Doppelgänger: Russia-Linked Influence Network Targets Germany with Disinformation

SentinelLabs and ClearSky Cyber Security have been tracking an intensive influence operation spreading propaganda and disinformation since late 2023. This campaign, attributed to the Russia-aligned Doppelgänger network, initially focused on anti-Ukrainian content but has expanded to target audiences in the US, Israel, Germany, and France. With a distinct, sustained emphasis on Germany, Doppelgänger’s tactics reveal a calculated effort to exploit fractures within German society and its broader role within the EU.

Doppelgänger’s Modus Operandi in Germany

Doppelgänger’s campaign is tailored to resonate deeply with German audiences, preying on existing anxieties and aiming to sow discord. The operation exploits hot-button issues like inflation, social unrest, and immigration to erode trust in the ruling coalition. By linking these domestic concerns to the conflict in Ukraine, Doppelgänger seeks to portray Germany’s support for Ukraine as a key driver of the country’s internal struggles. This coordinated effort likely aims to sway public opinion ahead of critical elections across the EU, and especially within Germany, where federal elections will occur in 2025.

Multi-language posts tailored to the targeted audiences

Doppelgänger’s reach amplifies this danger. The network’s tactics echo those reported by organizations like Recorded Future and Meta, underscoring its persistence and reach across multiple democracies. This campaign’s scale and synchronization with Germany’s political climate underscore the potential dangers of election interference, a trend also highlighted by the German Ministry of Foreign Affairs and the prominent media outlet Der Spiegel.

Dissemination Tactics

Doppelgänger’s disinformation machine is complex and multi-layered:

1. Social Media Infiltration: Doppelgänger operates a network of seemingly legitimate X (formerly Twitter) accounts. These accounts strategically share links to Doppelgänger-created fake news websites or amplify articles from third-party sites aligned with its goals. Coordinated retweets and engagement tactics lend the illusion of organic spread.

2. Obfuscation and Tracking: To maximize reach and evade detection, the network employs a series of obfuscation techniques. Links are disguised with thumbnail images on Telegra[.]ph, secondary websites redirect traffic, and JavaScript code is obscured with Base64-encoding. Doppelgänger also likely uses the Keitaro Tracking System to monitor campaign performance, helping it refine its tactics in real-time.

3. Third-Party Content Exploitation: Alongside its network of fake sites, Doppelgänger leverages content published by platforms such as telepolis[.]de, deutschlandkurier[.]de, and others. While these outlets are legitimate, the specific articles chosen promote anti-Western or pro-Russian narratives, subtly reinforcing Doppelgänger’s broader disinformation campaign.

Propaganda Content Analysis

Doppelgänger’s propaganda blends overt attacks with subtle manipulation:

• Economic Fear-Mongering: Articles relentlessly focus on strikes by public transport workers, farmers’ protests, and inflation. This aims to discredit the ruling coalition, implying their policies fuel these crises, while strategically tying economic woes to support for Ukraine.
• Anti-Immigration Stoking: Articles fuel animosity towards the government’s immigration policies, a divisive issue in German politics. Doppelgänger criticizes government spending and links immigration to broader societal challenges, again linking both to the unpopular (for some) backing of Ukraine.
• Weaponizing ‘Softer’ Topics: Even non-political articles on health, sports, or culture contain subtle anti-government twists. This insidious technique seeks to normalize discontent, turning even casual news consumption into exposure to Doppelgänger’s propaganda machine.

Anti-government statements in a health-themed article (emphasis added)

Infrastructure Insights

Doppelgänger’s infrastructure reveals a calculated effort to evade detection:

• Disposable Websites: Fake news sites are shifted between hosting providers, with short lifespans and cyclical patterns, making them difficult to track long-term.
• Hidden Control: Campaign monitoring servers likely sit behind cloud-based reverse proxies to hide their true location, protecting the network’s core.
• Geofencing: Many destination websites employ geofencing, limiting traffic to German IP addresses, hindering external scrutiny or takedown efforts.

The Need for Global Vigilance

Doppelgänger exemplifies how state-backed information warfare aims to manipulate public opinion and undermine democratic processes. This campaign’s persistent focus on Germany highlights the vulnerability of even strong democracies to such tactics, especially during election periods. Countering this threat demands a multi-pronged approach:

• Public Awareness: Increased funding for media literacy campaigns is critical in empowering citizens to identify disinformation and resist manipulation.
• Platform Accountability: Social media platforms and infrastructure providers must improve transparency and proactively counter disinformation.
• Collaborative Defense: Governments, researchers, and civil society must partner to share information, develop counter-strategies, and protect democratic integrity