Spiritually Chinese Warfare
Welcome to Memetic Warfare.
This week will be a bit lengthier than usual and focus on one of my favorite topics: Chinese cyber attribution.
We’ll start off by checking out a recent article shared with me by a friend of the blog. The article, published by the First Research Institute, a think tank affiliated with the Chinese Ministry of Public Security, focuses on one of my favorite topics: attribution.
The article "A Study and Analysis of the Cognitive Shaping Mechanism of the US’s Construction of the “China Cyber Threat” Narrative” (it’s cut off due to the translation) gets down to business quickly, providing a convenient executive summary in the grey box:
The Chinese love to project in IO, StratComs and cyber attribution, and we see them doing so in one of the first paragraphs. They begin by decrying a variation on the now played-out “China Threat Theory”, coining the phrase “China Cyber Threat”.
They call out the US for having developed a “highly institutionalized policy discourse framework”, which uses “attribution” to provide a “cognitive legitimacy basis for strategic positioning, multilateral sanctions and alliance mobilization”.
While the US does of course use cyber attribution for the purposes China lists (the “China Cyber Threat” framing aside), China does the exact same things with its own “highly institutionalized policy discourse framework” via the CVERC and other groups. It’s great to see the projection so clearly and to have them really lay down the bullet points for us.
They really give the US a lot of credit for having a coherent, multilayered strategy here:
It’s very funny to me that they point out that US attribution relies on three tenets: behavioral pattern attribution, the “narrative of covert technology” (used to explain the lack of samples or evidence) and the presentation of “black box” evidence.
The irony of China saying PCAPs or it didn’t happen shouldn’t be lost on anyone, and is made especially funny by the fact that they essentially make up a term for PCAP, calling them “Packet Capture Approval Files”, instead of just regular Packet Capture files (hence the PCAP).
I’ve been critical of past US advisories and reports not providing enough information, Volt Typhoon being a great example of that. There are real downsides to withholding it: firstly, it enables China, via its menagerie of outfits, to put out reporting that tries to debunk the reports. Secondly, it doesn’t really enable industry to take action. Thirdly, it’s boring for me as someone who would kill to pivot off of that data.
The US doesn’t publish enough, but most US partners do, and regardless, US government agencies are trusted and have earned that trust. Industry partners often provide much more detail and are a part of it as well, but the reasoning behind what they withhold, presumably to avoid disclosing sensitive data, is the same logic China invokes when its organs publish.
The best is yet to come though.
We get to the crux of China’s strategy on cyber attribution of American activity here as they project it quite effectively:
We get this further elaborated below. The article’s description of the US “matrix of government, military, enterprise and media” perfectly mirrors China’s: the MPS and MSS publishing attribution via their own attribution mouthpieces such as the CVERC.
We also see a throwback reference to FISA and previous Volt Typhoon reporting (specifically, report number 3) from the CVERC:
These government outfits collaborate with private industry and use their technical chops as an “endorsement” for the government statements and attribution. The article also targets joint attributions, claiming that their very nature is meant to make them appear more legitimate:
Lastly, the article brings up media outlets as the amplifiers that shape public opinion and broadcast the reports, adding their own selective reporting on top.
This is all supposed to coalesce into a “self-reinforcing ‘closed-loop narrative’”:
In short, this mirrors China’s approach perfectly, as I’ve written about here ad nauseam.
Beyond the stuff we’ve seen before, we see some interesting discussion on the cognitive side. The article claims that the US seeks to generate real impact by “weaving a web of cognition and rules that is difficult to escape from”, centered around three tenets - law, discourse and technology.
The first is the use of “discursive art” to create “cognitive anchors”, for example by using scary codenames like Volt Typhoon to make Chinese threat actors appear intimidating.
The US’ legal strategy is brought up but is a bit garbled:
Lastly we have the technical component, claiming that the US uses technical terminology and classified information to make its attributions appear truthful:
The section concludes here, summarizing the final points of the alleged US approach:
There’s a bit more, but I don’t want to belabor the point.
This was a fascinating look at Chinese perspectives on cyber attribution and cognitive warfare. Not only is it representative of China’s views, it also projects China’s own worldwide influence efforts through its cyber attribution apparatus.
China’s perspectives on cyber attribution in that article were made sharper by a new publication from Antiy, one of China’s leading information security companies with an active threat intelligence wing. This was first discussed by Three Buddy Problem, check it out here.
In short, SentinelOne’s Juan Andrés Guerrero-Saade and Vitaly Kamluk discovered some now ancient malware with some truly fascinating characteristics used against Iran and other targets pre-Stuxnet. Check out the full article here, I’d do it an injustice to further summarize.
Antiy took this and ran with it, publishing a long look at SentinelOne’s analysis, titling SentinelOne’s report “psychological warfare”.
This becomes a bit clearer in the background component, claiming that the “timing and motives behind their publication clearly align with the U.S. side’s efforts to conduct ‘psychological warfare’ in the Middle East”.
We’ll now skip a LOT of exposition to get to the interesting components.
We’ll pick up again where Antiy describes their ongoing fight with SentinelOne online. Here we see the same narratives and claims made by the CVERC and other Chinese organs, referring to a post from Guancha on the “Anti-China Chorus” of “U.S. Cybersecurity Think Tanks” that seek to manipulate “anti-China public opinion”. Antiy quotes the article at length, claiming that Dakota Cary of SentinelOne and other figures are responsible for “demonizing” Chinese companies.
It gets more interesting after, where we see that Antiy claims that growth in SentinelOne’s US orders is “highly correlated with the company’s anti-China actions”. This, of course, is the same thing we see ad nauseam from the CVERC and the Volt Typhoon series.
Enmity between the two aside, the report then moves on to claim that the publication of the report was timed strategically as part of psychological warfare:
The report posits that SentinelOne is sending a “clear strategic signal” that the US has more cyber capabilities than publicly known. This, of course, should intimidate the adversaries of the US.
Hysterically, Antiy calls this “spiritual warfare”, stating that it weakens the enemy’s fighting will.
It gets contrived after this, claiming that the report uses intimidating adjectives such as “imperceptible” to send a “psychological hint” to adversaries, for some reason calling out Iran especially, that the US has more advanced capabilities.
Antiy also accuses SentinelOne of evading the “fundamental fact” that the FAST16 malware is a “cyberspace operation initiated and led by the U.S. government against the critical infrastructure of a sovereign state”, with “no ethical or international-law-based assessment of this fact”.
SentinelOne did not clearly attribute it as they presumably don’t have enough information to conclusively do so, but it is discussed by one of the authors on the Three Buddy Problem podcast where the US is discussed as the most feasible actor behind it.
This is a clear reach and projection from Antiy, accusing SentinelOne of what they themselves are doing: publishing a biased technical report in service of a political goal.
In typical fashion, this projection is summarized well by the report itself as a “textbook example of weaponizing technical reports to advance a geopolitical narrative - building professional credibility through an accumulation of technical details, then using political implications to steer the reader’s value judgments”.
Before we conclude, I’d like to share the new page for my services. If you’re interested in learning more and learning from and/or working with me, just check the link out below.
That’s it for this week, thanks for reading.