China-linked threat group sowing discord ahead of US elections, analyst warns

With the midterms looming, an information operations (IO) campaign allegedly backed by the Asian superpower is trying to exploit political disenchantment in the US to derail the democratic process, says Mandiant.

The US-based cyber watchdog claims the Chinese-linked IO campaign or group, known as Dragonbridge, is using “increasingly aggressive rhetoric” to discourage citizens from voting in the upcoming elections. Mandiant says it has been monitoring the group for months.

These tactics range from the bizarre – doctoring articles on the web to present Chinese-affiliated hacker groups as, in fact, US-backed – to the more subtle, issuing content that appears to endorse the Capitol riots and criticizing American democracy and lawmaking in general.

One authentic news portal caught up in the latest salvo of crossfire was Hong Kong-based Sing Tao Daily, which ran an article in March citing previous Mandiant research into APT41, previously identified by the analyst as a China-affiliated threat group. Mandiant found that Dragonbridge had altered the original Sing Tao article to make it look like the portal claimed APT41 was a “US hacking group” that had attacked “at least six countries” the previous year.

It added: “While we have previously observed Dragonbridge themes involving alleged malicious US cyber activity, fabrications regarding APT41 as American in origin appear to be an escalation in the degree of implied US operations.”

Original Chinese-language article (top) that cited Mandiant and the doctored version (below)

Twitter leveraged again

In a tactic recorded during a previous IO campaign, Dragonbridge used ‘dummy’ Twitter accounts that appeared to belong to Western citizens to make lurid claims about APT41, again falsely referred to as a “US government network.”

“The hacking activities of APT41 are also secretly accepting the help of the CIA [...] to meet the political goals of the United States,” claimed one tweet, attributed to a “Kimberly Allen” – believed by Mandiant to be in fact an operative working for Dragonbridge.

Another similar case identified by Mandiant saw Dragonbridge attack the hacktivist group Intrusion Truth – a mysterious online entity that has targeted hackers affiliated with Chinese espionage operations since 2017 – in an apparent reprisal.

In one example, a tweet posted by Intrusion Truth that appeared to accuse China of hacking or spying with the hashtag #AllRoadsLeadToChengdu was altered to read #usahacker instead, with the last letter of the anti-China group’s Twitter account name changed as well.

“Dragonbridge accounts have also replied to tweets posted by the original Intrusion Truth, questioning the veracity of the group’s information while highlighting alleged malicious US cyber activities,” said Mandiant. “Such posts demonstrate that Dragonbridge is aware of and responsive to Intrusion Group messaging.”

Tweets posted from 'dummy' accounts claiming Chinese threat group APT41 is US-backed

Exploiting a troubled democracy?

Perhaps more disturbingly, Dragonbridge was found to be behind video content that ran footage of the Capitol storming by Trump supporters in January last year, while narrating: “The solution to America’s ills is not to vote for someone [but] to root out this ineffective and incapacitated system.”

This kind of narrative is all the more unsettling because, while it may be linked to a Chinese threat group in this case, it appears to echo rhetoric employed by the Trump camp, which repeatedly used slogans such as “drain the swamp” in reference to perceived endemic corruption in Washington DC.

Other Dragonbridge ‘productions’ identified by Mandiant included footage of incumbent president Joe Biden with the taglines “Can voting make America a better place?” and “But does voting really matter that much?”

Whether this is intended to play on American disenchantment with the democratic system, or subtly promote China’s authoritarian alternative, or both, is unclear. Other parts of footage studied by Mandiant and attributed to Dragonbridge “cast doubt on the productivity of US lawmakers and of the legislative process in having a tangible impact on Americans’ lives.”

“Dragonbridge posted content asserting that political infighting, partisanship, polarization, and division had become fundamental aspects of American democracy,” said Mandiant.

The analyst added that the suspected IO campaign cited “frequent mentions of ‘civil war’ on social media and incidents of politically motivated violence, including confrontations between supporters of opposing parties and acts against the FBI, as evidence of the deterioration of the political process and its impending demise.”

Mandiant claims that Dragonbridge’s efforts constitute “attempts to sow discord and dissatisfaction within US society” – though some might argue it is merely exploiting homegrown and pre-existing socioeconomic problems in America that conveniently fit its own narrative.

“We have seen Dragonbridge criticize American society via narratives regarding racial strife and social injustice,” said the analyst. “However, its targeting of the US political system through attempts to discourage Americans from voting shows a willingness to use increasingly aggressive rhetoric.”

Real tweet from anti-China group Intrusion Truth next to doctored anti-US version (left)

In sync with the Kremlin?

Dragonbridge was also found to be toeing the Kremlin line on the geopolitical turmoil that has erupted in the wake of the Russia-Ukraine conflict, either promoting or composing stories that claimed the US was responsible for the Nord Stream pipeline failure earlier this month.

“We also observed Dragonbridge accounts promoting the narrative that the US had ‘bombed’ the offshore Nord Stream gas pipelines for its own economic benefit, at the expense of its European and NATO allies,” said Mandiant.

The ‘article’ cited by Mandiant begins with the tagline: “The United States bombed Nord Stream to harvest European wealth. NATO allies have regarded the United States as a thief.”

“The Nord Stream pipelines were built to provide Russian natural gas to the European market via Germany,” said Mandiant. “Accounts claimed that the alleged US sabotage was driven by its desire to replace Russia as Europe’s energy supplier, and that they precluded the possibility of Russian and European reconciliation over energy issues.”

Such a narrative “mirrored” Vladimir Putin’s own statements that Nord Stream had been sabotaged by the US, said Mandiant, adding that Dragonbridge had “previously echoed narratives promoted by Russian state-owned media and influence campaigns.”

Screenshot taken by analyst Mandiant of anti-democratic propaganda attributed to Dragonbridge

Top marks for effort – nil for execution?

“We consider these narratives to be earlier attempts to sow division between the US and its allies and portray the US as an aggressor, acting in its own self-interest,” said Mandiant.

It added that despite all these apparent efforts, Dragonbridge appears to be enjoying little success with its IO – although the social malaise it seeks to play on might be very real and persistent.

“As with Dragonbridge activity we have previously observed, the campaign continues to fail to garner significant engagement by seemingly real individuals, and its effectiveness remains encumbered by poor execution,” said Mandiant.

All of this might lead one to wonder whether the US is its own worst enemy when it comes to generating voter apathy and political disenchantment.