September 27, 2022

By Alexandre Alaphilippe, Gary Machado, Raquel Miguel and Francesco Poldi, EU DisinfoLab. In partnership with Qurium.

Today, EU DisinfoLab exposes a Russia-based influence operation network that has been operating in Europe since at least May 2022 and is still ongoing. Doppelganger, the name we gave to this campaign, uses multiple “clones” of authentic media (at least 17 media providers, including Bild, 20minutes, Ansa, The Guardian and RBC Ukraine) and targets users with fake articles, videos and polls. To do so, the malicious actors behind it bought dozens of Internet domain names similar to those of authentic media and copied their designs.

This is yet another example of a cross-platform operation, with its core hosted on web pages, and amplification profiles across social media networks, including Facebook and Twitter. The operation makes use of different formats, from videos to online ads.

Depicting Ukraine as a failed, corrupt, and Nazi state. Promoting Kremlin narratives on the Ukraine war, such as denying the Bucha massacre. Stoking fear among German, Italian, French, Latvian and British citizens about how sanctions against Russia will ruin their lives. These are the main objectives of the campaign that has been running online from May 2022 and is still ongoing.

EU DisinfoLab has partnered with the Swedish non-profit foundation Qurium Media Foundation, a provider of digital security solutions and forensics investigations to independent media and human rights organisations. You can find the technical report by Qurium here.

This independent investigation is solely based on open-source information and was built on initial leads published by other organisations (notably reports from T-Online and the Sueddeutsche Zeitung). Tools used to unravel and analyse the network have included the Meta Ads Library, CrowdTangle and publicly available Internet infrastructure data. This research started on 30 August and was triggered after the initial publication of T-Online, which uncovered part of this network.

This coordinated operation consists of cloning the appearance and credit of authentic journalistic content to disseminate blatant disinformation. Our findings show that the disinformation actors behind this campaign have implemented a sophisticated and coherent strategy of replicating and impersonating authentic media. It involves, amongst other tactics, spoofing domain names or creating videos falsely attributed to legitimate media. It also includes clever techniques such as smart redirections or geo-blocking users based on location. According to our partner Qurium, the sophisticated features of at least part of this campaign were enabled by software from a company named Keitaro, registered in Estonia.

After these findings, EU DisinfoLab has taken the appropriate steps to alert relevant authorities and institutions of this operation.

We found distinct networks of various Facebook Pages and fake Facebook profiles actively amplifying this operation. These networks were operated subsequently while the operation was unfolding. Once used, most of these networks were abandoned by their owners, similarly to the use of burner accounts.

Our investigation does not lead to a formal attribution to a specific actor. However, many elements are pointing towards the involvement of Russia-based actors. On the infrastructure side, impersonated domain names were operated by the same actor, and some of these domains were bought through the Russian Internet registrar. Fake videos were produced by computers with a Russian set-up, one of them operating from the GMT+8 time zone. Moreover, the narratives of the campaign are all aligned with Russian propaganda.

However, Doppelganger operators remain unidentified and therefore a continuing threat. Despite the work of our teams and corroborating signals both in the infrastructure and in the operation’s content, we are unable to make a conclusive and specific attribution. For these reasons, we cannot entirely exclude the possibility of a false flag operation. We hope that the elements we bring to the community will help future work towards a more formal attribution.

This calls for a series of European actions such as:

  • A better regulation of the domain name industry, to protect authentic actors from being impersonated;
  • Taking appropriate measures so that EU-based legally registered software and infrastructure cannot be used to serve malicious covert influence operations without consequences;
  • Putting an end to the non-accountability of opaque and ill-intentioned organisations. This calls for far greater cooperation between institutions that can attribute information operations and those that enforce laws such as trademark laws and GDPR;
  • Providing better data to European researchers working for the public interest.

“The publicly available data raises doubts about the success of Doppelganger. But the very fact that the operation is still ongoing after months of breaching European trademark laws, GDPR, using EU-based servers and software, likely without consequences for its authors, is troubling. This is where much improvement needs to happen,” said Alexandre Alaphilippe, Executive Director at EU DisinfoLab.
