Full Report
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2024. It was last updated on July 8, 2024.
January
We blocked 4 domains …
Analysis Summary
This article summarizes several distinct, state-linked or state-aligned Coordinated Influence Operations (CIOs) identified and terminated across Q1 2024. Because multiple actors and operations are described, the summary addresses each identifiable entity separately where possible, focusing on the specific operations detailed.
# Threat Actor: (Multiple CIO Actors/State-Linked Operations)
## Attribution & Identity
The report details multiple, independent influence operations linked to the following nation-states or regions: Italy, Israel, Turkey, Kuwait, Indonesia, the People's Republic of China (PRC), Iran, Pakistan, Russia, Afghanistan, Taiwan, Cameroon, Haiti, India.
One operation linked to **Russia** specifically mentions an actor publicly tracked as **Doppelganger**.
## Activity Summary
The activities described are large-scale Coordinated Influence Operations (CIOs) terminated during Q1 2024 (January, February, and March). The primary goal across most operations was the dissemination of specific political narratives aligned with the sponsoring government's interests, covering topics like geopolitical conflicts (Ukraine war, Israel-Gaza conflict), domestic politics, and foreign policy critiques.
| Month | Country/Region | Scope of Activity (Examples) |
| :--- | :--- | :--- |
| Jan | Italy | Pro-Russian government content regarding the war in Ukraine (English, Czech, Farsi). |
| Jan | Israel | Claims regarding future Hamas attacks on Europe/West (Arabic, Hebrew, English, etc.). |
| Jan | Turkey | Content about the Israel-Gaza war and Yemeni government (Arabic). |
| Jan | Indonesia | Pro-Indonesian ruling party content (Bahasa Indonesia). |
| Feb | Iran | Content critical of the Israeli government and sharing content depicting alleged cyber attacks targeting Israeli organizations (English, Hebrew). |
| Feb | Russia | Pro-Russian and anti-Ukraine/Western Europe content (Russian, German, Arabic). Linked to **Doppelganger**. |
| Feb | PRC | Content critical of US technology and promoting Chinese technology; content related to China/US foreign affairs; content critical of Taiwan government. |
| Mar | Afghanistan | Content supportive of Palestine and critical of Israel, aligned with Iran/Yemen narratives. |
| Mar | India | Content supportive of the Indian government and critical of Pakistan; content supportive of state governments (Maharashtra). |
| Mar | Cameroon/Haiti linked | Pro-China and anti-West content (French). |
## Tactics, Techniques & Procedures
The primary TTP observed across all actors is Coordinated Inauthentic Behavior focused on content dissemination across Google platforms:
- Content sharing across linked accounts/domains to amplify specific narratives.
- Utilization and termination of:
  - YouTube channels (up to 5,306 terminated for PRC).
  - Blogger blogs.
  - Ads accounts (for paid promotion).
  - AdSense revenue generation accounts.
  - Domains blocked from Google News/Discover surfaces.
*(Note: Detailed technical TTPs or MITRE ATT&CK IDs were not provided in this operational report context, which focuses on infrastructure takedowns.)*
## Targeting
Targeting appears primarily focused on narrative shaping for audiences relevant to the geopolitical interests of the sponsoring nation-state.
- **Sectors:** Broad political discourse, foreign policy analysis, coverage of ongoing conflicts (Ukraine, Israel-Gaza).
- **Geography:** Content was dispersed globally, targeting audiences capable of reading the specific languages used by each campaign (e.g., Arabic, English, Farsi, Russian, Chinese, Bahasa Indonesia, Hebrew, German, French, Spanish, Czech).
- **Victims:** Narratives specifically targeted (or supported) governments/political entities in Israel, US, Taiwan, Pakistan, and Western Europe.
## Tools & Infrastructure
The primary infrastructure targeted consisted of online publishing and syndication channels:
- **Malware families used:** None specified (this report focuses on influence operations, not malware deployment).
- **Infrastructure (C2, domains, IPs):**
  - YouTube channels (up to 5,306 terminated).
  - Blogger blogs (up to 540 terminated).
  - Ads accounts (terminated).
  - AdSense accounts (terminated).
  - Domains blocked from Google News/Discover eligibility.
## Implications
These findings confirm sustained, high-volume influence operations by multiple state and state-aligned actors conducted during Q1 2024 aimed at shaping global perception regarding key geopolitical events, including the wars in Ukraine and Gaza, and advancing domestic political agendas (e.g., supporting ruling parties in Indonesia). The PRC campaign remains the largest by volume of terminated assets. The linkage of one Russian operation to the known actor **Doppelganger** suggests ongoing activity by established influence networks.
## Mitigations
Defense recommendations must focus on platform integrity and monitoring for coordinated inauthentic behavior:
- Continuous monitoring and rapid termination of large-scale networks across YouTube, Blogger, and advertising platforms when coordinated inauthentic behavior is detected (as demonstrated by the scale of terminations).
- Domain analysis and blocking across news aggregation surfaces (Google News/Discover) to prevent weaponized dissemination of propaganda narratives.
- Cross-platform collaboration (e.g., the Mandiant leads mentioned in the PRC investigation) to uncover and dismantle complex influence networks.