Russia's AI-Powered Disinformation Operation Targeting Ukraine, U.S., and Germany

Cyber Security Threat Summary:
An influence operation dubbed Doppelganger, associated with Russia, has emerged and is actively targeting Ukrainian, U.S., and German audiences. Using a combination of fake news websites and social media accounts, the campaign seeks to undermine Ukraine while spreading sentiments questioning U.S. military competence and highlighting Germany’s social and economic issues.

Described by Meta as one of the most persistent Russian-origin operations, Doppelganger is known for its anti-Ukrainian propaganda and has been active since at least February 2022. It is associated with companies named Structura National Technologies and Social Design Agency. The operation employs brandjacking techniques, creating fake websites that mimic legitimate media sources, and also uses advanced tactics such as AI-generated content to disseminate adversarial narratives. Its use of more than 800 social media accounts and of domain redirects, including the Keitaro Traffic Distribution System, highlights Doppelganger's evolving tactics.

Security Officer Comments:
Specifically, in the U.S. and Germany, Doppelganger used bogus media outlets such as Election Watch, MyPride, and Warfare Insider to publish malign content. Despite these efforts, the campaign's actual impact appears minimal, with little engagement from genuine users. It nonetheless underscores the persistent nature of Russian information warfare, which aims to manipulate public opinion. Meta’s recent report highlighted new websites associated with Doppelganger that focus on U.S. and European political topics, copying and altering content from mainstream U.S. sources to question democracy and promote conspiracy theories.

Suggested Correction(s):
Researchers at Recorded Future have published IOCs associated with the Doppelganger campaign and recommend the following mitigations:

  • Administrators of domains should continue to strengthen their defenses against cyberattacks, such as account hijacking, that threat actors can use to spread malign influence narratives and promote inauthentic news outlets hidden behind unrelated domains.
  • We recommend that the counter-malign influence research community — including cybersecurity and threat intelligence firms, fact-checking organizations, journalists and media, research firms, independent researchers, and the public sector — continue cooperating and collaborating on monitoring, exposing, and countering Doppelgänger.
  • Media organizations should also actively conduct brand monitoring to detect potential brand abuse from typosquatting domains, unauthorized use of organization logotype, and organization impersonation as well as journalist impersonation on social media and other open sources.
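
A sketch of the typosquatting part of that brand monitoring, added here as an example and not taken from Recorded Future or Meta: it screens newly observed domain names against an outlet's own domain for a copied name under another suffix, look-alike characters, and near-miss spellings. The brand `example-news.com`, the observed domains, and all function names are constructed for illustration.

```python
import unicodedata

# Constructed sample data: a hypothetical outlet and newly observed domains.
BRAND = "example-news.com"
OBSERVED = ["example-news.ltd", "examp1e-news.com", "exampel-news.com",
            "example-news.com", "weather-report.org", "example-news.com.co"]

# Small digit-for-letter map (an assumption; extend for your brand's alphabet).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def split_domain(domain):
    """Split a registrable domain at its first dot (naive: no public-suffix list)."""
    name, _, suffix = domain.lower().rstrip(".").partition(".")
    return name, suffix

def skeleton(name):
    """Fold accents and common look-alike characters for visual comparison."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return folded.translate(CONFUSABLES)

def edit_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    m, n = len(a), len(b)
    d = [[i + j if i * j == 0 else 0 for j in range(n + 1)] for i in range(m + 1)]
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[m][n]

def classify(domain, brand=BRAND):
    """Return the reason a domain looks like brand abuse, or None."""
    if domain.lower() == brand:
        return None  # the outlet's own domain
    name, _ = split_domain(domain)
    b_name, _ = split_domain(brand)
    if name == b_name:
        return "same name, different suffix"
    if skeleton(name) == skeleton(b_name):
        return "look-alike characters"
    if edit_distance(skeleton(name), skeleton(b_name)) <= 2:
        return "near-miss spelling"
    return None

def review(observed, brand=BRAND):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in observed if (r := classify(d, brand))}
```

Feeding `review()` from certificate transparency logs or newly registered domain lists is one option; flagged names still need manual review before any takedown request.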