More evidence that a group of conservative political activists is operating a network of websites meant to inflame pandemic-related tension in the U.S. and solicit donations has been uncovered by a Seattle-based cybersecurity company.
Threat intelligence firm DomainTools released research Friday indicating that pro-gun activist Aaron Dorr appears to be using widely available software to operate dozens of websites, many of which include “reopen” in the URL.
DomainTools researchers have conducted a technical examination of “reopen” sites — like “ReopenMN” and “ReopenWI” — to determine just how consolidated the sites are, despite the appearance that they exist as standalone entities. The sites are registered to local gun advocacy groups and utilize One Click Politics, a digital organizing service that allows a single person to manage dozens of websites, run email promotion and collect money.
The network starts with Dorr’s personal website on top, at least 13 gun rights coalition groups on the next level down, and many dozens of state “reopen” sites beneath that, according to DomainTools.
“All of the [domains] in our report are tied back to Dorr,” said senior security researcher Chad Anderson.
Many of the sites also rely on the same SSL certificates, a tool meant to protect websites which also provides investigators with clues about who is operating a URL. In this case, it appears that domain administrators used Dorr’s personal website to register many of the certificates.
“SSL certificates tie these domains together,” said Anderson. “And because they’re all on the same server, it means they’re at least operated by Dorr’s group, or they have a partnership running through them.”
The stated goal of the reopen websites is to end “excessive” quarantine orders enacted by state leaders in response to the coronavirus pandemic. In fact, many of the sites were registered by gun advocacy groups connected to Dorr and his three brothers, who have described the National Rifle Association’s stance on gun regulation as “too compromising.”
The Dorr brothers’ efforts only are the latest example of “astroturfing,” in which coordinated political efforts are meant to look like organic grassroots movements. It’s a similar technique to the tactics that Russia’s Internet Research Agency used to fabricate and then amplify protests around hot-button political issues before the 2016 U.S. presidential election.
Aaron Dorr did not respond to a request for comment from CyberScoop. His brother, Ben Dorr, told the Philadelphia Inquirer that reports about their activities were “fake news.”
Media outlets, including the Washington Post and KrebsOnSecurity, have previously reported on the Dorr brothers’ internet presence, and their efforts to promote the anti-quarantine protests that occurred throughout the U.S. in the past week. NBC News reported this week that the Dorr brothers operated the five largest Facebook pages dedicated to the anti-isolation demonstrations.
The Facebook pages had more than 200,000 followers. The protests they helped magnify have resulted in international news coverage and support from leading Republican lawmakers, including President Donald Trump. The Dorr brothers also have attracted scrutiny for their political activities, including the revocation of the tax-exempt status for at least one of their nonprofit organizations.
In the days since the brothers’ efforts have made headlines, they also appeared to have updated the donations sections on at least two gun websites, AmericanFirearmsCoalition[.]org and MissouriFirearmsCoalition[.]org, according to DomainTools. Those sites, which rely on similar website layouts, now direct donations to a page on Anadot, a donation collection platform. Prior to the Facebook promotions and anti-quarantine protests, those sites relied on an inactive Anadot portal, researchers said.
“They wanted to make sure that donation function works,” Anderson said.