
[CB20] Dissecting China’s Information Operations with Threat Intelligence by Che Chang and Silvia Yeh

In this talk, we will focus on Information Operations (InfoOps) on social media platforms. InfoOps involve a coordinated dissemination of propaganda and disinformation aiming to influence a region’s politics. TeamT5 Inc., as a cyber security firm based in Taiwan, has been investigating China’s InfoOps since 2016.
By adopting the mindset of threat intelligence, we have managed to illustrate the InfoOps threat landscape in Taiwan as well as identify several threat actors on SNS. We summarized China’s InfoOp tactics into an attack graph. The authoritarian regime’s InfoOps tactics span a wide range of approaches, including: (1) propaganda by state media; (2) political content farms and spam botnets operated by marketing firms; and (3) mobilization of patriotic netizens (a.k.a. Little Pink) to conduct verbal attacks or doxxing against dissidents.
More importantly, we believe APT actors might have entered the InfoOps threat landscape. In 2020 July, we identified an InfoOp that can be linked to a notorious Chinese APT group.
Due to the fast-changing nature of SNS, it is often difficult to identify the threat actors before they cause widespread disinformation that can wreak havoc. In this case, we believe threat intelligence can provide instant insight into actor methodologies and expose potential risks.


  1. Dissecting China’s Information Operations (InfoOps) with Threat Intelligence. Speakers: Che Chang, Silvia Yeh
  2. Speakers’ Bio: Che Chang is a TeamT5 Cyber Threat Analyst and the co-author of “TeamT5 Information Operation Whitepaper.” Research interest: Information Operation, underground markets research. Experience: 2020 April vGCTF workshop, 2019 Cybersec in Taiwan, etc. Silvia Yeh is a TeamT5 Cyber Threat Analyst and the co-author of “TeamT5 Information Operation Whitepaper.” Research interest: Information Operation, cyber policies in Asia-Pacific countries. Experience: Taiwan Academia Sinica closed-door meeting, etc.
  3. Today’s Outline: 1. Introduction 2. InfoOps in Taiwan’s 2020 General Election 3. TTPs of China’s InfoOps 4. Conclusion 5. QA Session
  4. Introduction: What is Information Operation?
  5. Information Operation (InfoOp). AKA: Influence Operation, Information Warfare. Definition by U.S. Defense Department: “the integrated employment during military operations of information-related capabilities (IRCs), in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision making of adversaries...” Source: https://dod.defense.gov/Portals/1/Documents/pubs/DoD-Strategy-for-Operations-in-the-IE-Signed-20160613.pdf
  6. China’s InfoOps
     • Covert Operation: an operation conducted with concealment of the sponsor’s identity. Disinformation; Doxxing; Key Opinion Leaders (KOL); Content farms; Spam Botnet; Marketing Firms
     • Overt Operation: an operation conducted openly and without concealment. Misinformation; Propaganda; State media; Diplomats and embassies; United Front Work Department (UFWD); Communist Youth Party
  7. China’s InfoOps Research Timeline
     • 2018 Nov – Taiwan Local Elections
     • 2019 Jun – Hong Kong Pro-Democracy Protest
     • 2020 Jan – Taiwan General Elections
     • 2020 Feb – COVID-19 Pandemic
     • 2020 Nov – U.S. Presidential Elections
  8. InfoOps during Taiwan’s 2020 General Election. Taiwan’s CEC (Central Election Commission): 128 pieces of disinformation were identified before election day.
  9. Where did the disinformation come from? Our research discovered that many pieces of disinformation originated in China. Source of content:
  10. TTPs* of China’s InfoOps: 1. Propaganda machine 2. Political Content Farm and Spam Botnet 3. Mobilization of Patriotic Netizens. *TTPs: Tactics, Techniques and Procedures
  11. 1. The Chinese propaganda machine has built a significant presence across social media platforms
  12. Comparison of Facebook Followers Between Chinese State Media and Other Media Outlets. * Data as of 2020 September 20th
  13. Chinese state media, embassies, and diplomats propagating propaganda, misinformation and conspiracy theories.
  14. 2. Political Content Farm and Spam Botnet as the amplifier of the propaganda machine
  15. Xinhua News (新华社): “Politicization of COVID-19 Gets U.S. Trapped in Deep Trouble,” 2020/08/15. URL: http://www.xinhuanet.com/world/2020-08/15/c_1126371867.htm
  16. 2020/08/16, 2020/08/17, 2020/08/19, 2020/08/24, 2020/08/26, 2020/09/03
  17. Spam botnet profile pictures are mugshots which can be purchased from online forums and the dark web.
  18. Cross-platform activities. Source of content: (A national news site controlled by a party media outlet.)
  19. 3. Mobilization of Patriotic Netizens
  20. Case Study: Doxxing Campaign against Hong Kong Protesters
     • Anonymous website hkleaks[.]ru published information of HK protesters
     • First registered: 2019 August
     • Email: hkleaks@yandex.com
     • Alternative Domains: hkleaks[.]pk, hkleaks[.]org, Hkleaks[.]cc, hkleaks[.]pw
  21. #IDareYouToPullOffYourMask# #TakeOffYourMaskMovement# Chinese state media CCTV promoted the site
  22. China’s “Digital Propaganda Formula”
  23. Worst-Case Scenario: APT+InfoOp
     • Operation Juiker on “PTT”
     • Goal: To discredit Taiwan’s intelligence agency and government-backed research institute
     • 20 Taiwanese IPs and 50 PTT accounts were controlled.
     • One of the IPs overlaps the Command and Control (C2) servers of a Chinese APT group
  24. Apply threat intelligence to identify and prioritize threats.
     • Threat actors keep evolving and changing their tactics over time.
     • Threat intelligence provides instant insight into actor methodologies and exposes potential risks.
  25. Thanks for listening
