DOJ Counters Russian Election Interference

Big events have a way of changing editorial calendars. Before taking a brief Labor Day break, Iran’s election interference was next on our calendar. But things changed on 4-September with DOJ’s court filings on Russian interference in the 2024 U.S. elections. The filings, which included an indictment and a 277-page ‘AFFIDAVIT IN SUPPORT OF SEIZURE WARRANT’, provided new evidence and insights into Russian disinformation strategy and tactics, and precipitated a storm of reporting on the latest chapter in Russian interference in U.S. elections.

This post offers insights for cyber threat intelligence analysts responsible for election security. It provides practical examples of how analysts can use Generative AI (GenAI) and cyber threat intelligence in their work. In this post, we:

  • Examine key findings from new evidence and research.
  • Summarize intelligence on the Tenet Media campaign.
  • Share cyber threat intelligence on DOJ’s seizure of 32 domains.
  • Analyze Russian Doppelganger operations.
  • Provide examples of election targeting.
  • Offer an outlook and recommendations for the remainder of the 2024 U.S. elections.

Bottom line: Russian influence operations strategy is well-known: weaken the U.S. and its allies by sowing division and chaos. Russia remains persistent, blatant, agile, and undeterred. While its methods evolve, disinformation and cyber-attacks continue to be effective and favored weapons in its arsenal. We expect these campaigns to persist and intensify as the election approaches.

Indictment Overview 

The DOJ filings outline U.S. actions to counter Russia’s sophisticated efforts to influence American voters. These efforts involved Russian proxies, including state-run media (RT), contractors, networks of fake news producers, and a U.S. media company. Key highlights include:

  • Indictments of Russian individuals working for RT (Russia Today) and sanctions on 10 individuals and entities associated with RT and Russian contractors.
  • Seizure of 32 domain names that impersonated legitimate media outlets in covert propaganda operations, known as ‘Doppelganger,’ which began in 2022 and continue today.
  • Exposure of social media influence operations conducted through a small U.S. company, later identified as Tenet Media, based in Tennessee.
  • Disclosure of Russian strategy documents detailing methods, dashboards, and key performance indicators (KPIs) used to target U.S. voters.

The DOJ affidavit includes a Russian document titled ‘Good Old USA,’ which explicitly outlines the Kremlin’s preferred election outcome. As shown in Figure 1, it clearly identifies ‘Political Party B’ as the Democrats and ‘Political Party A’ as the Republicans. The document also describes a strategy to target voters in swing states, segment audiences by demographic groups, and develop messaging campaigns designed to exploit divisive social issues.

Tenet Media Campaign

The Tenet Media Campaign illustrates the adaptability of Russian influence operations and their ability to develop new tactics. The campaign involved funneling money to a small media company, co-founded by a former RT employee, with the goal of connecting Russia with established and receptive audiences in swing states.

In December 2023, Clemson researchers Linvill and Warren described campaigns powered by fake news and media sites, featuring fabricated editorial teams and personas publishing content either stolen from other websites or generated by AI. [14]

The Tenet Media campaign did not follow this model. Russia took a different approach by buying content from far-right influencers who already had established audiences. As Renée DiResta, technical research manager at the Stanford Internet Observatory, notes: “Buying authentic influencers is a far better use of funds than creating fake personas because they bring their own trusting audiences and are, in fact, real. Funding front media outlets is a classic state propaganda strategy.”

Figure 2 shows a concept diagram we developed for the Tenet Media operation. Starting on the left, the program was funded and directed by RT (Russia Today), Russian state media widely regarded as Putin’s mouthpiece. Beginning in the fall of 2023, RT paid $10M to the virtually unknown Tenet Media, which was founded in 2022 and began operations that fall. Tenet in turn paid six far-right influencers and conspiracy theorists to produce 2,000 videos and to engage each influencer’s subscribers. RT’s money represented 90% of Tenet’s revenues. [4]

The program proved to be highly profitable for the influencers and effective for their Russian backers. For an investment of around $10 million, Russia gained access to over 300,000 users who were receptive to its propaganda narratives. The economics of the partnership are summarized in Table 1.

Joe Bodnar, Senior Research Manager at the Institute for Strategic Dialogue (ISD), showed in Figure 3 that Tenet Media produced 1,986 videos on YouTube, garnering 16.6 million views and 316,000 subscribers. From a digital marketing perspective, this $10 million investment yielded a cost per view of $0.60 and a cost per subscriber of $31.65.

Following the DOJ filings, Tenet Media’s operations collapsed. Mother Jones reported that Tenet shut down, and YouTube and TikTok terminated its channels. [12] Tenet Media’s influencers claim to be victims, and some are cooperating with the FBI. As of September 7, our own testing confirms that YouTube and TikTok channels associated with Tenet are no longer operational. (Figure 4) 

Domain Seizures

Another important DOJ action was the FBI’s seizure of 32 website domains that the Kremlin used to covertly spread Russian propaganda as part of the Doppelganger campaign. Doppelganger has been directed since 2022 by Sergei Kiriyenko, a former prime minister who is now Vladimir Putin’s first deputy chief of staff. [3] The seized domains impersonated U.S. and international news outlets, with influencers and fake social media profiles on platforms like Facebook, X, Truth Social, and YouTube driving traffic to these sites. [6]

We compiled the 32 domain names we believe were seized by the FBI using the Named Entity Recognition (NER) capabilities of GPT-4. (Table 2) These domain names were extracted from the 277-page DOJ affidavit and then loaded into our intelligence collections in DomainTools for enrichment, analysis, and management. Key findings related to the seized domains include:

  • Media Impersonation: Many of the domains used typosquatting techniques to impersonate U.S. or international media organizations, e.g., Fox News, The Washington Post, Le Monde (French), Bild (German). We used GPT-4 to help identify brand impersonation.
  • Domain Registrars: 50% of the domains were registered through NameCheap, while 13% were registered through GoDaddy.
  • IP Hosting Locations: 78% of the domains were hosted in the U.S. 
  • ISPs: 75% of the domains were hosted by either Cloudflare or NameCheap
  • New Domains: 25% of the domains were registered in 2024 and 56% in 2023.
  • Risk: 75% of the domains had a high DomainTools risk score (>70).

Note: Our Generative AI process extracted a total of 61 unique domain names from the affidavit. However, many of these domains are no longer active, which may explain why only 32 were seized.
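The following Python is an added example, not part of the original post or the authors’ tooling, and it does not call GPT-4 or DomainTools. It does the two mechanical steps of the workflow above deterministically: pull live and defanged (‘[.]’) domain names out of affidavit-style text with a regex standing in for the NER pass, then roll up enrichment records into the registrar, hosting, registration-year and risk shares reported above, and diff the extracted list against a seizure list to find domains that were named but not seized. The sample text and the enrichment values are constructed placeholders; the 70-point risk threshold follows the findings above.

```python
"""Extract domain IOCs from affidavit-style text and summarize enrichment.

Added example for this post; not the page's own tooling and not a GPT-4 or
DomainTools call. The regex stands in for the NER pass, and the enrichment
records are constructed placeholders (assumption), not DomainTools output.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Matches live (example.com) and defanged (example[.]com) domains. A letters-only
# TLD keeps dates, version numbers and "U.S." out; an "hxxp://" prefix is harmless
# because the match starts at the host. In production, validate the TLD against
# the IANA list to drop look-alike tokens such as "first.last".
_DOMAIN_RE = re.compile(
    r"(?<![\w.-])"
    r"((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.|\[\.\]))+[a-z]{2,63})"
    r"(?![\w-])",
    re.IGNORECASE,
)


def normalize(domain: str) -> str:
    """Refang and lowercase so live and defanged spellings compare equal."""
    return domain.replace("[.]", ".").lower().strip(".")


def extract_domains(text: str) -> list[str]:
    """Unique, normalized domains in first-seen order."""
    seen: dict[str, None] = {}
    for m in _DOMAIN_RE.finditer(text):
        seen.setdefault(normalize(m.group(1)), None)
    return list(seen)


# Constructed sample written in the style of a seizure affidavit (not a quotation).
SAMPLE_TEXT = """
The subject domains include electionwatch[.]live and electionwatch.io, both
registered through 1API GmbH, and 50statesoflie[.]media. Content was mirrored
at hxxp://spicyconspiracy[.]io/ and again at SPICYCONSPIRACY[.]IO. Compare the
e.g. references, the U.S. Code citations, and version 2.10 of the platform.
"""


@dataclass(frozen=True)
class Enrichment:
    domain: str
    registrar: str
    hosting_country: str
    isp: str
    created: str       # ISO date from WHOIS/RDAP
    risk_score: int    # 0-100, higher is riskier


# Placeholder enrichment for the sample domains (constructed values, not DomainTools data).
SAMPLE_ENRICHMENT = [
    Enrichment("electionwatch.live", "NameCheap", "US", "Cloudflare", "2023-05-02", 88),
    Enrichment("electionwatch.io", "1API GmbH", "US", "Cloudflare", "2024-07-13", 100),
    Enrichment("50statesoflie.media", "NameCheap", "US", "NameCheap", "2023-11-20", 75),
    Enrichment("spicyconspiracy.io", "1API GmbH", "US", "Cloudflare", "2024-07-13", 100),
]


def summarize(records: list[Enrichment], high_risk_threshold: int = 70) -> dict:
    """Percent shares by registrar, hosting country, ISP and registration year,
    plus the share of domains scoring above the risk threshold."""
    n = len(records)

    def share(counter: Counter) -> dict[str, int]:
        return {k: round(100 * v / n) for k, v in counter.most_common()}

    return {
        "registrar": share(Counter(r.registrar for r in records)),
        "hosting_country": share(Counter(r.hosting_country for r in records)),
        "isp": share(Counter(r.isp for r in records)),
        "created_year": share(Counter(r.created[:4] for r in records)),
        "high_risk_pct": round(100 * sum(r.risk_score > high_risk_threshold for r in records) / n),
    }


def listed_but_not_seized(extracted: list[str], seized: list[str]) -> list[str]:
    """Domains named in the filing but absent from the seizure list: the ones to keep watching."""
    seized_set = {normalize(d) for d in seized}
    return [d for d in extracted if d not in seized_set]


if __name__ == "__main__":
    found = extract_domains(SAMPLE_TEXT)
    print("extracted:", found)
    print("summary:", summarize(SAMPLE_ENRICHMENT))
    print("listed but not seized:", listed_but_not_seized(found, ["50statesoflie[.]media"]))
```

The ordered, de-duplicated output of extract_domains is what gets loaded into a collection for enrichment; listed_but_not_seized is the same comparison that surfaces cases like Electionwatch[.]io later in this post.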

Doppelganger Plus

Russia has a long history of election interference and its playbook is well documented. The Doppelganger campaign, which has been active since 2022, is one of the most prominent disinformation operations run by the Russian government and its proxies. These campaigns have been extensively covered by both threat intelligence experts and governments. [13-24]

Since 2022, we have reported on Doppelganger six times, including in December 2023, February 2024, and July 2024. Currently we are managing over 20 intelligence collections and tracking close to 300 domain names and their supporting network infrastructure on Doppelganger and other adversary groups targeting elections. These collections are sourced from authoritative providers of cyber threat intelligence, such as Meta, Google-Mandiant, Microsoft, Recorded Future, SentinelOne, and NewsGuard. Additionally, we use domain threat hunting techniques with tools like DomainTools and GenAI to develop our own intelligence sources.

The characteristics of our expanded Doppelganger collection of close to 300 domains are summarized below. They are consistent with the findings for the seized domain collection described earlier. Key highlights are:

  • Domain Semantics: We used GPT-4 to analyze the semantics of the domain names in our collection. A simple taxonomy revealed that 11% of the sites impersonated media brands, 25% posed as local media outlets (e.g., heartlandherald[.]us), and 14% referenced states, counties, or metropolitan areas.
  • Domain Registrars: 66% of the domains were registered through NameCheap, and 4% through GoDaddy.
  • IP Hosting Locations: 86% of the domains were hosted in the U.S.
  • ISPs: 68% of the domains were hosted by either Cloudflare or NameCheap.
  • New Domains: 67% of the domains were registered in 2024, while 20% were registered in 2023.
  • Risk: 54% of the domains had a high DomainTools risk score (>70).

Unfortunately, most of these sites have not been seized, and many remain active.

Elections Examples

In this section, we provide examples from our collections that have been confirmed or are likely cases of Russian election interference. Some of these domains are currently active.

Electionwatch domains: We are monitoring three variants of Electionwatch domains. 

  • Electionwatch[.]live: Listed in the DOJ affidavit but not seized. Last observed resolving on June 11, 2024.
  • Electionwatch[.]io: Also listed by the DOJ but not seized. It remains active as of September 7, 2024. Created on July 13, 2024, through the German registrar 1API GmbH, it has a DomainTools risk score of 100 and is hosted in the U.S. (Figure 5)
  • Electionwatch[.]info: Not listed in the DOJ affidavit but still resolving as of September 6, 2024. Similarweb traffic data shows nearly 5,000 monthly views in August, primarily from users in the U.S. and Canada. (Figure 6)

50statesoflie Domains:

  • 50statesoflie[.]media: Seized by the FBI.
  • 50statesoflie[.]com: No longer active, last observed on August 7, 2024. (Figure 7)

Spicyconspiracy Domains:

  • Spicyconspiracy[.]io: Listed in the affidavit but not seized. Still active as of September 7, 2024. Like Electionwatch[.]io, it was created on July 13, 2024, through the German registrar 1API GmbH. It has a DomainTools risk score of 100 and is hosted in the U.S. (Figure 8)

Swing State Activity: To look for mentions of swing states on these domains, we used a Google dork search (site:example.com followed by the state name, e.g., site:example.com Pennsylvania). As shown in Table 3, we found mentions of swing states for the domains we tested.

Local Media Domains: Generative AI can help analysts discover more from their collections. For example, a senior analyst could quickly identify lexical or semantic patterns in domain names that suggest associations with geographic locations, media types, or political ideologies. In this example, we asked Anthropic’s Claude to do a semantic analysis for geographic place names on a list of 122 domains associated with Russian influence operations provided by Recorded Future. As shown in Figure 9, GenAI generated a list of domains whose names were semantically or lexically associated with media organizations and place names. Of these, 13 referenced swing states or counties in swing states.

As of September 8, 2024, the Madison-gazette[.]org site remains active. The landing page content closely aligns with the ‘Good Old USA’ strategy outlined earlier. This site was created on May 12, 2024, using NameCheap as the registrar. It has a DomainTools risk score of 100 and is hosted in the U.S. (Figure 10)
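To make the semantic pass described under ‘Domain Semantics’ above and in the local-media example reproducible without a chatbot, the following Python is an added example (not the post’s own tooling, and not Claude or GPT-4 output) that classifies domain names by plain string matching: brand impersonation by exact, substring or edit-distance match against a small brand list; local-media wording by vocabulary; and geography by a small gazetteer of assumed 2024 swing states plus a few of their counties and cities. The brand list, vocabulary, gazetteer and the ‘.test’ sample domains are illustrative assumptions; domains named earlier in this post are included as input.

```python
"""Lexical taxonomy for influence-operation domain names.

Added example for this post, not the page's own tooling. It replaces the
GPT-4 / Claude semantic pass with deterministic string matching so the result
is reproducible. The brand list, local-media vocabulary, swing-state gazetteer
and the .test sample domains are illustrative assumptions, not authoritative data.
"""

# Compacted second-level label -> brand impersonated (assumed short list).
MEDIA_BRANDS = {
    "washingtonpost": "The Washington Post",
    "foxnews": "Fox News",
    "lemonde": "Le Monde",
    "bild": "Bild",
}
# Words that make a domain read like a local news outlet (assumed vocabulary).
LOCAL_MEDIA_TERMS = ("gazette", "herald", "tribune", "chronicle", "journal",
                     "observer", "dispatch", "ledger", "daily", "times", "news", "post")
# Assumed 2024 swing states plus a few of their counties/cities (illustrative gazetteer).
SWING_PLACES = {
    "arizona": "AZ", "maricopa": "AZ",
    "georgia": "GA", "fulton": "GA",
    "michigan": "MI", "wayne": "MI",
    "nevada": "NV", "clark": "NV",
    "northcarolina": "NC", "mecklenburg": "NC",
    "pennsylvania": "PA", "philadelphia": "PA", "bucks": "PA",
    "wisconsin": "WI", "milwaukee": "WI", "madison": "WI", "dane": "WI",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as a doubled or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sld_tokens(domain: str) -> tuple[list[str], str]:
    """Second-level label of a (possibly defanged) domain as hyphen tokens and compact form.
    Simplification: takes the label left of the last dot, so ccTLD-style suffixes
    like .co.uk would need a public-suffix list."""
    host = domain.lower().replace("[.]", ".").strip(".")
    sld = host.split(".")[-2] if "." in host else host
    tokens = [t for t in sld.split("-") if t]
    return tokens, "".join(tokens)


def classify(domain: str) -> dict:
    tokens, compact = sld_tokens(domain)
    brand = None
    for key, name in MEDIA_BRANDS.items():
        # Exact label, brand embedded in a longer label, or near-miss spelling.
        # Short brand names (e.g. "bild") only match exactly to avoid false hits.
        if compact == key or (len(key) >= 6 and key in compact) \
                or (len(key) >= 7 and levenshtein(compact, key) <= 2):
            brand = name
            break
    local = brand is None and any(term in compact for term in LOCAL_MEDIA_TERMS)
    place = None
    for key, state in SWING_PLACES.items():
        # Short place names match only as whole hyphen tokens; longer ones may be embedded.
        if key in tokens or (len(key) >= 6 and key in compact):
            place = state
            break
    return {"domain": domain, "brand": brand, "local_media": local, "swing_state": place}


def taxonomy_shares(domains: list[str]) -> dict:
    """Percent of the collection in each bucket, plus the swing-state hits to review first."""
    rows = [classify(d) for d in domains]
    n = len(rows)
    return {
        "media_brand_pct": round(100 * sum(r["brand"] is not None for r in rows) / n),
        "local_media_pct": round(100 * sum(r["local_media"] for r in rows) / n),
        "swing_state_pct": round(100 * sum(r["swing_state"] is not None for r in rows) / n),
        "swing_state_hits": [(r["domain"], r["swing_state"]) for r in rows if r["swing_state"]],
    }


# Domains named in this post, followed by constructed look-alikes on the reserved .test TLD.
SAMPLE_DOMAINS = [
    "heartlandherald.us", "madison-gazette[.]org", "electionwatch[.]io", "50statesoflie[.]media",
    "washingtonpost.test", "foxnevvs.test", "le-monde.test", "bild.test",
    "dane-county-news.test", "pennsylvania-today.test",
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(classify(d))
    print(taxonomy_shares(SAMPLE_DOMAINS))
```

The swing_state_hits list is the triage queue: a domain that both reads like a local outlet and names a swing-state place, like Madison-gazette[.]org above, is the pattern worth pulling a landing page for first.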

Outlook

In the near term, we expect elevated levels of disinformation. We recommend that analysts adopt Generative AI (GenAI) in their counter-operations and that law enforcement, cyber infrastructure providers, media companies, and governments implement more aggressive countermeasures.

With election day less than two months away, we anticipate, based on experiences from the 2020 elections, that election-related disinformation will persist through inauguration day on January 20, 2025. Cyber threat analysts should prepare for a heightened threat environment through January.

In Figure 11 we see a calendar generated by GPT-4o of key election events for swing states that analysts could use for planning purposes.

We also recommend a more aggressive pursuit of:

  • Domain takedowns by registrars and technology companies.
  • Sanctions, seizures, and indictments by law enforcement.
  • Hunt forward operations, supported by U.S. Cyber Command (USCYBERCOM).

And finally, we are reminded of Meta’s recommendation for a stronger and more coordinated response by technology companies, domain registrars and hosting providers, and governments, as we noted in one of our previous posts from June 2024.

Editor’s Note:

  • Credit to our chatbots for their valuable assistance with threat analysis research and proofreading. 
  • Correction! Thanks to an astute reader, the Georgia information in Figure 11 is incorrect. Per the Georgia Secretary of State, the registration deadline is 10/07/2024. This is another reminder that GenAI-generated content needs to be verified.

References

  1. U.S. Department of Justice – Two RT Employees Indicted for Covertly Funding and Directing U.S. Company that Published Thousands of Videos in Furtherance of Russian Interests, 4-Sept-2024
  2. DOJ – United States of America vs. Certain Domains, Affidavit in Support of Seizure Warrant, Document 4, filed 4-Sept-2024
  3. NYTimes – U.S. Announces Plan to Counter Russian Influence Ahead of 2024 Election, 4-Sept-2024
  4. NYTimes – Russia Secretly Worms Its Way Into America’s Conservative Media, 7-Sept-2024
  5. The Atlantic – The Russian Propaganda Attack on America, 5-Sept-2024
  6. Substack: Heather Cox Richardson, Letters from an American – 4-Sept-2024
  7. Substack: Heather Cox Richardson, Letters from an American – 6-Sept-2024
  8. Renée DiResta – Threads, 4-Sept-2024
  9. Joe Bodnar – Threads, 4-Sept-2024
  10. NPR – How Russian operatives covertly hired U.S. influencers to create viral videos, 5-Sept-2024
  11. Reuters – YouTube terminating Tenet Media channel after US indictment, 5-Sept-2024
  12. Mother Jones – Tenet Media Shutters After Being Accused of Taking $10 Million in Covert Kremlin Funding, 6-Sept-2024
  13. Justice.gov – Justice Department Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm, 9-July-2024
  14. Linvill, Darren and Warren, Patrick – Infektion’s Evolution: Digital Technologies and Narrative Laundering, 15-Dec-2023
  15. U.S. Department of the Treasury – Treasury Sanctions Actors Supporting Kremlin-Directed Malign Influence Efforts, 20-March-2024
  16. U.S. Cyber Command – Russian Disinformation Campaign “Doppelgänger” Unmasked: A Web of Deception, 3-Sept-2024
  17. EU DisinfoLab – What is the Doppelganger operation? List of resources, July 2024
  18. Meta – Second Quarter Adversarial Threat Report, August 2024
  19. Facebook | GitHub – Threat Research: Doppelganger CIB Indicators, August 2024
  20. Recorded Future, Insikt Group – Russia-Linked CopyCop Expands to Cover US Elections, Target Political Leaders, 24-June-2024
  21. Recorded Future, Insikt Group – Russia-Linked CopyCop Uses LLMs to Weaponize Influence Content at Scale, 9-May-2024
  22. The Economist – A Russia-linked network uses AI to rewrite real news stories, 10-May-2024
  23. The Wall Street Journal – How Russian Trolls Are Trying to Go Viral on X, 21-August-2024
  24. NBC – Russian propagandists are still targeting Americans in influence operations, Meta says (Patriots Run Project), 15-August-2024
