Russian Influence Campaign: A Deep Dive into Cyber Tactics and Accusations

Yesterday, we saw breaking news about a coordinated influence campaign involving a “U.S. Company 1,” which utilized media influencers to spread false information. This was revealed in an unsealed indictment from the U.S. Department of Justice.

Today, the U.S. Department of Justice released another significant document, UNITED STATES OF AMERICA v. CERTAIN DOMAINS: a 277-page affidavit supporting a seizure warrant. The affidavit details a Russian-backed, cyber-enabled influence campaign known as “Doppelganger,” aimed primarily at undermining elections and diminishing international support for Ukraine. It also describes how Russian entities, under the direction of high-ranking officials, employed cybersecurity tactics and disinformation techniques to manipulate public opinion in the U.S. and other countries.

Cybersecurity Tactics at the Core of Doppelganger Campaign

The Doppelganger campaign employed a wide array of cybersecurity tools to obfuscate its true origin, often masking the involvement of the Russian government. Central to this operation was the use of Virtual Private Servers (VPSs) and Virtual Private Networks (VPNs). These tools allowed operatives to mask their true locations and appear to be operating from within the U.S. By layering multiple VPS services, they were able to further conceal their identities and locations, making it harder for cybersecurity experts and law enforcement to detect the true origins of the operation (p. 38).

Additionally, Doppelganger operatives purchased compromised IP addresses on cybercriminal forums, allowing them to further mask their activities. Spur, a U.S. cybersecurity firm that analyzed the operation, noted that many of these VPSs were paid for using cryptocurrency, complicating efforts to trace the payments. According to the indictment, some payments were made via cryptocurrency to U.S.-based domain registrars, adding further layers of anonymity to the operation (p. 35-61).

Fake News Websites and Social Media Manipulation

A core component of the Doppelganger campaign was impersonation through “news websites, staged videos, and fake social media accounts” (p. 12). For example, the operatives created fake news websites that closely mimicked the branding and appearance of legitimate outlets such as The Washington Post, Fox News, and Forward (see exhibit 1, p. 88-107). These sites were designed to deceive users into believing they were reading trusted news sources, which allowed the operatives to spread false stories and pro-Russian narratives under the guise of legitimate journalism, a hallmark of the campaign.
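The cybersquatted sites described above imitate a brand at the domain level, so a defender's first screening step is usually a lookalike check on newly registered domains. The following is an added example (not code from the affidavit, the DOJ, or any vendor named on this page): it folds confusable characters, then compares the registrable label against a watch list of brand names. The watch list uses the outlets the affidavit names, but the allowed domains and every sample domain are constructed for illustration (reserved .example and .test TLDs), and the TLD split is a simplification that ignores the Public Suffix List.

```python
"""Lookalike-domain screening against a brand watch list.

Added example (not from the affidavit or any named vendor): flags domains
whose registrable label imitates a legitimate news brand, the pattern the
affidavit describes for cybersquatted sites.  The brand list is built from
outlets the affidavit names; the allowed domains and every sample domain
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Brand label -> registrable domains treated as legitimate (assumed values).
WATCHLIST: Dict[str, Set[str]] = {
    "washingtonpost": {"washingtonpost.com"},
    "foxnews": {"foxnews.com"},
    "forward": {"forward.com"},
}

# Characters commonly substituted for look-alikes, folded before comparison;
# hyphens and underscores are dropped so "f0x-news" compares as "foxnews".
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": None, "_": None}
)


@dataclass
class Finding:
    domain: str
    brand: str
    reason: str


def registrable_label(domain: str) -> Tuple[str, str]:
    """Split 'www.foxnews-today.example' into ('foxnews-today', 'example').

    Simplification: the last label is treated as the TLD; a production
    version would consult the Public Suffix List for co.uk-style suffixes.
    """
    host = domain.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    parts = host.split(".")
    if len(parts) < 2:
        return host, ""
    return parts[-2], parts[-1]


def fold(label: str) -> str:
    """Normalise confusable characters so 'f0xnews' compares equal to 'foxnews'."""
    return label.translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(domain: str, watchlist: Dict[str, Set[str]] = WATCHLIST) -> Optional[Finding]:
    """Return a Finding if the domain imitates a watch-listed brand, else None."""
    label, tld = registrable_label(domain)
    if f"{label}.{tld}" in set().union(*watchlist.values()):
        return None  # the brand's own legitimate domain
    folded = fold(label)
    for brand in watchlist:
        if folded == brand:
            return Finding(domain, brand, "brand label on a different TLD")
        if brand in folded and len(folded) > len(brand):
            return Finding(domain, brand, "brand embedded in a longer label")
        if edit_distance(folded, brand) <= 2:
            return Finding(domain, brand, "typosquat within edit distance 2")
    return None


def screen_many(domains: List[str]) -> List[Finding]:
    """Screen a batch, e.g. a day's newly registered domains from a zone feed."""
    return [f for f in (screen(d) for d in domains) if f is not None]


if __name__ == "__main__":
    # Constructed sample input using reserved .example/.test TLDs.
    sample = [
        "washingtonpost.com",
        "www.washingtonpost.example",
        "f0xnews-today.example",
        "foxnwes.example",
        "example.test",
    ]
    for finding in screen_many(sample):
        print(f"{finding.domain:30} -> {finding.brand}: {finding.reason}")
```

Short, dictionary-word brands such as "forward" will produce false positives under the embedded-label and edit-distance rules (for instance "forwarding"), so in practice findings are triage candidates to be confirmed by content comparison (page titles, copied mastheads, logo hashes) rather than blocked automatically.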

The Doppelganger campaign also extensively utilized artificial intelligence (AI) to generate fake social media profiles, posing as U.S. citizens or residents of other target countries. According to the indictment, "Among the methods Doppelganger used to drive viewership to the cybersquatted and unique media domains were the deployment of 'influencers' worldwide, paid social media advertisements (in some cases created using artificial intelligence tools), and the creation of fake social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the cybersquatted domains, all of which attempted to trick viewers into believing they were being directed to a legitimate news media outlet's website." (p. 2)

Hacking and Technical Infrastructure

In addition to VPS layering and domain spoofing, the indictment reveals that hacking played a key role in Doppelganger’s operations. For example, servers used to host these cybersquatted domains were linked to cybercriminal networks that had been previously involved in hacking activities. The indictment notes that some of these servers had been accessed via known cybercriminal IP addresses and were registered using false identities.

"The IP addresses used to access the registrars all resolved to either VPS services, or IP addresses that the cybersecurity company Spur previously associated with criminal cyber actors who compromise IP addresses and sell access to them, to allow buyers to gain further anonymity online. Even the VPS services used by the personas were accessed through other VPS services and paid for using cryptocurrency." (p.37)
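The affidavit's observation that every registrar access resolved to VPS space or to resold compromised addresses is, from the defender's side, an enrichment-and-ratio check: tag each login's source IP with an infrastructure type and look at how much of a persona's activity comes from anonymising ranges. The block below is an added example (not the affidavit's, Spur's, or any registrar's code). Its CIDR-to-tag table stands in for a commercial IP-intelligence feed, and the log format and all log lines are constructed, using RFC 5737 documentation address ranges.

```python
"""Tagging persona logins by source-infrastructure type.

Added example (not from the affidavit or any vendor): enriches registrar or
platform access logs with an infrastructure tag per source IP and flags
personas whose logins come almost entirely from VPS, VPN or resold compromised
address space.  The CIDR tags stand in for a commercial IP-intelligence feed;
the log lines use RFC 5737 documentation ranges and are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed feed: CIDR -> infrastructure tag (a real feed is far larger).
INFRA_TAGS = {
    "203.0.113.0/24": "vps",
    "192.0.2.0/24": "vpn",
    "198.51.100.0/25": "compromised-residential",
}
NETS = [(ipaddress.ip_network(cidr), tag) for cidr, tag in INFRA_TAGS.items()]
ANONYMISING = {"vps", "vpn", "compromised-residential"}

# Assumed key=value log format; the regex only needs the persona and src fields.
LOG_LINE = re.compile(r"persona=(?P<persona>\S+).*?src=(?P<ip>\S+)")

# Constructed sample log: one persona logging in only from tagged ranges,
# one mostly from untagged space, plus a malformed line to be skipped.
SAMPLE_LOG = """\
2024-03-01T09:12:00Z persona=news_fan_42 action=login src=203.0.113.45
2024-03-01T09:40:13Z persona=news_fan_42 action=login src=192.0.2.77
2024-03-02T11:03:55Z persona=news_fan_42 action=login src=198.51.100.17
2024-03-03T08:20:02Z persona=news_fan_42 action=login src=203.0.113.200
2024-03-01T12:00:00Z persona=local_reader action=login src=198.51.100.200
2024-03-02T12:05:00Z persona=local_reader action=login src=198.51.100.201
2024-03-03T12:10:00Z persona=local_reader action=login src=203.0.113.9
malformed line without fields
"""


def tag_ip(ip: str) -> str:
    """Feed tag for an address; 'untagged' if none matches, 'invalid' if unparsable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    for net, tag in NETS:
        if addr in net:
            return tag
    return "untagged"


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (persona, source ip) or None for lines that lack the fields."""
    m = LOG_LINE.search(line)
    return (m.group("persona"), m.group("ip")) if m else None


def summarize(log: str) -> Dict[str, Counter]:
    """Count logins per persona by infrastructure tag."""
    per_persona: Dict[str, Counter] = defaultdict(Counter)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        persona, ip = parsed
        per_persona[persona][tag_ip(ip)] += 1
    return dict(per_persona)


def flag_personas(log: str, threshold: float = 0.8, min_events: int = 3) -> List[str]:
    """Personas with enough events whose anonymising-infrastructure share >= threshold."""
    flagged = []
    for persona, counts in summarize(log).items():
        total = sum(counts.values())
        anon = sum(n for tag, n in counts.items() if tag in ANONYMISING)
        if total >= min_events and anon / total >= threshold:
            flagged.append(persona)
    return sorted(flagged)


if __name__ == "__main__":
    for persona, counts in summarize(SAMPLE_LOG).items():
        print(persona, dict(counts))
    print("flagged:", flag_personas(SAMPLE_LOG))
```

The minimum-event floor matters: a single VPN login is ordinary user behaviour, and the affidavit's signal is the consistency of the pattern across every access, which is why the check operates on a per-persona ratio rather than on individual events.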

Furthermore, Doppelganger operatives employed botnets, networks of automated accounts, to amplify their disinformation on social media. The bots were used to post links to the fake news articles across social media platforms, creating the illusion of grassroots support for the Russian narratives. The indictment describes how these bots were programmed to mimic the behavior of real users, sharing posts and commenting on them in ways that would appear genuine to the average social media user (p. 30). Given these tactics, the document presents evidence of countermeasures implemented by various government and private agencies across Germany, France, the U.S., and Israel, as well as by major online platforms and fact-checkers. Since September 2022, these efforts have included publishing articles critiquing the project's impact on public opinion (see exhibit 2A, p. 108-116).

Social Media Manipulation and AI

The Doppelganger campaign made extensive use of artificial intelligence (AI) to generate fake profiles and posts on social media. These profiles, which posed as U.S. citizens or residents of other target countries, were used to share links to cybersquatted domains and to comment on political topics in order to manipulate public discourse. According to the indictment, social media profiles were created using AI-generated images and used to engage in discussions and share disinformation articles (p. 123).

In fall 2023, the Russian company Social Design Agency (SDA) developed "The Good Old U.S.A. Project" to influence U.S. public opinion ahead of the 2024 federal elections. The project aimed to shift sentiment toward prioritizing domestic issues over foreign spending, particularly in Ukraine. The strategy involved targeting social media users with misleading content disguised as news, using social media advertising, influencers, and bots to amplify "bogus stories" and false narratives. The campaign also employed targeted advertising to track and influence American reactions in real time, adjusting its approach based on user responses. Records from Meta, obtained through a warrant, revealed that Doppelganger used AI tools to create negative ads about U.S. politicians and operated Meta pages with names similar to those of legitimate news organizations. Additionally, U.S. credit cards were used to purchase ads on Facebook. As detailed on page 31: "Meta records also revealed that Doppelganger used credit cards issued by U.S. financial institutions to purchase Facebook advertisements."

Another notable component of the overall campaign was the “Guerrilla Media Campaign in the United States.” This proposal outlined a strategy for exploiting the perceived polarization of U.S. society by focusing on eight distinct “Campaign Topics.” It anticipated using social media platforms such as Facebook, X (formerly known as Twitter), YouTube, and Truth Social. The plan included creating multiple “perishable” accounts to manage comments and disseminate propaganda through posts, memes, and “video content, including news stories in the Fox News style” (p. 32). The goal was to use a mix of realistic information and minimal fake news to create a perception of reality that contradicted official media narratives.

The indictment further notes that the campaign involved creating numerous fake accounts due to enforcement efforts by U.S. social media companies aimed at identifying and deactivating accounts linked to Doppelganger. These fake profiles, combined with paid advertisements funded by cryptocurrency transactions, were designed to blend in with legitimate political ads, obscuring their true purpose. This AI-driven approach was part of a broader strategy to “engage in targeted social engineering based on information trends and users’ emotional attitudes” (p. 150).

The Accusations

The Doppelganger operatives are facing serious accusations, including:

1. Money Laundering: The operatives are accused of using cryptocurrency to fund their activities, including purchasing VPS services and domains from U.S.-based registrars. This financial obfuscation was key to maintaining the anonymity of the operation, bypassing traditional financial systems, which complicates law enforcement efforts to trace the funds.

2. Conspiracy: The alleged central actors, including Sergei Kiriyenko, Ilya Gambashidze, and Nikolai Tupikin, are charged with conspiring to influence U.S. elections and reduce international support for Ukraine. The indictment outlines their direct involvement in planning and executing the Doppelganger operation, noting that these individuals conspired to deploy disinformation aimed at U.S. voters, seeking to exploit political divisions to advance Russian geopolitical interests.

3. Trafficking in Counterfeit Goods: By creating fake news websites that closely mimicked legitimate media outlets, the operatives engaged in the illegal use of copyrighted logos and designs. On page 18, it states that their "use of the marks is likely to cause confusion, mistake, or to deceive the public".

4. Violation of the International Emergency Economic Powers Act (IEEPA): The operatives are also accused of violating U.S. sanctions imposed on Russian entities. By purchasing domains and services from U.S. companies without obtaining the necessary licenses, they violated economic sanctions. According to the document, the defendants knowingly engaged in prohibited transactions with U.S. entities, including domain registrars, in violation of IEEPA (p. 18).

The indictment of the Doppelganger campaign exposes the growing threat of cyber-driven disinformation and the sophistication of state-sponsored cyber operations. By using VPSs, compromised IP addresses, AI-generated social media profiles, and bots, the operatives behind Doppelganger were able to carry out a covert influence campaign aimed at manipulating elections and public discourse. As cybersecurity professionals continue to grapple with the challenges posed by disinformation and hacking, this case serves as a stark reminder of the importance of vigilance in the face of evolving cyber threats.