X-Industry

SentinelLabs and ClearSky Cyber Security have been tracking a propaganda and disinformation campaign since late November 2023, highly likely orchestrated by Doppelgänger, a suspected Russia-aligned influence operation network known for its persistent and aggressive tactics.  Initially focusing on disseminating anti-Ukraine content following the onset of the Russo-Ukrainian conflict, Doppelgänger has since broadened its scope, targeting audiences in the US, Israel, Germany, and France.

Analysts observed a significant emphasis by Doppelgänger on targeting German audiences. The network’s activities are characterized by consistent efforts to disseminate propaganda and disinformation content, particularly by exploiting current topics of geopolitical and socio-economic significance among the population.  Most content seizes every opportunity to criticize the ruling government coalition and its support for Ukraine.[1]

With Doppelgänger activities intensifying in times of frequent political shifts in Germany, we suspect that the network’s goal is to erode support for the coalition in light of upcoming European Parliament, municipal, and federal state elections, culminating in federal government elections scheduled for 2025.  While Sentinel was documenting the Doppelgänger campaign, the German Ministry of Foreign Affairs and the prominent German media outlet Der Spiegel reported on overlapping activities, highlighting a growing concern about election interference.  In this post, we supplement existing reporting by providing additional technical indicators and insights into Doppelgänger’s tactics and disseminated content, aiming to heighten public awareness of this threat further.

This report focuses on Doppelgänger activities targeting German audiences; a complementary report by Clearsky Cyber Security delves into the network’s targeting of Israel, the United States, and Ukraine.  The activities we observed closely resemble and partially overlap with those previously reported by Recorded Future and Meta, indicating the persistent nature of Doppelgänger.

Sentinel observed Doppelgänger orchestrating an extensive coordinated network of X (formerly known as Twitter) accounts. These accounts propagate content from third-party websites whose content aligns with Doppelgänger propaganda goals and from sites that Doppelgänger itself has created.

Most X accounts discovered as part of our investigation had not been deactivated at the time of writing.  To maximize visibility and audience engagement, these accounts participate in coordinated activities, such as regularly posting and reposting content from trendy profiles and engaging with posts from other suspected Doppelgänger-managed accounts.  The posts from these accounts contain links that redirect visitors through two stages to the destination articles intended for consumption.  These stages implement obfuscation and tracking techniques.  Coupled with the carefully constructed infrastructure management practices observed Doppelgänger implementing, this underscores the network’s determination to operate without interruptions while effectively tracking the performance of its influence operations.

Redirection Stages - The first-stage websites, which Doppelgänger distributes on X, use thumbnail images hosted at telegra[.]ph to obfuscate the website thumbnails and redirect to second-stage sites.

First-stage website - The second-stage websites contain text unrelated to the campaign and execute a JavaScript code obfuscated using Base64-encoding.

Second-stage website - The JavaScript code samples we analyzed issue a request to ggspace[.]space (reported as part of previous Doppelgaenger campaigns) or sdgqaef[.]site.  The request includes tracking information, which is likely a campaign identifier.  These are in the format of [country]-[day]-[month]_[domain], where [domain] refers to the domain hosting the destination article (DE-02-01_deintelligenz for an article hosted at deintelligenz[.]com).  The IOC table at the end of this post lists some of the observed campaign identifiers.

Second-stage website: Deobfuscated

Second-stage website: Deobfuscated JavaScript code

In addition, the JavaScript code executed by second-stage websites dynamically loads another JavaScript code provided by ggspace[.]space or sdgqaef[.]site, which implements the logic for generating web content that redirects to a destination article.

JavaScript code from sdgqaef[.]site

sdgqaef[.]site and ggspace[.]space host at the /admin URL path a login page, which has been assessed as of the Keitaro Tracking System. Doppelganger possibly uses Keitaro to track the effectiveness of its campaigns.

Login page hosted at sdgqaef[.]site

Social Media Activities - Probably in an attempt to increase their visibility, some of the suspected Doppelgänger-managed X accounts we identified regularly post content which does not necessarily contain first-stage websites. In contrast, others remain idle for relatively long periods.

An active and idle suspected Doppelgänger account

Analysts observed accounts posting content linking to first-stage sites in multiple languages of the targeted audiences.  Further, the Doppelgänger’s account network is probably attempting to increase the engagement metrics of posts that link to first-stage websites in a targeted manner through reposts and views.  This becomes evident when these metrics are compared with the metrics of posts by the same accounts that do not link to first-stage websites.

Multi-language posts tailored to the targeted audiences

Engagement metric discrepancies

Multiple clusters of suspected Doppelgänger-managed accounts that joined the X platform within the same month were identified.  Analysts observed a significant level of coordination in the activities of the accounts within the same cluster, suggesting centralized control.  This includes reposting the same content almost simultaneously, typically that of trendy profiles.  In addition, engagement metrics of posts that link to first-stage sites by suspected Doppelgänger accounts within the same cluster often have very similar engagement metrics.

Coordinated activities

Engagement metric similarities

Sentinel’s analysis of the engagement metrics for almost all the accounts we identified revealed a range of reposts between 700 and 2000, with a median value of 883, and a range of views between 613 and 14000, with a median value of 5000.

Propaganda and Disinformation Content - Doppelgänger has been very active in creating websites that host articles for consumption by targeted audiences through the previously described multi-stage approach.  There are domains and websites impersonating third-party news outlets, including mimicking their design, structure, and domain names, such as welt[.]pm (inauthentic) vs. welt[.]de (authentic) and faz[.]ltd (inauthentic) vs. faz[.]net (authentic).  Sentinel assesses that Doppelgänger has created the rest of the websites we observed with original design and structure and no indications of impersonating established news platforms.  In most cases, we observed consistent and regular publishing of new content, with only occasional idle periods lasting a few days.  Some of the content consists of a blend of materials sourced from other websites and translated into the languages of the targeted audiences.

A closer look at the custom-built websites indicates that Doppelgänger has been making a fast-paced effort to bring its websites online and start distributing content.  For example, some sites include template text or exhibit errors in search functionalities.  Furthermore, nearly all of these websites lack a social media presence. They display icons of social media platforms that link to the domains of these platforms rather than specific profiles.

Template text (emphasis added)

Many custom-built websites have been built and managed using the WordPress content management system. Some websites displayed status messages in Russian when users performed content searches, and the activity failed with an error indicating the use of Russian-language WordPress components.

WordPress status message translates to “Search for.”

The majority of the articles Doppelgänger distributes have a strong anti-government narrative, especially in regard to the government’s support of Ukraine.  The article snippets we present below are machine-translated from German into English.  An article at arbeitspause[.]org discusses a recent series of strikes by workers in German public transport demanding better wages and working conditions.  The challenges relating to the state of workers in this sector, such as rising living costs due to inflation and shortage of workers, are a pressing concern in Germany that captures the attention of the broader population.

Article snippet from arbeitspause[.]org, referencing Scholz, the German chancellor (emphasis added)

On a similar note, another article at arbeitspause[.]org focuses on the recent strikes by German farmers, which involved the blockade of major roads and were motivated by rising living costs and the government’s plan to phase out agricultural subsidies.  Overlapping at times with the strikes in the public transport sectors, the farmers’ strikes have been disrupting mobility and garnered the attention of the population and mass media.  Doppelgänger has attempted to capitalize on the momentum by criticizing the government’s plan regarding agricultural subsidies, drawing a connection to the government’s support for Ukraine.

Article snippet from arbeitspause[.]org

An article at derglaube[.]com focuses on the German immigration policy, which, according to some polls, ranks among the top issues for voters in Germany.  The media frequently covers topics relating to the government’s allocation of funds for immigration-related programs and services.  Consistent with typical Doppelgänger practices, the influence operation network uses this opportunity to cast the government in a negative light and introduce its support for Ukraine into the narrative.

Article snippet from derglaube[.]com (original emphasis)

To blend political-oriented propaganda or disinformation among other topics, some websites host articles covering broader subjects such as health, sports, and culture.  Observed were attempts to introduce propaganda even in such articles.  For example, an article hosted at miastagebuch[.]com initially discusses headaches from a medical perspective only to later indicate the German government as one of the major causes of headaches.

Anti-government statements in a health-themed article (emphasis added)

Doppelgänger also targets Germany through articles published by third-party outlets, such as telepolis[.]de, freiewelt[.]net, overton-magazin[.]de, and deutschlandkurier[.]de.  The articles from these outlets that Doppelgänger disseminates focus on both domestic and international topics, some with a strong anti-Western narrative.  For instance, an article from overton-magazin[.]de portrays the West as profiteering from the Russo-Ukrainian conflict, while depicting Ukraine as a plaything of Western global players (cit.).

Article snippet from overton-magazin[.]de (emphasis added)

Additionally, an article from osthessen-news[.]de highlights factors such as the Ukraine war and inflation as contributors to economic challenges in Germany, prompting medium-sized companies to consider restructuring due to escalating costs.  Issues concerning small- and mid-sized companies are particularly relevant to the broader German audience, given their significant contribution to the country’s economy.

Article snippet from osthessen-news[.]de

Infrastructure - The Doppelgänger infrastructure can be structured into four parts subject to different infrastructure management and control practices, with each part designated to hosting the various entities involved in disseminating content for consumption by targeted audiences: the first-stage and second-stage redirection websites, the servers likely used for monitoring campaign performance (ggspace[.]space and sdgqaef[.]site), and the destination websites.

First- and second-stage websites often shift between hosting providers, such as Hostinger, Global Internet Solutions, and Digital Ocean.  The domains of these websites typically have short lifespans, lasting only several days at a time and recurring multiple times over a few years. We observe that Doppelgänger activates the domains briefly during its campaigns before deactivating them.

The domains of the first-stage websites have a diverse range of top-level domains (TLDs), including generic TLDs such as .buzz, .art, .store, .site, and .online, as well as country code TLDs like .co.uk and .br.  The domains’ format suggests an automated generation approach involving the creation of subdomains and numerical suffixes:pcrrjx.kredit-money-fun169[.]buzz and yzrhhk.kredit-money-fun202[.]buzz.

This strategy, combined with the frequent rotation between hosting providers and the cyclical nature of the domains, indicates an effort by Doppelgänger to evade detection and tracking of its first-stage infrastructure, which is exposed on social media platforms and, therefore, more likely to be subjected to scrutiny.  Doppelgänger does not apply the same domain naming convention to second-stage websites that are not directly exposed to social media platforms.

Playing a central role in Doppelgänger’s campaigns, ggspace[.]space and sdgqaef[.] sites are responsible for redirection and presumably monitoring campaign performance.  They are hosted behind a Cloud-based reverse proxy infrastructure, likely implemented as a security measure to obfuscate their true hosting locations.  In contrast to the first-stage and second-stage domains, the active periods of these domains typically span several months during Doppelgänger’s campaigns.  Many servers hosting the destination websites are managed using cPanel, and some implement geofencing, which restricts traffic to IP addresses from targeted countries.  This practice is likely intended to minimize exposure of their infrastructure and content to scrutiny and monitoring by researchers or authorities outside those regions, reducing the likelihood of detecting and investigating Doppelgänger’s activities.

The domains of the majority of these websites were first registered in the first quarter of 2023, and some as early as mid-2022, remaining active as of the time of writing.  A smaller subset of domains, such as derglaube[.]com, which we assess with high confidence as being managed by Doppelgänger at this time, have been active for nearly 10 years, with intermittent periods of inactivity lasting a few years at most.

Conclusions - Doppelgänger represents an active instrument of information warfare, characterized by strategically using propaganda and disinformation to influence public opinion.  The campaign targeting Germany we discussed in this post is a compelling example of the persistent and continually evolving nature of Russia-aligned influence operations, which exploit social media and topics of geopolitical and socio-economic significance to shape perceptions.

Sentinel anticipates that Doppelgänger’s activities, targeting Germany and other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years.  Doppelgänger will continue innovating its infrastructure and obfuscation tactics to make its activities more challenging to detect and disrupt.

Countering influence operations requires a comprehensive and collaborative approach involving enhancing public awareness and media literacy to identify and resist manipulation alongside prompt and effective actions by social media platforms and infrastructure operators to limit the spread of propaganda and disinformation online.

Sentinel will continue to monitor Doppelgänger's activities and remains committed to timely reporting on its operations to improve public awareness of this threat and mitigate its impact.

Indicators of Compromise

Due to the extensive volume of observed indicators, Sentinel presents only a selection, including indicators from parallel campaigns targeting France alongside those targeting German audiences.

Domains

Campaign Identifiers

DE-02-01_deintelligenz
DE-09-01_derrattenfanger
DE-13-01_nachdenkseiten_-2
DE-13-01_telepolis_-2
DE-15-11_deutschlandkurier
DE-17-11_jungefreiheit
DE-21-11_freiewelt
DE-23-12-2_arbeitspause
DE-23-12-2_arbeitspause
DE-24-11_grunehummel
DE-25-01_brennendefrage
DE-25-01_derglaube
DE-25-01_welt
DE-27-12_faz
DE-27-12_miastagebuch_-2
DE-27-12_sueddeutsche
DE-29-01_derbayerischelowe
FR-03-02_candidat
FR-03-02_lexomnium_-2
FR-04-02_allons-y
FR-13-01_original
FR-19-01_bfmtv_s
FR-23-12-2_franceeteu
FR-23-12-2_leparisien
FR-25-01_la-sante
FR-26-12_hungarianconservative
FR-26-12_lepoint_-2
FR-26-12_voltairenet
FR-27-12_ledialogue
FR-27-12_lesfrontieres

Suspected Doppelgänger-managed X/Twitter Accounts

AyniyeMcca18343
Brent8332812692
ButzlaffF6068
chareaterc59681
Chris423806
Dan2082135
elasagev1981744
Equinoxevt4
Eric69112331297
Eric81026324555
izaguine65954
jacksanbac66126
Jermaine1384705
Jermaine1384705
Jim388251815042
Joseph673224507
Joseph673224507
Kevin1135109
Kristin1039811
Marc182057
Marc1826509
Mark5768674550
MeadowOf43589
MehetabelW87922
MGlasscock91268
Mike3614071710
MingoGerri92116
MissyVoorh3954
MitchamNis5726
MKarg84246
ModestiaH56404
ModestineF72279
MonteroTer52325
MontesRodi62373
moore_tess5916
MorelockSo28285
MorganMcqu33699
MunroHelen78796
MurdockTip96177
myrta53009
NancyOrona49857
NannySpeer51042
NatalaWelb47593
Natasha90680770
NaylorVida41053
NCraighead92692
NFridley71438
Nikki9265841534
NikoliaE39574
NJean52219
NKuehner28951
OClodfelte8787
of_navy23563
of_novelis81275
OlguinElsy987
Oliver1325592
Omar37785134192
Pam807954589169
PauliHarry9140
PegeenD80598
Pete1192428369
Rayshaw78069964
Rounak1685212
Tim298432442090

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941 

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

[1] https://www.sentinelone.com/labs/doppelganger-russia-aligned-influence-operation-targets-germany/