The Invisible Internet: How Russian State Media Evade Sanctions Using Proxy Domains
By Brandon Janes, Naushad UzZaman, Paul Burkard
A Blackbird.AI RAV3N analysis reveals that despite EU and US bans, an expansive network of Russian state media sites, like RT, remains online, thanks to an intricate web of lookalike websites.
When you click a link on a social media post, you never quite know what will happen next. Will you land on the link you anticipated or something more nefarious? Narrative attacks can spread faster than legitimate news, and brands must ensure their advertisements do not inadvertently fund or appear alongside harmful content. The proliferation of mirror sites and proxy domains by state actors like Russian state media undermines geopolitical stability and poses a significant risk to brand integrity and consumer trust.
Consider this post by a German user on a Social Media Platform (translated from German):
*OUTRAGEOUS‼️ » On January 27, 2025, the 80th anniversary of the liberation of Auschwitz-Birkenau will be celebrated – but without Russian participation. The memorial said on Monday that Russian representatives were not invited to the ceremony. « https://freedert.online/europa/220241-russland-vom-80-jahrestag-befreiung/*
Behind this URL lies a sophisticated network of websites designed to hide the URL’s true origin from the world’s top governments and transnational media corporations.
The link points to a website called freedert.online, which is a perfect copy or “mirror site” of de.rt.com, the main German-language version of the news site RT, formerly Russia Today, an organization President Biden calls “a fully-fledged member of the intelligence apparatus and operation of the Russian government.”
Besides sharing the identical masthead and continuously updated content with its parent site, the connection between freedert.online and de.rt.com can be proven using a domain intelligence technology developed by Blackbird.AI utilizing Information Laundromat, an OSINT tool developed by the Alliance for Securing Democracy. Blackbird.AI’s Domain Intelligence enables analysts to identify patterns in the underlying architectures of banned state media websites and continuously surface new bad actor domains as soon as they are shared on social media.
EU, US ban RT, Sputnik
Immediately following Russia’s invasion of Ukraine in March 2022, the E.U., UK, and Canada banned RT and Sputnik in those regions. In September of this year, the U.S. Department of Justice unsealed an indictment against two entities affiliated with RT, Rossiya Segodnya and TV-Novosti, for engaging in “information operations, covert influence, and military procurement” in Russia’s effort to interfere with Moldovan elections.
“As part of RT’s expanded capabilities, the Russian government embedded within RT a unit with cyber operational capabilities and ties to Russian intelligence. RT’s leadership had direct, witting knowledge of this enterprise,” said U.S. Secretary of State Antony Blinken during a press conference in September 2024.
According to the indictment, RT Deputy Editor-in-Chief and Head of International Broadcasting for Sputnik Anton Anisimov administered an RT-run social media crowdfunding program to provide material support and weaponry to Russia’s military units in Ukraine.
Last month, Meta and YouTube quickly moved to delete accounts linked to RT from their platforms.
Closing these channels is significant because social media remains a major traffic driver for RT. According to a study by the Institute for Strategic Dialogue, social media helps spread Russian narrative attacks and drives revenue for the state media entity from ads on news sites.
Domain alternatives
Blackbird.AI, a world leader in narrative intelligence, uses its proprietary Actor Intelligence System to monitor harmful narratives across social media and identify new domains shared by known Russian state social media users. This Actor Intelligence System is dynamically updated with real-time data.
Take, for example, the primary Spanish-language RT news site, actualidad.rt.com. According to an analysis by Blackbird.AI, during August and September of 2024, known Russian state media accounts shared variations of the actualidad.rt.com domain, such as esrt.press, esrt.site, and esrt.space, to get around E.U. blocking technologies. Because they use these simple variations of actualidad.rt.com’s domain, shares of these sites escape detection by the automated systems designed to block them, which keeps RT’s narrative attack content swimming through social media feeds.
In some cases, RT makes surprisingly little effort to hide. When cloaking its German content, RT uses developmental test site domains such as test.ride.life and test.ride.website or even just shares raw IP addresses, e.g., 89.191.237.192, to avoid detection.
Blocking this type of attack is challenging when the cost to share is low. An automated solution is needed.
Some Russian proxy domains even include anti-censorship slogans in their names, such as gegenzensur.rtde.world and pressefreiheit.rtde.tech; in German gegenzensur means “against censorship” and pressefreiheit means “freedom of the press.” But make no mistake: these developers are not freedom of expression activists. This is the Russian government at war.
Follow the money
RT’s ability to earn money from ads on mirror and mainstream sites could be the undoing of this domain-scrubbing operation.
Blackbird.AI has visibility into the websites of suspected bad-actor domains. Storing up to 150 metadata points per domain, the tool can systematically find mirror sites. When two domains share the same metadata, it strongly indicates that the same entity operates both sites. A similarity-based algorithm is used to match site metadata.
Because of their uniqueness, the highest-value indicators are generally IDs, such as Google AdSense IDs (accounts required for earning money from ads on the site) and Google Analytics IDs (accounts used to monitor website traffic). A shared ID is often an early sign that the sites share ownership.
For example, the domain de.rt.com shared identical metadata with freedert.online in five different high-value indicators:
- Facebook Pixel ID – code placed on websites to track visitor activity, used for advertising and analytics
- Shodan hostname – a website address registered in Shodan, a search engine for internet-connected devices
- Google Analytics ID – a web analytics service account
- Site Verification ID – used to prove ownership of a website to external services
- Google Tag Manager ID – a tag management system account for tracking codes
Other powerful links can be drawn from website properties such as shared CSS classes, iframe ID tags in the site HTML, and crypto wallet IDs. Russian state website administrators can easily spin up new domains, but creating new bank accounts takes more time and effort.
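The metadata matching described above can be sketched as follows. This is an added example, not Blackbird.AI's or Information Laundromat's code: the regexes cover publicly documented ID formats, while the weights, the threshold and the sample HTML (including every ID in it) are constructed assumptions.

```python
import re

# Public ID formats found in page HTML. Weights and threshold are assumptions
# made for this example; unique account IDs outweigh generic markup.
INDICATORS = {
    "adsense_id": (re.compile(r"\bca-pub-\d{16}\b"), 5),
    "ga_id": (re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{8,12})\b"), 4),
    "gtm_id": (re.compile(r"\bGTM-[A-Z0-9]{4,9}\b"), 4),
    "fb_pixel_id": (re.compile(r"fbq\(\s*'init'\s*,\s*'(\d{10,20})'"), 4),
    "site_verification": (re.compile(
        r'name="google-site-verification"\s+content="([\w-]+)"'), 4),
    "css_class": (re.compile(r'class="([\w\- ]+)"'), 1),
}

# Constructed sample pages; every ID below is made up.
ORIGINAL = """<meta name="google-site-verification" content="constructed-token-01">
<script>gtag('config', 'G-EXAMPLE001'); fbq('init', '1234567890123456');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-TEST123"></script>
<div class="container news-feed-main">headline</div>"""
MIRROR = ORIGINAL.replace("headline", "same text, served from another domain")
UNRELATED = """<script>gtag('config', 'G-OTHERSITE9');</script>
<div class="container sidebar">other publisher</div>"""

def extract(html):
    """Map indicator name -> set of values found in the HTML."""
    found = {}
    for name, (pattern, _weight) in INDICATORS.items():
        values = set()
        for hit in pattern.findall(html):
            values.update(hit.split() if name == "css_class" else [hit])
        if values:
            found[name] = values
    return found

def compare(html_a, html_b, threshold=4):
    """Return (likely_same_operator, score, shared indicator names)."""
    a, b = extract(html_a), extract(html_b)
    shared = sorted(n for n in INDICATORS if a.get(n, set()) & b.get(n, set()))
    score = sum(INDICATORS[n][1] for n in shared)
    return score >= threshold, score, shared

if __name__ == "__main__":
    print(compare(ORIGINAL, MIRROR))     # mirror: four account IDs in common
    print(compare(ORIGINAL, UNRELATED))  # only the generic "container" class
```

The unrelated page shares only a generic CSS class, so it stays below the threshold. CSS-class overlap on its own is weak evidence because templates and frameworks are widely reused.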
Manually blocking domains results in an endless game of whack-a-mole unless automated systems are employed to detect problematic domains as they appear.
Automatic lead generation
At any given moment, an incomprehensible deluge of new user accounts, posts, shares, likes, and comments is created on social media, flooding feeds with terabytes of data. Detecting a threat in this mess becomes an insurmountable challenge. Blackbird.AI’s Actor Intelligence System brings order to this disorder by targeting known bad actors and the users who interact with (i.e., comment on, like, or share) posts from known bad actors. The algorithm works like following a trail of breadcrumbs left behind by users already known to be associated with certain types of content to discover new users with similar behaviors.
When a user like XYZ shares a post or a domain from a known Russian state media user account, such as RT, Blackbird.AI’s Actor Intelligence system applies a score to this user, incorporating XYZ’s indirect association with Russian state media into its so-called “user-cohort exposure score” classification. The more such interactions he makes, the higher his Russian state media exposure score.
These user-level scores help analysts search for posts likely to contain information related to a specific group, e.g. the Russian state media. If opposing groups of users exist, such as pro-Russia and pro-Ukraine users, the interactions from both groups can be incorporated into the post-level ranking, reducing noise and allowing for greater precision in the search.
This user-cohort-based post ranking is invaluable for finding mirror sites because it can be applied at scale across all users. XYZ has reshared RT domains, and he is likely to do so again. By having visibility into these high-probability domains surfaced with Blackbird.AI’s Actor Intelligence, the new domains can be matched against Blackbird.AI’s growing database of domain metadata.
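One way to compute a user-cohort exposure score and the post ranking built on it, as an added example rather than Blackbird.AI's proprietary algorithm. The account names, action weights, saturating formula `w / (w + half)` and cut-off are all assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# All accounts, posts and weights below are constructed for this example.
SEEDS = {"state": {"@seed_state_outlet"}, "opposing": {"@seed_opposing_outlet"}}
ACTION_WEIGHT = {"share": 3.0, "comment": 2.0, "like": 1.0}  # assumption
INTERACTIONS = [  # (user, action, account interacted with)
    ("@user_xyz", "share", "@seed_state_outlet"),
    ("@user_xyz", "share", "@seed_state_outlet"),
    ("@user_xyz", "like", "@seed_state_outlet"),
    ("@user_abc", "like", "@seed_state_outlet"),
    ("@user_abc", "share", "@seed_opposing_outlet"),
    ("@user_abc", "comment", "@seed_opposing_outlet"),
]
POSTS = [  # (post id, author, URL shared in the post)
    ("p1", "@user_xyz", "https://mirror.example/europa/article-1/"),
    ("p2", "@user_abc", "https://news.example/world/article-2/"),
    ("p3", "@user_new", "https://blog.example/post-3/"),
]

def exposure_scores(interactions, seeds, half=3.0):
    """Per-user, per-cohort score in [0, 1): w / (w + half), w = weighted count."""
    weight = defaultdict(lambda: defaultdict(float))
    for user, action, target in interactions:
        for cohort, accounts in seeds.items():
            if target in accounts:
                weight[user][cohort] += ACTION_WEIGHT[action]
    return {u: {c: w / (w + half) for c, w in per.items()}
            for u, per in weight.items()}

def rank_posts(posts, scores, cohort="state", against="opposing"):
    """Order posts by the author's cohort score minus the opposing-cohort score."""
    def net(author):
        s = scores.get(author, {})
        return s.get(cohort, 0.0) - s.get(against, 0.0)
    ranked = [(round(net(a), 3), pid, urlparse(url).hostname) for pid, a, url in posts]
    return sorted(ranked, reverse=True)

def candidate_domains(posts, scores, min_net=0.5):
    """Domains from high-ranking posts, to be checked against stored metadata."""
    return [host for net, _pid, host in rank_posts(posts, scores) if net >= min_net]

if __name__ == "__main__":
    scores = exposure_scores(INTERACTIONS, SEEDS)
    print(rank_posts(POSTS, scores))
    print(candidate_domains(POSTS, scores))
```

The account that interacts with both cohorts ends up with a negative net score, which is how the opposing group removes noise from the ranking. Only the domain shared by the consistently exposed user is passed on for metadata matching.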
Using the Domain Intelligence system to scan social media data, Blackbird.AI uncovered nine public domains not previously known to be linked to RT and Sputnik. Among the total posts containing URLs that ultimately lead to RT and Sputnik content, 42 percent were found to be mirror sites rather than official Russian state media domains. In fact, the mirror site esrt.site was the second most frequently shared Russian state media domain, with only rt.com appearing more often.
Once a domain, such as freedert.online or esrt.site, can be linked to the Russian state, or any other bad actor, its metadata is maintained as a resource to find more connections to other sites in the future, a virtuous loop of domain detection. Blackbird.AI’s Dynamic Domain DB can be used in ad safety technology to manage brand risk and improve ad targeting.
Enhancing Ad-Tech Safety through Real-Time Narrative Attack Detection
In an era where narrative attacks can spread faster than legitimate news, brands face the critical challenge of ensuring their advertisements do not inadvertently fund or appear alongside harmful content. The proliferation of mirror sites and proxy domains by state actors like Russian state media undermines geopolitical stability and poses a significant risk to brand integrity and consumer trust.
Blackbird.AI’s innovative solutions empower brands and ad-tech companies to navigate this complex landscape effectively. By providing real-time, nuanced insights into domains disseminating narrative attacks and associating with harmful cohorts, such as Russian State Actors, these tools enable organizations to make informed decisions about where their advertising dollars go. This proactive approach not only safeguards brands from the reputational damage of being linked to narrative attacks but also helps reallocate resources toward legitimate sources, thereby reducing the reach of harmful narratives.
The focus on brand safety transcends mere compliance; it’s about taking a stand against the monetization of narrative attacks and contributing to a more trustworthy digital ecosystem. By leveraging advanced AI and continuously updated data, brands can protect themselves and their audiences from the pitfalls of the ever-evolving narrative attack landscape.
Real-time solutions are imperative as the digital world becomes increasingly intricate and sophisticated. Blackbird.AI stands at the forefront of this mission, offering unparalleled visibility and actionable intelligence. By making smarter decisions about ad placements and content associations, brands protect their reputations and play a crucial role in diminishing the influence of narrative attacks. In doing so, they contribute to a healthier information environment where truth and integrity are prioritized over deceit and manipulation.
The Way Forward – Key Takeaways For Organizational And Security Leaders:
Evasion of Regulations by State Actors: Russian state media’s use of mirror sites to bypass bans highlights the need for advanced monitoring tools to detect and block covert dissemination tactics undermining regulatory efforts.
Brand and Ad-Tech Safety Risks: Organizations risk inadvertently funding or associating their brands with harmful content. Real-time narrative attack detection tools can safeguard brand integrity by ensuring ads don’t appear on proxy sites linked to state actors.
Continuous Evolution of Threat Actor Tactics: State-sponsored entities can quickly adapt and create new domains, making it crucial for security leaders to employ tools like Blackbird.AI’s Domain Intelligence, which can detect and respond to new threats as they emerge.
Automated Solutions to Combat Narrative Attacks: Manual intervention alone is insufficient in combating the speed and scale of narrative attacks. Security leaders need automated systems that detect problematic domains and prevent narrative attacks from proliferating.
Enhancing Organizational Resilience Against Influence Operations: By leveraging Blackbird.AI’s tools, organizations can proactively identify harmful narratives and state-affiliated networks, strengthening their defense against geopolitical narrative attack campaigns.