Memetic Warfare Weekly Taiwan Emergency Edition: We're Go-Ing to Wen so Much, You'll be Tired of Wen-Ing
Welcome to Memetic Warfare Weekly.
My name is Ari Ben Am, and I’m the founder of Telemetry Data Labs - a Telegram search engine and analytics platform available at Telemetryapp.io - and Glowstick Intelligence Enablement.
Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
We’ll start this week with a fascinating, suspected Chinese influence operation targeting Taiwan just days before its general elections. I’ll also take a moment to get on my high horse and exhort other OSINT, IO and CTI analysts - start learning Chinese! Not only is it practical and fun, it’s also a core skill that pays off across all fields.
It also lets you make condescending memes, as shown below:
Let’s get into it then.
Chinese threat actors are suspected of having written and published a disinformation-laden biography of Tsai Ing Wen, the president of Taiwan, in an attempt to discredit her and the DPP.
The book is being dutifully promoted across the internet as shown below:
The book is titled “蔡英文秘史”, or the “secret history” of Tsai Ing Wen.
This is a 10/10 opportunity for us to reverse engineer a network, though - one of the best ways to learn OSINT and investigation in general.
Let’s start off by querying the book’s title in Chinese; searching for it on any platform finds results easily:
These posts link to a site hosting the files themselves, Zenodo.
Let’s take a minute and give it up for the authors here - this document is 318 pages long. This is the kind of dedication I want to see from threat actors to keep this space interesting.
All of the above in only 6 days too as per file metadata:
This situation - in which we have a link hosting 100% indicative content - is a 10/10 situation in which one should use Crowdtangle:
Crowdtangle is an incredible tool in general, but it’s especially great at showing suspicious patterns of sharing:
I’ve saved copies of the files and archived the domain, so don’t worry. In some cases we even see consecutive posting of the link in the same groups:
This would be an amazing starting point for an investigation, not only into this topic specifically, but also into adjacent networks that may amplify this topic while not being part of the core cluster.
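The sharing patterns described above can also be checked programmatically once post data is exported. The following is an added example, not part of the original post or of any tool's own code: it flags back-to-back posts of one link inside a group and accounts that push the link into several groups within minutes. The field names, the placeholder URL, the thresholds and the sample rows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, not real data; field names are assumptions.
LINK = "https://example.org/record/PLACEHOLDER"
POSTS = [
    {"group": "G1", "account": "a1", "time": "2024-01-08T10:00:00", "link": LINK},
    {"group": "G1", "account": "a2", "time": "2024-01-08T10:01:00", "link": LINK},
    {"group": "G1", "account": "a3", "time": "2024-01-08T10:02:00", "link": LINK},
    {"group": "G1", "account": "b1", "time": "2024-01-08T11:00:00", "link": None},
    {"group": "G2", "account": "a1", "time": "2024-01-08T10:03:00", "link": LINK},
    {"group": "G3", "account": "a1", "time": "2024-01-08T10:05:00", "link": LINK},
    {"group": "G3", "account": "b3", "time": "2024-01-08T12:00:00", "link": None},
    {"group": "G3", "account": "a2", "time": "2024-01-08T13:00:00", "link": LINK},
]

def consecutive_runs(posts, link, min_run=2):
    """Per group, find runs of back-to-back posts that all carry `link`."""
    by_group = defaultdict(list)
    for p in posts:
        by_group[p["group"]].append(p)
    runs = []
    for group, items in by_group.items():
        items.sort(key=lambda p: p["time"])  # ISO 8601 strings sort chronologically
        run = []
        for p in items + [{"link": None}]:   # sentinel row flushes the final run
            if p["link"] == link:
                run.append(p["account"])
            else:
                if len(run) >= min_run:
                    runs.append((group, run))
                run = []
    return runs

def cross_group_bursts(posts, link, window=timedelta(minutes=10), min_groups=3):
    """Accounts that post `link` into at least `min_groups` groups inside `window`."""
    seen = defaultdict(list)
    for p in posts:
        if p["link"] == link:
            seen[p["account"]].append((datetime.fromisoformat(p["time"]), p["group"]))
    flagged = {}
    for account, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            groups = {g for t, g in hits[i:] if t - start <= window}
            if len(groups) >= min_groups:
                flagged[account] = sorted(groups)
                break
    return flagged
```

On the constructed rows, `consecutive_runs(POSTS, LINK)` reports the three-post run in G1 and `cross_group_bursts(POSTS, LINK)` flags account a1; both outputs are leads for manual review, not proof of coordination.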
Let’s take a look at a few other interesting things going on here:
Virtual hosts, potentially AI-generated, are also used, including, funnily enough, Santa Claus:
Unsurprisingly:
As Wenhao of VOA tweeted, this book makes some spurious claims about Tsai Ing Wen:
Wenhao also brings up Wikipedia activity, as shown below:
Note that Wikipedia is great as it shows not only usernames, but also IP addresses if no username is provided - always fun to look at.
The book has also been promoted by Ye Ping, a prominent pro-China account on Weixin, mentioning also that apparently the book has been promoted by bots via private messaging - a fascinating TTP in and of itself.
We’ll know more about this soon, but this is a fascinating case. We really have a greatest hits of IO investigation here - linguistic analysis, inauthentic accounts and amplification, forging content, and even some other unique TTPs - for example, this is the first time I’ve heard of Chinese accounts mass-messaging others online to amplify IO content.
That’s it for this week!