Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists. China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace. In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace. We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.

1. Che Chang Silvia Yeh
From Parroting to Echoing:
The Evolution of
China’s Bots-Driven InfoOps
targeting Taiwan

2. Che Chang
Senior Cyber Threat Analyst @TeamT5
Research interests
Chinese cybercrime underground market and Information
Operation
Speaking Engagement
Black Hat Asia, HITCON Pacific, Code Blue, SANS CTI
Summit, 2020 vGCTF Workshop and Cybersec in Taiwan.
Silvia Yeh
Cyber Threat Analyst @TeamT5
Research interests
APTs and InfoOps in APAC region
Speaking Engagement
Black Hat Asia, CODE BLUE, SANS CTI Summit, CyberSec, HITCON
Pacific, etc.

3. Outline
• Intro: China-nexus Bot Networks
• From “Parroting” to “Echoing”
• Case Study: Operation ChinaRoot
• Outlook and Conclusion

4. Our Methodology
• CTI Mindset
• Actor
• Attribution
• TTPs
• Diamond Model

5. Intro: China-nexus
Bot Networks

6. Previous Observation
• Limited influence, no organic engagement
• Mechanical parroting of Chinese state media
• Operations remain persistent for years
• New bots are spawned within a short period of time
• Notable case: Spamouflage network

7. Mechanical
parroting of
Chinese state
media

8. - Caption +
meme
- Limited
influence,
no organic
engagement

10. From “Parroting”
to “Echoing”

11. Nuanced Changes in TTPs (1):
Hijacking pro-democracy narratives
• Blogs/forums → mainstream social media
platforms
• Create a false appearance that the content is
being echoed across the cyberspace
• Victims
• Milk Tea Alliance
(Online democracy and human rights movement)
• Intrusion Truth
(Anonymous group)
• Safeguard Defenders
(pan-Asian human rights NGO)

12. Hijacked Identity Trigger Point/Motivation Amplified
Narrative
Date
Milk Tea Alliance Unknown Covid-19 origin conspiracy
theory (Fort Detrick)
2022 FEB – 2022 MAY
Safeguard Defenders Published a report on Chinese
transnational policing
Pro-Chinese police content 2022 SEP – 2022 OCT
Intrusion Truth 1. Intrusion Truth published an
article on APT41
2. Following accusations of NSA’s
attack against Northwestern
Polytechnical University
- APT41 is funded by the U.S.
government
- APT41 is operated by NSA
TAO
2022 JUL - Ongoing
Nuanced Changes in TTPs (1):
Hijacking pro-democracy narratives

13. kaskus.co.id ID
ameblo.jp JP
vk.com RU
dnyhr.com ASEAN
nanyangmoney.com VN/SG/MY
mhwmm.com MM
xiaoxq.net NAM
careerengine.us NAM
6parkbbs.com NAM
nairaland.com NG
hswh.org.cn CN
teamilk951.tumblr.com
teamilk115.livejournal.com

14. • Famous “Fort Detrick” conspiracy theory

16. • Shared infra
• Narrative overlap:
• Taiwan
• Xinjiang
• Journalist
• Lynas Rare Earths
(Operation
DragonBridge)
• Guo Wengui

19. Shared infra

24. Nuanced Changes in TTPs (2):
From “Parroting” to “Echoing”
• Local forums → social media platforms → local
forums
• Create a false appearance that the content is
being echoed across the cyberspace
• Online communities of different purposes
(lifestyle, politics, local community, pets,
cryptocurrency, live streaming, marketplace)

25. Operation ChinaRoot (マツホド)

26. Operation ChinaRoot (茯苓有點兒甜)
• 茯苓 (マツホド)
• Over 200 fan pages and bot accounts identified
• Botnets overlapped in DRAGONBRIDGE and Spamouflage
• Status: ongoing since mid-2021
• Target: Taiwanese online users
• Aim: Attack Taiwanese pro-independence
politicians
• Platforms: Taiwan’s local forums
• (卡提諾論壇 Ck101, BabyHome, etc.)
Source: Taiwan Ministry of Justice Investigation Bureau (MJIB)

27. Operation ChinaRoot: Key Narratives
Defeatism
• “PLA is ready to attack Taiwan, Tsai Ing-wen
has escaped,”
Attack pro-democracy U.S. politicians
• “Pelosi’s trip to Taiwan is for financial gain,”
Attack Taiwanese government policies
• “Taiwanese government covered up Covid-
19 death cases,”
• “Taiwan’s Covid measures caused
widespread death among children,”
• “Taiwan’s own Vaccine is causing people
dead.”

28. Multi-Layer Amplification

29. ①
②
③
④

31. Narrative
during
Pelosi’s visit
to Taiwan

32. Narrative during Pelosi’s visit to Taiwan

33. Outlook
and
Conclusion

34. Strategic Overview: Overt Operation
• China’s overt operations are always there during every major political
event:
• Hong Kong pro-democracy protest in 2019
• Taiwan’s major elections
• COVID outbreaks
• Ukraine war
• More collaboration between Chinese and Russian state media outlets
and propaganda machine
• China’s propaganda machine was amplifying Russia’s disinformation during
the Ukraine invasion

35. Strategic Overview: Covert Operation
• Operation ChinaRoot
• Bot networks may be a shared asset among Chinese nation-state
actors
• Bot accounts repeatedly deployed in different influence campaigns
• Guo Wengui, Xinjiang, Hong Kong, US Covid policies, Taiwan, Ukraine

36. Future Outlook
• Social media platforms: critical battlefields for threat actors to launch
InfoOps
• China’s Overt InfoOp will be more sophisticated.
• China’s Covert InfoOp will be more advanced.
• Political events are the key driver for InfoOp campaigns.
• Mobilization of online netizens
• Doxxing: Create harassment against journalists
• Protest: Incite protests in the physical world
• Strategic Distraction: Breed cynicism, distrust, and defeatism

37. Future Outlook (cont.)
• We have seen the covert InfoOp in the times of crises.
• Especially in times of war and elections
• People on social media will be targeted and exploited by
authoritarianism government in major political events
• Threat actors react rapidly to current affairs
• Upcoming events
• 2022 Taiwanese local elections
• 2022 U.S. midterm elections

39. Mitigation
• To mitigate InfoOp on social media needs all stakeholders.
Public Sector
#Cyber Governance
#Law enforcement
#Foreign interference
Civil Society
#Fact Checking
#Media literacy
Global Firms
#Platform Support
#Technical Support

40. Mitigation (For the Law and Policy Track)
1. Review international and domestic laws
2. Start from human Security
3. Build understanding of technology
4. Maintain the collaborative Mechanisms
*An approach of cyber threat intelligence
CTI approach can provide a better understanding of the threat
landscape by connecting dots, hunting down actors, and swiftly detecting
suspicious accounts during the early stage
• Swift detection of malicious narrative
• Detect and Flag the amplifiers and their botnets
• Immediate removal and blockage before viral

41. Welcome to visit our booth!
TeamT5は日本人セキュリティアナリスト募集中です。
興味がある方は当社ブースにお立ち寄り下さい。
Thank You.