Narrative Laundering in Russian Influence Operations – Part 2

With recent reporting from The New York Times on March 7 and research from Clemson University, our Russian Narrative Laundering collection has expanded to include additional Russian mock news sites and campaigns. In this post we review a new load of ‘narrative laundering’ news sites and offer recommendations for countermeasures. This analysis is enabled by DomainTools and our GenAI (Generative AI) toolkit, which includes ChatGPT 4.0, Microsoft Copilot, and Perplexity.ai. GenAI was used as a research assistant and to provide editorial review.

Top Insights:

  • The Kremlin’s disinformation laundering campaign continues, targeting U.S. local news audiences through five newly identified mock news sites.
  • On a positive note, one such mock news site has been taken down, indicating progress in the fight against disinformation.
  • Recommended countermeasures include stronger regulations, more aggressive pursuit of domain takedowns, proactive domain threat hunting, and launching counter-narrative awareness campaigns.

Background

The NYTimes 7-March report profiled five Kremlin-controlled websites purporting to be U.S. news websites. This discovery expands upon Clemson University’s December 2023 research into Russian Narrative Laundering campaigns. [1-3] These operations are both a manifestation of the long history of Kremlin influence campaigns and a prelude to new campaigns targeting the U.S. 2024 elections. While Russia has demonstrated an appetite and skill at weaponizing digital and social media technologies going back to the 2016 and 2020 U.S. elections, the addition of GenAI (Generative AI) to their arsenal promises to significantly enhance their capability to influence the upcoming 2024 elections. 

Of particular interest in the NYTimes article were the names of the five mock news sites: the New York News Daily, the Chicago Chronicle, the Miami Chronicle, and D.C. Weekly. These were chosen to convey a geographic context, mimic local news outlets, and tailor messaging for key battleground states and districts.

These fraudulent websites serve to launder claims from lesser known websites and boost traffic to social media sites such as Telegram, X, Gab, Reddit, Facebook, and Trust Social. Ultimately the narratives are picked up by more well-known news outlets. The sites are designed to provide a veneer of authenticity and credibility. The content may be topical, plausible, fabricated conspiracy, real news directly copied from respected media sites, or generated by AI. Regardless, the objective is to sway the audience in favor of Russian interests, adhering to a well-documented Kremlin strategy for influence operations.

By identifying the names of the mock news sites, the NYTimes report provides valuable intelligence on Russian Influence Operations targeting the U.S. However, as it does not provide any website domain name information, its value for cyber threat intelligence (CTI) is limited. Enriching the data with website domain intelligence helps us develop additional insights. Thankfully, Clemson provided us with the correct domain names for these sites. Kudos for a critical information sharing assist!

Cyber Data Enrichment

Once we had the correct website domain names, the next step in the enrichment process was to load the domain names into the Iris Investigation platform from DomainTools and tag the domains in the relevant intelligence collections. DomainTools enrichment provides over 250 attributes per domain name. A summary of the key attributes is shown in Table 1. Column 1 is the name of the mock news site extracted from NYTimes. Column 2 was the input provided by Clemson. The remaining columns are key enrichment data types and values from DomainTools.  

Table 1. Data enrichment as of 3-11-2024

A CTI analyst will be interested in some of this data, such as:

  • Registrar: LiquidNet was identified as the registrar for four out of the five domains, suggesting a pattern in the choice of registrars. 
  • Temporal Insights: Most of the domains were relatively new, with four being first seen within the last six months, including three within the most recent three months. This temporal proximity indicates a potentially coordinated effort. 
  • Risk Score: Two domains were flagged with high risk scores (above 70), according to DomainTools classifiers.
  • Hosting Details: Cloudflare was the hosting provider for four out of the five domains, providing insights into the infrastructure preferences of the operators.
  • Operational Status: While four of the domains remain active, one has been successfully taken down. The take-down status warrants further investigation, as detailed in the next section.

Domain Takedown

The successful takedown of one of the mock news site domains is an encouraging indicator. Takedowns are one remedy for combatting malicious sites. Takedown requests can be made by cybersecurity firms and law enforcement agencies directly to domain registrars and hosting providers, targeting sites that violate Acceptable Use Policies (AUP).

As shown in Figure 1, the Chicago Chronicle site, chicagochron[.]com, was taken down by the domain registrar, LiquidNet, for unspecified violations of the registrar’s Acceptable Use Policy (AUP). 

Figure 1. chicagochron.com takedown, 3-11-2024 via DomainTools

Takedowns are a necessary response to malicious websites. Meta’s comments, as seen in Figure 2, capture their importance to combatting disinformation. [4-6] Stronger regulations around domain registration and takedown policies can combat cyber and disinformation threats. This is an area which the U.S. needs to address, and where Europe provides a reference model for stronger regulations.

Figure 2. Meta Comments on Domain Governance

Countermeasures

Russia’s disinformation and influence operations have been honed over many years of practice. Now, with the benefit of adversarial AI and a highly polarized election environment, the consensus assessment is that we should expect a dramatic increase in attacks. To counter these threats, we recommend the following:

  • Pass Stronger Regulation: Tighter regulations can provide the legal framework needed to combat disinformation more effectively.
  • Launch Counter Narrative Campaigns: Increasing public awareness of disinformation threats and incidents can immunize the public against false narratives.
  • Intensify Takedown Efforts: Adopting more rigorous policies will directly disrupt and impose costs on disinformation sources.
  • Proactive Threat Hunting: Monitoring new domain registrations, particularly those that mimic local media or newspapers, can identify threats as soon as domains are registered. 

We’ll conclude with an example of proactive threat hunting: monitoring new media domain registrations. Russia’s choice of domain names for their mock websites is an intentional attempt to pass them off as local media or newspapers. A countermeasure would be to monitor new domain registrations for terms associated with newspapers, media, or target geographic audiences.

GenAI could be used to research and feed data to drive DomainTools monitors, filters, and alerts. Figures 3 and 4 show how we use ChatGPT for basic NLP (Natural Language Processing) functions like word frequency analysis and word cloud generation based on the top 100 newspapers in the U.S. These terms would then be used to monitor domains. [11]

Figure 3. ChatGPT Word Frequency Distribution for Top-100 Newspapers
Figure 4. ChatGPT Word Cloud from Top-100 Newspapers
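
The monitoring idea above, sketched as an added example (not code from the original post or from DomainTools): a newly registered domain is flagged when its leftmost label splits cleanly into known place and media terms, with recent first-seen dates ranked higher. The term lists, the `.example` domains, the dates and the scoring weights are all constructed assumptions; a real term list would come from the word-frequency analysis described above.

```python
from datetime import date
from functools import lru_cache

# Assumed term lists for illustration only.
MEDIA = {"chronicle", "chron", "times", "daily", "weekly", "news", "post",
         "herald", "tribune", "gazette", "journal"}
GEO = {"newyork", "chicago", "miami", "dc", "boston", "houston"}
VOCAB = MEDIA | GEO | {"the", "of"}

def segment(label):
    """Split a label entirely into vocabulary words, or return None.
    Full segmentation avoids substring noise such as 'post' in 'compost'."""
    label = label.lower().replace("-", "")

    @lru_cache(maxsize=None)
    def split(i):
        if i == len(label):
            return ()
        for j in range(len(label), i, -1):      # try the longest word first
            if label[i:j] in VOCAB:
                rest = split(j)
                if rest is not None:
                    return (label[i:j],) + rest
        return None

    return split(0)

def score(record, today):
    """Score one registration record; higher means review sooner."""
    words = segment(record["domain"].split(".")[0])
    if not words:
        return 0
    pts = 2 * any(w in MEDIA for w in words) + 2 * any(w in GEO for w in words)
    if (today - record["first_seen"]).days <= 180:  # registered in last ~6 months
        pts += 1
    return pts

def hunt(feed, today, threshold=4):
    """Return (domain, score) pairs at or above threshold, highest first."""
    hits = [(r["domain"], score(r, today)) for r in feed]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])

# Constructed sample feed of new registrations.
FEED = [
    {"domain": "miami-chronicle.example", "first_seen": date(2024, 1, 15)},
    {"domain": "dcweekly.example", "first_seen": date(2022, 5, 1)},
    {"domain": "bostonmarathon.example", "first_seen": date(2024, 2, 1)},
    {"domain": "compostguide.example", "first_seen": date(2024, 2, 20)},
]

if __name__ == "__main__":
    for domain, pts in hunt(FEED, date(2024, 3, 11)):
        print(pts, domain)
```

Hits are leads for analyst review, not verdicts: legitimate local outlets register names of the same shape.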

References

  1. NYTimes – Spate of Mock News Sites With Russian Ties Pop Up in U.S., 7-March-2024
  2. Linvill, Darren and Warren, Patrick, “Infektion’s Evolution: Digital Technologies and Narrative Laundering”. (2023). Media Forensics Hub Reports. https://tigerprints.clemson.edu/mfh_reports/3
  3. Cybercrank.net – Narrative Laundering in Russian Influence Operations, 26-Feb-2024
  4. Cybercrank.net – Profiling and Countering Russian Doppelgänger Info Ops, 10-Dec-2023
  5. Meta – Adversarial Threat Report: Third Quarter, 2023, 30-Nov-2023
  6. EU DisinfoLab – Doppelganger Media clones serving Russian propaganda, 27-Sept-2022
  7. The Washington Post – Kremlin runs disinformation campaign to undermine Zelensky, documents show, 16-Feb-2024
  8. NewsGuard Substack: Reality Check – Kremlin’s World-Class Dashboard Maximizes Disinformation, at 26 Cents Per Lie, 21-Feb-2024
  9. Cybercrank.net – Profiling and Countering Russian Doppelgänger Info Ops, 10-Dec-2023
  10. Blackbird.ai – How Disinformation Campaigns Magnify Cyberattacks: Insights And Strategies For Defense, 22-Feb-2024
  11. Infoplease.com – Top 100 Newspapers in the U.S., update 5-Aug-2020
