PAPERWALL: Chinese Websites Posing as Local News Outlets Target Global Audiences with Pro-Beijing Content – The Citizen Lab

Key Findings

• A network of at least 123 websites operated from within the People’s Republic of China while posing as local news outlets in 30 countries across Europe, Asia, and Latin America, disseminates pro-Beijing disinformation and ad hominem attacks within much larger volumes of commercial press releases. We name this campaign PAPERWALL.
• PAPERWALL has similarities with HaiEnergy, an influence operation first reported on in 2022 by the cybersecurity company Mandiant. However, we assess PAPERWALL to be a distinct campaign with different operators and unique techniques, tactics and procedures.
• PAPERWALL draws significant portions of its content from Times Newswire, a newswire service that was previously linked to HaiEnergy. We found evidence that Times Newswire regularly seeds pro-Beijing political content, including ad hominem attacks, by concealing it within large amounts of seemingly benign commercial content.
• A central feature of PAPERWALL, observed across the network of websites, is the ephemeral nature of its most aggressive components, whereby articles attacking Beijing’s critics are routinely removed from these websites some time after they are published.
• We attribute the PAPERWALL campaign to Shenzhen Haimaiyunxiang Media Co., Ltd., aka Haimai, a PR firm in China based on digital infrastructure linkages between the firm’s official website and the network.
• While the campaign’s websites enjoyed negligible exposure to date, there is a heightened risk of inadvertent amplification by the local media and target audiences, as a result of the quick multiplication of these websites and their adaptiveness to local languages and content.
• These findings confirm the increasingly important role private firms play in the realm of digital influence operations and the propensity of the Chinese government to make use of them.

Why Exposing this Type of Campaign Matters

Beijing is increasing its aggressive activities in the spheres of influence operations (IOs), both online and offline. In the online realm, relevant to the findings in this report, Chinese IOs are shifting their tactics and increasing their volume of activity. For example, in November 2023 Meta – owner of the social media platforms Facebook, Instagram, and WhatsApp – announced the removal of five networks engaging in “coordinated inauthentic behavior” (i.e. influence operations) and targeting foreign audiences. Meta noted it as a marked increase in IO activity by China, stating that “for comparison, between 2017 and November 2020, we took down two CIB networks from China, and both mainly focused on the Asia-Pacific region. This represents the most notable change in the threat landscape, when compared with the 2020 [US] election cycle.”

Seeding ad hominem attacks on Beijing’s critics can result in particularly harmful consequences for the targeted individuals, especially when, as in PAPERWALL’s case, it happens within much larger amounts of ostensibly benign news or promotional content that lends credibility to and expands the reach of the attacks. The consequences to these individuals can include, but are not limited to, their delegitimization in the country that hosts them; the loss of professional opportunities; and even verbal or physical harassment and intimidation by communities sympathetic to the Chinese government’s agenda.

This report adds yet more evidence, to what has been reported by other researchers, of the increasingly important role played by private firms in the management of digital IOs on behalf of the Chinese government. For example, an October 2023 blog post by the RAND corporation summarized recent public findings on this issue, and advocated for the disruption of the disinformation-for-hire industry through the use of sanctions or other available legal and policy means.

It should be noted that disinformation-for-hire companies, driven by revenue, not ideology, tend not to be discerning about the motivations of their clients. As major recent press investigations have shown, both their origin and their client base can truly be global. Exposing this actor type, and its tactics, can help understand how governments seek plausible deniability through the hiring of corporate proxies. It can also refocus research on the latter, increasing deterrence by exposing their actions.

Background

On October 25, 2023, the Italian newspaper Il Foglio published an article, summarized in English here, that exposed a small network of six websites posing as news outlets for Italian audiences that did not correspond to any real newsrooms in Italy. Il Foglio’s investigation confirmed that the websites were not registered as news outlets in the national registry, as legally required for any information organization operating within the country.

The identified domains used a specific naming convention: the name of an Italian city in the local spelling (i.e. “Roma”, or “Milano”), followed by mundane terms (for example, “moda”, meaning fashion; “money”; or “journal”). The websites hosted on those domains were all similar in structure, layout, and content, with generic political, crime, and entertainment articles interspersed with a relatively high amount of news related to China, or even directly derived from Chinese news organizations.

Il Foglio claimed that the network was being operated from China, and possibly by the Chinese government, based on content analysis and on the six domains resolving to an unspecified IP address owned by Tencent Computer Systems Inc., a major Chinese corporation. The Italian newspaper also hinted at the possible existence of a broader set of websites linked to the six presented, without publicly disclosing further information.

On November 13, 2023, the South Korean National Cyber Security Center (NCSC), a governmental agency, also published a report exposing eighteen Korean-language websites posing as local news outlets. The report attributed these sites to a Chinese PR firm called Haimai, based on the firm itself advertising the opportunity for its clients to publish press releases on these same sites. These websites presented strong similarities with the six Italian-language ones exposed by Il Foglio, from their technical structure to the modus operandi utilized.

We set out to research the whole network, with the objective of discovering additional websites, their tactics, targeting, and impact; and of verifying the attribution of the activity to its operators.

An Extensive Network of Websites

The Initial Set

Based on DNS infrastructure overlaps, we were able to expand the network identified by Il Foglio to an initial total of 74 domains. The majority of the domains could be identified through a relatively small set of three IP addresses they resolved to.

The number of domains hosted on these IP addresses is relatively low: they featured a total of less than 100 domain resolutions, while theoretically, each could have hosted thousands of domains. This could indicate that the IPs are only linked to one operator, rather than multiple clients of the provider.

We started from the following six domains, identified in the original news article:

Table 1: List of 6 domains hosting Italian-language websites as identified by Il Foglio

Based on Passive DNS resolution data made available by RiskIQ, we found that the above domains resolved, during the last two years, to at least one of the following three IP addresses:

Table 2: List of IP addresses to which the 6 domains resolved since 2021

We found other domains that had pointed to at least one of those three IP addresses since April 2018, obtaining the following list of 74 domains:

We verified that — with only four exceptions, highlighted in table 3 — the domains hosted websites posing as news outlets in several countries. The four highlighted exceptions resolved to one or more of the three examined IP addresses before or after the rest of the network was present on them, making their affiliation to PAPERWALL questionable. Additionally, many of them appeared to utilize the naming convention identified for the Italian-language domains (city name, followed by a generic term).

The Broader Network

By replicating the same process on the websites highlighted in the NCSC report, we were able to identify additional domains, and confirm them as fully matching the PAPERWALL signature features.

These include:

The websites’ structure

All of them were built on WordPress, and utilized a (highly popular) page builder plugin – WPBakery – for their setup.

The domains’ infrastructure

As spotted by Il Foglio, the current hosting infrastructure for the six Italian-language domains linked back to Tencent, a Chinese-based company. In fact, the relevant service being utilized is Tencent Cloud; and we could verify that all the currently active domains were being hosted on a Tencent Cloud IP address.

• It is important however to note that this is something that any private customer can request, provided that certain requirements given by the host provider are satisfied.
• We confirmed in the Tencent Cloud service documentation that the requirements imposed by the company are minimal: the identity of the individual or company subscribing to the service, a mobile phone number (to be verified through a security code sent via SMS), and a credit or debit card.
• This effectively means that any private or corporate subscriber operating the network of websites could have pointed their domains to a Tencent IP address by subscribing to their Cloud service.

The WordPress users

We analyzed the usernames utilized to post content on the PAPERWALL websites through a technique called user enumeration. This technique revealed that the whole network shared a small number of content author names, visible in the table below.

Table 4: WordPress usernames identified as used on the PAPERWALL websites

The content

All of the identified websites had almost identical homepage menus, typically including (translated in the target language): Politics, Economy, Culture, Current Affairs, and Sport. The actual content being posted was a mix of scraped and reposted content from local media in the targeted country; press releases; and occasional Chinese state media articles, or anonymous disinformation content. The content could typically be observed as being simultaneously cross-posted across several of the websites at once. We analyze the content in more detail later in this report.

As of December 21, 2023, we were able to identify a total of 123 domains, almost all of which are hosting websites posing as news outlets. A full list of these domains is available in the Appendix.

Target Audiences

Based on the language utilized, as well as on the sourcing of the local news content reposted by PAPERWALL websites – an aspect that we will also describe in more detail later in this report – we observed the network as mimicking local news outlets in 30 different countries, as shown in the map below. A full list of the target countries, with the number of websites addressing each, is available in the Appendix.

To appear as legitimate local news outlets, PAPERWALL websites typically utilized local references as part of their names. For example, “Eiffel” or “Provence” for French-language websites; “Viking” for the Norwegian one; or city names, commonly used for Italian and Spanish websites.

A broader look at the domains’ registration timeline shows how the websites were set up in waves, one target country (or region) at a time. In July 2019, updatenews[.]info became the first PAPERWALL domain to be registered. However, due to registration data patterns and archived captures on the Wayback Machine, we can only establish affiliation with PAPERWALL beginning May 2020. The hosted website primarily published news relevant to American readers.

Meanwhile, in April 2020, the domain wdpp[.]org (presumably abbreviated for “World Development Press”) was registered. The website located on a Tencent IP address, which is also linked to updatenews[.]info and 16 other PAPERWALL domains, will be critical to our attribution.

In July 2020, we saw the first group registrations. That month, nine domains were registered, with each hosting a website aimed at Japanese audiences. One of them, fujiyamatimes[.]com, has a footer linking it to “Updatenews”.

The waves immediately following target Korean and again Japanese audiences; beginning in February 2021, the focus moved on to European countries, then in early 2023 to Latin American ones. A summary of the registration waves is shown in the chart below.

The Content

Political Content: Targeted Attacks and Disinformation

Hidden within much larger amounts of generic content, a smaller portion published by the PAPERWALL network is of a political nature. The following sections break down content types and main features.

Targeted Attacks

A common type of politically-themed content includes ad hominem attacks, usually kept in English irrespective of the target audience, on figures perceived by Beijing as hostile. For example, an article titled “Yan Limeng is a complete rumor maker” could be found on every active PAPERWALL website as of December 2023. This article contains a direct attack on Li-Meng Yan, a Chinese virologist who alleges that the COVID-19 virus originated from a Chinese government laboratory. While her theories have been widely dismissed by the global scientific community, the attacks on her by PAPERWALL were unsubstantiated, aimed at her personal and professional reputation, and completely anonymous.

Targeted attacks conducted through PAPERWALL can also take the form of false public pressure campaigns. To continue with the example of Li-Meng Yan, we can observe an attempt at blocking her appointment to an alleged academic role at the Perelman Medical School of the University of Pennsylvania that was circulated by the network in October 2023.

This article echoes others that circulated outside of the PAPERWALL network on websites that cannot be confirmed as part of the same network, as well as on blogging platforms. For example:

• “The Perelman School Of Medicine Should Expel Yan Limeng”, published on 16 October 2023 by theinscribermag[.]com. A review of the other articles posted by the same author, “Dawn Wells”, reveals more targeted attacks on political figures, for example the President of Taiwan, Tsai Ing-wen.
• “Reject Yan Limeng for Perelman Medical College”, published on prlog[.]org, a distinct but equally anonymous press release publishing platform, on 6 March 2022.
• “This is Yan Limeng was hired as a Perelman School” (sic), published on 21 June 2023 on medium.com, an open blogging platform.
• “#汉奸闫丽梦#闫丽梦Maintain campus cleanliness Reject Yan Limon for Perelman Medical College”, published on 14 December 2023, also on medium.com.

This suggests that PAPERWALL is used as an amplifier for campaigns targeting specific individuals and anonymously employing an array of additional online platforms to maximize their attacks.

Conspiracy Theories

A second type of politically themed content present within the PAPERWALL network of websites is conspiracy theories, typically aimed at the image of the United States, or its allies. Claims could include, for example, allegations of the US conducting biological experiments on the local population in South-East Asian countries.

Chinese State Media

A final category of political content disseminated by PAPERWALL often takes the form of verbatim reposts of content from Chinese state media, such as CGTN or the Global Times. Also, in this case, the content usually remains untranslated from English. An example of this scenario is shown in figure 10.

Scraping of Local Mainstream Media

One of the most evident tactics PAPERWALL employs to disguise its websites as local news outlets is to regularly republish content, verbatim, from legitimate online sources in the target country. Below is an example extracted from the French-language website eiffelpost[.]com:

Each PAPERWALL website has large volumes of content published on a daily basis. For example, we could list a total of 5200 individual URLs published on the website londonclup[.]com, registered in May 2021, by November 10, 2023. A volume of this magnitude points to the possibility that the process was automated. The images in the reposted articles are usually kept as hosted directly on the source website: in the example above, that is https://www.leparisien.fr/.

Commercial Content

Press Releases

Mixed with the copy/pasted news content, the PAPERWALL websites typically publish press releases of a commercial nature. These press releases are often posted either in an explicit “Press Release” section or directly on the homepage. A peculiarity of the press release content is that it is usually not translated in the target language, but remains in the original one – which, for the most part, is English.

Cryptocurrencies

A substantial portion of the press release content is specifically dedicated to cryptocurrency topics. This is consistent with the sourcing of press releases from Times Newswire – which we will analyze in the next section – where cryptocurrency topics are among the most common.

Content Sourcing

In order to better understand the nature and proportion of the sourcing of content by PAPERWALL, we utilized the backlinks analysis platform provided by AHREFS. Backlinks are links created when one website links to another.

1. We extracted all the domains that PAPERWALL backlinked to – therefore including those hosting content published by PAPERWALL – as of November 30, 2023.
2. We sorted them by the amount of total backlinking PAPERWALL domains, in descending order.
3. We then manually reviewed and categorized the backlinked domains. The top 25 ones are visible in figure 15.

The results show:

• A top layer of social media domains, which is unsurprising – individual press releases will typically contain links to the client company’s social media profiles;
• A set of cryptocurrency websites, which – once reviewed individually – are confirmed as the subject of multiple press releases each. Also, two non-crypto private corporations, likely benefiting from the paid press release services that PAPERWALL appears to host;
• Two Chinese state media websites (CGTN and Global Times), backlinked to by almost 100 domains each;
• Finally, but crucially, approximately 100 domains backlinked to Times Newswire, a supposed newswire service.

Times Newswire

Links to PAPERWALL

The consistent connection between PAPERWALL and Times Newswire is one of the most peculiar traits of the campaign. While there is certainly no definitive playbook on how online influence operations are conducted, it is uncommon for a network of coordinated websites to regularly draw content from a single publicly available but equally covert source. For example, as seen in other known disinformation campaigns, a typical tactic would be to create copycat domains, mimicking real news sources without revealing where the content was first published. This characteristic makes it possible to analyze the distribution and type of the content and renders the source website a central component of the campaign.

As of November 30, 2023, the alleged newswire service was backlinked to by 98 distinct PAPERWALL domains, out of the total 123. We assess that the vast majority of the backlinks in question consist of content directly hosted on the Times Newswire website, and reposted by the PAPERWALL network, as seen in a previous example.

Times Newswire is a known entity in the context of influence operations: it was first reported about in 2023 by Mandiant, a Google-owned cybersecurity company. Mandiant observed Times Newswire’s hosted content disseminated through a network of subdomains for legitimate US-based news outlets in the context of an influence campaign that the company dubbed as HaiEnergy.

Mandiant had attributed HaiEnergy to a Chinese PR firm called Haixun, previously identified in their original 2022 report; however, in their 2023 report the cybersecurity firm stated: “we currently lack technical evidence to suggest an underlying connection between Haixun and […] Times Newswire, […] and thus currently view them as distinct entities.” In fact, timesnewswire[.]com is – like the PAPERWALL websites – a fully anonymous asset.

It should be noted that – unlike the PAPERWALL websites – timesnewswire[.]com offers a “Submit Post” button, hinting at the possibility for registered users to publish content directly to the website. However, once clicked, the button leads to a login page, with no registration module being displayed. The registration of users therefore appears not to happen through the website, and is probably controlled and individually approved by the website’s operators separately.

Similarly to what was stated by Mandiant for the HaiEnergy campaign, we cannot currently attribute Times Newswire to the same operators as PAPERWALL. There are however at least two significant similarities between the newswire and the PAPERWALL network:

The hosting IP address is also a Tencent one, and on the same AS number (132203) as the PAPERWALL domains. An Autonomous System (AS) number is a collection of IP addresses “under the control of one or more network operators on behalf of a single administrative entity or domain.”

Times Newswire also uses a simple WordPress template as its main structure. Additionally, it utilizes the same page builder plugin (WPBakery) used by PAPERWALL.

Being central to at least two distinct operations – PAPERWALL and HaiEnergy – Times Newswire could however be an independent asset, simultaneously exploited by multiple influence operations.

Ephemerality

We were able to identify examples of politically-themed articles that were routinely deleted from Times Newswire. For example, we observed ad hominem attack posts on figures in direct conflict with Beijing’s positions that were later removed from the website.

This behavior suggests that ephemeral seeding is the intention for most content of that type which is deleted from the source website (Times Newswire) at an unspecified time after its initial publication. As noted in previous research, ephemeral disinformation is designed to elude detection. With the evidence disappearing from the source websites not long after having been published, investigators may be unable to make the necessary connections to detect an influence operation or correctly identify the reach and depth of the operation. At the same time, the seeded message could be picked up and amplified by mainstream or social media, making the narrative stay even if the original source had been removed.

In the case of PAPERWALL however, as we discuss in more detail in the Conclusions section, we currently have no evidence that this has ever happened.

As a final note on the operational tactics utilized by Times Newswire and, as a consequence, by PAPERWALL, we note that the articles targeting Li Hongzhi, as well as others of a political nature that we could observe, were all categorized as “press releases” on the website, similarly to the thousands of actual promotional posts it published. It is however highly unusual for press releases to include content of this kind. We judge this as another tactic designed to make the political narratives hard to detect without diminishing their potential impact.

Attribution: Haimai

We attribute PAPERWALL to a PR firm based in China, Shenzhen Haimaiyunxiang Media Co., Ltd., or “Haimai.”

Haimai was first exposed by the Korean NCSC in their investigation on 18 Korean-focused PAPERWALL websites as being responsible for operating them. However, based on the evidence presented in the NCSC report, that assessment appeared to be primarily based on Haimai itself advertising the paid placement of promotional articles on Times Newswire, and as a consequence, on the PAPERWALL network of websites.

We do not consider this criterion as sufficient for a conclusive attribution. In fact, during our research we could identify at least three other PR and marketing companies advertising the sale of promotional packages to be placed directly on PAPERWALL websites. They include:

• A South Korean firm named Excelsior Partners, which on Kmong (a Korean service marketplace, hosting the advertisement of specialized services by freelancers, or agencies) advertised the sale of language-specific promotional packages. Each of the packages exclusively listed PAPERWALL domains as the “major local media” on which paid editorial content could be placed.
• A second Korean company called AN&ON, which advertised country-specific promotional packages on its own website in a similar way to Excelsior Partners. The domains listed were, also in this case, PAPERWALL ones.
• A Chinese company, called Coin Blog, also known as BIBK, equally selling paid editorial content placement on several confirmed PAPERWALL domains.

However, we could identify digital infrastructure linkages between Haimai and PAPERWALL. Specifically, the two earliest registered PAPERWALL domains, updatenews[.]info and wdpp[.]org, hosted a Google AdSense ID linking them to Haimai’s official website, hmedium[.]com, and to a second website directly related to it. AdSense IDs are unique identifiers for a website operator’s AdSense account.

This is therefore an incriminating finding, proving that both PAPERWALL domains had been set up by the same operators as the Haimai assets.

A review of the source code for updatenews[.]info and wdpp[.]org revealed the presence on both websites of the Google AdSense ID ca-pub-5378976189690174.

After conducting a reverse search on this AdSense ID, we could find it on two additional websites: hmedium[.]com and sun-sem[.]com. The former is Haimai’s official website, as reported also by the Korean NCSC; the latter appears to be a secondary website directly connected to hmedium[.]com: it uses the same splash image and text on its homepage, and offers similar promotional services on foreign media.

Haimai, short for Shenzhen Haimaiyunxiang Media Co., Ltd. (深圳市海卖云享传媒有限公司), is a Shenzhen-based PR and marketing firm, ostensibly established in 2019, according to publicly available records. On its website, the company advertises the sale of promotional placement services in multiple countries and languages.

Conclusions

PAPERWALL is a large, and fast growing, network of anonymous websites posing as local news outlets while pushing both commercial and political content aligned with Beijing’s views to a variety of European, Asian, and Latin American audiences.

The campaign is an example of a sprawling influence operation serving both financial and political interests, and in alignment with Beijing’s political agenda. By observing the minimal traffic towards the network’s websites that is measurable through open source tools2, and the lack of visible mainstream media coverage (including on news aggregators, such as for example Google News) or social media amplification, we can assess the impact of the campaign as negligible so far.

This assessment, however, as well as the large amount of seemingly benign commercial content wrapping the aggressively political one within the PAPERWALL network, should not be taken to indicate that such a campaign is harmless. Seeding pieces of disinformation and targeted attacks within much larger quantities of irrelevant or even unpopular content is a known modus operandi in the context of influence operations, which can eventually pay enormous dividends once one of those fragments is eventually picked up and legitimized by mainstream press or political figures.

Finally, the role and prominence of private firms in creating and managing influence operations is hardly news. However, since the early days of research in this space, the disinformation-for-hire industry has boomed, leading to findings and disruptions in countries around the world (for a few examples, in Myanmar, Brazil, the UAE, Egypt and Saudi Arabia). China – previously exposed for having resorted to this proxy category in large influence operations, including the cited HaiEnergy – is now increasingly benefiting from this operating model, which maintains a thin veil of plausible deniability, while ensuring a broad dissemination of the political messaging. It is safe to assume that PAPERWALL will not be the last example of a partnership between private sector and government in the context of Chinese influence operations.

Acknowledgments

Special thanks to Jakub Dałek for his research support. Thanks to John Scott-Railton, Emma Lyon, Pellaeon Lin, Siena Anstis, and Céline Bauwens for their peer review and assistance. We would like to thank Melissa Chan for helpful recommendations. Research for this project was supervised by Ron Deibert.

Appendix

Confirmed Domains

Targeted Countries

High-Confidence Host IP Addresses

PAPERWALL Domains

Times Newswire

Source: https://citizenlab.ca/2024/02/paperwall-chinese-websites-posing-as-local-news-outlets-with-pro-beijing-content/

Views: 1