Cyber Security
Investigations
Capacity Building
Insights
About
Digital Threat Digest Insights Careers Let's talk

Costly distractions - Digital Threat Digest

PGI’s Digital Investigations Team brings you the Digital Threat Digest, SOCMINT and OSINT insights into disinformation, influence operations, and online harms.

Ceiling

Cost imposition—the idea that you try and make life as difficult as you can for your adversary—is common across cyber security, counterespionage, and increasingly considered in the detection and mitigation of influence operations. However, one element we consider less frequently is that our adversaries are doing exactly the same; trying to impose costs on us, the detection side. The idea of counter-counterespionage, if you will.

Doppelganger is a long-running Russian influence operation primarily targeting Europe. There are two strands to the campaign, one is the creation of web infrastructure to host biased content. The other is the creation of thousands upon thousands of inauthentic social media assets, which seed and amplify links to the web media content. The campaign is named Doppelganger because a chunk of its web infrastructure impersonates legitimate media entities. Spiegel[.]de is the authentic site for the German language media publication. Spiegel[.]ltd is the doppelganger clone, the evil twin.

Since it was first detected, the campaign hasn’t really evolved. The web infrastructure is cheap and disposable – once a domain is blocked, the campaign simply pivots to a fresh one. Some thousand domains have been blocked so far, and they have had a fresh thousand sitting ready to go. This ephemeral nature does, however, mean that the websites tend to generate little traffic. The same is true of the social media assets which—largely based on Twitter—fail to generate significant followings or interactions.

So, what’s the point of the campaign? It’s not that cheap to run - there are human and financial costs incurred by creating content, distributing content, registering domains, purchasing privacy guards, creating emails and associated social media profiles. So why keep putting in all that effort and resource if the campaign has been detected and attributed? We know the two companies responsible for running Doppelganger. We know who founded them, who works there, and who likely runs the campaign day-to-day. So, if the campaign isn’t influencing its target audience, what effect is it having?

It's imposing a cost on us. In the last six months or so, every single company working in this space has devoted resources to writing about the same damn campaign using the same damn tactics and drawing the same damn conclusions. They spend time visualising the data differently, some make a nice network graph of all the Twitter accounts, some make a lovely time series showing the batch registration dates of domain infrastructure. The same is true of the platforms, where it’s probably someone’s job to log on at 0900 each day and pop two hours in the timesheet to play whack-a-mole restricting the latest domain infrastructure.

What am I getting at exactly? We know Doppelganger exists, but we shouldn’t worry about the high output volume campaign that’s making noise. We should worry about the small but malicious campaigns that sneak past our detection infrastructure because we’ve been unwittingly distracted.


More about Protection Group International's Digital Investigations

Our Digital Investigations Analysts combine modern exploitative technology with deep human analytical expertise that covers the social media platforms themselves and the behaviours and the intents of those who use them. Our experienced analyst team have a deep understanding of how various threat groups use social media and follow a three-pronged approach focused on content, behaviour and infrastructure to assess and substantiate threat landscapes.

Disclaimer: Protection Group International does not endorse any of the linked content.