Summary:
Keypoints:
- 32 websites seized as part of the Doppelganger campaign.
- Campaign believed to be Russian-sponsored cyberpropaganda.
- Domains used for distributing fake news and disinformation.
- Half of the seized domains were found to be cybersquatting on legitimate news sites.
- Analysis revealed connections to numerous other domains and IP addresses.
MITRE Techniques
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Phishing (T1566): Engages in deceptive practices to trick individuals into revealing sensitive information.
- Malware (T1203): Deploys malicious software to exploit vulnerabilities in systems.
- Domain Generation Algorithms (T1483): Uses algorithms to generate domain names for command and control purposes.
- Credential Dumping (T1003): Extracts account login credentials from compromised systems.
The U.S. Office of Public Affairs issued a statement on 4 September 2024 regarding the seizure of 32 websites that are believed to be part of the so-called “Doppelganger” campaign. According to the press release, Doppelganger could be a Russian-sponsored cyberpropaganda campaign designed to target the U.S. and other nations using fake news distributed through cybersquatting and other specially crafted domains.
While the statement did not disclose the seized domain names, we were able to get the complete list from The Hacker News. Upon closer examination, not all of the domains mimicked popular news sites the world over, some seem to have been specifically created to peddle disinformation. Take a look at the table below for more details.
| SEIZED DOMAIN | MIMICKING | DESCRIPTION |
|---|---|---|
| 50statesoflie[.]media | Fake news site | |
| acrosstheline[.]press | Fake news site | |
| artichoc[.]io | Fake news site | |
| bild[.]work | bild[.]de | German tabloid |
| faz[.]ltd | faz[.]net | German newspaper |
| forward[.]pw | forward[.]com | U.S. Jewish news site |
| fox-news[.]in | foxnews[.]com | U.S. news channel site |
| fox-news[.]top | foxnews[.]com | U.S. news channel site |
| grenzezank[.]com | Fake news site | |
| holylandherald[.]com | Fake news site | |
| honeymoney[.]press | Fake news site | |
| lemonde[.]ltd | lemonde[.]fr | French newspaper |
| leparisien[.]ltd | leparisien[.]fr | French newspaper |
| levinaigre[.]net | Fake news site | |
| lexomnium[.]com | Fake news site | |
| meisterurian[.]io | Fake news site | |
| mypride[.]press | Fake news site | |
| pravda-ua[.]com | pravda[.]com[.]ua | Ukrainian newspaper |
| rbk[.]media | rbc[.]ru | Russian media site |
| rrn[.]media | Fake news site | |
| shadowwatch[.]us | Fake news site | |
| spiegel[.]agency | spiegel[.]de | German news site |
| sueddeutsche[.]co | sueddeutsche[.]de | German newspaper |
| tagesspiegel[.]co | tagesspiegel[.]de | German newspaper |
| tribunalukraine[.]info | Fake news site | |
| truthgate[.]us | truthgate[.]so | Blog |
| ukrlm[.]info | ukrlm[.]so | Blog |
| uschina[.]online | uschina[.]org | Nonprofit organization site |
| vip-news[.]org | Fake news site | |
| warfareinsider[.]us | Fake news site | |
| waronfakes[.]com | Fake news site | |
| washingtonpost[.]pm | washingtonpost[.]com | U.S. newspaper |
In fact, our online searches revealed that only half of the seized domains were seemingly cybersquatting on legitimate news or information sources. Nevertheless, we performed an expansion analysis for the 32 domain names to identify other connected artifacts. Our DNS deep dive led to the discovery of:
- 384 registrant-connected domains
- 123 email-connected domains
- 64 IP addresses, 54 of which turned out to be malicious
- 2,463 string-connected domains, six of which turned out to be associated with various threats
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Facts about the Doppelganger Domains
We began our analysis by performing a bulk WHOIS lookup for the 32 domains, which showed that:
- Five domains had public registrant details. The domains lemonde[.]ltd and leparisien[.]ltd had public registrant organizations while shadowwatch[.]us, truthgate[.]us, and warfareinsider[.]us had public registrant email addresses and names.
The domains were split among 10 registrars led by Namecheap, Inc. with 14 domains. GoDaddy.com LLC took the second spot with four domains. NameSilo LLC accounted for three domains while Nameshield SAS; PDR Ltd.; Sarek Oy; and Tucows, Inc. administered two domains each. The three remaining domains were administered by GMO Internet, Inc.; Long Drive Domains LLC; and REG.RU LLC.
-
The seized domains were created between 2022 and 2024. Six were specifically created in 2022, 18 in 2023, and eight in 2024.
-
Thirty of the 32 domains were registered in six different countries topped by Iceland with 11 domains. The U.S. took second place with 10 domains while France came in third with five domains. Saint Kitts and Nevis accounted for two domains while Cyprus and Japan had one domain each. Note that two domains did not have registrant countries in their current WHOIS records.
The Hunt for Doppelganger-Connected Web Properties
To find other web properties that could have ties to the Doppelganger disinformation campaign, we performed reverse WHOIS searches using the registrant information we obtained from our bulk WHOIS lookup earlier. We found 384 registrant-connected domains after filtering out duplicates and the seized domains.
Next, we queried the 32 seized domains on WHOIS History API, which led to the discovery of 30 email addresses in their historical WHOIS records. Eleven of those email addresses were public.
We queried the 11 public email addresses on Reverse WHOIS API, which allowed us to uncover 123 email-connected domains after duplicates, the seized domains, and the registrant-connected domains identified in the prior step were filtered out.
After that, we performed DNS lookups on the 32 seized domains and found that they resolved to 64 unique IP addresses.
When queried on Threat Intelligence API, 54 of the 64 IP addresses turned out to be associated with various threats. Take a look at five examples below.
| 172[.]67[.]191[.]9 | Generic Phishing |
| 104[.]21[.]53[.]189 | Malware Phishing Suspicious |
| 172[.]67[.]176[.]235 | Attack |
| 172[.]67[.]199[.]6 | Malware Attack Phishing Generic |
| 104[.]21[.]31[.]110 | Malware Command and control (C&C) |
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Source: Original Post