Doppelgänger | Russia-Aligned Influence Operation Targets Germany
2024-2-22 21:55:20 Author: www.sentinelone.com(查看原文) 阅读量:14 收藏

Executive Summary

  • SentinelLabs and ClearSky Cyber Security have been tracking the activities of a suspected Russia-aligned influence operation network named Doppelgänger.
  • We observed Doppelgänger intensively targeting German audiences, coinciding with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
  • The network spreads propaganda and disinformation through news articles focused on current socio-economic and geopolitical topics relevant to the general population.
  • Doppelgänger disseminates content criticizing the ruling government coalition and its support for Ukraine, likely aiming to influence public opinion before the upcoming elections in Germany.
  • Doppelgänger leverages a substantial network of X accounts, actively participating in coordinated activities to enhance visibility and engage audiences.

Overview

SentinelLabs and ClearSky Cyber Security have been tracking a propaganda and disinformation campaign since late November 2023, highly likely orchestrated by Doppelgänger, a suspected Russia-aligned influence operation network known for its persistent and aggressive tactics. Initially focusing on disseminating anti-Ukraine content following the onset of the Russo-Ukrainian conflict, Doppelgänger has since broadened its scope, targeting audiences in the US, Israel, Germany, and France.

We observed a significant emphasis by Doppelgänger on targeting German audiences. The network’s activities are characterized by consistent efforts to disseminate propaganda and disinformation content, particularly by exploiting current topics of geopolitical and socio-economic significance among the population. The majority of the content seizes every opportunity to criticize the ruling government coalition and its support for Ukraine.

With Doppelgänger activities intensifying in times of frequent political shifts in Germany, we suspect that the network’s goal is to erode support for the coalition in light of upcoming European Parliament, municipal, and federal state elections, culminating in federal government elections scheduled for 2025.

While we were documenting the Doppelgänger campaign, the German Ministry of Foreign Affairs and the prominent German media outlet Der Spiegel reported on overlapping activities, highlighting a growing concern about election interference.

In this post, we supplement existing reporting by providing additional technical indicators and insights into Doppelgänger’s tactics and disseminated content, with the ultimate goal of further heightening public awareness of this threat.

This report focuses on Doppelgänger activities targeting German audiences; a complementary report by Clearsky Cyber Security delves into the network’s targeting of Israel, the United States, and Ukraine. The activities we observed closely resemble and partially overlap with those previously reported by Recorded Future and Meta, indicating the persistent nature of Doppelgänger.

We observed Doppelgänger orchestrating the operation of a large coordinated network of X (formerly known as Twitter) accounts. These accounts propagate content from third-party websites whose content aligns with Doppelgänger propaganda goals, as well as from sites that Doppelgänger itself has created.

The majority of the X accounts we discovered as part of our investigation had not been deactivated at the time of writing. In an effort to maximize visibility and audience engagement, these accounts participate in coordinated activities, such as regularly posting and reposting content from highly popular profiles, as well as engaging with posts from other suspected Doppelgänger-managed accounts.

The posts from these accounts contain links that redirect visitors through two stages to the destination articles intended for consumption. These stages implement obfuscation and tracking techniques. Coupled with the carefully constructed infrastructure management practices we observed Doppelgänger implementing, this underscores the network’s determination to operate without interruptions while effectively tracking the performance of its influence operations.

Redirection Stages

The first-stage websites, which Doppelgänger distributes on X, use thumbnail images hosted at telegra[.]ph to obfuscate the website thumbnails and redirect to second-stage sites.

First-stage website
First-stage website

The second-stage websites contain text unrelated to the campaign and execute a JavaScript code obfuscated using Base64-encoding.

Second-stage website
Second-stage website

The JavaScript code samples we analyzed issue a request to ggspace[.]space (reported as part of previous Doppelgaenger campaigns) or sdgqaef[.]site. The request includes tracking information, which is likely a campaign identifier. These are in the format of [country]-[day]-[month]_[domain], where [domain] refers to the domain hosting the destination article (DE-02-01_deintelligenz for an article hosted at deintelligenz[.]com). The IOC table at the end of this post lists some of the campaign identifiers we observed.

Second-stage website: Deobfuscated JavaScript code
Second-stage website: Deobfuscated JavaScript code

In addition, the JavaScript code executed by second-stage websites dynamically loads another JavaScript code provided by ggspace[.]space or sdgqaef[.]site, which implements logic for generating web content that redirects to a destination article.

JavaScript code from sdgqaef[.]site

JavaScript code from sdgqaef[.]site
JavaScript code from sdgqaef[.]site

sdgqaef[.]site and ggspace[.]space host at the /admin URL path a login page, which has been assessed to be of the Keitaro Tracking System. Doppelgaenger possibly uses Keitaro to track the effectiveness of its campaigns.

Login page hosted at sdgqaef[.]site
Login page hosted at sdgqaef[.]site

Social Media Activities

Probably in an attempt to increase their visibility, some of the suspected Doppelgänger-managed X accounts we identified regularly post content, which does not necessarily contain first-stage websites, whereas others remain idle for relatively long time periods.


An active and idle suspected Doppelgänger account
An active and idle suspected Doppelgänger account

We observed accounts posting content linking to first-stage sites in multiple languages of the targeted audiences. Further, the Doppelgänger’s account network is probably attempting to increase the engagement metrics of posts that link to first-stage websites in a targeted manner through reposts and views. This becomes evident when these metrics are compared with the metrics of posts by the same accounts that do not link to first-stage websites.

Multi-language posts tailored to the targeted audiences
Multi-language posts tailored to the targeted audiences
Engagement metric discrepancies
Engagement metric discrepancies

We identified multiple clusters of suspected Doppelgänger-managed accounts which have joined the X platform within the same month. We observed a significant level of coordination in the activities of the accounts within the same cluster, suggesting centralized control. This includes reposting of the same content at almost the same time, typically that of highly popular profiles. In addition, engagement metrics of posts that link to first-stage sites by suspected Doppelgänger accounts within the same cluster often have very similar engagement metrics.


Coordinated activities
Coordinated activities
Engagement metric similarities
Engagement metric similarities

Our analysis of the engagement metrics for almost all the accounts we identified revealed a range of reposts between 700 and 2000, with a median value of 883, and a range of views between 613 and 14000, with a median value of 5000.

Propaganda and Disinformation Content

Doppelgänger has been very active in creating websites that host articles for consumption by targeted audiences through the previously described multi-stage approach. Among these sites, there are domains and websites impersonating third-party news outlets, which includes mimicking their design, structure, and domain names, such as welt[.]pm (inauthentic) vs. welt[.]de (authentic) and faz[.]ltd (inauthentic) vs. faz[.]net (authentic). We assess that the rest of the websites we observed have been created by Doppelgänger with original design and structure and no indications of impersonating established news platforms.

In most cases, we observed consistent and regular publishing of new content, with only occasional idle periods lasting a few days at most. Some of the content consists of a blend of materials sourced from other websites and translated into the languages of the targeted audiences.

A closer look at the custom-built websites indicates that Doppelgänger has been making a fast-paced effort to bring its websites online and start distributing content. For example, some sites include template text or exhibit errors in search functionalities. Furthermore, nearly all of these websites lack social media presence. They display icons of social media platforms that link to the domains of these platforms rather than specific profiles.

Template text (emphasis added)
Template text (emphasis added)

Many of the custom-built websites have been built and are managed using the WordPress content management system. We observed that some websites display status messages in Russian when users perform content searches and the activity fails with an error, indicating the use of Russian-language WordPress components.

Wordpress status message translates to “Search for”
WordPress status message translates to “Search for”

The majority of the articles Doppelgänger distributes have a strong anti-government narrative, especially in regard to the government’s support of Ukraine. The article snippets we present below are machine-translated from German into English.

An article at arbeitspause[.]org discusses a recent series of strikes by workers in the German public transport demanding better wages and better working conditions. The challenges relating to the state of workers in this sector, such as rising living costs due to inflation and shortage of workers, are a pressing concern in Germany that captures the attention of the broader population.

Article snippet from <i>arbeitspause[.]org</i>, referencing Scholz, the German chancellor (emphasis added)
Article snippet from arbeitspause[.]org, referencing Scholz, the German chancellor (emphasis added)

On a similar note, another article at arbeitspause[.]org focuses on the recent strikes by German farmers, which involved the blockade of major roads and were motivated by rising living costs and the government’s plan to phase out agricultural subsidies. Overlapping at times with the strikes in the public transport sectors, the farmers’ strikes have been disrupting mobility and therefore garnered the attention of the population and mass media. Doppelgänger has attempted to capitalize on the momentum by criticizing the government’s plan regarding agricultural subsidies, drawing a connection to the government’s support for Ukraine.

Article snippet from arbeitspause[.]org
Article snippet from arbeitspause[.]org

An article at derglaube[.]com focuses on the German immigration policy, which, according to some polls, ranks among the top issues for voters in Germany. In addition, the media frequently covers topics relating to the government’s allocation of funds for immigration-related programs and services. Consistent with typical Doppelgänger practices, the influence operation network uses this opportunity to cast the government in a negative light and introduce its support for Ukraine into the narrative.

Article snippet from derglaube[.]com (original emphasis)
Article snippet from derglaube[.]com (original emphasis)
Article snippet from derglaube[.]com (emphasis added)
Article snippet from derglaube[.]com (emphasis added)

In an attempt to blend political-oriented propaganda or disinformation among other topics, some websites host articles covering broader subjects such as health, sports, and culture. We observed attempts to introduce propaganda even in such articles. For example, an article hosted at miastagebuch[.]com initially discusses headaches from a medical perspective only to later indicate the German government as one of the major causes of headaches.

Anti-government statements in a health-themed article (emphasis added)
Anti-government statements in a health-themed article (emphasis added)

We emphasize that Doppelgänger also targets Germany through articles published by third-party outlets, such as telepolis[.]de, freiewelt[.]net, overton-magazin[.]de, and deutschlandkurier[.]de.

The articles from these outlets that Doppelgänger disseminates focus on both domestic and international topics, some with a strong anti-Western narrative. For instance, an article from overton-magazin[.]de portrays the West as profiteering from the Russo-Ukrainian conflict, while depicting Ukraine as a plaything of Western global players (cit.).

Article snippet from overton-magazin[.]de (emphasis added)
Article snippet from overton-magazin[.]de (emphasis added)

Additionally, an article from osthessen-news[.]de highlights factors such as the Ukraine war and inflation as contributors to economic challenges in Germany, prompting medium-sized companies to consider restructuring due to escalating costs. Issues concerning small- and mid-sized companies are particularly relevant to the broader German audience, given their significant contribution to the country’s overall economy.

Article snippet from osthessen-news[.]de
Article snippet from osthessen-news[.]de

Infrastructure

The Doppelgänger infrastructure can be structured into four parts subject to different infrastructure management and control practices, with each part designated to hosting the different entities involved in disseminating content for consumption by targeted audiences: the first-stage and second-stage redirection websites, the servers likely used for monitoring campaign performance (ggspace[.]space and sdgqaef[.]site), and the destination websites.

The first-stage and second-stage websites often shift between a variety of hosting providers, such as Hostinger, Global Internet Solutions, and Digital Ocean. The domains of these websites typically have short lifespans, lasting only several days at a time and recurring multiple times over a few years. We observe that Doppelgänger activates the domains for brief periods during its campaigns before deactivating them again.

The domains of the first-stage websites have a diverse range of top-level domains (TLDs), including generic TLDs such as .buzz, .art, .store, .site, and .online, as well as country code TLDs like .co.uk and .br. The domains’ format suggests an automated generation approach involving the creation of subdomains and numerical suffixes, for example, pcrrjx.kredit-money-fun169[.]buzz and yzrhhk.kredit-money-fun202[.]buzz.

This strategy, combined with the frequent rotation between hosting providers and the cyclical nature of the domains, indicates an effort by Doppelgänger to evade detection and tracking of its first-stage infrastructure, which is exposed on social media platforms and therefore more likely to be subjected to scrutiny. Doppelgänger does not apply the same domain naming convention to second-stage websites, which are not directly exposed on social media platforms.

Playing a central role in Doppelgänger’s campaigns, ggspace[.]space and sdgqaef[.]site are responsible for both redirection and presumably monitoring campaign performance. They are hosted behind a Cloud-based reverse proxy infrastructure, likely implemented as a security measure to obfuscate their true hosting locations. In contrast to the first-stage and second-stage domains, the active periods of these domains typically span several months during Doppelgänger’s campaigns.

Many of the servers hosting the destination websites are managed using cPanel, and some implement geofencing, which restricts traffic to IP addresses from targeted countries. This practice is likely intended to minimize exposure of their infrastructure and content to scrutiny and monitoring by researchers or authorities outside those regions, reducing the likelihood of detection and investigation into Doppelgänger’s activities.

The domains of the majority of these websites were first registered in the first quarter of 2023 and some as early as mid-2022, remaining active as of the time of writing. A smaller subset of domains, such as derglaube[.]com, which we assess with high confidence as being managed by Doppelgänger at this time, have been active for nearly 10 years, with intermittent periods of inactivity lasting a few years at most.

Conclusions

Doppelgänger represents an active instrument of information warfare, characterized by strategic use of propaganda and disinformation to influence public opinion. The campaign targeting Germany we discussed in this post serves as a compelling example of the persistent and continually evolving nature of Russia-aligned influence operations, which exploit social media and current topics of geopolitical and socio-economic significance to shape perceptions.

We anticipate that Doppelgänger’s activities, targeting not only Germany but also other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years. We expect Doppelgänger to continue innovating its infrastructure and obfuscation tactics to make its activities more difficult to detect and disrupt.

We emphasize that countering influence operations requires a comprehensive and collaborative approach, involving enhancing public awareness and media literacy to identify and resist manipulation, alongside prompt and effective actions by social media platforms and infrastructure operators to limit the spread of propaganda and disinformation online.

SentinelLabs continues to monitor Doppelgänger activities and remains committed to timely reporting on its operations to improve public awareness of this threat and mitigate its impact.

Indicators of Compromise

Due to the extensive volume of observed indicators, we present here only a selection, including indicators from parallel campaigns targeting France alongside those targeting German audiences.

Domains

Value Note
09474w.reyt-cre-ad34[.]buzz First-stage website
1wifsq.c-majac-ann4[.]buzz First-stage website
3wk8wa.kariz-good-ad10[.]buzz First-stage website
62ogyy[.]internetbusinesslondon[.]co[.]uk First-stage website
6fmb3r[.]great-cred195[.]buzz First-stage website
allons-y[.]social Doppelgänger-managed destination website
antiwar[.]com Third-party website whose articles Doppelgänger disseminates
arbeitspause[.]org Doppelgänger-managed destination website
arizztar[.]com Second-stage website
bfmtv[.]com Third-party website whose articles Doppelgänger disseminates
bluetoffee-books[.]com Second-stage website
brennendefrage[.]com Doppelgänger-managed destination website
buegym.ranking-kariz108[.]buzz First-stage website
contre-attaque[.]net Third-party website whose articles Doppelgänger disseminates
d6egyr.borafazerfestaoficial[.]online First-stage website
deintelligenz[.]com Doppelgänger-managed destination website
derbayerischelowe[.]info Doppelgänger-managed destination website
derglaube[.]com Doppelgänger-managed destination website
derrattenfanger[.]net Doppelgänger-managed destination website
deutschlandkurier[.]de Third-party website whose articles Doppelgänger disseminates
faridmehdipour[.]com Second-stage website
faz[.]ltd Doppelgänger-managed destination website
freeebooktemplates[.]com Second-stage website
freiewelt[.]net Third-party website whose articles Doppelgänger disseminates
ggspace[.]space Server likely used for monitoring campaign performance
grunehummel[.]com Doppelgänger-managed destination website
histoireetsociete[.]com Third-party website whose articles Doppelgänger disseminates
hungarianconservative[.]com Third-party website whose articles Doppelgänger disseminates
jungefreiheit[.]de Third-party website whose articles Doppelgänger disseminates
kaputteampel[.]com Doppelgänger-managed destination website
ledialogue[.]fr Third-party website whose articles Doppelgänger disseminates
legrandsoir[.]info Third-party website whose articles Doppelgänger disseminates
leparisien[.]re Doppelgänger-managed destination website
lildoxi[.]com Second-stage website
miastagebuch[.]com Doppelgänger-managed destination website
mt-secure-bnk[.]com Second-stage website
nice-credits-list266[.]buzz First-stage website
nw3m7o.samaritana.com[.]br First-stage website
o21obd.reyt-credbest-mx29[.]buzz First-stage website
osthessen-news[.]de Third-party website whose articles Doppelgänger disseminates
overton-magazin[.]de Third-party website whose articles Doppelgänger disseminates
pcrrjx.kredit-money-fun169[.]buzz First-stage website
profesionalvirtual[.]com Second-stage website
realpeoplesreviews[.]com Second-stage website
referendud[.]com Second-stage website
restuapp[.]com Second-stage website
sbl63p.kredit-money-fun274[.]buzz First-stage website
sdgqaef[.]site Server likely used for monitoring campaign performance
sueddeutsche[.]ltd Doppelgänger-managed destination website
telepolis[.]de Third-party website whose articles Doppelgänger disseminates
uncut-news[.]ch Third-party website whose articles Doppelgänger disseminates
v5yoaq.chilling[.]lol First-stage website
voltairenet[.]org Third-party website whose articles Doppelgänger disseminates
wanderfalke[.]net Doppelgänger-managed destination website
welt[.]pm Doppelgänger-managed destination website
www.nachdenkseiten[.]de Third-party website whose articles Doppelgänger disseminates
yzrhhk.kredit-money-fun202[.]buzz First-stage website

Campaign Identifiers

DE-02-01_deintelligenz
DE-09-01_derrattenfanger
DE-13-01_nachdenkseiten_-2
DE-13-01_telepolis_-2
DE-15-11_deutschlandkurier
DE-17-11_jungefreiheit
DE-21-11_freiewelt
DE-23-12-2_arbeitspause
DE-23-12-2_arbeitspause
DE-24-11_grunehummel
DE-25-01_brennendefrage
DE-25-01_derglaube
DE-25-01_welt
DE-27-12_faz
DE-27-12_miastagebuch_-2
DE-27-12_sueddeutsche
DE-29-01_derbayerischelowe
FR-03-02_candidat
FR-03-02_lexomnium_-2
FR-04-02_allons-y
FR-13-01_original
FR-19-01_bfmtv_s
FR-23-12-2_franceeteu
FR-23-12-2_leparisien
FR-25-01_la-sante
FR-26-12_hungarianconservative
FR-26-12_lepoint_-2
FR-26-12_voltairenet
FR-27-12_ledialogue
FR-27-12_lesfrontieres

Suspected Doppelgänger-managed X/Twitter Accounts

AyniyeMcca18343
Brent8332812692
ButzlaffF6068
chareaterc59681
Chris423806
Dan2082135
elasagev1981744
Equinoxevt4
Eric69112331297
Eric81026324555
izaguine65954
jacksanbac66126
Jermaine1384705
Jermaine1384705
Jim388251815042
Joseph673224507
Joseph673224507
Kevin1135109
Kristin1039811
Marc182057
Marc1826509
Mark5768674550
MeadowOf43589
MehetabelW87922
MGlasscock91268
Mike3614071710
MingoGerri92116
MissyVoorh3954
MitchamNis5726
MKarg84246
ModestiaH56404
ModestineF72279
MonteroTer52325
MontesRodi62373
moore_tess5916
MorelockSo28285
MorganMcqu33699
MunroHelen78796
MurdockTip96177
myrta53009
NancyOrona49857
NannySpeer51042
NatalaWelb47593
Natasha90680770
NaylorVida41053
NCraighead92692
NFridley71438
Nikki9265841534
NikoliaE39574
NJean52219
NKuehner28951
OClodfelte8787
of_navy23563
of_novelis81275
OlguinElsy987
Oliver1325592
Omar37785134192
Pam807954589169
PauliHarry9140
PegeenD80598
Pete1192428369
Rayshaw78069964
Rounak1685212
Tim298432442090


文章来源: https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/
如有侵权请联系:admin#unsafe.sh