GLASSBRIDGE’s Pro-China Influence Network of Fake Sites Targets the US

• A pro-China network of fake websites was exposed by Google TAG as part of an influence campaign.
• Named GLASSBRIDGE, the network promoted state-aligned narratives using modified legitimate news.
• The activity cluster seems to overlap with the Insikt Group-identified TAG-100 threat group.

Google has revealed GLASSBRIDGE, a pro-China influence network utilizing inauthentic news sites to promote state-aligned narratives globally. Operating through stand-alone digital PR firms, GLASSBRIDGE employs syndication services to present tailored propaganda as legitimate local news, deceiving regional audiences.

The revelation follows Microsoft's identification of a new threat actor, Storm-2077, active since January 2024. Storm-2077 has launched cyberattacks targeting U.S. government agencies, the defense industrial base, telecommunications, and financial services worldwide. 

The group uses phishing campaigns to harvest credentials, enabling access to cloud environments and sensitive email data. Tools such as Cobalt Strike and open-source malware like Pantegana are leveraged to execute these intelligence-gathering missions.

Microsoft notes the increasing sophistication of Chinese cyber operations. "Public disclosures of threat actors' activities have driven them to adapt their methods," the company stated. These evolving tactics make tracking and attribution more challenging than a decade ago.

Google's Threat Analysis Group provided further details about GLASSBRIDGE's operations. The network has exploited credible subdomains such as markets.post-gazette, business.thepilotnews, and finance.azcentral to host content tailored to specific regional audiences. 

This tactic amplifies their state-crafted narratives under the guise of independent journalism. Companies like Shenzhen Bowen Media and Shanghai Haixun Technology are implicated in this network.

Since 2022, Google has blocked over 1,000 GLASSBRIDGE-operated websites from appearing in its Google News and Google Discover sections. TAG researcher Vanessa Molter warned, "These sites demonstrate how influence operations have progressed beyond traditional social media platforms." 

The activity cluster overlaps with a threat group tracked as TAG-100 by Recorded Future's Insikt Group.

The exposure of GLASSBRIDGE underscores the increasing integration of disinformation campaigns with advanced cyberattacks. Organizations must prioritize robust threat detection and mitigation measures to combat this dual-edged strategy.

This tactic is not new; before the 2024 presidential elections, Iranian threat groups were seen distributing false news in an influence campaign, with one gang launching various domains with fake news sites targeting liberal and conservative voters.