header banner

Analysis | A pro-China influence operation penetrates the US S webpages with news

Table of Contents

Welcome to The Cybersecurity 202! Tim here. If you’re remotely interested in boxing, or maybe even if you aren’t, you’ll definitely want to be watching Saturday night. Errol Spence Jr. versus Terence Crawford is one of the best matchups of the century: two unbeaten fighters, both extra-skilled, fast and powerful. 

Below: A contested surveillance tool was used on a senator, and a recent Microsoft hack may have exposed other data. First:

Pro-China influence campaign infiltrates U.S. news websites

A Chinese marketing firm that has counted state police and other government bureaus as clients is leveraging newswire services to place pro-Beijing stories on the websites of almost three dozen news outlets across America in an apparent effort to help Beijing improve its image abroad.

The Shanghai-based firm — Shanghai Yihuan Cultural Communication Co., Ltd., which goes by the brand name Haixun Press — says on its website that it can plant news articles globally, and can boost the content by providing paid inauthentic social media likes on platforms including Twitter, Facebook and Instagram.

  • Haixun is a private company but has links to Chinese government actors, according to its own publicity and government media coverage of the firm. 
  • It’s not clear whether the content published on U.S. news websites is paid for by Chinese state actors. However, much of it is directly reproduced from Chinese state media reports or state-funded think tanks. 

The articles — which have appeared in financial news subdomains of at least 32 websites including the Arizona Republic and the Pittsburgh Post-Gazette — include Chinese state media stories and scathing critiques of U.S. policymakers, academics and others critical of Beijing. 

Haixun has placed the articles using a newswire distribution service called CloudQuote.io, which is run by the California-based firm FinancialContent and provides financial and market content to small news outlets across America, according to a new report by cybersecurity firm Mandiant, which is owned by Google. The articles were still visible last week on sites that use CloudQuote.io content.

While the articles have so far garnered few views compared with the outsize presence of China’s state media outlets on Western social media, they highlight the expanding array of tactics deployed to overhaul Beijing’s image abroad and undermine its political opponents.

These actors are trying to blur the line between fiction and fact by placing these pro-[China] articles onto legitimate U.S. news outlets, likely without their knowledge,” said Ryan Serabian, senior analyst at Mandiant, which first shared its latest investigation into a campaign it calls HaiEnergy with The Cybersecurity 202. “So, I think it’s very important for us to shine a spotlight on that so that measures are taken to prevent this from happening.”

After being asked about the articles by The Post and Mandiant, the Arizona Republic and the Pittsburgh Post-Gazette redirected visitors of the pages where Haixun content appears to other pages on their website.

The Pittsburgh Post-Gazette’s subdomain began redirecting to its main website after Mandiant contacted the organization with questions in April. Allison Latcheran, director of marketing for the Post-Gazette, told The Post that “we aren't able to comment on this at this time.”

The Arizona Republic began redirecting the subdomain to its main website after a reporter contacted the news outlet’s owner, Gannett. “These pages no longer include the Arizona Republic branding and we have informed [FinancialContent] of the misinformation,” said a spokesperson, Lark-Marie Anton.

  • Anton did not answer additional questions, such as who within the company operated the subdomain, when the newspaper began using the services or how much traffic the subdomain got.

Mark Dierolf, founder and CEO of FinancialContent, hung up on a reporter when reached by phone. Neither he nor anyone at the company responded to subsequent requests for comment.

Haixun did not respond to requests for comment.

The Haixun articles

Mandiant previously reported in August 2022 that Haixun was responsible for a network of 72 inauthentic news sites hosting pro-Beijing news content. However, its discovery of the Haixun-linked newswire represents the first time the Haixun’s content has appeared on the subdomains of legitimate U.S. journalism companies.

The Haixun-linked effort also highlights the difficulties in tracking the scope of Beijing’s overseas influence efforts, which at times take a scattergun approach, employing a mix of rapidly changing tactics despite varying levels of success. 

Articles visible on the subdomains of the U.S. newspapers cover a broad range of topics but often have a common theme: highlighting China’s successes while casting doubt on American culture and politics.

  • The articles criticized a speech by President Biden about China and then-House Speaker Nancy Pelosi’s (D-Calif.) visit to Taiwan, as well as U.S. policy on fentanyl, human rights, democracy, race and press freedom.
  • In all, between the Haixun-affiliated Times Newswire and WorldNewswire, the subdomains have carried approximately 2,000 of their articles at any given time, some of which dated back to at least August 2021.

Although it’s not clear that Haixun placed the articles for Chinese government entities, the firm appears to have worked for Chinese institutions.

In online sales material and social media postings from Haixun’s website and social media accounts, the company said it works with over 150 clients that include Chinese government departments, police and state media.

During the coronavirus pandemic, the state media articles and blogs from Haixun show that local Chinese police have used analytical software developed by the firm to surveil people’s movements as part of health control restrictions. According to other state media and marketing material, Haixun provides “public opinion management” services to government agencies.

Making it a habit

Campaigns to purchase positive media are not new in China. However, Chinese state and private propaganda operations have since 2017 increasingly focused on turning those operations outward to counter negative narratives about Beijing abroad.

Every government agency in Beijing has a budget to promote its image abroad, said an employee of a public opinion management firm in Beijing that works with the central government. The employee, who spoke to The Post on the condition of anonymity because they were not authorized to speak to reporters, said that agencies “need to prove” they are achieving results, including in English-speaking countries.

The employee said that government bureaus and state-owned enterprises allocate funds for [positive] propaganda work abroad, including positive mentions in foreign media. 

The funds also pay for inauthentic social media activity to promote China and its government, and agencies frequently purchase bot services from groups outside China, in Southeast Asia and the United States, said the employee, who does not work directly with Haixun but is familiar with the firm. 

“It’s becoming a requirement,” the employee said.

The keys

FBI used surveillance authority on senator, other officials, court opinion says

FBI personnel improperly searched a surveillance database using the names of a U.S. senator and state senator, as well as the Social Security number of a state judge, according to an April court opinion released Friday. 

That was one of several developments related to so-called Section 702 surveillance authorities. The surveillance powers are set to expire at the end of this year and are used to target foreigners, but under certain restrictions intelligence officials can use them to obtain information on communications involving Americans. U.S. officials have been pushing for Congress to re-up Section 702, but many experts say they’d make changes to the spy powers.  

  • FBI Director Christopher A. Wray wrote in a letter to congressional leaders that for the first half of this year, “97 percent of the FBI's raw technical reporting on malicious cyber actors” came from Section 702.
  • A March opinion from the Foreign Intelligence Surveillance Court (FISC) concluded that the FBI’s steps to improve its compliance with rules for querying the 702 database had been effective. A 2021 FISC opinion issued before the FBI’s remedial measures detailed years of compliance problems.

Critics of how the government has used Section 702 reacted to Friday’s news with displeasure. 

“The FBI continues to break the rules put in place to protect Americans, running illegal searches on public officials including a U.S. senator, and it’s long past time for Congress to step in,” said Patrick Toomey, deputy director of the American Civil Liberties Union’s National Security Project. “As Congress debates reauthorizing Section 702, these opinions make clear why fundamental reforms are urgently needed.”

Sen. Ron Wyden (D-Ore.) criticized not only the breadth of Section 702 spying but how much of the court orders had been blacked out: “While I commend the administration for these releases, it remains the case that information the public needs in advance of 702 reauthorization has been unnecessarily redacted.”

Microsoft hack that exposed key government officials’ emails could have jeopardized other files

The hackers that breached the Microsoft email accounts of high-ranking U.S. government officials may have pilfered other documents and files protected by Microsoft login information, our colleague Joseph Menn reports, citing research from cloud security company Wiz.

  • “The hack … alarmed officials because the attackers used a stolen or forged Microsoft signing key of the kind that the company uses to authenticate customers,” Joseph writes, adding that, with the key, “they could masquerade as any Microsoft Exchange or Outlook email customer and approve access to employee inboxes.”

The Wiz researchers claimed that “anyone with the signing key could have extended their access and signed into other widely used Microsoft cloud offerings including SharePoint, Teams and OneDrive,” as Joseph writes.

While Microsoft revoked that authentication key, the researchers say that the hackers may have built in backdoor access to applications, and that some software could still approve a session with an expired key.

  •  Microsoft downplayed the research. “Many of the claims made in this blog are speculative and not evidence-based,” said Jeff Jones, a Microsoft spokesperson.
  • The Cybersecurity and Infrastructure Security Agency similarly said it had not seen any the hackers go beyond email. (They reportedly targeted Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns).

Despite the hack, Raimondo still plans to make a scheduled trip to China later this year, Reuters reported. 

Couple accused of laundering billions of bitcoin from 2016 hack set to plead guilty

A couple accused of laundering billions of bitcoin linked to the 2016 hack of the Bitfinex cryptocurrency exchange are poised to plead guilty, Cyrus Farivar reports for Forbes, citing federal court records.

  • Farivar writes: “The two were arrested in February 2022 at their Manhattan apartment, and their wild tale captivated the world. Shortly after their arrests the world quickly discovered Heather Morgan’s rap alter ego as ‘Razzlekhan’” where she sang in the 2019 song “Versace Bedouin.”

Morgan and husband Ilya Lichtenstein each face “one count of money laundering conspiracy,” and Morgan “also faces one count of conspiracy to defraud the United States,” according to the report. They are expected to plead guilty in D.C. next month. 

  • Prosecutors are asking the couple forfeit some $3 billion pilfered in cryptocurrency, the report adds. The stolen crypto was worth about $71 million at the time it was stolen but appreciated so much it was worth around $4.5 billion when they were arrested.

Government scan

Industry report

Global cyberspace

Cyber insecurity

Encryption wars

Privacy patch


Secure log off

Thanks for reading. See you tomorrow.


Article information

Author: Caleb Monroe

Last Updated: 1699968722

Views: 1229

Rating: 4.1 / 5 (98 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Caleb Monroe

Birthday: 1988-01-07

Address: 914 Greene Plains, Thomaschester, KS 61515

Phone: +4302058700581350

Job: Article Writer

Hobby: Playing Piano, Rowing, Horseback Riding, Arduino, Skydiving, Pottery, Telescope Building

Introduction: My name is Caleb Monroe, I am a vivid, striking, Adventurous, skilled, honest, unguarded, irreplaceable person who loves writing and wants to share my knowledge and understanding with you.