Ben Nimmo
4 Feb, 30 tweets, 11 min read
JUST OUT: Update on pro-China op Spamouflage Dragon.

Still spammy, but prolific and persistent, and getting some traction for the first time.

Over 1,400 videos in the last year.

Including geopolitical rivalry with the US.

@Graphika_NYC report: graphika.com/reports/spamou…
Spamou works on YouTube, Twitter, Facebook.

Mainly videos in Mandarin, Cantonese, or Mandarin + English.

Low quality, high volume, on:

Guo Wengui (from 2018)
Hong Kong protests (2019)
Chinese achievements (Feb 2020)
US crises (early 2020)
US-China rivalry (mid-2020)
We don’t have attribution on this op yet.

It’s persistent, well enough resourced to produce over 1,400 videos in a year, and closely tracks Chinese state messaging.

But who exactly is running it remains a question.
That said, a lot of the amplification it achieved (which was still modest) came from Chinese government accounts, including "wolf warriors" like @zlj517.

That's insufficient for attribution, but Spamouflage often promoted, and was promoted by, Chinese officials.
Spamou's prolific but profligate. The platforms have taken down tens of thousands of assets since we exposed it in 2019.

That’s kept its impact generally low, and forced it into a tactical shift, experimenting with fewer accounts with more persona.

blog.google/threat-analysi…
Recently, though, its most valuable asset has been division in America.

So much of its content points at events in the U.S. and says: “See? You don’t want to be like this.”

It doesn’t need to make bad stories up, just cherry-pick the worst ones.
As @craigtimberg pointed out, that also tracks with Chinese government messaging, e.g. over the Capitol riot.

washingtonpost.com/technology/202…
Don’t make the mistake of thinking this is the “Russian playbook”.

Spamou doesn’t pretend to be American, and we’ve seen no attempt to polarise US audiences.

Main audiences so far: Hong Kong, Taiwan, Venezuela, Pakistan.

Main message: China’s rising, America's fallen.
This looks like geopolitical competition for the 21st century: point to all the bad things you can find about your rival, in places where the rivalry’s acute or there’s a chance to make inroads.
Spamou has always been low quality, low impact.

The quality hasn't improved. These images were used to illustrate a video on COVID problems in the U.S.

Comunidad de Madrid?
You might fairly ask why it's worth studying an operation that never seems to break out of its bubble.

Answer: because there's always the danger that they might one day get something *right*, and then it'll be important to identify and expose quickly.
Case in point: Russian operation Secondary Infektion. Nearly six years with no breakout worthy of the name. Then it interfered in the UK 2019 election.

But we, and the great @jc_stubbs, caught it before the vote, because we already knew how SI works.

reuters.com/article/britai…
And Spamouflage has finally started getting some breakout in some areas. Limited and sporadic, but more than it's ever had before.

Here's the Venezuelan foreign minister retweeting a Spamouflage fake account.

(No indication he knew this was a fake.)
And George Galloway, quote-tweeting and following.

Again, no evidence he knew this was a fake.
This was one of a handful of persona accounts that Spamouflage began running in mid-2020.

Stock profile picture of a young lady, tweeting about geopolitical issues. Quite a few different accounts followed that pattern.
This account, screen name "李若水francisw ", had a significant following from Chinese official accounts.

I would love to know how exactly they found "her".
It's been through seven iterations so far. The earlier ones lasted up to two months each. Recent ones, just days.

Each time it re-spawned, it reached out to potential amplifiers, trying to get their attention.
Same with this persona. Again, apparently a young lady posting about geopolitics. The call for follows is overt here.
This persona stole its "personal" pics from a Weibo user.

Note how the Twitter image is cropped to remove the Weibo handle.
On YouTube, there were also persona channels amplifying Spamouflage videos - and often then deleting them a week or so later.

Unclear whether the people whose identities they claimed were actually involved in the amplification, or whether this was Spamou borrowing their names.
These channels have thousands of followers, and primarily focus on Hong Kong and Taiwan. Some of their videos get views in the hundreds or low thousands.

Still not massive, but more than Spamouflage has ever achieved before.

Note the messaging on US "democracy export".
Breakouts like these were a small minority of the total output, though. The great bulk of Spamouflage posts failed to get any attention at all.

The fakeness of their accounts is one likely explanation. The clunky execution is another.

Someone broke the space bar?
In fact, there's an incompetence to this operation that's sometimes almost endearing.

Voice-overs that pronounce "U.S." as "us". Mediaeval headlines ("Chinese sword!")...
... headlines that read like something straight out of CCP propaganda manuals...
... headlines that are trying really hard, but somehow, just don't quite get there...
... I'm not even sure what to say about this headline.
But there's a nasty edge to its content too. Finding the very worst moments of American news, and trying to portray them as typical.
The good thing is, this operation has come under sustained pressure. Tens of thousands of fake assets taken down. Repeated exposures by the team at @Graphika_NYC, and by @FireEye.

That helps curb the spread, because it makes it harder to build any audience or momentum.
But this is a persistent threat actor, apparently well resourced, capable of some adaptation.

Don't overstate its reach, but don't assume that historical incompetence automatically means future ineffectiveness - especially with Chinese state amplification.
The best way to stop operations like this achieving their goals is to keep the pressure on, keep exposing and disrupting them, and catch any tactical shifts early on.

Keep calm. But keep watch.

graphika.com/reports/spamou…

More from @benimmo

5 Feb
Some personal news: today’s my last day at @Graphika_NYC.

My team did amazing investigative work and research into influence ops from Russia, Iran, China and many other places.

We’ve broken new ground, and I couldn’t be more proud of the team @camillefrancois and I built.
Next week, I’m starting at Facebook, where I’ll be helping to lead global threat intelligence strategy against influence operations.

I’m very excited to join one of the best IO teams in the world to study, catch and get ahead of the known players and emerging threats.
As a community - platforms, researchers and journalists - we’ve all come a long way since the dawn of this field of research.
4 Feb
Well this is big.

UK telecoms regulator @Ofcom just revoked the licence of Chinese state broadcaster CGTN to broadcast in the UK, arguing the licence is held by an entity which doesn't have editorial control, in breach of UK rules.

ofcom.org.uk/about-ofcom/la…
Important to underline this is not about content.

Ofcom found that the company which held the CGTN licence, Star China Media, didn't have editorial control.

CGTN offered to transfer to a different entity, but it's ultimately controlled by the CCP, and therefore disqualified.
On the content side, though, CGTN *was* found guilty last year of breaking the rules on due impartiality with its coverage of the Hong Kong protests.

Turns out they didn't give the protesters a fair hearing.

ofcom.org.uk/__data/assets/…
29 Jan
And this, just out from @MsHannahMurphy and @SVR13: questions about the hundreds of thousands of followers that the same Huawei Western Europe execs have.

ft.com/content/0411bc…
I'll leave it to others to analyse the 800k+ accounts involved in these followings, but one anecdotal sidelight on the fake network of accounts that attacked Belgium: some of its other amplification came from glambots from a network that also boosted Huawei Europe.
Glambots = automated accounts that use profile pictures taken from glamour shoots and similar sources.
29 Jan
Great report by @satariano on a fake network that @Graphika_NYC (and others) found in December.

Twitter accounts with GAN faces, boosting Huawei, boosted by Huawei execs, and attacking Belgium's 5G policies.

Not enough evidence to prove who ran them.

nytimes.com/2021/01/29/tec…
We found this network when it was boosted by Spamouflage, a pro-China operation.

Independently, @mvanhulten of @TI_EU and @ArbiterOfTweets of @Knack found it with different methods.

It's not a friendly environment for fake campaigns, folks.

graphika.com/reports/fake-c…
This was the first account we found.

"Alexandre, PhD", apparently a CEO.

But no surname, no indication of what he's a CEO of, and a GAN-generated profile pic.
23 Jan
One sidelight on the Russian protests today: #Navalny is probably the single most consistent target of Russian disinfo and influence operations.

He's been a target for at least 8 years, by ops including the Internet Research Agency, Secondary Infektion, and the Kremlin.
Way back in September 2013, @Soshnikoff investigated the then newly founded Internet Research Agency, and reported that it had been trolling Navalny when he ran for Mayor of Moscow.

mr-7.ru/articles/90769/
January 2014: op Secondary Infektion set up its most prolific persona, with a pic of Navalny’s face painted blue. It started out by attacking the Russian opposition.

The username, bloger_nasralny, is a toilet pun on his name.
23 Jan
Question for the #OSINT community: can anyone else find TikTok videos about protests for Navalny that become unavailable if you watch via a Russian server?

I’ve got 8 so far on #свободунавальному and #23января2021.

Nearly 2 million likes between them.

#DigitalSherlocks
Background: the Russian telecoms authority, Roskomnadzor, said it’s got platforms to take down calls for minors to join the protests.

facebook.com/roskomnadzor.o…
If you check TikTok for key hashtags about Navalny and the protests, some of the most popular videos don’t show up when browsing through a Russian VPN.

Four of the nine most popular on #свободунавальному, for example.