Welcome to Memetic Warfare Weekly.
My name is Ari Ben Am, and I’m the founder of Telemetry Data Labs - a Telegram search engine and analytics platform available at Telemetryapp.io - and Glowstick Intelligence Enablement. Memetic Warfare Weekly is where I share my opinions on the influence/CTI industry, as well as share the occasional contrarian opinion or practical investigation tip.
This week, we’ll take a look at some interesting China-related activity.
The US State Department’s Global Engagement Center’s report on Chinese influence activity is a good primer on such activity in general, but it had one particularly interesting piece of previously unknown (publicly, at least) information.
An apparently fictional writer, Yi Fan, has been writing on behalf of Chinese state interests and narratives in newspapers globally, presented first as an “MFA analyst”, later as a correspondent in Chinese state media, and later still as independent.
The GEC went as far as creating some colorful infographics:
But how might an individual recreate such work, you might ask?
This leads me to one of my favorite OSINT tools, Muckrack. Muckrack tracks outlets and journalists, including state media, aggregating relevant data on publications across outlets. Below is Yi Fan’s - note that there are some false positives, but we can already see a number of relevant outlets:
Looking at specific articles published online shows that Yi Fan is quite prolific, posting the same guest opinion article across a broad network of newspapers internationally:
Sampling content from some of these shows that these sites are news aggregators which repost news content from a variety of sources, including Xinhua, with a notable emphasis on Chinese content as taken from the Barcelona News domain:
Everyone knows that Catalonians are very interested in handicraft wooden fans from eastern China:
Looking up one of these, “dublinnews(.)net”, on VirusTotal retrieves some interesting results in its passive DNS lookups:
Some of these have been detected as hosting malign activity, but let’s take a look at the first hosting IP and what it hosted:
The above domains were resolved in some cases on the same or consecutive days, and have the same naming conventions. This is without even going into the suspicious domain registered on the IP address recently. We can now assume that this is a server controlled by a given individual or organization.
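The pivot described above can be scripted once passive DNS rows are exported. The following is an added example, not part of the original post or any tool it mentions: it links domains on one IP when they were first seen within a day of each other and share a TLD and a label suffix. The sample rows, the `<city>news` convention and the thresholds are constructed assumptions.

```python
import os
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed passive DNS rows: (domain, resolved IP, date first seen on that IP).
# 192.0.2.0/24 and .example are documentation ranges; none of this is real data.
SAMPLE_PDNS = [
    ("dublinnews.example",    "192.0.2.10", date(2023, 3, 1)),
    ("barcelonanews.example", "192.0.2.10", date(2023, 3, 1)),
    ("nairobinews.example",   "192.0.2.10", date(2023, 3, 2)),
    ("limanews.example",      "192.0.2.10", date(2023, 3, 3)),
    ("petshop-deals.example", "192.0.2.10", date(2021, 7, 19)),  # unrelated tenant
    ("osakanews.example",     "192.0.2.77", date(2023, 3, 1)),   # similar name, other IP
]

def shared_suffix(a, b):
    """Length of the common trailing substring of two leftmost labels."""
    return len(os.path.commonprefix([a[::-1], b[::-1]]))

def find(parent, d):  # union-find root lookup
    while parent[d] != d:
        d = parent[d]
    return d

def cluster_pdns(rows, max_gap_days=1, min_suffix=4, min_size=3):
    """Group domains that share an IP, a TLD, a label suffix and a resolution window."""
    by_ip = defaultdict(list)
    for domain, ip, seen in rows:
        label, _, tld = domain.partition(".")
        by_ip[ip].append((domain, label, tld, seen))
    clusters = {}
    for ip, items in by_ip.items():
        parent = {d: d for d, *_ in items}
        for (d1, l1, t1, s1), (d2, l2, t2, s2) in combinations(items, 2):
            close = abs((s1 - s2).days) <= max_gap_days
            if close and t1 == t2 and shared_suffix(l1, l2) >= min_suffix:
                parent[find(parent, d1)] = find(parent, d2)  # merge the two groups
        groups = defaultdict(list)
        for d in parent:
            groups[find(parent, d)].append(d)
        big = [sorted(g) for g in groups.values() if len(g) >= min_size]
        if big:
            clusters[ip] = big
    return clusters

if __name__ == "__main__":
    for ip, groups in cluster_pdns(SAMPLE_PDNS).items():
        print(ip, groups)
```

Linking is transitive, so a domain seen two days after the first one still joins the cluster through an intermediate resolution; shared hosting will produce false positives, which is why the name and date checks are combined rather than used alone.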
Looking at the site shows that it’s run by Mainstream Media Ltd:
They appear to run a comprehensive network of global news sites, and are themselves owned by Big News Network.
Big News Network is, unsurprisingly, quite big:
Luckily for us, the UK Companies House is one of the most transparent registries out there:
We can further check the other appointments of the owner of the above firm to see previous incarnations of this firm:
Why did I do all of the above, you might ask? It’s important to identify who owns or stands behind a given network in most cases, as although it’s all legal and up-front here, that isn’t always the case.
Additionally - simple syndication by this network by no means implies that the Big News Network is in any way aware of or responsible for this specific content.
Going back to the domains run by BNN, interestingly, a number of their affiliated Twitter accounts have been suspended by Twitter for violating Twitter’s rules; below are two examples:
This may be related to their past, alleged involvement in a suspected Indian information operation as alleged by EU Vs Disinfo; the report is available with BNN’s response here.
Again - this shows primarily that newswire services can be exploited by IO actors, not that the given service or company is aware of such exploitation, and in no way am I implying that any given newswire, network or firm is aware of such exploitation and actively participating in it.
Back to the point at hand.
Looking up any mention of Yi Fan and Big News Network shows that BNN covered Yi Fan’s content on at least one occasion via Xinhua (that I’ve checked), in this case - the article we saw earlier on Muckrack and shown below.
So it appears that the newswire/syndication services provided by BNN are what led to the prodigious number of articles written by Yi Fan, at least in this case.
Does this mean that BNN is necessarily responsible or aware of this? No. Many services are utilized or exploited unknowingly; Mandiant published a report on a similar case recently.
What is interesting is that newswires and syndication services can be utilized by influence actors to great effect, and that this has been done in the past only on a few occasions. The unknowing exploitation of paid PR and newswire services i
Who knows, perhaps we’ll see more of this smart utilization going forward. There’s no question that this is a comparatively cost-effective method to get the word out, but on the other hand these networks of domains and entities don’t often have large, authentic readerships.
This further reinforces my claim that much of today’s IO is in fact done to pump up numbers to make the operators themselves look good, at the expense of actual quality.
That’s it for this week - there may not be any posts at all for the coming few weeks until early November, as I’ll be on vacation.