This report analyzes Doppelgänger information operations conducted by Russian actors, focusing on impersonation of news websites to spread disinformation on social networks, especially during France’s June 2024 snap election. It details the operational infrastructure, redirection chains, target audiences, and political implications, underscoring the ongoing threat to Western democracies and the need for countermeasures and international cooperation. #Doppelgänger #RussianActors #XTwitter #FranceSnapElection #KeitaroTracker #CopyCop
Keypoints
- Doppelgänger operations manipulate public opinion via social networks to advance Russian interests in Europe and the United States.
- Impersonation of popular news websites is a core tactic used to disseminate disinformation.
- The report centers on activities surrounding France’s June 2024 snap election.
- Approximately 800 bot accounts post links to first-level redirectors and amplify disinformation.
- Disinformation flows through obfuscated redirection chains, including 1st and 2nd level redirectors and a Tracker, to final content.
- Content analysis indicates a bias toward conservative and nationalist viewpoints, with some crossovers into left-libertarian narratives, aiming to destabilize Western democracies.
- Doppelgänger amplifies content from other campaigns (e.g., CopyCop) and employs interconnected infrastructure, underscoring the need for robust countermeasures and international cooperation.
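The obfuscated redirection chain in the keypoints above is easiest to triage by following each Location header manually instead of letting an HTTP client auto-follow, so that every intermediate host is recorded. The Python below is an added example, not code from the report or from Harfang Lab: it replays a constructed chain offline (the .example hostnames are hypothetical; the IP addresses and role labels are taken from the Indicators of Compromise list below) and labels each hop by its role.

```python
from collections import namedtuple
from urllib.parse import urljoin, urlparse

# Role per resolved IP, taken from the IoC list in this summary.
ROLE_BY_IP = {
    "168.100.9.238": "1st-level redirector",
    "206.188.197.116": "2nd-level redirector",
    "45.87.41.37": "tracker",
    "111.90.146.198": "fabricated site",
}
REDIRECTS = (301, 302, 303, 307, 308)
Hop = namedtuple("Hop", "url status ip role")

def unroll(start_url, fetch, resolve, max_hops=10):
    """Follow Location headers one hop at a time (no auto-follow) so every
    intermediate host is recorded. Stops on a non-redirect, a loop, or max_hops."""
    hops, url, seen = [], start_url, set()
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, location = fetch(url)       # fetch must NOT follow redirects itself
        ip = resolve(urlparse(url).hostname)
        hops.append(Hop(url, status, ip, ROLE_BY_IP.get(ip, "unknown")))
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)         # Location may be relative
    return hops

# Constructed offline replay of a chain: *.example hosts are hypothetical, the
# IPs are the report's. For live triage, swap in a real HTTP client with
# redirects disabled and a DNS lookup, run from an isolated analysis host.
FAKE_RESPONSES = {
    "https://hop1.example/x": (302, "https://hop2.example/r?id=1"),
    "https://hop2.example/r?id=1": (302, "https://tracker.example/go"),
    "https://tracker.example/go": (302, "/out/7"),
    "https://tracker.example/out/7": (301, "https://fake-news.example/article"),
    "https://fake-news.example/article": (200, None),
}
FAKE_DNS = {"hop1.example": "168.100.9.238", "hop2.example": "206.188.197.116",
            "tracker.example": "45.87.41.37", "fake-news.example": "111.90.146.198"}

def replay_chain(start_url="https://hop1.example/x"):
    """Unroll the constructed chain and return (host, status, role) per hop."""
    hops = unroll(start_url, FAKE_RESPONSES.__getitem__, lambda h: FAKE_DNS.get(h, "?"))
    return [(urlparse(h.url).hostname, h.status, h.role) for h in hops]

if __name__ == "__main__":
    for host, status, role in replay_chain():
        print(f"{status} {host:24} {role}")
```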
MITRE Techniques
- [T1086] Impersonation – “Actors impersonate legitimate news websites to spread disinformation.”
- [T1491] Social Media Manipulation – “Utilization of social media platforms like X/Twitter for disseminating fake news.”
- [T1071] Bot Networks – “Deployment of bot accounts to amplify disinformation and manipulate public perception.”
- [T1070] Obfuscated Infrastructure – “Use of complex redirection chains to obscure the source of disinformation.”
- [T1400] Content Manipulation – “Creation of fabricated news websites and content to mislead audiences.”
Indicators of Compromise
- [IP Address] 1st level redirectors – 168.100.9.238, 77.105.135.48, and 185.172.128.161
- [IP Address] 2nd level redirectors – 206.188.197.116, 64.190.113.45, 195.85.115.36, 195.2.73.149
- [IP Address] Tracker/hosting after Cloudflare – 45.87.41.37, 65.108.158.243
- [IP Address] Doppelgänger-fabricated website hosting (after Cloudflare) – 111.90.146.198, 101.99.90.184, 101.99.90.165
- [IP Address] CopyCop-fabricated website hosting (after Cloudflare) – 95.165.66.27
- [Domain] 1st level redirector domains – gatoogeef[.]info, cheekss[.]click
- [Domain] Suspicious/fabricated domains – closermag[.]eu, conspiracywatch[.]in
- [URL] Final content URLs – hxxps://acrosstheline[.]press/escaping-from-war/biden-prioritizes-ukraine-over-u-s-border-security, hxxps://allons-y[.]social/bardella-menaces-de-recuperer-les-milliards-pilles-par-l-ue/
- [IP Address] Suspicious IP for CopyCop-related hosting – 46.138.250[.]248
Read more: https://harfanglab.io/insidethelab/doppelganger-operations-europe-us/