| Storm-1099 | |
| --- | --- |
| Other Names | Doppelgänger |
| Location | Russia |
| Date of initial activity | 2022 |
| Government Affiliation | Yes |
| Motivation | Spreading misinformation, amplifying divisive issues, promoting Russian interests |

Overview
Storm-1099 is a sophisticated and strategically focused influence operation group affiliated with Russia. Emerging in Spring 2022, the group specializes in conducting pro-Russia influence campaigns against international supporters of Ukraine. Their operations are characterized by advanced techniques in misinformation and disinformation, aiming to manipulate public perception and advance Russian geopolitical interests.
Central to Storm-1099’s strategy is their use of sophisticated website forgery operations, notably under the alias “Doppelganger.” This initiative involves creating convincing yet false web content to deceive audiences and propagate misleading narratives. The group’s activities are designed to erode trust in credible information sources and distort public understanding of key geopolitical events.
Storm-1099 has been involved in several significant disinformation campaigns. They have spread false claims, such as suggesting that Hamas acquired Ukrainian weapons for an attack on Israel, which serves to create confusion and influence international sentiment. Additionally, they have amplified misleading images, such as graffiti in Paris, to insinuate Russian involvement in various activities, further aligning with Russia’s Active Measures playbook. Through these efforts, Storm-1099 seeks to achieve strategic objectives by influencing public opinion and shaping political discourse on a global scale.
Common targets
International Supporters of Ukraine: Their campaigns are aimed at undermining support for Ukraine by spreading disinformation about the conflict and its global ramifications.
Global Media Outlets: The group targets media channels to propagate misleading narratives and manipulate public perception.
Political Figures and Institutions: They seek to influence decision-makers and political institutions by spreading false information that aligns with their strategic objectives.
General Public: Through their disinformation campaigns, they aim to shape and sway public opinion on international geopolitical issues related to Russia and its adversaries.
Attack Vectors
- Website Forgery
- Social Media Manipulation
- Email Phishing
- Content Manipulation
- Online Communities
How they operate
One of Storm-1099’s notable tactics is their use of website forgery, known as the “Doppelganger” operation. This involves creating counterfeit websites that closely mimic legitimate ones to spread misleading or false information. Through these forged sites, Storm-1099 disseminates propaganda and distorts public understanding of critical events. For instance, they have propagated false claims suggesting that Hamas obtained Ukrainian weapons for attacks on Israel, a move designed to create discord and undermine support for Ukraine.
In addition to website forgery, Storm-1099 employs social media manipulation and email phishing as key vectors in their operations. They skillfully exploit these platforms to amplify false narratives and misinformation. By infiltrating online communities and engaging in content manipulation, they further distort public discourse and sway opinions in favor of Russian interests. This strategic use of digital channels reflects their alignment with Russia’s Active Measures playbook, which aims to influence public opinion and geopolitical dynamics through covert and deceptive means.
Overall, Storm-1099’s operations are characterized by their strategic use of disinformation and online manipulation to advance Russia’s geopolitical goals. By targeting international audiences and spreading false information, they aim to erode support for Ukraine and shape global perceptions in favor of Russian interests. Their sophisticated methods and relentless efforts underscore the ongoing importance of vigilance and resilience in the face of evolving disinformation threats.
MITRE Tactics and Techniques
T1071.001 – Application Layer Protocol: Web Protocols: Utilizing web protocols to spread disinformation and manipulate public opinion.
T1071.003 – Application Layer Protocol: HTTPS: Encrypting communications to protect the confidentiality of their operations and maintain anonymity.
T1071.004 – Application Layer Protocol: DNS: Leveraging DNS for various purposes, including hosting or redirecting content.
T1589 – Gather Victim Information: Collecting information about targets to tailor disinformation campaigns.
T1552.001 – Credentials from Password Stores: Password Storage: Obtaining and using compromised credentials to access accounts and propagate false information.
T1556 – Modify Authentication Process: Altering authentication processes or exploiting weak authentication mechanisms to gain access to and control online platforms for spreading disinformation.
T1486 – Data Encrypted for Impact: Encrypting or obfuscating data to protect sensitive operational details or prevent detection.
T1598 – Network Exploitation: Network Shares: Exploiting network shares to distribute propaganda or manipulate information.