Doppelgänger operation rushes to secure itself amid ongoing detections, German agency says
The Russian propaganda network known as Doppelgänger is struggling to maintain its operations amid a crackdown on its infrastructure, according to a recent report.
Following the recent disclosure that European hosting companies, knowingly or not, provided services to the Kremlin-linked disinformation campaign, Doppelgänger operators rushed to back up their systems and secure their data, according to findings by the Bavarian State Office for the Protection of the Constitution (BayLfV).
“The actor behind the Doppelgänger campaign would have had to anticipate that this disclosure could result in a termination or shutdown by the provider,” BayLfV said in a report published this week.
The agency, part of the Bavarian state government in Germany, spent several weeks quietly monitoring how Doppelgänger was operating and learned about the work methods and even the working hours of those running the network.
The Russian-language disinformation network has been operating in Europe since at least May 2022. According to BayLfV, it has created hundreds of thousands of fake profiles or identities on social media, dozens of fake websites of leading media outlets, and its own fake news portals to spread disinformation, primarily in Germany, France, the U.S., Ukraine, and Israel.
During the analysis, BayLfV found more evidence confirming Doppelgänger’s link to Russia, including the use of Russian IP addresses and the Cyrillic alphabet in commands and in the naming of campaigns. Additionally, the network’s activities were conducted during office hours in the Moscow and St. Petersburg time zones, while the threat actors took breaks on Russian holidays.
The report by German authorities followed an investigation by digital rights nonprofits Qurium and EU DisinfoLab, which uncovered infrastructure located or registered in at least ten European countries that is used by Doppelgänger.
German nonprofit journalism group Correctiv, which was also involved in the investigation, noted that German authorities were aware of the European infrastructure abuse by Doppelgänger but did not appear to be taking any action at that time.
In the latest report, BayLfV noted that Doppelgänger's recent operational overhaul was likely triggered by Qurium’s report, adding that the threat actor seemed to be acting under “significant time pressure.”
Facebook owner Meta, meanwhile, reports observing “notable shifts” in Doppelgänger's operational tactics on its platform in response to “aggressive enforcement.” Meta said on Thursday that since May, it has removed over 5,000 accounts and pages linked to Doppelgänger.
Researchers have found that, to adapt to ongoing detections, Doppelgänger is spoofing the websites of primarily nonpolitical and entertainment news outlets like Cosmopolitan, The New Yorker and Entertainment Weekly. Doppelgänger is also actively testing ways to avoid detection, with the majority of ads being caught before they run or within hours after submission, Meta said.
According to the social media company, ongoing enforcement against Doppelgänger has degraded the quality of its efforts. “This suggests that even with the most persistent operators, persistent enforcement has a significant impact on their operational capabilities,” Meta said. “Our goal is to keep driving the operational cost of these campaigns up, making them less and less effective.”
Editor's Note: Story updated 11 a.m. Eastern U.S. time with details from Meta's report.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.