Enter the 912 Working Group (34 Indictments)
Welcome to Memetic Warfare Weekly!
My name is Ari Ben Am, and I’m the founder of Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
Thanks for reading Memetic Warfare (bi)Weekly! Subscribe for free to receive new posts and support my work.
I also provide consulting, training, integration and research services, so if relevant - feel free to reach out via LinkedIn or ari@glowstickintel.com. This week we’ll discuss how the Chinese government uses OSINT and carries out IO as shown by recent DOJ indictments, move to further indictments against American citizens supporting Russian IO activity, and finish off with Google TAG’s latest update on Russian cyber/IO activity.
Justice, Take the Wheel
The DOJ took advantage of the past week to publicize two absolute banger indictments against Russian and Chinese malign influence and foreign interference.
Let’s talk about the indictment summary against Chinese actors first - available here. Most coverage of this indictment has understandably focused on the covert Chinese police station in Manhattan, but insomuch as we focus primarily on online activity in this blog, we’ll focus on their online IO.
This indictment is massive, with over 30 Chinese agents suspected of running IO and carrying out other acts of “transnational repression” being charged and exposed.
The indictment, exposing the “912 Special Project Working Group” operated by the Ministry of Public Security (MPS) is available here in its entirety, but be warned - it’s about 90 pages.
The indictment claims that the 912 group carried out IO against the US and harassed dissidents via networks of thousands of accounts on Western platforms such as Facebook, Twitter and YouTube. This is the first time, of which I’m aware, in which a specific sub/working group in the MPS has been attributed publicly. According to the indictment, the 912 group is a national project for the MPS, with representation from across the MPS’ regional bureaus.
Most Chinese IO is attributed to the MSS and the UFWD, with some others to the CCP Youth League and the PLA. Much IO is also carried out by outsourced actors, such as Hong Kong-based digital marketing firms or front organizations.
The MPS often gets short shrift as it is usually associated with domestic monitoring and interference with ethnic minorities inside of China. The indictment interestingly showed also that the UFWD and MPS collaborated on project 912, with one of the 912 members complaining even about having to cooperate so closely with the UFWD.
More recently, the MPS has received media coverage due to the infamous Chinese “police stations” in the US and Canada, run by regional MPS bureaus, so it’s interesting to see that its activity extends beyond that and into offensive IO.
The indictment has tons of interesting main points, so I’ll pull out my top favorites below.
Let’s start with the internal MPS document describing their online monitoring efforts. Online monitoring is one of the biggest challenges of OSINT in general, and it’s fascinating to see how the MPS approaches it. I’ll put a block quote below:
“Recommendations in an MPS proposal from March 2020 obtained in the investigation reflect the broad reach of the PRC government’s censorship efforts. Noting that most foreign reports about the PRC are negative (which purportedly reflects backlash against the PRC’s global ascent), and that Twitter content accounts for approximately 80 percent of the attacks on the PRC and the CCP, the proposal recommends instituting countermeasures to monitor dissent on foreign social media platforms, including Twitter.
The proposal’s main goal is the construction of an Internet data mining system to monitor for Chinese-language Twitter users who make political comments, to promptly survey their activities, and uncover and track the identities of related individuals and covert political organizations and groups through a database of email and telephone identifiers. Notably, the proposal recommends collecting and categorizing relevant political posts, as well as conducting real-time monitoring of overseas Chinese-language account data to promptly discover political tweets and major public opinion events.”
What can we learn from the above?
The MPS sees Twitter as a key platform due to it hosting the vast majority of attacks on the PRC/CCP.
The MPS is interested in monitoring overseas Chinese and investigating them thoroughly, as well as carrying out horizon scanning via an OSINT system.
The first point above may partially explain why so much of exposed Chinese IO is Twitter-centric, although it may also simply be because Twitter is easy to exploit.
The group is also responsible for carrying out IO, as shown below:
“As more fully detailed below, the investigation has revealed that the Group has created and used a host of accounts under false names on U.S. social media platforms to disseminate and amplify messages as part of a broad effort to influence and shape public perceptions of the PRC government, the CCP and its leaders in the United States and around the world.
The Group uses its misattributed social media accounts to accomplish this mission both by disseminating and amplifying messages that promote what the PRC government and CCP perceive to be favorable attributes of the PRC’s CCP-dominated political system, and by seeking to undermine and discredit the systems and policies of perceived adversaries (including the United States government), democracy, and open societies generally”.
There were numerous cases of tasking handed down to the group as well:
“In or about August 2021, the 912 Project received a tasking to “expose and criticize the United States for wasting their effort to provoke conflicts in the South China Sea in order to drive a wedge between China, Vietnam and Singapore; and to ridicule the United States’ retreat from Afghanistan having a major impact on its international reputation. As a responsible country, China has the responsibility to maintain peace, stability and development in the region and the world.”
“In or about May 2022, the 912 Project received a tasking to “take advantage of the second anniversary of the [George] ‘Floyd’s death’ incident in the United States to reveal the law enforcement brutality in the U.S., racial discrimination and other social problems.” Subsequently, an account controlled by the Group made numerous 11 posts about George Floyd’s death and accusing U.S. law enforcement institutions of racism.”
These networks, according to the indictment, also served to target and harass dissidents. This harassment went beyond just online posts, however: ABC News has claimed that the American telecommunications firm infiltrated by Chinese agents, mentioned by the indictment, is Zoom, and that the insider enabled the Chinese government to “disrupt meetings” on Zoom.
The DOJ also provides images of secret MPS documents delineating the structure and purposes of the 912 working group:
The team’s work schedule is also delineated. They work in shifts, with a fully-equipped office environment with beds and so on for 24/7 operations:
“The Group’s work is carried out in the “Duty Room” at the Group’s Dongcheng District location by one of approximately five duty teams. Each of the duty teams typically is comprised of approximately four to ten Group officers, with certain sensitive time periods staffed with more officers. The duty teams are scheduled in rotating shifts of on-call duty assignments. The schedule with the Group’s on-call duty assignments is typically published to the Group’s officers and posted monthly. Each duty shift is led by a duty team leader, who supervises the duty team’s operations and directs its activities. The duty team leaders generally include the Group captain and other experienced First Bureau officers indefinitely assigned to the Group”.
The indictment also claims that: “The Group has, for example, caused an Internet service 38 provider headquartered in the United States to terminate meetings and accounts associated with critics of the PRC government, including meetings and accounts of U.S.-based users.” It would be interesting to know which, but also, crucially, this shows that at least some of their efforts were impactful.
The 912 group at least has a sense of humor also, showing reasonable skills in English-language memery:
The indictment further describes the group’s OpSec and operational capabilities:
“New Group members also receive policy guides and instructional documents, including operational best practices and metrics for evaluating performance. One policy guide contains step-by-step instructions for establishing and maintaining multiple social media accounts on a specific platform.
The instructions contain techniques and tactics for the registration of multiple accounts using temporary email addresses. After the accounts are registered, Group members are directed to change the profile icons and download translation tools to their browsers, find articles from approved websites, translate the content, post the translated content on the social media accounts, conduct daily checks for replies to the posts, and interact with the users replying to their posts to avoid the appearance of “flooding” the site.
Other instructions advise the “linking” or use of common email addresses for accounts created on different social media platforms. These instructions contain tips and video tutorials on tools to help increase the number of followers for each of the accounts, for example the “Mass Follow” plug-in for Twitter accounts. Still other instructions provide 912 Project officers with assistance on websites they can visit to find “real, ordinary” persons to use in newly registered account profiles.”
I see it quite frequently still, but it’s hard to believe that state actors utilize low-level translation tools and haven’t moved on to GPT-based tools, or even DeepL.
The network utilized common “astroturfing” by not only creating inauthentic accounts for American citizens, but also attempted to provide more comprehensive coverage of the population of the US:
“Some of the Group’s Facebook accounts ostensibly belong to users living in locations outside of large coastal metropolitan areas in the United States, in an apparent attempt to show widespread support for the PRC government and the CCP across U.S. socioeconomic and locational demographics.”
Some other measures used by the group to avoid detection by platforms, as well as avatar-development are also fascinating:
“Indeed, to demonstrate that the positions of the PRC government enjoy a broad degree of support across nations, races, ethnicities and genders, the purported users of the social media accounts are based on selected traits and demographics, such as a woman based in Hong Kong, a woman based in Russia, or a person of Hispanic ethnicity based in the United States. For example, on or about August 31, 2020, one of the Group’s Google accounts ran Internet searches for frequently used characters in female names in Hong Kong. Similarly, on or about September 6, 2020, BAI YUNPENG created a Facebook account with the Cyrillic username “Фая Сорокина.
This practice of creating numerous fake accounts with purportedly diverse subscribers helps Group members to avoid detection by the social media platform moderators that seek to ensure that active accounts are linked to authentic users, and the pseudonymous accounts provide the PRC government with a veneer of deniability for the Group’s efforts to harass and threaten dissidents and critics abroad….
Group members seek to enhance the bona fides of the purported U.S.- based user accounts by having the accounts join Western religious groups, such as the Facebook groups “Jesus Is the Light Of The World,” “Bible Daily,” “I love GOD & Jesus our Saviour. Join,” and “Honest Quotes.” Other accounts have joined Facebook groups dedicated to pop culture and/or more mundane topics, such as “Movies FAN” or “Cramps.”
This indictment is incredibly detailed and full of new, relevant information for research; it reminds me of similar indictments of Chinese APTs in the past. It’s great to see foreign interference taken as seriously as malign cyber activity, and I imagine that we’ll see more indictments like this as China-US relations continue to decline.
This indictment showcases some of the differences between Chinese state IO and outsourced or low-investment efforts.
State actors can have more advanced capabilities and utilize more resources, such as utilizing ISPs based in the US, working in shifts, creating video and other content, and even targeted harassment and harassing online dissident meetings.
However, state actors also suffer from some of the most common and easily solvable problems: low quality machine translation, OpSec issues and - of course - interoffice politics.
It’ll be interesting to see to what degree, if at all, we see multi-purpose Chinese APT groups beginning to operate similarly to Russian groups that carry out both cyber and IO attacks.
It seems that the FBI’s decision to create a counter-foreign interference task force in 2017 - the Foreign Influence Task Force, or FITF - is beginning to pay off.
There’s quite a bit more to the indictment on transnational repression, but for now we need to cut it short.
Black Hammer Time
Let’s move on to Russia. The indictment levies charges against American citizens suspected of conspiring with Russian agents to influence the American public over a period of years.
The Russian indictment been covered in the past by mainstream media, so I won’t delve too deeply into the details. To jog your memory - the Russian operation was run by the FSB via an “anti-globalization” front organization.
The FSB utilized its agent, Aleksandr Ionov, to serve as the president of the front organization and to attempt to influence local elections in - funnily enough - Saint Petersburg, Florida. Ionov and his associates also discussed their desires to influence the presidential elections later. Ionov didn’t focus exclusively on American elections - he also worked to promote other secession movements, including in the US and beyond.
Ionov was active in the US from 2014 to 2022, and got to work recruiting from America’s foremost civil organizations: Black Hammer, the African People’s Socialist Party and the Uhuru movement, and an unnamed organization in California. While unnamed, Ionov has been exposed as having supported a California-based secession movement.
These organizations are extremist and fringe, to say the least. Black Hammer is most famous for its viral anti-Anne Frank tweet, and the other organizations have some pretty out-there views as well.
The new indictment moves past Ionov and focuses on his alleged American agents:
Hopefully more details on their activity will be released as their trials begin.
TAG, You’re It
Google TAG's April update focuses on GRU combined APT/APMs: FROZENBARENTS (Sandworm) and additional actors attributed to the GRU promoting a campaign titled "Bio_Genie".
Sandworm carried out offensive cyber operations against Ukrainian critical infrastructure, but also used Telegram to amplify their IO, such as hack and leaks and even targets for DDoS attacks.
The Bio_Genie campaign, run from infrastructure affiliated with Sandworm and focusing almost exclusively on the infamous "Bio-lab" disinformation narrative, centers on (surprise) a Telegram channel and a Substack blog which has only uploaded one post. The only potentially worse thing to come otu of this would be if they were to pivot to crypto.
The actors behind the campaign also reached out to journalists to promote the campaign. The post is still up on Substack and archived here.
A few lessons:
- Almost any online entity from any platform can be used for cyber operations, be it Discord servers for C2 or hosting content for hack and leaks, Telegram channels to disseminate leaked content as well as promote DDoS targets and more.
- Platform Trust and Safety/CTI/InfoSec teams should begin to conceptualize their platforms not only as end-targets for malign cyber/IO activity, but also as potential cogs in any operation.
- The decline of Twitter and rise of Substack and other, newer platforms will change the way operations are carried out, with new inter-platform operational dynamics being utilized. Investigative and collaboration capabilities shouldn't be developed by the "big" platforms exclusively, and newer platforms must be more proactive in their approach to CTI/IO.
That’s it for this week’s Memetic Warfare Weekly. Questions, comments or jokes? Send them to ari@glowstickintel.com.