GLASSBRIDGE’s Pro-China Influence Network of Fake Sites Targets the US

Published on November 25, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Google has revealed GLASSBRIDGE, a pro-China influence network utilizing inauthentic news sites to promote state-aligned narratives globally. Operating through stand-alone digital PR firms, GLASSBRIDGE employs syndication services to present tailored propaganda as legitimate local news, deceiving regional audiences.

The revelation follows Microsoft's identification of a new threat actor, Storm-2077, active since January 2024. Storm-2077 has launched cyberattacks targeting U.S. government agencies, the defense industrial base, telecommunications, and financial services worldwide. 

The group uses phishing campaigns to harvest credentials, enabling access to cloud environments and sensitive email data. Tools such as Cobalt Strike and open-source malware like Pantegana are leveraged to execute these intelligence-gathering missions.

GLASSBRIDGE is an ecosystem of companies and newswire services that publish inauthentic news content | Source: Google TAG

Microsoft notes the increasing sophistication of Chinese cyber operations. "Public disclosures of threat actors' activities have driven them to adapt their methods," the company stated. These evolving tactics make tracking and attribution more challenging than a decade ago.

Google's Threat Analysis Group provided further details about GLASSBRIDGE's operations. The network has exploited credible subdomains such as markets.post-gazette, business.thepilotnews, and finance.azcentral to host content tailored to specific regional audiences. 

This tactic amplifies their state-crafted narratives under the guise of independent journalism. Companies like Shenzhen Bowen Media and Shanghai Haixun Technology are implicated in this network.

The North Korean IT worker ecosystem | Source: Microsoft

Since 2022, Google has blocked over 1,000 GLASSBRIDGE-operated websites from appearing in its Google News and Google Discover sections. TAG researcher Vanessa Molter warned, "These sites demonstrate how influence operations have progressed beyond traditional social media platforms." 

The activity cluster overlaps with a threat group tracked as TAG-100 by Recorded Future's Insikt Group.

The exposure of GLASSBRIDGE underscores the increasing integration of disinformation campaigns with advanced cyberattacks. Organizations must prioritize robust threat detection and mitigation measures to combat this dual-edged strategy.

This tactic is not new; before the 2024 presidential elections, Iranian threat groups were seen distributing false news in an influence campaign, with one gang launching various domains with fake news sites targeting liberal and conservative voters.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: