July 11, 2024

by Alexandre Alaphilippe, Executive Director, EU DisinfoLab

On July 11, Qurium, in partnership with multiple investigative news outlets, published a new set of evidence around the Doppelganger disinformation operation.

This new publication dives deep into the Internet infrastructure that Doppelganger operators have meticulously built and use to conduct their operations. The findings show how crucial European companies and individuals have been in enabling and supporting this campaign. This support included setting up servers and renting IP addresses that were used to obfuscate the real origin of the malicious actors, which, unsurprisingly, is Russia.

These new insights also show the convergence between cyber-criminal activities and information operations. Indeed, some of the key actors described in Qurium’s investigations have also been hosting malware and other malicious code intended to attack or ransom companies.

But the main story is perhaps not the one that is written. Between the lines of this additional evidence, built up over more than two years of extensive research by a wide community, there is a more worrying story that needs to be told, and it’s not a pretty one.

Maybe Russians aren’t that good; maybe we just suck.

Since 2022, the Doppelganger operation and its side operations such as Matriochka, Overload, and the Blue Stars of David have shown how bad Europe is at dealing with such threats. For two years, multiple sets of evidence have been gathered on: 

  • How easy it is to impersonate dozens of online media brands, governments, and international institutions by buying cheap alternative web domains. 
  • How easy it is to bypass, on a daily basis, all the advertising transparency requirements of online platforms in order to target malicious content at European audiences. 
  • How easy it is to create and run hundreds of thousands, if not millions, of fake accounts on platforms to artificially propagate an untrue or misleading story on social media. 
  • How easy it is to use these fake accounts to make it seem, including to journalists, that these stories are gaining organic traction without any evidence of such virality. 
  • How easy it is to set up cyber-criminal infrastructure activities inside Europe, even in a very high-profile operation, without any consequences for the offenders and intermediaries that allow these operations to run.

Additionally, revelations from the online media outlet The Insider on 4 July shed light on how Russian military intelligence has been designing, with apparently unlimited impunity, aggressive campaigns aimed at destroying democracy and sowing fear in our societies.

These facts have been repeatedly documented, presented publicly, and brought to the public eye to alert policy-makers about the harm these operations could cause, to raise awareness of such manipulations, and to prevent people from falling into the trap of disinformation. Yet, here we are again, feeding yet another news cycle, with recycled calls for more evidence to be provided, promises for more sanctions to be imposed, and wishful thinking for more cooperation to be designed.

On 27 June, the European Council conclusions were already preparing that line:

“In response to Russia’s destabilising actions abroad, the European Council reiterates its call for work to be taken forward in the Council to establish a new sanctions regime. The European Union will also continue to work closely with partners to detect and counter hybrid activities by third countries, including false narratives and disinformation.”

The problem is not a lack of research or evidence about disinformation and how to tackle it. The problem is that there is a clear lack of enforcement from authorities to act on such illegal operations.

We know the stakes for our democracy, we know the adversary, we know the political tactics, we know the vulnerabilities that are being exploited. The EU must, finally, act together, decisively and comprehensively. The damage is already plain to see. As are the measures that need to be taken.