Doppelgänger - Russia-aligned influence operation targets Germany
February 2024 by SentinelLabs and ClearSky
SentinelLabs and ClearSky Cyber Security have been tracking a propaganda and disinformation campaign since late November 2023, highly likely orchestrated by Doppelgänger, a suspected Russia-aligned influence operation network known for its persistent and aggressive tactics. Initially focusing on disseminating anti-Ukraine content following the onset of the Russo-Ukrainian conflict, Doppelgänger has since broadened its scope, targeting audiences in the US, Israel, Germany, and France.
SentinelLabs observed a significant emphasis by Doppelgänger on targeting German audiences. The network’s activities are characterised by consistent efforts to disseminate propaganda and disinformation content, particularly by exploiting current topics of geopolitical and socio-economic significance among the population. The majority of the content seizes every opportunity to criticise the ruling government coalition and its support for Ukraine.
With Doppelgänger activities intensifying in times of frequent political shifts in Germany, SentinelLabs suspects that the network’s goal is to erode support for the coalition in light of upcoming European Parliament, municipal, and federal state elections, culminating in federal government elections scheduled for 2025.
While SentinelLabs was documenting the Doppelgänger campaign, the German Ministry of Foreign Affairs and the prominent German media outlet Der Spiegel reported on overlapping activities, highlighting a growing concern about election interference.
This research focuses on Doppelgänger activities targeting German audiences; a complementary report by Clearsky Cyber Security delves into the network’s targeting of Israel, the United States, and Ukraine. The activities the researchers observed closely resemble and partially overlap with those previously reported by Recorded Future and Meta, indicating the persistent nature of Doppelgänger.
SentinelLabs observed Doppelgänger orchestrating the operation of a large coordinated network of X (formerly known as Twitter) accounts. These accounts propagate content from third-party websites whose content aligns with Doppelgänger propaganda goals, as well as from sites that Doppelgänger itself has created.
The posts from these accounts contain links that redirect visitors through two stages to the destination articles intended for consumption. These stages implement obfuscation and tracking techniques. Coupled with the carefully constructed infrastructure management practices the researchers observed Doppelgänger implementing, this underscores the network’s determination to operate without interruptions while effectively tracking the performance of its influence operations.
Key findings
SentinelLabs and ClearSky Cyber Security have been tracking the activities of a suspected Russia-aligned influence operation network named Doppelgänger.
Doppelgänger was observed intensively targeting German audiences, coinciding with recent reports from the German Ministry of Foreign Affairs and Der Spiegel.
The network spreads propaganda and disinformation through news articles focused on current socio-economic and geopolitical topics relevant to the general population.
Doppelgänger disseminates content criticising the ruling government coalition and its support for Ukraine, likely aiming to influence public opinion before the upcoming elections in Germany.
Doppelgänger leverages a substantial network of X accounts, actively participating in coordinated activities to enhance visibility and engage audiences.
Conclusion
Doppelgänger represents an active instrument of information warfare, characterised by strategic use of propaganda and disinformation to influence public opinion. The campaign targeting Germany SentinelLabs discussed in this report serves as a compelling example of the persistent and continually evolving nature of Russia-aligned influence operations, which exploit social media and current topics of geopolitical and socio-economic significance to shape perceptions.
It is anticipated that Doppelgänger’s activities, targeting not only Germany but also other Western countries, will persist and evolve, particularly in light of the major elections scheduled across the EU and the USA in the coming years. The researchers expect Doppelgänger to continue innovating its infrastructure and obfuscation tactics to make its activities more difficult to detect and disrupt.
Countering influence operations requires a comprehensive and collaborative approach, involving enhancing public awareness and media literacy to identify and resist manipulation, alongside prompt and effective actions by social media platforms and infrastructure operators to limit the spread of propaganda and disinformation online.
SentinelLabs continues to monitor Doppelgänger activities and remains committed to timely reporting on its operations to improve public awareness of this threat and mitigate its impact.