The DoppelGänger campaign, a Russian influence operation, has been identified as utilizing fake news websites to spread disinformation, particularly targeting Ukraine. Structura and SDA are the masterminds behind this campaign, which began in May 2022 and is focused on countries like France and Germany.
The campaign involves the use of inauthentic social media accounts, specifically on video platforms, to amplify fake news articles. Interestingly, the timing of the campaign’s activities seems to align with real-world events such as protests, aid decisions, and national budget votes, indicating a deliberate attempt to take advantage of sensitive situations.
The campaign relies on a three-stage redirection process. The first stage provides social media platforms with thumbnail metadata. The second stage fetches and executes an obfuscated JavaScript script from the third stage, which ultimately redirects users to disinformation websites. Stage three uses Keitaro to monitor campaign performance. A new cluster linked to the campaign is managed by a control panel designed to handle multiple disinformation websites simultaneously.
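For defenders triaging links shared on social media, the page shape described above can be checked with a simple heuristic: link-preview metadata is present, there is almost no visible article text, and a script is loaded from another host. The following is an added example, not code from the researchers or the campaign. The threshold, the function names and the `.example` hosts are assumptions, and the sample HTML is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageShape(HTMLParser):
    """Collects preview metadata, script hosts and visible text length."""
    def __init__(self):
        super().__init__()
        self.preview_tags = 0       # og:* / twitter:* tags read by link previewers
        self.script_hosts = set()   # hosts that <script src=...> loads from
        self.visible_chars = 0      # text a human visitor would actually see
        self._hidden = 0            # depth inside script/style/title

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            key = (a.get("property") or a.get("name") or "").lower()
            if key.startswith(("og:", "twitter:")):
                self.preview_tags += 1
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative paths
            if host:
                self.script_hosts.add(host)
        if tag in ("script", "style", "title"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style", "title") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.visible_chars += len(data.strip())

def classify(html, page_host, max_visible=200):
    """Flag pages that are preview metadata plus a foreign script, with no article."""
    p = PageShape()
    p.feed(html)
    p.close()
    foreign = sorted(h for h in p.script_hosts if h != page_host)
    hit = p.preview_tags >= 2 and p.visible_chars <= max_visible and bool(foreign)
    return {"suspicious": hit, "foreign_script_hosts": foreign,
            "preview_tags": p.preview_tags, "visible_chars": p.visible_chars}

# Constructed samples; the .example hosts are placeholders, not campaign infrastructure.
STAGE_LIKE = ('<html><head><title>Breaking</title>'
              '<meta property="og:title" content="Headline">'
              '<meta property="og:image" content="https://stage1.example/t.jpg">'
              '<meta name="twitter:card" content="summary_large_image"></head>'
              '<body><script src="https://stage2.example/l.js"></script></body></html>')
ARTICLE = ('<html><head><meta property="og:title" content="Story">'
           '<meta property="og:image" content="https://news.example/i.jpg"></head>'
           '<body><p>' + 'Lorem ipsum ' * 40 + '</p>'
           '<script src="https://cdn.example/a.js"></script></body></html>')
```

A hit is only a lead for manual review, since legitimate single-page applications can have the same shape.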
The primary target audience for the disinformation spread through the DoppelGänger campaign appears to be Russian-speaking individuals. This shift in focus suggests that the Russian agencies behind the campaign may also be involved in other propaganda efforts aimed at Russian audiences. The network of fake websites uses sophisticated audience targeting techniques, including language customization, cultural references, and political alignment, to influence specific demographics and online communities.
The infrastructure supporting the DoppelGänger campaign is multi-layered and intricate. Social media posts with controversial themes serve as the initial bait, leading users through a series of redirection techniques to articles hosted on compromised legitimate news outlets or newly created fake websites. An open-source Traefik control panel has been discovered, likely managing disinformation websites for the campaign, with detailed statistics available on server health and website performance.
Analysis of logs has uncovered requests for non-existent articles and identified potential redundancy solutions involving mirrored content on different IP addresses. Researchers at Sekoia have linked this new DoppelGänger cluster targeting Russian speakers to the same actors behind previously known campaigns. Websites like newsroad.online, which use Cloudflare CDN to mask their IP addresses, have been exposed through vulnerabilities in their Content Management System, such as a misconfigured WordPress pingback function.
Overall, the DoppelGänger campaign represents a sophisticated and coordinated effort to spread disinformation and influence public opinion. By exploiting social media platforms, fake news websites, and audience targeting techniques, the perpetrators behind this campaign are able to manipulate narratives and sow discord in target countries. Vigilance and awareness are crucial in combating such information warfare tactics and protecting democratic processes worldwide.
