Illegal Russian Influence Operations Continue Despite Sanctions

23 Dec 2024 | Reports

Author:
Saman Nazari, Alliance4Europe. 

Contributor:
Lea Frühwirth, CeMAS. 

A special thank you to Lars Wienand from T-online for informing us that the Doppelganger links are working again. 

This flash report was made possible through collaborations facilitated through the Counter Disinformation Network.

Summary

 

In this report, we show how X has still not addressed the Russian influence operation Doppelganger, present the latest technical developments we have uncovered in the operation, and give a short overview of the narratives the influence operation is currently employing.

Between November 3rd and December 4th 2024, 959 Doppelganger tweets were identified. 

A portion of the narratives shows Russia trying to pressure Ukraine into a cease-fire and peace negotiations. This narrative line may indicate the Russian government’s underlying strategic objective of ending the war, given the losses and damage they have sustained.

We also highlight that the Social Design Agency (SDA), the entity behind Doppelganger, is a sanctioned entity, meaning that X and Meta would apparently be violating sanctions by not addressing the influence operation. 

We call upon X, as well as all relevant tech platforms, to address the influence operation, which we can track so easily, and to stop it from interfering in the upcoming German elections.

We also provide an updated DISARM Red Framework encoding and analysis of the Doppelganger influence operation, showing the tactics and techniques used by the influence operation. 

 

Ongoing Unaddressed Influence Operation

 

Since June 2024, Alliance4Europe, CeMAS and members of the Counter Disinformation Network have been monitoring a specific coordinated inauthentic behaviour (CIB) associated with the Doppelganger influence operation. Following our September report, we have been evaluating X’s response to our findings.

 

 

This report will not repeat the analysis of the influence operation. For more on that, we encourage you to read our previous report.

Since we reported on the influence operation and the method we use to track it, there has been no change in the behaviour that allows us to track it. As far as we can see, X has taken no detectable action in this regard.

 

Re-directions not Working – Lazy Contractors?

 

Doppelganger uses a geolocation-based redirect method that directs users either to a Doppelganger website if they have an IP address from the country targeted, or sends the users to a junk website with gibberish text.

 

 

For several months, the Doppelganger domains on Twitter did not work, not redirecting users to the correct domain. The operation continued posting tweets with these broken links. 

At the end of November, the front domains included in the Doppelganger tweets started redirecting users again. At the time, the links were only accessible via a phone browser. It is unknown if this was a mistake or an intentional obfuscation technique. In December, the links started working again, redirecting users to Doppelganger websites. Now it seems like the redirection mechanism has broken, redirecting all users to the Doppelganger website regardless of their IP address.

 

New Tracking Method – Front Domain IPs. 

 

The operation should also be easy for X to track because it uses the same few IP addresses across different front domains. Front domains are the domains used in the URLs in the tweets. When these are clicked, they take you through a redirect chain. If you are based in a relevant location, the chain brings you to a Doppelganger article. If not, it brings you to a website with nonsense text on it.

On a given day, the Doppelganger tweets might use different URLs, but the IP addresses behind them stay the same. X could track the influence operation based on these different URLs leading to the same IP being posted in very quick succession. 

In our dataset, based on the URLs we could analyse before they were taken offline, we repeatedly identified: 147.79.117.64, 185.216.71.122, and 145.223.27.230.

The IP 31.187.76.96 was also identified by another researcher in our extended network. 

Even if these IP addresses change over time, the repeated pattern of behaviour, where only a few IP addresses are used across a large set of domains posted within a specific time frame, should be easy for a social media platform to trace.
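The pattern described above, many different front domains resolving to the same few IP addresses and posted in quick succession, can be expressed as a sliding-window check. This is an added example, not code from the report or from X; the posts, domains, IP addresses, function name and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample posts: (ISO timestamp, account, posted URL).
# All names use the reserved .example TLD; none come from the report.
POSTS = [
    ("2024-12-01T10:00:05", "acct_a", "https://qx1.example/a9f"),
    ("2024-12-01T10:00:41", "acct_b", "https://news-zz.example/k2"),
    ("2024-12-01T10:01:10", "acct_c", "https://fr0nt7.example/p"),
    ("2024-12-01T10:01:55", "acct_d", "https://m3dia.example/x/1"),
    ("2024-12-01T10:02:30", "acct_e", "https://blog.example/post"),
    ("2024-12-01T16:40:00", "acct_f", "https://shop.example/sale"),
    ("2024-12-01T21:15:00", "acct_g", "https://cdn-host.example/a"),
]

# Constructed resolution results (RFC 5737 documentation addresses),
# standing in for what a platform records when it resolves posted links.
RESOLVED = {
    "qx1.example": "192.0.2.10",
    "news-zz.example": "192.0.2.10",
    "fr0nt7.example": "192.0.2.10",
    "m3dia.example": "198.51.100.7",
    "blog.example": "203.0.113.50",      # ordinary shared hosting:
    "shop.example": "203.0.113.50",      # many domains on one IP, but
    "cdn-host.example": "203.0.113.50",  # posted hours apart
}


def find_shared_ip_bursts(posts, resolved,
                          window=timedelta(minutes=10), min_domains=3):
    """Return {ip: details} for IPs where at least `min_domains` distinct
    posted domains resolving to that IP appear within one `window`."""
    by_ip = defaultdict(list)
    for ts, account, url in posts:
        host = (urlsplit(url).hostname or "").lower()
        ip = resolved.get(host)
        if ip is None:
            continue  # link already offline or never resolved
        by_ip[ip].append((datetime.fromisoformat(ts), host, account))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            domains = {host for _, host, _ in span}
            if len(domains) >= min_domains and (
                    best is None or len(domains) > len(best["domains"])):
                best = {
                    "domains": sorted(domains),
                    "accounts": sorted({acct for _, _, acct in span}),
                    "first_seen": span[0][0],
                    "last_seen": span[-1][0],
                }
        if best:
            findings[ip] = best
    return findings
```

With the default ten-minute window only the burst on 192.0.2.10 is flagged; widening the window to a full day also flags the shared-hosting address, which is why the time constraint matters for keeping false positives down.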

 

Doppelganger Domains:

 

In our dataset, we detected the use of four different Doppelganger domains:

 

Welt(.)pm

 

 

Imitating the German newspaper Die Welt. Die Welt’s domain name is welt.de. This website has previously been attributed to Doppelganger.

 

Spiegel(.)cx 

 

Imitating the German newspaper Der Spiegel. Der Spiegel’s domain name is spiegel.de.

Spiegel(.)cx seems to be a new Doppelganger domain that was registered on 2024-11-29 using the CentralNic Registry, which is headquartered in London. The website is hiding its IP behind Cloudflare. 

We have not seen any public reporting about it. 

News(.)walla(.)top

 

Website imitating the Israeli newspaper Walla!. Walla!’s domain name is Walla.co.il.

News(.)walla(.)top seems to be a new Doppelganger domain that was registered on 2024-09-19 using the Canadian Registrar Tucows. The website is hiding its IP behind Cloudflare.

We have not seen any public reporting about it. 

Leparisien(.)fyi 

 

Website imitating the French newspaper Le Parisien. Le Parisien’s domain name is leparisien.fr.

Leparisien(.)fyi seems to be a new Doppelganger domain that was registered on 2024-07-31 using the Canadian Registrar Tucows. The website is hiding its IP behind Cloudflare.

We have not seen any public reporting about it. 

Lepoint(.)top 

 

Website imitating the French newspaper Le Point. Le Point’s domain name is lepoint.fr.

Lepoint(.)top seems to be a new Doppelganger domain that was registered on 2024-08-30 using the Canadian Registrar Tucows. The website is hiding its IP behind Cloudflare.

We have not seen any public reporting about it. 

Linkless Tweets

 

Out of the 959 tweets, 329 did not have Doppelganger links in them. 163 contained an image or video together with text and another 166 contained links to authentic news articles.

All of these tweets used the same sharing pattern and have the same profile characteristics, making it easy to attribute them to the influence operation. These are potentially similar to the accounts that Reset.Tech described in their latest report on “How X Profits From the Rise of a Pro-Kremlin Network”. Read more about this sub-set of channels here.

 

Increase in Activity

 

Between November 3rd and December 4th 2024, 959 Doppelganger tweets were published. 

Between November 3rd and 10th, the influence operation posted on average 18 posts. Between the 10th and 23rd, the influence operation rarely posted anything. On the 24th, Doppelganger posted over 200 tweets. In the period between the 25th of November and the 4th of December, the influence operation posted on average 62 posts a day, showing a significant increase in activity. 

 

Views

 

According to X’s own metrics, the tweets received 4,135,274 views. These numbers are not reliable as it is possible that the Social Design Agency (SDA), the company behind Doppelganger, is trying to inflate their numbers by using bots to fulfil their KPIs. 

 

Doppelganger – Illegal content. 

 

The company behind the Russian influence operation, known as the Social Design Agency (SDA), was sanctioned earlier this year by the European Commission.

In response to the Russian invasion of Ukraine, the EU enacted sanctions against several individuals and organizations offering support to the Russian war effort.

On May 14, 2024, the European Commission further clarified that the sanctions prohibit hosting content from these persons or entities or making them available to EU audiences on content-sharing platforms or search engines.

As the SDA is a sanctioned entity, Twitter not taking down their content would be a potential violation of sanctions. Science Feedback showed in a report how the content we flagged to X from the influence operation stayed up, meaning X is knowingly not dealing with illegal content. 

On a similar note, in our September report, we showed how Meta is receiving money from the SDA through their ad program. While they are significantly better at acting on the influence operation’s content, it is unclear if Meta keeping such revenue could be a violation of the sanctions.

 

Content Analysis

 

A full narrative analysis was done in our September report, which we won’t repeat here. 

Looking at the 959 tweets we identified between November 3rd and December 4th 2024, we made a few observations. 

Most Doppelganger accounts pose as citizens of the country they are discrediting, formulating the tweets as if they were from the country they are discussing. 

The tweets are in English, German, French, and Polish. The countries targeted include Israel (being supported), France (attacked), Germany (attacked), the U.S. (attacked), Poland (attacked), Sweden (attacked), Romania (attacked), and Norway (attacked). 

Most of the narratives are the same as the ones we covered in our September report. The more interesting themes covered in the 959 tweets include: 

1. Russia perceives Ukraine’s use of U.S. weapons against its territory as a direct attack by the United States. 

This subsection of the tweets covered accusations of U.S. troops on the ground in Ukraine, voicing fear of Russian retaliations, and statements that Russia has clarified beyond doubt that they will retaliate if U.S. weapons are used against Russia. 

The tweets are posted in a context where Russia has threatened to use nuclear weapons against the United States. Peter Dickinson of the Atlantic Council has shown how Russia has repeatedly used the threat of nuclear weapons to try to scare the West into not supporting Ukraine, and how these threats are empty.

2. Calls for a cease-fire in Ukraine and peace negotiations.

This subsection of these tweets called for countries to stop supporting Ukraine, citing an alleged escalation of the conflict, human suffering as an effect of continued conflict, and the high cost of supporting Ukraine.

Russia is calling for a ceasefire with Ukraine under conditions that would solidify its control over the regions already occupied by Russia. Dickinson highlights how Putin’s position is far weaker than he would like us to believe. This hidden vulnerability could motivate these calls for a cease-fire, as Russia might consider giving up on the ambition of conquering the entirety of Ukraine. 

3. Calls for the change of European governments and for protests against European governments.

The operation also posted tweets calling for the removal of heads of state and governments that are critical of Russia, including President Biden and Tusk and the German Traffic Light Coalition and its member parties.

Other tweets within this subsection are discrediting European governments, ruling parties, the U.S., the UN, and a wide set of political parties and political leaders critical of Russia. 

4. Support for Israel and spreading fear amongst European Jews

The last sub-section of the tweets worth highlighting expresses support for Israel, seemingly to try to get the U.S. to prioritise support for Israel over Ukraine. 

Some of these tweets also claim that European Jews are being attacked and that anti-Semitism is widespread in Europe.

A small portion of the tweets are also promoting Trump’s policy towards Israel.

 

Recommendations and Conclusions


X should be fulfilling their obligations under the Digital Services Act and address the systemic risk that the Doppelganger influence operation might entail. 

We also call for further investigation by the European Commission into the legal implications of an influence operation by a sanctioned actor still being present and running on platforms despite continued reporting and flagging, including addressing and clarifying the issue of the ad revenue generated.

It is concerning that despite continued reporting and coverage, the Doppelganger operation is still present on X/Twitter. Ahead of the German elections, it will be extra important to take down this influence operation to stop any chances of it breaking into the conversations happening around our democratic processes. 

 

Behaviours – DISARM Red Framework Analysis

 

The Counter Disinformation Network report on Doppelganger encoded the influence operation using the DISARM Red Framework. Since then, the DISARM Framework has been updated and we have updated the encoding.

 

Plan Objectives

 

Based on our analysis of the narratives of the 1.3k posts published by Doppelganger in June, we deduce that the likely objective of the influence operation is to degrade the image of Ukraine (T0066: Degrade Adversary) and discourage the targeted countries from supporting Ukraine (T0139.001: Discourage).

The secondary objectives of the influence operation were seemingly to feed polarisation in the targeted countries (T0135.004: Polarise) and cultivate support for political parties that align with Russia’s interests (T0136.006: Cultivate Support for Ally).

 

Develop Narratives

 

In the June report, we also observed how Doppelganger employs competing narratives, promoting opposing sides at times to target different target audiences, likely to fuel polarisation in society (T0004: Develop Competing Narratives).

Our content analysis has shown that the influence operation interacts with existing polarising debates in the societies it is targeting, including on topics such as migration and inflation (T0083: Integrate Target Audience Vulnerabilities into Narrative).

In our June report, we saw how the influence operation has utilised existing conspiracy theories when targeting Germany, the U.S., and Ukraine (T0022.001: Amplify Existing Conspiracy Theory Narratives).

 

Develop Content

 

Doppelganger has created fabricated news articles to spread their narratives to their target audience (T0085.003: Develop Inauthentic News Articles).

In our dataset for this report and the September report, we can see that the influence operation uses memes, images with text, and cartoons, to spread their narratives (T0086.001: Develop Memes).

 

Establish Assets

 

The Doppelganger influence operation has been tied to a Russian company called Social Design Agency, which is seemingly hired by the Kremlin to conduct influence operations such as Doppelganger (T0091.001: Recruit Contractors).

The Doppelganger influence operation is using free X accounts (T0146.001: Free Account Asset) to post their operational content.

Our September report highlighted how the Facebook pages used to promote Doppelganger content show signs of being created in bulk, including having similar naming schemes (T0150.008: Bulk Created Asset).

Our September report also shows how the content of the X accounts used by the influence operation suggests that they might have previously been used to promote cryptocurrencies (T0150.004: Repurposed Asset). It is possible that the influence operation purchased these X accounts (T0150.006: Purchased Asset).

As seen in our current dataset, the Doppelganger accounts try to get more legitimacy by adding profile pictures (T0145: Establish Account Imagery) that seem to depict real people, indicating that they might be stolen from other social media accounts (T0145.001: Copy Account Imagery). A large portion of the accounts use illustrated images (T0145.005: Illustrated Character Account Imagery).

To avoid X’s automated content moderation, Doppelganger uses front domains (T0149.001: Domain Asset) that redirect users through the FI-KE-D redirect chain (T0149.004: Redirecting Domain Asset), identified and defined by the Qurium Media Foundation. Simply said, the FI-KE-D infrastructure is a digital infrastructure that directs users through several domains and IPs (T0149.006: IP Address Asset) until they reach a lookalike Doppelganger domain (T0149.003: Lookalike Domain).

 

Establish Legitimacy

 

The content we identified presented the influence operation’s pages as belonging to citizens of the countries they targeted (T0143.002: Fabricated Persona, T0097.101: Local Persona).

The influence operation has leveraged existing inauthentic news sites (T0098.002: Leverage Existing Inauthentic News Sites), such as Welt(.)pm to deliver and legitimise their operational content and narratives. Doppelganger regularly creates new lookalike and inauthentic news websites (T0098.001: Create Inauthentic News Sites), such as the ones we highlighted in this report. Some of these websites impersonate existing news websites (T0143.003: Impersonated Persona, T0097.202: News Outlet Persona).

 

Microtarget

 

Our dataset shows that Doppelganger seems to have localised its content, focusing on country-specific issues and using the language of its target audience (T0101: Create Localised Content).

In our September report, we show that on Meta’s platform, the influence operation purchased targeted ads to reach their audience (T0018: Purchase Targeted Advertisements).

 

Select Channels and Affordances

 

In our September report, we show how on Meta, the Doppelganger influence operation used Facebook (T0151.001: Social Media Platform) pages to spread their operational content (T0151.003: Online Community Page) via Facebook ads (T0153.005: Online Advertising Platform).

On Twitter (T0151.008: Microblogging Platform), the influence operation is spreading links that take you to a Doppelganger website (T0152.004: Website Asset).

 

Deliver Content

 


On Meta, the influence operation delivered their operational content via Meta ads (T0114: Deliver Ads, T0114.001: Social Media).

As we showed in the September report, the main method of delivering the content to the target audience on X was to comment on other users’ posts by quote-tweeting the Doppelganger post (T0116.001: Post Inauthentic Social Media Comment).


Maximise Exposure


In our September dataset, we saw that the amplification of the tweets is all done within a very short time frame, indicating that the quote tweeting is likely automated (T0049.003: Bots Amplify via Automated Forwarding and Reposting).

A subset of the Doppelganger influence operation also relied on flooding existing trending hashtags with their content (T0049.002: Flood Existing Hashtag), as shown by Marcus Müller.

In our September report, we showed how Doppelganger, on Meta, used symbols and spaces to obfuscate words that could trigger automated content moderation (T0049.004: Utilise Spamoflauge).

As Qurium has shown, Doppelganger also used obfuscated URLs, hiding the final Doppelganger URL from X’s automated content moderation systems (T0121.001: Bypass Content Blocking).


Drive offline activity

 


In the September report’s Ukrainian language dataset, several calls to action were also observed, calling on people to demonstrate against the government (T0126.001: Call to Action to Attend). Similar observations were made in this report’s dataset.

 

Persist in the Information Environment


In the September report, we describe how the influence operation deactivated the redirection URLs after a few days to cover their tracks, making attribution harder (T0129.004: Delete URLs).

In our September report, we also showed how Doppelganger utilised bulletproof hosting services, a type of hosting provider that allows illegal activity on their servers and hides the identity of the entity behind it, to further avoid attribution (T0130.002: Utilise Bulletproof Hosting).

In the September report, we also showed how the influence operation seems to have taken steps to conceal its Russian-linked identity, including registering the Twitter accounts used in the operation in countries other than Russia (T0129.001: Conceal Network Identity).

While the initial replies to the original posts published in June in our dataset from the September report appeared to stem from authentic accounts, reactions in July showed hints of inauthenticity. Then weeks after the publication of the original posts, other accounts could be observed replying to them positively. This is possibly an attempt to further amplify the original posts (T0060: Continue to Amplify).

 

Funding

 

The Counter Disinformation Network (CDN) is a collaborative platform that gathers more than 150 information manipulation-countering practitioners from over 35 civil society organisations, universities, news organisations, fact-checking organisations and independents mostly from Europe and North America. The network was initially convened by Alliance4Europe with the aim of protecting European democracy and information integrity. The network works to coordinate projects, respond to major events and crises, distribute research findings to actors who can use it, and facilitate exchange.

This report was written through the Information Defence Alliance project of the CDN, financed by the Ministry of Foreign Affairs of the Republic of Poland within the grant competition “Public Diplomacy 2024-2025 – the European dimension and countering disinformation”.

The opinions expressed in this publication are those of the authors and do not reflect the views or the official positions of the Ministry of Foreign Affairs of the Republic of Poland.