May 24, 2024

By Raquel Miguel, Maria Giovanna Sessa, and Alexandre Alaphilippe

The Doppelganger operation is a quintessential case study of a community-driven, open-source investigation, illustrating how media, civil society organisations (CSOs), platforms, and authorities collaboratively counteract foreign influence and misinformation (FIMI) campaigns. Despite a range of responses from key stakeholders, including sanctions and legal actions, the Doppelganger operation, now in its second year, persists. This necessitates reflecting on the cost-effectiveness of these responses, considering the expertise, time, and financial resources invested by the defender community to disrupt the Russian network.

Figure 1. Timeline of the Doppelganger operation (May 2022-April 2024)

Since the campaign’s first exposure, the ultimate goal has been its complete cessation, which has not been achieved yet. Consequently, we have operationalised the cost-effectiveness of tacking the operation into five categories, ranging from milder to stronger measures.

Situational awareness 

The defender community’s situational awareness is notably high, particularly among analysts. Initially, media outlets were the first to disclose the campaign, informing the public about the threat. Civil society organisations soon followed, leading to platform takedowns and attribution. Public institutions were the last to respond, likely due to bureaucratic processes and the need for cautious attribution of foreign interference.

Impact on malign actors’ capabilities 

Measures such as takedowns, deplatforming, and sanctions have indeed impacted the malign actors’ capabilities, causing a deceleration in content production and infrastructure distribution. However, these efforts have led to slowdowns rather than shutdowns. Doppelganger operators have consistently found ways to circumvent sanctions and improve their obfuscation techniques, resulting in even higher proliferation of URLs and ads and possibly new campaigns exploiting the same infrastructure.

Triggering new responses 

The responses to the Doppelganger operation can be seen in two directions. The defender community has managed to wound but not kill the operation. Overall, it is crucial to acknowledge that every exposure incurs significant costs, drawing from limited organisational budgets in terms of human resources, legal costs, and potential safety risks for researchers. Conversely, the threat actors appear well-equipped with resources and funds, continually adopting new Tactics, Techniques, and Procedures (TTPs) to sustain their operations. Despite the toughest measures, such as sanctions prompted by reports from Viginum and Meta, the Doppelganger infrastructure remains resilient.


Sanctions: 

  • European Union – In July 2023, the Council of the EU imposed restrictive measures against seven Russian individuals and five entities responsible for the Doppelganger/RRN operation (i.e., Social Design Agency, Struktura National Technologies, Inforos, ANO Dialog, and the Institute of the Russian Diaspora). These sanctions include asset freezes, travel bans, and prohibitions on transactions involving the sanctioned entities and individuals.
  • United States – In March 2024, the USA Department of the Treasury’s Office of Foreign Assets Control sanctioned two individuals (Ilya Andreevich Gambashidze and Nikolai Aleksandrovich Tupikin) and two entities (Social Design Agency and Struktura) for providing services to the Russian Federation. As a result, all transactions involving funds, goods (including properties), or services with these individuals and entities are prohibited.  

Attribution 

Attribution has been achieved despite its challenges and costs. The primary difficulty lies in the lack of standardised information for knowledge sharing among analysts, with some exceptions for reports containing technically advanced forensics. Access to data is crucial for improving platform accountability and transparency, as well as creating more attribution opportunities. The Digital Services Act (DSA) should play a key role in granting researchers access to large-scale platform data, enabling them to study systemic risks in-depth and support research tackling FIMI campaigns. To achieve this, we advocate for a broader definition of vetted researchers under Article 40, including CSOs. Additionally, funding is essential to support research that can tackle and attribute FIMI campaigns.

Deterrence

Unfortunately, deterrence remains unaccomplished. Given the various actions taken, engaging with domain name registries as the intermediary closest to the problem of impersonation is the most effective way to address issues such as impersonation. Identifying appropriate intermediaries is crucial, as some actions have had negligible effects or even accelerated the creation of assets and new obfuscation measures. Legislative grounds such as abusive domain name registration, trademark laws, copyright infringement, identity theft, and cybercrime offer pathways for prosecution. Additionally, the DSA presents potential avenues for enhancing situational awareness, attribution opportunities, reducing distribution, and ultimately deterring FIMI operations.


Legal actions:

  • Süddeutsche Zeitung – Between September and November 2022, Süddeutsche Zeitung used ICANN’s UDRP (Uniform Domain Resolution Procedure) to bring a case before the WIPO arbitration panel to have the domain sueddeutsche[.]me successfully transferred to the German newspaper.
  • Le Monde – In July 2023, lemonde[.]ltd was transferred to French newspaper Le Monde via UDRP.
  • French Ministry of Foreign Affairs – In October 2023, the World Intellectual Property Office (WIPO) ruled that NameCheap, responsible for selling the domain name diplomatie[.]gouv[.]fm should return it to the French Ministry of Foreign Affairs. 
  • Le Parisien – In February 2024, French registry operator AFNIC returned the domain name leparisien[.]re to Le Parisien.


DSA:

  • Meta under DSA’s scrutiny. On 30 April, the European Commission opened formal proceedings to assess whether Meta may have breached the Digital Services Act. One of the suspected infringements pointed out refers to Meta’s policies and practices relating to deceptive advertising and disinformation. “The Commission suspects that Meta does not comply with DSA obligations related to addressing the dissemination of deceptive advertisements, disinformation campaigns and coordinated inauthentic behaviour in the EU”, the statement reads. Meta’s key role in amplifying the Doppelganger campaign is a clear example of such behaviour. A recent AI Forensics report on a huge network of advertisements spreading the pro-Russian campaign may have been one of the triggers for the Commission’s decision.

The analysis of the Doppelganger operation’s cost-effectiveness offers a valuable benchmark applicable to other FIMI threats. This paves the way for new research opportunities to optimise resource allocation to counter influence and disinformation campaigns. Future studies could explore innovative, cost-efficient strategies for boosting situational awareness, refining attribution methods, and developing robust deterrence mechanisms, particularly leveraging legislative frameworks and technological advancements. To achieve this, accountability through data access, knowledge sharing, and enforcement of existing risk assessment and mitigation pathways is essential.