Full Report
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on October 31, 2024. July: We terminated 89 You…
Analysis Summary
# Threat Actor: Doppelganger (and associated state-sponsored influence campaigns)
## Attribution & Identity
Multiple state-affiliated influence operations were terminated in Q3 2024. Specific groups identified or linked include:
* **Russia:** Multiple campaigns, one linked specifically to the **Internet Research Agency (IRA)** and another linked to an unnamed **Russian consulting firm**.
* **People’s Republic of China (PRC)**
* **Azerbaijan**
* **Iran**
* **Ecuador**
* **United States (entities operating within)**
The actor publicly tracked as **Doppelganger** was linked to one of the Russian-linked campaigns.
## Activity Summary
The article details the termination of numerous Coordinated Influence Operations (CIOs) during Q3 2024, primarily targeting information ecosystems across YouTube, Google News, and Discover.
**Key Campaigns/Activities:**
* **Russia:** Numerous interconnected campaigns involved content in English, Polish, French, Russian, German, Italian, Hungarian, Czech, Dari, Georgian, and Armenian. Objectives included supporting Russia, criticizing Ukraine and Western institutions (US, West), and interfering in French politics. One large Russian campaign involved 7,319 terminated YouTube channels linked to a Russian consulting firm.
* **PRC:** Ongoing campaigns uploaded content in Chinese and English concerning China and U.S. foreign affairs.
* **Iran:** Campaigns targeted Middle Eastern current events, supporting the Iranian government and Palestine while criticizing Israel. They also shared content related to the US election.
* **Azerbaijan:** Campaigns supported Azerbaijan while criticizing Armenia and critics of the Azerbaijani government.
* **Ecuador:** A campaign shared Spanish content concerning Mexican and Ecuadorian politics.
* **United States:** A campaign sought to persuade voters in the US to run as independent candidates.
## Tactics, Techniques & Procedures
The primary TTPs observed revolve around controlling narratives across major platforms. The items below mix actor techniques with the enforcement actions the platform took against them:
* Termination of **YouTube channels** used for disseminating synchronized content.
* Blocking **domains** from eligibility on Google News surfaces and Discover.
* Use of **Ads accounts** and **AdSense accounts** (Iran campaign).
* Content dissemination across multiple languages (e.g., Russia utilized nearly ten languages in one campaign).
* Leveraging external leads (Meta, OpenAI) for investigation support.
*Note: Specific MITRE ATT&CK IDs were not provided in the source text.*
## Targeting
* **Sectors:** Information ecosystem/Political Discourse (All actors); potentially specific political figures (Russia targeting French ones).
* **Geography:** Global reach, with specific focus on the **US**, **Western Europe**, **Ukraine**, **Russia**, **Middle East**, **Mexico**, **Ecuador**, **Armenia**, and **Georgia**.
* **Victims:** General public/Voters (US election narratives), Armenian interests (Azerbaijan campaigns), Israeli interests (Iran campaigns).
## Tools & Infrastructure
* **Malware families used:** None explicitly mentioned, as the focus is on information operations rather than malware delivery.
* **Infrastructure (C2, domains, IPs):**
    * YouTube channels (thousands terminated across actors).
    * Blogger blogs (hundreds terminated in PRC and one in IRA-linked campaigns).
    * Domains blocked from Google News/Discover surfaces (specific numbers cited for Russia, PRC, Iran).
    * Ads accounts and AdSense accounts.
## Implications
The Q3 2024 activity highlights sustained, large-scale, multi-actor influence operations targeting democratic processes and geopolitical narratives globally. The sheer volume of terminated entities (e.g., 7,319 YouTube channels linked to a Russian firm) suggests sophisticated, industrialized influence efforts by state or state-aligned actors, with Russia displaying the highest frequency and diversity of language operations. The US election remains a key cross-cutting target vector.
## Mitigations
* Continuous monitoring and proactive cooperation between platforms (e.g., utilizing leads from partners like Meta and OpenAI).
* Rapid detection and termination of large-scale inauthentic networks across video and news domains.
* Focusing detection efforts on known state actors (Russia, PRC, Iran) engaging in narrative manipulation targeting critical events (e.g., US elections, Ukraine conflict).
* Analyzing and responding to cross-language content delivery techniques used by these influence networks.