How Russia uses EU companies for propaganda


– Exposing The Evil Empire of Doppelganger Disinformation

Almost two years ago, Qurium in collaboration with EU Disinfo Lab exposed the modus operandi of Doppelganger – the Russia-based foreign influence operation that had been targeting European media with pro-Russian disinformation since the start of Russia’s full-scale war in Ukraine.

Two years after the release of the investigation, the disinformation campaign is still active, but with refined methods for distributing links to fake content and new server infrastructure for delivering that content.

Contrary to what one might expect, Doppelganger operates its infrastructure from European data centers, not from Russian soil. Data centers in Germany and the Czech Republic host a large part of the malicious content. Qurium has partnered with German investigative media Correctiv and Czech investigative media Investigace.cz to perform on-site investigations of these hosting providers.

Qurium’s investigation reveals that disinformation is not an isolated activity of the cyber criminals, but rather one more service among many other cyber crimes offered by the same actors, such as data exfiltration, phishing or the distribution of scams using affiliate marketing. Hence, hosting and domain providers that offer a safe haven to disinformation also host a wide range of other criminal activities. The Lithuanian hosting and domain company Hostinger is one of the main actors identified, as well as the German Aurologic GmbH and Czech CDN77/Datacamp.

The ecosystem of Doppelganger has its hub in Aeza (International), a Russian provider with European presence. Aeza is a fast-growing business with strong ties to at least a dozen bulletproof hosting providers in Russia known to shelter cyber crimes.

Legal entities in the United Kingdom, often run by very young Russian individuals, are used to channel the necessary volatile digital resources to the constant creation of new providers (autonomous systems) that share a few common international upstreams. The technical infrastructure of Doppelganger is extensive, comprising more than 300 network prefixes and 100,000 IP addresses with a market value of 5 million EUR or a leasing cost of approximately 50,000 EUR/month. This massive infrastructure investment can only be sustained by serious financial support from external actors.

Qurium’s investigation presents strong evidence that there is a clear overlap of infrastructure used for disinformation and a wide range of cyber crimes.


Forensic reports

Contacts
Digital forensics: Tord Lundström <t at virtualroad.org> Technical Director
Media: Clara Zid <info at virtualroad.org> Media and Outreach Manager

Media coverage

Le Monde (France) Comment un même écosystème nourrit campagnes de désinformation et cybercriminalité [11/7/24]

EU Disinfo Lab (Belgium) Yet more evidence of Russia’s boundless impunity to spread misinformation in the EU [11/7/24]

The Insider (Russia) В работу кремлевской сети ботов Doppelgänger вовлечены европейские компании — расследование [11/7/24]

La Marea (Spain) “Doppelgänger”, la maquinaria de desinformación rusa, sigue activa a través de varias empresas europeas [11/7/24]

The Record Russian disinformation network’s infrastructure is spread across Europe, report says [11/7/24]

DayFR Euro (France) How the same ecosystem fuels disinformation campaigns and cybercrime [11/7/24]

De Standaard (Belgium) Rusland pompt zijn onlinepropaganda rond via Europese bedrijven [12/7/24]

Guildhall (Ukraine) Россия развернула инфраструктуру сети влияния Doppelgänger по всей Европе [12/7/24]

Cyprus (Russia) В работу кремлевской сети ботов Doppelgänger вовлечены европейские компании [12/7/24]

Next (France) Doppelgänger : des opérations de désinformation et de cybercriminalité se recoupent [12/7/24]

51CTO (China) 网络舆论战打响,俄罗斯虚假信息设施遍布欧洲 [12/7/24]

The Hacker News (United States) U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation [12/7/24]

Detector.media (Ukraine) У Європі викрили російську мережу дезінформації «Двійник», яка діє з весни 2022 року [12/7/24]

Mdr (Germany) “Finstere Zeiten tragen die Signatur der Entwirklichung” [12/7/24]

CyberDefence24 (Poland) Rosyjska operacja w Europie. Serwery ulokowane w Warszawie [12/7/24]

The Odessa Journal (Ukraine) The Russian disinformation network uses Europe’s infrastructure to spread fake news [12/7/24]

Catalin Cimpanu (Mastodon) A joint report between Correctiv and the Qurium Foundation… [11/7/24]

Severi Muona (Bluesky) How Russia uses EU companies for propaganda [12/7/24]

Zahid Front (Ukraine) Інформаційні двійники від росії заполонили європейсько-єврейський простір [14/7/24]

Ain (Ukraine) Російська мережа дезінформації використовує інфраструктуру Європи для поширення фейкових новин — дослідження [12/7/24]

163.com (China) 【安全圈】网络舆论战打响,俄罗斯虚假信息设施遍布欧洲 [12/7/24]

Nieuwsblad (Belgium) Hoe Rusland via Europese kranten onrust probeert te zaaien [12/7/24]

DataNet (South Korea) “러시아, 유럽 사업체 통해 거짓 선전전 벌여” [12/7/24]

Rozumaha (Telegram) Дослідники організацій Qurium і EU DisinfoLab… [12/7/24]

Feddit.org Swedish digital forensic group Qurium shows how Russia is using European companies for propaganda [16/7/24]

Risky Biz News (United States) Doppelganger infrastructure [12/7/24]

IT Security (Portugal) Infraestruturas de rede de desinformação russa espalhada pela Europa [15/7/24]

Reddit Exposing The Evil Empire of Doppelganger Disinformation [11/7/24]

ETDA Cyber Threat Intelligence Russian Disinformation Network’s Infrastructure Is Spread Across Europe, Report Says [12/7/24]

Cybersecurity Help (Czech Republic) Cyber Security Week in Review [12/7/24]

Reddit Memetic Warfare: Reviewing the DOJ takedown of the Meliorator network and Qurium’s report on bulletproof hosting and Doppelganger [16/7/24]

Quora (Ukraine) In Europe, the Russian disinformation network “Dvoinik” was exposed [14/7/24]

L’Opinione delle Libertà (Italy) Russia: Doppelgänger, l’arma della disinformazione [18/7/24]

Risky Biz News (United States) Doppelganger infrastructure shutdown [19/7/24]

Eesti Ekspress (Estonia) Vene propaganda kasutab Eesti ettevõtte tarkvara, firma juhi sõnul sellest tõendeid ei leitud [6/8/24]

Alliance4Europe (Germany) Fool Me Once: Russian Influence Operation Doppelganger Continues on X and Facebook [3/9/24]