mirror of
https://github.com/DISARMFoundation/DISARMframeworks.git
synced 2024-10-01 01:45:36 -04:00
code update
This commit is contained in:
Sara-Jayne Terp
parent
3ea4176a4f
commit
82053a2221
File diff suppressed because it is too large
Load Diff
@ -44,140 +44,140 @@ A 2019 report by Michael Golebiewski identifies five types of data voids. (1)
|
||||
70,Prepare,Develop Content,Generate information pollution,Hijack Hashtags,,ST0038,,,,,
|
||||
72,Prepare,Develop Content,Distort facts,Reframe Context,"Reframing context refers to removing an event from its surrounding context to distort its intended meaning. Rather than deny that an event occurred, reframing context frames an event in a manner that may lead the target audience to draw a different conclusion about its intentions. ",ST0039,,,,,
|
||||
73,Prepare,Develop Content,Distort facts,Edit Open-Source Content,"An influence operation may edit open-source content, such as collaborative blogs or encyclopedias, to promote its narratives on outlets with existing credibility and audiences. Editing open-source content may allow an operation to post content on platforms without dedicating resources to the creation and maintenance of its own assets. ",ST0040,,,,,
|
||||
76,Prepare,Develop Content,Obtain Private Documents,Leak Authentic Documents,,ST0040,,,,,
|
||||
77,Prepare,Develop Content,Obtain Private Documents,Leak False Documents,,ST0041,,,,,
|
||||
78,Prepare,Develop Content,Obtain Private Documents,Leak Altered Documents,"Obtain documents (eg by theft or leak), then alter and release, possibly among factual documents/sources.",ST0042,,,,,T0025 Leak altered documents (AMITT)
|
||||
81,Prepare,Establish Social Assets,Create Inauthentic Accounts,Create Anonymous Accounts,Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation. ,ST0043,,,,SPICE,
|
||||
82,Prepare,Establish Social Assets,Create Inauthentic Accounts,Create Cyborg Accounts,"Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behavior with human interaction. ",ST0044,,,,SPICE,
|
||||
76,Prepare,Develop Content,Obtain Private Documents,Leak Authentic Documents,,ST0041,,,,,
|
||||
77,Prepare,Develop Content,Obtain Private Documents,Leak False Documents,,ST0042,,,,,
|
||||
78,Prepare,Develop Content,Obtain Private Documents,Leak Altered Documents,"Obtain documents (eg by theft or leak), then alter and release, possibly among factual documents/sources.",ST0043,,,,,T0025 Leak altered documents (AMITT)
|
||||
81,Prepare,Establish Social Assets,Create Inauthentic Accounts,Create Anonymous Accounts,Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation. ,ST0044,,,,SPICE,
|
||||
82,Prepare,Establish Social Assets,Create Inauthentic Accounts,Create Cyborg Accounts,"Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behavior with human interaction. ",ST0045,,,,SPICE,
|
||||
83,Prepare,Establish Social Assets,Create Inauthentic Accounts,Create Bot Accounts,"Bots refer to autonomous internet users that interact with systems or other users while imitating traditional human behavior. Bots use a variety of tools to stay active without direct human operation, including artificial intelligence and big data analytics. For example, an individual may program a Twitter bot to retweet a tweet every time it contains a certain keyword or hashtag. An influence operation may use bots to increase its exposure and artificially promote its content across the internet without dedicating additional time or human resources.
|
||||
Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as a Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots102 pose as real people by mimicking human behavior, complicating their detection. ",ST0045,,,,SPICE,
|
||||
84,Prepare,Establish Social Assets,Create Inauthentic Accounts,Create Sockpuppet Accounts,Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account.67 Sockpuppet accounts help legitimize operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation. ,ST0046,,,,SPICE,
|
||||
86,Prepare,Establish Social Assets,Recruit bad actors,Recruit Contractors,,ST0047,,,,,
|
||||
87,Prepare,Establish Social Assets,Recruit bad actors,Recruit Partisans,,ST0048,,,,,
|
||||
Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as a Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots102 pose as real people by mimicking human behavior, complicating their detection. ",ST0046,,,,SPICE,
|
||||
84,Prepare,Establish Social Assets,Create Inauthentic Accounts,Create Sockpuppet Accounts,Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account.67 Sockpuppet accounts help legitimize operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation. ,ST0047,,,,SPICE,
|
||||
86,Prepare,Establish Social Assets,Recruit bad actors,Recruit Contractors,,ST0048,,,,,
|
||||
87,Prepare,Establish Social Assets,Recruit bad actors,Recruit Partisans,,ST0049,,,,,
|
||||
88,Prepare,Establish Social Assets,Recruit bad actors,Enlist Troll Accounts,"An influence operation may hire trolls, or human operators of fake accounts that aim to provoke others by posting and amplifying content about controversial issues. Trolls can serve to discredit an influence operation’s opposition or bring attention to the operation’s cause through debate.
|
||||
Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organization, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalized or less organized and work for a single individual. ",ST0049,,,,,
|
||||
91,Prepare,Establish Social Assets,Build Network,Create Organizations,"Influence operations may establish organizations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities.",ST0050,,,,,
|
||||
92,Prepare,Establish Social Assets,Build Network,Follow Trains,,ST0051,,,,,
|
||||
93,Prepare,Establish Social Assets,Build Network,Create Community or Sub-group,,ST0052,,,,,
|
||||
Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organization, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalized or less organized and work for a single individual. ",ST0050,,,,,
|
||||
91,Prepare,Establish Social Assets,Build Network,Create Organizations,"Influence operations may establish organizations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities.",ST0051,,,,,
|
||||
92,Prepare,Establish Social Assets,Build Network,Follow Trains,,ST0052,,,,,
|
||||
93,Prepare,Establish Social Assets,Build Network,Create Community or Sub-group,,ST0053,,,,,
|
||||
95,Prepare,Establish Social Assets,Acquire/ recruit Network,Fund Proxies,"An influence operation may fund proxies, or external entities that work for the operation. An operation may recruit/train users with existing sympathies towards the operation’s narratives and/or goals as proxies. Funding proxies serves various purposes including:
|
||||
- Diversifying operation locations to complicate attribution
|
||||
- Reducing the workload for direct operation assets ",ST0053,,,,,
|
||||
96,Prepare,Establish Social Assets,Acquire/ recruit Network,Botnets,,ST0054,,,,,
|
||||
98,Prepare,Establish Social Assets,Infiltrate Existing Networks,Identify susceptible targets in networks,,ST0055,,,,,TK0016 Identify susceptible targets in networks (AMITT)
|
||||
99,Prepare,Establish Social Assets,Infiltrate Existing Networks,Utilize Butterfly Attack,"Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organizations, and media campaigns. ",ST0056,,,,,
|
||||
105,Prepare,Establish Social Assets,Prepare fundraising campaigns,From bad actors,,ST0057,,,,,
|
||||
106,Prepare,Establish Social Assets,Prepare fundraising campaigns,From ignorant agents,,ST0058,,,,,
|
||||
108,Prepare,Establish Social Assets,Leverage Content Farm,Create a Content Farm,,ST0059,,,,,
|
||||
109,Prepare,Establish Social Assets,Leverage Content Farm,Outsource Content Creation to External Organizations,"An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, i.e., by employing an organization that can create content in the target audience’s native language. Employed organizations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media. ",ST0060,,,,,
|
||||
113,Prepare,Establish Legitimacy,Create fake experts,Utilize Academic/Pseudoscientific Justifications,,ST0061,,,,,
|
||||
115,Prepare,Establish Legitimacy,Create personas,Backstop personas ,"Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate crediblity/believability",ST0062,,,,,T0030 Backstop personas (AMITT)
|
||||
117,Prepare,Establish Legitimacy,Establish Inauthentic News Sites,Create Inauthentic News Sites,,ST0063,,,,,T0008 Create fake or imposter news sites (AMITT)
|
||||
- Reducing the workload for direct operation assets ",ST0054,,,,,
|
||||
96,Prepare,Establish Social Assets,Acquire/ recruit Network,Botnets,,ST0055,,,,,
|
||||
98,Prepare,Establish Social Assets,Infiltrate Existing Networks,Identify susceptible targets in networks,,ST0056,,,,,TK0016 Identify susceptible targets in networks (AMITT)
|
||||
99,Prepare,Establish Social Assets,Infiltrate Existing Networks,Utilize Butterfly Attack,"Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organizations, and media campaigns. ",ST0057,,,,,
|
||||
105,Prepare,Establish Social Assets,Prepare fundraising campaigns,From bad actors,,ST0058,,,,,
|
||||
106,Prepare,Establish Social Assets,Prepare fundraising campaigns,From ignorant agents,,ST0059,,,,,
|
||||
108,Prepare,Establish Social Assets,Leverage Content Farm,Create a Content Farm,,ST0060,,,,,
|
||||
109,Prepare,Establish Social Assets,Leverage Content Farm,Outsource Content Creation to External Organizations,"An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, i.e., by employing an organization that can create content in the target audience’s native language. Employed organizations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media. ",ST0061,,,,,
|
||||
113,Prepare,Establish Legitimacy,Create fake experts,Utilize Academic/Pseudoscientific Justifications,,ST0062,,,,,
|
||||
115,Prepare,Establish Legitimacy,Create personas,Backstop personas ,"Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate crediblity/believability",ST0063,,,,,T0030 Backstop personas (AMITT)
|
||||
117,Prepare,Establish Legitimacy,Establish Inauthentic News Sites,Create Inauthentic News Sites,,ST0064,,,,,T0008 Create fake or imposter news sites (AMITT)
|
||||
118,Prepare,Establish Legitimacy,Establish Inauthentic News Sites,Leverage Existing Inauthentic News Sites,"An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognizable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organizations, or state entities.
|
||||
An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. Typosquatting87 is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct. ",ST0064,,,,,
|
||||
120,Prepare,Establish Legitimacy,Prepare Assets Impersonating Legitimate Entities,Astroturfing,"Astroturfing occurs when an influence operation disguises itself as grassroots movement or organization that supports operation narratives. Unlike butterfly attacks, astroturfing aims to increase the appearance of popular support for the operation cause and does not infiltrate existing groups to discredit their objectives. ",ST0065,,,,,
|
||||
121,Prepare,Establish Legitimacy,Prepare Assets Impersonating Legitimate Entities,Spoof/parody account/site,,ST0066,,,,,
|
||||
123,Prepare,Establish Legitimacy,Co-opt Trusted Sources,Co-Opt Trusted Individuals,,ST0067,,,,,
|
||||
124,Prepare,Establish Legitimacy,Co-opt Trusted Sources,Co-Opt Grassroots Groups,,ST0068,,,,,
|
||||
125,Prepare,Establish Legitimacy,Co-opt Trusted Sources,Co-opt Influencers,,ST0069,,,,,TK0013 Find Influencers (AMITT)
|
||||
132,Execute,Microtarget,Leverage Echo Chambers/Filter Bubbles,Use existing Echo Chambers/Filter Bubbles,,ST0070,,,,,
|
||||
133,Execute,Microtarget,Leverage Echo Chambers/Filter Bubbles,Create Echo Chambers/Filter Bubbles,,ST0071,,,,,
|
||||
An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. Typosquatting87 is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct. ",ST0065,,,,,
|
||||
120,Prepare,Establish Legitimacy,Prepare Assets Impersonating Legitimate Entities,Astroturfing,"Astroturfing occurs when an influence operation disguises itself as grassroots movement or organization that supports operation narratives. Unlike butterfly attacks, astroturfing aims to increase the appearance of popular support for the operation cause and does not infiltrate existing groups to discredit their objectives. ",ST0066,,,,,
|
||||
121,Prepare,Establish Legitimacy,Prepare Assets Impersonating Legitimate Entities,Spoof/parody account/site,,ST0067,,,,,
|
||||
123,Prepare,Establish Legitimacy,Co-opt Trusted Sources,Co-Opt Trusted Individuals,,ST0068,,,,,
|
||||
124,Prepare,Establish Legitimacy,Co-opt Trusted Sources,Co-Opt Grassroots Groups,,ST0069,,,,,
|
||||
125,Prepare,Establish Legitimacy,Co-opt Trusted Sources,Co-opt Influencers,,ST0070,,,,,TK0013 Find Influencers (AMITT)
|
||||
132,Execute,Microtarget,Leverage Echo Chambers/Filter Bubbles,Use existing Echo Chambers/Filter Bubbles,,ST0071,,,,,
|
||||
133,Execute,Microtarget,Leverage Echo Chambers/Filter Bubbles,Create Echo Chambers/Filter Bubbles,,ST0072,,,,,
|
||||
134,Execute,Microtarget,Leverage Echo Chambers/Filter Bubbles,Exploit Data Voids,"A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation.
|
||||
A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalizing on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term. ",ST0072,,,,,
|
||||
137,Execute,Select Channels and Affordances,Chat apps,Use Encrypted Chat Apps,,ST0073,,,,,
|
||||
138,Execute,Select Channels and Affordances,Chat apps,Use Unencrypted Chats Apps,,ST0074,,,,,
|
||||
140,Execute,Select Channels and Affordances,Livestream,Video Livestream,,ST0075,,,,,
|
||||
141,Execute,Select Channels and Affordances,Livestream,Audio Livestream,,ST0076,,,,,
|
||||
143,Execute,Select Channels and Affordances, Social Networks,Mainstream Social Networks,"Examples include Facebook, Twitter, LinkedIn, VK, ",ST0077,,,,,
|
||||
144,Execute,Select Channels and Affordances, Social Networks,Dating Apps,,ST0078,,,,,
|
||||
145,Execute,Select Channels and Affordances, Social Networks,Private/Closed Social Networks,,ST0079,,,,,
|
||||
146,Execute,Select Channels and Affordances, Social Networks,Interest-Based Networks,"Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc.",ST0080,,,,,
|
||||
147,Execute,Select Channels and Affordances, Social Networks,Use hashtags,"Use a dedicated, existing hashtag for the campaign/incident.",ST0081,,,,,T0055 Use hashtags (AMITT)
|
||||
148,Execute,Select Channels and Affordances, Social Networks,Create dedicated hashtag,Create a campaign/incident specific hashtag.,ST0082,,,,,
|
||||
150,Execute,Select Channels and Affordances,Media Sharing Networks,Photo Sharing,"Examples include Instagram, Snapchat, Flickr, etc",ST0083,,,,,
|
||||
151,Execute,Select Channels and Affordances,Media Sharing Networks,Video Sharing,"Examples include Youtube, TikTok, ShareChat, Rumble, etc",ST0084,,,,,
|
||||
152,Execute,Select Channels and Affordances,Media Sharing Networks,Audio sharing,"Examples include podcasting apps, Soundcloud, etc.",ST0085,,,,,
|
||||
154,Execute,Select Channels and Affordances,Discussion Forums,Anonymous Message Boards,Examples include the Chans,ST0086,,,,,
|
||||
161,Execute,Select Channels and Affordances,Traditional Media,TV,,ST0087,,,,,
|
||||
162,Execute,Select Channels and Affordances,Traditional Media,Newspaper,,ST0088,,,,,
|
||||
163,Execute,Select Channels and Affordances,Traditional Media,Radio,,ST0089,,,,,
|
||||
175,Execute,Deliver Content,Deliver Ads,Social media,,ST0090,,,,,
|
||||
176,Execute,Deliver Content,Deliver Ads,Traditional Media,"Examples include TV, Radio, Newspaper, billboards",ST0091,,,,,
|
||||
178,Execute,Deliver Content,Post Content,Share Memes,"Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.",ST0092,,,,,
|
||||
179,Execute,Deliver Content,Post Content,Post Violative Content to Provoke Takedown and Backlash,,ST0093,,,,,
|
||||
180,Execute,Deliver Content,Post Content,One-Way Direct Posting,"Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative. ",ST0094,,,,,
|
||||
182,Execute,Deliver Content,Comment or Reply on Content,Post inauthentic social media comment,"Use government-paid social media commenters, astroturfers, chat bots (programmed to reply to specific key words/hashtags) influence online conversations, product reviews, web-site comment forums.",ST0095,,,,,T0051 Fabricate social media comment (AMITT)
|
||||
186,Execute,Maximize Exposure,Flooding the Information Space,Trolls amplify and manipulate,"Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate where ever there's a socially divisive issue (issues that can/are be politicized).",ST0096,,,,,T0053 Trolls amplify and manipulate (AMITT)
|
||||
187,Execute,Maximize Exposure,Flooding the Information Space,Hijack existing hashtag,Take over an existing hashtag to drive exposure.,ST0097,,,,,
|
||||
A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalizing on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term. ",ST0073,,,,,
|
||||
137,Execute,Select Channels and Affordances,Chat apps,Use Encrypted Chat Apps,,ST0074,,,,,
|
||||
138,Execute,Select Channels and Affordances,Chat apps,Use Unencrypted Chats Apps,,ST0075,,,,,
|
||||
140,Execute,Select Channels and Affordances,Livestream,Video Livestream,,ST0076,,,,,
|
||||
141,Execute,Select Channels and Affordances,Livestream,Audio Livestream,,ST0077,,,,,
|
||||
143,Execute,Select Channels and Affordances, Social Networks,Mainstream Social Networks,"Examples include Facebook, Twitter, LinkedIn, VK, ",ST0078,,,,,
|
||||
144,Execute,Select Channels and Affordances, Social Networks,Dating Apps,,ST0079,,,,,
|
||||
145,Execute,Select Channels and Affordances, Social Networks,Private/Closed Social Networks,,ST0080,,,,,
|
||||
146,Execute,Select Channels and Affordances, Social Networks,Interest-Based Networks,"Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc.",ST0081,,,,,
|
||||
147,Execute,Select Channels and Affordances, Social Networks,Use hashtags,"Use a dedicated, existing hashtag for the campaign/incident.",ST0082,,,,,T0055 Use hashtags (AMITT)
|
||||
148,Execute,Select Channels and Affordances, Social Networks,Create dedicated hashtag,Create a campaign/incident specific hashtag.,ST0083,,,,,
|
||||
150,Execute,Select Channels and Affordances,Media Sharing Networks,Photo Sharing,"Examples include Instagram, Snapchat, Flickr, etc",ST0084,,,,,
|
||||
151,Execute,Select Channels and Affordances,Media Sharing Networks,Video Sharing,"Examples include Youtube, TikTok, ShareChat, Rumble, etc",ST0085,,,,,
|
||||
152,Execute,Select Channels and Affordances,Media Sharing Networks,Audio sharing,"Examples include podcasting apps, Soundcloud, etc.",ST0086,,,,,
|
||||
154,Execute,Select Channels and Affordances,Discussion Forums,Anonymous Message Boards,Examples include the Chans,ST0087,,,,,
|
||||
161,Execute,Select Channels and Affordances,Traditional Media,TV,,ST0088,,,,,
|
||||
162,Execute,Select Channels and Affordances,Traditional Media,Newspaper,,ST0089,,,,,
|
||||
163,Execute,Select Channels and Affordances,Traditional Media,Radio,,ST0090,,,,,
|
||||
175,Execute,Deliver Content,Deliver Ads,Social media,,ST0091,,,,,
|
||||
176,Execute,Deliver Content,Deliver Ads,Traditional Media,"Examples include TV, Radio, Newspaper, billboards",ST0092,,,,,
|
||||
178,Execute,Deliver Content,Post Content,Share Memes,"Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.",ST0093,,,,,
|
||||
179,Execute,Deliver Content,Post Content,Post Violative Content to Provoke Takedown and Backlash,,ST0094,,,,,
|
||||
180,Execute,Deliver Content,Post Content,One-Way Direct Posting,"Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative. ",ST0095,,,,,
|
||||
182,Execute,Deliver Content,Comment or Reply on Content,Post inauthentic social media comment,"Use government-paid social media commenters, astroturfers, chat bots (programmed to reply to specific key words/hashtags) influence online conversations, product reviews, web-site comment forums.",ST0096,,,,,T0051 Fabricate social media comment (AMITT)
|
||||
186,Execute,Maximize Exposure,Flooding the Information Space,Trolls amplify and manipulate,"Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate where ever there's a socially divisive issue (issues that can/are be politicized).",ST0097,,,,,T0053 Trolls amplify and manipulate (AMITT)
|
||||
187,Execute,Maximize Exposure,Flooding the Information Space,Hijack existing hashtag,Take over an existing hashtag to drive exposure.,ST0098,,,,,
|
||||
188,Execute,Maximize Exposure,Flooding the Information Space,Bots Amplify via Automated Forwarding and Reposting,"Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content.
|
||||
Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more ""popular"" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.",ST0098,,,,,
|
||||
189,Execute,Maximize Exposure,Flooding the Information Space,Utilize Spamoflauge,"Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, ""you've w0n our jackp0t!"". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging. ",ST0099,,,,,
|
||||
190,Execute,Maximize Exposure,Flooding the Information Space,Conduct Swarming,"Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centers exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach. ",ST0100,,,,,
|
||||
191,Execute,Maximize Exposure,Flooding the Information Space,Conduct Keyword Squatting,"Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search engine-optimized term to overwhelm the search results of that term. An influence may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and manipulate the narrative around the term. ",ST0101,,,,,
|
||||
192,Execute,Maximize Exposure,Flooding the Information Space,Inauthentic Sites Amplify News and Narratives,"Inauthentic sites circulate cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution.",ST0102,,,,,
|
||||
195,Execute,Maximize Exposure,Cross-Posting,Post Across Groups,,ST0103,,,,,
|
||||
196,Execute,Maximize Exposure,Cross-Posting,Post Across Platform,,ST0104,,,,,
|
||||
197,Execute,Maximize Exposure,Cross-Posting,Post Across Disciplines,,ST0105,,,,,
|
||||
199,Execute,Maximize Exposure,Incentivize Sharing,Use Affiliate Marketing Programs,,ST0106,,,,,
|
||||
200,Execute,Maximize Exposure,Incentivize Sharing,Use Contests and Prizes,,ST0107,,,,,
|
||||
Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more ""popular"" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.",ST0099,,,,,
|
||||
189,Execute,Maximize Exposure,Flooding the Information Space,Utilize Spamoflauge,"Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, ""you've w0n our jackp0t!"". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging. ",ST0100,,,,,
|
||||
190,Execute,Maximize Exposure,Flooding the Information Space,Conduct Swarming,"Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centers exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach. ",ST0101,,,,,
|
||||
191,Execute,Maximize Exposure,Flooding the Information Space,Conduct Keyword Squatting,"Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search engine-optimized term to overwhelm the search results of that term. An influence may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and manipulate the narrative around the term. ",ST0102,,,,,
|
||||
192,Execute,Maximize Exposure,Flooding the Information Space,Inauthentic Sites Amplify News and Narratives,"Inauthentic sites circulate cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution.",ST0103,,,,,
|
||||
195,Execute,Maximize Exposure,Cross-Posting,Post Across Groups,,ST0104,,,,,
|
||||
196,Execute,Maximize Exposure,Cross-Posting,Post Across Platform,,ST0105,,,,,
|
||||
197,Execute,Maximize Exposure,Cross-Posting,Post Across Disciplines,,ST0106,,,,,
|
||||
199,Execute,Maximize Exposure,Incentivize Sharing,Use Affiliate Marketing Programs,,ST0107,,,,,
|
||||
200,Execute,Maximize Exposure,Incentivize Sharing,Use Contests and Prizes,,ST0108,,,,,
|
||||
202,Execute,Maximize Exposure,Manipulate Platform Algorithm,Bypass Content Blocking,"Bypassing content blocking refers to actions taken to circumvent network security measures that prevent users from accessing certain servers, resources, or other online spheres. An influence operation may bypass content blocking to proliferate its content on restricted areas of the internet. Common strategies for bypassing content blocking include:
|
||||
- Altering IP addresses to avoid IP filtering
|
||||
- Using a Virtual Private Network (VPN) to avoid IP filtering
|
||||
- Using a Content Delivery Network (CDN) to avoid IP filtering
|
||||
- Enabling encryption to bypass packet inspection blocking
|
||||
- Manipulating text to avoid filtering by keywords
|
||||
- Posting content on multiple platforms to avoid platform-specific removals - Using local facilities or modified DNS servers to avoid DNS filtering ",ST0108,,,,,
|
||||
206,Execute,Drive Online Harms,Harass,"Boycott/""Cancel"" Opponents","Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organization, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasizing an adversary’s problematic or disputed behavior and presenting its own content as an alternative. ",ST0109,,,,,
|
||||
207,Execute,Drive Online Harms,Harass,Harass People Based on Identities,"Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist.",ST0110,,,,,
|
||||
208,Execute,Drive Online Harms,Harass,Threaten to Dox,"Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. ",ST0111,,,,,
|
||||
209,Execute,Drive Online Harms,Harass,Dox,"Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. ",ST0112,,,,,
|
||||
212,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Delete Opposing Content,"Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space.",ST0113,,,,,
|
||||
213,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Block Content,Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes. ,ST0114,,,,,
|
||||
214,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Destroy Information Generation Capabilities,"Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives. ",ST0115,,,,,
|
||||
215,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Conduct Server Redirect,"A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives.",ST0116,,,,,
|
||||
217,Execute,Drive Online Harms,Suppress Opposition,Report Non-Violative Opposing Content,"Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space. ",ST0117,,,,,
|
||||
218,Execute,Drive Online Harms,Suppress Opposition,Goad People into Harmful Action (Stop Hitting Yourself),Goad people into actions that violate terms of service or will lead to having their content or accounts taken down. ,ST0118,,,,,
|
||||
219,Execute,Drive Online Harms,Suppress Opposition,Exploit Platform TOS/Content Moderation,,ST0119,,,,,
|
||||
223,Execute,Drive Offline Activity,Encourage Attendance at Events,Call to action to attend ,,ST0120,,,,,
|
||||
224,Execute,Drive Offline Activity,Encourage Attendance at Events,Facilitate logistics or support for attendance,"Facilitate logistics or support for travel, food, housing, etc.",ST0121,,,,,
|
||||
226,Execute,Drive Offline Activity,Organize Events,Pay for Physical Action,"Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest. ",ST0122,,,,,
|
||||
227,Execute,Drive Offline Activity,Organize Events,Conduct Symbolic Action,"Symbolic action refers to activities specifically intended to advance an operation’s narrative by signaling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space. ",ST0123,,,,,
|
||||
229,Execute,Drive Offline Activity,Conduct fundraising,Conduct Crowdfunding Campaigns,,ST0124,,,,,
|
||||
231,Execute,Drive Offline Activity,Physical Violence,Conduct Physical Violence,,ST0125,,,,,
|
||||
232,Execute,Drive Offline Activity,Physical Violence,Encourage Physical Violence,,ST0126,,,,,
|
||||
234,Execute,Drive Offline Activity,Merchandising/ Advertising,Sell Merchandise,"Selling merchandise refers to the sale of often branded items to the target audience. An influence operation may sell merchandise to raise funds and promote its messaging in the physical information space, for example, by selling t-shirts with operational messaging displayed on the clothing. ",ST0127,,,,,
|
||||
237,Execute,Persist in the Information Space,Conceal People,Use Pseudonyms,"An operation may use pseudonyms, or fake names, to mask the identity of operation accounts, publish anonymous content, or otherwise use falsified personas to conceal identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account with the same falsified name. ",ST0128,,,,,
|
||||
238,Execute,Persist in the Information Space,Conceal People,Conceal Network Identity,"Concealing network identity aims to hide the existence an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. ",ST0129,,,,,
|
||||
239,Execute,Persist in the Information Space,Conceal People,Distance Reputable Individuals from Operation,"Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence.",ST0130,,,,,
|
||||
240,Execute,Persist in the Information Space,Conceal People,Launder Accounts,Account laundering occurs when an influence operation acquires control of previously legitimate online accounts from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered accounts to reach target audience members from an existing information channel and complicate attribution. ,ST0131,,,,,
|
||||
241,Execute,Persist in the Information Space,Conceal People,Change Names of Accounts,Changing names of accounts occurs when an operation changes the name of an existing social media account. An operation may change the names of its accounts throughout an operation to avoid detection or alter the names of newly acquired or repurposed accounts to fit operational narratives. ,ST0132,,,,,
|
||||
243,Execute,Persist in the Information Space,Conceal Operational Activity,Conceal Network Identity,"Concealing network identity aims to hide the existence an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. ",ST0133,,,,,
|
||||
244,Execute,Persist in the Information Space,Conceal Operational Activity,Generate Content Unrelated to Narrative,"An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate ""lifestyle"" or ""cuisine"" content alongside regular operation content. ",ST0134,,,,,
|
||||
245,Execute,Persist in the Information Space,Conceal Operational Activity,Break Association with Content,"Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation. ",ST0135,,,,,
|
||||
246,Execute,Persist in the Information Space,Conceal Operational Activity,Delete URLs,"URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred.",ST0136,,,,,
|
||||
247,Execute,Persist in the Information Space,Conceal Operational Activity,Coordinate on encrypted/ closed networks,,ST0137,,,,,
|
||||
248,Execute,Persist in the Information Space,Conceal Operational Activity,Deny involvement,"Without ""smoking gun"" proof (and even with proof), incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in ""Demand insurmountable proof"", specifically the asymmetric disadvantage for truth-tellers in a ""firehose of misinformation"" environment.",ST0138,,,,,T0041 Deny involvement (AMITT)
|
||||
249,Execute,Persist in the Information Space,Conceal Operational Activity,Delete Accounts/Account Activity,"Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artifacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred. ",ST0139,,,,,
|
||||
250,Execute,Persist in the Information Space,Conceal Operational Activity,Redirect URLs,"An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation's appearance of legitimacy, complicate attribution, and avoid detection. ",ST0140,,,,,
|
||||
251,Execute,Persist in the Information Space,Conceal Operational Activity,Remove Post Origins,"Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content. ",ST0141,,,,,
|
||||
252,Execute,Persist in the Information Space,Conceal Operational Activity,Misattribute Activity,"Misattributed activity refers to incorrectly attributed operation activity. For example, a state sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute their activities to complicate attribution, avoid detection, or frame an adversary for negative behavior. ",ST0142,,,,,
|
||||
- Posting content on multiple platforms to avoid platform-specific removals - Using local facilities or modified DNS servers to avoid DNS filtering ",ST0109,,,,,
|
||||
206,Execute,Drive Online Harms,Harass,"Boycott/""Cancel"" Opponents","Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organization, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasizing an adversary’s problematic or disputed behavior and presenting its own content as an alternative. ",ST0110,,,,,
|
||||
207,Execute,Drive Online Harms,Harass,Harass People Based on Identities,"Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist.",ST0111,,,,,
|
||||
208,Execute,Drive Online Harms,Harass,Threaten to Dox,"Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. ",ST0112,,,,,
|
||||
209,Execute,Drive Online Harms,Harass,Dox,"Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. ",ST0113,,,,,
|
||||
212,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Delete Opposing Content,"Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space.",ST0114,,,,,
|
||||
213,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Block Content,Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes. ,ST0115,,,,,
|
||||
214,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Destroy Information Generation Capabilities,"Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives. ",ST0116,,,,,
|
||||
215,Execute,Drive Online Harms,Control Information Environment through Offensive Cyberspace Operations,Conduct Server Redirect,"A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives.",ST0117,,,,,
|
||||
217,Execute,Drive Online Harms,Suppress Opposition,Report Non-Violative Opposing Content,"Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space. ",ST0118,,,,,
|
||||
218,Execute,Drive Online Harms,Suppress Opposition,Goad People into Harmful Action (Stop Hitting Yourself),Goad people into actions that violate terms of service or will lead to having their content or accounts taken down. ,ST0119,,,,,
|
||||
219,Execute,Drive Online Harms,Suppress Opposition,Exploit Platform TOS/Content Moderation,,ST0120,,,,,
|
||||
223,Execute,Drive Offline Activity,Encourage Attendance at Events,Call to action to attend ,,ST0121,,,,,
|
||||
224,Execute,Drive Offline Activity,Encourage Attendance at Events,Facilitate logistics or support for attendance,"Facilitate logistics or support for travel, food, housing, etc.",ST0122,,,,,
|
||||
226,Execute,Drive Offline Activity,Organize Events,Pay for Physical Action,"Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest. ",ST0123,,,,,
|
||||
227,Execute,Drive Offline Activity,Organize Events,Conduct Symbolic Action,"Symbolic action refers to activities specifically intended to advance an operation’s narrative by signaling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space. ",ST0124,,,,,
|
||||
229,Execute,Drive Offline Activity,Conduct fundraising,Conduct Crowdfunding Campaigns,,ST0125,,,,,
|
||||
231,Execute,Drive Offline Activity,Physical Violence,Conduct Physical Violence,,ST0126,,,,,
|
||||
232,Execute,Drive Offline Activity,Physical Violence,Encourage Physical Violence,,ST0127,,,,,
|
||||
234,Execute,Drive Offline Activity,Merchandising/ Advertising,Sell Merchandise,"Selling merchandise refers to the sale of often branded items to the target audience. An influence operation may sell merchandise to raise funds and promote its messaging in the physical information space, for example, by selling t-shirts with operational messaging displayed on the clothing. ",ST0128,,,,,
|
||||
237,Execute,Persist in the Information Space,Conceal People,Use Pseudonyms,"An operation may use pseudonyms, or fake names, to mask the identity of operation accounts, publish anonymous content, or otherwise use falsified personas to conceal identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account with the same falsified name. ",ST0129,,,,,
|
||||
238,Execute,Persist in the Information Space,Conceal People,Conceal Network Identity,"Concealing network identity aims to hide the existence an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. ",ST0130,,,,,
|
||||
239,Execute,Persist in the Information Space,Conceal People,Distance Reputable Individuals from Operation,"Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence.",ST0131,,,,,
|
||||
240,Execute,Persist in the Information Space,Conceal People,Launder Accounts,Account laundering occurs when an influence operation acquires control of previously legitimate online accounts from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered accounts to reach target audience members from an existing information channel and complicate attribution. ,ST0132,,,,,
|
||||
241,Execute,Persist in the Information Space,Conceal People,Change Names of Accounts,Changing names of accounts occurs when an operation changes the name of an existing social media account. An operation may change the names of its accounts throughout an operation to avoid detection or alter the names of newly acquired or repurposed accounts to fit operational narratives. ,ST0133,,,,,
|
||||
243,Execute,Persist in the Information Space,Conceal Operational Activity,Conceal Network Identity,"Concealing network identity aims to hide the existence an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. ",ST0134,,,,,
|
||||
244,Execute,Persist in the Information Space,Conceal Operational Activity,Generate Content Unrelated to Narrative,"An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate ""lifestyle"" or ""cuisine"" content alongside regular operation content. ",ST0135,,,,,
|
||||
245,Execute,Persist in the Information Space,Conceal Operational Activity,Break Association with Content,"Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation. ",ST0136,,,,,
|
||||
246,Execute,Persist in the Information Space,Conceal Operational Activity,Delete URLs,"URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred.",ST0137,,,,,
|
||||
247,Execute,Persist in the Information Space,Conceal Operational Activity,Coordinate on encrypted/ closed networks,,ST0138,,,,,
|
||||
248,Execute,Persist in the Information Space,Conceal Operational Activity,Deny involvement,"Without ""smoking gun"" proof (and even with proof), incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in ""Demand insurmountable proof"", specifically the asymmetric disadvantage for truth-tellers in a ""firehose of misinformation"" environment.",ST0139,,,,,T0041 Deny involvement (AMITT)
|
||||
249,Execute,Persist in the Information Space,Conceal Operational Activity,Delete Accounts/Account Activity,"Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artifacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred. ",ST0140,,,,,
|
||||
250,Execute,Persist in the Information Space,Conceal Operational Activity,Redirect URLs,"An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation's appearance of legitimacy, complicate attribution, and avoid detection. ",ST0141,,,,,
|
||||
251,Execute,Persist in the Information Space,Conceal Operational Activity,Remove Post Origins,"Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content. ",ST0142,,,,,
|
||||
252,Execute,Persist in the Information Space,Conceal Operational Activity,Misattribute Activity,"Misattributed activity refers to incorrectly attributed operation activity. For example, a state sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute their activities to complicate attribution, avoid detection, or frame an adversary for negative behavior. ",ST0143,,,,,
|
||||
253,Execute,Persist in the Information Space,Conceal Infrastructure,Conceal Sponsorship,"Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation rather than entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organizations, but seek to mislead or obscure the identity sponsoring, funding, or otherwise supporting these entities.
|
||||
Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation’s target audience, and post in the region’s language",ST0143,,,,,
|
||||
255,Execute,Persist in the Information Space,Conceal Infrastructure,Utilize Bulletproof Hosting,"Hosting refers to services through which storage and computing resources are provided to an individual or organization for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customer considerable leniency in use of the service. An influence operation may utilize bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend. ",ST0144,,,,,
|
||||
256,Execute,Persist in the Information Space,Conceal Infrastructure,Use Shell Organizations,,ST0145,,,,,
|
||||
257,Execute,Persist in the Information Space,Conceal Infrastructure,Use Cryptocurrency,,ST0146,,,,,
|
||||
258,Execute,Persist in the Information Space,Conceal Infrastructure,Obfuscate Payment,,ST0147,,,,,
|
||||
260,Execute,Persist in the Information Space,Exploit TOS/Content Moderation,Legacy web content,"Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it's hard to remove or unlikely to be removed.",ST0148,,,,,
|
||||
261,Execute,Persist in the Information Space,Exploit TOS/Content Moderation,Post Borderline Content,,ST0149,,,,,
|
||||
266,Assess,Assess Effectiveness,Measure Performance,People Focused,,ST0150,,,,,
|
||||
267,Assess,Assess Effectiveness,Measure Performance,Content Focused,,ST0151,,,,,
|
||||
268,Assess,Assess Effectiveness,Measure Performance,View Focused,,ST0152,,,,,
|
||||
270,Assess,Assess Effectiveness,Measure Effectiveness,Behavior changes,Monitor and evaluate behaviour changes from misinformation incidents. ,ST0153,,,,,T0062 Behaviour changes (AMITT)
|
||||
271,Assess,Assess Effectiveness,Measure Effectiveness,Content,,ST0154,,,,,
|
||||
272,Assess,Assess Effectiveness,Measure Effectiveness,Awareness,,ST0155,,,,,
|
||||
273,Assess,Assess Effectiveness,Measure Effectiveness,Knowledge,,ST0156,,,,,
|
||||
274,Assess,Assess Effectiveness,Measure Effectiveness,Action/attitude,,ST0157,,,,,
|
||||
276,Assess,Assess Effectiveness,Measure Effectiveness Indicators (or KPIs),Message reach,Monitor and evaluate message reach in misinformation incidents. ,ST0158,,,,,T0063 Message reach (AMITT)
|
||||
277,Assess,Assess Effectiveness,Measure Effectiveness Indicators (or KPIs),Social media engagement,Monitor and evaluate social media engagement in misinformation incidents.,ST0159,,,,,T0064 Social media engagement (AMITT)
|
||||
Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation’s target audience, and post in the region’s language",ST0144,,,,,
|
||||
255,Execute,Persist in the Information Space,Conceal Infrastructure,Utilize Bulletproof Hosting,"Hosting refers to services through which storage and computing resources are provided to an individual or organization for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customer considerable leniency in use of the service. An influence operation may utilize bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend. ",ST0145,,,,,
|
||||
256,Execute,Persist in the Information Space,Conceal Infrastructure,Use Shell Organizations,,ST0146,,,,,
|
||||
257,Execute,Persist in the Information Space,Conceal Infrastructure,Use Cryptocurrency,,ST0147,,,,,
|
||||
258,Execute,Persist in the Information Space,Conceal Infrastructure,Obfuscate Payment,,ST0148,,,,,
|
||||
260,Execute,Persist in the Information Space,Exploit TOS/Content Moderation,Legacy web content,"Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it's hard to remove or unlikely to be removed.",ST0149,,,,,
|
||||
261,Execute,Persist in the Information Space,Exploit TOS/Content Moderation,Post Borderline Content,,ST0150,,,,,
|
||||
266,Assess,Assess Effectiveness,Measure Performance,People Focused,,ST0151,,,,,
|
||||
267,Assess,Assess Effectiveness,Measure Performance,Content Focused,,ST0152,,,,,
|
||||
268,Assess,Assess Effectiveness,Measure Performance,View Focused,,ST0153,,,,,
|
||||
270,Assess,Assess Effectiveness,Measure Effectiveness,Behavior changes,Monitor and evaluate behaviour changes from misinformation incidents. ,ST0154,,,,,T0062 Behaviour changes (AMITT)
|
||||
271,Assess,Assess Effectiveness,Measure Effectiveness,Content,,ST0155,,,,,
|
||||
272,Assess,Assess Effectiveness,Measure Effectiveness,Awareness,,ST0156,,,,,
|
||||
273,Assess,Assess Effectiveness,Measure Effectiveness,Knowledge,,ST0157,,,,,
|
||||
274,Assess,Assess Effectiveness,Measure Effectiveness,Action/attitude,,ST0158,,,,,
|
||||
276,Assess,Assess Effectiveness,Measure Effectiveness Indicators (or KPIs),Message reach,Monitor and evaluate message reach in misinformation incidents. ,ST0159,,,,,T0063 Message reach (AMITT)
|
||||
277,Assess,Assess Effectiveness,Measure Effectiveness Indicators (or KPIs),Social media engagement,Monitor and evaluate social media engagement in misinformation incidents.,ST0160,,,,,T0064 Social media engagement (AMITT)
|
||||
3,Plan,Plan Strategy,Determine Target Audiences,n/a,,T0001,,,,DISARM Revision Process,
|
||||
4,Plan,Plan Strategy,Determine Strategic Ends,n/a,,T0002,,,,DISARM Revision Process,
|
||||
6,Plan,Plan Objectives,Dismiss,n/a,Push back against criticism by dismissing your critics. This might be arguing that the critics use a different standard for you than with other actors or themselves; or arguing that their criticism is biased.,T0003,,,,,
|
||||
|
||||
|
File diff suppressed because it is too large
Load Diff
200
CODE/tmp_subs.csv
Normal file
200
CODE/tmp_subs.csv
Normal file
@ -0,0 +1,200 @@
|
||||
DISARM Subtechnique_x,DISARM Technique,Description_x,DISARM ID_x,DISARM Subtechnique_y,Description_y,DISARM ID_y
|
||||
Discredit Credible Sources,Dismiss,"Plan to delegitimize the media landscape and degrade public trust in reporting, by discrediting credible sources. This makes it easier to promote influence operation content.",ST0001,,Push back against criticism by dismissing your critics. This might be arguing that the critics use a different standard for you than with other actors or themselves; or arguing that their criticism is biased.,T0003
|
||||
Monitor Social Media Analytics,Map Target Audience Information Environment,"An influence operation may use social media analytics to determine which factors will increase the operation content’s exposure to its target audience on social media platforms, including views, interactions, and sentiment relating to topics and content types. The social media platform itself or a third-party tool may collect the metrics. ",ST0002,,"Mapping the target audience information environment analyzes the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience.
|
||||
Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.",T0010
|
||||
Evaluate Media Surveys,Map Target Audience Information Environment,"An influence operation may evaluate its own or third-party media surveys to determine what type of content appeals to its target audience. Media surveys may provide insight into an audience’s political views, social class, general interests, or other indicators used to tailor operation messaging to its target audience.",ST0003,,"Mapping the target audience information environment analyzes the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience.
|
||||
Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.",T0010
|
||||
Identify Trending Topics/Hashtags,Map Target Audience Information Environment,An influence operation may identify trending hashtags on social media platforms for later use in boosting operation content. A hashtag40 refers to a word or phrase preceded by the hash symbol (#) on social media used to identify messages and posts relating to a specific topic. All public posts that use the same hashtag are aggregated onto a centralized page dedicated to the word or phrase and sorted either chronologically or by popularity. ,ST0004,,"Mapping the target audience information environment analyzes the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience.
|
||||
Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.",T0010
|
||||
Conduct Web Traffic Analysis,Map Target Audience Information Environment,"An influence operation may conduct web traffic analysis to determine which search engines, keywords, websites, and advertisements gain the most traction with its target audience.",ST0005,,"Mapping the target audience information environment analyzes the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience.
|
||||
Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.",T0010
|
||||
Assess Degree/Type of Media Access,Map Target Audience Information Environment,"An influence operation may survey a target audience’s Internet availability and degree of media freedom to determine which target audience members will have access to operation content and on which platforms. An operation may face more difficulty targeting an information environment with heavy restrictions and media control than an environment with independent media, freedom of speech and of the press, and individual liberties. ",ST0006,,"Mapping the target audience information environment analyzes the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience.
|
||||
Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging.",T0010
|
||||
Find Echo Chambers,Identify Social and Technical Vulnerabilities,"Find or plan to create areas (social media groups, search term groups, hashtag groups etc) where individuals only engage with people they agree with. ",ST0007,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Identify Data Voids,Identify Social and Technical Vulnerabilities,"A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation.
|
||||
A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalizing on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term. ",ST0008,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Identify Existing Prejudices,Identify Social and Technical Vulnerabilities,"An influence operation may exploit existing racial, religious, demographic, or social prejudices to further polarize its target audience from the rest of the public.",ST0009,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Identify Existing Fissures,Identify Social and Technical Vulnerabilities,"An influence operation may identify existing fissures to pit target populations against one another or facilitate a “divide-and-conquer"" approach to tailor operation narratives along the divides.",ST0010,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Identify Existing Conspiracy Narratives/Suspicions,Identify Social and Technical Vulnerabilities,An influence operation may assess preexisting conspiracy theories or suspicions in a population to identify existing narratives that support operational objectives. ,ST0011,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Identify Wedge Issues,Identify Social and Technical Vulnerabilities,"A wedge issue is a divisive political issue, usually concerning a social phenomenon, that divides individuals along a defined line. An influence operation may exploit wedge issues by intentionally polarizing the public along the wedge issue line and encouraging opposition between factions.",ST0012,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Identify Target Audience Adversaries,Identify Social and Technical Vulnerabilities,"An influence operation may identify or create a real or imaginary adversary to center operation narratives against. A real adversary may include certain politicians or political parties while imaginary adversaries may include falsified “deep state”62 actors that, according to conspiracies, run the state behind public view. ",ST0013,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Identify Media System Vulnerabilities,Identify Social and Technical Vulnerabilities,"An influence operation may exploit existing weaknesses in a target’s media system. These weaknesses may include existing biases among media agencies, vulnerability to false news agencies on social media, or existing distrust of traditional media sources. An existing distrust among the public in the media system’s credibility holds high potential for exploitation by an influence operation when establishing alternative news agencies to spread operation content. ",ST0014,,"Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non technical weaknesses in the target information environment.
|
||||
Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. ",T0011
|
||||
Geographic Segmentation,Segment Audiences,"An influence operation may target populations in a specific geographic location, such as a region, state, or city. An influence operation may use geographic segmentation to Create Localized Content (see: Establish Legitimacy). ",ST0015,,"Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics. ",T0012
|
||||
Demographic Segmentation,Segment Audiences,"An influence operation may target populations based on demographic segmentation, including age, gender, and income. Demographic segmentation may be useful for influence operations aiming to change state policies that affect a specific population sector. For example, an influence operation attempting to influence Medicare funding in the United States would likely target U.S. voters over 65 years of age. ",ST0016,,"Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics. ",T0012
|
||||
Economic Segmentation,Segment Audiences,"An influence operation may target populations based on their income bracket, wealth, or other financial or economic division. ",ST0017,,"Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics. ",T0012
|
||||
Psychographic Segmentation,Segment Audiences,"An influence operation may target populations based on psychographic segmentation, which uses audience values and decision-making processes. An operation may individually gather psychographic data with its own surveys or collection tools or externally purchase data from social media companies or online surveys, such as personality quizzes. ",ST0018,,"Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics. ",T0012
|
||||
Political Segmentation,Segment Audiences,"An influence operation may target populations based on their political affiliations, especially when aiming to manipulate voting or change policy.",ST0019,,"Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics. ",T0012
|
||||
Amplify Existing Conspiracy Theory Narrative,Leverage Conspiracy Theory Narratives,,ST0020,,"""Conspiracy narratives"" appeal to the human desire for explanatory order, by invoking the participation of poweful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalized or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the ""firehose of falsehoods"" model. ",T0016
|
||||
Develop Original Conspiracy Theory Narratives,Leverage Conspiracy Theory Narratives,,ST0021,,"""Conspiracy narratives"" appeal to the human desire for explanatory order, by invoking the participation of poweful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalized or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the ""firehose of falsehoods"" model. ",T0016
|
||||
Use Copypasta,Reuse Existing Content,"Copypasta refers to a piece of text that has been copied and pasted multiple times across various online platforms. A copypasta’s final form may differ from its original source text as users add, delete, or otherwise edit the content as they repost the text. ",ST0022,,When an operation recycles content from its own previous operations or plagiarizes from external operations. An operation may launder information to conserve resources that would have otherwise been utilized to develop new content. ,T0020
|
||||
Plagiarize Content,Reuse Existing Content,,ST0023,,When an operation recycles content from its own previous operations or plagiarizes from external operations. An operation may launder information to conserve resources that would have otherwise been utilized to develop new content. ,T0020
|
||||
Deceptively Labeled or Translated,Reuse Existing Content,,ST0024,,When an operation recycles content from its own previous operations or plagiarizes from external operations. An operation may launder information to conserve resources that would have otherwise been utilized to develop new content. ,T0020
|
||||
Appropriate Content,Reuse Existing Content,,ST0025,,When an operation recycles content from its own previous operations or plagiarizes from external operations. An operation may launder information to conserve resources that would have otherwise been utilized to develop new content. ,T0020
|
||||
Develop AI-Generated Text,Develop Text-based Content,"AI-generated texts refers to synthetic text composed by computers using text-generating AI technology. Autonomous generation refers to content created by a bot without human input, also known as bot-created content generation. Autonomous generation represents the next step in automation after language generation and may lead to automated journalism. An influence operation may use read fakes or autonomous generation to quickly develop and distribute content to the target audience.",ST0026,,,T0021
|
||||
Develop False or Altered Documents,Develop Text-based Content,,ST0027,,,T0021
|
||||
Develop Inauthentic News Articles,Develop Text-based Content,,ST0028,,,T0021
|
||||
Develop Memes,Develop Image-based Content,"Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.",ST0029,,,T0022
|
||||
Develop AI-Generated Images (Deepfakes),Develop Image-based Content,"Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.",ST0030,,,T0022
|
||||
Deceptively Edit Image (Cheap fakes),Develop Image-based Content,"Cheap fakes utilize less sophisticated measures of altering an image, video, or audio for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.",ST0031,,,T0022
|
||||
Aggregate Information into Evidence Collages,Develop Image-based Content,image files that aggregate positive evidence (Joan Donovan),ST0032,,,T0022
|
||||
Develop AI-Generated Videos (Deepfakes),Develop Video-based Content,"Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.",ST0033,,,T0023
|
||||
Deceptively Edit Video (Cheap fakes),Develop Video-based Content,"Cheap fakes utilize less sophisticated measures of altering an image, video, or audio for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.",ST0034,,,T0023
|
||||
Develop AI-Generated Audio (Deepfakes),Develop Audio-based Content,"Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures.",ST0035,,,T0024
|
||||
Deceptively Edit Audio (Cheap fakes),Develop Audio-based Content,"Cheap fakes utilize less sophisticated measures of altering an image, video, or audio for example, slowing, speeding, or cutting footage to create a false context surrounding an image or event.",ST0036,,,T0024
|
||||
Create fake research,Generate information pollution,"Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx",ST0037,,"Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. ""Nothing is true, but everything is possible."" Akin to astroturfing campaign.",T0025
|
||||
Hijack Hashtags,Generate information pollution,,ST0038,,"Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. ""Nothing is true, but everything is possible."" Akin to astroturfing campaign.",T0025
|
||||
Reframe Context,Distort facts,"Reframing context refers to removing an event from its surrounding context to distort its intended meaning. Rather than deny that an event occurred, reframing context frames an event in a manner that may lead the target audience to draw a different conclusion about its intentions. ",ST0039,,"Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper content",T0026
|
||||
Edit Open-Source Content,Distort facts,"An influence operation may edit open-source content, such as collaborative blogs or encyclopedias, to promote its narratives on outlets with existing credibility and audiences. Editing open-source content may allow an operation to post content on platforms without dedicating resources to the creation and maintenance of its own assets. ",ST0040,,"Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper content",T0026
|
||||
Leak Authentic Documents,Obtain Private Documents,,ST0041,,,T0028
|
||||
Leak False Documents,Obtain Private Documents,,ST0042,,,T0028
|
||||
Leak Altered Documents,Obtain Private Documents,"Obtain documents (eg by theft or leak), then alter and release, possibly among factual documents/sources.",ST0043,,,T0028
|
||||
Create Anonymous Accounts,Create Inauthentic Accounts,Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation. ,ST0044,,,T0029
|
||||
Create Cyborg Accounts,Create Inauthentic Accounts,"Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behavior with human interaction. ",ST0045,,,T0029
|
||||
Create Bot Accounts,Create Inauthentic Accounts,"Bots refer to autonomous internet users that interact with systems or other users while imitating traditional human behavior. Bots use a variety of tools to stay active without direct human operation, including artificial intelligence and big data analytics. For example, an individual may program a Twitter bot to retweet a tweet every time it contains a certain keyword or hashtag. An influence operation may use bots to increase its exposure and artificially promote its content across the internet without dedicating additional time or human resources.
|
||||
Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as a Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots102 pose as real people by mimicking human behavior, complicating their detection. ",ST0046,,,T0029
|
||||
Create Sockpuppet Accounts,Create Inauthentic Accounts,Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account.67 Sockpuppet accounts help legitimize operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation. ,ST0047,,,T0029
|
||||
Recruit Contractors,Recruit bad actors,,ST0048,,,T0030
|
||||
Recruit Partisans,Recruit bad actors,,ST0049,,,T0030
|
||||
Enlist Troll Accounts,Recruit bad actors,"An influence operation may hire trolls, or human operators of fake accounts that aim to provoke others by posting and amplifying content about controversial issues. Trolls can serve to discredit an influence operation’s opposition or bring attention to the operation’s cause through debate.
|
||||
Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organization, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalized or less organized and work for a single individual. ",ST0050,,,T0030
|
||||
Create Organizations,Build Network,"Influence operations may establish organizations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities.",ST0051,,,T0032
|
||||
Follow Trains,Build Network,,ST0052,,,T0032
|
||||
Create Community or Sub-group,Build Network,,ST0053,,,T0032
|
||||
Fund Proxies,Acquire/ recruit Network,"An influence operation may fund proxies, or external entities that work for the operation. An operation may recruit/train users with existing sympathies towards the operation’s narratives and/or goals as proxies. Funding proxies serves various purposes including:
|
||||
- Diversifying operation locations to complicate attribution
|
||||
- Reducing the workload for direct operation assets ",ST0054,,,T0033
|
||||
Botnets,Acquire/ recruit Network,,ST0055,,,T0033
|
||||
Identify susceptible targets in networks,Infiltrate Existing Networks,,ST0056,,,T0034
|
||||
Utilize Butterfly Attack,Infiltrate Existing Networks,"Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organizations, and media campaigns. ",ST0057,,,T0034
|
||||
From bad actors,Prepare fundraising campaigns,,ST0058,,"Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns (see: Develop Information Pathways) to promote operation messaging while raising money to support its activities. ",T0039
|
||||
From ignorant agents,Prepare fundraising campaigns,,ST0059,,"Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns (see: Develop Information Pathways) to promote operation messaging while raising money to support its activities. ",T0039
|
||||
Create a Content Farm,Leverage Content Farm,,ST0060,,,T0040
|
||||
Outsource Content Creation to External Organizations,Leverage Content Farm,"An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, i.e., by employing an organization that can create content in the target audience’s native language. Employed organizations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media. ",ST0061,,,T0040
|
||||
Utilize Academic/Pseudoscientific Justifications,Create fake experts,,ST0062,,"Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself. ",T0042
|
||||
Backstop personas ,Create personas,"Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate crediblity/believability",ST0063,,,T0043
|
||||
Create Inauthentic News Sites,Establish Inauthentic News Sites,,ST0064,,"Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda--for instance, click-based revenue--often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their owenership, reporting history and adverstising details.",T0044
|
||||
Leverage Existing Inauthentic News Sites,Establish Inauthentic News Sites,"An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognizable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organizations, or state entities.
|
||||
An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. Typosquatting87 is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct. ",ST0065,,"Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda--for instance, click-based revenue--often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their owenership, reporting history and adverstising details.",T0044
|
||||
Astroturfing,Prepare Assets Impersonating Legitimate Entities,"Astroturfing occurs when an influence operation disguises itself as grassroots movement or organization that supports operation narratives. Unlike butterfly attacks, astroturfing aims to increase the appearance of popular support for the operation cause and does not infiltrate existing groups to discredit their objectives. ",ST0066,,"An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognizable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organizations, or state entities.
|
||||
An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. Typosquatting87 is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct. ",T0045
|
||||
Spoof/parody account/site,Prepare Assets Impersonating Legitimate Entities,,ST0067,,"An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognizable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organizations, or state entities.
|
||||
An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. Typosquatting87 is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct. ",T0045
|
||||
Co-Opt Trusted Individuals,Co-opt Trusted Sources,,ST0068,,"An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include:
|
||||
- National or local new outlets
|
||||
- Research or academic publications
|
||||
- Online blogs or websites ",T0046
|
||||
Co-Opt Grassroots Groups,Co-opt Trusted Sources,,ST0069,,"An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include:
|
||||
- National or local new outlets
|
||||
- Research or academic publications
|
||||
- Online blogs or websites ",T0046
|
||||
Co-opt Influencers,Co-opt Trusted Sources,,ST0070,,"An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include:
|
||||
- National or local new outlets
|
||||
- Research or academic publications
|
||||
- Online blogs or websites ",T0046
|
||||
Use existing Echo Chambers/Filter Bubbles,Leverage Echo Chambers/Filter Bubbles,,ST0071,,"An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm's placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by match existing groups, or aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members. ",T0050
|
||||
Create Echo Chambers/Filter Bubbles,Leverage Echo Chambers/Filter Bubbles,,ST0072,,"An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm's placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by match existing groups, or aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members. ",T0050
|
||||
Exploit Data Voids,Leverage Echo Chambers/Filter Bubbles,"A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation.
|
||||
A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalizing on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term. ",ST0073,,"An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm's placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by match existing groups, or aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members. ",T0050
|
||||
Use Encrypted Chat Apps,Chat apps,,ST0074,,"Direct messaging via chat app is an increasing method of delivery. These messages are often automated and new delivery and storage methods make them anonymous, viral, and ephemeral. This is a difficult space to monitor, but also a difficult space to build acclaim or notoriety.",T0051
|
||||
Use Unencrypted Chats Apps,Chat apps,,ST0075,,"Direct messaging via chat app is an increasing method of delivery. These messages are often automated and new delivery and storage methods make them anonymous, viral, and ephemeral. This is a difficult space to monitor, but also a difficult space to build acclaim or notoriety.",T0051
|
||||
Video Livestream,Livestream,,ST0076,,,T0052
|
||||
Audio Livestream,Livestream,,ST0077,,,T0052
|
||||
Mainstream Social Networks, Social Networks,"Examples include Facebook, Twitter, LinkedIn, VK, ",ST0078,,,T0053
|
||||
Dating Apps, Social Networks,,ST0079,,,T0053
|
||||
Private/Closed Social Networks, Social Networks,,ST0080,,,T0053
|
||||
Interest-Based Networks, Social Networks,"Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc.",ST0081,,,T0053
|
||||
Use hashtags, Social Networks,"Use a dedicated, existing hashtag for the campaign/incident.",ST0082,,,T0053
|
||||
Create dedicated hashtag, Social Networks,Create a campaign/incident specific hashtag.,ST0083,,,T0053
|
||||
Photo Sharing,Media Sharing Networks,"Examples include Instagram, Snapchat, Flickr, etc",ST0084,,"Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, Youtube, SoundCloud.",T0054
|
||||
Video Sharing,Media Sharing Networks,"Examples include Youtube, TikTok, ShareChat, Rumble, etc",ST0085,,"Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, Youtube, SoundCloud.",T0054
|
||||
Audio sharing,Media Sharing Networks,"Examples include podcasting apps, Soundcloud, etc.",ST0086,,"Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, Youtube, SoundCloud.",T0054
|
||||
Anonymous Message Boards,Discussion Forums,Examples include the Chans,ST0087,,"Platforms for finding, discussing, and sharing information and opinions. Examples include Reddit, Quora, Digg, message boards, interest-based discussion forums, etc.",T0055
|
||||
TV,Traditional Media,,ST0088,,"Examples include TV, Newspaper, Radio, etc.",T0061
|
||||
Newspaper,Traditional Media,,ST0089,,"Examples include TV, Newspaper, Radio, etc.",T0061
|
||||
Radio,Traditional Media,,ST0090,,"Examples include TV, Newspaper, Radio, etc.",T0061
|
||||
Social media,Deliver Ads,,ST0091,,Delivering content via any form of paid media or advertising.,T0070
|
||||
Traditional Media,Deliver Ads,"Examples include TV, Radio, Newspaper, billboards",ST0092,,Delivering content via any form of paid media or advertising.,T0070
|
||||
Share Memes,Post Content,"Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.",ST0093,,Delivering content by posting via owned media (assets that the operator controls). ,T0071
|
||||
Post Violative Content to Provoke Takedown and Backlash,Post Content,,ST0094,,Delivering content by posting via owned media (assets that the operator controls). ,T0071
|
||||
One-Way Direct Posting,Post Content,"Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative. ",ST0095,,Delivering content by posting via owned media (assets that the operator controls). ,T0071
|
||||
Post inauthentic social media comment,Comment or Reply on Content,"Use government-paid social media commenters, astroturfers, chat bots (programmed to reply to specific key words/hashtags) influence online conversations, product reviews, web-site comment forums.",ST0096,,Delivering content by replying or commenting via owned media (assets that the operator controls). ,T0072
|
||||
Trolls amplify and manipulate,Flooding the Information Space,"Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate where ever there's a socially divisive issue (issues that can/are be politicized).",ST0097,,Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.,T0074
|
||||
Hijack existing hashtag,Flooding the Information Space,Take over an existing hashtag to drive exposure.,ST0098,,Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.,T0074
|
||||
Bots Amplify via Automated Forwarding and Reposting,Flooding the Information Space,"Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content.
|
||||
Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more ""popular"" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.",ST0099,,Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.,T0074
|
||||
Utilize Spamoflauge,Flooding the Information Space,"Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, ""you've w0n our jackp0t!"". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging. ",ST0100,,Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.,T0074
|
||||
Conduct Swarming,Flooding the Information Space,"Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centers exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach. ",ST0101,,Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.,T0074
|
||||
Conduct Keyword Squatting,Flooding the Information Space,"Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search engine-optimized term to overwhelm the search results of that term. An influence may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and manipulate the narrative around the term. ",ST0102,,Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.,T0074
|
||||
Inauthentic Sites Amplify News and Narratives,Flooding the Information Space,"Inauthentic sites circulate cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution.",ST0103,,Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.,T0074
|
||||
Post Across Groups,Cross-Posting,,ST0104,,"Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or news groups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience. ",T0076
|
||||
Post Across Platform,Cross-Posting,,ST0105,,"Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or news groups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience. ",T0076
|
||||
Post Across Disciplines,Cross-Posting,,ST0106,,"Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or news groups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience. ",T0076
|
||||
Use Affiliate Marketing Programs,Incentivize Sharing,,ST0107,,"Incentivizing content sharing refers to actions that encourage users to share content themselves, reducing the need for the operation itself to post and promote its own content.",T0077
|
||||
Use Contests and Prizes,Incentivize Sharing,,ST0108,,"Incentivizing content sharing refers to actions that encourage users to share content themselves, reducing the need for the operation itself to post and promote its own content.",T0077
|
||||
Bypass Content Blocking,Manipulate Platform Algorithm,"Bypassing content blocking refers to actions taken to circumvent network security measures that prevent users from accessing certain servers, resources, or other online spheres. An influence operation may bypass content blocking to proliferate its content on restricted areas of the internet. Common strategies for bypassing content blocking include:
|
||||
- Altering IP addresses to avoid IP filtering
|
||||
- Using a Virtual Private Network (VPN) to avoid IP filtering
|
||||
- Using a Content Delivery Network (CDN) to avoid IP filtering
|
||||
- Enabling encryption to bypass packet inspection blocking
|
||||
- Manipulating text to avoid filtering by keywords
|
||||
- Posting content on multiple platforms to avoid platform-specific removals - Using local facilities or modified DNS servers to avoid DNS filtering ",ST0109,,"Manipulating a platform algorithm refers to conducting activity on a platform in a way that intentionally targets its underlying algorithm. After analyzing a platform’s algorithm (see: Select Platforms), an influence operation may use a platform in a way that increases its content exposure, avoids content removal, or otherwise benefits the operation’s strategy. For example, an influence operation may use bots to amplify its posts so that the platform’s algorithm recognizes engagement with operation content and further promotes the content on user timelines. ",T0078
|
||||
"Boycott/""Cancel"" Opponents",Harass,"Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organization, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasizing an adversary’s problematic or disputed behavior and presenting its own content as an alternative. ",ST0110,,"Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content. ",T0080
|
||||
Harass People Based on Identities,Harass,"Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist.",ST0111,,"Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content. ",T0080
|
||||
Threaten to Dox,Harass,"Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. ",ST0112,,"Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content. ",T0080
|
||||
Dox,Harass,"Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. ",ST0113,,"Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content. ",T0080
|
||||
Delete Opposing Content,Control Information Environment through Offensive Cyberspace Operations,"Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space.",ST0114,,Controling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritize operation messaging or block opposition messaging.,T0082
|
||||
Block Content,Control Information Environment through Offensive Cyberspace Operations,Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes. ,ST0115,,Controling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritize operation messaging or block opposition messaging.,T0082
|
||||
Destroy Information Generation Capabilities,Control Information Environment through Offensive Cyberspace Operations,"Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives. ",ST0116,,Controling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritize operation messaging or block opposition messaging.,T0082
|
||||
Conduct Server Redirect,Control Information Environment through Offensive Cyberspace Operations,"A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives.",ST0117,,Controling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritize operation messaging or block opposition messaging.,T0082
|
||||
Report Non-Violative Opposing Content,Suppress Opposition,"Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space. ",ST0118,,,T0083
|
||||
Goad People into Harmful Action (Stop Hitting Yourself),Suppress Opposition,Goad people into actions that violate terms of service or will lead to having their content or accounts taken down. ,ST0119,,,T0083
|
||||
Exploit Platform TOS/Content Moderation,Suppress Opposition,,ST0120,,,T0083
|
||||
Call to action to attend ,Encourage Attendance at Events,,ST0121,,Operation encourages attendance at existing real world event.,T0085
|
||||
Facilitate logistics or support for attendance,Encourage Attendance at Events,"Facilitate logistics or support for travel, food, housing, etc.",ST0122,,Operation encourages attendance at existing real world event.,T0085
|
||||
Pay for Physical Action,Organize Events,"Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest. ",ST0123,,"Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.",T0086
|
||||
Conduct Symbolic Action,Organize Events,"Symbolic action refers to activities specifically intended to advance an operation’s narrative by signaling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space. ",ST0124,,"Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives.",T0086
|
||||
Conduct Crowdfunding Campaigns,Conduct fundraising,,ST0125,,"Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services166 on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns to promote operation messaging while raising money to support its activities. ",T0087
|
||||
Conduct Physical Violence,Physical Violence,,ST0126,,"Physical violence refers to the use of force to injure, abuse, damage, or destroy. An influence operation may conduct or encourage physical violence to discourage opponents from promoting conflicting content or draw attention to operation narratives using shock value. ",T0088
|
||||
Encourage Physical Violence,Physical Violence,,ST0127,,"Physical violence refers to the use of force to injure, abuse, damage, or destroy. An influence operation may conduct or encourage physical violence to discourage opponents from promoting conflicting content or draw attention to operation narratives using shock value. ",T0088
|
||||
Sell Merchandise,Merchandising/ Advertising,"Selling merchandise refers to the sale of often branded items to the target audience. An influence operation may sell merchandise to raise funds and promote its messaging in the physical information space, for example, by selling t-shirts with operational messaging displayed on the clothing. ",ST0128,,Merchandising/Advertising refers to getting the message or narrative into physical space in the offline world,T0089
|
||||
Use Pseudonyms,Conceal People,"An operation may use pseudonyms, or fake names, to mask the identity of operation accounts, publish anonymous content, or otherwise use falsified personas to conceal identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account with the same falsified name. ",ST0129,,Conceal the identity or provenance of the account and people assets.,T0090
|
||||
Conceal Network Identity,Conceal People,"Concealing network identity aims to hide the existence an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. ",ST0130,,Conceal the identity or provenance of the account and people assets.,T0090
|
||||
Distance Reputable Individuals from Operation,Conceal People,"Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence.",ST0131,,Conceal the identity or provenance of the account and people assets.,T0090
|
||||
Launder Accounts,Conceal People,Account laundering occurs when an influence operation acquires control of previously legitimate online accounts from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered accounts to reach target audience members from an existing information channel and complicate attribution. ,ST0132,,Conceal the identity or provenance of the account and people assets.,T0090
|
||||
Change Names of Accounts,Conceal People,Changing names of accounts occurs when an operation changes the name of an existing social media account. An operation may change the names of its accounts throughout an operation to avoid detection or alter the names of newly acquired or repurposed accounts to fit operational narratives. ,ST0133,,Conceal the identity or provenance of the account and people assets.,T0090
|
||||
Conceal Network Identity,Conceal Operational Activity,"Concealing network identity aims to hide the existence an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organization. ",ST0134,,,T0091
|
||||
Generate Content Unrelated to Narrative,Conceal Operational Activity,"An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate ""lifestyle"" or ""cuisine"" content alongside regular operation content. ",ST0135,,,T0091
|
||||
Break Association with Content,Conceal Operational Activity,"Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation. ",ST0136,,,T0091
|
||||
Delete URLs,Conceal Operational Activity,"URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred.",ST0137,,,T0091
|
||||
Coordinate on encrypted/ closed networks,Conceal Operational Activity,,ST0138,,,T0091
|
||||
Deny involvement,Conceal Operational Activity,"Without ""smoking gun"" proof (and even with proof), incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in ""Demand insurmountable proof"", specifically the asymmetric disadvantage for truth-tellers in a ""firehose of misinformation"" environment.",ST0139,,,T0091
|
||||
Delete Accounts/Account Activity,Conceal Operational Activity,"Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artifacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred. ",ST0140,,,T0091
|
||||
Redirect URLs,Conceal Operational Activity,"An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation's appearance of legitimacy, complicate attribution, and avoid detection. ",ST0141,,,T0091
|
||||
Remove Post Origins,Conceal Operational Activity,"Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content. ",ST0142,,,T0091
|
||||
Misattribute Activity,Conceal Operational Activity,"Misattributed activity refers to incorrectly attributed operation activity. For example, a state sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute their activities to complicate attribution, avoid detection, or frame an adversary for negative behavior. ",ST0143,,,T0091
|
||||
Conceal Sponsorship,Conceal Infrastructure,"Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation rather than entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organizations, but seek to mislead or obscure the identity sponsoring, funding, or otherwise supporting these entities.
|
||||
Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation’s target audience, and post in the region’s language",ST0144,,,T0092
|
||||
Utilize Bulletproof Hosting,Conceal Infrastructure,"Hosting refers to services through which storage and computing resources are provided to an individual or organization for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customer considerable leniency in use of the service. An influence operation may utilize bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend. ",ST0145,,,T0092
|
||||
Use Shell Organizations,Conceal Infrastructure,,ST0146,,,T0092
|
||||
Use Cryptocurrency,Conceal Infrastructure,,ST0147,,,T0092
|
||||
Obfuscate Payment,Conceal Infrastructure,,ST0148,,,T0092
|
||||
Legacy web content,Exploit TOS/Content Moderation,"Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it's hard to remove or unlikely to be removed.",ST0149,,,T0093
|
||||
Post Borderline Content,Exploit TOS/Content Moderation,,ST0150,,,T0093
|
||||
People Focused,Measure Performance,,ST0151,,,T0095
|
||||
Content Focused,Measure Performance,,ST0152,,,T0095
|
||||
View Focused,Measure Performance,,ST0153,,,T0095
|
||||
Behavior changes,Measure Effectiveness,Monitor and evaluate behaviour changes from misinformation incidents. ,ST0154,,,T0096
|
||||
Content,Measure Effectiveness,,ST0155,,,T0096
|
||||
Awareness,Measure Effectiveness,,ST0156,,,T0096
|
||||
Knowledge,Measure Effectiveness,,ST0157,,,T0096
|
||||
Action/attitude,Measure Effectiveness,,ST0158,,,T0096
|
||||
Message reach,Measure Effectiveness Indicators (or KPIs),Monitor and evaluate message reach in misinformation incidents. ,ST0159,,,T0097
|
||||
Social media engagement,Measure Effectiveness Indicators (or KPIs),Monitor and evaluate social media engagement in misinformation incidents.,ST0160,,,T0097
|
||||
|
BIN
DISARM_MASTER_DATA/~$DISARM_FRAMEWORKS_MASTER.xlsx
Normal file
BIN
DISARM_MASTER_DATA/~$DISARM_FRAMEWORKS_MASTER.xlsx
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user