In June 2019, Mandiant Threat Intelligence first reported to customers a pro-People’s Republic of China (PRC) network of hundreds of inauthentic accounts on Twitter, Facebook, and YouTube, that was at that time primarily focused on discrediting pro-democracy protests in Hong Kong. Since then, the broader activity set has rapidly expanded in size and scope and received widespread public attention following Twitter’s takedown of related accounts in August 2019. Numerous other researchers have published investigations into various aspects of this activity set, including Google’s Threat Analysis Group, Graphika, the Australian Strategic Policy Institute, the Stanford Internet Observatory and the Hoover Institution, and the Centre for Information Resilience.

Since we began tracking the campaign in mid-2019, we have observed multiple shifts in its tactics, many of which have been reported on publicly elsewhere, including the use of artificially generated photos for account profile pictures and the promotion of a wide variety of narrative themes related to current events, including multiple narratives related to the COVID-19 pandemic, narratives critical of Chinese dissident Guo Wengui and his associates, and narratives related to domestic U.S. political issues. However, other evolutions in the network’s activity do not appear to have been reported widely, and our aim with this blog post is to provide early warning of two significant developments that we believe are important to monitor despite the limited impact of the network so far:

• The scope of activity, in terms of languages and platforms used, is far broader than previously understood. Most reporting has highlighted English and Chinese-language activity occurring on the social media giants Facebook, Twitter, and YouTube. However, we have now observed this pro-PRC activity taking place on 30 social media platforms and over 40 additional websites and niche forums, and in additional languages including Russian, German, Spanish, Korean, and Japanese. While some platforms have hosted hundreds or thousands of accounts in the network, other platforms have hosted a smaller number. Collectively, these observations suggest the actors behind this campaign have significantly expanded their online footprint and appear to be attempting to establish a presence on as many platforms as possible to reach a variety of global audiences.
• Accounts in the network have actively sought to physically mobilize protestors in the U.S. in response to the COVID-19 pandemic, though we have seen no indication that these attempts motivated any real-world activity. While previous public reporting has highlighted limited instances of organic engagement with the network on Twitter and we have continued to track similar instances of organic engagement on both social media and niche online forums, this direct call for physical mobilization is a significant development compared to prior activity, potentially indicative of an emerging intent to motivate real-world activity outside of China’s territories. While this attempt did not appear to achieve any success, we believe it is critical that observers continue to monitor for such attempts in case greater degrees of organic engagement are later realized by the network.

Activity Expands to Dozens of Social Media Platforms, Websites, and Forums in at Least Seven Languages

Similar to previously reported activity that has spanned Facebook, Twitter, and YouTube, we have observed coordination between suspected accounts in the network across 30 social media platforms and over 40 other websites and online forums. These accounts have posted similar, and in many cases identical messaging and engaged in the coordinated sharing, commenting on, and liking of text, image, and video content. For example:

• We have observed thousands of identical text posts, images, and videos promoted by accounts on Vimeo, Vkontakte, TikTok, and a number of other platforms claiming that Chinese dissident Guo Wengui, former White House Chief Strategist Steve Bannon, and Chinese virologist Dr. Li-Meng Yan are “liars” in response to Dr. Yan’s Claim that the coronavirus was created in a Chinese lab (Figure 1). Videos featured characteristics typical of those promoted by the network historically, including Chinese and automated English-language voiceovers.
• In some instances, accounts on one platform have directly provided their corresponding social media handles on other platforms in their bios. For example, we have observed accounts on LiveJournal posting in Russian, English, and German provide handles for corresponding Twitter accounts that all posted in English (Figure 2). Different accounts across different platforms have also appropriated the same profile photos, including photos of models and stock photography (Figure 3). We also observed instances of forum posts linking to other accounts in the network (Figure 4).

Figure 1: Vimeo account (left) shares identical video as TikTok account (right)

Figure 2: LiveJournal account (left) linking to Twitter account (right); accounts use identical profile photo and display name

Figure 3: Tumblr account (top) uses same profile photo as LiveJournal account (bottom)

Figure 4: A forum post links to a Twitter account in the network

We have observed extensive promotion of Russian, German, Spanish, Korean, and Japanese-language content on U.S. and non-U.S.-based platforms, in addition to the typical English and Chinese-language activity that has been widely reported on. This represents a significant development in our collective understanding of this pro-PRC activity set. For example:

• We observed Russian-language posts on LiveJournal claim that U.S. Ft. Detrick was the source of the coronavirus and that China was “not the source” of the virus, a long-promoted and extensively reported narrative of this activity set that has also been promoted by Chinese state-run media outlets since early 2020 (Figure 5). Additionally, we have observed Russian-language posts on both LiveJournal and VKontakte by accounts we have tied to the network cite unconfirmed studies to claim COVID-19 may have appeared in the U.S. as early as December 2019.
• We have observed several instances of multiple inauthentic VKontakte accounts reposting Russian translations of posts by what appear to be authentic English-language Twitter accounts belonging to individuals who claim to have contracted COVID-19 in late 2019 in the U.S. and other locations outside China (Figure 6). We also observed a small number of Russian-language posts by VKontakte accounts in the network state that Taiwan and Hong Kong are Chinese territories.
• We observed German and Spanish-language content on LiveJournal and the Argentine social media site Taringa that also attempted to cast doubt about the origins of COVID-19. Posts in German on LiveJournal cited unconfirmed studies to claim that COVID-19 may have appeared in the U.S. before January 2020, while posts in Spanish on Taringa claimed that U.S. Ft. Detrick was the source of COVID-19 and linked to third-party articles that claimed that the virus appeared in the U.S. and Europe before China (Figures 7 and 8).
• Notably, some of the Russian and German-language posts we observed contained recurring grammatical errors, a limited indication that they may have been authored by non-native speakers of those languages. For example, we observed Russian-language LiveJournal posts by accounts purportedly operated by female bloggers use a masculine-tense verb for the phrase "Я увидел" (Translation: "I saw"), which should read "увидела" if written by a female Russian speaker (Figure 9).

Figure 5: LiveJournal accounts promote identical text in Russian claiming that "U.S. Ft. Detrick was the source of COVID-19" and that "China is not the source of the virus"

Figure 6: Inauthentic VKontakte accounts (top) repost in Russian a post from what appears to be an authentic English-language Twitter account (bottom)

Figure 7: LiveJournal accounts post identical text in German claiming that COVID-19 may have appeared in the U.S. before Jan. 19, 2020

Figure 8: Spanish-language Taringa accounts post articles and text to cast doubt about the origin of COVID-19

Figure 9: LiveJournal accounts post identical, grammatically incorrect messages in Russian implying that American netizens believed they were infected with COVID-19 in late 2019 and early 2020

Attempts to Physically Mobilize Protestors in the U.S.

In April 2021, thousands of posts in languages including English, Japanese, and Korean, images, and videos were posted across multiple platforms by accounts we assess to be part of this broader activity set that called on Asian Americans to protest racial injustices in the U.S. (Figure 10). The accounts specifically called on Asian Americans to protest on April 24 in New York City and “fight back” against the purported “rumors” caused by Dr. Li-Meng Yan, Guo Wengui, and Steve Bannon, and in some instances provided an address that they claimed Guo lived at.

Figure 10: Twitter account calls for physical protests in Japanese (left), Korean (middle), and English (right) (Note: We have censored the address listed by the accounts)

Subsequently, we observed posts by accounts in the network portray the advocated April 24 New York City protest as a success, claiming that Asian Americans, other minority groups, and Caucasian protestors attended (Figure 11). Other posts claimed that these protesters were met by Guo Wengui’s “supporters”, who “violently assault[ed]” them. As part of this claim of success, we observed a manipulated image in which the face of Dr. Yan was superimposed onto a sign held by a purported protestor and shared across nearly all the social media platforms and forums that we have seen leveraged as part of this broader activity set. We identified the image to be a manipulation of a picture taken at a rally against racial discrimination that took place in Jamestown, NY, on or around April 23, 2021 (Figure 12).

Figure 11: A Medium account (left) and an Underlined account (right) post identical text claiming Asian Americans protested racial violence in the U.S. The sign being held in the picture on the left has been photoshopped

Figure 12: Photoshopped image of Dr. Yan's face on a sign (left), shared across nearly all platforms (original photo on the right)

Despite these claims, we have not observed any evidence to suggest that these calls were successful in mobilizing protestors on April 24. However, it does provide early warning that the actors behind the activity may be starting to explore, in however limited a fashion, more direct means of influencing the domestic affairs of the U.S. We believe it is important to call attention to such attempts and for observers to continue to monitor for such attempts in future.

Conclusion

Our aim with this blog post is to provide early warning of two significant developments that we believe are important to monitor for despite the limited impact of this pro-PRC campaign thus far. First, the activity is taking place not just on the big three social media giants, but on at least 30 social media platforms and dozens of additional websites and forums, and in languages including not just English and Chinese, but also German, Russian, Spanish, Korean, and Japanese. This suggests that the actors behind the campaign have significantly expanded their online footprint and appear to be attempting to establish a presence on as many platforms as possible to reach a variety of global audiences. Second, the attempt to physically mobilize protesters in the U.S. provides early warning that the actors responsible may be starting to explore more direct means of influence and may be indicative of an emerging intent to motivate real-world activity outside of China’s territories.