Google Exposes GLASSBRIDGE: A Pro-China Influence Network of Fake News Sites

Avatar
Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077. The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said.

Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077.

The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said.

The activity cluster, the company added, overlaps with a threat group that Recorded Future’s Insikt Group is tracking as TAG-100.

Attack chains have involved targeting various internet-facing edge devices using publicly available exploits to gain initial access and drop Cobalt Strike as well as open-source malware such as Pantegana and Spark RAT, the cybersecurity company noted back in July.

“Over the past decade, following numerous government indictments and the public disclosure of threat actors’ activities, tracking and attributing cyber operations originating from China has become increasingly challenging as the attackers adjust their tactics,” Microsoft said.

Storm-2077 is said to orchestrate intelligence-gathering missions using phishing emails to harvest valid credentials associated with eDiscovery applications for follow-on exfiltration of emails, which could contain sensitive information that could enable attackers to advance their operations.

“In other cases, Storm-2077 has been observed gaining access to cloud environments by harvesting credentials from compromised endpoints,” Microsoft said. “Once administrative access was gained, Storm-2077 created their own application with mail read rights.”

The disclosure comes as Google’s Threat Intelligence Group (TAG) shed light on a pro-China influence operation (IO) called GLASSBRIDGE that employs a network of inauthentic news sites and newswire services to amplify narratives that are aligned with the country’s views and political agenda globally.

The tech giant said it has blocked more than a thousand GLASSBRIDGE-operated websites from showing up in its Google News and Google Discover products since 2022.

“These inauthentic news sites are operated by a small number of stand-alone digital PR firms that offer newswire, syndication and marketing services,” TAG researcher Vanessa Molter said. “They pose as independent outlets that republish articles from PRC state media, press releases, and other content likely commissioned by other PR agency clients.”

This includes companies known as Shanghai Haixun Technology (which includes the HaiEnergy cluster), Times Newswire/Shenzhen Haimai Yunxiang Media (aka the PAPERWALL campaign), Shenzhen Bowen Media, and DURINBRIDGE, the last of which is a commercial firm distributing content for Haixun and DRAGONBRIDGE.

Shenzhen Bowen Media, a China-based marketing firm, is also said to operate World Newswire, the same press release service used by Haixun to place pro-Beijing content on the subdomains of legitimate news outlets, as revealed by Google’s Mandiant in July 2023.

Some of the subdomains identified were markets.post-gazette[.]com, markets.buffalonews[.]com, business.ricentral[.]com, business.thepilotnews[.]com, and finance.azcentral[.]com, among others.

“The inauthentic news sites operated by GLASSBRIDGE illustrate how information operations actors have embraced methods beyond social media in an attempt to spread their narratives,” Molter said. “By posing as independent, and often local news outlets, IO actors are able to tailor their content to specific regional audiences and present their narratives as seemingly legitimate news and editorial content.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn

Next Post

Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

Related Posts

New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits

Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new
Avatar
Read More

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [20 January]

As the digital world becomes more complicated, the lines between national security and cybersecurity are starting to fade. Recent cyber sanctions and intelligence moves show a reality where malware and fake news are used as tools in global politics. Every cyberattack now seems to have deeper political consequences. Governments are facing new, unpredictable threats that can't be fought with
Avatar
Read More