38C3: Cloaking, Identity Theft & Co. – The Technology Behind Russian Disinformation



It is considered one of the largest disinformation campaigns in the EU: the “doppelganger campaign” controlled by Russia. Alexei Hawk and Max Bernhard of the research platform Correctiv, speaking on Monday at the 38th Chaos Communication Congress (38C3) in Hamburg, provided insight into the technology behind it. The actors use the toolbox of online fraudsters and other cyber criminals to spread their propaganda and fake news across the world. This primarily includes identity theft, use of stolen credit cards, bulletproof hosting, obfuscation via cloaking services, and multi-stage redirection mechanisms.



Bernhard said that the doppelganger campaign has been going on for more than two years. It began immediately after the start of the Russian war of aggression against Ukraine. The focus is on fake news websites that mainly imitate German, French and American media such as Spiegel, Le Parisien or Fox News. There are also specialized blogs such as Reliable Recent News, whose title originally contained the word “Russian” before it was changed. Troll factories have long been known in St. Petersburg and other Russian cities. For Doppelganger, the journalists, working with the Swedish partner organization Qurium, identified Structura, the Social Design Agency and Argon Labs as the executing companies.

Bernhard stressed that these companies, placed on sanctions lists by the EU and Great Britain, are directly subordinate to the Russian Presidential Administration and the Defense Ministry. They were commissioned by the Kremlin to conduct operations for “large-scale digital influence”. To do this, they needed solid infrastructure: hosting, redirects, and mechanisms to distribute content through social media. Influencers, Telegram channels and content creators are hardly less essential.



(Image: CC BY 4.0 media.ccc.de)

One inspiration, for example, were ads on X that look exactly like the doppelganger sites. “The German Bundesbank is suing Sahra Wagenknecht”, one reads, in the design of German news portals. Anyone who clicks on it usually ends up in a rip-off pyramid scheme built around more or less real cryptocurrency.

Hawk explained that in such fraud campaigns, and in the doppelganger campaign, an obfuscated URL like v4utp3.djovn.shop eventually leads to a domain like spiegel.ltd via various detours. In between sits a filtering process that ensures the review teams of Facebook, X & Co. land on a harmless “white page”. Cloaking services are a way to circumvent the controls of social networks, Bernhard said. Platform staff do check redirect links and where they lead, but the actual destination of such a service can remain hidden from them, because it distinguishes between social media moderation teams, bots and real users. This kind of cloaking is a huge business in Russia; the biggest forum for it is FB-Killa, and payment is made anonymously in cryptocurrencies.
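To make the hop-by-hop filtering concrete, here is an added illustration from the defender's side (not code from the talk or from Correctiv): a resolver that walks the redirect chain once as an ordinary user and once as a platform reviewer, and flags when the two clients end up on different pages. Only v4utp3.djovn.shop and spiegel.ltd come from the article; the tracker host, URL paths, responses and the loop case are constructed sample data.

```python
# Constructed sample data: the same intermediate hop answers differently depending on who asks.
# v4utp3.djovn.shop and spiegel.ltd are named in the article; the tracker host, paths and
# bodies are invented for this illustration. Values are (HTTP status, Location or body).
SAMPLE_CHAIN = {
    ("https://v4utp3.djovn.shop/ad", "user"): (302, "https://tds.hop.invalid/go?id=7"),
    ("https://v4utp3.djovn.shop/ad", "reviewer"): (302, "https://tds.hop.invalid/go?id=7"),
    ("https://tds.hop.invalid/go?id=7", "user"): (302, "https://spiegel.ltd/artikel/123"),
    ("https://tds.hop.invalid/go?id=7", "reviewer"): (200, "<html>harmless white page</html>"),
    ("https://spiegel.ltd/artikel/123", "user"): (200, "<html>fake news article</html>"),
    ("https://loop.invalid/a", "user"): (302, "https://loop.invalid/b"),
    ("https://loop.invalid/b", "user"): (302, "https://loop.invalid/a"),
}
REDIRECTS = {301, 302, 303, 307, 308}

def fake_fetch(url, profile):
    """Offline stand-in for an HTTP client that does NOT auto-follow redirects."""
    return SAMPLE_CHAIN.get((url, profile), (404, ""))

def follow_chain(start, fetch, profile, max_hops=10):
    """Walk Location headers hop by hop and return every URL visited.
    Stops at the first non-redirect answer, on a loop, or at max_hops."""
    chain, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, target = fetch(url, profile)
        if status not in REDIRECTS:
            break
        chain.append(target)
        if target in seen:  # redirect loop: record the repeat and stop
            break
        seen.add(target)
        url = target
    return chain

def detect_cloaking(start, fetch):
    """Resolve the chain as an ordinary user and as a platform reviewer; report
    whether they end on different pages and which hop answered differently."""
    user_chain = follow_chain(start, fetch, "user")
    reviewer_chain = follow_chain(start, fetch, "reviewer")
    common = 0
    for a, b in zip(user_chain, reviewer_chain):
        if a != b:
            break
        common += 1
    cloaked = user_chain != reviewer_chain
    return {
        "user_final": user_chain[-1],
        "reviewer_final": reviewer_chain[-1],
        "cloaked": cloaked,
        "diverges_at": user_chain[common - 1] if cloaked else None,  # last shared URL
    }
```

Against live links, replace fake_fetch with a client that does not follow redirects on its own (for example requests.get(url, allow_redirects=False)) and varies the User-Agent or source address per profile; the hop reported in diverges_at is the one worth reporting to the hoster or registrar.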

According to the researchers, the campaign uses promotional hosting sites with single-use, intermediate and so-called Keitaro domains that change constantly. Bernhard pointed out that the relevant providers are sometimes founded by young Russians specifically for such purposes. Many of those service providers are linked to AZA. One of these sub-companies is TNSecurity, whose founder is listed as twenty-year-old Anastasija B., reportedly a Latvian. When contacted, she introduced herself as a Russian woman who had recently given up her job as a hairdresser. It is very doubtful that she runs the company. The company has meanwhile become adept at taking advantage of zero-day exploits.

According to Bernhard, the doppelganger also relies on Hetzner, VDSina.ru, Cloudflare, Hostinger, Shinjiru, Zomro and Stark Industries for hosting; the latter provider has repeatedly been used for DDoS attacks against Western countries, and the cyber gang Fin7 is also among its clients. Hawk reported how invented and stolen identities were used with Western companies. For instance, 70-putin-freunde.de or landwirtinnen.de were registered with the .de domain registry DENIC to a certain Leonhard Repampe K.; Freikorps.press and delfi.top are other addresses registered in his name. The money for this comes from Konstantin P., according to an FBI seizure order. According to Hawk, K. actually exists, but claims to be a victim of identity theft. The FBI has named two other relevant individuals with long domain lists.

Bernhard said disposable domains can also be rented through marketplaces like DMarket. But one does not have to watch helplessly. At least some of the larger Western companies have stopped providing services to the impersonators after signs of abuse of their services by the lookalikes emerged, Hawk noted with satisfaction. The operators therefore have to restructure constantly. Over the summer and fall the entire redirect chain did not work, and the bot links led nowhere. Hawk concedes: “The campaign can no longer cause any significant damage.”

According to Bernhard, the Ukrainian cloaking service Kehr also shut down relevant accounts after evidence of the lookalikes emerged. How successful a given piece of disinformation is remains hard to say. The campaigners ultimately try to exploit existing narratives. But they lie not only to their target audience but also to the Kremlin, by fudging the number of contacts. The Bavarian State Office for the Protection of the Constitution estimated in August that nearly 8,000 individual campaigns were delivered to over 700 targeted websites within 14 months via the Doppelganger infrastructure. These alone would have reached nearly three-quarters of a million readers over the course of eight months.


(ea)
