The National Cyber Security Center and partners analyzed how Chinese media relations firms disguise news sites as Korean outlets to influence public opinion in Korea. The report highlights operations by Haimai, Haixun, and World Newswire, including fake domain networks, overseas hosting, and social-media amplification.
Hashtags: #Haimai #TimesNewswire #WorldNewswire #Haixun #Jeju4_3Incident #ChineseInfluenceOperations
Key points
- Chinese media relations firms are distributing content in Korea through fake sites disguised as Korean media outlets.
- Haimai, Haixun, and World Newswire are identified as involved in creating or operating disguised Korean outlets.
- Haimai used Times Newswire and operated 18 self-built fake Korean sites to disseminate content; 43.155.173.104 (Tencent-hosted) was the shared IP for most sites; many of the domain names were registered through GoDaddy; the sites were WordPress-based.
- Fake sites imitate real Korean media names (e.g., Chungcheong Times) and often lack legitimate contact information, posting as if they were genuine outlets.
- Haimai circulated pro-China, anti-U.S., and anti-Japan content, including attempts to spread material via SNS and related YouTube links.
- World Newswire and Haixun cases show broader Chinese influence activity, with World Newswire sites posting PR/China content and Haixun tied to the HaiEnergy-style campaign identified by Mandiant.
- The report's conclusion emphasizes the potential for influence operations in Korea and the need for defenses, even though direct impact may be limited by Korea’s in-link news model.
MITRE Techniques
- [T1036] Masquerading – Disguising websites as Korean media outlets to impersonate legitimate outlets. Quote: “websites disguised as Korean media outlets”
- [T1583] Acquire Infrastructure – Establishing fake sites with a shared IP, overseas hosting, and domain registrations to support disinformation. Quote: “The domains of the fake sites created by Haimai are all operating from the same IP 43.155.173.104, which is identified as a server hosted by Tencent. Notably, the domains for most of the 18 sites were registered through GoDaddy.com… The sites hosted on these IPs were all built on WordPress.”
Indicators of Compromise
- [IP Address] 43.155.173.104 – Tencent-hosted server used to host 18 fake Korean media sites.
- [Domains] timesnewswire.com – used as the official newswire platform; cctimes.kr (real) vs cctimes.org (fake) – demonstrates impersonation of Korean outlets; wdwire.com – World Newswire domain linked to fake sites.
- [Domains] Domains registered via GoDaddy.com for the fake sites (multiple domains) – indicates infrastructure acquisition for impersonation networks.
- [Platform/Hosting] WordPress-based sites – all fake sites were built on WordPress, hosted on the identified IPs.
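
The indicators above suggest a simple triage pivot for defenders: find domains that reuse a real outlet's name under a different suffix (cctimes.kr vs cctimes.org), then list everything else resolving to the same IP. The following is an added example, not code from the report; the resolution records are constructed, and every domain and IP other than cctimes.kr, cctimes.org and 43.155.173.104 is a placeholder.

```python
from collections import defaultdict

# Legitimate outlet named on the page; in practice load a maintained allowlist.
LEGIT_OUTLETS = {"cctimes.kr"}

# Constructed (domain, IP) resolution records. Only cctimes.kr, cctimes.org and
# 43.155.173.104 come from the page; everything else is a placeholder.
RECORDS = [
    ("www.cctimes.org", "43.155.173.104"),
    ("placeholder-daily-a.example", "43.155.173.104"),
    ("placeholder-daily-b.example", "43.155.173.104"),
    ("cctimes.kr", "192.0.2.10"),
    ("unrelated-blog.example", "198.51.100.7"),
]

def normalize(domain):
    """Lowercase, drop a trailing dot and a leading 'www.'."""
    d = domain.lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d

def brand(domain):
    """First label of the normalized name (simplification: no public-suffix list)."""
    return normalize(domain).split(".")[0]

def tld_swap_lookalikes(records, legit=LEGIT_OUTLETS):
    """Map each domain that reuses a legitimate outlet's name under another suffix."""
    legit_by_brand = {brand(d): normalize(d) for d in legit}
    hits = {}
    for domain, _ip in records:
        real = legit_by_brand.get(brand(domain))
        if real and normalize(domain) != real:
            hits[normalize(domain)] = real
    return hits

def cohosted_with_lookalikes(records, legit=LEGIT_OUTLETS):
    """Pivot from each lookalike to every other domain resolving to the same IP."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        by_ip[ip].add(normalize(domain))
    lookalikes = set(tld_swap_lookalikes(records, legit))
    return {ip: sorted(names) for ip, names in by_ip.items() if names & lookalikes}

if __name__ == "__main__":
    print(tld_swap_lookalikes(RECORDS))
    print(cohosted_with_lookalikes(RECORDS))
```

Co-hosting alone is weak evidence on shared cloud infrastructure, so treat the pivot output as a review queue rather than a blocklist.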