Keypoints
- Insikt Group links the “Empire Dragon” network to a coordinated, inauthentic information operation likely based in China and aligned with Chinese government objectives.
- The network has operated since early 2021 and shifted focus from Chinese domestic topics to U.S. and allied audiences after August 2022.
- Empire Dragon uses multilingual posts across platforms, account impersonation, fringe groups and “useful idiots” to amplify narratives, but has struggled to gain organic engagement.
- There is a measurable convergence between Empire Dragon narratives and Russian disinformation, with the Chinese-aligned network amplifying Russian-origin narratives.
- Poor content quality (machine translation, low-quality imagery) has limited impact so far, but adoption of multilingual LLMs and advanced image-generation models is expected to increase effectiveness.
- Recorded Future predicts the network will refine tactics to influence major 2024 events (Taiwan and U.S. elections) by promoting candidates, attacking leaders, and polarizing voters.
MITRE Techniques
- [T1585] Establish Accounts – Creating and operating inauthentic and impersonated accounts to conduct coordinated information operations (“coordinated and inauthentic operation…”).
- [T1078] Valid Accounts – Using impersonated or otherwise leveraged accounts to publish and amplify narratives across platforms (“account impersonation”).
- [T1583] Acquire Infrastructure – Deploying multilingual posting infrastructure and cross-platform distribution to reach global audiences (“engage in information operations… through various languages, topics, and platforms”).
- [T1204] User Execution – Recruiting or manipulating “useful idiots” and fringe political groups to disseminate and amplify content (“employing ‘useful idiots,’ fringe political groups”).
- [T1588] Obtain Capabilities – Integrating multilingual large language models and image-generation models to improve content quality and believability (“improvements in multilingual large language models and image generation models”).
Indicators of Compromise
- [Domain] Report and analysis hosting – recordedfuture.com (original analysis and blog post), go.recordedfuture.com (PDF report link).
- [File] Report PDF – https://go.recordedfuture.com/hubfs/reports/cta-2023-0830.pdf (full analysis available as downloadable PDF).
- [Asset] Image/content host – cms.recordedfuture.com/uploads/… (image assets used in the published analysis).
Recorded Future’s technical assessment identifies Empire Dragon as an organized information operation employing structured account and infrastructure tactics to disseminate narratives. The operation establishes and manages inauthentic and impersonated accounts across multiple platforms (establish accounts / valid accounts), builds or acquires multilingual distribution infrastructure to post and syndicate content, and uses third-party actors, described as “useful idiots” and fringe groups, to artificially amplify messaging. These operational choices map to common adversary behaviors: account creation/establishment, exploitation of valid accounts for posting, and acquisition of dissemination capabilities.
Operational constraints observed include low organic engagement driven by poor content quality (machine-translated text and weak imagery) and sporadic amplification. Technically, the network is positioned to upgrade its toolchain: adoption of multilingual large language models and advanced image-generation models represents an Obtain Capabilities pathway that will likely increase content coherence and cross-language believability. Analysts note a shift toward amplifying externally originated narratives (notably from the Russian disinformation ecosystem), indicating reuse of third-party content and coordinated cross-campaign amplification techniques.
Recorded Future anticipates continued refinement ahead of 2024 geopolitical events; defenders should monitor account-establishment patterns, cross-platform posting infrastructure, sudden upticks in coordinated amplification, impersonation activity, and the emergence of higher-quality, AI-generated multilingual content as indicators of increased operational capability.
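One way to check for two of the signals named above (coordinated amplification and account-establishment patterns) is sketched below as an added example; it is not code or data from the Recorded Future report. The record fields, sample posts and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the report): "created" is the account
# creation day number, "ts" is the post time in epoch seconds.
SAMPLE_POSTS = [
    {"account": "a1", "platform": "platform_a", "created": 100, "ts": 1000, "text": "Leaders FAILED us!  https://ex.example/1"},
    {"account": "a2", "platform": "platform_b", "created": 101, "ts": 1120, "text": "leaders failed us"},
    {"account": "a3", "platform": "platform_c", "created": 101, "ts": 1300, "text": "Leaders failed us!!! https://ex.example/2"},
    {"account": "b1", "platform": "platform_a", "created": 20, "ts": 1200, "text": "Leaders failed us"},
    {"account": "c1", "platform": "platform_a", "created": 55, "ts": 90000, "text": "Nice weather in Taipei today"},
]

def normalize(text):
    """Strip URLs, punctuation and case so trivially varied copies compare equal."""
    text = re.sub(r"https?://\S+", " ", text.casefold())
    return " ".join(re.sub(r"[^\w\s]", " ", text).split())

def coordinated_clusters(posts, window_s=600, min_accounts=3, burst_days=7):
    """Flag texts posted by >= min_accounts distinct accounts within window_s seconds.
    Thresholds are illustrative assumptions, not values from the report."""
    by_text = defaultdict(list)
    for p in posts:
        by_text[normalize(p["text"])].append(p)
    findings = []
    for text, group in by_text.items():
        group.sort(key=lambda p: p["ts"])
        best = []
        for i, first in enumerate(group):  # sliding window anchored at each post
            win = [p for p in group[i:] if p["ts"] - first["ts"] <= window_s]
            if len({p["account"] for p in win}) > len({p["account"] for p in best}):
                best = win
        accounts = sorted({p["account"] for p in best})
        if len(accounts) < min_accounts:
            continue
        created = sorted({p["account"]: p["created"] for p in best}.values())
        # Largest group of participating accounts created within burst_days of each other.
        burst = max(sum(1 for c in created if 0 <= c - s <= burst_days) for s in created)
        findings.append({"text": text, "accounts": accounts,
                         "platforms": sorted({p["platform"] for p in best}),
                         "created_in_burst": burst})
    return findings

if __name__ == "__main__":
    for finding in coordinated_clusters(SAMPLE_POSTS):
        print(finding)
```

Exact-match grouping after normalization only catches copy-paste amplification; machine-translated or paraphrased variants of the kind the report describes need similarity or cross-language matching on top of this.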