Costly distractions - Digital Threat Digest
PGI’s Digital Investigations Team brings you the Digital Threat Digest, SOCMINT and OSINT insights into disinformation, influence operations, and online harms.
Cost imposition, the idea that you try to make life as difficult as you can for your adversary, is common across cyber security and counterespionage, and is increasingly considered in the detection and mitigation of influence operations. However, one element we consider less frequently is that our adversaries are doing exactly the same: trying to impose costs on us, the detection side. The idea of counter-counterespionage, if you will.
Doppelganger is a long-running Russian influence operation primarily targeting Europe. There are two strands to the campaign. One is the creation of web infrastructure to host biased content. The other is the creation of thousands upon thousands of inauthentic social media assets, which seed and amplify links to the web media content. The campaign is named Doppelganger because a chunk of its web infrastructure impersonates legitimate media entities. Spiegel[.]de is the authentic site for the German-language media publication. Spiegel[.]ltd is the doppelganger clone, the evil twin.
Since it was first detected, the campaign hasn’t really evolved. The web infrastructure is cheap and disposable – once a domain is blocked, the campaign simply pivots to a fresh one. Some thousand domains have been blocked so far, and the campaign has had a fresh thousand sitting ready to go. This ephemeral nature does, however, mean that the websites tend to generate little traffic. The same is true of the social media assets, which are largely based on Twitter and fail to generate significant followings or interactions.
So, what’s the point of the campaign? It’s not that cheap to run - there are human and financial costs incurred by creating content, distributing content, registering domains, purchasing privacy guards, creating emails and associated social media profiles. So why keep putting in all that effort and resource if the campaign has been detected and attributed? We know the two companies responsible for running Doppelganger. We know who founded them, who works there, and who likely runs the campaign day-to-day. So, if the campaign isn’t influencing its target audience, what effect is it having?
It's imposing a cost on us. In the last six months or so, every single company working in this space has devoted resources to writing about the same damn campaign using the same damn tactics and drawing the same damn conclusions. They spend time visualising the data differently, some make a nice network graph of all the Twitter accounts, some make a lovely time series showing the batch registration dates of domain infrastructure. The same is true of the platforms, where it’s probably someone’s job to log on at 0900 each day and pop two hours in the timesheet to play whack-a-mole restricting the latest domain infrastructure.
What am I getting at exactly? We know Doppelganger exists, but we shouldn’t worry about the high-volume campaign that’s making noise. We should worry about the small but malicious campaigns that sneak past our detection infrastructure because we’ve been unwittingly distracted.
Disclaimer: Protection Group International does not endorse any of the linked content.