
A DNS Investigation of the 32 Doppelganger Websites Seized by the U.S. Government

The U.S. Office of Public Affairs issued a statement on 4 September 2024 regarding the seizure of 32 websites that are believed to be part of the so-called “Doppelganger” campaign. According to the press release, Doppelganger could be a Russian-sponsored cyberpropaganda campaign designed to target the U.S. and other nations using fake news distributed through cybersquatting and other specially crafted domains.

While the statement did not disclose the seized domain names, we were able to get the complete list from The Hacker News. Upon closer examination, not all of the domains mimicked popular news sites the world over; some seem to have been specifically created to peddle disinformation. Take a look at the table below for more details.

SEIZED DOMAIN | MIMICKING | DESCRIPTION
50statesoflie[.]media | - | Fake news site
acrosstheline[.]press | - | Fake news site
artichoc[.]io | - | Fake news site
bild[.]work | bild[.]de | German tabloid
faz[.]ltd | faz[.]net | German newspaper
forward[.]pw | forward[.]com | U.S. Jewish news site
fox-news[.]in | foxnews[.]com | U.S. news channel site
fox-news[.]top | foxnews[.]com | U.S. news channel site
grenzezank[.]com | - | Fake news site
holylandherald[.]com | - | Fake news site
honeymoney[.]press | - | Fake news site
lemonde[.]ltd | lemonde[.]fr | French newspaper
leparisien[.]ltd | leparisien[.]fr | French newspaper
levinaigre[.]net | - | Fake news site
lexomnium[.]com | - | Fake news site
meisterurian[.]io | - | Fake news site
mypride[.]press | - | Fake news site
pravda-ua[.]com | pravda[.]com[.]ua | Ukrainian newspaper
rbk[.]media | rbc[.]ru | Russian media site
rrn[.]media | - | Fake news site
shadowwatch[.]us | - | Fake news site
spiegel[.]agency | spiegel[.]de | German news site
sueddeutsche[.]co | sueddeutsche[.]de | German newspaper
tagesspiegel[.]co | tagesspiegel[.]de | German newspaper
tribunalukraine[.]info | - | Fake news site
truthgate[.]us | truthgate[.]so | Blog
ukrlm[.]info | ukrlm[.]so | Blog
uschina[.]online | uschina[.]org | Nonprofit organization site
vip-news[.]org | - | Fake news site
warfareinsider[.]us | - | Fake news site
waronfakes[.]com | - | Fake news site
washingtonpost[.]pm | washingtonpost[.]com | U.S. newspaper

In fact, our online searches revealed that only half of the seized domains were seemingly cybersquatting on legitimate news or information sources. Nevertheless, we performed an expansion analysis for the 32 domain names to identify other connected artifacts. Our DNS deep dive led to the discovery of:
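The lookalike patterns in the table (same label under a different TLD, a hyphen inserted into the brand, the target's country code folded into the label) can be checked mechanically. The following is an added example, not code from the original post or from WhoisXML API; the brand list is constructed from the legitimate domains named above, and the single-suffix handling is an assumption that a real tool would replace with a public suffix list.

```python
# Added example (not code from the original post): flag lookalikes of
# legitimate news domains by comparing registrable labels after refanging.
import re
from typing import Optional

# Constructed brand list: legitimate domains named in the table above.
LEGIT_DOMAINS = ["bild.de", "faz.net", "foxnews.com", "lemonde.fr",
                 "pravda.com.ua", "rbc.ru", "spiegel.de", "washingtonpost.com"]

def refang(domain: str) -> str:
    """Turn a defanged name such as bild[.]work back into bild.work."""
    return domain.replace("[.]", ".").strip().lower()

def registrable_label(domain: str) -> str:
    """Label left of the public suffix. Assumption: com.ua is the only
    multi-label suffix in this list; a real tool would use a suffix list."""
    parts = domain.split(".")
    if len(parts) >= 3 and parts[-2:] == ["com", "ua"]:
        return parts[-3]
    return parts[-2]

def normalize(label: str) -> str:
    # Hyphen insertion is the trick behind fox-news[.]in, so drop separators.
    return re.sub(r"[-_]", "", label)

def lookalike_target(candidate: str) -> Optional[str]:
    """Return the legitimate domain a candidate mimics, or None.
    Catches a same-label/different-TLD squat (lemonde[.]ltd) and a label with
    the target's country code appended (pravda-ua[.]com); it does not catch
    transliteration variants such as rbk[.]media for rbc.ru."""
    cand = refang(candidate)
    if cand in LEGIT_DOMAINS:
        return None  # the genuine site, not a squat
    key = normalize(registrable_label(cand))
    for legit in LEGIT_DOMAINS:
        base = normalize(registrable_label(legit))
        if key in (base, base + legit.rsplit(".", 1)[-1]):
            return legit
    return None

def classify(defanged_domains):
    """Map each seized domain to its mimicked target (or None), as in the table."""
    return {d: lookalike_target(d) for d in defanged_domains}
```

Running classify() over the 32 seized names reproduces the MIMICKING column for the hyphen and TLD-swap cases; rbk[.]media is the one entry it leaves unmatched.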

  • 384 registrant-connected domains
  • 123 email-connected domains
  • 64 IP addresses, 54 of which turned out to be malicious
  • 2,463 string-connected domains, six of which turned out to be associated with various threats

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the Doppelganger Domains

We began our analysis by performing a bulk WHOIS lookup for the 32 domains, which showed that:

  • Five domains had public registrant details. The domains lemonde[.]ltd and leparisien[.]ltd had public registrant organizations, while shadowwatch[.]us, truthgate[.]us, and warfareinsider[.]us had public registrant email addresses and names.
  • The domains were split among 10 registrars led by Namecheap, Inc. with 14 domains. GoDaddy.com LLC took the second spot with four domains. NameSilo LLC accounted for three domains, while Nameshield SAS; PDR Ltd.; Sarek Oy; and Tucows, Inc. administered two domains each. The three remaining domains were administered by GMO Internet, Inc.; Long Drive Domains LLC; and REG.RU LLC.
  • The seized domains were created between 2022 and 2024. Six were specifically created in 2022, 18 in 2023, and eight in 2024.
  • Thirty of the 32 domains were registered in six different countries topped by Iceland with 11 domains. The U.S. took second place with 10 domains, while France came in third with five domains. Saint Kitts and Nevis accounted for two domains, while Cyprus and Japan had one domain each. Note that two domains did not have registrant countries in their current WHOIS records.

The Hunt for Doppelganger-Connected Web Properties

To find other web properties that could have ties to the Doppelganger disinformation campaign, we performed reverse WHOIS searches using the registrant information we obtained from our bulk WHOIS lookup earlier. We found 384 registrant-connected domains after filtering out duplicates and the seized domains.

Next, we queried the 32 seized domains on WHOIS History API, which led to the discovery of 30 email addresses in their historical WHOIS records. Eleven of those email addresses were public.

We queried the 11 public email addresses on Reverse WHOIS API, which allowed us to uncover 123 email-connected domains after duplicates, the seized domains, and the registrant-connected domains identified in the prior step were filtered out.

After that, we performed DNS lookups on the 32 seized domains and found that they resolved to 64 unique IP addresses.

When queried on Threat Intelligence API, 54 of the 64 IP addresses turned out to be associated with various threats. Take a look at five examples below.

MALICIOUS IP ADDRESS | ASSOCIATED THREAT TYPES
172[.]67[.]191[.]9 | Generic, Phishing
104[.]21[.]53[.]189 | Malware, Phishing, Suspicious
172[.]67[.]176[.]235 | Attack
172[.]67[.]199[.]6 | Malware, Attack, Phishing, Generic
104[.]21[.]31[.]110 | Malware, Command and control (C&C)
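The expansion steps above depend on how each pivot is filtered: registrant-connected domains exclude the seeds, and email-connected domains additionally exclude what the registrant pivot already found, so the two counts never overlap. The following is an added example, not code from the original post or from WhoisXML API; the WHOIS, history and reverse-WHOIS lookups are stand-in dictionaries with constructed values (only the two seed names are real), so it runs offline.

```python
# Added example (not code from the original post): the pivot-and-filter logic
# of the expansion analysis, run over constructed stand-in records instead of
# the live WHOIS, WHOIS History and Reverse WHOIS services.
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample data (not real WHOIS output). The seeds are two seized
# names from the table; every other domain and contact value is invented.
SEIZED: Set[str] = {"shadowwatch[.]us", "truthgate[.]us"}
CURRENT_WHOIS: Dict[str, Dict[str, Optional[str]]] = {
    "shadowwatch[.]us": {"name": "Example Registrant A", "email": "a@example.invalid"},
    "truthgate[.]us":   {"name": "Example Registrant B", "email": None},  # redacted
}
REVERSE_WHOIS: Dict[str, List[str]] = {  # search term -> domains mentioning it
    "Example Registrant A": ["shadowwatch[.]us", "alpha-news[.]example", "beta[.]example"],
    "Example Registrant B": ["truthgate[.]us", "beta[.]example"],
    "a@example.invalid":    ["alpha-news[.]example", "gamma[.]example"],
    "old@example.invalid":  ["delta[.]example", "truthgate[.]us"],
}
WHOIS_HISTORY: Dict[str, List[str]] = {  # domain -> emails in past records
    "shadowwatch[.]us": ["a@example.invalid", "REDACTED FOR PRIVACY"],
    "truthgate[.]us":   ["old@example.invalid"],
}

def is_public_email(value: Optional[str]) -> bool:
    """Only unredacted addresses are usable as reverse WHOIS pivots."""
    return bool(value) and "@" in value and "REDACTED" not in value.upper()

def registrant_connected(seized: Set[str], whois, reverse) -> Set[str]:
    """Step 1: reverse WHOIS on current registrant names; drop duplicates and seeds."""
    found: Set[str] = set()
    for d in seized:
        name = whois.get(d, {}).get("name")
        if name:
            found.update(reverse.get(name, []))
    return found - seized

def email_connected(seized: Set[str], history, reverse, already: Set[str]) -> Set[str]:
    """Step 2: public historical emails -> reverse WHOIS; drop seeds and step-1 hits."""
    emails = {e for d in seized for e in history.get(d, []) if is_public_email(e)}
    found: Set[str] = set()
    for e in emails:
        found.update(reverse.get(e, []))
    return found - seized - already

def expand(seized: Iterable[str] = SEIZED) -> Dict[str, List[str]]:
    seeds = set(seized)
    reg = registrant_connected(seeds, CURRENT_WHOIS, REVERSE_WHOIS)
    em = email_connected(seeds, WHOIS_HISTORY, REVERSE_WHOIS, reg)
    return {"registrant_connected": sorted(reg), "email_connected": sorted(em)}
```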

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
