The Russia-linked influence operation called Doppelganger has targeted Ukrainian, U.S., and German audiences through a combination of inauthentic news sites and social media accounts.
These campaigns are designed to amplify content designed to undermine Ukraine as well as propagate anti-LGBTQ+ sentiment, U.S. military competence, and Germany’s economic and social issues, according to a new report shared with The Hacker News.
Doppelganger, described by Meta as the “largest and the most aggressively-persistent Russian-origin operation,” is a pro-Russian network known for spreading anti-Ukrainian propaganda. Active since at least February 2022, it has been linked to two companies named Structura National Technologies and Social Design Agency.
Activities associated with the influence operation are known to leverage manufactured websites as well as those impersonating authentic media – a technique called brandjacking – to disseminate adversarial narratives.
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.
The latest campaigns are also characterized by the use of advanced obfuscation techniques, including “manipulating social media thumbnails and strategic first and second-stage website redirects to evade detection, and the likely use of generative artificial intelligence (AI) to create inauthentic news articles,” the cybersecurity firm said.
The findings demonstrate Doppelgänger’s evolving tactics and throw light on the use of AI for information warfare and to produce scalable influence content.
The campaign targeting Ukraine is said to consist of more than 800 social media accounts, in addition to banking on first and second-stage domains to conceal the true destination. Some of these links also use the Keitaro Traffic Distribution System (TDS) to assess the overall success and effectiveness of the campaign.
One of the notable aspects of the U.S. and German campaigns is the use of inauthentic media outlets such as Election Watch, MyPride, Warfare Insider, Besuchszweck, Grenzezank, and Haüyne Scherben that publish malign content as original news and opinion outlets.
“Doppelgänger exemplifies the enduring, scalable, and adaptable nature of Russian information warfare, demonstrating strategic patience aimed at gradually shifting public opinion and behavior,” Recorded Future said.
It’s worth pointing out that Meta, in its quarterly Adversarial Threat Report published last week, said it also found a new cluster of websites linked to Doppelganger that are geared towards U.S. and European political affairs, such as migration and border security.
“Their latest web content appears to have been copy-pasted from mainstream U.S. news outlets and altered to question U.S. democracy and promote conspiratorial themes,” Meta said, highlighting Election Watch as one of the U.S.-focused sites.
“Soon after the Hamas terrorist attack in Israel [in October 2023], we saw these websites begin posting about the crisis in the Middle East as a proof of American decline; and at least one website claimed Ukraine supplied Hamas with weapons.”
Meta also said it took steps to disrupt three separate covert influence operations – two from China and one from Russia – during the third quarter of 2023 that leveraged fictitious personas and media brands to target audiences in India and the U.S., and share content about Russia’s invasion of Ukraine.
It, however, noted that proactive threat sharing by the federal government in the U.S. related to foreign election interference has been paused since July 2023, cutting off a key source of information that could be valuable to disrupt malicious foreign campaigns by sophisticated threat actors.