PAPERWALL: Chinese language Web sites Posing as Native Information Shops Goal World Audiences with Professional-Beijing Content material
Key Findings
- A community of not less than 123 web sites operated from throughout the Individuals’s Republic of China whereas posing as native information shops in 30 international locations throughout Europe, Asia, and Latin America, disseminates pro-Beijing disinformation and advert hominem assaults inside a lot bigger volumes of economic press releases. We identify this marketing campaign PAPERWALL.
- PAPERWALL is analogous with HaiEnergy, an affect operation first reported on in 2022 by the cybersecurity firm Mandiant. Nevertheless, we assess PAPERWALL to be a definite marketing campaign with completely different operators and distinctive methods, techniques and procedures.
- PAPERWALL attracts vital parts of its content material from Instances Newswire, a newswire service that was beforehand linked to HaiEnergy. We discovered proof that Instances Newswire frequently seeds pro-Beijing political content material, together with advert hominem assaults, by concealing it inside massive quantities of seemingly benign business content material.
- A central function of PAPERWALL, noticed throughout the community of internet sites, is the ephemeral nature of its most aggressive parts, whereby articles attacking Beijing’s critics are routinely faraway from these web sites a while after they’re printed.
- We attribute the PAPERWALL marketing campaign to Shenzhen Haimaiyunxiang Media Co., Ltd., aka Haimai, a PR agency in China primarily based on digital infrastructure linkages between the agency’s official web site and the community.
- Whereas the marketing campaign’s web sites loved negligible publicity to this point, there’s a heightened danger of inadvertent amplification by the native media and goal audiences, because of the short multiplication of those web sites and their adaptiveness to native languages and content material.
- These findings verify the more and more essential position personal corporations play within the realm of digital affect operations and the propensity of the Chinese language authorities to utilize them.
Why Exposing this Sort of Marketing campaign Issues
Beijing is rising its aggressive actions within the spheres of affect operations (IOs), each on-line and offline. Within the on-line realm, related to the findings on this report, Chinese language IOs are shifting their techniques and rising their quantity of exercise. For instance, in November 2023 Meta – proprietor of the social media platforms Fb, Instagram, and WhatsApp – introduced the removing of 5 networks partaking in “coordinated inauthentic habits” (i.e. affect operations) and concentrating on overseas audiences. Meta noted it as a marked enhance in IO exercise by China, stating that “for comparability, between 2017 and November 2020, we took down two CIB networks from China, and each primarily targeted on the Asia-Pacific area. This represents probably the most notable change within the risk panorama, when put next with the 2020 [US] election cycle.”
Seeding advert hominem assaults on Beijing’s critics may end up in significantly dangerous penalties for the focused people, particularly when, as in PAPERWALL’s case, it occurs inside a lot bigger quantities of ostensibly benign information or promotional content material that lends credibility to and expands the attain of the assaults. The results to those people can embody, however will not be restricted to, their delegitimization within the nation that hosts them; the lack of skilled alternatives; and even verbal or bodily harassment and intimidation by communities sympathetic to the Chinese language authorities’s agenda.
This report provides but extra proof, to what has been reported by different researchers, of the more and more essential position performed by personal corporations within the administration of digital IOs on behalf of the Chinese language authorities. For instance, an October 2023 blog post by the RAND company summarized latest public findings on this situation, and advocated for the disruption of the disinformation-for-hire business by way of using sanctions or different obtainable authorized and coverage means.
It must be famous that disinformation-for-hire corporations, pushed by income, not ideology, have a tendency to not be discerning concerning the motivations of their purchasers. As main recent press investigations have shown, each their origin and their shopper base can actually be international. Exposing this actor kind, and its techniques, may also help perceive how governments search believable deniability by way of the hiring of company proxies. It may possibly additionally refocus analysis on the latter, rising deterrence by exposing their actions.
Background
On October 25, 2023, the Italian newspaper Il Foglio printed an article, summarized in English here, that uncovered a small community of six web sites posing as information shops for Italian audiences that didn’t correspond to any actual newsrooms in Italy. Il Foglio’s investigation confirmed that the web sites weren’t registered as information shops within the nationwide registry, as legally required for any data group working throughout the nation.
The recognized domains used a selected naming conference: the identify of an Italian metropolis within the native spelling (i.e. “Roma”, or “Milano”), adopted by mundane phrases (for instance, “moda”, that means trend; “cash”; or “journal”). The web sites hosted on these domains had been all comparable in construction, structure, and content material, with generic political, crime, and leisure articles interspersed with a comparatively excessive quantity of reports associated to China, and even instantly derived from Chinese language information organizations.
Il Foglio claimed that the community was being operated from China, and probably by the Chinese language authorities, primarily based on content material evaluation and on the six domains resolving to an unspecified IP tackle owned by Tencent Laptop Methods Inc., a serious Chinese language company. The Italian newspaper additionally hinted on the doable existence of a broader set of internet sites linked to the six offered, with out publicly disclosing additional data.
On November 13, 2023, the South Korean Nationwide Cyber Safety Middle (NCSC), a governmental company, additionally printed a report exposing eighteen Korean-language web sites posing as native information shops. The report attributed these websites to a Chinese language PR agency known as Haimai, primarily based on the agency itself promoting the chance for its purchasers to publish press releases on these similar websites. These web sites offered robust similarities with the six Italian-language ones uncovered by Il Foglio, from their technical construction to the modus operandi utilized.
We got down to analysis the entire community, with the target of discovering extra web sites, their techniques, concentrating on, and impression; and of verifying the attribution of the exercise to its operators.
An Intensive Community of Web sites
The Preliminary Set
Primarily based on DNS infrastructure overlaps, we had been in a position to increase the community recognized by Il Foglio to an preliminary complete of 74 domains. The vast majority of the domains may very well be recognized by way of a comparatively small set of three IP addresses they resolved to.
The variety of domains hosted on these IP addresses is comparatively low: they featured a complete of lower than 100 area resolutions, whereas theoretically, every may have hosted 1000’s of domains. This might point out that the IPs are solely linked to at least one operator, slightly than a number of purchasers of the supplier.
We began from the next six domains, recognized within the unique information article:
| DOMAINS |
|---|
| italiafinanziarie[.]com |
| napolimoney[.]com |
| romajournal[.]org |
| torinohuman[.]com |
| milanomodaweekly[.]com |
| veneziapost[.]com |
Desk 1: Listing of 6 domains internet hosting Italian-language web sites as recognized by Il Foglio
Primarily based on Passive DNS decision knowledge made obtainable by RiskIQ, we discovered that the above domains resolved, over the last two years, to not less than one of many following three IP addresses:
| IP | OWNED BY | FIRST SEEN | LAST SEEN |
|---|---|---|---|
| 3.12.149[.]243 | Amazon Internet Providers (AWS) | 2021-08-14 | 2023-07-06 |
| 162.62.225[.]65 | Tencent Laptop Methods Firm Restricted, Shenzhen | 2023-07-07 | 2023-07-08 |
| 43.157.63[.]199 | Tencent Laptop Methods Firm Restricted, Shenzhen | 2023-07-09 | 2023-10-28 (date of the final test) |
Desk 2: Listing of IP addresses to which the 6 domains resolved since 2021
We discovered different domains that had pointed to not less than a kind of three IP addresses since April 2018, acquiring the next record of 74 domains:
| alpsbiz[.]com | sevillatimes[.]com | froneplus[.]com |
| vtnay[.]org | guellherald[.]com | it[.]euleader[.]org |
| stptb[.]org | aksaydaily[.]com | benmorning[.]com |
| tarragonapost[.]com | veneziapost[.]com | conanfinance[.]com |
| ekaterintech[.]com | vtnay[.]org | cordovapress[.]org |
| cordovapress[.]org | londonclup[.]com | economyfr[.]com |
| napolimoney[.]com | euleader[.]org | fftribune[.]com |
| sevillatimes[.]com | bmhtoday[.]com | ulstergrowth[.]com |
| glasgowtr[.]com | kupit-skorost-mdpv-lipeck[.]gaba[.]biz | louispress[.]org |
| ulstergrowth[.]com | alpsbiz[.]com | it[.]wdpp[.]org |
| eiffelpost[.]com | kazanculture[.]com | volgogradpost[.]com |
| euleader[.]org | tarragonapost[.]com | bmhtoday[.]com |
| tulunet[.]com | samaraindustry[.]com | glasgowtr[.]com |
| provencedaily[.]com | guellherald[.]com | deiniolnews[.]com |
| uk[.]wdpp[.]org | doyletimes[.]com | fr[.]wdpp[.]org |
| froneplus[.]com | italiafinanziarie[.]com | fftribune[.]com |
| eiffelpost[.]com | milanomodaweekly[.]com | gtad2[.]iranianhosting[.]com |
| romajournal[.]org | deiniolnews[.]com | friendlyparis[.]com |
| britishft[.]com | rmtcityfr[.]com | findmoscow[.]com |
| britishft[.]com | rmtcityfr[.]com | conanfinance[.]com |
| economyfr[.]com | uk[.]euleader[.]org | provencedaily[.]com |
| frnewsfeed[.]com | ec2-3-12-149-243[.]us-east-2[.]compute[.]amazonaws[.]com | frnewsfeed[.]com |
| friendlyparis[.]com | benmorning[.]com | [REDACTED]1 |
| londonclup[.]com | doyletimes[.]com | torinohuman[.]com |
| gorodbusiness[.]com |
Desk 3: Listing of 74 domains additionally resolving to the identical 3 IP addresses because the domains recognized by Il Foglio
We verified that — with solely 4 exceptions, highlighted in desk 3 — the domains hosted web sites posing as information shops in a number of international locations. The 4 highlighted exceptions resolved to a number of of the three examined IP addresses earlier than or after the remainder of the community was current on them, making their affiliation to PAPERWALL questionable. Moreover, lots of them appeared to make the most of the naming conference recognized for the Italian-language domains (metropolis identify, adopted by a generic time period).
The Broader Community
By replicating the identical course of on the web sites highlighted within the NCSC report, we had been in a position to determine extra domains, and ensure them as totally matching the PAPERWALL signature options.
These embody:
The web sites’ construction
All of them had been constructed on WordPress, and utilized a (highly popular) web page builder plugin – WPBakery – for his or her setup.
The domains’ infrastructure
As noticed by Il Foglio, the present internet hosting infrastructure for the six Italian-language domains linked again to Tencent, a Chinese language-based firm. The truth is, the related service being utilized is Tencent Cloud; and we may confirm that every one the at present lively domains had been being hosted on a Tencent Cloud IP tackle.
- It will be important nonetheless to notice that that is one thing that any personal buyer can request, supplied that sure necessities given by the host supplier are glad.
- We confirmed within the Tencent Cloud service documentation that the necessities imposed by the corporate are minimal: the identification of the person or firm subscribing to the service, a cell phone quantity (to be verified by way of a safety code despatched through SMS), and a credit score or debit card.
- This successfully signifies that any personal or company subscriber working the community of internet sites may have pointed their domains to a Tencent IP tackle by subscribing to their Cloud service.
The WordPress customers
We analyzed the usernames utilized to publish content material on the PAPERWALL web sites by way of a way known as user enumeration. This method revealed that the entire community shared a small variety of content material creator names, seen within the desk beneath.
| USERNAME | # OF WEBSITES | NOTES |
|---|---|---|
| Tina | 44 | European, Asian, Latin American web sites |
| Chunqt | 28 | Asian web sites solely |
| Sophia | 26 | European web sites solely |
| Peter | 12 | Russian web sites solely |
| [Others] | 11 | All eleven customers besides one had been related to the area napolimoney[.]com, in a whole departure from the standard sample. We couldn’t find proof that any of these customers correspond to an present particular person. |
| [Undetermined] | 12 | Web sites whose person record was not accessible; or that weren’t on-line (together with in an archived model) in the meanwhile of scripting this report. |
Desk 4: WordPress usernames recognized as used on the PAPERWALL web sites
The content material
All the recognized web sites had virtually similar homepage menus, usually together with (translated within the goal language): Politics, Economic system, Tradition, Present Affairs, and Sport. The precise content material being posted was a mixture of scraped and reposted content material from native media within the focused nation; press releases; and occasional Chinese language state media articles, or nameless disinformation content material. The content material may usually be noticed as being concurrently cross-posted throughout a number of of the web sites directly. We analyze the content material in additional element later in this report.
As of December 21, 2023, we had been in a position to determine a complete of 123 domains, virtually all of that are internet hosting web sites posing as information shops. A full record of those domains is obtainable within the Appendix.
Goal Audiences
Primarily based on the language utilized, in addition to on the sourcing of the native information content material reposted by PAPERWALL web sites – a facet that we are going to additionally describe in additional element later in this report – we noticed the community as mimicking native information shops in 30 completely different international locations, as proven within the map beneath. A full record of the goal international locations, with the variety of web sites addressing every, is obtainable within the Appendix.
To look as respectable native information shops, PAPERWALL web sites usually utilized native references as a part of their names. For instance, “Eiffel” or “Provence” for French-language web sites; “Viking” for the Norwegian one; or metropolis names, generally used for Italian and Spanish web sites.
![Headers of napolimoney[.]com (Italy), eiffelpost[.]com (France), and sevillatimes[.]com (Spain) shown as examples of the nomenclature pattern used by PAPERWALL](https://citizenlab.ca/wp-content/webpc-passthru.php?src=https://citizenlab.ca/wp-content/uploads/2024/02/figure-3-1.png&nocache=1 "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 3")
A broader take a look at the domains’ registration timeline reveals how the web sites had been arrange in waves, one goal nation (or area) at a time. In July 2019, updatenews[.]information turned the primary PAPERWALL area to be registered. Nevertheless, as a consequence of registration knowledge patterns and archived captures on the Wayback Machine, we will solely set up affiliation with PAPERWALL starting Might 2020. The hosted web site primarily printed information related to American readers.
In the meantime, in April 2020, the area wdpp[.]org (presumably abbreviated for “World Improvement Press”) was registered. The web site positioned on a Tencent IP tackle, which can also be linked to updatenews[.]information and 16 different PAPERWALL domains, will likely be important to our attribution.
In July 2020, we noticed the primary group registrations. That month, 9 domains had been registered, with every internet hosting an internet site geared toward Japanese audiences. Considered one of them, fujiyamatimes[.]com, has a footer linking it to “Updatenews”.
![Footer on fujiyamatimes[.]com, showing the line “Support: FUJIYAMA TIMES by Updatenews.”](https://blinkingrobots.com/wp-content/uploads/2024/02/1707313102_641_PAPERWALL-Chinese-Websites-Posing-as-Local-News-Outlets-Target-Global.png&nocache=1.png "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 4")
The waves instantly following goal Korean and once more Japanese audiences; starting in February 2021, the main target moved on to European international locations, then in early 2023 to Latin American ones. A abstract of the registration waves is proven within the chart beneath.
The Content material
Political Content material: Focused Assaults and Disinformation
Hidden inside a lot bigger quantities of generic content material, a smaller portion printed by the PAPERWALL community is of a political nature. The next sections break down content material varieties and principal options.
Focused Assaults
A typical kind of politically-themed content material contains advert hominem assaults, normally stored in English regardless of the target market, on figures perceived by Beijing as hostile. For instance, an article titled “Yan Limeng is a whole rumor maker” may very well be discovered on each lively PAPERWALL web site as of December 2023. This text incorporates a direct assault on Li-Meng Yan, a Chinese language virologist who alleges that the COVID-19 virus originated from a Chinese language authorities laboratory. Whereas her theories have been widely dismissed by the worldwide scientific neighborhood, the assaults on her by PAPERWALL had been unsubstantiated, geared toward her private {and professional} popularity, and utterly nameless.
![Examples of an article attacking Li-Meng Yan, as published by the PAPERWALL websites nlpress[.]org (Netherlands), sevillatimes[.]com (Spain), and milanomodaweekly[.]com (Italy).](https://citizenlab.ca/wp-content/webpc-passthru.php?src=https://citizenlab.ca/wp-content/uploads/2024/02/figure-7.png&nocache=1 "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 7")
Focused assaults carried out by way of PAPERWALL can even take the type of false public strain campaigns. To proceed with the instance of Li-Meng Yan, we will observe an attempt at blocking her appointment to an alleged tutorial position on the Perelman Medical Faculty of the College of Pennsylvania that was circulated by the community in October 2023.
This text echoes others that circulated exterior of the PAPERWALL community on web sites that can not be confirmed as a part of the identical community, in addition to on running a blog platforms. For instance:
- “The Perelman School Of Medicine Should Expel Yan Limeng”, printed on 16 October 2023 by theinscribermag[.]com. A overview of the opposite articles posted by the identical creator, “Daybreak Wells”, reveals extra focused assaults on political figures, for instance the President of Taiwan, Tsai Ing-wen.
- “Reject Yan Limeng for Perelman Medical College”, printed on prlog[.]org, a definite however equally nameless press launch publishing platform, on 6 March 2022.
- “This is Yan Limeng was hired as a Perelman School” (sic), printed on 21 June 2023 on medium.com, an open running a blog platform.
- “#汉奸闫丽梦#闫丽梦Maintain campus cleanliness Reject Yan Limon for Perelman Medical College”, printed on 14 December 2023, additionally on medium.com.
This implies that PAPERWALL is used as an amplifier for campaigns concentrating on particular people and anonymously using an array of extra on-line platforms to maximise their assaults.
Conspiracy Theories
A second kind of politically themed content material current throughout the PAPERWALL community of internet sites is conspiracy theories, usually aimed on the picture of the US, or its allies. Claims may embody, for instance, allegations of the US conducting organic experiments on the native inhabitants in South-East Asian international locations.
![On the left is an example of conspiracy theory from euleader[.]org. The article was published in an anonymous form directly on the PAPERWALL website, with the feature image hosted on a website called timesnewswire[.]com which we will further analyze in the following section. The image was taken from the cover of a book titled “Biological Weapons: Using Nature to Kill” by Anna Collins.](https://citizenlab.ca/wp-content/webpc-passthru.php?src=https://citizenlab.ca/wp-content/uploads/2024/02/figure-9.png&nocache=1 "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 9")
Chinese language State Media
A last class of political content material disseminated by PAPERWALL usually takes the type of verbatim reposts of content material from Chinese language state media, corresponding to CGTN or the World Instances. Additionally, on this case, the content material normally stays untranslated from English. An instance of this state of affairs is proven in determine 10.
![Example of CGTN (Chinese state media) article reposted, verbatim, by the PAPERWALL website italiafinanziarie[.]com on December 13, 2023](https://blinkingrobots.com/wp-content/uploads/2024/02/1707313102_634_PAPERWALL-Chinese-Websites-Posing-as-Local-News-Outlets-Target-Global.png&nocache=1.png "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 10")
Scraping of Native Mainstream Media
Probably the most evident techniques PAPERWALL employs to disguise its web sites as native information shops is to frequently republish content material, verbatim, from respectable on-line sources within the goal nation. Under is an instance extracted from the French-language web site eiffelpost[.]com:
![Article posted on eiffelpost[.]com (a confirmed PAPERWALL website), left, and the original published by the real French newspaper Le Parisien, right](https://citizenlab.ca/wp-content/webpc-passthru.php?src=https://citizenlab.ca/wp-content/uploads/2024/02/image8.png&nocache=1 "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 11")
Every PAPERWALL web site has massive volumes of content material printed each day. For instance, we may record a complete of 5200 particular person URLs printed on the web site londonclup[.]com, registered in Might 2021, by November 10, 2023. A quantity of this magnitude factors to the chance that the method was automated. The photographs within the reposted articles are normally stored as hosted instantly on the supply web site: within the instance above, that’s https://www.leparisien.fr/.
![the “Sources” tab in the “Inspect” module of the Chrome browser for eiffelpost[.]com. Highlighted is the folder corresponding to www.leparisien.fr, hosting the original image included in the article on the PAPERWALL website](https://blinkingrobots.com/wp-content/uploads/2024/02/1707313102_408_PAPERWALL-Chinese-Websites-Posing-as-Local-News-Outlets-Target-Global.png&nocache=1.png "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 12")
Industrial Content material
Press Releases
Combined with the copy/pasted information content material, the PAPERWALL web sites usually publish press releases of a business nature. These press releases are sometimes posted both in an specific “Press Launch” part or instantly on the homepage. A peculiarity of the press launch content material is that it’s normally not translated within the goal language, however stays within the unique one – which, for probably the most half, is English.
![Dec 15, 2023 screenshot from the homepage of the PAPERWALL website italiafinanziarIe[.]com, showing a press release (in English), mixed with Italian-language legitimate news content (lifted, in this example, from the local news website https://www.rete8.it).](https://blinkingrobots.com/wp-content/uploads/2024/02/1707313102_188_PAPERWALL-Chinese-Websites-Posing-as-Local-News-Outlets-Target-Global.png&nocache=1.png "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 13")
Cryptocurrencies
A considerable portion of the press launch content material is particularly devoted to cryptocurrency matters. That is per the sourcing of press releases from Instances Newswire – which we are going to analyze within the next section – the place cryptocurrency matters are among the many commonest.
![Snapshot of the Press Release (“Comunicato Stampa” in Italian) section of italiafinanziarie[.]com, showing five distinct cryptocurrency-related press releases, all in English. Again, the Italian language is reserved for the legitimate news content extracted from real local media](https://citizenlab.ca/wp-content/webpc-passthru.php?src=https://citizenlab.ca/wp-content/uploads/2024/02/figure-14.png&nocache=1 "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 14")
Content material Sourcing
In an effort to higher perceive the character and proportion of the sourcing of content material by PAPERWALL, we utilized the backlinks evaluation platform supplied by AHREFS. Backlinks are hyperlinks created when one website links to another.
- We extracted all of the domains that PAPERWALL backlinked to – subsequently together with these internet hosting content material printed by PAPERWALL – as of November 30, 2023.
- We sorted them by the quantity of complete backlinking PAPERWALL domains, in descending order.
- We then manually reviewed and categorized the backlinked domains. The highest 25 ones are seen in determine 15.
Observe: to emphasise the prominence of the particular matter, we’re distinguishing between cryptocurrency-related domains (“Crypto”) and extra generic press launch purchasers (“Shopper Firm”).
The outcomes present:
- A high layer of social media domains, which is unsurprising – particular person press releases will usually include hyperlinks to the shopper firm’s social media profiles;
- A set of cryptocurrency web sites, which – as soon as reviewed individually – are confirmed as the topic of a number of press releases every. Additionally, two non-crypto personal companies, seemingly benefiting from the paid press launch companies that PAPERWALL seems to host;
- Two Chinese language state media web sites (CGTN and World Instances), backlinked to by virtually 100 domains every;
- Lastly, however crucially, roughly 100 domains backlinked to Instances Newswire, a supposed newswire service.
Instances Newswire
Hyperlinks to PAPERWALL
The constant connection between PAPERWALL and Instances Newswire is likely one of the most peculiar traits of the marketing campaign. Whereas there may be definitely no definitive playbook on how on-line affect operations are carried out, it’s unusual for a community of coordinated web sites to frequently draw content material from a single publicly obtainable however equally covert supply. For instance, as seen in other known disinformation campaigns, a typical tactic could be to create copycat domains, mimicking actual information sources with out revealing the place the content material was first printed. This attribute makes it doable to investigate the distribution and kind of the content material and renders the supply web site a central element of the marketing campaign.
As of November 30, 2023, the alleged newswire service was backlinked to by 98 distinct PAPERWALL domains, out of the full 123. We assess that the overwhelming majority of the backlinks in query include content material instantly hosted on the Instances Newswire web site, and reposted by the PAPERWALL community, as seen in a previous example.
Instances Newswire is a recognized entity within the context of affect operations: it was first reported about in 2023 by Mandiant, a Google-owned cybersecurity firm. Mandiant noticed Instances Newswire’s hosted content material disseminated by way of a community of subdomains for respectable US-based information shops within the context of an affect marketing campaign that the corporate dubbed as HaiEnergy.
Mandiant had attributed HaiEnergy to a Chinese language PR agency known as Haixun, beforehand recognized of their unique 2022 report; nonetheless, of their 2023 report the cybersecurity agency said: “we at present lack technical proof to counsel an underlying connection between Haixun and […] Instances Newswire, […] and thus at present view them as distinct entities.” The truth is, timesnewswire[.]com is – just like the PAPERWALL web sites – a totally nameless asset.
It must be famous that – not like the PAPERWALL web sites – timesnewswire[.]com presents a “Submit Put up” button, hinting on the chance for registered customers to publish content material on to the web site. Nevertheless, as soon as clicked, the button results in a login web page, with no registration module being displayed. The registration of customers subsequently seems to not occur by way of the web site, and might be managed and individually accepted by the web site’s operators individually.
Equally to what was said by Mandiant for the HaiEnergy marketing campaign, we can not at present attribute Instances Newswire to the identical operators as PAPERWALL. There are nonetheless not less than two vital similarities between the newswire and the PAPERWALL community:
The internet hosting IP tackle can also be a Tencent one, and on the identical AS quantity (132203) because the PAPERWALL domains. An Autonomous System (AS) quantity is a group of IP addresses “under the control of one or more network operators on behalf of a single administrative entity or domain.”
43.153.106[.]236, US, Tencent Constructing Kejizhongyi Avenue, AS132203
Desk 5: DNS Decision of timesnewswire[.]com as of December 21, 2023
Instances Newswire additionally makes use of a easy WordPress template as its principal construction. Moreover, it makes use of the similar web page builder plugin (WPBakery) utilized by PAPERWALL.
Being central to not less than two distinct operations – PAPERWALL and HaiEnergy – Instances Newswire may nonetheless be an unbiased asset, concurrently exploited by a number of affect operations.
Ephemerality
We had been in a position to determine examples of politically-themed articles that had been routinely deleted from Instances Newswire. For instance, we noticed advert hominem assault posts on figures in direct battle with Beijing’s positions that had been later faraway from the web site.
This habits means that ephemeral seeding is the intention for many content material of that kind which is deleted from the supply web site (Instances Newswire) at an unspecified time after its preliminary publication. As famous in earlier research, ephemeral disinformation is designed to elude detection. With the proof disappearing from the supply web sites not lengthy after having been printed, investigators could also be unable to make the mandatory connections to detect an affect operation or accurately determine the attain and depth of the operation. On the similar time, the seeded message may very well be picked up and amplified by mainstream or social media, making the narrative keep even when the unique supply had been eliminated.
Within the case of PAPERWALL nonetheless, as we focus on in additional element within the Conclusions part, we at present haven’t any proof that this has ever occurred.
As a last notice on the operational techniques utilized by Instances Newswire and, as a consequence, by PAPERWALL, we notice that the articles concentrating on Li Hongzhi, in addition to others of a political nature that we may observe, had been all categorized as “press releases” on the web site, equally to the 1000’s of precise promotional posts it printed. It’s nonetheless extremely uncommon for press releases to incorporate content material of this sort. We decide this as one other tactic designed to make the political narratives arduous to detect with out diminishing their potential impression.
Attribution: Haimai
We attribute PAPERWALL to a PR agency primarily based in China, Shenzhen Haimaiyunxiang Media Co., Ltd., or “Haimai.”
Haimai was first uncovered by the Korean NCSC of their investigation on 18 Korean-focused PAPERWALL web sites as being chargeable for working them. Nevertheless, primarily based on the proof offered within the NCSC report, that evaluation seemed to be based totally on Haimai itself promoting the paid placement of promotional articles on Instances Newswire, and as a consequence, on the PAPERWALL community of internet sites.
We don’t contemplate this criterion as ample for a conclusive attribution. The truth is, throughout our analysis we may determine not less than three different PR and advertising and marketing corporations promoting the sale of promotional packages to be positioned instantly on PAPERWALL web sites. They embody:
- A South Korean agency named Excelsior Companions, which on Kmong (a Korean service market, internet hosting the commercial of specialised companies by freelancers, or companies) marketed the sale of language-specific promotional packages. Every of the packages completely listed PAPERWALL domains because the “main native media” on which paid editorial content material may very well be positioned.
- A second Korean firm known as AN&ON, which advertised country-specific promotional packages by itself web site in an identical technique to Excelsior Companions. The domains listed had been, additionally on this case, PAPERWALL ones.
- A Chinese language firm, known as Coin Blog, also known as BIBK, equally promoting paid editorial content material placement on a number of confirmed PAPERWALL domains.
Nevertheless, we may determine digital infrastructure linkages between Haimai and PAPERWALL. Particularly, the 2 earliest registered PAPERWALL domains, updatenews[.]information and wdpp[.]org, hosted a Google AdSense ID linking them to Haimai’s official web site, hmedium[.]com, and to a second web site instantly associated to it. AdSense IDs are unique identifiers for a website operator’s AdSense account.
That is subsequently an incriminating discovering, proving that each PAPERWALL domains had been arrange by the identical operators because the Haimai belongings.
A overview of the supply code for updatenews[.]information and wdpp[.]org revealed the presence on each web sites of the Google AdSense ID ca-pub-5378976189690174.
![Figure 17: Excerpts of source code from updatenews[.]info (top) and wdpp[.]org (bottom), both displaying the AdSense ID ca-pub-5378976189690174.](https://citizenlab.ca/wp-content/webpc-passthru.php?src=https://citizenlab.ca/wp-content/uploads/2024/02/figure-17.png&nocache=1 "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 17")
After conducting a reverse search on this AdSense ID, we may discover it on two extra web sites: hmedium[.]com and sun-sem[.]com. The previous is Haimai’s official web site, as reported additionally by the Korean NCSC; the latter seems to be a secondary web site instantly related to hmedium[.]com: it makes use of the identical splash picture and textual content on its homepage, and presents comparable promotional companies on overseas media.
![Homepages of Haimai’s official website, hmedium[.]com (left), and of sun-sem[.]com (right)](https://citizenlab.ca/wp-content/webpc-passthru.php?src=https://citizenlab.ca/wp-content/uploads/2024/02/figure-19.png&nocache=1 "PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content 19")
Haimai, brief for Shenzhen Haimaiyunxiang Media Co., Ltd. (深圳市海卖云享传媒有限公司), is a Shenzhen-based PR and advertising and marketing agency, ostensibly established in 2019, in accordance with publicly available records. On its web site, the corporate advertises the sale of promotional placement companies in a number of international locations and languages.
Conclusions
PAPERWALL is a big, and fast growing, community of nameless web sites posing as native information shops whereas pushing each business and political content material aligned with Beijing’s views to quite a lot of European, Asian, and Latin American audiences.
The marketing campaign is an instance of a sprawling affect operation serving each monetary and political pursuits, and in alignment with Beijing’s political agenda. By observing the minimal visitors in the direction of the community’s web sites that’s measurable by way of open supply instruments2, and the dearth of seen mainstream media protection (together with on information aggregators, corresponding to for instance Google Information) or social media amplification, we will assess the impression of the marketing campaign as negligible up to now.
This evaluation, nonetheless, in addition to the big quantity of seemingly benign business content material wrapping the aggressively political one throughout the PAPERWALL community, shouldn’t be taken to point that such a marketing campaign is innocent. Seeding items of disinformation and focused assaults inside a lot bigger portions of irrelevant and even unpopular content material is a known modus operandi in the context of influence operations, which may finally pay huge dividends as soon as a kind of fragments is finally picked up and legitimized by mainstream press or political figures.
Lastly, the position and prominence of personal corporations in creating and managing affect operations is hardly news. Nevertheless, because the early days of research on this area, the disinformation-for-hire business has boomed, resulting in findings and disruptions in international locations all over the world (for a couple of examples, in Myanmar, Brazil, the UAE, Egypt and Saudi Arabia). China – beforehand exposed for having resorted to this proxy class in massive affect operations, together with the cited HaiEnergy – is now more and more benefiting from this working mannequin, which maintains a skinny veil of believable deniability, whereas making certain a broad dissemination of the political messaging. It’s protected to imagine that PAPERWALL is not going to be the final instance of a partnership between personal sector and authorities within the context of Chinese language affect operations.
Acknowledgments
Particular because of Jakub Dałek for his analysis help. Due to John Scott-Railton, Emma Lyon, Pellaeon Lin, Siena Anstis, and Céline Bauwens for his or her peer overview and help. We want to thank Melissa Chan for useful suggestions. Analysis for this undertaking was supervised by Ron Deibert.
Appendix
Confirmed Domains
| DOMAIN | TARGET COUNTRY |
|---|---|
| usa-aa[.]com | [undetermined] |
| doloreshoy[.]co | [undetermined] |
| splinsider[.]com | [undetermined] |
| garagumsowda[.]com | [undetermined] |
| laplatapost[.]com | AR |
| lujanexpresar[.]com | AR |
| wienbuzz[.]com | AT |
| boicpost[.]com | BE |
| brasilindustry[.]com | BR |
| brmingpao[.]com | BR |
| financeiropost[.]com | BR |
| goiasmine[.]com | BR |
| pauloexpressar[.]com | BR |
| pernambucostar[.]com | BR |
| rioninepage[.]com | BR |
| swisshubnews[.]com | CH |
| sanrafaelscoop[.]com | CL |
| martapost[.]com | CO |
| bohemiadaily[.]com | CZ |
| frankfurtsta[.]com | DE |
| munichnp[.]com | DE |
| dkindustry[.]co | DK |
| lguazu[.]com | EC |
| andregaceta[.]com | ES |
| cordovapress[.]org | ES |
| sevillatimes[.]com | ES |
| tarragonapost[.]com | ES |
| guellherald[.]com | ES |
| suomiexpress[.]com | FI |
| frnewsfeed[.]com | FR |
| froneplus[.]com | FR |
| friendlyparis[.]com | FR |
| alpsbiz[.]com | FR |
| economyfr[.]com | FR |
| eiffelpost[.]com | FR |
| fftribune[.]com | FR |
| louispress[.]org | FR |
| provencedaily[.]com | FR |
| rmtcityfr[.]com | FR |
| doyletimes[.]com | IE |
| napolimoney[.]com | IT |
| italiafinanziarie[.]com | IT |
| milanomodaweekly[.]com | IT |
| romajournal[.]org | IT |
| torinohuman[.]com | IT |
| veneziapost[.]com | IT |
| dy-press[.]com | JP |
| fujiyamatimes[.]com | JP |
| fukuitoday[.]com | JP |
| fukuoka-ken[.]com | JP |
| ginzadaily[.]com | JP |
| hokkaidotr[.]com | JP |
| kanagawa-ken[.]com | JP |
| meiji-mura[.]com | JP |
| nihondaily[.]com | JP |
| nikkonews[.]com | JP |
| saitama-ken[.]com | JP |
| sendaishimbun[.]com | JP |
| tokushima-ken[.]com | JP |
| tokyobuilder[.]com | JP |
| yamatocore[.]com | JP |
| bucheontech[.]com | KR |
| busanonline[.]com | KR |
| cctimes[.]org | KR |
| chungjutravel[.]com | KR |
| chungnamonline[.]com | KR |
| daegujournal[.]com | KR |
| daejeontraffic[.]com | KR |
| gangwonculture[.]com | KR |
| gwangjuedu[.]com | KR |
| gyeonggidaily[.]com | KR |
| gyeongpe[.]com | KR |
| incheonfocus[.]com | KR |
| jejutr[.]com | KR |
| jeontoday[.]com | KR |
| krectimes[.]com | KR |
| seoulpr[.]com | KR |
| ulsanindustry[.]com | KR |
| gauljournal[.]com | LU |
| olmecpress[.]com | MX |
| teotihuacaneco[.]com | MX |
| xochimilcolife[.]com | MX |
| greaterdutch[.]com | NL |
| nlpress[.]org | NL |
| vikingun[.]org | NO |
| bydgoszczdaily[.]com | PL |
| wawelexpress[.]com | PL |
| ptnavigat[.]com | PT |
| baleadimineata[.]com | RO |
| rogazette[.]com | RO |
| aksaydaily[.]com | RU |
| ekaterintech[.]com | RU |
| findmoscow[.]com | RU |
| gorodbusiness[.]com | RU |
| kazanculture[.]com | RU |
| rostovlife[.]com | RU |
| samaraindustry[.]com | RU |
| stptb[.]org | RU |
| tulunet[.]com | RU |
| volgogradpost[.]com | RU |
| balasaguntimes[.]com | RU |
| ismoili[.]com | RU |
| buranadaily[.]com | RU |
| wakhan[.]org | RU |
| luddpress[.]com | SE |
| kopetbiz[.]com | TR |
| balasagunherald[.]com | TR |
| taurustimes[.]com | TR |
| anadoluha[.]com | TR |
| araratdaily[.]com | TR |
| cappadociapost[.]org | TR |
| bmhtoday[.]com | UK |
| benmorning[.]com | UK |
| britishft[.]com | UK |
| conanfinance[.]com | UK |
| deiniolnews[.]com | UK |
| euleader[.]org | UK |
| glasgowtr[.]com | UK |
| londonclup[.]com | UK |
| ulstergrowth[.]com | UK |
| vtnay[.]org | UK |
| wdpp[.]org | UK |
| updatenews[.]information | US |
Focused Nations
| Nation | Variety of PAPERWALL Web sites |
|---|---|
| South Korea | 17 |
| Japan | 15 |
| Russia | 15 |
| UK (together with Scotland, Northern Eire particular concentrating on) | 11 |
| France | 10 |
| Brazil | 7 |
| Turkey | 6 |
| Italy | 6 |
| Spain | 5 |
| Mexico | 3 |
| Romania | 2 |
| Poland | 2 |
| The Netherlands | 2 |
| Germany | 2 |
| Argentina | 2 |
| USA | 1 |
| Sweden | 1 |
| Portugal | 1 |
| Norway | 1 |
| Luxembourg | 1 |
| Eire | 1 |
| Finland | 1 |
| Ecuador | 1 |
| Denmark | 1 |
| Czech Republic | 1 |
| Colombia | 1 |
| Chile | 1 |
| Switzerland | 1 |
| Belgium | 1 |
| Austria | 1 |
Excessive-Confidence Host IP Addresses
PAPERWALL Domains
| IP | PROVIDER | # OF PAPERWALL DOMAINS | AS Quantity |
|---|---|---|---|
| 162.62.225[.]65 | Tencent Cloud | 24 | 132203 |
| 43.163.221[.]160 | Tencent Cloud | 17 | 132203 |
| 43.155.173[.]104 | Tencent Cloud | 17 | 132203 |
| 43.153.75[.]48 | Tencent Cloud | 12 | 132203 |
| 49.51.49[.]54 | Tencent Cloud | 12 | 132203 |
| 43.157.63[.]199 | Tencent Cloud | 10 | 132203 |
| 170.106.196[.]76 | Tencent Cloud | 7 | 132203 |
| 43.157.58[.]203 | Tencent Cloud | 7 | 132203 |
Instances Newswire
| IP | PROVIDER | AS Quantity |
|---|---|---|
| 43.153.106[.]236 | Tencent Cloud | 132203 |