The organizers of a pro-People's Republic of China (PRC) influence campaign called "HaiEnergy" are taking the art of disinformation to new heights, appropriating US news outlets, paying influencers, and more to promote their agenda.
Google Cloud's Mandiant first detailed the campaign a year ago, at which time it had puppeted multiple social media assets and at least 72 “news” websites to push content strategically aligned with the political interests of the PRC. In months since, the campaign has expanded even beyond cyberspace, financing two physical protests in Washington, DC, and even throwing a Times Square billboard into the mix.
Mandiant researchers have named at least two organizations behind the campaign. First there's Shanghai Haixun Technology Co., Ltd (上海海讯社科技有限公司), a PR firm whose thin and error-laden website suggests it is not quite what it seems. Additionally, there's FinancialContent Inc., which specializes in sneaking news stories onto the websites of legitimate publishers.
Despite the large, coordinated effort to push a specific, clear agenda, HaiEnergy has proven remarkably ham-handed and ineffective. "The best way to describe it is: creative," says Ryan Serabian, a Mandiant senior analyst. "Not sophisticated, but very creative."
What Is HaiEnergy?
In its early stages, HaiEnergy consisted of largely conventional methods for disseminating propaganda on the Web. The perpetrators wielded an arsenal of 72 news websites, published worldwide in 11 languages. Claiming to be independent, the websites pushed stories criticizing policies of the US and its allies, supporting the erosion of Hong Kong's electoral system, and tarnishing outspoken opponents of the Chinese Communist Party (CCP). These stories were then amplified by a small number of inauthentic and paid social media accounts.
Since then, the campaign has grown much larger and stranger than that. For example, researchers discovered Shanghai Haixun hiring freelancers on Fiverr.com to promote content consistent with its influence campaign, like a video heralding China's "victory" over COVID-19.
The campaign has also since graduated from cyberspace — for instance, by funding two protests in Washington DC in June and September 2022. In both cases, "two small groups of protesters can be observed demonstrating in Washington, DC, holding placards and chanting slogans intended to highlight US domestic issues, such as racial discrimination and abortion," the researchers explained. The protestors didn't seem too determined to keep up appearances, however, as they also protested the oddly specific issue of an import ban affecting cheap solar industry parts from Xinjiang.
Both protests were amplified by two appropriately vaguely named Haixun-operated newswire outlets, Times Newswire and World Newswire, and spread by inauthentic social media profiles.
In another case of HaiEnergy IRL, an article published to Times Newswire promoted a pro-PRC advertisement apparently displayed in the center of Times Square in New York. "We lack evidence to confirm that the ad was actually placed on the billboard or that it was paid for by the campaign," the researchers cautioned. "However, we note the possibility, given our understanding of the campaign, Haixun's self-promoted strategy of 'LED digital marketing services' specifically referencing ad placement in 'Times Square, New York' and an identified service that sells digital advertisements on the specific billboard featured in the Times Newswire article."
"They're experimenting with new tactics and we can expect them to keep doing this," Serabian warns. "Anytime this stuff crosses over into the physical space, in my opinion, that's a sound for alarm."
HaiEnergy's Invisibility (for Better and for Worse)
The impact of HaiEnergy so far has not been extensive. While that ineffectualness is good news, it also cuts both ways: Its invisibility has afforded its operators time and space to experiment with new tactics.
Consider FinancialContent Inc., a US-registered company that appears to supply stock and financial news data to various websites. As Serabian explains, "FinancialContent appears to establish relationships with these legitimate news outlets by providing stock and news data, but they also happen to be ingesting from two obscure newswire outlets [Times Newswire and World Newswire] being leveraged by this PR firm [Haixun]."
FinancialContent effectively behaves like a Trojan horse, so Haixun news stories "slipped through the cracks," he says, making it onto subdomains belonging to 32 US publishers.
The following image demonstrates one case of a Times Newswire story picked up by AZCentral, an Arizona news website with 6.5 million views per month.
"I think that we need to be vigilant and keep outing these campaigns, no matter how sophisticated or big or small they are," Serabian concludes. "Because when we brought this to the attention of the news outlets, they were not even aware that this was happening on their websites."