These patterns weren't able to hide themselves, even when generic images were being used on persona accounts.

- On again, you'll have profiles here and there with fake pictures. This goes down a whole rabbit hole of how to make fake accounts that stay alive on social media websites. Some other profiles have like generic Chinese art or Chinese cartoons as their profile pictures or like pictures of stuff, not of people. The thing that does stay consistent across these accounts are specific narratives, such as deflecting from the Chinese origin of COVID-19 or blaming the US for COVID-19. That was one of the narratives. You'll see that across profiles, even if it's not said in the same way or the message doesn't have to be copy and pasted. That is the commonality between most of the accounts. They are doing pro-CCP talking points, and generally the stuff you'd expect if you keep up with Chinese information operations, especially from 2018 onwards. We were able to find a lot of test pages across the internet that showed them playing with different scraping and posting tools, and I don't think they intended for this to be publicly posted online.

- The result of this research was it allowed Zeshan and the Nisos team to ultimately tell some of the social media platform companies how to find the appropriate signatures to disrupt this activity.
- All the research that we do for clients and for the work, the ultimate purpose should be okay, this is cool, so how can we stop this? So to stop it, you need to look for specific signals and patterns that you can report to different social media companies, and patterns that are repeatable or common among the whole campaign across social media networks, so we did provide a lot of that to a lot of social media platforms pro bono, just because that's the right thing to do when you publish IO research, to give them pre-publication notice so they can also investigate, but yes, we found a lot of commonalities and reported them appropriately to people that can take down content at scale way more than what we can just as outside investigators.

- This type of disinformation campaign seems way too easy, which means that every organization or movement or company anywhere in the world could potentially have a target on its back. It's like a parallel universe to hacking. Instead of people stealing data or sabotaging networks, they can be out there spreading all types of damaging information. This is something that enterprises need to be thinking about.

- So the "So what? Is it easy to do?" That's a relative term. With enough money and resources, you can do a lot on the social media exploitation side, especially with an objective like the CCP has of influencing narratives globally, because that is what they rely on as a state to do trade. OneSight is one of few companies that does overseas marketing at this scale, so is it easy to do? Kind of. Is it expensive? Yes, and you need a lot of resources and connections and relationships to get it done. Additionally, this also means that if the audience is a normal person that just uses social media, be careful about stuff that you find posted by non-mainstream outlets, even if they have a check mark, even if they have an organization name.
If they're saying something that just validates your previous belief or is just the opposite of US media or the opposite of something that has been investigated thoroughly, there's a chance that that organization may be a front for some other organization or a government over there pushing propaganda. As far as investigators and social media companies are concerned, for Nisos, finding companies like this doing activity, we've found general success by focusing on specific talk areas first, and then finding what companies show up. We can also do the workflow in a way that if we're given a company, we can investigate it and find what they're doing on platforms and on the web. I think trust and safety teams at different social media companies need to be aware that the way that they think about things is always signatures and signals. That's not how you're gonna find these things at first, 'cause you're just biased towards looking for specific patterns that you can scale in like a monitoring service when you have all that backend data and traffic. That doesn't really capture what kind of activity may be happening in the way that a normal social media user sees your platform.

- One of the key messages that needs to come from this is one of deterrents, but this goes both ways. It's difficult to convince hackers not to hack, or in this case to post disinformation, but it might be easier to speak directly to the victims of the social media companies, as well as any organization who might be an unwitting target in the next campaign.

- Social media platforms can be very clear about what policies they expect of companies, marketing firms, and marketing firms that do marketing on behalf of states and governments. They should make it clear to them if you are doing work for governments, you need to relay that to the social media company first and then to the users second.
If companies like OneSight are not clear and they, first of all, deceive platform companies and then deceive users, social media companies can have a very tough line and ban firms like OneSight altogether. Like we had said, OneSight does a lot of business, not just for the Chinese communist party and Chinese state media enterprises, so they're motivated by financial outcomes. They wanna make money. If their whole company is banned by Facebook or Twitter or other social media sites, their owners are gonna not be happy. The IRA was a cutout for Russian IO specifically, so their consequences are different. Their consequences are they just close their office and just make a new entity that does all these operations. They're not doing a lot of legitimate marketing work, but cutting out actors like the IRA is gonna be more challenging since they're already built as front companies, and their objectives are only to do illegitimate, inauthentic, covert influence campaigns.

- This can come down to policy and regulation. The FARA Act, for example, or Foreign Agents Registration Act.

- Just like on, we have the FARA regulations in the US, where the Foreign Agent Registry Act was introduced around the 1980s so that the US public could know which US companies and individuals are working on behalf of foreign governments. That has been a lot harder to implement and enforce today with the advent of social media. It's not like in the eighties and nineties that a foreign government could approach a DC firm and ask them to run an ad campaign in a newspaper. There's a lot less transparency and more loopholes with FARA. From a policy point of view, FARA would have to be updated or there would need to be some sort of new legislation to combat foreign government influence on US audiences through US firms or non-US firms.
If those are made very clear and FARA violations, when they are enforced, are enforced pretty strictly, it often leads to people being deported or sent back to their countries or banned from doing business with the federal government. That I think may be a good deterrent. It may be a good deterrent, but the law either needs to be changed or there needs to be a new law introduced to combat foreign social media influence specifically for that to be effective.

- This has worked before.

- So on FARA and influence campaigns, there still are social media IO operations that are captured on FARA. Axios reported in April 2022 that China had an influence campaign around the Olympic games that just happened this year, and they paid a US marketing firm to do this marketing. The Chinese Consulate of New York paid a commercial firm, a commercial marketing firm, $300,000 to get an army of social media influencers to reach Americans, and all this was captured on the FARA documentation, and that's how the journalists at Axios were able to uncover this and go down the rabbit hole of what kind of thought intent was being targeted to whom, all while it wasn't very clear on the ads that this was sponsored ultimately by the Chinese government, so FARA does work in some cases, but I think this is more along the lines of above or around this operation from the Chinese embassy side or Chinese diplomatic side, they are lazy about OPSEC. There's definitely ways to do this and not have it come up from FARA. Like we've seen in other client cases, there's a lot of IO campaigns that happen where, because FARA is so specific in what it regulates and who's considered a foreign principal or entity, you're not gonna find influence campaigns, you're not gonna be able to use FARA data to uncover influence campaigns all the time.
- So the responsibility lies between the application of regulations like FARA, but also with organizations like Nisos to ferret through the information operations, looking for evidence of disinformation campaigns.

- Just another way things are happening, I don't think it's one way or another that IO happens. It happens in a multitude of ways. It just depends who's paying for it, how they want to get it done, are they doing it themselves? Are they paying someone? You know, but that's why you have investigators like us.

- A web of misinformation walking in lockstep with legitimate media campaigns. A hostile government gets its embassy to hire a media company to run a Madison Avenue campaign or an online equivalent that appears to be legitimate, because it is, but directly behind these actions, like a shadow, is the true mission. One whose goals are not so friendly and whose footprint simply vanishes. Thank you to Nisos' Zeshan Aziz for joining "Know Your Adversary." I have to say the most interesting part of this conversation has to be the pattern identification, picking out word patterns from thousands of anonymous or made up personas to draw a bigger picture of the operation. It was pretty clever investigative work that led to the discovery of the automated tool that spread these campaigns, and this allowed us to inform the platform companies so their controls can better detect these types of automated tools. The disruption battle continues. Thanks for joining us. Thank you for listening to "Know Your Adversary." Every other week, we will bring you a new cyber crime attribution investigation that is representative of the work of Nisos operators past, present, and future. If you have any good stories to pitch, please reach out, as no two investigations are the same, and it is simultaneously fascinating how digital clues come together to bring context to crimes that victimize enterprise. For more information, please visit www.nisos.com. Thank you for listening.