The U.S. Office of Public Affairs issued a statement on 4 September 2024 regarding the seizure of 32 websites that are believed to be part of the so-called "Doppelganger" campaign. According to the press release, Doppelganger could be a Russian-sponsored cyberpropaganda campaign designed to target the U.S. and other nations using fake news distributed through cybersquatting and other specially crafted domains.
While the statement did not disclose the seized domain names, we were able to get the complete list from The Hacker News. Upon closer examination, not all of the domains mimicked popular news sites the world over; some seem to have been specifically created to peddle disinformation. Take a look at the table below for more details.
In fact, our online searches revealed that only half of the seized domains were seemingly cybersquatting on legitimate news or information sources. Nevertheless, we performed an expansion analysis for the 32 domain names to identify other connected artifacts. Our DNS deep dive led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our analysis by performing a bulk WHOIS lookup for the 32 domains, which showed that:
To find other web properties that could have ties to the Doppelganger disinformation campaign, we performed reverse WHOIS searches using the registrant information we obtained from our bulk WHOIS lookup earlier. We found 384 registrant-connected domains after filtering out duplicates and the seized domains.
Next, we queried the 32 seized domains on WHOIS History API, which led to the discovery of 30 email addresses in their historical WHOIS records. Eleven of those email addresses were public.
We queried the 11 public email addresses on Reverse WHOIS API, which allowed us to uncover 123 email-connected domains after duplicates, the seized domains, and the registrant-connected domains identified in the prior step were filtered out.
After that, we performed DNS lookups on the 32 seized domains and found that they resolved to 64 unique IP addresses.
When queried on Threat Intelligence API, 54 of the 64 IP addresses turned out to be associated with various threats. Take a look at five examples below.
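The pivot sequence above (bulk WHOIS, reverse WHOIS on registrant data, WHOIS history for e-mail addresses, reverse WHOIS on the public ones, DNS resolution, and a threat-intelligence check on the resulting IPs) is shown here as one added Python example. It is not code from this post or from the API vendor; the dictionaries are constructed stand-ins for the API responses, the domain names, e-mail addresses and IP addresses are placeholders rather than the seized artifacts, and the privacy-proxy heuristic is an assumption used only to decide which historical e-mails count as "public". The filtering order (drop duplicates, the seed domains, and domains already found in a prior step) follows the post.

```python
"""Domain-expansion pipeline on constructed data (added example, not the vendor's code)."""
from typing import Dict, List, Set

# Seed list: placeholders standing in for the seized domains.
SEIZED_DOMAINS: List[str] = ["seized-one.test", "seized-two.test", "seized-three.test"]

# Constructed stand-in for a bulk WHOIS response.
BULK_WHOIS: Dict[str, Dict[str, str]] = {
    "seized-one.test": {"registrant_org": "Shell Org Alpha", "registrar": "Registrar X"},
    "seized-two.test": {"registrant_org": "Shell Org Alpha", "registrar": "Registrar X"},
    "seized-three.test": {"registrant_org": "REDACTED FOR PRIVACY", "registrar": "Registrar Y"},
}

# Constructed stand-in for reverse WHOIS by registrant organisation.
# Duplicates and a seed domain are included on purpose to exercise the filtering.
REVERSE_WHOIS_BY_ORG: Dict[str, List[str]] = {
    "Shell Org Alpha": ["alpha-mirror.test", "alpha-mirror.test", "seized-one.test", "alpha-cdn.test"],
}

# Constructed stand-in for WHOIS history: every e-mail ever seen per domain.
WHOIS_HISTORY: Dict[str, List[str]] = {
    "seized-one.test": ["ops@alpha-mirror.test", "abuse@privacy-proxy.test"],
    "seized-two.test": ["ops@alpha-mirror.test"],
    "seized-three.test": ["owner@beta-shell.test", "abuse@privacy-proxy.test"],
}
# Assumption: mailboxes at a privacy-proxy service are not "public" and are poor pivots.
PRIVACY_PROXY_DOMAINS: Set[str] = {"privacy-proxy.test"}

# Constructed stand-in for reverse WHOIS by e-mail address.
REVERSE_WHOIS_BY_EMAIL: Dict[str, List[str]] = {
    "ops@alpha-mirror.test": ["alpha-cdn.test", "alpha-news.test"],
    "owner@beta-shell.test": ["beta-news.test", "seized-three.test"],
}

# Constructed stand-ins for DNS A records and a threat-intelligence lookup.
DNS_A_RECORDS: Dict[str, List[str]] = {
    "seized-one.test": ["203.0.113.10", "203.0.113.11"],
    "seized-two.test": ["203.0.113.10"],
    "seized-three.test": ["198.51.100.5"],
}
THREAT_INTEL: Dict[str, List[str]] = {
    "203.0.113.10": ["malware", "phishing"],
    "203.0.113.11": [],
    "198.51.100.5": ["spam"],
}


def registrant_terms(seized: List[str]) -> Set[str]:
    """Registrant organisations usable as pivots; redacted values are skipped."""
    orgs = {BULK_WHOIS[d]["registrant_org"] for d in seized if d in BULK_WHOIS}
    return {o for o in orgs if not o.startswith("REDACTED")}


def registrant_connected(seized: List[str]) -> Set[str]:
    """Step 2: reverse WHOIS on registrant data, minus duplicates and seeds."""
    found: Set[str] = set()
    for term in registrant_terms(seized):
        found.update(REVERSE_WHOIS_BY_ORG.get(term, []))
    return found - set(seized)


def public_historical_emails(seized: List[str]) -> Set[str]:
    """Step 3: e-mails from historical WHOIS records, keeping only public ones."""
    emails: Set[str] = set()
    for d in seized:
        emails.update(WHOIS_HISTORY.get(d, []))
    return {e for e in emails if e.split("@", 1)[1] not in PRIVACY_PROXY_DOMAINS}


def email_connected(emails: Set[str], already_known: Set[str]) -> Set[str]:
    """Step 4: reverse WHOIS on e-mails, minus seeds and earlier findings."""
    found: Set[str] = set()
    for e in emails:
        found.update(REVERSE_WHOIS_BY_EMAIL.get(e, []))
    return found - already_known


def resolve_ips(domains: List[str]) -> Set[str]:
    """Step 5: unique IP addresses the domains resolve to."""
    return {ip for d in domains for ip in DNS_A_RECORDS.get(d, [])}


def malicious_ips(ips: Set[str]) -> Dict[str, List[str]]:
    """Step 6: IPs with at least one threat-intelligence tag."""
    return {ip: THREAT_INTEL[ip] for ip in sorted(ips) if THREAT_INTEL.get(ip)}


def run_expansion(seized: List[str]) -> Dict[str, int]:
    """Run every pivot in order and return the per-step counts."""
    reg = registrant_connected(seized)
    emails = public_historical_emails(seized)
    mail = email_connected(emails, set(seized) | reg)
    ips = resolve_ips(seized)
    bad = malicious_ips(ips)
    return {
        "registrant_connected": len(reg),
        "public_emails": len(emails),
        "email_connected": len(mail),
        "unique_ips": len(ips),
        "malicious_ips": len(bad),
    }


if __name__ == "__main__":
    for step, count in run_expansion(SEIZED_DOMAINS).items():
        print(f"{step}: {count}")
```

Each step excludes what the previous steps already produced, so the counts are additive rather than overlapping; that is what makes the "after filtering out duplicates, the seized domains, and the registrant-connected domains" figures in the post comparable across steps.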
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.