Full Report
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2024. It was last updated on December 17, 2024.
October
We terminated 11…
Analysis Summary
This article describes multiple discrete coordinated influence operations terminated in Q4 2024, rather than detailing the lifecycle or TTPs of a single persistent threat actor. Therefore, the summary below captures the distinct entities identified within the provided text.
# Threat Actor: Doppelganger (Linked Influence Operation)
## Attribution & Identity
Attributed to **Russia**. The source refers to this operation by its publicly tracked name.
## Activity Summary
In October 2024, this specific campaign was linked to the actor publicly tracked as Doppelganger. The activity involved targeting audiences across several languages to promote narratives supportive of Russia and critical of Ukraine.
## Tactics, Techniques & Procedures
- Content dissemination via online platforms (implied in the context of influence operations).
## Targeting
- Sectors: Not explicitly defined (Focus is informational/political).
- Geography: Audiences consuming content in English, French, German, and Turkish.
- Victims: The general public and political spheres in countries targeted by the narratives (e.g., concerning European politics, US policy).
## Tools & Infrastructure
- 7 domains, which were blocked from eligibility to appear on Google News surfaces and Discover.
## Implications
Contributes to the broader Russian campaign of information warfare targeting Western and allied interests, focusing primarily on geopolitical conflicts (Ukraine) and domestic political events (US and European elections).
## Mitigations
- Monitoring and disruption of known actor infrastructure (domain blocking).
***
# Threat Actor: Unnamed Iranian State-Linked Operations (Multiple Instances)
## Attribution & Identity
Attributed to **Iran**. Several distinct campaigns were identified:
1. One campaign targeted by blocking domains on Google News/Discover.
2. A second, separate campaign involving the termination of YouTube channels, AdSense accounts, Blogger blogs, and one domain.
## Activity Summary
These operations propagated content across multiple languages concerning sensitive geopolitical topics:
1. **Campaign 1 (Domains Blocked):** Shared content in Arabic, English, French, and Spanish concerning the Israel-Palestine conflict, US military engagement in the Middle East, US social issues, and the US election, employing narratives from across the political spectrum.
2. **Campaign 2 (Accounts Terminated):** Shared content in English and Farsi that was supportive of Iran and Yemen and critical of Israel.
3. **Campaign 3 (YouTube Terminations):** Shared content in Arabic and Urdu supportive of Palestine and Iran, and critical of Israel and the US.
## Tactics, Techniques & Procedures
- Coordinated inauthentic behavior across YouTube, Blogger, and News surfaces.
## Targeting
- Sectors: Geopolitical audiences, general public.
- Geography: Global reach via distribution in multiple languages (Arabic, English, French, Spanish, Farsi, Urdu).
- Victims: General public; narratives aimed at influencing perception regarding Israel, the US, and regional politics.
## Tools & Infrastructure
- YouTube channels, AdSense accounts, Blogger blogs, and domains.
## Implications
Indicates a broad information operation effort by Iran targeting diverse global audiences concerning major geopolitical flashpoints and US domestic affairs.
## Mitigations
- Platform-specific removal of network nodes (channels, accounts, blogs).
***
# Threat Actor: Unnamed Russian State-Linked/Affiliated Operations (Multiple Instances)
## Attribution & Identity
Attributed to **Russia**. Several distinct, large-scale coordinated operations were terminated, some explicitly linked to "Russian state-sponsored entities" or a "Russian consulting firm."
## Activity Summary
These operations involved massive takedowns of inauthentic networks across YouTube, focusing heavily on supporting domestic Russian narratives and undermining adversaries:
- Multiple campaigns supported Russia/Putin and were critical of Ukraine.
- One large campaign directed criticism at Moldova.
- One highly active campaign directed criticism at Ukraine and the West.
- One campaign focused on English-language content about French political figures.
- One campaign focused on English-language content regarding the US election.
## Tactics, Techniques & Procedures
- Mass coordination over YouTube (thousands of channels terminated).
- Dissemination primarily in Russian, but also English, French, German, Italian, Polish, and Turkish.
## Targeting
- Sectors: Political ecosystems in Ukraine, Moldova, France, and the US.
- Geography: Audiences consuming content in multiple European languages and Russian.
- Victims: Foreign governments and political entities (Ukraine, Moldova, French politicians).
## Tools & Infrastructure
- Thousands of YouTube channels (up to 6,318 in one network).
- AdSense and Ads accounts.
- Domains blocked from Google News/Discover.
## Implications
Represents a vast, multi-pronged influence apparatus targeting multiple nations simultaneously with geopolitical narratives, often involving state-sponsored or semi-official entities.
## Mitigations
- Aggressive monitoring and removal of large-scale inauthentic networks on video platforms.
***
# Other Identified, Unattributed Operations
| Origin/Attribution | Size/Activity | Primary Topics |
| :--- | :--- | :--- |
| **Moldova-linked** | 11 YouTube channels terminated | Content in Russian/Romanian supporting a candidate in the Moldovan presidential election. |
| **Ghana-linked** | 28 YouTube channels, 2 AdSense accounts terminated | Content in French supportive of the People’s Republic of China (PRC) and Russia. |
| **Azerbaijan-linked** | 2,282 YouTube channels terminated | Content in Azerbaijani supportive of Azerbaijan and critical of Armenia/critics of the Azerbaijani government. |
| **Bangladesh-origin** | 4 YouTube channels, 1 domain blocked | Content in Russian critical of the Moldovan government. |
| **PRC-linked (Technology/Marketing Company)** | 206 domains blocked | Content supportive of the PRC (e.g., 2024 Taiwan election) and critical of US foreign policy. |
| **People’s Republic of China (PRC)** | 6,318 YouTube channels terminated | Content in Chinese and English about China and US foreign affairs. |
| **Unnamed/General** | 1 domain blocked | Content in English about the US election. |
**Note on TTPs/Tools:** For these smaller, actor-specific summaries, the TTPs are generally broad coordinated inauthentic behavior (CIB) focused on content amplification and dissemination across platforms (YouTube, News surfaces). No malware or specific C2 infrastructure (IPs/URLs) was mentioned in the source text.