Middle Kingdom Memetic Warfare Weekly 5
Top Middle Kekdom Memery
Welcome to Memetic Warfare Weekly’s 5th post!
China (by far the most interesting topic in the world of IO, sorry Russia) will be the main focus of this week’s post, and going forward I will aspire to have China be the main focus of this newsletter anyway. Chinese IO is still in many ways misunderstood and underappreciated, and I hope to change that.
In that vein, let’s start this week with the practical utilization of ad-trackers embedded in domains in our OSINT/CTI investigations.
Tracking the Trackers
The recent WSJ article revelations regarding the presence of TikTok trackers on US government sites are a great opportunity to discuss the importance of trackers for OSINT and CTI. What are these trackers, and how can we use them?
Trackers - be they from Google, TikTok, Meta, Amazon or otherwise - are code snippets embedded in the HTML of domains. These trackers are unique codes that enable the domain in which they're embedded to track users for legitimate analytics and advertising purposes.
While this may seem to be a net-negative for users, trackers can be a goldmine for investigators. Trackers are unique identifiers that can be embedded in numerous websites, and tracking the trackers can uncover wider networks of domains, further expanding our network investigation attack surface and potentially enabling us to attribute domains.
The most commonly-used trackers historically in the counter-IO field are Google Adsense and Analytics trackers (pub-XXX and UA-XXXX) respectively. Craig Silverman has published numerous articles on how to best use these for OSINT.
Some tools, such as DNSLytics, enable the automatic extraction and reverse-querying of Google Adsense and UA codes, and includes historical data.
While Google Adsense and Analytics are historically the main trackers used, the industry has since changed. Google Tag Manager (GTM) codes have since become increasingly popular, and other trackers for sites are often used - see a very short list of snippets below (X's are stand-ins for alphanumeric strings):
- Google Tag Manager: “GTM-XXXX”
- Google Analytics: “UA-XXXX”
- Google Adsense Published ID: “Pub-XXXX”
- Facebook Custom Audience (pixel): “facebook.com/tr?id=”
- Amazon: "&tag="
- Addthis: "#pubid/pubid"
- Yandex.metrika: "mc.yandex/ym"
The very presence of certain tracker types can also be indicative. Ben Heubl exposed the use of Yandex Metrika trackers on a German-language news site suspected to be created by Russia as part of an information operation targeting Germany -
867-5309/Epieos
Continuing our OSINT updates, let’s discuss Epieos. Epieos has always been (in my opinion) the best email checker out there, and now - praise be - its much-vaunted phone module has finally been released.
The new phone module includes support for a variety of platforms and accounts, and phone number resolution will be much more affordable and easier as a result.
Gravatar On Ice
Lastly, Jake Creps has been doing the lord’s work by investigating ways that APIs and URLs can be manipulated to investigate email addresses. His recent discovery about identifying whether or not an email address has been registered on Wordpress should go without saying as being useful for OSINT investigation of domains as part of IO and even CTI investigations.
Consider, if you will, the power of this when combined with Gravatar.
WordPress sites create Gravatar accounts for the email addresses used to register the site and those that serve as users on the site, with the Gravatar account URL for the account actually utilizing an MD5 hash of that email address as the account ID.
This means that we can hash the given email address via MD5 and then check to see if the user account has an available Gravatar account.
We can then insert that hash into this URL: https://en.gravatar.com/avatar/XXXXXXXXXX and see if that email address has a Gravatar account.
Two Hearings, One System
Full disclosure: I won’t have finished viewing all of the sessions by the time this is published, so all of what is posted here is based upon partial information.
The US-China Commission held a hearing on “China’s Global Influence and Interference Activities” on March 23rd. There’s a lot of stuff in the hearing (and you can read the convenient Twitter thread below), and frankly most of it isn’t super fascinating or things you haven’t heard before, so I won’t subject you to endless hot takes on it.
What I will say is that the session in my opinion really worth viewing (link to who’s who of speakers and sessions here) is the last session with Alex Joske, who wrote the excellent book “Spies and Lies: How China’s Greatest Covert Operations Fooled the World”.
This hearing, however, was not the biggest event in Washington this week. TikTok’s CEO, Shou Zi Chew, was thoroughly chewed-out by bipartisan representatives who continued the grand American tradition of publicly exposing themselves as luddites with zero understanding of technology on national TV.
For actual analysis, I’ll defer to Jordan Schneider’s ChinaTalk podcast and Substack which discussed this topic at length.
For humorous content, please look at the below content from Mashable’s article on TikTok users’ favorite moments:
Let 1000 Newspapers Bloom
Chinese state media in the US has always been an interesting endeavor. The China Media Group (a must-follow organization for anyone in our weird, niche field) recently published an excellent overview of China Daily activity in the US.
Source: https://chinamediaproject.org/2023/03/16/the-ins-and-outs-of-the-china-daily-usa/
I won’t steal the article’s thunder (you should just read it instead), but we should discuss FARA filings.
The article refers to FARA filings, or Foreign Agent Registration Act. This act mandates that all paid actors working on behalf of foreign entities and states register as such with the Department of Justice. The Department of Justice then makes this information accessible to the public via what may a UI that would not be out of place in say an old X-Files episode.
Feast your eyes on what glorious UIs US tax dollars can buy
While the UI may not be so great or immediately understandable, it isn’t so bad when one wants to actually search a specific individual or entity or even filter by country or location. FARA filings can be an important part of overt and even covert influence investigations, and can even aid with out-of-US investigations on occasion.
The Prodigal Chinese Lady Influencer
Vice created a pretty reasonable video providing an overview of China’s use of real/authentic “influencers” online as part of its influence apparatus. As Clint Watts once stated, the “Chinese Lady Influencer” is a real phenomena in which Chinese media coopts conventionally attractive, often ethnically diverse women to serve as mouthpieces in its propaganda content.
Utilizing real people for the vast soft-propaganda apparatus that China operates makes sense for a number of reasons:
Why not use real people for soft propaganda? No need to be subtle.
It’s more effective: people relate to real people, especially those that look and/or sound like them. Women also are probably more effective than men in appealing to wider audiences.
It’s cheaper and enables consistency and the building of personal “brands”.
It’s harder to action these entities on platforms as they are, by definition, authentic.
Developing these real brands then enables these individuals to promote hard disinformation content more effectively and believably.
Miburo also published a great piece on this on their own, now unfortunately defunct, Substack. I’ll share the main infographic below:
Jokes aside about the archetypal Chinese Influencer Lady, there is no doubt in my opinion that the utilization of real people as influencers is the future of the world of influence/information operations. The now-famous video below of Russian influencers reading from the same hymnal shows how Russia has also pivoted towards using influencers and real people.
There’s a lot more to say about real-life influencers and actors tweeting in the name, but for now we can leave it here and revisit this topic in future posts.