|
The U.S. Office of Public Affairs issued a statement on 4 September 2024 regarding the seizure of 32 websites that are believed to be part of the so-called “Doppelganger” campaign. According to the press release, Doppelganger could be a Russian-sponsored cyberpropaganda campaign designed to target the U.S. and other nations using fake news distributed through cybersquatting and other specially crafted domains.
While the statement did not disclose the seized domain names, we were able to get the complete list from The Hacker News. Upon closer examination, not all of the domains mimicked popular news sites the world over, some seem to have been specifically created to peddle disinformation. Take a look at the table below for more details.
SEIZED DOMAIN | MIMICKING | DESCRIPTION |
---|---|---|
50statesoflie[.]media | Fake news site | |
acrosstheline[.]press | Fake news site | |
artichoc[.]io | Fake news site | |
bild[.]work | bild[.]de | German tabloid |
faz[.]ltd | faz[.]net | German newspaper |
forward[.]pw | forward[.]com | U.S. Jewish news site |
fox-news[.]in | foxnews[.]com | U.S. news channel site |
fox-news[.]top | foxnews[.]com | U.S. news channel site |
grenzezank[.]com | Fake news site | |
holylandherald[.]com | Fake news site | |
honeymoney[.]press | Fake news site | |
lemonde[.]ltd | lemonde[.]fr | French newspaper |
leparisien[.]ltd | leparisien[.]fr | French newspaper |
levinaigre[.]net | Fake news site | |
lexomnium[.]com | Fake news site | |
meisterurian[.]io | Fake news site | |
mypride[.]press | Fake news site | |
pravda-ua[.]com | pravda[.]com[.]ua | Ukrainian newspaper |
rbk[.]media | rbc[.]ru | Russian media site |
rrn[.]media | Fake news site | |
shadowwatch[.]us | Fake news site | |
spiegel[.]agency | spiegel[.]de | German news site |
sueddeutsche[.]co | sueddeutsche[.]de | German newspaper |
tagesspiegel[.]co | tagesspiegel[.]de | German newspaper |
tribunalukraine[.]info | Fake news site | |
truthgate[.]us | truthgate[.]so | Blog |
ukrlm[.]info | ukrlm[.]so | Blog |
uschina[.]online | uschina[.]org | Nonprofit organization site |
vip-news[.]org | Fake news site | |
warfareinsider[.]us | Fake news site | |
waronfakes[.]com | Fake news site | |
washingtonpost[.]pm | washingtonpost[.]com | U.S. newspaper |
In fact, our online searches revealed that only half of the seized domains were seemingly cybersquatting on legitimate news or information sources. Nevertheless, we performed an expansion analysis for the 32 domain names to identify other connected artifacts. Our DNS deep dive led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our analysis by performing a bulk WHOIS lookup for the 32 domains, which showed that:
The seized domains were created between 2022 and 2024. Six were specifically created in 2022, 18 in 2023, and eight in 2024.
Thirty of the 32 domains were registered in six different countries topped by Iceland with 11 domains. The U.S. took second place with 10 domains while France came in third with five domains. Saint Kitts and Nevis accounted for two domains while Cyprus and Japan had one domain each. Note that two domains did not have registrant countries in their current WHOIS records.
To find other web properties that could have ties to the Doppelganger disinformation campaign, we performed reverse WHOIS searches using the registrant information we obtained from our bulk WHOIS lookup earlier. We found 384 registrant-connected domains after filtering out duplicates and the seized domains.
Next, we queried the 32 seized domains on WHOIS History API, which led to the discovery of 30 email addresses in their historical WHOIS records. Eleven of those email addresses were public.
We queried the 11 public email addresses on Reverse WHOIS API, which allowed us to uncover 123 email-connected domains after duplicates, the seized domains, and the registrant-connected domains identified in the prior step were filtered out.
After that, we performed DNS lookups on the 32 seized domains and found that they resolved to 64 unique IP addresses.
When queried on Threat Intelligence API, 54 of the 64 IP addresses turned out to be associated with various threats. Take a look at five examples below.
172[.]67[.]191[.]9 | Generic Phishing |
104[.]21[.]53[.]189 | Malware Phishing Suspicious |
172[.]67[.]176[.]235 | Attack |
172[.]67[.]199[.]6 | Malware Attack Phishing Generic |
104[.]21[.]31[.]110 | Malware Command and control (C&C) |
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byRadix
Sponsored byVerisign
Sponsored byCSC