Note: I have no special visibility into the Nauru leaks. All of the information I have used in this analysis is publicly available, and a list of references is at the end of the post.
TL;DR
- Law changes in Australia and NZ have affected Chinese influence operations.
- Russian successes (at least perceived successes) have provided the CCP with a viable alternative.
- We have begun to see evidence of this shift in practice in the ANZ region during the 2022 Australian election.
Nauru Leaks
Background
Chinese influence operations have been fairly transparent, and work by people like Clive Hamilton and Anne-Marie Brady has brought this activity into the public consciousness. This has led to increased media attention and law changes in ANZ curbing some of the most egregious activity. For example, as media coverage increased, MPs Raymond Huo & Jian Yang were simultaneously and quietly withdrawn from the Labour and National parties in NZ.
Problem solved right? Maybe not.
Two bears, one cosy and one fancy, swung the 2016 US election, should you believe the hype. The Russian interference in the US 2016 election showed that hack and leak operations were a viable alternative to more direct methods. These capabilities take time to develop and mature; keeping that in mind, let’s fast forward to 2022 and some questionable “leaks”.
This type of subversive activity is commonly referred to as “Active Measures”, a term that originated in the Soviet Intelligence machine - активные мероприятия. If you would like to delve deeper, I can’t recommend Thomas Rid’s book Active Measures enough.
A couple of news stories dropped via leaks at inopportune times for the Australian Liberal party. The first was a leaked draft security agreement between China and the Solomon Islands that appeared online on March 24th, less than 2 months out from the election. The second was a leak of emails from the Nauru Police, where Australia has an offshore processing centre for asylum seekers, on May 2nd, less than 3 weeks before the election. The timing, content, and other contextual details point to these leaks not being organic. Accepting the premise that the leaks were not organic but were the product of an intelligence service, then looking for an explanation based on capability and motive, we can quickly narrow the potential source to China.
But there is bipartisan opposition to Chinese interference!
Yes, however, the Morrison government had been vocal critics of human rights abuses in Hong Kong and Xinjiang, called for a WTO investigation into the origin of COVID-19, and strengthened the AUKUS agreement, purchasing nuclear submarines capable of operating in the South China Sea. It would not be an exaggeration to say that bilateral relations between China and Australia were at their worst since the 1980s. Given this, I think it would be acceptable to assume that the CCP’s preferred winner of the 2022 election would be the Australian Labor Party.
I’m convinced! CCP interference swung the 2022 Australian Election!!
Not so fast. I think the material effect of these “leaks” was minimal at best. Scott Morrison was already a very unpopular politician (don’t look up what happened at the Engadine McDonalds 20/09/1997). The “leaks” were also unlikely to swing voters: anyone concerned with the offshore detention centre policy was unlikely to vote Liberal, and similarly voters with security in the Pacific as their top concern were unlikely to vote Labor. Also, while in other countries stirring up the base of a party could help drive voter turnout, voting in Australia is mandatory.
Then why should we care?
I believe this is just the beginning, and as this capability develops Chinese active measures will become more sophisticated and more successful. We are closing in on an election in NZ, likely September-December 2023, and need to be on the lookout for Chinese election interference that is less overt than what we are used to.
New Zealand may also be more susceptible to this type of interference than Australia. Unlike Australia, voting in NZ is not mandatory, and in NZ the minor parties are far more influential and can play the role of King Maker, as Winston Peters’ NZ First party did in the 2017 election.
But who did it!?
As stated above, I think the only actor with both the capability and motive is the Chinese Communist Party. In particular, this activity is consistent with the “Three warfares” (public opinion, psychological, and legal warfare) activities undertaken by the PLA’s Strategic Support Force, perhaps by the “Base 311” (PLA Unit 61716) actor identified in the Chinese Influence Operations paper by Paul Charon & Jean-Baptiste Jeangene Vilmer.
That said, without ASIO or the AFP releasing a statement and/or technical indicators, attribution is going to be speculative.
Leak analysis
This is a work in progress and I will expand this as time allows. Last updated 03/12.
Below I will analyse the statement released with the Nauru Police Force email leak which can be read here. The aim of this analysis isn’t to attempt to identify the responsible party but to attempt to determine if it is an authentic activist leak or if that was a cover story.
Timeline:
- Staging begins: 29/04/22 01:20 (UTC)
  - Based on the earliest timestamp seen on the .eml files converted from NRT to UTC.
- Staging completed: 01/05/22 20:36 (UTC)
  - Based on the latest timestamp seen on the .eml files converted from NRT to UTC.
- Torrent file created: 02/05/22 09:05 (UTC)
  - From “npf.gov.nr” torrent file: creation datei1651482339e4
- Leak posted by Enlace Hacktivista: 02/05/22 11:29 (UTC)
  - Based on revision history on their leak site.
The timeline above is based on timestamps from the leaked files and indicates a decent amount of dwell time as well as patience from the actor. I don’t believe this is consistent with the behaviour of an amateur hacktivist but rather an experienced actor who wants to remain hidden.
In contrast to the time spent staging, the time to leak after staging was completed is very short, with little time for the actor to analyse the content. In the case of a hacktivist leak, it would be expected for the actor to read through the data to find the most impactful information in order to highlight it so they can maximise the impact.
Also potentially of note, the staging start time and torrent file creation both occurred during standard 9-9-6 work hours for the CST time zone. But given the sample size this shouldn’t be given much weight.
Plagiarised Content
After stripping back the note to its core content, removing the references, ASCII art, etc., there are 753 words left. The last section of the note is the poem ‘We are refugees’ written by Kokulan, a Sri Lankan refugee, which can be read here. I will exclude it from the analysis here as I feel it is unfair to consider it due to it obviously being separate from the core of the statement, even though the author is unattributed.
That leaves 589 words, of which 438 are directly copied or copied with minor alterations from 2 sources: an Amnesty International report titled ‘Island of Despair’ and the Wikipedia page Nauru Regional Processing Centre. With 74% of the content being plagiarised, only the demands and the brief paragraphs on intent immediately preceding it are original.
I don’t believe a primarily plagiarised statement like this is congruent with a hacktivist leak. I would expect a longer note with mostly original content to accompany a hacktivist leak. Keep in mind this is an issue the activist cares about enough to go to the effort of hacking the target and also potentially risk arrest.
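One way to measure how much of a statement is copied, as an added example that is not the method used for the figures in this post: count the note's words that fall inside a 5-word run also present in a candidate source. The texts below are constructed samples, and the run length of 5 is an assumption. A word the copier changed is not counted, so the result is a lower bound.

```python
import re

def words(text):
    """Lowercase word tokens, so punctuation and case changes do not hide copying."""
    return re.findall(r"[a-z0-9']+", text.lower())

def copied_coverage(note, sources, n=5):
    """Return (copied_words, total_words): words of the note that sit inside
    an n-word run which also appears in at least one source."""
    note_w = words(note)
    seen = set()
    for src in sources:
        w = words(src)
        seen.update(tuple(w[i:i + n]) for i in range(len(w) - n + 1))
    covered = [False] * len(note_w)
    for i in range(len(note_w) - n + 1):
        if tuple(note_w[i:i + n]) in seen:
            covered[i:i + n] = [True] * n      # mark every word of the shared run
    return sum(covered), len(note_w)

# Constructed sample texts (not quotes from the leak statement or its sources).
SOURCE = ("People held at the centre described long delays and poor "
          "conditions in the tents where they lived.")
NOTE = ("We publish these emails because people held at the centre described "
        "long delays and poor conditions. We demand that the centre be closed.")

if __name__ == "__main__":
    copied, total = copied_coverage(NOTE, [SOURCE])
    print(f"{copied}/{total} words copied ({copied / total:.0%})")
```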
Textual Clues
One minor misspelling caught my eye as soon as I read the statement. In paragraph 2 the author of the statement uses the American spelling for the word liveable, spelling it “livable”. This is inconsistent with the rest of the note, which uses British spelling both in the copied content and in the original content, for example the spelling of centre in the author’s demands.
This could point to there being multiple authors, or a non-native English speaking author.
Also of note, the author has started their references from 0 and not 1. None of the other leak release statements posted to Enlace Hacktivista start their references from 0. I haven’t found a particular style or country/language where this is the practice but if you are aware of one let me know.
Torrent File
The torrent file was created using a command line utility, mktorrent. I would expect a hacktivist actor to be more likely to use a GUI client like Deluge or uTorrent; however, I haven’t had time to review other leak torrent files yet to see if this is abnormal.
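A .torrent file is bencoded, and its optional "creation date" and "created by" keys are what a timeline entry or a tool identification like the ones above rests on. The following is an added example, not code from this post: a small decoder run over a constructed sample that reuses the timestamp and name quoted in the timeline, with an assumed "created by" value.

```python
from datetime import datetime, timezone

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                          # list l...e / dict d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":               # truncated input raises below
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        if start + n > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + n], start + n
    raise ValueError(f"invalid bencode at offset {i}")

def torrent_provenance(raw):
    """Creation time (UTC), creating tool and name recorded in a .torrent."""
    meta, _ = bdecode(raw)
    if not isinstance(meta, dict):
        raise ValueError("torrent metainfo must be a dictionary")
    ts = meta.get(b"creation date")
    tool = meta.get(b"created by")                 # optional key, may be absent
    name = meta.get(b"info", {}).get(b"name", b"")
    return {
        "created_utc": datetime.fromtimestamp(ts, tz=timezone.utc) if ts is not None else None,
        "created_by": tool.decode("utf-8", "replace") if tool is not None else None,
        "name": name.decode("utf-8", "replace"),
    }

def hours_between(earlier, later):
    return round((later - earlier).total_seconds() / 3600, 2)

# Constructed sample: timestamp and name as quoted in the post; "created by" assumed.
SAMPLE = (b"d10:created by13:mktorrent 1.1"
          b"13:creation datei1651482339e"
          b"4:infod4:name10:npf.gov.nree")

if __name__ == "__main__":
    p = torrent_provenance(SAMPLE)
    staged = datetime(2022, 5, 1, 20, 36, tzinfo=timezone.utc)  # "Staging completed"
    print(p, hours_between(staged, p["created_utc"]))
```

The trailing 4 in the excerpt quoted in the timeline is the length prefix of the next bencoded key, not part of the timestamp.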
The pages clogging up my browser (references)
Chinese Influence Operations: A Machiavellian Moment - Paul Charon & Jean-Baptiste Jeangene Vilmer
HomeAffairs.gov.au - Countering foreign interference
The Guardian - The deal that shocked the world: inside the China-Solomons security pact
ASPI - Chinese state media working to undermine Australia in Solomon Islands
APH.gov.au - Foreign interference—neither new nor limited to China