Leveraging DomainTools for Early Detection of Russian Disinformation Operations

Russian Disinformation Used for Propaganda

Russian disinformation campaigns rely on strategically registered domains to push propaganda, impersonate legitimate media, conduct phishing campaigns, and manipulate public perception. A successful detection framework must:

  • Identify domains at registration before activation.
  • Track hosting, infrastructure, and metadata for clustering.
  • Correlate domain clusters linked to known Russian disinformation networks.
  • Detect spoofed domains impersonating media, government, and organizations.

DomainTools provides a range of features that align directly with these needs. Below is an overview of how specific DomainTools solutions can be used to detect, track, and mitigate Russian disinformation operations.

DomainTools Solutions for Early Detection of Russian Disinformation

Farsight DNSDB

  • Tracks how disinformation domains resolve over time.
  • Links domains to additional infrastructure (IP address, name server, netblock, etc.).
  • Enables discovery of connected domains.

Iris Investigate

  • Maps domain relationships based on registrar, hosting, SSL, and ASN data.
  • Connects newly detected domains to previously identified Russian disinfo networks.
  • Links domains to known malicious infrastructure.

Iris Detect

  • Monitors and alerts on suspicious domain registrations.
  • Helps detect bulk purchases of typosquatting or homoglyph domains.

Whois/RDAP History

  • Provides historical domain ownership and infrastructure shifts.
  • Identifies patterns in domain lifecycles linked to disinformation actors.

Domain Risk Score

  • Flags likely malicious or disinformation-linked domains before they are activated.
  • Prioritizes domains that match historical Russian tactics, techniques and procedures (TTPs).

Reverse Whois/RDAP and Registrant Correlation

  • Uncovers networks of domains registered under the same entity.
  • Identifies bulk domain purchases by known actors.

SSL Certificate Monitoring

  • Detects shared certificates across related disinformation domain clusters.
  • Maps infrastructure using common TLS fingerprints.

Typosquatting and Homoglyph Detection

  • Identifies domains impersonating government agencies, news organizations, and non-government organizations (NGOs).
  • Detects domains that use lookalike characters to mislead users.

Domain Registration and Whois/RDAP Tracking

Relevant DomainTools Solutions

  • Iris Detect for real-time discovery of domains typosquatting specific organizations or terms.
  • Whois/RDAP History for tracking domain lifecycle and past registrants.
  • Reverse Whois/RDAP for connecting multiple domains to the same actor.

Approach

  • Identify newly registered domains using suspicious TLDs such as “.ltd,” “.top,” “.icu,” “.ws,” and “.beauty.”
  • Detect bulk domain registrations associated with known Russian-linked registrars such as Reg.ru and R01.
  • Track reused Whois/RDAP details across multiple domains, even when privacy protection is enabled.

Example Workflow

  1. A new domain, “bundespolizei[.]pe,” is registered.
  2. Iris Detect flags the domain because its name matches that of the German Federal Police (Bundespolizei).
  3. Reverse Whois/RDAP reveals that the same registrant also owns “govv[.]pw” and “nato[.]ws.”
  4. Whois/RDAP History confirms that the registrant previously controlled domains linked to Russian disinformation.
  5. Passive DNS shows when the domains were first and last seen resolving in DNS.
  6. Subdomain enumeration for each domain is accomplished using Farsight DNSDB.

Infrastructure Analysis and Hosting Attribution

Relevant DomainTools Solutions

  • Iris Investigate for tracking hosting infrastructure.
  • Passive DNS for resolving domain-to-IP relationships.
  • SSL Certificate Monitoring for linking domains with common certificates.

Approach

  • Identify domains using Fast Flux hosting techniques, which rotate IPs rapidly.
  • Track name server configurations that indicate use of bulletproof hosting.
  • Correlate domains hosted within known Russian infrastructure, including ASNs in Russia, Moldova, and the Netherlands.

Example Workflow

  1. The domain “pravda-ua[.]space” is flagged.
  2. Passive DNS reveals that it resolves to an IP associated with a previous Russian influence operation.
  3. Iris Investigate links the domain to “rrn[.]media” and “ukrlm[.]info” via shared hosting visible in passive DNS data.
    1. “pravda-ua[.]space” and “ukrlm[.]info” both used 188.114.96[.]0 and 188.114.97[.]0
    2. “pravda-ua[.]space” and “rrn[.]media” both used 172.64.80[.]1
  4. SSL Certificate analysis finds that multiple fake news domains use the same certificate, confirming a coordinated network.
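The shared-hosting pivots in this workflow, and the shared-registrant pivot in the earlier one, are instances of one clustering step: join any two domains that share a pivot value, whatever its type. The example below is added here and is not DomainTools code; its observations are constructed from the defanged values in the post, the registrant key is a placeholder, and the max_shared cutoff is an assumption that discards pivots shared by many domains, since widely shared hosting or CDN addresses are a weak link on their own.

```python
from collections import defaultdict

# Constructed observations in the shape of the pivots the post walks through:
# (domain, pivot type, pivot value). Domains and IPs are defanged as in the post;
# the registrant key is a placeholder, not a value from the post.
OBSERVATIONS = [
    ("pravda-ua[.]space", "ip", "188.114.96[.]0"),
    ("pravda-ua[.]space", "ip", "188.114.97[.]0"),
    ("pravda-ua[.]space", "ip", "172.64.80[.]1"),
    ("ukrlm[.]info", "ip", "188.114.96[.]0"),
    ("ukrlm[.]info", "ip", "188.114.97[.]0"),
    ("rrn[.]media", "ip", "172.64.80[.]1"),
    ("bundespolizei[.]pe", "registrant", "REGISTRANT-PLACEHOLDER-1"),
    ("govv[.]pw", "registrant", "REGISTRANT-PLACEHOLDER-1"),
    ("nato[.]ws", "registrant", "REGISTRANT-PLACEHOLDER-1"),
    ("unrelated[.]example", "ip", "203.0.113[.]7"),
]

def cluster_by_pivots(observations, max_shared=50):
    """Union-find over domains: two domains join a cluster when they share a
    pivot value (IP, registrant, name server, certificate, ...).  Returns
    {frozenset(domains): set(pivots that linked them)}.  Pivots shared by more
    than max_shared domains are ignored: widely shared hosting, CDN or anycast
    addresses connect unrelated sites and are a weak link on their own."""
    by_pivot = defaultdict(set)
    for domain, ptype, value in observations:
        by_pivot[(ptype, value)].add(domain)
    parent = {d: d for d, _, _ in observations}

    def find(d):  # path-halving find
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    used = {}  # pivot -> domains it joined
    for pivot, domains in by_pivot.items():
        if len(domains) < 2 or len(domains) > max_shared:
            continue
        first, *rest = sorted(domains)
        for d in rest:
            parent[find(d)] = find(first)
        used[pivot] = domains
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return {frozenset(m): {p for p, ds in used.items() if ds <= m}
            for m in clusters.values()}
```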

Typosquatting and Homoglyph Attack Detection

Relevant DomainTools Solutions

  • Iris Detect for discovering and tracking newly registered typosquatting domains.
  • Iris Investigate for uncovering connected domains.
  • Domain Risk Score for predicting likelihood of malicious intent.

Approach

  • Identify domains that closely mimic legitimate organizations.
  • Detect homoglyph domains that use visually similar characters to trick users.
  • Flag impersonations of major news organizations, such as “fox-news[.]top,” “bild[.]beauty,” and “washingtonpost[.]ltd.”

Example Workflow

  1. The domain “washingtonpost[.]ltd” is registered.
  2. Iris Detect flags it as a potential impersonation based on a “washingtonpost” monitor.
  3. Pivoting on the two name server hostnames in use shows domains such as “bild[.]bz” and “foxnews[.]cx” amongst other Russian-language domains.
  4. Domain Risk Score assigns a high probability of malicious intent.
    1. Other domains found through the same combined name server pivot carry a Domain Risk Score of 100, indicating association with multiple domains already seen on threat intelligence feeds.
  5. Passive DNS tracking shows that the domain “fox-news[.]top” has had many short-lived subdomains on a single IP, which may indicate an evasive tactic.
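A minimal version of the lookalike check behind a monitor like the one in this workflow, added here as an example rather than DomainTools code: it folds digits, Cyrillic lookalikes and punycode into a skeleton, compares that with the monitored names, and flags the TLDs listed earlier in the post. The monitor list, the TLD set and the confusable table are assumptions made for this example.

```python
import unicodedata

# Constructed watchlist in the shape of an Iris Detect monitor, and the TLDs the
# post lists as frequently abused; both lists and the confusable table are
# assumptions made for this example.
MONITORS = ["washingtonpost", "foxnews", "bild", "bundespolizei", "nato"]
RISKY_TLDS = {"ltd", "top", "icu", "ws", "beauty"}
# Single-character lookalikes (digits, Cyrillic) mapped to the Latin letter they imitate.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})

def skeleton(label):
    """Reduce a label to what a reader perceives: decode punycode, strip
    accents, fold lookalike characters, drop hyphens and two-letter confusables."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.translate(CONFUSABLES).replace("-", "")
    return label.replace("vv", "w").replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(domain):
    """Return (monitored name the domain imitates or None, risky-TLD flag)
    for a defanged domain such as "washingtonpost[.]ltd"."""
    host = domain.replace("[.]", ".").lower().rstrip(".")
    label, _, tld = host.rpartition(".")
    label = label.split(".")[-1]  # registrable label; assumes a one-level TLD
    sk = skeleton(label)
    for m in MONITORS:
        ms = skeleton(m)
        if sk == ms or edit_distance(sk, ms) <= 1 or (ms in sk and len(sk) - len(ms) <= 3):
            return m, tld in RISKY_TLDS
    return None, tld in RISKY_TLDS
```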

Narrative and Thematic Detection

Relevant DomainTools Solutions

  • Iris Detect for monitoring registration patterns.
  • Domain Risk Score for identifying domains predicted to be used with malicious intent. 
  • SSL Certificate Monitoring for identifying clusters of fake news sites.

Approach

  • Identify domains aligned with specific Russian disinformation themes, such as anti-NATO messaging or election fraud claims.
  • Link new domains to past campaigns based on linguistic and topical similarities.
  • Monitor domains related to known Kremlin-aligned propaganda networks.

Example Workflow

  1. Domains “electionwatch[.]live” and “50statesoflie[.]com” are registered.
  2. Iris Investigate finds that both domains share hosting infrastructure with “shadowwatch[.]us.”
  3. Passive DNS confirms that the domains are using a Fast Flux network.
  4. Domain Risk Score assigns a high probability of coordinated activity.

Threat Hunting and Takedown Acceleration

Relevant DomainTools Solutions

  • Reverse Whois/RDAP for identifying domain networks.
  • SSL Certificate Tracking for correlating related domains.
  • Threat Intelligence API for integrating findings with other security tools.

Approach

  • Identify networks of disinformation domains before they become fully active.
  • Provide evidence to law enforcement and cybersecurity teams for rapid takedown.
  • Correlate new domains with historical Russian influence operations.

Example Workflow

  1. Iris Detect finds 100 new domains linked to “pravda-ua[.]space.”
  2. Reverse Whois/RDAP shows that the registrant has previously controlled GRU-affiliated domains.
  3. SSL Certificate Tracking confirms that the network is using shared infrastructure.
  4. Passive DNS confirms whether the domains have resolved recently.
  5. The evidence package is compiled and submitted for takedown.

Integrating DomainTools into Disinformation Detection Workflows

Key Use Cases and Recommended Tools

  • Detecting new disinformation domains: Iris Detect and Whois/RDAP Monitoring.
  • Mapping hosting infrastructure: Iris Investigate and Passive DNS.
  • Identifying media and government impersonation: Typosquatting Detection.
  • Tracking connected disinformation domains: Reverse Whois/RDAP and SSL Certificate Monitoring.
  • Supporting takedowns and intelligence sharing: Threat Intelligence API and Takedown Facilitation.

Next Steps for Implementation

  • Deploy automated monitoring for high-risk TLDs and registrars known for disinformation activity.
  • Set up real-time alerts for domains that mimic NATO, EU, elections, and Ukraine-related websites.
  • Integrate Passive DNS and SSL tracking to identify infrastructure overlaps with past disinformation campaigns.

Proactively Monitoring and Disrupting Russian Disinformation Networks

DomainTools provides the necessary capabilities to track, classify, and disrupt Russian disinformation networks. By proactively monitoring domain registrations, hosting patterns, and thematic trends, security teams can move from reactive responses to early intervention, reducing the impact of influence operations before they escalate.
