In this talk, we will focus on Information Operations (InfoOps) on social media platforms. InfoOps involve a coordinated dissemination of propaganda and disinformation aiming to influence a region’s politics. TeamT5 Inc., as a cyber security firm based in Taiwan, has been investigating China’s InfoOps since 2016.
By adopting the mindset of threat intelligence, we have managed to illustrate the InfoOps threat landscape in Taiwan as well as identify several threat actors on SNS. We summarized China’s InfoOps tactics into an attack graph. The authoritarian regime’s InfoOps tactics span a wide range of approaches, including: (1) propaganda by state media; (2) political content farms and spam botnets operated by marketing firms; and (3) mobilization of patriotic netizens (a.k.a. Little Pink) to conduct verbal attacks or doxxing against dissidents.
More importantly, we believe APT actors might have entered the InfoOps threat landscape. In 2020 July, we identified an InfoOp that can be linked to a notorious Chinese APT group.
Due to the fast-changing nature of SNS, it is often difficult to identify the threat actors before they cause widespread disinformation that can wreak havoc. In this case, we believe threat intelligence can provide instant insight into actor methodologies and expose potential risks.
2. Speakers’ Bio
Che Chang is a TeamT5 Cyber Threat Analyst and the co-author of “TeamT5 Information Operation Whitepaper.”
Research interest: Information Operation, underground markets research.
Experience: 2020 April vGCTF workshop, 2019 Cybersec in Taiwan, etc.
Silvia Yeh is a TeamT5 Cyber Threat Analyst and the co-author of “TeamT5 Information Operation Whitepaper.”
Research interest: Information Operation, cyber policies in Asia-Pacific countries.
Experience: Taiwan Academia Sinica closed-door meeting, etc.
3. Today’s Outline
1. Introduction
2. InfoOps in Taiwan’s 2020 General Election
3. TTPs of China’s InfoOps
4. Conclusion
5. QA Session
5. Information Operation (InfoOp)
AKA: Influence Operation, Information Warfare
Definition by U.S. Defense Department:
“the integrated employment during military operations of information-related capabilities (IRCs), in concert with other lines of operation to influence, disrupt, corrupt, or usurp the decision making of adversaries...”
Source: https://dod.defense.gov/Portals/1/Documents/pubs/DoD-Strategy-for-Operations-in-the-IE-Signed-20160613.pdf
6. China’s InfoOps
Covert Operation: An operation conducted with concealment of the sponsor’s identity
• Disinformation
• Doxxing
• Key Opinion Leaders (KOL)
• Content farms
• Spam Botnet
• Marketing Firms
Overt Operation: An operation conducted openly and without concealment
• Misinformation
• Propaganda
• State media
• Diplomats and embassies
• United Front Work Department (UFWD)
• Communist Youth Party
7. China’s InfoOps Research Timeline
• 2018 Nov: Taiwan Local Elections
• 2019 Jun –: Hong Kong Pro-Democracy Protest
• 2020 Jan: Taiwan General Elections
• 2020 Feb –: COVID-19 Pandemic
• 2020 Nov: U.S. Presidential Elections
8. InfoOps during Taiwan’s 2020 General Election
Taiwan’s CEC (Central Election Commission):
128 pieces of disinformation were identified before the election day.
9. Where did the disinformation come from?
Our research discovered that much of the disinformation originated in China.
Source of content:
10. TTPs* of China’s InfoOps
1. Propaganda machine
2. Political Content Farm and Spam Botnet
3. Mobilization of Patriotic Netizens
*TTPs: Tactics, Techniques and Procedures
11. 1. The Chinese propaganda machine has built a significant presence across social media platforms
12. Comparison of Facebook Followers Between Chinese State Media and Other Media Outlets
* Data as of 2020 September 20th
13. Chinese state media, embassies, and diplomats propagating propaganda, misinformation and conspiracy theories.
14. 2. Political Content Farm and Spam Botnet as the amplifier of the propaganda machine
20. Case Study: Doxxing Campaign against Hong Kong Protesters
• Anonymous website hkleaks[.]ru published information of HK protesters
• First registered: 2019 August
• Email: hkleaks@yandex.com
• Alternative Domains
  • hkleaks[.]pk
  • hkleaks[.]org
  • hkleaks[.]cc
  • hkleaks[.]pw
23. Worst-Case Scenario: APT + InfoOp
• Operation Juiker on “PTT”
• Goal: To discredit Taiwan’s intelligence agency and government-backed research institute
• 20 Taiwanese IPs and 50 PTT accounts were controlled.
• One of the IPs overlaps the Command and Control (C2) servers of a Chinese APT group
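The infrastructure overlap described on the Operation Juiker slide can be checked with a pivot like the following, an added example that is not TeamT5's tooling: it clusters accounts that share source IPs and flags clusters whose IPs also appear in a C2 indicator set. The (account, IP) records, account names and documentation-range addresses are constructed, and having a source IP for each post is an assumption.

```python
from collections import defaultdict

# Constructed sample data: (account, source IP) pairs using documentation ranges.
POSTS = [
    ("acct_a", "192.0.2.10"), ("acct_b", "192.0.2.10"),
    ("acct_b", "198.51.100.7"), ("acct_c", "198.51.100.7"),
    ("acct_d", "203.0.113.5"), ("acct_e", "203.0.113.5"),
    ("acct_f", "203.0.113.99"),
]
# Constructed placeholder for C2 addresses taken from separate intrusion reporting.
C2_IPS = {"198.51.100.7"}


def find(parent, node):
    """Union-find lookup with path compression."""
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node


def cluster_accounts(posts):
    """Group accounts linked directly or transitively by a shared IP."""
    parent = {}
    for account, ip in posts:
        a, i = ("acct", account), ("ip", ip)
        parent.setdefault(a, a)
        parent.setdefault(i, i)
        parent[find(parent, a)] = find(parent, i)
    groups = defaultdict(lambda: {"accounts": set(), "ips": set()})
    for kind, value in list(parent):
        root = find(parent, (kind, value))
        groups[root]["accounts" if kind == "acct" else "ips"].add(value)
    return list(groups.values())


def flag_c2_overlap(clusters, c2_ips, min_accounts=2):
    """Return multi-account clusters whose IPs intersect the C2 set."""
    hits = []
    for c in clusters:
        overlap = c["ips"] & set(c2_ips)
        if overlap and len(c["accounts"]) >= min_accounts:
            hits.append({"accounts": sorted(c["accounts"]),
                         "ips": sorted(c["ips"]), "c2_overlap": sorted(overlap)})
    return hits


if __name__ == "__main__":
    for hit in flag_c2_overlap(cluster_accounts(POSTS), C2_IPS):
        print(hit)
```

Because accounts are linked transitively, acct_a is flagged even though it never posted from the overlapping address itself.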
24. Apply threat intelligence to identify and prioritize threats.
• Threat actors keep evolving and changing their tactics over time.
• Threat intelligence provides instant insight into actor methodologies and exposes potential risks.