Cybersecurity News that Matters

Cybersecurity News that Matters

This content is optimized for desktop web viewing. Please be aware that accessing it on mobile devices may not provide the best experience. We apologize for any inconvenience this may cause and appreciate your understanding.

The Readable

In November of 2023, a joint team comprised of the South Korean intelligence agency and four cybersecurity firms revealed a dark corner of the web that few would have believed existed: an alleged Chinese influence campaign involving more than three dozen fake websites disguised to resemble South Korean news publications.

The National Cyber Security Center (NCSC) cyber threat analysis team traced the origin of these sites to two Chinese marketing firms and one newswire service, discovering that these entities were attempting to spread misleading articles through their media channels. From the names of the publications to the articles they posted, the haphazardly assembled fake websites were intended to blur the line between truth and falsehood, their aim being to deceive readers who stumble upon their front pages into accepting “fake news” as coming from legitimate news organizations.

A month after this initial discovery, a further 28 fake news sites were uncovered by the joint team. As it is near certain that Chinese influence campaigns will continue to be deployed against South Korea into the foreseeable future, The Readable has examined eighteen fake news sites out of “Shenzhen Haimai Yunxiang Media Co., Ltd,” one of the aforementioned Chinese marketing companies, to take a closer look at its efforts to mislead South Korean citizens.

Turning an eye to the blind spot: the local news organizations

On its official website, the Chinese marketing firm boasted that they were in contact with news organizations across the globe, including one in South Korea called the “Chungcheng Times.” According to the joint team, this outlet is a fictional news organization created by the offending company. The Chinese company sought to disguise the site’s true identity and purpose by altering the name attached to it by one character—making it very closely resemble the name of a legitimate outlet operating out of Chungchengbuk-do.
충청타임스
Chungcheng Times
The Chinese company sought to disguise the site’s true identity and purpose by altering the name attached to it by one character—making it very closely resemble the name of a legitimate outlet operating out of Chungchengbuk-do.
인천포커스
Incheon Focus
One of the fake news sites was named “Incheon Focus,”

a title that could be easily mistaken for the legitimate local news outlet,

“Focus Incheon.”
The marketing firm also established a news organization under the Korean name -“Gyeonggido Daily,” which closely resembles legitimate news outlets operating out of Gyeonggi province such as “Gyeonggi Daily,” “Daily Gyeonggi Newspaper,” and “Gyeonggi N Daily.” One of the fake news sites was named “Incheon Focus,” a title that could be easily mistaken for the legitimate local news outlet, “Focus Incheon.” Furthermore, the Chinese marketing company operated two fake news sites with names identical to two separate local news organizations, one of which ceased operations in December 2022.
In total, fifteen out of eighteen Chinese fake news sites incorporated the correct names of real regions in their fake company names. “If the operators had created fake news sites similar to major news organizations based in Seoul, however, the intended deception would have easily been uncovered,” explained Song Tae-eun, an assistant professor in the Department of National Security & Unification Studies at the Korea National Diplomatic Academy, to The Readable. “There is also the possibility that they are using the regional areas as an attempt to form ties with the local community; that being the government, the private sector, and religious communities.”

A spoonful of truth can muddle fake and real

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

The Marine Environment Policy Division is an authentic government organization under the Ministry of Oceans and Fisheries. The Readable reached out to the Ministry and requested the employment status of the quoted official. The Ministry of Oceans and Fisheries confirmed that there is no government official with that name or job title.
According to the initial report, the bogus news sites were posting articles produced by South Korean news outlets without their consent. The Readable accessed all eighteen websites on January 4 and discovered that fifteen websites were still publishing unauthorized articles, including one site that changed its main source of authentic articles to a new source not mentioned in the original report.
“It is possible to gain trust by mixing truth with falsehoods. Once there is some truth inside a piece of information, its credibility increases dramatically. People are more likely to lower their guards,” said Song, who is an expert on disinformation. “The Chinese also incorporate the tactic of posting genuine news produced by credible media outlets alongside fake news and create multiple fake websites, targeting the United States.”
Alongside these articles, the Chinese marketing company posted deceptive content through a newswire service named “TimesNewswire” from January of 2021 to October of 2023. This content, which was forty-two pieces in total, did not reveal the source or identity of the writer, only the user who uploaded the post, a poster going by the name of “Chunqt.” Posted simultaneously on all eighteen websites, most of Chunqt’s content either denounced Japan and the United States or promoted the Chinese government or its culture.
One of the fake articles, published on September 5, 2022, criticized Japan for its decision to discharge treated radioactive water from the Fukushima nuclear plant into the sea and requested the South Korean government to protect its citizens from harmful aftereffects. The unknown writer included the direct statement of an official named “Kim So-geum” who is working at the Marine Environment Policy Division, who explained that it is difficult to fathom the seriousness of the case as the related research is still ongoing.
The Marine Environment Policy Division is an authentic government organization under the Ministry of Oceans and Fisheries. The Readable reached out to the Ministry and requested the employment status of the quoted official. The Ministry of Oceans and Fisheries confirmed that there is no government official with that name or job title.

“From the perspective of strategic communication, a propaganda campaign can be classified into three different types: the black, the white, and the grey,” explained Yun Min-woo, a professor at the Department of Police Science & Security Studies at Gachon University. “This can be regarded as grey propaganda, which is in the middle of the black and white. It is where fabricators mix fact and falsehoods in their messages.”

Yun added that the impact of such influence campaigns could be immense as they can create fear in its target audience. “What is important is the fact that bad actors could include information that enhances the belief of the readers,” said Yun. “In the case of the article, the deception could occur merely by failing to differentiate between “treated radioactive water” and “radioactive water.” The latter suggests that radioactive water—which by implication is highly dangerous—could be discharged into the sea without treatment, which was not the case in reality.”

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.

“From the perspective of strategic communication, a propaganda campaign can be classified into three different types: the black, the white, and the grey,” explained Yun Min-woo, a professor at the Department of Police Science & Security Studies at Gachon University. “This can be regarded as grey propaganda, which is in the middle of the black and white. It is where fabricators mix fact and falsehoods in their messages.”

A layer of prejudice as a defense mechanism against influence campaigns

The Readable tried to access all eighteen bogus news websites online. Only one, however, was accessible using Naver, the most prominent online search engine preferred by South Korean citizens to access news articles. Nine out of the eighteen bogus sites were accessible using Google.
The Korea Communications Standards Commission (KCSC), which reviews malicious information uploaded online and has the authority to block access to illegal content after internal deliberation, said to The Readable in an email statement on January 17 that they were aware of the problems and are in the process of deliberating the matter with the appropriate authorities.
The National Intelligence Service (NIS) said to The Readable on January 19 that they are working with relevant authorities such as the Ministry of Culture, Sports and Tourism (MCST), and the KCSC to block the fake news sites.
Although the true purpose of these activities has not yet been discerned, experts warn that Chinese propaganda will continue to target South Korean citizens. “People with a sharp eye might be able to distinguish the roughly crafted fake news sites from authentic media outlets,” said Song. “However, we also have to consider the possibility of a third party, for example, a politician or an academic, employing the accusation of “fake news” to mislead the South Korean public for his or her own personal gain.”
Ryu So-jun, a leader of the threat analysis team of the South Korean cybersecurity firm S2W, which participated in the joint cyber threat analysis team, explained that these influence campaigns could carry on their activities, as fake news sites are constantly being discovered. “We do not regard these websites as dangerous as they lack sophistication. However, we evaluate them as being potentially dangerous, as there is no way of knowing how these fledgling sites might evolve moving forward into the future,” said Ryu.
Yun stressed the importance of disseminating the facts related to Chinese influence campaigns as a countermeasure. “Normally the word ‘prejudice’ or ‘bias’ is used in a negative context. However, in the case of propaganda campaigns, this could accomplish the opposite by giving ordinary people an advantage,” explained Yun. “As people know more about how China is trying to carry out influence operations against South Korea, this could create a prejudice in readers, a filter in each person’s mind able to act as a self-defense shield against possible future interference.”

Chinese marketing firm created fake news sites targeting 30 countries, researchers reveal

Date

Depending on the current status of the system, loading can be slow.



A digital watchdog group uncovered a vast network of at least 123 fake news sites on Wednesday, originating in China and spread across 30 countries, designed to promote pro-Beijing propaganda while undermining criticisms of the Chinese government. This revelation showed that the Chinese influence operation extended well beyond the South Korean border, where similar fake websites were identified last year.
In their latest report, Citizen Lab researchers disclosed an extensive influence operation named PAPERWALL, orchestrated by China, targeting nations across Asia, Europe, and Latin America. The operation first set its sights on Japan, where it established nine fake news sites in July 2020. Subsequently, it expanded into South Korea, France, the United Kingdom, Ireland, and Italy between 2020 and 2021, thereby including these countries among its targets. By the end of last year, the operation had extended its reach to a total of 30 countries.
Among the 123 fake news sites identified, South Korea emerged as the most targeted country, with 17 websites dedicated to spreading misinformation about it. It was closely followed by two of its neighbors: Japan and Russia. The researchers omitted one website from their count that had been included in a report by South Korea’s National Cyber Security Center in November of the previous year, which had identified a total of 18 bogus websites. This exclusion was due to its association with another fake news site named “wdpp.org,” which is one of the first registered fake websites alongside “updatednews.info,” created in 2020 and 2019 respectively.

Alberto Fittarelli, a senior researcher and the disinformation research lead at Citizen Lab, provided insight into the targeting of these three countries in an email statement. He mentioned, “We can’t be certain of the reason,” but highlighted that at least two South Korean companies seemed to have the ability to publish content on the PAPERWALL network of websites. This suggests that the motivations behind the focus on these countries could be primarily commercial.

The Citizen Lab, a cybersecurity research and internet watchdog group based at the University of Toronto, focuses on investigating advanced digital threats against civilians, including the malicious use of surveillance tools. The group began tracking the activities of Chinese influence operators after their operations were publicly exposed in October 2023 by the Italian news organization, Il Foglio. Delving deeper into the investigation, Citizen Lab, alongside the South Korean intelligence agency and its private partners, not only uncovered and exposed the fake news sites, but they also directly attributed disinformation campaigns to a Chinese marketing firm, “Shenzhen Haimai Yunxiang Media Co., Ltd.”

Mirroring the approach used with South Korean fake news sites, the fraudulent news outlets attempted to deceive readers by masquerading as legitimate local news organizations within the target countries. The operators republished articles from genuine local media, cleverly naming the fake news sites with words and regions relevant to the local language, such as incorporating “Eiffel” for a fake French website and “Napoli” for an Italian one. This strategy aimed to lend an air of credibility to these deceptive platforms.

Concealed within a broad mix of benign content, such as commercial press releases, the operators embedded malicious articles. These writings commended the Chinese government and aimed to tarnish the professional and personal reputations of individuals viewed by the regime as hostile to Beijing. The researchers particularly pointed out a targeted campaign against Chinese virologist Li-Meng Yan, who had proposed theories linking the origin of the coronavirus to a laboratory in China—a claim widely dismissed by the international scientific community. Despite the controversy, the operators circulated an article titled “Yan Limeng is a complete rumor maker” across every accessible fake website in December of the previous year.
Between February 20 and 23, The Readable conducted a review of 123 fake news sites and managed to access 121 of them, including three sites that were previously inaccessible. The researchers categorized four sites as “undetermined” due to them being offline, a characteristic tactic of the operators who periodically make these fake sites available. With the addition of the three websites, which are strongly suspected to target Brazil, Mexico, and Turkmenistan, The Readable discovered that derogatory articles were present on all but six of the sites reviewed. 
Additionally, they disseminated misleading content with conspiratorial narratives, including claims that the United States conducted biological experiments on populations in Southeast Asia. This tactic of mixing harmful content with benign news was clearly intended to subtly influence readers’ perceptions.
The deceptive content was predominantly sourced from a news wire service called “Times Newswire,” along with promotional materials. The researchers highlighted the unusual relationship between the fake news sites and this news wire service as “one of the most peculiar traits of the campaign.” The Citizen Lab remarked in their report, “While there is certainly no definitive playbook on how online influence operations are conducted, it is uncommon for a network of coordinated websites to consistently use content from a single publicly available but equally covert source.”

The digital watchdog group assessed that the impact of the Chinese influence operation has been “negligible so far,” with the fake news sites attracting limited reader and social media engagement. Additionally, much of the malicious content was produced in English, posing comprehension challenges for those who primarily speak their native languages, thereby limiting the content’s reach and penetration. However, the group warned of potentially severe consequences should this misleading content be amplified by legitimate local media outlets or political figures.

Fittarelli, with over 15 years of experience in technology companies, notably Meta, and specializing in investigating influence operations, suggested that Haimai’s operation likely serves multiple objectives. “One purpose is commercial – distributing press releases for paying customers on what appears to be international media, despite these outlets being fictional,” he explained. Fittarelli further indicated the possibility of the Chinese government being among the clients, as evidenced by the inclusion of anonymous pro-Beijing disinformation and harassment articles within the “press release” sections of the websites.

The report highlighted the growing trend of the disinformation-for-hire industry, which refers to private companies offering information operations as a service to clients, and which are increasingly operating to the benefit of the Chinese government. The senior researcher noted, “[Disinformation-for-hire] benefits any actor that purchases such services, (…) and it is increasingly viewed as being favored by, and likely requested by, governments.” They further speculated, based on an educated guess, that PAPERWALL will not be the last operation of its kind. The rationale behind this prediction is the relatively low cost of executing such tactics and the potentially high rewards when these operations succeed.

The report highlighted the growing trend of the disinformation-for-hire industry, which refers to private companies offering information operations as a service to clients, and which are increasingly operating to the benefit of the Chinese government. The senior researcher noted, “[Disinformation-for-hire] benefits any actor that purchases such services, (…) and it is increasingly viewed as being favored by, and likely requested by, governments.” They further speculated, based on an educated guess, that

What makes this article different from the others

1.
The Readable looked into the titles of all eighteen fabricated news websites and compared them to local news organizations. The Readable learned that two of the fake news sites have a close resemblance to legitimate news outlets. We also discovered two websites that falsely bear the name of two genuine South Korean news publications.

2.
The Readable contacted Song Tae-eun, an assistant professor at the Department of National Security & Unification Studies at the Korea National Diplomatic Academy, who is an expert on disinformation, and included her insights on possible reasons why the Chinese fake news operators were seeking to impersonate South Korean news media outlets.

3.
The Readable accessed all eighteen bogus news sites and looked into the changes after the publication of the report from the National Cyber Security Center (NCSC) cyber threat analysis team in November of last year. The Readable included news on the latest changes, such as whether the sites have continued to upload articles produced by credible South Korean news organizations.

4.
The Readable analyzed the forty-two pieces of malicious content listed on the initial report from the joint analysis team and discovered that the operators cited a nonexistent government official working at the Ministry of Oceans and Fisheries. The Readable reached out to the Ministry and received confirmation that no such person was employed by the Ministry.

5.
The Readable contacted Yun Min-woo, a professor at the Department of Police Science & Security Studies at Gachon University and included his insights on the characteristics of the Chinese influence campaign and its impact on South Korean citizens.

6.
The Readable tried to access all eighteen fake websites using Naver and Google and included the number of websites able to be accessed using these online search engines in the article.

7.
The Readable included the comment received from the Korea Communications Standards Commission (KCSC) and the National Intelligence Service (NIS) related to their efforts to block fraudulent websites.

8.
The Readable managed to access three of the four websites that had been classified as “undetermined” in the Citizen Lab’s report, indicating they were previously inaccessible due to the operators’ practice of making these fake sites available only intermittently. Based on the language used and the origins of articles posted on these fake news sites, The Readable inferred that each of the three websites was targeting Brazil, Mexico, and Turkmenistan, respectively.

9.
The Readable attempted to visit all 123 fake websites identified in the Citizen Lab’s report, published on February 7, and succeeded in accessing 121 of them from February 20 to 23. During this review, The Readable found that the derogatory article in question was posted on 117 of these websites.

10.
The Readable dedicated a total of 130 hours from January to February to the publication of three articles and two interactive features on the Chinese influence campaign involving fake news sites.

From January 3 to 5, The Readable spent 15 hours analyzing 18 bogus South Korean news sites, which were identified by the National Cyber Security Center (NCSC) cyber threat analysis team in November of the previous year.

 

From January 8 to 12, The Readable invested 35 hours in examining all the fake websites and the 42 instances of malicious content hosted on these platforms, as confirmed by the NCSC cyber threat analysis team. The team also contacted government officials and South Korean experts, culminating in the publication of an in-depth article titled “A glimpse inside a Chinese influence campaign: How bogus news websites blur the line between true and false.”

 

From January 17 to 19, The Readable dedicated 12 hours to gathering feedback from the Korea Communications Standards Commission (KCSC) and the National Intelligence Service (NIS), incorporating their comments into the original report.

 

Over January 23 and 24, The Readable spent 14 hours crafting an opinion piece reflecting on the experience of covering the 18 fake news sites, titled “[Perspective] Preparing for the best and the worst in the face of the Chinese influence campaign.”

 

On February 1 and 2, The Readable allocated 10 hours to analyze an embargoed report from Citizen Lab, revealing that a Chinese marketing firm was behind the creation of fake websites across 30 countries. The team collaborated with the internet watchdog group to produce the article based on this report.

 

From February 5 to 6, The Readable devoted 18 hours to comparing the Citizen Lab report with findings from the South Korean threat intelligence team. This comprehensive analysis led to the publication of an article titled “Chinese marketing firm created fake news sites targeting 30 countries, researchers reveal.”

 

On February 15 and 16, The Readable spent 6 hours gathering examples of interactive news articles and held a meeting to discuss the creation of the first interactive article for The Readable.

 

From February 20 to 26, The Readable dedicated 20 hours to accessing all 123 fake websites identified by Citizen Lab. During this process, the team collaborated with the internet watchdog to incorporate new findings into the original report.

The Readable.

Subscription

Subscribe to our newsletter for the latest insights and trends. Tailor your subscription to fit your interests:

By subscribing, you agree to our Privacy Policy. We respect your privacy and are committed to protecting your personal data. Your email address will only be used to send you the information you have requested, and you can unsubscribe at any time through the link provided in our emails.

Stay Ahead with The Readable's Cybersecurity Insights