Under the hood of a Doppelgänger


Media clones serving Russian propaganda

This work is the result of a collaboration with EU DisinfoLab, an independent non-profit organization focused on tackling sophisticated disinformation campaigns targeting the EU.

During the past three months, EU DisinfoLab has been investigating a large disinformation campaign targeting Western audiences with pro-Russian propaganda. While our partner has focused on the disinformation itself, Qurium has looked into the technical infrastructure in use to better understand how the campaign has been set up and operated.

The complete report from EU DisinfoLab can be found here: Doppelganger.

Below are the results of Qurium's digital forensics investigation and a list of more than 50 domains used in the disinformation campaign.


In late August, EU DisinfoLab made us aware of a series of websites that had cloned the look and feel of several major news sites, mainly in Germany but also in the UK, France and Italy. The cloned websites, whose links were disseminated via social media (mainly Facebook and Twitter), spread disinformation articles and videos and impersonated journalists and media.

The purpose of the disinformation campaign is clear, as it fully aligns with Russian propaganda about the war in Ukraine. The disinformation undermines the Ukrainian government, its citizens and the Western governments supporting Ukraine, and supports lifting the sanctions against Russia.

Although we have not been able to attribute the actors behind the disinformation campaign, some conclusions can be drawn:

  • The major target of the disinformation campaign is Germany where eight of its major news agencies (Bild, Der Spiegel, Süddeutsche Zeitung, Tagesspiegel, T-Online, Welt, Frankfurter Allgemeine Zeitung and Neues Deutschland) have been targeted.
  • Judging by how the 50+ fake news sites have been set up (hosting, CDN, SSL certificates, domain registrar), they are likely to be operated by one single actor.
  • Although disinformation is being spread in no less than seven languages, the actor does not seem to possess these language skills but uses automatic translation services to localize the content.
  • The actor works with staff in at least three time zones (UTC, GMT+2, GMT+8), corresponding to Western Europe and the Irkutsk region in Russia.
  • The use of the tracking software Keitaro suggests that the operatives need to report on the campaign's success to a supervisor or client.


Qurium started its forensic investigation by looking into the websites of the main targets of the campaign (Bild, Spiegel and T-Online) and the fake online versions of those media.

An article in the fake Bild site, saying “Olaf Scholtz has betrayed the German economy.”

The fake websites share some common properties:

  • The front page of the cloned websites redirects to the authentic media.
  • Fake articles focus on the energy crisis, war refugees, Ukraine and the military conflict.
  • Videos included in the articles are located on the same hosting server and are not streamed from a third-party platform.
  • Videos included in the articles share the same name format and metadata.
  • The fake websites often use the subdomains redir, videos, m and news.
  • The fake domains also use subdomains of the form www-t-online-de.tonline[.]cfd and www-spiegel-de.spiegel[.]fun.
  • The fake websites remotely load assets from the original websites.

Where are the fake websites hosted?

The first fake websites that we investigated were registered in July 2022 and hosted behind the Cloudflare CDN to hide the backend server.

Nameservers | Domain | Timestamp
arturo.ns.cloudflare.com dell.ns.cloudflare.com | bild[.]asia | 2022-07-12t05
arturo.ns.cloudflare.com dell.ns.cloudflare.com | bild[.]vip | 2022-07-12t05
arturo.ns.cloudflare.com dell.ns.cloudflare.com | spiegel[.]fun | 2022-07-18t08
arturo.ns.cloudflare.com dell.ns.cloudflare.com | tonline[.]cfd | 2022-07-18t08
arturo.ns.cloudflare.com dell.ns.cloudflare.com | tonline[.]life | 2022-07-18t08

By looking into the domain bild[.]asia, we found a digital certificate on the IP address 46.246.96[.]73.

An SSL certificate for bild[.]asia links the site to the IP address 46.246.96[.]73.

We soon discovered that other similar clones used new TLDs such as ltd, fun, ws, today, cfd, asia and vip, so we wrote a few scripts to actively discover domains in these TLDs and collected their SSL certificates. With the information from the SSL certificates we searched for the hidden hosting and confirmed that the domains were operated from very few hosting locations.

Tracing the redirects of the fake domains provided a very distinctive signature.
Hidden locations leaked the fake domain names in the SSL certificates
Whois data from Bild.eu[.]com

Our research discovered the hidden locations of the websites, which are associated with these hosting providers:

  • Webzilla/XBT Holding (USA, Luxembourg)
  • TimeWeb (Russia)
  • BlueVPS/Glesys (Estonia, Sweden)
  • JavaPipe (Netherlands)

What other domains have been used?

Although we started our research by looking into five domains, by the time of this writing we have discovered more than 50 domains closely connected to the disinformation operation, impersonating media from Germany, Italy, the UK, the USA, France, Ukraine, Latvia, Lithuania and Estonia.

Germany

Bild (authentic domain: bild.de)

  • bild[.]asia
  • bild[.]eu.com
  • bild[.]llc
  • bild[.]pics
  • bild[.]vip
  • blld[.]live
  • bild[.]work
  • bild[.]ws

Der Spiegel (authentic domain: spiegel.de)

  • spiegel[.]agency
  • spiegel[.]co.com
  • spiegel[.]fun
  • spiegeli[.]life
  • spiegel[.]ltd
  • spiegel[.]pro
  • spiegel[.]work
  • spiegel[.]cab
  • spiegelr[.]today

Süddeutsche Zeitung (authentic domain: sueddeutsche.de)

  • sueddeutsche[.]me
  • sueddeutsche[.]cc
  • sueddeutsche[.]co
  • sueddeutsche[.]online (*)

Tagesspiegel (authentic domain: tagesspiegel.de)

  • tagesspiegel[.]ltd
  • tagesspiegel[.]co

Fraies Volk

  • fraiesvolk[.]com

T-Online (authentic domain: t-online.de)

  • tonline[.]cfd
  • tonline[.]life
  • t-onlinl[.]life
  • t-onlinl[.]live
  • t-onlinl[.]today
  • t-onlinr[.]life
  • t-onlinr[.]live
  • t-onlinr[.]today

Welt (authentic domain: welt.de)

  • welt[.]ltd

Frankfurter Allgemeine Zeitung (authentic domain: faz.net)

  • faz[.]ltd
  • faz[.]agency

Neues Deutschland (authentic domain: nd-aktuell.de)

  • nd-aktuell[.]net
  • nd-aktuell[.]pro
  • nd-aktuell[.]co

United Kingdom

Mail Online (authentic domain: dailymail.co.uk)

  • dailymail[.]cfd

The Guardian (authentic domain: theguardian.com)

  • theguardian[.]co.com

France

  • 20minuts[.]com

Ukraine

  • rbk[.]kiev.ua
  • rbk[.]today (*)
  • obozrevatels[.]com

Other countries

  • ansa[.]ltd (Italy)
  • delfl[.]cc (Estonia, Latvia, Lithuania)
  • lsm[.]li (Latvia)
  • reuters[.]cfd (USA)

Where have the domains been registered?

The domains have been registered with multiple registrars:

  • GoDaddy
  • NameCheap
  • Nic.ru
  • Pananames (Webzilla/XBT)

Where are the websites hosted?

Searching for the SSL certificates of the websites, we located them at the following IP addresses:

  • 46.246.96[.]73 (bild + spiegel) – Glesys Cloud
  • 89.223.120[.]166 (redir.faz + redir.welt) – Timeweb VDS
  • 206.54.190[.]198 (faz + welt) – XBT Holding/Fozzy/Webzilla (Colo4 TierPoint Dallas)

The SSL certificate of the domain bild[.]asia allowed us to find the hidden origin.
Many of the domain names have been hosted at 206.54.190[.]198 at Webzilla.

When were the fake websites created?

The first fake websites were registered in the first week of June 2022. The subdomains www-bild-de.bild[.]pics and www-bild-de-politik-ausland.bild[.]pics were rolled out in the second and third weeks of June 2022.

Over a period of ten weeks, more than 50 fake websites have been deployed:

June 2022

  • 2022-06-05 blld[.]live
  • 2022-06-06 bild[.]pics
  • 2022-06-28 20minuts[.]com
  • 2022-06-28 ansa[.]ltd
  • 2022-06-28 rbk[.]kiev.ua
  • 2022-06-29 spiegel[.]ltd

July 2022

  • 2022-07-06 lsm[.]li
  • 2022-07-07 theguardian[.]co.com
  • 2022-07-12 bild[.]asia
  • 2022-07-12 bild[.]vip
  • 2022-07-12 reuters[.]cfd
  • 2022-07-12 rbk[.]today
  • 2022-07-14 dailymail[.]cfd
  • 2022-07-14 delfl[.]cc
  • 2022-07-18 spiegel[.]fun
  • 2022-07-18 tonline[.]cfd
  • 2022-07-18 tonline[.]life
  • 2022-07-20 spiegel[.]pro
  • 2022-07-24 bild[.]eu.com
  • 2022-07-25 bild[.]llc
  • 2022-07-26 spiegel[.]co.com
  • 2022-07-28 spiegeli[.]life
  • 2022-07-28 welt[.]ltd
  • 2022-07-30 faz[.]ltd
  • 2022-07-31 t-onlinr[.]life
  • 2022-07-31 t-onlinr[.]live
  • 2022-07-31 t-onlinr[.]today

August 2022

  • 2022-08-06 spiegel[.]agency
  • 2022-08-09 tagesspiegel[.]ltd
  • 2022-08-14 spiegelr[.]today
  • 2022-08-14 t-onlinl[.]life
  • 2022-08-14 t-onlinl[.]live
  • 2022-08-14 t-onlinl[.]today
  • 2022-08-18 sueddeutsche[.]me
  • 2022-08-20 sueddeutsche[.]online
  • 2022-08-23 nd-aktuell[.]net

September 2022

  • 2022-09-09 obozrevatels[.]com
  • 2022-09-13 faz[.]agency
  • 2022-09-12 sueddeutsche[.]cc
  • 2022-09-13 sueddeutsche[.]co
  • 2022-09-12 nd-aktuell[.]pro
  • 2022-09-12 bild[.]ws
  • 2022-09-12 welt[.]ws
  • 2022-09-13 nd-aktuell[.]co
  • 2022-09-13 spiegel[.]work
  • 2022-09-13 tagesspiegel[.]co
  • 2022-09-14 bild[.]work
  • 2022-09-15 spiegel[.]agency
  • 2022-09-15 spiegel[.]cab
  • 2022-09-15 faz[.]life
  • 2022-09-15 welt[.]media
  • 2022-09-15 tagesspiegel[.]ltd
  • 2022-09-17 fraiesvolk[.]com

Domains and DNS servers

Domain | Cloudflare nameserver pair
bild[.]asia. | dell arturo
bild[.]vip. | dell arturo
reuters[.]cfd. | dell arturo
spiegel[.]fun. | dell arturo
tonline[.]cfd. | dell arturo
tonline[.]life. | dell arturo
bild[.]pics. | grace dean
blld[.]live. | grace dean
dailymail[.]cfd. | grace dean
spiegeli[.]life. | grace dean
spiegeli[.]live. | grace dean
spiegeli[.]today. | grace dean
t-onlinr[.]life. | grace dean
t-onlinr[.]live. | grace dean
t-onlinr[.]today. | grace dean
20minuts[.]com. | plato joselyn
ansa[.]ltd. | plato joselyn
bild[.]eu.com. | plato joselyn
bild[.]llc. | plato joselyn
bild[.]work. | plato joselyn
delfl[.]cc. | plato joselyn
faz[.]agency. | plato joselyn
faz[.]life. | plato joselyn
faz[.]ltd. | plato joselyn
fraiesvolk[.]com. | plato joselyn
lsm[.]li. | plato joselyn
nd-aktuell[.]co. | plato joselyn
nd-aktuell[.]net. | plato joselyn
nd-aktuell[.]pro. | plato joselyn
obozrevatels[.]com. | plato joselyn
rbk[.]kiev.ua. | plato joselyn
spiegel[.]agency. | plato joselyn
spiegel[.]cab. | plato joselyn
spiegel[.]co.com. | plato joselyn
spiegel[.]ltd. | plato joselyn
spiegel[.]pro. | plato joselyn
spiegel[.]work. | plato joselyn
sueddeutsche[.]cc. | plato joselyn
sueddeutsche[.]co. | plato joselyn
sueddeutsche[.]me. | plato joselyn
tagesspiegel[.]co. | plato joselyn
tagesspiegel[.]ltd. | plato joselyn
theguardian[.]co.com. | plato joselyn
welt[.]ltd. | plato joselyn
welt[.]media. | plato joselyn
welt[.]ws. | plato joselyn
spiegelr[.]today. | sima leonard
spiegelr[.]life. | sima leonard
spiegelr[.]live. | sima leonard
sueddeutsche[.]online. | sima leonard
sueddeutsche[.]life. | sima leonard
sueddeutsche[.]today. | sima leonard
t-onlinl[.]life. | sima leonard
t-onlinl[.]live. | sima leonard
t-onlinl[.]today. | sima leonard
rbk[.]today. | rosemary giancarlo (*)

Analyzing meta data from disinformation videos

To analyze the videos disseminated by the fake websites, we downloaded 15 videos.

Although the files came from different fake websites, they all matched the naming pattern DDMM[A-Z]{4,6}[_1]{0,6}\.mp4 (a day-month prefix, four to six capital letters and optional _1 suffixes), which suggests that the same actor produced the video content across the network of fake sites.

0108OKGCS.mp4
0208OKGBB.mp4
0208OKGCT.mp4
0308OKGCB.mp4
0408OKGCS_1_1.mp4
0508OKGBT_1_1.mp4
0606ONCGB.mp4
0906OBGB.mp4
1507OKGBE_1_1.mp4
1807OKGCD_1_1_1.mp4
1807OKGCD.mp4
2107OKGCS.mp4
2207OKKGBB.mp4
2307OKGBT_1_1.mp4
2407OKGBT.mp4
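As an added example (not one of Qurium's own scripts), the following Python checks the 15 file names listed above against the naming pattern and groups them by the month in the DDMM prefix; the day-month reading of the prefix is an assumption, consistent with the June to August dates of the listed files.

```python
import re
from collections import Counter

# The 15 file names listed above, as downloaded from the fake sites.
VIDEO_NAMES = """
0108OKGCS.mp4 0208OKGBB.mp4 0208OKGCT.mp4 0308OKGCB.mp4 0408OKGCS_1_1.mp4
0508OKGBT_1_1.mp4 0606ONCGB.mp4 0906OBGB.mp4 1507OKGBE_1_1.mp4 1807OKGCD_1_1_1.mp4
1807OKGCD.mp4 2107OKGCS.mp4 2207OKKGBB.mp4 2307OKGBT_1_1.mp4 2407OKGBT.mp4
""".split()

# DDMM prefix, four to six capital letters, up to six "_"/"1" suffix characters, ".mp4".
NAME_RE = re.compile(
    r"^(?P<day>\d{2})(?P<month>\d{2})(?P<code>[A-Z]{4,6})(?P<rev>[_1]{0,6})\.mp4$"
)


def parse_name(name: str):
    """Split a video file name into its parts; None if it does not follow the pattern."""
    m = NAME_RE.match(name)
    if not m:
        return None
    day, month = int(m["day"]), int(m["month"])
    # Assumption: the prefix is day then month, so it must be a plausible calendar date.
    if not (1 <= day <= 31 and 1 <= month <= 12):
        return None
    return {
        "day": day,
        "month": month,
        "code": m["code"],
        "revisions": m["rev"].count("_1"),  # number of "_1" export suffixes
    }


def summarize(names):
    """Count the names that conform to the pattern and group them by prefix month."""
    parsed = {n: parse_name(n) for n in names}
    unmatched = sorted(n for n, p in parsed.items() if p is None)
    per_month = Counter(p["month"] for p in parsed.values() if p)
    return {
        "matched": len(names) - len(unmatched),
        "unmatched": unmatched,
        "per_month": dict(per_month),
    }


if __name__ == "__main__":
    print(summarize(VIDEO_NAMES))
```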

A large amount of interesting metadata was left in the video files. We learned that the videos had been created using Adobe Premiere Pro, Adobe Photoshop and Adobe After Effects.

In several of the files we could extract the “Ingredients” of the videos, which allowed us to trace back the original videos that had been manipulated. The screenshot below shows that the video 0108OKGCS.mp4 consists of a number of mp4 and mov files with file names in Russian and German. The media logos are inserted as videos with the .mov extension, such as “der spiegel logo.mov”.

The “Ingredients” list of the video files shows the name of the original files that have been used to compose the final video.

Another interesting finding was the presence of three different time zone settings in the metadata of the video files, suggesting that the editing had been done from three different geographical locations.

  • GMT +08:00 (Irkutsk region Russia)
  • GMT +02:00 (Central Europe)
  • UTC (UK and others)

One of the videos was edited on devices with two different time zones (GMT +02 and GMT +08) and using different versions of Adobe XMP. A few videos contained no metadata at all.

Original file names were in Russian.

Loading assets from original websites

We also observed that the fake websites link to assets on the authentic newspapers' sites, triggering CORS (Cross-Origin Resource Sharing) errors.

CORS is the browser mechanism that allows restricted resources on a web page to be requested from a domain other than the one that served the page.

Geolocation-based redirects

The investigation also revealed that many fake articles advertised on social media had the .php extension.

When requesting the articles from the fake websites, we observed different results depending on the geolocation of our IP address. For example, asking for the fake article https://news[.]tagesspiegel.ltd/0497156.Lloyd-Austin-kommt-nach-Deutschland.php from Germany would redirect to and render the article from another doppelganger website, https://www[.]nd-aktuell.net/artikel/0497155.Lloyd-Austin-kommt-nach-Deutschland.html

When the articles were requested from outside Germany, the website displayed text from “Old Sultan”, a German fairy tale collected by the Brothers Grimm.

The “Old Sultan” tale is rendered if requesting the page from an IP address outside of Germany.
Final page when request comes from an IP address from Germany
LTD GEOLOCATED REDIRECTS

- https://news[.]tagesspiegel.ltd/0497156.Lloyd-Austin-kommt-nach-Deutschland.php
  → https://www[.]nd-aktuell.net/artikel/0497155.Lloyd-Austin-kommt-nach-Deutschland.html
- https://news[.]welt.ltd/politik/deutschland/article240128277/Trittbrettfahrer.php
  → https://www[.]welt.ltd/politik/deutschland/article240128277/Trittbrettfahrer.html
- https://news[.]welt.ltd/politik/deutschland/article240128277/Immer-mehr-B%C3%BCrgermeister-deutscher-St%C3%A4dte-unterschreiben-den-Brief-mit-dem-Aufruf-aus-dem-Sanktionsregime-auszusteigen3.php
  → https://www[.]welt.ltd/politik/deutschland/article240128277/Immer-mehr-B%C3%BCrgermeister-deutscher-St%C3%A4dte-unterschreiben-den-Brief-mit-dem-Aufruf-aus-dem-Sanktionsregime-auszusteigen.html
- https://news[.]faz.ltd/aktuell/politik/ausland/Weniger-Brot-Butter-und-Bier-26077247.php
  → https://www[.]faz.ltd/aktuell/politik/ausland/Weniger-Brot-Butter-und-Bier-26077247.html

FAZ.AGENCY GEOLOCATED REDIRECTS

- https://news[.]faz.agency/aktuell/politik/ausland/Die-Energiekrise-was-passiert-mit-Europa-19129402.php
  → https://www[.]faz.ltd/aktuell/politik/ausland/Die-Energiekrise-was-passiert-mit-Europa-19129402.php
- https://news[.]faz.agency/aktuell/politik/ausland/Die-schreckliche-Inflation-vernichtet-die-Einnahmen-der-Deutschen-25892217.php
  → https://www[.]faz.ltd/aktuell/politik/ausland/Die-schreckliche-Inflation-vernichtet-die-Einnahmen-der-Deutschen-25892217.php
- https://news[.]faz.agency/aktuell/politik/ausland/Warum-wird-der-Treibstoffpreis-in-Deutschland-unabh%c3%a4ngig-von-den-%c3%96lpreisen-weiter-steigen-47842915.php
  → https://www[.]faz.ltd/aktuell/politik/ausland/Warum-wird-der-Treibstoffpreis-in-Deutschland-unabh%C3%A4ngig-von-den-%C3%96lpreisen-weiter-steigen-47842915.php

Summary of redirects from .php articles

The mysterious kclient.php

During the investigation it was also noted that the fake websites news[.]faz.agency and news[.]faz.ltd had directory index listing enabled, and we could see several versions of articles distributed with the .php extension. We already knew that the .php articles redirected to their corresponding .html versions depending on the geolocation of the IP address, but the file kclient.php did not seem to be an article. What is kclient.php doing?

File listing of websites news.faz[.]ltd with timestamps

File listing of news.faz[.]agency when the files were moved from .ltd

We decided to look into this mysterious file kclient.php for further leads. We recorded the web requests to the .php files from Germany and noticed that the website always placed three different cookies in our browser (set-cookie):

set-cookie: PHPSESSID=3chf2170q68t4gdrhn1or1gl0d; path=/ 
set-cookie: _subid=1nv69b8esq; expires=Tue, 20-Sep-2022 07:09:49 GMT; Max-Age=86400; path=/; domain=.news.tagesspiegel.ltd 
set-cookie: 485d6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjE2MVwiOjE2NjM1NzU5NzF9LFwiY2FtcGFpZ25zXCI6e1wiODFcIjoxNjYzNTc1OTcxfSxcInRpbWVcIjoxNjYzNTc1OTcxfSJ9.8LVhD2oVJdJMLL5TNIKDVzRMrKT4i3wsulrOD5QPvd8; expires=Tue, 20-Sep-2022 07:09:49 GMT; Max-Age=86400; path=/; domain=.news.tagesspiegel.ltd 

This is what we learned from each of the cookies:

  • PHPSESSID: a PHP session cookie.
  • _subid: a 10-character value matching [0-9a-v]{9}; it increases with every connection.
  • 485d6: the cookie is a JSON Web Token (JWT), which encodes the header and payload in base64 and signs the message using HMAC-SHA256.

Once we figured out the encoding format of the 485d6 cookie, we were able to read the contents of these “cookies”.

The JWT cookie resembles the cookies used by the software Keitaro, an all-in-one tracker that has built-in landing page management, traffic distribution and a reporting system. In Keitaro's GitHub repository we found the mysterious file kclient.php, 26K in size, containing a reference to the _subid variable.

Once we discovered that Keitaro was being used to track each of the links in their campaigns, we collected hundreds of cookies from each of the websites and decoded each of the 485d6 cookies.

We did the same for all the files we found on news.faz[.]ltd and found that the campaign identifiers increased with each file as the date increased. This suggests that each fake article was being tracked as a different “campaign” inside Keitaro.
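As an added example (not Qurium's tooling and not Keitaro's code), the following Python extracts the 485d6 JWT from the Set-Cookie header quoted above, base64url-decodes its header and payload, unpacks the JSON document nested in the data claim to obtain the stream and campaign identifiers, and checks the HS256 signature against a candidate key. The cookie value is the one on this page; the signing key is the operator's and unknown to us, so the signature check is expected to fail for any key we try.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# The 485d6 Set-Cookie header captured from news.tagesspiegel[.]ltd (quoted above).
SET_COOKIE_485D6 = (
    "485d6=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJkYXRhIjoie1wic3RyZWFtc1wiOntcIjE2MVwiOjE2NjM1NzU5NzF9LFwiY2FtcGFpZ25zXCI6"
    "e1wiODFcIjoxNjYzNTc1OTcxfSxcInRpbWVcIjoxNjYzNTc1OTcxfSJ9."
    "8LVhD2oVJdJMLL5TNIKDVzRMrKT4i3wsulrOD5QPvd8; "
    "expires=Tue, 20-Sep-2022 07:09:49 GMT; Max-Age=86400; path=/; "
    "domain=.news.tagesspiegel.ltd"
)


def cookie_value(set_cookie: str, name: str) -> str:
    """Return one cookie's value from a Set-Cookie header line (attributes dropped)."""
    key, _, value = set_cookie.split(";", 1)[0].strip().partition("=")
    if key != name:
        raise ValueError(f"expected cookie {name!r}, got {key!r}")
    return value


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_tracker_jwt(token: str) -> dict:
    """Decode header and payload without trusting the signature (we do not hold the key)."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    # The tracker stores a second JSON document as a string inside the "data" claim.
    data = json.loads(payload["data"])
    return {
        "alg": header.get("alg"),
        "streams": {int(k): v for k, v in data["streams"].items()},
        "campaigns": {int(k): v for k, v in data["campaigns"].items()},
        "time": data["time"],
        "time_utc": datetime.fromtimestamp(data["time"], tz=timezone.utc).isoformat(),
    }


def signature_matches(token: str, key: bytes) -> bool:
    """HS256 check: HMAC-SHA256 over 'header.payload' must equal the third segment."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


if __name__ == "__main__":
    jwt = cookie_value(SET_COOKIE_485D6, "485d6")
    print(json.dumps(decode_tracker_jwt(jwt), indent=2))
    # Constructed guess for a key; verification fails without the operator's real key.
    print("signature valid with guessed key:", signature_matches(jwt, b"not-the-real-key"))
```

Running the same decoder over many collected 485d6 cookies and comparing the campaign identifiers per article is how the increasing campaign numbers described above can be observed.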

Conclusion

Since June 2022, over a period of three months, at least 50 websites have been created to spread disinformation. The forensic information gathered in this report, which includes analysis of infrastructure signatures, content metadata and historical SSL certificate data, strongly suggests that all the websites are operated in a coordinated manner by the very same actor.

Acknowledgments

This research has been possible thanks to access to OSINT tools such as Censys, RiskIQ Community and Farsight Passive DNS. Special thanks go to SURBL, who helped us dig into the fake domains as soon as they were registered.

FAQ

We have received several questions from media and researchers. Here is a summary of our answers.

How did you find the domains? We started by looking into the few domains that had already been spotted by the German media and found very distinctive patterns, such as the domains having a redir. subdomain or the front page redirecting to the legitimate media. We also discovered several hosting locations as the SSL certificates leaked them. What started with five initial domains quickly turned into dozens more domains in the campaign. Since the end of August, we have searched manually for each of the domains inside Facebook to discover each of the fake articles. It was a lot of manual work.

When did you discover that geolocation was used? Discovering the domain faz[.]ltd was key in the investigation, as we could list the hidden articles on one of their servers. It was then that we discovered that we needed a German IP address to be redirected to the fake articles.

Why do you think Keitaro was used as a tracker? We do not really know why they decided to use this specific software to implement some of the functionality they needed. We can only speculate that the Doppelganger development team is familiar with the advertising industry.

How did you get involved in this case? The EU DisinfoLab team reached out when they started to work on the case, and what started with a few hours looking into the case together ended up as a fascinating collaboration.

Are the domains still active? Yes, many of the domains are still active. The Doppelganger team bought more than 50 domain names from two registrars alone: Namecheap and GoDaddy. A few domain names were purchased from Pananames, part of the XBT Holding.

Notes

(*) The website rbk[.]today has been linked from different disinformation articles but does not share infrastructure signatures with the rest of the domains found in this research.