Google has mounted a massive takedown, but Dragonbridge's extensive capabilities for generating and distributing vast amounts of largely spammy content calls into question the motivation behind the group.

5 Min Read
person looking at a back-end server
Source: DragonImages via Adobe Stock Photo

Google's Threat Analysis Group (TAG) spent 2022 working to disrupt the online presence of pro-Chinese influence operation (IO) Dragonbridge (aka Spamoflage Dragon) in 2022, wiping out more than 50,000 instances of activity across Twitter, YouTube, Blogger, and other channels.

The report added that despite producing plenty of content, Dragonbridge failed to attract an organic audience, mainly due to the low-quality, nonsensical nature of the content, which mostly consists of apolitical, spammy, often nonsensical clips of sports, food, or animals.

Also, "blurry visuals, garbled audio, poor translations, malapropisms, and mispronunciations are also common," the report noted. "The content is often hastily produced and error-prone — for example, neglecting to remove Lorem Ipsum text from a video."

Of the 56,771 YouTube channels created by Dragonbridge and deactivated by TAG last year, nearly 60% of the channels had zero subscribers and 42% of the videos posted on these channels had zero views.

Roughly 95% of Blogger blogs received 10 or fewer views, and more than 96% of the posts had zero comments.

The report said it has closed 100,960 accounts across multiple channels, including YouTube, Blogger, and AdSense over the operation's lifetime.

The group does generate some pro-China, anti-US messaging, in Mandarin, English, and other languages: For instance, while the pro-China content praises the country's COVID-19 pandemic response, it criticizes the US for meddling in international affairs, with one video portraying voting as useless. But these themes represent a small fraction of the content.

Despite the nearly nonexistent levels of engagement, Dragonbridge continues to experiment with content formats and attempts to improve the general low quality of its efforts, the report noted.

Dragonbridge joins other China-based IO campaigns, including HaiEnergy, a fake-news influence campaign leveraging at least 72 inauthentic news sites to push content strategically aligned with the political interests of the country.

These operations can be dangerous: In the US, for instance, disinformation campaigns were deployed around last year's midterm elections in an attempt to change attitudes of undecided voters and energizing supporters to get out and vote.

Google TAG researchers say that Dragonbridge likewise has the capability to become a more potent threat.

Ramping Up Activity During Political Flashpoints

Dragonbridge activity ramped up in July 2022 following US House Speaker Nancy Pelosi's announcement of a possible visit to Taiwan, with the group's rhetoric growing more belligerent as the Chinese People’s Liberation Army (PLA) prepared drills around the island.

Dragonbridge "displayed unusually coherent behavior in using uniform hashtags and titles across channels, while swiftly and repeatedly uploading topical, high-production-value content that was not interspersed with the usual misdirecting spam," the report noted.

Despite the lack of community engagement and seemingly slipshod content, Dragonbridge manages an extensive network of Google accounts that it likely obtains from bulk account sellers, which had been previously acquired for financially motivated activity before going dormant.

The report also noted that Dragonbridge is experimenting with higher-quality forms of content with real human voices instead of computer-generated narration, more sophisticated "news-like" chat formats, and animated political segments.

The persistent level of content distribution and the network's attempts at innovation when it comes to tactics and techniques are a continued cause for concern, TAG noted.

Dragonbridge to Nowhere?

"What's interesting is that nobody is questioning the volume of resources expended to address this," says Andrew Barratt, vice president at Coalfire, a provider of cybersecurity advisory services. "This could be mechanism used as part of a bait-and-switch style scam, keeping Google busy with lots of takedowns — this content is clearly not being watched."

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of software-as-a-service (SaaS) for enterprise cyber-risk remediation, adds while it may not appear successful, there are plenty of people out there who will fall for even the most outrageous misinformation.

"While these appear ineffective, even against the gullible, there's a good probability that there are a lot of them out there that are more successful and have managed to evade deletion," he says.

Parkin adds there are multiple possible reasons for doing what the group seems to be doing, from simply wasting resources to using these obviously spammy accounts for training a machine learning model on how to avoid being identified and removed.

Barratt agrees Dragonbridge's relentless onslaught could just be an indication of capability, showing that the group can find ways to drain Google's resources using its own tools against it.

"The level and depth of effort here goes way beyond the traditional script-kiddie disruptions, indicating it could even be a group looking to show off capabilities," he adds. "Nobody seems to be saying directly that it's a state-sponsored endeavor, which could perhaps be to wave off further political tensions."

Parkin cautions that while It looks like the threat is "script-kiddie level", that may be a mask for something more subtle.

"While it may not be an actively state-sponsored group, the sheer volume does imply more resources than the typical script kiddies can pull together," he says.

Barratt points out that with access to major cloud providers, scale is easily achievable by anyone — but the interesting piece of this is that a lot of the real cost is absorbed by the platforms being focused on.

"Custom bot development can spin up accounts, drop content, and then move to promote it; [it is really a small expense for Dragonbridge] compared with the cost of hosting the video, reviewing it, and taking it down," he says. "It's a very high return on investment if you measure your returns in the cost your adversary faces."

From his perspective, this is more likely to be a disinformation equivalent of performing military maneuvers at the border.

"Someone is showing someone else what they can do and how hard it is to stop," he says.

Parkin adds it's possible to programmatically create multiple accounts, post videos, and cross-link them all in the comments.

"If that’s how it's being done, then it doesn't take massive resources, and it's possible a small group with the right skills could pull it off," he says. "But without looking at Google's data, it's hard to say whether that's what was done here."

Dark Reading reached out to Google TAG for clarification, and will update this post with any additional information.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights