
Source: Intrinsec
A recent report by cybersecurity firm Intrinsec has unveiled an ongoing large-scale disinformation campaign, known as Doppelgänger, which is actively targeting Western countries through manipulated social media content and impersonated media outlets. The campaign, traced to Russian networks, has been leveraging fake news articles, deceptive online personas, and bulletproof hosting infrastructures to propagate misleading narratives aimed at destabilizing public trust in democratic institutions.
The Doppelgänger operation was first attributed to Russian organizations by Meta in 2022, linking the activities to two companies: Structura National Technologies and Social Design Agency. Since then, the campaign has expanded its reach, infiltrating major European nations and Israel with false narratives designed to polarize societies and weaken support for Ukraine amid the ongoing war.
According to Intrinsec’s findings, the campaign has employed bot networks on X (formerly Twitter) to amplify disinformation articles hosted on typosquatted domains—websites that mimic legitimate news outlets to deceive unsuspecting users. The strategy, as outlined in the report, exploits geopolitical tensions and economic concerns to manipulate public sentiment.
The campaign has been particularly active in France, Germany, Italy, Ukraine, and Israel, spreading region-specific falsehoods designed to exploit domestic concerns. Some of the key narratives identified include:
France:
- Anti-Western propaganda portraying the U.S. as an economic oppressor exploiting European nations.
- Depictions of France in decline, with President Macron blamed for economic and social crises.
- Efforts to undermine support for Ukraine, portraying aid as wasteful and counterproductive.
Germany:
- Claims of economic downturn and government incompetence, blaming the coalition government for recession and unemployment.
- Anti-immigration sentiments, linking migration policies to increased crime and economic instability.
- Skepticism toward aid for Ukraine, portraying it as financially burdensome and ineffective.
Italy:
- Use of pro-Russian local media, rather than impersonation, to spread narratives undermining Ukraine.
- Claims of exaggerated Ukrainian military losses to create doubt about Ukraine’s war efforts.
Ukraine:
- Narratives portraying Ukraine as isolated, suggesting Western nations are withdrawing their support.
- Allegations of widespread corruption, positioning Ukraine’s government as untrustworthy.
- Calls for surrender, advocating for peace through territorial concessions to Russia.
Israel:
- Accusations of U.S. abandonment, portraying the Biden administration as prioritizing Ukraine over Israel.
- Claims of rising antisemitism in the U.S., allegedly encouraged by American policies.
- Economic struggles linked to Western inaction, fueling dissatisfaction with Israel’s leadership.
Intrinsec’s investigation also highlights how Doppelgänger has leveraged bulletproof hosting providers to evade detection and maintain operational resilience. The campaign makes extensive use of Kehr[.]io, a redirection provider advertised on Russian-speaking underground forums, to bypass content moderation on social media platforms.
Key findings from the infrastructure analysis reveal that:
- Hosting is done through Partner Hosting LTD (AS215826) and WAIcore Ltd (AS213887), both linked to entities in Ukraine and Belarus with ties to bulletproof hosting solutions.
- Domains hosting fake articles frequently redirect through Kehr[.]io to avoid being blocked.
- Second-layer redirectors are hosted on SERVERS TECH FZCO (AS216071) in Dubai, previously used in cybercriminal activities.
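One way to turn the infrastructure findings above into a triage check over observed redirect chains. This is an added example, not code from the Intrinsec report. The hop records, hostnames and the 64496-64502 ASNs are constructed sample data, and ASN enrichment of each hop is assumed to happen upstream:

```python
# Added example: flag click-through chains that touch the infrastructure
# named in the findings above. A single ASN hit is only a weak signal
# (unrelated tenants share these networks), so it is marked for review.

REDIRECTOR = "kehr[.]io"             # redirection provider, kept defanged
HOSTING_ASNS = {215826, 213887}      # Partner Hosting LTD, WAIcore Ltd
SECOND_LAYER_ASNS = {216071}         # SERVERS TECH FZCO


def refang(host):
    """Normalise a possibly defanged hostname for comparison."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()


def is_redirector(host):
    """True for the redirector domain or any subdomain, not lookalikes."""
    base, host = refang(REDIRECTOR), refang(host)
    return host == base or host.endswith("." + base)


def score_chain(hops):
    """hops: ordered (hostname, asn) tuples for one click-through.
    Returns (verdict, {indicator: index of first matching hop})."""
    hits = {}
    for i, (host, asn) in enumerate(hops):
        if is_redirector(host):
            hits.setdefault("redirector", i)
        if asn in HOSTING_ASNS:
            hits.setdefault("hosting_asn", i)
        if asn in SECOND_LAYER_ASNS:
            hits.setdefault("second_layer_asn", i)
    verdict = "high" if len(hits) >= 2 else "review" if hits else "none"
    return verdict, hits


# Constructed sample chains (hostnames and non-report ASNs are invented).
SAMPLE_CHAINS = {
    "layered": [("social.example", 64496), ("go.kehr[.]io", 64500),
                ("redir.example", 216071), ("news-clone.example", 215826)],
    "asn_only": [("shop.example", 213887)],
    "benign": [("www.example.org", 64501)],
    "lookalike": [("notkehr.io", 64502)],
}

if __name__ == "__main__":
    for name, hops in SAMPLE_CHAINS.items():
        print(name, *score_chain(hops))
```
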
As the Doppelgänger operation evolves, its ability to mimic legitimate media outlets and spread disinformation on sensitive political topics presents a significant challenge for cybersecurity experts and policymakers. By exploiting public fears, economic instability, and geopolitical conflicts, the operation seeks to erode trust in democratic institutions and disrupt global alliances.
The ongoing nature of the campaign indicates that its architects remain well-resourced and adaptable, continually refining their tactics to evade detection. To counter this threat, Intrinsec recommends proactive monitoring of suspect domains, enhanced content verification practices, and increased collaboration between social media platforms and cybersecurity firms to dismantle these networks.