Doppelgänger operation rushes to secure itself amid ongoing detections, German agency says

Summary: The Russian propaganda network Doppelgänger is facing operational challenges due to increased scrutiny and enforcement from European authorities and social media platforms. Recent investigations revealed its extensive disinformation activities across Europe, prompting the network to adapt its tactics in response to ongoing crackdowns.

Threat Actor: Doppelgänger | Doppelgänger
Victim: European public and social media users | European public and social media users

Key Point :

  • Doppelgänger has created hundreds of thousands of fake profiles and websites to spread disinformation primarily in Germany, France, the U.S., Ukraine, and Israel.
  • In response to enforcement actions, the network is adapting its tactics, including spoofing nonpolitical websites and testing methods to evade detection.
  • Meta reported significant operational shifts in Doppelgänger’s activities, including the removal of over 5,000 accounts linked to the network since May.

The Russian propaganda network known as Doppelgänger is struggling to maintain its operations amid a crackdown on its infrastructure, according to a recent report.

Following the recent disclosure that European hosting companies, knowingly or not, provided services to the Kremlin-linked disinformation campaign, Doppelgänger operators rushed to back up their systems and secure their data, according to findings by the Bavarian State Office for the Protection of the Constitution (BayLfV).

“The actor behind the Doppelgänger campaign would have had to anticipate that this disclosure could result in a termination or shutdown by the provider,” BayLfV said in a report published this week.

The agency, part of the Bavarian state government in Germany, spent several weeks quietly monitoring how Doppelgänger was operating and learned about the work methods and even the working hours of those running the network.

The Russian-language disinformation network has been operating in Europe since at least May 2022. According to BayLfV, it has created hundreds of thousands of fake profiles or identities on social media, dozens of fake websites of leading media outlets, and its own fake news portals to spread disinformation, primarily in Germany, France, the U.S., Ukraine, and Israel.

During the analysis, BayLfV found more evidence confirming Doppelgänger’s link to Russia, including the use of Russian IP addresses and the Cyrillic alphabet in commands and in the naming of campaigns. Additionally, the network’s activities were conducted during office hours in the Moscow and St. Petersburg time zones, while the threat actors took breaks on Russian holidays.

The report by German authorities followed an investigation by digital rights nonprofits Qurium and EU DisinfoLab, which uncovered infrastructure located or registered in at least ten European countries that is used by Doppelgänger.

German nonprofit journalism group Correctiv, which was also involved in the investigation, noted that German authorities were aware of the European infrastructure abuse by Doppelgänger but did not appear to be taking any action at that time.

In the latest report, BayLfV noted that Doppelgänger’s recent operational overhaul was likely triggered by Qurium’s report, adding that the threat actor seemed to be acting under “significant time pressure.”

Facebook owner Meta, meanwhile, reports observing “notable shifts” in Doppelgänger’s operational tactics on its platform in response to “aggressive enforcement.” Meta said on Thursday that since May, it has removed over 5,000 accounts and pages linked to Doppelgänger.

To adapt to ongoing detections, researchers have found that Doppelgänger is spoofing the websites of primarily nonpolitical and entertainment news outlets like Cosmopolitan, The New Yorker and Entertainment Weekly. Doppelgänger also is actively testing ways to avoid detection, with the majority of ads being caught before they run or within hours after submission, Meta said.

According to the social media company, ongoing enforcement against Doppelgänger has degraded the quality its efforts. “This suggests that even with the most persistent operators, persistent enforcement has a significant impact on their operational capabilities,” Meta said. “Our goal is to keep driving the operational cost of these campaigns up, making them less and less effective.”

Read More: Meta warns of troll networks from Russia, Iran ahead of US elections

Editor’s Note: Story updated 11 a.m. Eastern U.S. time with details from Meta’s report.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

Source: https://therecord.media/doppelganger-influence-operation-struggle-bavarian-baylfv-report