Full Report
Today we are sharing updated insights about DRAGONBRIDGE, the most prolific IO actor Google’s Threat Analysis Group (TAG) tracks.
Analysis Summary
# Threat Actor: DRAGONBRIDGE
## Attribution & Identity
- **Attribution:** PRC-linked (People's Republic of China) influence operator.
- **Aliases:** "Spamouflage Dragon" (Graphika's designation for the same network)
- **Associated Groups:** None named in the source. Google's Threat Analysis Group (TAG) describes DRAGONBRIDGE as the most prolific Influence Operation (IO) actor it tracks, with activity observed across multiple platforms including YouTube, Blogger, and X (formerly Twitter).
## Activity Summary
DRAGONBRIDGE is characterized by prolific, high-volume content generation across multiple social media platforms. Most of the output is low-quality spam; a small fraction carries pro-PRC geopolitical narratives.
- **Recent Activity:** In 2023, Google disrupted over 65,000 instances of activity; Q1 2024 saw over 10,000 instances disrupted, totaling over 175,000 disruptions lifetime.
- **Campaign Focus:** Leans into US social wedge issues, Taiwan politics, and major global news events (e.g., Israel-Hamas war).
- **Taiwan Election Campaign (Jan 2024):** Surged thousands of videos and comments promoting pro-unification narratives and criticizing outgoing President Tsai Ing-wen, including calls to action against the Democratic Progressive Party. Videos featured synthetic audio, avatars, and text showing signs of machine translation.
- **US Focus:** Actively spreading narratives highlighting US political divisions, monitored for shifts related to the US presidential election.
- **Mandiant Observations:** Noted more nuanced tactics on non-Google platforms, including inauthentic personas posing as US residents and "follow trains" used to pick up unwitting followers. These produced higher, though still limited, authentic engagement, primarily on X.
## Tactics, Techniques & Procedures
- **Content Generation:** High volume, low-quality content production across various platforms.
- **Adaptation to News Cycle:** Pivots quickly to produce content reacting to breaking news, in some cases within a few weeks of the event, and pre-produces high volumes of content ahead of anticipated events (e.g., the Taiwan election).
- **Use of Synthetic Media/AI:** Utilizes AI-generated news hosts, synthetic audio, and avatars in video content.
- **Content Style:** Often uses robotic voiceovers, stock footage, and publicly available images; displays awkward phrasing suggesting machine translation.
- **Social Media Manipulation:** Employs engagement strategies like "follow trains" and uses inauthentic personas posing as residents in target geographies.
- **Content Reuse:** Posting identical video content across platforms like YouTube and X.
- **Mimicry:** Copying content from real social media users on external platforms.
- **Engagement Tactics:** Relies heavily on inauthentic engagement from other DRAGONBRIDGE accounts to boost content visibility.
- **Framework mapping:** The source provides no MITRE ATT&CK mapping, and none is offered here. ATT&CK describes intrusion behaviour (initial access, execution, persistence, and so on), which this activity does not exhibit; DRAGONBRIDGE's tradecraft is content production and inauthentic amplification. The DISARM framework, designed for influence operations, is the appropriate vocabulary for these TTPs.
## Targeting
- **Sectors:** No specific technical sectors targeted; primary focus is on geopolitical influence and public discourse.
- **Geography:** Primarily targets Chinese speakers, but also disseminates narratives in English and other languages. Narratives have focused on US politics and Taiwanese elections.
- **Victims:** Targeting specific political figures (e.g., Taiwan’s outgoing President Tsai Ing-wen) and aiming to sow division within the US population.
## Tools & Infrastructure
- **Malware Families:** None explicitly mentioned.
- **Infrastructure:** Accounts and channels on YouTube, Blogger, and X (formerly Twitter). Command-and-control servers, domains, and IPs do not apply to this activity, and the source lists no account or channel identifiers.
## Implications
DRAGONBRIDGE represents a highly persistent and scalable influence effort operating on multiple platforms, despite consistently failing to gain significant organic reach. Their continued experimentation, particularly with AI-generated content and adopting slightly more nuanced engagement tactics on platforms like X, suggests an ongoing attempt to refine influence methods. The volume of disruption indicates a significant commitment by the originating state actor to influence external narratives.
## Mitigations
- **Platform Monitoring:** Continue scaling detection efforts across social media platforms to rapidly disrupt coordinated inauthentic activity.
- **Content Analysis:** Focus identification on content exhibiting low quality, robotic voiceovers, machine-translated phrasing, or rapid, reactive production around geopolitical events.
- **Behavioral Analysis:** Monitor for closed-loop engagement, where likes, comments, and shares on a piece of content come predominantly from accounts already known to be inauthentic, and for the same media appearing on several platforms under different accounts.
- **AI/Synthetic Media Detection:** Enhance detection capabilities for synthetically generated video and audio content used for influence operations.
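As an added illustration of two patterns described above (cross-platform content reuse under TTPs, and closed-loop engagement under Behavioral Analysis), the following Python is example detection logic written for this page; it is not code from Google TAG or Mandiant and does not represent either organisation's actual detection systems. Account names, platforms, content hashes, and thresholds are constructed. In practice the content hash would be a perceptual fingerprint of the video or image rather than an exact hash, and the promoted "candidate" accounts are review queue input, not automatic enforcement, since an unwitting follower picked up by a follow train can look similar.

```python
"""Added example: toy detection of DRAGONBRIDGE-style content reuse and
closed-loop engagement, run over constructed sample data (not real platform
data, not Google's or Mandiant's detection logic)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Post:
    post_id: str
    account: str
    platform: str
    content_hash: str  # fingerprint of the media; constructed values below


@dataclass(frozen=True)
class Interaction:
    actor: str    # account that liked, commented on, or shared the post
    post_id: str


# Constructed seed set: accounts already attributed to the cluster.
KNOWN_INAUTHENTIC = {"db_001", "db_002", "db_003", "db_004"}

# Constructed posts: one video reposted across three platforms, plus bystanders.
POSTS = [
    Post("yt-1", "db_001", "youtube", "h_video_A"),
    Post("x-1", "db_002", "x", "h_video_A"),           # same video on X
    Post("bl-1", "db_003", "blogger", "h_video_A"),    # and on Blogger
    Post("yt-2", "db_004", "youtube", "h_video_B"),
    Post("x-9", "user_kim", "x", "h_cat_pic"),         # unrelated organic post
    Post("yt-3", "user_lee", "youtube", "h_video_B"),  # organic re-upload, same platform
]

# Constructed interactions: mostly the cluster engaging with itself.
INTERACTIONS = [
    Interaction("db_002", "yt-1"), Interaction("db_003", "yt-1"),
    Interaction("db_004", "yt-1"), Interaction("db_005", "yt-1"),
    Interaction("db_001", "x-1"), Interaction("db_003", "x-1"),
    Interaction("user_ann", "x-1"),   # one real user reached the content
    Interaction("db_005", "x-1"),     # db_005 is not yet in the known set
    Interaction("user_ann", "x-9"), Interaction("user_bob", "x-9"),
    Interaction("user_kim", "x-9"),
    Interaction("db_001", "yt-2"), Interaction("db_002", "yt-2"),
    Interaction("db_005", "yt-2"),
]


def cross_platform_duplicates(posts):
    """{content_hash: sorted platforms} for media seen on more than one
    platform. A re-upload on the same platform alone does not qualify."""
    platforms_by_hash = defaultdict(set)
    for p in posts:
        platforms_by_hash[p.content_hash].add(p.platform)
    return {h: sorted(pl) for h, pl in platforms_by_hash.items() if len(pl) > 1}


def inauthentic_engagement_ratio(post_id, interactions, known_inauthentic):
    """(fraction of interactions from known inauthentic accounts, total count).
    The count lets callers demand a minimum volume before flagging."""
    acted = [i for i in interactions if i.post_id == post_id]
    if not acted:
        return 0.0, 0
    bad = sum(1 for i in acted if i.actor in known_inauthentic)
    return bad / len(acted), len(acted)


def flag_closed_loop_posts(posts, interactions, known_inauthentic,
                           ratio_threshold=0.6, min_interactions=3):
    """Posts whose engagement is mostly the cluster talking to itself."""
    flagged = []
    for p in posts:
        ratio, n = inauthentic_engagement_ratio(p.post_id, interactions, known_inauthentic)
        if n >= min_interactions and ratio >= ratio_threshold:
            flagged.append(p.post_id)
    return sorted(flagged)


def candidate_accounts(posts, interactions, known_inauthentic, min_share=0.6):
    """Accounts outside the known set whose interactions land mostly on flagged
    posts. Review candidates only: a real user who engaged once or twice
    (user_ann below) must stay under the threshold."""
    flagged = set(flag_closed_loop_posts(posts, interactions, known_inauthentic))
    hits_by_actor = defaultdict(list)
    for i in interactions:
        if i.actor not in known_inauthentic:
            hits_by_actor[i.actor].append(i.post_id in flagged)
    return sorted(a for a, hits in hits_by_actor.items()
                  if len(hits) >= 2 and sum(hits) / len(hits) >= min_share)


def expand_cluster(posts, interactions, known_inauthentic, max_rounds=5):
    """Alternate flagging posts and promoting candidates until no new accounts
    appear. Returns (expanded account set, flagged post ids)."""
    known = set(known_inauthentic)
    for _ in range(max_rounds):
        new = set(candidate_accounts(posts, interactions, known)) - known
        if not new:
            break
        known |= new
    return known, flag_closed_loop_posts(posts, interactions, known)


if __name__ == "__main__":
    print("reused across platforms:", cross_platform_duplicates(POSTS))
    print("first pass flagged:", flag_closed_loop_posts(POSTS, INTERACTIONS, KNOWN_INAUTHENTIC))
    print("after expansion:", expand_cluster(POSTS, INTERACTIONS, KNOWN_INAUTHENTIC))
```

Two things the run shows that the bullets alone do not: the X repost `x-1` escapes the first pass because one real user and one not-yet-attributed account dilute the ratio, and it is only caught once `db_005` is promoted on the strength of its own engagement pattern; meanwhile `user_ann`, who touched one flagged post and one organic post, never crosses the threshold. The `min_interactions` and `min_share` parameters are where the false-positive trade-off lives, and they are constructed values here, not tuned ones.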