
Pro-PRC HaiEnergy Campaign Exploits U.S. News Outlets via Newswire Services to Target U.S. Audiences; Evidence of Commissioned Protests in Washington, D.C.

July 24, 2023

Written by: Ryan Serabian, Daniel Kapellmann Zafra, Conor Quigley, David Mainor

In August 2022, Mandiant released a public report detailing an ongoing influence campaign leveraging infrastructure attributed to the Chinese public relations (PR) firm Shanghai Haixun Technology Co., Ltd (上海海讯社科技有限公司) (referred to hereafter as “Haixun”). This campaign, which we dubbed “HaiEnergy,” leveraged a network of at least 72 inauthentic news sites—which presented themselves as independent news outlets based in various regions across the world—and a number of suspected inauthentic social media assets to amplify content strategically aligned with the political interests of the People’s Republic of China (PRC).

When we released our initial report, we were unable to determine the extent to which Haixun was involved in, or even aware of, this campaign, as our visibility was limited to the campaign’s use of infrastructure linked to the company. In recent months, however, we have identified additional evidence suggesting Haixun is not only aware of the campaign but is actively supporting it through the solicitation of for-hire freelancers via Fiverr to promote campaign content.

Additionally, we have identified new tactics, techniques, and procedures (TTPs) being employed by HaiEnergy, which include the use of newswire services to distribute pro-PRC content to subdomains of legitimate U.S.-based news outlets. We also note the possibility the campaign is leveraging less conventional TTPs, citing a specific example in which an ad displaying pro-PRC messaging was possibly placed on a billboard in New York City’s Times Square.

Finally, and perhaps most noteworthy, we have evidence to suggest the campaign may have financed at least two staged in-person protests in Washington, D.C. The campaign then used the protests as source material in HaiEnergy-linked operations that promoted narratives surrounding highly divisive U.S. domestic issues and messaging critical of a June 2022 decision by the U.S. Government to ban all goods produced in China's Xinjiang region.

Campaign Leverages Newswire Services and Subdomains Associated with Legitimate U.S.-Based News Outlets

Since we published our initial report, Mandiant has identified additional dissemination vectors leveraged by HaiEnergy, which include two self-described “press release” services—"Times Newswire" (timesnewswire.com) and "World Newswire" (wdwire.com)—and at least 32 subdomains of legitimate U.S.-based news outlets resolving to third-party infrastructure associated with a U.S.-based company named “FinancialContent, Inc.” (see Appendix for technical analysis).

We note that we have not observed evidence indicating that any of the impacted outlets were compromised. Based on our technical analysis of these subdomains, combined with insights gleaned from open-source reporting, it is possible FinancialContent, Inc. provided these outlets with a service that supplies stock and financial news data to be displayed on the subdomains we have identified. According to at least one source, content provided by FinancialContent, Inc. is sometimes published to these subdomains without approval or review.

We have attributed the use of these vectors to HaiEnergy based on overlapping content published to these newly-observed entities and to previously known HaiEnergy infrastructure, as well as observations surrounding the coordinated amplification of content published to all sites we now attribute to the campaign (see next section).

  • In numerous instances, we have observed identical pro-PRC articles published to both World Newswire and Times Newswire, which were also published to suspected inauthentic news sites we have previously attributed to HaiEnergy (see Figure 1 and Figure 2).
  • Additionally, we have observed the campaign leverage these sites in both the seeding and dissemination of campaign-promoted narratives, a form of information laundering intended to provide a veneer of legitimacy. For example, we identified content published to an inauthentic news outlet previously attributed to HaiEnergy that cited information allegedly originating from a FinancialContent, Inc.-linked subdomain of the Arizona Republic (finance.azcentral.com). Notably, the article on this subdomain in turn credited Times Newswire as the original source (see Figure 3).
  • Mandiant previously identified and subsequently detailed in our August 2022 report a downloadable spreadsheet hosted at “haixunpr.org”, which provided insight into the PR firm’s digital marketing strategy. An additional spreadsheet we identified hosted at “haipress.com,” part of Haixun’s “Positive Energy” package, contained a distribution list presumably for content delivery which contained the subdomains we have identified along with hundreds of additional URLs that Mandiant continues to investigate (see Figure 4). As we noted in our previous blog post, the term “positive energy” (正能量) is an important term in the Xi Jinping era that refers to messages positively portraying the Chinese Communist Party (CCP), the Chinese Government, and its policies.
  • Mandiant has also observed content originating from World Newswire, Times Newswire, and previously identified HaiEnergy sites shared by overlapping social media accounts in a coordinated manner, including those we have previously attributed to HaiEnergy, as well as newly-identified for-hire freelancers we judge were commissioned by Haixun to amplify campaign content (see next section).

Despite the common denominator of having been leveraged by the HaiEnergy campaign, we currently lack technical evidence to suggest an underlying connection between Haixun and World Newswire, Times Newswire, or FinancialContent, Inc. and thus currently view them as distinct entities.


Figure 1: Times Newswire (left) and a HaiEnergy website (right) posted identical articles on the same day


Figure 2: World Newswire (left) and a HaiEnergy website (right) posted identical Russian-language articles


Figure 3: A HaiEnergy site posts an article identical to one on Times Newswire and links directly to that Times Newswire article published on a subdomain of a U.S. news outlet


Figure 4: Spreadsheet downloaded from haipress.com advertises “Positive Energy” package for “high quality media outlets” in the U.S. and Europe

Haixun Likely Leveraging Global Marketplace to Outsource Content Promotion

Our previous understanding of Haixun’s involvement in HaiEnergy was limited to the campaign’s use of infrastructure linked to the PR firm; namely, at least 72 suspected inauthentic news sites which all leveraged content from the server “02100.vip” that was registered by Haixun. However, recent observations associated with the company’s presence on Fiverr, a global online marketplace for freelance services, have given us additional evidence suggesting the company is complicit in the broader campaign, as well as insight into the methods by which it outsources content promotion.

Specifically, we identified a Fiverr account we attribute to Haixun actively engaged in soliciting individuals to promote content both consistent with the political narratives promoted by the HaiEnergy campaign and sourced to infrastructure we attribute to it (Figure 5). Additionally, we observed numerous reviews from the Haixun Fiverr account as a “buyer” placed on identified “seller” accounts. Likewise, we observed identified “sellers” confirming this transactional relationship between both parties by leaving reciprocal reviews.

  • For example, we observed multiple “seller” accounts identifying as paid promoters amplify pro-PRC content via corresponding profiles on other social media platforms, including by directly linking to content originating from identified newswire services and subsequently published to subdomains of genuine U.S.-based news outlets (see Figure 6). In some cases, HaiEnergy-sourced content was promoted by social media accounts linked to paid promoters on the same days, further suggesting a notable degree of coordination (Figure 7).
  • In at least one instance, we observed Haixun, via its Fiverr account, commission an influencer to promote a video surrounding China’s “victory” over COVID-19. On Fiverr, the Haixun account shared a screenshot of the video being posted by the influencer, presumably as proof of service delivery, alongside text stating “Great service, fast respond. Looking forward to the next collaboration [sic].” The link to the influencer-hosted video was then embedded in a Times Newswire article that was distributed to subdomains associated with genuine U.S.-based news outlets.

Based on the number of paid promoter accounts that we identified with a substantial following (i.e., over 100,000 followers), we surmise that Haixun selectively targeted for-hire accounts that could maximize campaign reach. Despite the use of these for-hire accounts within the context of a campaign we assess to be both coordinated and inauthentic, we detail the activity of these accounts solely to demonstrate the level of coordination exhibited by the campaign’s operators, and refrain from making any assertions pertaining to the authenticity of individual for-hire accounts or whether these individuals are witting or unwitting participants.


Figure 5: Haixun Fiverr account profile (redacted)


Figure 6: Freelance Fiverr account offers promotion on Twitter (top left), Haixun Fiverr account (redacted) leaves review (bottom left), for-hire Twitter (right) links to content by Times Newswire on a subdomain of the Arizona Republic (finance.azcentral.com) linked to FinancialContent, Inc.


Figure 7: Workflow illustrating sample observed dissemination vectors from HaiEnergy campaign

Sets of Inauthentic Accounts Promote Subdomains in a Coordinated Manner

In addition to users we believe were commissioned by Haixun, Mandiant also identified two clusters of suspected inauthentic accounts operating on Twitter engaged in the concerted promotion of source material originating from HaiEnergy-linked sources. One cluster was used to tweet links to articles sourced to various subdomains leveraged by the campaign, while the second cluster was used to reply to these tweets in a likely attempt to feign authentic engagement. In at least one instance, accounts we identified used first-person pronouns to feign concern over the recent Ohio train derailment in early February 2023, implying that they were U.S.-based individuals (Figure 8).


Figure 8: Tweet by account in first cluster features subdomain of U.S. news outlet with replies by second cluster of accounts (left); account in first cluster uses first-person pronouns to feign concern over the Ohio train derailment in early February 2023 (right)

Evidence Suggests Operators Behind HaiEnergy May Have Commissioned Staged In-Person Protests in Washington, D.C.

In addition to commissioning campaign support in the dissemination phases of HaiEnergy-attributed operations, we have evidence to suggest the campaign may have also financed at least two staged in-person protests in Washington, D.C. Both protests, which occurred around June and September 2022, were documented via video and subsequently used as source material to support campaign-promoted narratives published by assets and infrastructure leveraged by HaiEnergy.

The first protest we suspect to have been manufactured by the campaign was allegedly in response to the 2022 International Religious Freedom (IRF) Summit—an annual event held in Washington, D.C. aimed at bringing awareness to restrictions on religious freedom. The second protest appears to have been manufactured in response to a June 2022 decision by the U.S. Government to ban all goods produced in China’s Xinjiang region—a decision which came against the backdrop of continued allegations of human rights abuses against China’s ethnic-minority Uyghur population. In both videos, two small groups of protesters can be observed demonstrating in Washington, D.C., holding placards and chanting slogans intended to highlight U.S. domestic issues, such as racial discrimination and abortion, as well as criticize U.S. policy impacting the import of solar industry-specific components from Xinjiang—a key supplier of cheap critical components used by the solar panel manufacturing industry. As previously alluded to, HaiEnergy subsequently leveraged these videos to bolster campaign messaging.

  • In both instances, we observed articles referencing these protests published by the aforementioned press release service, Times Newswire. Additionally, verbatim articles referencing the protests were subsequently distributed to the subdomains of legitimate U.S.-based news outlets leveraged by HaiEnergy (see Figure 9, Figure 10, and Figure 11).
  • We also observed both protest videos being amplified by social media accounts we have attributed to HaiEnergy, including at least one we judge is associated with a freelancer that was commissioned by Haixun via Fiverr (see Figure 12 and Figure 13).
  • Notably, we were unable to identify any outside sources referencing these protests other than those we either attribute directly to HaiEnergy or have identified as being tangential to the campaign by virtue of paid promotion services.
  • Analysis of the videos’ contents and the context in which they were promoted suggested that it was at least plausible the protests were orchestrated on behalf of a third party. Given this hypothesis and based on information gleaned from the videos, Mandiant identified the source of both videos and subsequently obtained information indicating this source had allegedly been commissioned on behalf of an unnamed client to stage both protests.
  • While we lack direct evidence that Haixun paid the individuals we identified in the protest videos, we consider evidence that the campaign commissions freelance services in other contexts, the concerted promotion of these protests by HaiEnergy-linked assets, and information indicating the protests were paid for and staged to support our overall assessment.

Figure 9: Times Newswire promotes article on IRF Summit protest (left); subdomain of U.S. news outlet promotes same article and cites Times Newswire as source (right)


Figure 10: Times Newswire (left) posts article concerning "September 24" protest in Washington, D.C.; one of the 32 subdomains (right) of U.S. news outlets promotes identical article and cites Times Newswire as source


Figure 11: Times Newswire article cites chant and text featured on signs from September 24 protest video shared by HaiEnergy accounts


Figure 12: Haixun Fiverr account (redacted) leaves review on freelancer’s Fiverr page (left); post on the freelancer’s Twitter account promoting the IRF Summit protest video (right)


Figure 13: Previously identified social media accounts leveraged as part of the HaiEnergy campaign promote identical text from Times Newswire article and video of protest in Washington, D.C.

Campaign Referenced Billboard Advertisement and Additional Protest in Times Square, New York

Attempts by the campaign to manufacture source material offline for subsequent use in HaiEnergy-linked operations may not be isolated to the aforementioned protests in Washington, D.C. Specifically, we observed an article published to Times Newswire claiming that protests occurred in response to Taiwanese President Tsai Ing-wen’s recent transit through the U.S. and referencing a pro-PRC message vis-à-vis Taiwan displayed on a billboard in New York City’s Times Square (Figure 14). We lack evidence to confirm that the ad was actually placed on the billboard or that it was paid for by the campaign. However, we note the possibility, given our understanding of the campaign, Haixun’s self-promoted strategy of “LED digital marketing services” specifically referencing ad placement in “Times Square, New York” (Figure 15), and an identified service that sells digital advertisements on the specific billboard featured in the Times Newswire article.


Figure 14: Times Newswire article references Times Square billboard (left); image from billboard sourced from Global Times article (right)


Figure 15: Pamphlet from haipress.com claims to offer digital advertisements in Times Square, New York

Overlaps with Pro-PRC DRAGONBRIDGE Campaign

In our August 2022 report, we noted that while we currently track HaiEnergy and DRAGONBRIDGE as separate campaigns, we have observed some, albeit limited, overlap between the two activity sets, mainly vis-à-vis the prevailing themes present in observed narratives promoted by both campaigns and, to a lesser extent, the use of some conventional TTPs. Since the publication of that report, we have acquired additional data points demonstrating further overlap between the two campaigns, making it at least plausible that these observations could be the result of shared tasking or group overlap. Despite these additional data points and absent any technical indicators linking the two, we still opt to treat these activity sets as distinct campaigns, though we are actively investigating the relationship between the two. For reference, we include some of the more notable newly-observed overlaps:

  • On Jan. 9, we observed an article titled “The Frequent Shootings in the United States are the Greatest Contempt for Human Rights” published via the press release service Times Newswire. The article included a hyperlink to a video posted by an account we attribute to the DRAGONBRIDGE campaign. The video itself is part of a sketch animation series known as “Chris shows you the world,” which we have previously observed promoted by DRAGONBRIDGE accounts.
  • On Dec. 4, 2022, we observed an article titled “US CIA: The Manifest of the Unholy Saint in Africa” published via the press release service World Newswire. The article, which we have identified as being appropriated from the site “Online Nigeria” (onlinenigeria.com), was altered by removing its original hyperlinks and replacing them with a URL directing readers to a tweet posted by a now-suspended inauthentic account. This tweet featured replies from additional accounts we suspect are inauthentic that have noticeably amplified content and source material we have previously attributed to DRAGONBRIDGE-related threat activity. Notably, we observed this article distributed to the subdomain markets.financialcontent.com, which cited World Newswire as a source, before it was distributed on Facebook and Twitter approximately two days later by a self-described journalist (Figure 16).
  • Additionally, we have observed corresponding Twitter profiles associated with identified accounts on Fiverr commissioned by Haixun retweet suspected inauthentic accounts that have amplified content consistent with source material promoted by DRAGONBRIDGE accounts.

Figure 16: Original article posted to Online Nigeria (top left); article altered and posted to World Newswire (top right); article distributed to FinancialContent, Inc. (bottom right); promoted by self-described journalist on Twitter and Facebook (bottom left)

Outlook and Implications

To date, pro-PRC influence campaigns that Mandiant currently tracks have largely failed to generate substantial engagement from authentic users, with most seemingly operating within the confines of their own echo chambers despite campaign operators’ use of multiple platforms and dissemination vectors to reach target audiences. Just as researchers within the disinformation space search for new and novel ways to measure the impact of influence campaigns, threat actors, conversely, are recalibrating their efforts to achieve maximum effectiveness. As early as 2020, researchers within the disinformation space have acknowledged the pivotal role high-profile influencers can play in furthering the reach of IO campaigns. Based on our most recent observations associated with HaiEnergy, it is plausible that operators behind this campaign have recognized the ineffectiveness of past tactics and now look to expand the campaign’s overall reach by outsourcing certain aspects of its operation. The possible financing of at least two staged in-person protests for use as source material in HaiEnergy-linked information operations is, in particular, a significant escalation in TTPs employed by this campaign, and further evidence suggesting the campaign is expanding its tactics to maximize potential impact.


Subdomains Leveraged to Promote Pro-PRC Content from Times Newswire and World Newswire Intended to Masquerade as Content from Second-Level Domains of U.S. News Outlets; Infrastructure Linked to FinancialContent, Inc.

Based on our technical analysis, we judge that the content displayed on the 32 subdomains of websites belonging to legitimate U.S. news outlets is intended to masquerade as content published on the main websites (second-level domains) of these outlets. All 32 subdomains have leveraged infrastructure that can be attributed to the FinancialContent, Inc. company.

  • The 32 subdomains we identified all pointed (via CNAME records) to the same internet resource at one point in time, a DNS label under the name financialcontent.com. The shared resources at financialcontent.com then delivered the user to one of two internet servers ( and that presented content masquerading as U.S. news outlets, hosted at a service provider called "Garden State Computing" (Table 1).
    • For example, the subdomain “markets.post-gazette.com” of the Pittsburgh Post-Gazette (post-gazette.com) led to a DNS label under the name financialcontent.com before it delivered the user to the server (see Figure 17 and Figure 18), which displayed content masquerading as the Pittsburgh Post-Gazette.
    • We observed a statement at the bottom of all 32 subdomains we identified hosted on the two servers claiming, "Data & News [is] supplied by cloudquote.io," which is a service offered by the FinancialContent, Inc. company (Figure 19).
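
The delegation pattern described above can be audited from an outlet's own DNS data. The following is an added example, not code from the original report: it parses answer lines in the `dig +noall +answer` layout, follows each CNAME chain, and groups hostnames by the third-party domain they are handed to. The two outlet subdomains and markets.financialcontent.com come from the report; the TTLs, the example.com/example.net names and every IP address are constructed placeholders (documentation ranges), and the two-label `registrable()` helper is a simplifying assumption.

```python
"""Audit which hostnames are CNAME-delegated to a third party (added example)."""

# Constructed sample answers; addresses are documentation-range placeholders,
# not the servers referenced in the report.
SAMPLE_ANSWERS = """\
markets.post-gazette.com.     300 IN CNAME markets.financialcontent.com.
finance.azcentral.com.        300 IN CNAME markets.financialcontent.com.
markets.financialcontent.com. 300 IN A     192.0.2.10
www.post-gazette.com.         300 IN A     198.51.100.20
news.example.com.             300 IN CNAME www.example.com.
www.example.com.              300 IN A     203.0.113.5
a.example.net.                300 IN CNAME b.example.net.
b.example.net.                300 IN CNAME a.example.net.
"""

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def registrable(name):
    """Assumption: the last two labels identify the owner.
    A production audit should use the Public Suffix List instead."""
    return ".".join(normalize(name).split(".")[-2:])

def parse_answers(text):
    """Return {owner: (rtype, rdata)} for CNAME/A/AAAA answer lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue  # skip comments, blanks and other sections
        owner, rtype, rdata = normalize(fields[0]), fields[3].upper(), fields[4]
        if rtype == "CNAME":
            records[owner] = ("CNAME", normalize(rdata))
        elif rtype in ("A", "AAAA"):
            records.setdefault(owner, (rtype, rdata))  # keep first address
    return records

def resolve_chain(host, records, max_hops=8):
    """Follow CNAMEs from host; return (chain, address, status)."""
    chain = [normalize(host)]
    seen = set(chain)
    while len(chain) <= max_hops:
        rtype, rdata = records.get(chain[-1], (None, None))
        if rtype != "CNAME":
            return chain, rdata, ("resolved" if rtype else "no-data")
        if rdata in seen:
            return chain, None, "loop"  # CNAME cycle, never reaches an address
        chain.append(rdata)
        seen.add(rdata)
    return chain, None, "too-long"

def audit(host, records):
    """Report the chain and any registrable domains other than the host's own."""
    chain, address, status = resolve_chain(host, records)
    owner = registrable(chain[0])
    external = sorted({registrable(n) for n in chain[1:]} - {owner})
    return {"host": chain[0], "chain": chain, "address": address,
            "status": status, "delegated_to": external}

def shared_providers(hosts, records):
    """Group hostnames by the third-party domain serving them."""
    by_provider = {}
    for host in hosts:
        for provider in audit(host, records)["delegated_to"]:
            by_provider.setdefault(provider, []).append(normalize(host))
    return {p: sorted(h) for p, h in by_provider.items()}

RECORDS = parse_answers(SAMPLE_ANSWERS)

if __name__ == "__main__":
    hosts = ["markets.post-gazette.com", "finance.azcentral.com",
             "www.post-gazette.com", "news.example.com", "a.example.net"]
    for h in hosts:
        print(audit(h, RECORDS))
    print(shared_providers(hosts, RECORDS))
```

Hostnames that appear under a shared third-party domain are the ones whose page content the outlet does not serve itself, which is where an editorial review step for syndicated material matters most.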

FinancialContent, Inc. Possibly Provided Service to U.S. News Outlets

Based on our analysis of these subdomains and insights gleaned from open-source reporting, it is possible FinancialContent, Inc. provided these outlets with a service that supplies stock and financial news data to be displayed on the subdomains we have identified. According to at least one source, content provided by FinancialContent, Inc. is sometimes published to these subdomains without approval or review.

  • An article published by "Media Matters for America" (mediamatters.org) on March 3, 2013, implicated the FinancialContent, Inc. company in activity involving the placement of a fraudulent story on Boston.com, the sister website of The Boston Globe.
  • Specifically, it claimed that FinancialContent, Inc. placed a false story concerning New York Times columnist Paul Krugman filing for "Chapter 13" bankruptcy on Boston.com without the publication's knowledge.
  • Media Matters' reporting cites Ron Agrella, a former editor at Boston.com, who stated that the false article was placed on Boston.com without approval or review from Boston.com or The Boston Globe. Agrella also noted that Boston.com had partnered with the FinancialContent, Inc. company for "stock data" and that the news stories were "additional content provided on the side."

Figure 17: Screen capture from second-level domain of Pittsburgh Post-Gazette "post-gazette.com" (top); subdomain "markets.post-gazette.com" (bottom) displays content intended to masquerade as content on post-gazette.com, cites Times Newswire as source


Figure 18: Output of Domain Information Groper (DIG) Linux command indicating that markets.post-gazette.com pointed to the Canonical Name (CNAME) record "markets.financialcontent.com," among other shared resources; content intended to masquerade as that published by the Pittsburgh Post-Gazette was ultimately hosted at


Figure 19: "About us" page on CloudQuote website (cloudquote.io) claims that it is a service of FinancialContent, Inc.

U.S. news outlet | Subdomain | CNAME record
The Arizona Republic | finance.azcentral.com | markets.financialcontent.com
Pittsburgh Post-Gazette | markets.post-gazette.com | markets.financialcontent.com
Starkville Daily News | business.starkvilledailynews.com | markets.financialcontent.com
The Kane Republican | business.kanerepublican.com | markets.financialcontent.com
Sweetwater Reporter | business.sweetwaterreporter.com | markets.financialcontent.com
The Daily Press | business.smdailypress.com | markets.financialcontent.com
Poteau Daily News | business.poteaudailynews.com | markets.financialcontent.com
The Call | business.woonsocketcall.com | markets.financialcontent.com
Mammoth Times | business.mammothtimes.com | markets.financialcontent.com
The Evening Leader | business.theeveningleader.com | markets.financialcontent.com
The Post and Mail | business.thepostandmail.com | markets.financialcontent.com
My Mother Lode | money.mymotherlode.com | markets.financialcontent.com
The Inyo Register | business.inyoregister.com | markets.financialcontent.com
The Punxsutawney Spirit | business.punxsutawneyspirit.com | markets.financialcontent.com
Borger News-Herald | business.borgernewsherald.com | markets.financialcontent.com
The Times | business.pawtuckettimes.com | markets.financialcontent.com
Statesman Examiner | business.statesmanexaminer.com | markets.financialcontent.com
Decatur Daily Democrat | business.decaturdailydemocrat.com | markets.financialcontent.com
The Pilot News | business.thepilotnews.com | markets.financialcontent.com
The Newport Daily Express | business.newportvermontdailyexpress.com | markets.financialcontent.com
Malvern Daily Record | business.malvern-online.com | markets.financialcontent.com
Southern Rhode Island Newspapers | business.ricentral.com | markets.financialcontent.com
Wapakoneta Daily News | business.wapakdailynews.com | markets.financialcontent.com
Times Record | business.times-online.com | markets.financialcontent.com
The Guymon Daily Herald | business.guymondailyherald.com | markets.financialcontent.com
Daily Times Leader | business.dailytimesleader.com | markets.financialcontent.com
The Ridgway Record | business.ridgwayrecord.com | markets.financialcontent.com
Big Spring Herald | business.bigspringherald.com | markets.financialcontent.com
The Observer News Enterprise | business.observernewsonline.com | markets.financialcontent.com
The Saline Courier | business.bentoncourier.com | markets.financialcontent.com
The Buffalo News | markets.buffalonews.com | markets.financialcontent.com
The Community Post | business.minstercommunitypost.com | markets.financialcontent.com

Table 1: 32 subdomains of U.S. news outlets have pointed to network infrastructure at financialcontent.com at one point in time, before resolving to one of two servers. We note that as of the time of this publication, markets.post-gazette.com, finance.azcentral.com, and business.thepostandmail.com are no longer resolving to infrastructure linked to FinancialContent, Inc.


Special thanks to Mark Parker Young and numerous other individuals who provided valuable insights and analysis.
