Doppelganger

The Justice Department announced 04 September 2024 the ongoing seizure of 32 internet domains used in Russian government-directed foreign malign influence campaigns colloquially referred to as "Doppelganger," in violation of U.S. money laundering and criminal trademark laws. Among the methods Doppelganger used to drive viewership to the cybersquatted and unique media domains were the deployment of “influencers” worldwide, paid social media advertisements (in some cases created using artificial intelligence tools), and the creation of fake social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the cybersquatted domains, all of which attempted to trick viewers into believing they were being directed to a legitimate news media outlet’s website.

As alleged in an unsealed affidavit, the Russian companies Social Design Agency (SDA), Structura National Technology (Structura), and ANO Dialog, operating under the direction and control of the Russian Presidential Administration, and in particular First Deputy Chief of Staff of the Presidential Executive Office Sergei Vladilenovich Kiriyenko, used these domains, among others, to covertly spread Russian government propaganda with the aim of reducing international support for Ukraine, bolstering pro-Russian policies and interests, and influencing voters in U.S. and foreign elections, including the U.S. 2024 Presidential Election. KIRIYENKO has been sanctioned and described by OFAC as “the First Deputy Chief of Staff of the Presidential Office” and reportedly “Putin’s domestic policy curator.” KIRIYENKO is frequently referred to in Russian and Western media as “Putin’s right-hand man.”

Documents from the Russian companies Social Design Agency (“SDA”) reveal that SDA extensively monitors and collects information about a large number of media organizations and social media influencers. One document revealed a list of more than 2,800 people on various social media platforms like Twitter, Facebook and Telegram, spanning 81 countries, that SDA identified as influencers, including television and radio hosts, politicians, bloggers, journalists, businessmen, professors, think-tank analysts, veterans, professors, and comedians. When referring to politicians, the list often mentioned which US state and/or political party they represent and the position they hold in Congress. The US-based influencers accounted for approximately 21% of the accounts being monitored by SDA. On another list of over 1,900 “anti-influencers” from 52 countries, the USbased accounts comprised 26% of the total accounts being monitored by SDA.Th FBI assessed that “antiinfluencer” indicates that the account posts content that SDA views as contrary to Russian objectives.

SDA required a large number of “perishable” accounts to disseminate this content because of enforcement efforts by U.S. social media companies to identify and deactivate accounts associated with Doppelganger. SDA records revealed another influence campaign aimed at avoiding detection and mitigation by U.S. social media companies by creating and developing “a network of 200 accounts in Twitter, four in each of the 50 states: two active and two ‘dormant’ ones. SDA actively sought to “eliminate the possibility of detection of the ‘Russian footprint’ in the proposed project, a multi-level protection of the infrastructure will be built. It will contain VPN services, physical servers located in the United States, etc.”

The fake Russian fact-checking website War on Fakes, 52 Case 2:24-mj-01395 Document 4 Filed 09/04/24 Page 53 of 277 launched a few hours after Russia invaded Ukraine. Quickly identified for its role in legitimizing the Russian ‘special military operation’ and discrediting the Ukrainian State, War on Fakes has also been amplified by at least 65 official Facebook pages and official Twitter accounts of the Russian diplomatic network. Moreover, War on Fakes the administrator’s login page has been set up to redirect traffic to rrussianews.com, thereby establishing a technical link between the two websites.

In July 2023, the European Union (“EU”) sanctioned seven Russian individuals and five Russian entities for their role in Doppelganger. Among the entities and individuals sanctioned by the EU were SDA, STRUCTURA, GAMBASHIDZE, and ANO Dialog. In so doing, the EU explained: "Russian actors have conducted a digital information manipulation campaign named ‘RRN’ (Recent Reliable News) aiming at manipulating information and disseminating propaganda in support of Russia’s war of aggression against Ukraine. That campaign, in which government bodies or bodies affiliated to the Russian State have participated, relies on fake web pages usurping the identity of national media outlets and government websites as well as fake accounts on social media.""

On July 19, 2023, the Viginum Agency (“VIGINUM”), a French government agency tasked with vigilance and protection against foreign digital interference, which operates under the authority of the Secretariat-General for National Defense and Security, highlighted Doppelganger’s creation and operation of cybersquatted domains: "Since February 2023, VIGINUM has noticed an increasing number of impersonations of major French and foreign media outlets, in order to publish pro-Russian articles linked to the war in Ukraine. . . The appearance of typosquatted websites is in every way similar to that of the media outlets they are impersonating, the only difference being the visited URL. "

Mandiant, an American cybersecurity firm and a subsidiary of Google, tracks the “Doppelganger Information Operations Campaign” and publishes a monthly report with updates to the state of the campaign in a document Mandiant calls a “Narrative Tracker.” In their April 2024 report, Mandiant noted in addition to the continued use of cybersquatted websites, the Doppelganger campaign had begun using other domains to target American audiences. Spicy Conspiracy describes itself as “Uncovering the truth behind the veil. Your source for in depth coverage of conspiracies, secret agendas, and hidden realities.” Election Watch focuses on U.S. elections, including the 2024 U.S. presidential election, political candidates, purported corruption, and polling results. Truth Gate and Shadow Watch are English language websites that focused on disseminating corruption and conspiracy disinformation targeting the U.S. Artichoc io is a French language website with a tagline that translates to “Art that Shocks.”

In conjunction with the domain seizures, the U.S. Treasury Department announced the designation of 10 individuals and two entities as part of a coordinated response to Russia's malign influence efforts targeting the 2024 U.S. presidential election. This announcement follows the designation of actors involved in Doppelganger announced by the Treasury Department in March 2024.

"The Justice Department is seizing 32 internet domains that the Russian government and Russian government-sponsored actors have used to engage in a covert campaign to interfere in and influence the outcome of our country's elections," said Attorney General Merrick B. Garland. "As alleged in our court filings, President Vladimir Putin's inner circle, including Sergei Kiriyenko, directed Russian public relations companies to promote disinformation and state-sponsored narratives as part of a campaign to influence the 2024 U.S. Presidential Election. An internal planning document created by the Kremlin states that a goal of the campaign is to secure Russia's preferred outcome in the election. The sites we are seizing today were filled with Russian government propaganda that had been created by the Kremlin to reduce international support for Ukraine, bolster pro-Russian policies and interests, and influence voters in the United States and other countries. Our actions today make clear that the Justice Department will be aggressive in countering and disrupting attempts by the Russian government, or any other malign actor, to interfere in our elections and undermine our democracy."

"The Department's seizure of 32 internet domains secretly deployed to spread foreign malign influence demonstrates once again that Russia remains a predominant foreign threat to our elections," said Deputy Attorney General Lisa Monaco. "At Putin's direction, Russian companies SDA, Structura, and ANO Dialog used cybersquatting, fabricated influencers, and fake profiles to covertly promote AI-generated false narratives on social media. Those narratives targeted specific American demographics and regions in a calculated effort to subvert our election. Our republic depends on elections that are free from foreign interference, and we will not rest in our efforts to expose foreign malign influence operations and protect our democracy, without fear or favor."

"Today's announcement exposes the scope of the Russian government's influence operations and their reliance on cutting-edge AI to sow disinformation," said FBI Director Christopher Wray. "Companies operating at the direction of the Russian government created websites to trick Americans into unwittingly consuming Russian propaganda. By seizing these websites, the FBI is making clear to the world what they are, Russian attempts to interfere in our elections and influence our society. The FBI will continue to work with our partners to expose and shutdown these covert influence campaigns."

"This seizure illustrates vividly what the U.S. government and private sector partners have warned for months: the Russian government and its proxies are aggressively accelerating the Kremlin's covert efforts to seed false stories and amplify disinformation directed at the American public," said Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division. "Today's announcement reveals Russia is willing to impersonate our free and open press in its egregious schemes. This is our third disruption of Russian foreign malign influence operations in two months, and the Justice Department remains relentless in protecting Americans from such unacceptable conduct. To Russia, and any other government seeking to stoke discord in our society: know that we will spare no effort and use every available tool to disrupt and expose this malign activity and defend our democratic institutions."

"Protecting our democratic processes from foreign malign influence is paramount to ensure enduring public trust," said U.S. Attorney Jacqueline C. Romero for the Eastern District of Pennsylvania. "As America's adversaries continue to spew propaganda and disinformation towards the American electorate, we'll use every tool at our disposal to expose and dismantle their insidious foreign influence campaigns."

The propaganda did not identify, and in fact purposefully obfuscated, the Russian government or its agents as the source of the content. The perpetrators extensively utilized "cybersquatted" domains, a method of registering a domain intended to mimic another person or company's website (e.g., registering washingtonpost.pm to mimic washingtonpost.com), to publish Russian government messaging falsely presented as content from legitimate news media organizations. In other instances, the perpetrators sought to create their own unique media brands to promote Doppelganger content (e.g., Recent Reliable News). Among the methods Doppelganger used to drive viewership to the cybersquatted and unique media domains was the deployment of "influencers" worldwide, paid social media advertisements (in some cases created using artificial intelligence tools), and the creation of social media profiles posing as U.S. (or other non-Russian) citizens to post comments on social media platforms with links to the cybersquatted domains, all of which attempted to trick viewers into believing they were being directed to a legitimate news media outlet's website.

The affidavit describes the perpetrators' own internal strategy meeting notes, project proposals, and other records obtained during the course of the investigation. Several notable propaganda project proposals directed against the United States included:

• Good Old USA Project
• The Guerilla Media Campaign
• U.S. Social Media Influencers Network Project

Doppelganger's foreign malign influence efforts were not directed solely against audiences in the United States. Other targets of the perpetrators' propaganda included Germany, Mexico, and Israel, among others. Doppelganger's influence campaigns sought to influence the citizenry of those countries to support Russian government objectives, including by undermining the United States' relationship with those countries.

Doppelganger's use of the U.S.-based domain names at the direction and control of, and for the benefit of, sanctioned persons, including Sergei Vladilenovich Kiriyenko, SDA, and Structura, violates the International Emergency Economic Powers Act (IEEPA). As a result, the accompanying payments for Doppelganger's online infrastructure violate federal money laundering laws. In addition, Doppelganger's publication of content on cybersquatted domains with names and content that mimic legitimate media outlets violates federal criminal trademark laws because those domains feature trademarks registered on the Principal Register maintained by the U.S. Patent and Trademark Office.

Autonomous Non-Profit Organization (ANO) Dialog (ANO Dialog) is a Russian nonprofit organization founded in 2019 by the Moscow city government that leverages AI technology in online Russian disinformation for use against election campaigns. ANO Dialog Regions (Dialog Regions) is ANO Dialog’s subsidiary organization that is co-located at their Moscow headquarters and also has offices throughout Russia. Vladimir Grigoryevich Tabak (Tabak) is the Director General of both ANO Dialog and Dialog Regions. He previously held several positions in the Russian Presidential Administration.

ANO Dialog is linked to Doppelgänger — a Russia-linked influence operation network identified in 2022 — that used deep fake content to develop Russian disinformation campaigns. In fall 2022, Tabak was expected to attend a meeting with senior Russian government officials. The meeting discussed the presumed success of the Doppelgänger activity and provided feedback and guidance on future projects.

In July 2022, ANO Dialog and Tabak provided services to the Russian government, working on a project for the creation of fake online posts on popular social media accounts, including “Reliable Recent News” (“RRN”) and “War on Fakes”—a Russian disinformation website publicly linked to the Doppelgänger activity—that would be composed of counterfeit documents, among other material, in order to elicit an emotional response from the audiences of these accounts. An ANO Dialog advisor purchased RRN’s new domain, “rrn.world” in order to avoid using the former domain, “rrussianews.com,” which would have maintained a connection to Russia. Tabak also coordinated with ANO Dialog and the Russian government on the payment of services for an RRN-affiliate translator.

In late fall 2023, ANO Dialog personnel identified U.S., UK, and other public figures as potential targets for deepfake projects. Because of this, the EU sanctioned ANO Dialog for its role in the disinformation network and specifically as the owner and operator of the “War on Fakes” website. In May 2024, Tabak and several Dialog Regions officials coordinated with Russian government officials regarding the creation of bot accounts on popular social media messaging platforms for use in a misinformation campaign regarding voting locations in the U.S. 2024 election.