Google removes 3,000 YouTube channels linked to China spam network

Google between July and September removed 3,000 YouTube channels it said were operated by a spam network that sows pro-China sentiment and criticises countries such as the US.

The political spam network has been active since around August 2019, and was identified in September 2019 by social network analysis company Graphika. At the time, the network was using hijacked or fake accounts on YouTube, Twitter, and Facebook to attack Hong Kong's pro-democracy protesters. Graphika dubbed the network 'Spamouflage Dragon', since it interspersed political messages with high volumes of spam-like content like animal, music and TikTok videos.

This year, the network has begun posting in English as well as Mandarin about current events in the US, such as the Black Lives Matter protests, the wildfires on the West Coast, and the US response to Covid-19.

As the US presidential election approaches, Google's Threat Analysis Group (TAG) has been "aggresively" identifying and removing accounts associated with the network to limit its influence.

It terminated 3,000 YouTube channels associated with the network over the third quarter of 2020, including 299 in July, 1,846 in August and 1,628 in September, according to TAG's Q3 Bulletin.

"As a result, this network hasn’t been able to build an audience," Shane Huntley, director of software engineering at Google's TAG wrote in a blog post published Friday (October 16).

Huntley said most of the videos its identifies as part of the China network have fewer than 10 views, and most of these views appear to come from related spam accounts rather than actual users. 

"So while this network has posted frequently, the majority of this content is spam and we haven’t seen it effectively reach an actual audience on YouTube," he wrote.

Huntley's blog detailed Google's preventative action against bad actors ahead of the November 3 election.

To date, TAG said it has not identified any "significant coordinated influence campaigns" targeting, or attempting to influence, US voters on Google's platforms.

It identified phishing attempts against the personal email accounts of staffers on the Biden and Trump campaigns by Chinese and Iranian APTs (Advanced Persistent Threats) respectively in June, but it "hasn’t seen any evidence of such attempts being successful", Huntley said.

The Iranian and the Chinese groups targeted campaign staffers’ personal emails with credential phishing emails and emails containing tracking links. In one example, attackers impersonated McAfee. The staffers would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system.

The Covid-19 pandemic has also provided opportunities for fraudulent networks to spread malware, Google said. Earlier this year, it identified threat actors from China, Russia and Iran targeting pharmaceutical companies and researchers involved in vaccine development efforts. In September, multiple North Korea groups shifted their targeting towards Covid-19 researchers and pharmaceutical companies, including those based in South Korea. One campaign used URL shorteners and impersonated the target’s webmail portal in an attempt to harvest email credentials, Google said. In a separate campaign, attackers posed as recruiting professionals to lure targets into downloading malware, it added.