Welcome to Memetic Warfare.
Chinese cyber attribution as IO is back at it yet again, in this case seemingly becoming even more overtly politically-driven.
As always, the Global Times covered the actual indictment, see an archived link here.
To make a long story short, the first paragraph summarizes the case well: the Guangzhou branch of the Public Security Bureau attributed a series of alleged cyber operations not only to Taiwan, but to the DPP specifically.
For those who don’t follow this stuff, the DPP is a pro-independence party in contrast to the Guomindang, which espouses a one-China stance, which is the stance that China promotes. There is no link to the actual attribution statement, which is consistent with this stuff from China - guys, please add links going forward. Let’s look at the Global Times coverage as I’m too lazy to dive deep into the original report, if it even exists:
So far, the level of Chinese attribution from the MPS (not the MSS, which has claimed to have attributed individual units and operators in the past) is getting more specific. The MPS here is calling out a “hacker group” backed by the DPP.
Some other tropes of Chinese attribution, such as referencing internet scanning platforms, appear, and most interestingly, this attribution actively downplays the sophistication of the adversary:
These operations reflect extremely malicious intent as per the MPS, and they further call their operations “crude and unsophisticated”.
They of course mention and identify that proxies are used, though interestingly they claimed that VPN proxies were employed, perhaps meaning VPSes? Certain countries here are interesting hop points not commonly seen, such as Israel, making me even more skeptical of the claims.
The best part of the article is the interview with Zheng Jian, a Chinese academic at the Taiwan Research Institute of Xiamen University. Zheng’s quotes seemingly purposefully signal Chinese intentions very well, stating that China is active in “cyberspace” to combat Taiwanese independence at the cognitive and technical level.
Zheng decries alleged Taiwanese use of the internet for IO purposes to promote independence while harming Chinese interests. Furthermore, Zheng states that Chinese authorities have embarked on a countermeasure campaign, releasing “related information” on DPP cyber operations to combat these alleged DPP operations.
This is an excellent example of China utilizing selective disclosure not only for policy purposes but for IO - targeting global audiences to make Taiwan look bad while attempting to instill fear in the Taiwanese by making them think that they’ve been compromised. Zheng overtly states this in the next section:
So, a lot to unpack here. Both Chinese ministries, the MPS and MSS, are increasingly engaging in cyber attribution and selective disclosure of operations that may not have ever happened, or happened as described. The story develops even further, as on June 5th the Chinese police announced that they’ve offered a bounty for information leading to the arrest of 20 suspects involved in the aforementioned alleged hacking incident:
At this rate we’ll see full-on Rewards for Justice-style documents and indictments by next month!
The story mentions a report on the topic by the CVERC, put out in Chinese:
I have to hand it to them - they went really hard with this picture and the chengyu, I’m a fan. The report then is a few dozen pages of analysis in Chinese, but it gets really interesting on the final page, which includes information on the alleged Taiwanese operators, including images.
This is the first time that we’ve seen this amount of information and at this scale, and I believe the first time we’ve seen this type of attribution from an MPS-affiliated organization and not the MSS. We even get alleged photos of bases and senior officers:
So this is a precedent-setting report, and I’m going to have to invest some serious time in this one - I’ll be watching this space closely going forward.
This is a rapidly developing topic that has very little to do with actual cyber and much more to do with IO. I hope to have something out on this in a longer form in the next few months.
That’ll be it for this week. If you have any questions, comments, complaints or jokes, feel free to leave them in the comment section or message me on Substack. As always, check out telemetryapp.io. Next week we’ll be discussing the latest OpenAI report.