Glass Onion
Peeling Back the Layers of a Pro-China Online Ecosystem
- Graphika has uncovered a network of 43 domains and 37 subdomains that pushed pro-China messaging while posing as the New York Times, the Guardian, the Wall Street Journal, and other legitimate media outlets.
- We identified technical links connecting this network to two Chinese companies that Google’s threat analysis group previously determined ran a pro-China campaign dubbed HaiEnergy. The tactics, techniques, and procedures (TTPs) used by the network closely resemble HaiEnergy and similar activity sets, including Paperwall, DuringBridge, and BayBridge.
- These domains and subdomains hosted advertisements, Chinese state media content, and pro-Communist Party of China (CPC) messaging pulled from external websites. We linked the hosted content to 30 Chinese companies and three Chinese individuals involved in public relations (PR) and digital marketing.
- We identified evidence that these companies and/or individuals leveraged these domains in contracts to promote the activities undertaken by CPC-linked entities. It is unclear whether these entities were aware that the promotion involved domains that spoofed English -and Chinese-language media outlets.
- The domains copied specific design elements directly from the websites of legitimate outlets in an effort to make their impersonation more convincing. Many also shared the same content management system (CMS) template.
- After Chinese marketing and PR firms placed content on the spoofed websites, the likely clients often promoted the material on Chinese platforms and websites, claiming it as evidence that influential news outlets had covered their company.
- On Western platforms, Spamouflage-linked accounts amplified content from these domains, demonstrating overlaps between the Chinese influence operation and this ecosystem of Chinese PR and marketing companies.
Margot Fulde-Hardy researches Chinese online influence operations targeting global audiences. Additionally, she conducts investigations related to foreign information manipulation and interference campaigns targeting electoral contexts. Margot is also a FIMI-ISAC member and co-chair of OASIS Open source project DAD-CDM technical steering committee, where she supports the research on creating a common data model for FIMI campaigns, drawing on her expertise on STIX, TTPs, and OpenCTI.
Lili specializes in tracking and analyzing Chinese influence operations targeting global audiences and democratic processes. Additionally, she has expertise in tracking AI-enabled inauthentic behavior, platform abuse, and nation-state cyber threats. At Graphika, she has led investigations into networks of fake news domains and threats to commercial interests.
Download the complete PDF
The full report includes the complete network graph maps, raw attribution indicators, cross-platform topology analysis, and the full takedown timeline with platform-level data.
- Full network graph visualizations
- Attribution indicators with confidence scores
- Raw behavioral modeling data
- Takedown coordination timeline
Related Reports
Summit Old, Summit New
Russia-Linked Actors Leverage New and Old Tactics in Influence Operations Targeting Online Conversations About NATO Summit
Read the Report
Lights, Camera, Coordinated Action!
A Network of Fake Media Outlets Paid Actors and Journalists to Spread Political Narratives Supporting Pakistan’s Government and Military
Read the Report
Falsos Amigos
Network of Domains and Social Media Accounts Uses AI Tools to Launder Reports From Chinese State Media Outlet CGTN in Multiple Languages
Read the ReportSee How Graphika Can Help Your Team Act on This Intelligence
This report is one of 600+ investigations Graphika’s team has published. Our platform gives your analysts continuous access to the same intelligence — plus the tools to apply it to your specific threat environment.