blog.sekoia.io
Open in
urlscan Pro
35.214.255.233
Public Scan
URL:
https://blog.sekoia.io/master-of-puppets-uncovering-the-doppelganger-pro-russian-influence-campaign/
Submission Tags: falconsandbox
Submission: On July 30 via api from US — Scanned from NL
Submission Tags: falconsandbox
Submission: On July 30 via api from US — Scanned from NL
Form analysis
2 forms found in the DOMName: loginform — POST https://blog.sekoia.io/wp-login.php
<form name="loginform" id="loginform" action="https://blog.sekoia.io/wp-login.php" method="post">
<p class="login-username">
<label for="user_login">Username or Email Address</label>
<input type="text" name="log" id="user_login" autocomplete="username" class="input" value="" size="20" placeholder="Your email or username...">
</p>
<p class="login-password">
<label for="user_pass">Password</label>
<input type="password" name="pwd" id="user_pass" autocomplete="current-password" spellcheck="false" class="input" value="" size="20" placeholder="Your password...">
</p>
<p class="login-remember"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever"><span class="notizia-checkbox-control"></span> Remember Me</label></p>
<p class="login-submit">
<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary notizia-button" value="Log In">
</p>
<div class="notizia-loader"></div>
<input type="hidden" name="redirect_to" value="https://blog.sekoia.io/master-of-puppets-uncovering-the-doppelganger-pro-russian-influence-campaign/">
<p></p>
</form>
GET https://blog.sekoia.io/
<form role="search" method="get" class="search-form" action="https://blog.sekoia.io/">
<label>
<span class="screen-reader-text">Search for</span>
<input type="search" class="search-field" placeholder="Search..." value="" name="s"><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
stroke-linejoin="round" class="feather feather-search notizia-custom-search">
<circle cx="11" cy="11" r="8"></circle>
<line x1="21" y1="21" x2="16.65" y2="16.65"></line>
</svg>
</label>
</form>
Text Content
We value your privacy We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. Customize Reject All Accept All Customize Consent Preferences We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below. The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... Show more NecessaryAlways Active Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data. * Cookie cookieyes-consent * Duration 1 year * Description CookieYes sets this cookie to remember users' consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about the site visitors. * Cookie __cf_bm * Duration 1 hour * Description This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. Functional Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features. * Cookie pll_language * Duration 1 year * Description Polylang sets this cookie to remember the language the user selects when returning to the website and get the language information when unavailable in another way. * Cookie li_gc * Duration 6 months * Description Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes. * Cookie lidc * Duration 1 day * Description LinkedIn sets the lidc cookie to facilitate data center selection. Analytics Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc. * Cookie _ga_* * Duration 1 year 1 month 4 days * Description Google Analytics sets this cookie to store and count page views. * Cookie _ga * Duration 1 year 1 month 4 days * Description Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. * Cookie _hjSessionUser_* * Duration 1 year * Description Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site. * Cookie _hjSession_* * Duration 1 hour * Description Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site. * Cookie _gid * Duration 1 day * Description Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously. * Cookie _gat_gtag_UA_* * Duration 1 minute * Description Google Analytics sets this cookie to store a unique user ID. * Cookie __hstc * Duration 6 months * Description Hubspot set this main cookie for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). * Cookie hubspotutk * Duration 6 months * Description HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts. * Cookie _gcl_au * Duration 3 months * Description Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services. * Cookie __hssrc * Duration session * Description This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session. * Cookie __hssc * Duration 1 hour * Description HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. * Cookie _mkto_trk * Duration 1 year 1 month 4 days * Description This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo. * Cookie _cfuvid * Duration session * Description Description is currently not available. Performance Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors. No cookies to display. Advertisement Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns. * Cookie li_sugr * Duration 3 months * Description LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant. * Cookie bcookie * Duration 1 year * Description LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs. * Cookie euid * Duration 13 years 7 months 1 day 16 hours * Description This cookie is set by the provider Emerse.This cookie is used to present the visitor with relevant content and advertisement. * Cookie IDE * Duration 1 year 24 days * Description Google DoubleClick IDE cookies store information about how the user uses the website to present them with relevant ads according to the user profile. * Cookie test_cookie * Duration past * Description doubleclick.net sets this cookie to determine if the user's browser supports cookies. Uncategorized Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet. No cookies to display. Reject All Save My Preferences Accept All Powered by LOG IN Whoops! You have to login to access the Reading Center functionalities! Username or Email Address Password Remember Me Forgot password? SEARCH THE SITE... Search for * All categories * Research & Threat Intelligence * Blogpost * Product News & Tutorials Reset * Categories * Research & Threat Intelligence * Product News & Tutorials * Discover Sekoia SOC platform * Interactive demo * Newsletter * English * English * Français * CategoriesToggle menu * Research & Threat Intelligence * Product News & Tutorials * Discover Sekoia SOC platform * Interactive demo * Newsletter * EnglishToggle menu * English * Français * UserToggle menu * Log in Log in Blogpost Research & Threat Intelligence MASTER OF PUPPETS: UNCOVERING THE DOPPELGÄNGER PRO-RUSSIAN INFLUENCE CAMPAIGN Influence Infrastructure Strategic Sekoia TDR, Coline Chavane, Amaury G. and Kilian Seznec May 21 2024 0 Read it later Remove 29 minutes reading This report was originally published for our customers on 14 May 2024. EXECUTIVE SUMMARY * The DoppelGänger campaign is an ongoing influence campaign, starting from May 2022 and attributed to the Structura National Technologies (Structura) and the Social Design Agency (SDA), which are two Russian entities. * The primary goal of DoppelGänger is to diminish support for Ukraine in the wake of Russian aggression and to foster divisions within nations backing Ukraine. It targets audiences in France, Germany, Ukraine, and the United States, but also in the United Kingdom, Lithuania, Switzerland, Slovakia, Israel and Italy. * The campaign is supported by a network with two categories of news websites: typosquatted legitimate media outlets and organisations, and independent news websites. * Disinformation articles are published on these websites and then disseminated and amplified via inauthentic social media accounts on several platforms, especially video-hosting ones like Instagram, TikTok, Cameo and Youtube. * Sekoia observed a correlation between the number of articles published per country and events like domestic protests, decisions on Ukraine military aid or Russian sanctions, and national budget voting periods. * The redirection process used in the DoppelGänger campaign is done using 3 stages of redirection. The first stage provides thumbnail metadata to the social network. The second stage downloads and executes an obfuscated JS script from the third stage and further leverages it to redirect the user to the disinformation article website. The third stage allows the attacker to monitor campaign effectiveness using Keitaro. * Sekoia analysts uncovered a new cluster linked to this campaign and monitored by a control panel. The panel intends to manage several disinformation websites in parallel. They publish mostly content in Russian, which points to a probable different objective from what was observed previously. Our hypothesis is that the Russian-agencies Structura and SDA steering the campaign are also in charge of Russian-speaking propaganda missions on behalf of Moscow. TABLE OF CONTENTS * Executive summary * Introduction * I. DoppelGänger campaign: Victims, Objectives and Relays * Victimology, objective, and attribution * Victimology: Western countries in the crosshairs * Objective: Weakening democracies * Attribution: Russian entities Structura and SDA * A network of news websites as a backbone * A network with two categories of websites * Websites employing specific targeting * Geographically Tailored Narratives: Evolution and Adaptation * Dissemination and amplification via inauthentic accounts on social media platforms * X/Twitter * Facebook * Video-hosting platforms: Instagram, TikTok, Cameo, Youtube * II. Active infrastructure: a multilayered mechanism * Stage 0 – Social Botnet * Stage 1 – Metadata and redirection * Stage 2 & 3 – Path to misinformation page * III. Behind the curtain of the DoppelGänger “parallel infrastructure” * Discovery of a global control panel * Uncovering new disinformation websites targeting Russia * Conclusion * Observables INTRODUCTION On the eve of 2024, an election year in which more than 54% of the world’s population will be called to the polls, the pro-Russian influence campaign DoppelGänger has been given special attention by Western democracies. This type of operation consists of intentionally spreading false or inaccurate information for malicious purposes. Investigations publicly released throughout 2023 have emphasised the scale of the DoppelGänger campaign, also called Recent Reliable News (RRN), and its ability to adapt to current events in the various target countries. In this report, Sekoia Threat Detection & Research (TDR) team analysed the relays of this campaign, its technical infrastructure and the narratives shared in order to understand the objectives of DoppelGänger and its capacity for disrupting democracies. We came to the conclusion that the infrastructure uncovered by VIGINUM and Recorded Future in 2023 are still relevant and active in April 2024. Additionally, we were able to identify a new cluster associated with this campaign, which has not been publicly documented. Although previous reports acknowledged the limited impact of this influence campaign relative to the resources invested. Indeed, no significant engagement from authentic users on social media posts and with disinformation articles was observed. However, through widespread repetition of specific narratives, disinformation has the potential to undermine confidence in the democratic process and exacerbate divisions within society. Therefore, the extended reach of disinformation content on social media platforms as well as recent electoral outcomes underscore the challenge of assessing the true impact of disinformation campaigns. I. DOPPELGÄNGER CAMPAIGN: VICTIMS, OBJECTIVES AND RELAYS The DoppelGänger campaign is an ongoing influence campaign, active since 2022 and attributed to Russia. An influence operation can be defined as an operation affecting the logical layer of cyberspace to shape attitudes, decisions and behaviours of a targeted audience. In the case of DoppelGänger, it leverages disinformation: “whereas misinformation refers to the accidental dissemination of inaccurate information, disinformation is not only inaccurate, but is primarily intended to mislead and is disseminated with the aim of causing serious harm”, according to the United Nations. The primary goal of DoppelGänger is to diminish support for Ukraine in the wake of Russian aggression and to foster divisions within nations backing Ukraine. It is part of a long history of cyber influence campaigns attributed to agencies related to the Russian government: InfoRos (2000-2014) documented by OpenFacto, Secondary Infektion (since 2014), uncovered by the Atlantic Council’s Digital Forensic Research Lab, DoppelGänger/RRN (since 2022), uncovered by Meta and first documented by T-Online and Süddeutsche Zeitung, and more recently, Portal Kombat (2023), uncovered by VIGINUM. Reports on DoppelGänger highlight its capability to target a wide range of countries with narratives customised to local issues. Leveraging resources from news websites to social media platforms, it also underscores the substantial investment by Russian agencies orchestrating this campaign. VICTIMOLOGY, OBJECTIVE, AND ATTRIBUTION VICTIMOLOGY: WESTERN COUNTRIES IN THE CROSSHAIRS DoppelGänger is an influence campaign targeting Western countries. Its primary focus is France, Germany, Ukraine, and the United States. Additionally, there have been targeted efforts toward audiences in the UK, Lithuania, Switzerland, Slovakia and Italy, but on a smaller scale. Since at least November 2023, Israel has also been subjected to disinformation narratives. The latter appear to be primarily aimed at undermining the United States due to their longstanding alliance with Tel Aviv, rather than specifically targeting Netanyahu’s government. OBJECTIVE: WEAKENING DEMOCRACIES The DoppelGänger campaign, also known as Recent Reliable News (RRN), utilises a variety of articles, videos, and caricatures in English, German, French, Hebrew, and Ukrainian to undermine support for Ukraine’s government. The promoted narratives aim firstly at sowing doubts among Western public opinion about helping Kyiv and sending military and financial support regarding the impact on their own living conditions. Secondly, the narratives try to erode confidence in institutions, amplifying criticism of the leaders/institutions/governments’ decisions. Finally, the campaign plays on political, societal, religious divisions to increase its impact and weaken solidarity and support among Western populations. ATTRIBUTION: RUSSIAN ENTITIES STRUCTURA AND SDA The DoppelGänger campaign has been attributed to two Russian entities by Meta in December 2022 and by VIGINUM in July 2023: Structura National Technologies (Structura) and the Social Design Agency (SDA). It culminated in both the EU and US Department of Treasury sanctioning the implicated Russian companies. A NETWORK OF NEWS WEBSITES AS A BACKBONE The DoppelGänger campaign is based on a network of news websites to spread disinformation articles. Articles are published on various types of websites, and then shared and amplified by inauthentic social media accounts to reach as wide an audience as possible. A NETWORK WITH TWO CATEGORIES OF WEBSITES This network of websites is compounded by typosquatted websites (Category 1 websites) – which mimic the URLs of legitimate websites to lure victims into accessing content they usually accesses on the Internet – and by news websites presenting themselves as independent (Category 2 websites). Within the first category, various legitimate websites have been typosquatted to enhance the credibility of purported narratives by associating them with trusted sources. Category 2 websites obtain legitimacy through their participatory and alternative nature compared to more conventional news sources often perceived as corrupted by conspiracy theorists. WEBSITES EMPLOYING SPECIFIC TARGETING This network of websites targets specific audiences based on various characteristics: * Nationality/Region-specific: the name of the websites is in the language of the targeted audience and/or refers to cultural aspects of the country or the region selected. Ex: ledialogue[.]fr, levinaigre[.]net, derbayerischelowe[.]info * Community-oriented: websites specifically dedicated to LGBTQ+, to the European Union, to conspirationists. Ex: mypride[.]press, spicyconspiracy[.]info, holylandherald[.]com * Political-themed: websites addressing immigration issues, to antiwar activists, liberals. Ex: acrosstheline[.]press, antiwar[.]com, electionwatch[.]live, theliberal[.]in * Sector-focused: websites focusing on health, culture, foreign affairs, intelligence, sport. Ex: lesifflet[.]net, la-sante[.]info, artichoc[.]io It highlights the relative sophistication of this campaign, which is based on a preliminary work of identifying key communities able to be receptive to specific contents to align with Russian objectives. CONSISTENT WITH THE THEORIES OF “FILTER BUBBLES” AND “ECHO CHAMBERS” This methodology echoes with the theory of “filter bubbles” and “echo chambers” of the Internet expert Eli Pariser. He described how online algorithms can limit individuals’ exposure to diverse viewpoints, creating isolated information environments where users primarily encounter content that aligns with their existing beliefs and preferences. Filter bubbles result from algorithms prioritising content based on user preferences, while echo chambers emerge when users engage with like-minded individuals and reinforce their beliefs through repeated exposure to similar viewpoints. Therefore, creating specific websites and narratives for determined audiences can serve malicious operators to enter more efficiently these “bubbles” or “chambers” on the Internet or to design more effective disinformation narratives based on readers’ beliefs and topics of interest. GEOGRAPHICALLY TAILORED NARRATIVES: EVOLUTION AND ADAPTATION In the DoppelGänger campaign, narratives are designed for specific audiences depending on their country of residence. Each article published by a website of the network is related to a campaign identifier compounded by the ISO 3166-1 alpha-2 country code of the target, the date (dd-mm) and the name of the publishing website. Sekoia analysts tracked articles related to France, Germany, the United States, Ukraine, and Italy from November 2023 to mid-April 2024. The chart below illustrates our monitoring, revealing a correlation between the number of articles published per country and events like domestic protests, decisions on Ukraine military aid or Russian sanctions, and national budget voting periods. This almost immediate connection with current events in Western countries allied with Ukraine has already been observed in activities related with pro-Russian groups conducting offensive cyber operations, such as NoName057(16). We noticed a decline in the number of articles published from mid-November 2023 to April 2024. This decline could be attributed to the release of reports on the DoppelGänger campaign between August and December 2023. These reports might have prompted malicious operators to shift to new infrastructure (Voice of Europe, News Front) or modify existing features, making it harder to track the campaign. A second observation is the variations in the countries’ targeting over time, especially since February 2024: * Germany was a major target in the second half of November, as well as in the first half of January. This can be explained by the fact that it corresponds to two major periods during which the German government was discussing its military efforts for its own defence and regarding Ukraine. Therefore, it is likely DoppelGänger was used upstream to mobilise the population in order to influence the decision. On 26 November 2023, the German Chancellor Olaf Scholz’s governing coalition approved doubling the country’s military aid for Ukraine to 8 billion euros in 2024. On 14 February 2024, the German Chancellor Olaf Scholz announced that the country will dedicate 2% of its GDP to its defence, which did not happen since the end of the Cold War. Germany was also preparing to host the Security Conference of Munich (16–18 February), and so discussed military support to Ukraine, which was then confirmed by the Luftwaffe listening scandal. * France has once again become a major target just after President Macron gave his speech on the 26th February at an international conference for the support of Ukraine. He called for an awakening of Kiev’s allies in order to defeat Russia and suggested that sending troops to Ukraine will not be excluded. After this peak, we observed a new decline of RRN articles with the FR campaign identifier. These findings confirm the main objective of the campaign, which is to undermine Ukraine’s support, and incidentally destabilise Western democracies at the eve of the European elections. It also demonstrates the ability of malicious operators to adapt their targeting depending on current events and political and military decisions. DISSEMINATION AND AMPLIFICATION VIA INAUTHENTIC ACCOUNTS ON SOCIAL MEDIA PLATFORMS The DoppelGänger network relies on social media to spread content, amplify user engagement, and also target journalists and fact-checkers. The dissemination process is described in the illustration below. The Section Active infrastructure: a multilayered mechanism goes into more technical details of this process. Social media platforms involved in DoppelGänger are numerous, which is a characteristic of this campaign. In this section, Sekoia analysed the role of each social media platform to understand their specificities. X/TWITTER On X (former Twitter), inauthentic social media accounts are created massively and in waves to spread disinformation content initially published on the DoppelGänger network of news websites. TDR analysts studied the waves of March 2023, December 2023 and March 2024. Accounts follow a pattern of a name followed by four to six random numbers, but the name doesn’t always match the language of publication. For example, the account “@ButzlaffF6068” uses a German name while posting in multiple languages, including Russian, English, German, and French. Among X’s inauthentic social media accounts, we identified two categories: ‘Posters‘, responsible for sharing DoppelGänger articles, and ‘Followers,’ who amplify these posts. Followers typically follow at least three verified accounts, often related to sports or music, likely to avoid detection by hosting platforms. FOCUS ON THE OPERATION MATRIOCHKA In January 2024, a sub-campaign of DoppelGänger was uncovered by AntiBot4Navalny, called the Operation Matriochka. This operation emphasises how X can be leveraged not only to spread disinformation articles from the DoppelGänger network, but also to challenge the credibility and limit the capacities of journalists and fact checkers to fight against disinformation. This operation involved targeting legitimate media outlets, journalists, and fact-checkers by commenting on X their posts, challenging their content, and sharing disinformation articles, prompting further investigation. The end goal of this sub-campaign is to grab the attention of journalists and fact checkers for investigations on news fabricated from scratch. The accounts involved in this sub-campaign can be divided into two groups: an initial tier of X accounts responsible for disseminating fabricated content, and a secondary group tasked with referencing this material when engaging with media outlets and fact-checkers. FACEBOOK Facebook is another social media platform used in the DoppelGänger campaign to share disinformation articles, but also to spread pro-Russian political ads. At the beginning of the campaign in May 2022, articles were shared via Facebook pages of Russian officials part of the international diplomatic network. From August 2022, according to DisinfoEU Labs, a more industrial strategy was used, relying on inauthentic accounts to amplify disinformation narratives. Contrary to X, inauthentic social media accounts on Facebook are used to share only one article and then are abandoned. This is referred to as “burner accounts”. DoppelGänger also relies on political ads to weaponize news events. It takes advantage of the fact that political ads are not declared as such on Facebook and Instagram, limiting the capacity of Meta to moderate such content. A 2024 report of AI Forensics claimed that despite the campaign being flagged, DoppelGänger remains particularly active and continues to increase its reach. Indeed, between August 2023 and March 2024, over 3,826 ads have been reaching 37,326 accounts in Germany and 138,590 in France. Source: No Embargo In Sight, Meta let’s pro-Russia propaganda ads flood the EU. AI Forensics Even if the reach of pro-Russian Facebook ads is increasing according to AI Forensics research, the engagement from authentic accounts remains low or non-existent. Nevertheless, it can still be considered as a potential threat for institutions and governments in critical contexts, such as electoral periods. VIDEO-HOSTING PLATFORMS: INSTAGRAM, TIKTOK, CAMEO, YOUTUBE In addition to X and Facebook, DoppelGänger relies on other social media, and especially on video-sharing platforms such as TikTok, Instagram, Youtube and Cameo. Indeed, DoppelGänger leveraged deep fakes, as well as round-table conferences and video reports to support disinformation narratives. On March 24, 2024, TDR analysts flagged a Youtube video entitled “INTEL Roundtable w/ Johnson & McGovern: Roundup on Ukraine and Gaza” published by “Judge Napolitano – Judging Freedom”, who has 324,000 subscriptions on the video-hosting platform. This content, featuring Judge Andrew Napoli, attempts to present expert analysis linking two conflicts to persuade audiences seeking credible information. The video mimics a television program’s professional production quality but exhibits clear pro-Russian bias, aiming to undermine Ukraine. It highlights a key characteristic of DoppelGänger, which is being a multi-platform operation, and also demonstrates the diversity and the quality of the shared content’s formats, even if the substance remains relatively undeveloped. II. ACTIVE INFRASTRUCTURE: A MULTILAYERED MECHANISM The infrastructure used in the DoppelGänger campaign is composed of multiple layers whose goal is to redirect the user to a final propaganda website. The redirection chain starts by a simple post or ad on social media where the target audience is present. This audience is caught with controversial topics and redirected to existent or newly created articles through a succession of techniques that are detailed below. The URLs related to the campaign’s infrastructure are listed in the Appendix. STAGE 0 – SOCIAL BOTNET The first layer of the infrastructure is composed of a population of bots on targeted social media which create intriguing posts inciting curious users to click on the given link. The post lures users by presenting polemical subjects, whether they are drawn from real facts, often amplified and distorted, or entirely created to fit a chosen speech. These subjects are shared in the form of simple posts on the X platform or via paid ads campaigns on Facebook and Instagram. These posts contain a link that uses the URL shortener provided by the platform to redirect to the first stage website. The redirection process of the respective social media users starts by a simple post on X, presenting a subject with a strong title. We can also find disinformation ads campaigns printed on Facebook and Instagram by looking on the Meta Ads library. STAGE 1 – METADATA AND REDIRECTION The link from social media posts leads to the URL shortener used by both social networks, a t.co page for X’s, and l.facebook.com for Meta’s network. It is typically used by the social networks to filter some URLs and warn the user if the website may be harmful, or to provide data about the number of people following a link. The URL shortener redirects to the stage 1 websites whose purpose is to provide the social platform with the information needed to produce an attractive thumbnail for users. The first stage website uses cheap domain names from uncommon TDLs such as .click, .online or .buzz. Sekoia analysts observed a few hundred of these domains, and a random subdomain is generated on one of them for every shared article. Most of these domains were created between March and October 2023 and are hosted on Russian-related AS and some bulletproof hosters. An example of stage 1 URL would be http://a8czwp[.]gituyahmainnya18[.]click/s8yrcy. These websites are also used to provide to the social media some metadata to create the post, including the thumbnail, which is hosted on telegra.ph (a publishing tool for Telegram posts). The interesting part in this page is the metadata contained in the header, used to provide to X the information about the page, title, description, and thumbnail, which is hosted on telegra.ph. This page redirects immediately to http://docnanb[.]com/holy9180238 and is generally not visible to users. It is interesting that this kind of page is filled with a Cyrillic text. In case the redirect may be slow or disabled, the page contains a JS script used to hide this text by changing the font colour to white. STAGE 2 & 3 – PATH TO MISINFORMATION PAGE The stage 2 domains are used to request the stage 3 domains which are at the centre of the whole infrastructure and perform the indicated redirection to the disinformation website. They are hosted on a few IP addresses (6 different IPs at the time of writing), all from the BL Network (BLNWX) AS, a hosting service allowing users to pay for hosting by using cryptocurrencies. The observed domains are all using the .com top level domain (TLD) and those using SSL encryption are associated with a Let’s Encrypt certificate. The URL path to the redirection page is composed of the first four letters of the destination website followed by seven numbers (e.g. http://arizztar[.]com/welt2337550) The http://docnanb[.]com/holy9180238 page is an example of stage 2 in the redirection process. It takes the form of a randomly generated page filled with a meaningless text. Screenshot from http://docnanb[.]com/holy918023 The code of the stage 2 pages is simple and ends with a base64 encoded and lightly obfuscated script which is decoded and executed when the page is loaded into the user’s browser. The script creates a new script tag in the HTML page with a src attribute, allowing it to get its content from a specific URL. Since November 2023, we only observed three domains hosting the downloaded Javascript allowing the redirection: ggspace[.]space, sdgqaef[.]site, and greatroomservice[.]info. These domains are protected by Cloudflare. Several reports on the DoppelGänger campaign have referenced the two initial domains. As of the time of writing, these domains remain active, suggesting that the campaign operator persists in utilising the same infrastructure. As we could not link every found article to a stage 3 domain, it is probable that other domains exist. The script from the stage 2 website requests one of these stage 3 domains and sends multiple information including a campaign ID: https://sdgqaef[.]site/US-13-03_holylandherald. When requested with the right campaign ID, these servers will respond with an obfuscated script leading to the disinformation website. The downloaded script from one of these stage 3 domains is obfuscated and is used to dynamically create the redirection by rewriting the page. return ( document.open(), document.write("<html><head>"), document.write('<meta name="referrer" content="never" />'), document.write('<meta http-equiv="refresh" content="0;url=' + e + '" />'), document.write("</head></html>"), void document.close() ); Result: <head> <meta name="referrer" content="never"> <meta http-equiv="refresh" content="0;url=https://holylandherald.com/axis-of-resistance-or-evil/"> </head> <body></body> It is worth noting that the infrastructure described in reports from November 2023 onwards is still in use, even if other servers have been added to the arsenal. It indicates that the threat actor does not fear a takedown from hosters or national authorities. Private takedown of social network botnets were performed by Meta and X, but they seem to be periodically regenerated. As mentioned by other reports, if you reach the /admin path of these stage 3 domains, you are welcomed by a login page corresponding to Keitaro’s one. Keitaro is a tracker designed for media buyers and publishers. It is highly likely that the attacker uses Keitaro to monitor the effectiveness of their campaign. It is probable that ggspace[.]space, sdgqaef[.]site, and greatroomservice[.]info uses Keitaro to measure the effectiveness of each campaign. III. BEHIND THE CURTAIN OF THE DOPPELGÄNGER “PARALLEL INFRASTRUCTURE” Although the DoppelGänger campaign has been documented in open sources, in particular by VIGINUM, DisinfoEU and TrendMicro, Sekoia analysts have identified a new cluster based on indicators published in previous articles. The newly identified cluster publishes content mostly in Russian, which points to a probable different objective from what was observed previously. Indeed, DoppelGänger has been mainly targeting Ukraine’s allies, rather than Russian-speaking audiences. Our hypothesis is that the Russian entities Structura and SDA steering the campaign are also in charge of Russian-speaking domestic propaganda missions on behalf of Moscow. Considering the various websites listed in the DoppelGänger campaign, it is worth mentioning that several of them have adopted a Content Distribution Network (CDN), specifically Cloudflare. This configuration has the effect of concealing the IPv4 address of the hosting server, thus limiting investigative capabilities to identify similar disinformation infrastructures. However, depending on the content management systems (CMS) used by websites, it is possible to exploit certain misconfigured native functions to reveal the IPv4 address of a website’s hosting. This applies in particular to the newsroad[.]online website. Screenshot of newsroad[.]online home page Since 6 April 2022, the newsroad[.]online website has provided a parallel infrastructure to DoppleGänger, bringing together articles in French, Italian, German, English and Spanish. Further details of how it works are given in the VIGINUM article, including an explanation of typosquatted media that redirect to real, legitimate journalistic sites. The newsroad[.]online site is running under WordPress version 6.5.2, and its IPv4 address corresponds to a Cloudflare CDN. In the source code of the HTML page, there is a file called xmlrpc.php. This file facilitates remote communication with a WordPress site (similar to an API) and is activated by default, requiring certain rights to be modified. Inadequate configuration of this file is common, potentially allowing this entry point to the website to be requested. This is the case for this website, which has a method called pingback.ping, and which allows you to receive a ping from the site. By setting up a system with an online webhook, the real IP address of newsroad[.]online is confirmed to be 178.62.255[.]247. DISCOVERY OF A GLOBAL CONTROL PANEL As of 22 April 2024, the address 178.62.255[.]247 hosts on port 8080 a Traefik interface, an HTTP reverse proxy, and load balancer that makes deploying microservices easily. This tool is available in open source on GitHub. It seems that this control panel is intended to manage several disinformation websites in parallel, and therefore set up and maintained by the creators of the DoppelGänger campaign. Access to the interface is direct and requires no authentication. Screenshot of http://178.62.255[.]247:8080/dashboard/ page On the “Providers” tab, this interface manages several domain names, including newsroad[.]online. The full list of managed websites is summarised in Appendix: Websites referenced in Traefik interface. Another tab is available in the interface, entitled “Health”. This tab provides a page showing various statistics relating to the current state of the server. Screenshot of http://178.62.255.247:8080/dashboard/status page This dashboard provides an overview of the server’s response time to requests. The “Total Status Code Count” graph, which illustrates the audience of the websites managed, reveals that since it went live, the number of consultations has exceeded 26 million, indicating a level of proliferation considered to be high. This number seems consistent with the reach of the DoppelGänger campaign on social media. For instance, AI Forensics found that between August 2023 and March 2024, pro-Russian political ads linked to DoppelGänger reached over 38 million accounts in France and Germany. In addition, a table is presented listing all the logs classified under the “error” indicator. This feature enables real-time observation of interactions with all the websites listed in the “Providers” tab. This functionality is essential for monitoring performance and identifying potential malfunctions within the managed network. The URL /health provides access to the same data as that available via the /dashboard/status interface, but presented in a structured JSON format. Since this data is accessible via an API returning a response structured format, it is possible to develop a script designed to be executed over several hours to compile an overview of the logs. Analysis of this data revealed that certain articles, which no longer exist, are still being requested (for example /vysokie-tehnologii/kto-poluchit-hyperos-v-yanvare-nazvany-xiaomi-redmi-i-poco/), suggesting the existence of still active links shared on social networks and likely to be clicked on by users. In addition, an IPv4 address, 206.189.243[.]184, which does not appear among the interface elements on Traefik, was identified. This IP address broadcasts the same content as 178.62.255[.]247, suggesting that it could function as a redundancy solution. As a result, the same script was run to try to discover new data in the logs, but no difference was found. UNCOVERING NEW DISINFORMATION WEBSITES TARGETING RUSSIA An analysis of websites that share the same “Route Rule” for Traefik frontends and backends as newsroad[.]online reveals that they use similar container structures, although the disseminated content differs. This observation highlights a uniformity in the architecture of these sites, while allowing for diversity in the information presented. Screenshot of the 178.62.255[.]247 interface “Provider” tab In this way, it is fairly easy to administer these different websites from a technical point of view. WebsiteYandex Metrika counterCreation datenewsroad[.]online882897472022-04-06newsbd[.]ru2022-03-18nnewws[.]ru2022-03-10lastminutenews[.]ru2022-03-10eventality[.]ru2022-03-10myfreshnews[.]ru2021-07-12edurustoday[.]ru2020-05-13 According to VIGINUM, these websites were operational during the period of “increased manoeuvring” identified as June to September 2022. In addition, for sites such as eventality[.]ru and lastminutesnews[.]ru, we note the use of urlbox[.]online at the second level, which is used to generate shortened URLs redirecting to legitimate journalistic sites. ANALYSING SECOND LEVEL REDIRECTION The urlbox[.]online URLs contain a campaign identifier (campaign ID), as it was the case in the request of stage-2 to stage-3 websites described in Section II: Active Infrastructure: a multi-layer mechanism. Sekoia analysts identified four campaign IDs written in Russian: “Prez”, which redirects to articles about the 2024 Russian presidential election, “Protch”, which redirects to articles about Russian regions, “Mat”, which redirects to articles about “Russkiy Mir”, i.e. Russian values and identity, and “LDNR”, which redirects to articles about the Donetsk People’s Republic (DPR) and the Luhansk People’s Republic (LPR). It enables Sekoia to assess that this cluster is dedicated to Russian-speaking propaganda missions, differing from what was previously observed. A detailed analysis of the content of these websites is presented in the table below: Although these sites date back to a period of activity in 2022, they are continually updated and are still publishing content in 2024. This consistency of updating leads Sekoia analysts to conclude with a high level of confidence that this campaign is still active, and believe that Russian disinformation platforms actively maintain and develop internal narratives in order to continue to engage the Russian population, while countering narratives opposed to the war. This necessity is part of the management of public opinion in the face of geopolitical developments likely to influence the perception of the conflict. This strategy aims to preserve cohesion and support within the Russian society in the face of external influences that could undermine the government’s official position. COMPARISON WITH PORTAL KOMBAT, AND THE “-NEWS[.]RU” ECOSYSTEM This cluster targets Russian-speaking audiences in Russia and in Ukraine, as demonstrated by the campaign IDs. Therefore, Sekoia analysts searched for potential overlaps with Portal Kombat, which is an influence campaign attributed to Russia. Documented by VIGINUM in February 2022, Portal Kombat also targets Russian-speaking audiences, leveraging the “-news[.]ru” ecosystem. Similarities arise, such as the targeted audience, the redirection to articles written by Russian news outlets agencies, such as Lenta.ru, and the content of websites, which varies from websites sharing political content and others redirecting almost exclusively to non-political articles. Despite these common points, technical investigations did not enable Sekoia to link the two infrastructures together. The shared favicon is different from the cluster uncovered by Sekoia, as well as the IPv4 range of “-news[.]ru” (78.21.15.0/24), which differs, leading therefore to a distinct autonomous system (AS 49352). Therefore, Sekoia assesses this new DoppelGänger cluster and Portal Kombat are two ongoing, simultaneous yet distinct, Russian influence campaigns with constantly active infrastructures. However, there is no evident overlap between those two, meaning it might be conducted by different operators in parallel. CONCLUSION The DoppelGänger influence campaign attributed to Structura and SDA, two Russian entities, is characteristic by its large scale, its multi-platform nature, as well as its capacity to adapt its narratives to different countries and the current news. Following reports published in 2023 about this disinformation campaign by VIGINUM and Recorded Future, Sekoia analysts were able to confirm that the technical infrastructure of the campaign is still active and that it is related to a previously unreported cluster, managing news websites redirecting towards Russian news outlets. This is consistent with the fact that Structura and SDA are also likely to conduct Russian-speaking campaigns for the Russian government. Regarding infrastructure uncovered in previous reports, we observed several hundreds of domain names and websites associated with the DoppelGänger infrastructure but it’s very likely that part of the infrastructure, notably the one linked to disinformation campaigns on Facebook, remains to be discovered. At this stage of our investigation, it constitutes a limitation of our monitoring regarding the campaign evolution over time. However, Sekoia analysts assess it is likely the DoppelGänger campaign will remain largely active for several months, or even years to come. Indeed, while it was uncovered as early as May 2022 and investigation reports illuminating its technical infrastructure were released, the campaign is still active in numerous countries. AI Forensics assessed in a 2024 report that the reach of Facebook’s political ads linked to DoppelGänger since their investigation from August 2023 to March 2024 has even increased by five to ten times over time. The persistence of pro-Russian influence campaigns is likely due to social media platforms failing to efficiently enforce their regulatory policies. But it can also be related to institutions, which are slow to adopt measures following the publication of investigation reports. Even if the impact of disinformation campaigns is difficult to assess, the increasing sophistication of DoppelGänger is certain. It is demonstrated by the expansion of the campaign to new platforms, especially video-sharing ones like TikTok and Instagram, which was coupled with the use of deepfakes. Contents also appear increasingly professional, mimicking graphic charter of conventional media, or making fake round tables of experts on Youtube. Even if the substance of the narratives remains easily associated with Russian propaganda in most of the cases, an IPSOS survey in France revealed 66% of those questioned believe in at least one piece of fake news presented to them. The recent electoral outcome in Slovakia also questioned the current impact of pro-Russian influence campaigns in shaping public opinions, especially in electoral periods. The Digital Service Act (DSA) implemented in November 2023 and the Commission guidelines to assist Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) in mitigating risks like election integrity may play a role in urging platforms to prevent the spread of disinformation and also support civil society and government agencies’ efforts in protecting the democratic process. Thank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications by clicking here. You can also contact us at tdr[at]sekoia.io for further discussions. OBSERVABLES The list of Observables are available on Sekoia GitHub repository. Thank you for reading this blogpost. We welcome any reaction, feedback or critics about this analysis. Please contact us on tdr[at]sekoia.io. * Following NoName057(16) DDoSia Project’s Targets * Unveiling of a large resilient infrastructure distributing information stealers * Adversary infrastructures tracked in 2023 * The Predator spyware ecosystem is not dead * Overview of the Russian-speaking infostealer ecosystem: the distribution Share Share this post: WHAT'S NEXT INTRODUCING SEKOIA TDR This time, we’re not revealing a new cyber threat investigation or analysis, but I want to share some insights... Nicolas Caproni PIKABOT: A GUIDE TO ITS DEEP SECRETS AND OPERATIONS This blog post provides an in-depth analysis of PikaBot, focusing on its anti-analysis techniques implemented in the different malware... Pierre Le Bourhis, Quentin Bourgue and Sekoia TDR COMBINING SEKOIA INTELLIGENCE AND OPENCTI The Filigran x Sekoia.io partnership announcement is an opportunity to put the spotlight back on the benefits of the integration between... Arnaud Dechoux and SEKOIA.IO COMMENTS ARE CLOSED. TRENDING TOPICS SOC DETECTION ENGINEERING STEALER * APT * Cyber Threat Intelligence * Cybercrime * Detection * Infostealer * Malware * Ransomware * XDR * Discover Sekoia SOC platform * Stay tuned