Since Russia bombarded the 2016 election with Twitter trolls and astroturfed lies, election watchers have been on guard against social media “influence operations.” Four years later, Iran took a stab at meddling in the 2020 presidential election, with more mixed results. Now, the People's Republic of China—or, at least, a group with a long-running pro-Chinese government agenda—seems to be trying out its own political influence operation just ahead of this year's US midterm elections. And while that operation seems to have largely failed this time, the campaign represents the growing boldness of a new adversary in the fight against organized disinformation.
On Wednesday, cybersecurity and threat intelligence firm Mandiant published new findings about a group it calls Dragonbridge, which it's seen for years promoting pro-Chinese interests in fake grassroots social media campaigns designed to influence politics in Taiwan and Hong Kong. Now, Mandiant's analysts have tied Dragonbridge to a series of more US-focused influence campaigns. The group claimed that a notorious hacking spree carried out by known Chinese state-sponsored hackers was actually carried out by US intelligence, falsely blamed the sabotage of the Nord Stream pipeline on the US government, and—perhaps most brazenly—seeded hundreds of posts on social media designed to demoralize voters and reduce turnout ahead of the November midterms.
“This actor has been rapidly growing and hyper-aggressive. They went from carrying out limited campaigns focused on Hong Kong to a global operation on dozens of platforms,” says John Hultquist, Mandiant's VP of intelligence analysis. “Interfering in our elections is just another line that they're clearly willing to cross.”
Mandiant declined to reveal in its report or to WIRED the full collection of disinformation posts that it's tied to Dragonbridge, but the company says the posts numbered in the thousands. Nor would Mandiant name all the platforms where Dragonbridge had created accounts. But it describes posts published by these accounts arguing that American democracy was being taken over by extreme partisanship, as well as posts pointing to episodes of confrontations and violence between political groups and against the FBI as instances of “civil war.” The group also published a video, Mandiant says, that discourages Americans from voting, making claims about political gridlock and inaction and showing images of the January 6, 2021, insurrection at the US Capitol Building. “The solution to America’s ills is not to vote for someone,” the video argues at one point, according to Mandiant, but “to root out this ineffective and incapacitated system.” All of the content Mandiant identified in its report as part of the Dragonbridge operations has since been deleted, the company says.
Other simultaneous influence campaigns from the group tie it more evidently to Chinese government interests. Pseudonymous Twitter accounts that Mandiant says were controlled by Dragonbridge posted claims in both English and Mandarin stating that espionage campaigns carried out by the prolific China-linked hacker group APT41 were really the work of the NSA and CIA. “For at least ten years, the American hacker group [APT41] has repeatedly carried out cyber attacks, espionage activities, cyber piracy and cyber crimes against other countries,” reads one tweet in October from a seemingly fictional person named Karen Diaz.
In fact, the US Department of Justice indicted seven Chinese men in 2020 as members of APT41, tying them to a contractor working on behalf of China's Ministry of State Security known as Chengdu 404. The indictment accuses the men of hacking hundreds of targets around the globe, both to carry out espionage on behalf of the MSS and to profit from their own cybercrime operations.
In an attempt to shift that blame, Dragonbridge's influence campaign went so far as to create spoofed posts from Intrusion Truth, a mysterious pseudonymous Twitter account that has previously released evidence tying multiple hacking campaigns to China, including those of APT41. The fake Intrusion Truth posts instead falsely tie APT41 to US hackers. Dragonbridge also created an altered, spoofed version of an article in the Hong Kong news outlet Sing Tao Daily pinning APT41's activities on the US government.
In a more timely example of Dragonbridge's disinformation operations, it also sought to blame the destructive sabotage of the Nord Stream natural gas pipeline—a key piece of infrastructure connecting European countries to Russian gas sources—on the United States. Mandiant says that claim, which echoes statements from Russian president Vladimir Putin and Russian disinformation sources, appears to be part of a larger campaign designed to sow divisions between the United States and its allies that have opposed and sanctioned Russia for its unprovoked and catastrophic military invasion of Ukraine.
None of those campaigns, Mandiant emphasizes, was particularly successful. Most of the posts had single-digit likes, retweets, or comments at best, the company says. Some of its spoofed tweets impersonating Intrusion Truth have no signs of engagement at all. But Hultquist warns nonetheless that Dragonbridge demonstrates a new interest in aggressive disinformation from pro-China sources, and possibly from China itself. He worries, given China's widespread cyber intrusions around the world, that future Chinese disinformation campaigns might include hack-and-leak operations that blend real revelations into disinformation campaigns, as Russia's GRU military intelligence agency has done. “If they get their hands on some real information from a hacking operation,” Hultquist says, “that's where they become especially dangerous.”
Despite Dragonbridge's occasional pro-Russian messages, Hultquist says that Mandiant has little doubt of the group's pro-China focus. The company first spotted Dragonbridge engaged in a fake grassroots campaign to disparage Hong Kong pro-democracy protestors in 2019. Earlier this year, it saw the group pose as Americans protesting against US rare-earth metal mining companies that competed with Chinese firms.
That doesn't mean Dragonbridge's campaigns are necessarily the work of a Chinese government agency or even a contractor firm like Chengdu 404. But they're very likely at least located in China, Hultquist says. “It's hard to imagine their activity, in its totality, being in any other country's interest,” says Hultquist.
If Dragonbridge is working directly for the Chinese government, it may mark a new phase in China's use of disinformation. In the past, China has largely stayed away from influence operations. A Director of National Intelligence report on foreign threats to the 2020 election declassified last year stated that China “considered but did not deploy influence efforts designed to change the outcome of the US Presidential election.” But just last month Facebook, too, says it spotted and removed campaigns of Chinese political disinformation posted to the platform from mid-2021 to September 2022, though it didn't say if the campaigns were linked to Dragonbridge.
Despite the apparent resources put into Dragonbridge's long-running operations, its new foray into election meddling looks remarkably ham-fisted, says Thomas Rid, a professor of strategic studies at Johns Hopkins and author of a history of disinformation, Active Measures. He points to abstract phrases, like its call to “root out this ineffective and incapacitated system.” That kind of dull language fails to effectively exploit real wedge issues to exacerbate existing divisions in US society—often best identified by local agents on the ground. “It seems like they didn’t read the manual,” Rid says. “It seems like a remote, amateurish affair done from Beijing.”
But both Rid and Mandiant's Hultquist agree that Dragonbridge's relative lack of success shouldn't be seen as a sign of Americans' growing immunity to influence operations. In fact, they argue that the deep political divisions in American society may mean that the US is less equipped than ever to distinguish fact from fabrication in social media. “Authoritative sources are no longer trusted,” says Hultquist. “I'm not sure that we're in a great place right now, as a country, to digest that some major information operation is attributable to a foreign power.”
