1
148
submitted 3 months ago by 0x815@feddit.org to c/technology@lemmy.world

cross-posted from: https://feddit.org/post/836852

Archived link

In September 2022 Qurium, in collaboration with EU DisinfoLab, exposed for the first time a Russia-based influence operation network that had been operating in Europe since at least May 2022 and that later became known as “Doppelganger”.

Now a new investigation finds that - rather than operating from a hidden data center somewhere in the Eastern outskirts of a remote Russian military base - Doppelganger has established operating infrastructure inside of Europe using UK registered companies to constantly set up new Internet providers (Autonomous Systems) peering with a few upstream providers with presence in Germany.

The criminal network is also operating in close association with affiliate advertisement networks. Therefore, Qurium notes that "disinformation is a sad example of a broken advertising industry".

The main strategy of Doppelganger is to disseminate false articles making use of websites that resemble the design of a real newspaper. The fake outlets run using domain names with different top-level domains and are hidden behind Cloudflare CDN.

Qurium has looked specifically into how thousands of articles are being distributed inside Twitter since October 2023. The distribution of the fake articles is done using the same techniques used for the distribution of malware or phishing websites. The main idea is to advertise the content using hundreds of expendable domain names that will redirect to a chain of other domains to ultimately ensure that the reader arrives at the intended content.

The goal of this research is to describe the architecture and design of Doppelganger with special emphasis on attributing those service providers that make it possible. To achieve its goals Doppelganger makes use of several technical and physical infrastructure elements common in cyber crime operations.

Qurium has identified and published technology providers and personalities involved in Russia's hybrid warfare against Europe and the West.

2
46
submitted 3 months ago by 0x815@feddit.org to c/technology@beehaw.org

cross-posted from: https://feddit.org/post/836852

