mirror of
https://github.com/DISARMFoundation/DISARMframeworks.git
synced 2024-10-01 01:45:36 -04:00
DISARM Techniques:
disarm_id | name | summary | tactic_id |
---|---|---|---|
T0002 | Facilitate State Propaganda | Organise citizens around pro-state messaging. Coordinate paid or volunteer groups to push state propaganda. | TA02 |
T0003 | Leverage Existing Narratives | Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consistent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplification practices. | TA14 |
T0004 | Develop Competing Narratives | Advance competing narratives connected to the same issue, i.e. on one hand deny the incident while at the same time dismissing it. Suppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centred on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on. These competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach. | TA14 |
T0007 | Create Inauthentic Social Media Pages and Groups | Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets. Computational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are. | TA15 |
T0009 | Create Fake Experts | Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself. | TA16 |
T0009.001 | Utilise Academic/Pseudoscientific Justifications | Utilise Academic/Pseudoscientific Justifications | TA16 |
T0010 | Cultivate Ignorant Agents | Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised web sites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the state’s own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also known as "useful idiots" or "unwitting agents". | TA15 |
T0011 | Compromise Legitimate Accounts | Hack or take over legitimate accounts to distribute misinformation or damaging content. | TA16 |
T0013 | Create Inauthentic Websites | Create media assets to support inauthentic organisations (e.g. think tank), people (e.g. experts) and/or serve as sites to distribute malware/launch phishing operations. | TA15 |
T0014 | Prepare Fundraising Campaigns | Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns (see: Develop Information Pathways) to promote operation messaging while raising money to support its activities. | TA15 |
T0014.001 | Raise Funds from Malign Actors | Raising funds from malign actors may include contributions from foreign agents, cutouts or proxies, shell companies, dark money groups, etc. | TA15 |
T0014.002 | Raise Funds from Ignorant Agents | Raising funds from ignorant agents may include scams, donations intended for one stated purpose but then used for another, etc. | TA15 |
T0015 | Create Hashtags and Search Artefacts | Create one or more hashtags and/or hashtag groups. Many incident-based campaigns will create hashtags to promote their fabricated event. Creating a hashtag for an incident can have two important effects: 1. Create a perception of reality around an event. Certainly only "real" events would be discussed in a hashtag. After all, the event has a name! 2. Publicise the story more widely through trending lists and search behaviour. Asset needed to direct/control/manage "conversation" connected to launching new incident/campaign with new hashtag for applicable social media sites. | TA06 |
T0016 | Create Clickbait | Create attention grabbing headlines (outrage, doubt, humour) required to drive traffic & engagement. This is a key asset. | TA05 |
T0017 | Conduct Fundraising | Fundraising campaigns refer to an influence operation’s systematic effort to seek financial support for a charity, cause, or other enterprise using online activities that further promote operation information pathways while raising a profit. Many influence operations have engaged in crowdfunding services on platforms including Tipee, Patreon, and GoFundMe. An operation may use its previously prepared fundraising campaigns to promote operation messaging while raising money to support its activities. | TA10 |
T0017.001 | Conduct Crowdfunding Campaigns | An influence operation may Conduct Crowdfunding Campaigns on platforms such as GoFundMe, GiveSendGo, Tipeee, Patreon, etc. | TA10 |
T0018 | Purchase Targeted Advertisements | Create or fund advertisements targeted at specific populations | TA05 |
T0019 | Generate Information Pollution | Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. "Nothing is true, but everything is possible." Akin to astroturfing campaign. | TA06 |
T0019.001 | Create Fake Research | Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx | TA06 |
T0019.002 | Hijack Hashtags | Hashtag hijacking occurs when users “[use] a trending hashtag to promote topics that are substantially different from its recent context” (VanDam and Tan, 2016) or “to promote one’s own social media agenda” (Darius and Stephany, 2019). | TA06 |
T0020 | Trial Content | Iteratively test incident performance (messages, content etc), e.g. A/B test headline/content engagement metrics; website and/or funding campaign conversion rates | TA08 |
T0022 | Leverage Conspiracy Theory Narratives | "Conspiracy narratives" appeal to the human desire for explanatory order, by invoking the participation of powerful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalised or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the "firehose of falsehoods" model. | TA14 |
T0022.001 | Amplify Existing Conspiracy Theory Narratives | An influence operation may amplify an existing conspiracy theory narrative that aligns with its incident or campaign goals. By amplifying existing conspiracy theory narratives, operators can leverage the power of the existing communities that support and propagate those theories without needing to expend resources creating new narratives or building momentum and buy in around new narratives. | TA14 |
T0022.002 | Develop Original Conspiracy Theory Narratives | While this requires more resources than amplifying existing conspiracy theory narratives, an influence operation may develop original conspiracy theory narratives in order to achieve greater control and alignment over the narrative and their campaign goals. Prominent examples include the USSR's Operation INFEKTION disinformation campaign run by the KGB in the 1980s to plant the idea that the United States had invented HIV/AIDS as part of a biological weapons research project at Fort Detrick, Maryland. More recently, Fort Detrick featured prominently in new conspiracy theory narratives around the origins of the COVID-19 outbreak and pandemic. | TA14 |
T0023 | Distort Facts | Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper context. | TA06 |
T0023.001 | Reframe Context | Reframing context refers to removing an event from its surrounding context to distort its intended meaning. Rather than deny that an event occurred, reframing context frames an event in a manner that may lead the target audience to draw a different conclusion about its intentions. | TA06 |
T0023.002 | Edit Open-Source Content | An influence operation may edit open-source content, such as collaborative blogs or encyclopaedias, to promote its narratives on outlets with existing credibility and audiences. Editing open-source content may allow an operation to post content on platforms without dedicating resources to the creation and maintenance of its own assets. | TA06 |
T0029 | Online Polls | Create fake online polls, or manipulate existing online polls. Data gathering tactic to target those who engage, and potentially their networks of friends/followers as well | TA07 |
T0039 | Bait Legitimate Influencers | Credibility in a social media environment is often a function of the size of a user's network. "Influencers" are so-called because of their reach, typically understood as: 1) the size of their network (i.e. the number of followers, perhaps weighted by their own influence); and 2) The rate at which their comments are re-circulated (these two metrics are related). Add traditional media players at all levels of credibility and professionalism to this, and the number of potential influential carriers available for unwitting amplification becomes substantial. By targeting high-influence people and organisations in all types of media with narratives and content engineered to appeal to their emotional or ideological drivers, influence campaigns are able to add perceived credibility to their messaging via saturation and adoption by trusted agents such as celebrities, journalists and local leaders. | TA08 |
T0040 | Demand Insurmountable Proof | Campaigns often leverage tactical and informational asymmetries on the threat surface, as seen in the Distort and Deny strategies, and the "firehose of misinformation". Specifically, conspiracy theorists can be repeatedly wrong, but advocates of the truth need to be perfect. By constantly escalating demands for proof, propagandists can effectively leverage this asymmetry while also priming its future use, often with an even greater asymmetric advantage. The conspiracist is offered freer rein for a broader range of "questions" while the truth teller is burdened with higher and higher standards of proof. | TA14 |
T0042 | Seed Kernel of Truth | Wrap lies or altered context/facts around truths. Influence campaigns pursue a variety of objectives with respect to target audiences, prominent among them: 1. undermine a narrative commonly referenced in the target audience; or 2. promote a narrative less common in the target audience, but preferred by the attacker. In both cases, the attacker is presented with a heavy lift. They must change the relative importance of various narratives in the interpretation of events, despite contrary tendencies. When messaging makes use of factual reporting to promote these adjustments in the narrative space, they are less likely to be dismissed out of hand; when messaging can juxtapose a (factual) truth about current affairs with the (abstract) truth explicated in these narratives, propagandists can undermine or promote them selectively. Context matters. | TA08 |
T0043 | Chat Apps | Direct messaging via chat app is an increasing method of delivery. These messages are often automated and new delivery and storage methods make them anonymous, viral, and ephemeral. This is a difficult space to monitor, but also a difficult space to build acclaim or notoriety. | TA07 |
T0043.001 | Use Encrypted Chat Apps | Examples include Signal, WhatsApp, Discord, Wire, etc. | TA07 |
T0043.002 | Use Unencrypted Chats Apps | Examples include SMS, etc. | TA07 |
T0044 | Seed Distortions | Try a wide variety of messages in the early hours surrounding an incident or event, to give a misleading account or impression. | TA08 |
T0045 | Use Fake Experts | Use the fake experts that were set up during Establish Legitimacy. Pseudo-experts are disposable assets that often appear once and then disappear. Give "credibility" to misinformation. Take advantage of credential bias | TA08 |
T0046 | Use Search Engine Optimisation | Manipulate content engagement metrics (ie: Reddit & Twitter) to influence/impact news search results (e.g. Google), also elevates RT & Sputnik headline into Google news alert emails. aka "Black-hat SEO" | TA08 |
T0047 | Censor Social Media as a Political Force | Use political influence or the power of state to stop critical social media comments. Government requested/driven content take downs (see Google Transparency reports). | TA18 |
T0048 | Harass | Threatening or harassing believers of opposing narratives refers to the use of intimidation techniques, including cyberbullying and doxing, to discourage opponents from voicing their dissent. An influence operation may threaten or harass believers of the opposing narratives to deter individuals from posting or proliferating conflicting content. | TA18 |
T0048.001 | Boycott/"Cancel" Opponents | Cancel culture refers to the phenomenon in which individuals collectively refrain from supporting an individual, organisation, business, or other entity, usually following a real or falsified controversy. An influence operation may exploit cancel culture by emphasising an adversary’s problematic or disputed behaviour and presenting its own content as an alternative. | TA18 |
T0048.002 | Harass People Based on Identities | Examples include social identities like gender, sexuality, race, ethnicity, religion, ability, nationality, etc. as well as roles and occupations like journalist or activist. | TA18 |
T0048.003 | Threaten to Dox | Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. | TA18 |
T0048.004 | Dox | Doxing refers to online harassment in which individuals publicly release private information about another individual, including names, addresses, employment information, pictures, family members, and other sensitive information. An influence operation may dox its opposition to encourage individuals aligned with operation narratives to harass the doxed individuals themselves or otherwise discourage the doxed individuals from posting or proliferating conflicting content. | TA18 |
T0049 | Flooding the Information Space | Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to achieve this effect. | TA17 |
T0049.001 | Trolls Amplify and Manipulate | Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it's easier to amplify existing content than create new/original content. Trolls operate wherever there's a socially divisive issue (issues that can be/are politicized). | TA17 |
T0049.002 | Hijack Existing Hashtag | Take over an existing hashtag to drive exposure. | TA17 |
T0049.003 | Bots Amplify via Automated Forwarding and Reposting | Automated forwarding and reposting refer to the proliferation of operation content using automated means, such as artificial intelligence or social media bots. An influence operation may use automated activity to increase content exposure without dedicating the resources, including personnel and time, traditionally required to forward and repost content. Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it's more "popular" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive. | TA17 |
T0049.004 | Utilise Spamoflauge | Spamoflauge refers to the practice of disguising spam messages as legitimate. Spam refers to the use of electronic messaging systems to send out unrequested or unwanted messages in bulk. Simple methods of spamoflauge include replacing letters with numbers to fool keyword-based email spam filters, for example, "you've w0n our jackp0t!". Spamoflauge may extend to more complex techniques such as modifying the grammar or word choice of the language, casting messages as images which spam detectors cannot automatically read, or encapsulating messages in password protected attachments, such as .pdf or .zip files. Influence operations may use spamoflauge to avoid spam filtering systems and increase the likelihood of the target audience receiving operation messaging. | TA17 |
T0049.005 | Conduct Swarming | Swarming refers to the coordinated use of accounts to overwhelm the information space with operation content. Unlike information flooding, swarming centres exclusively around a specific event or actor rather than a general narrative. Swarming relies on “horizontal communication” between information assets rather than a top-down, vertical command-and-control approach. | TA17 |
T0049.006 | Conduct Keyword Squatting | Keyword squatting refers to the creation of online content, such as websites, articles, or social media accounts, around a specific search engine-optimized term to overwhelm the search results of that term. An influence operation may keyword squat to increase content exposure to target audience members who query the exploited term in a search engine and manipulate the narrative around the term. | TA17 |
T0049.007 | Inauthentic Sites Amplify News and Narratives | Inauthentic sites circulate cross-post stories and amplify narratives. Often these sites have no masthead, bylines or attribution. | TA17 |
T0057 | Organise Events | Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives. | TA10 |
T0057.001 | Pay for Physical Action | Paying for physical action occurs when an influence operation pays individuals to act in the physical realm. An influence operation may pay for physical action to create specific situations and frame them in a way that supports operation narratives, for example, paying a group of people to burn a car to later post an image of the burning car and frame it as an act of protest. | TA10 |
T0057.002 | Conduct Symbolic Action | Symbolic action refers to activities specifically intended to advance an operation’s narrative by signalling something to the audience, for example, a military parade supporting a state’s narrative of military superiority. An influence operation may use symbolic action to create falsified evidence supporting operation narratives in the physical information space. | TA10 |
T0059 | Play the Long Game | Play the long game refers to two phenomena: 1. To plan messaging and allow it to grow organically without conducting your own amplification. This is methodical and slow and requires years for the message to take hold 2. To develop a series of seemingly disconnected messaging narratives that eventually combine into a new narrative. | TA11 |
T0060 | Continue to Amplify | Continue narrative or message amplification after the main incident work has finished. | TA11 |
T0061 | Sell Merchandise | Sell merchandise refers to getting the message or narrative into physical space in the offline world while making money | TA10 |
T0065 | Prepare Physical Broadcast Capabilities | Create or coopt broadcast capabilities (e.g. TV, radio etc). | TA15 |
T0066 | Degrade Adversary | Plan to degrade an adversary’s image or ability to act. This could include preparation and use of harmful information about the adversary’s actions or reputation. | TA02 |
T0068 | Respond to Breaking News Event or Active Crisis | Media attention on a story or event is heightened during a breaking news event, where unclear facts and incomplete information increase speculation, rumours, and conspiracy theories, which are all vulnerable to manipulation. | TA14 |
T0072 | Segment Audiences | Create audience segmentations by features of interest to the influence campaign, including political affiliation, geographic location, income, demographics, and psychographics. | TA13 |
T0072.001 | Geographic Segmentation | An influence operation may target populations in a specific geographic location, such as a region, state, or city. An influence operation may use geographic segmentation to Create Localised Content (see: Establish Legitimacy). | TA13 |
T0072.002 | Demographic Segmentation | An influence operation may target populations based on demographic segmentation, including age, gender, and income. Demographic segmentation may be useful for influence operations aiming to change state policies that affect a specific population sector. For example, an influence operation attempting to influence Medicare funding in the United States would likely target U.S. voters over 65 years of age. | TA13 |
T0072.003 | Economic Segmentation | An influence operation may target populations based on their income bracket, wealth, or other financial or economic division. | TA13 |
T0072.004 | Psychographic Segmentation | An influence operation may target populations based on psychographic segmentation, which uses audience values and decision-making processes. An operation may individually gather psychographic data with its own surveys or collection tools or externally purchase data from social media companies or online surveys, such as personality quizzes. | TA13 |
T0072.005 | Political Segmentation | An influence operation may target populations based on their political affiliations, especially when aiming to manipulate voting or change policy. | TA13 |
T0073 | Determine Target Audiences | Determining the target audiences (segments of the population) who will receive campaign narratives and artefacts intended to achieve the strategic ends. | TA01 |
T0074 | Determine Strategic Ends | Determining the campaign's goals or objectives. Examples include achieving geopolitical advantage like undermining trust in an adversary, gaining domestic political advantage, achieving financial gain, or attaining a policy change. | TA01 |
T0075 | Dismiss | Push back against criticism by dismissing your critics. This might be arguing that the critics use a different standard for you than with other actors or themselves; or arguing that their criticism is biassed. | TA02 |
T0075.001 | Discredit Credible Sources | Plan to delegitimize the media landscape and degrade public trust in reporting, by discrediting credible sources. This makes it easier to promote influence operation content. | TA02 |
T0076 | Distort | Twist the narrative. Take information, or artefacts like images, and change the framing around them. | TA02 |
T0077 | Distract | Shift attention to a different narrative or actor, for instance by accusing critics of the same activity that they’ve accused you of (e.g. police brutality). | TA02 |
T0078 | Dismay | Threaten the critic or narrator of events. For instance, threaten journalists or news outlets reporting on a story. | TA02 |
T0079 | Divide | Create conflict between subgroups, to widen divisions in a community | TA02 |
T0080 | Map Target Audience Information Environment | Mapping the target audience information environment analyses the information space itself, including social media analytics, web traffic, and media surveys. Mapping the information environment may help the influence operation determine the most realistic and popular information channels to reach its target audience. Mapping the target audience information environment aids influence operations in determining the most vulnerable areas of the information space to target with messaging. | TA13 |
T0080.001 | Monitor Social Media Analytics | An influence operation may use social media analytics to determine which factors will increase the operation content’s exposure to its target audience on social media platforms, including views, interactions, and sentiment relating to topics and content types. The social media platform itself or a third-party tool may collect the metrics. | TA13 |
T0080.002 | Evaluate Media Surveys | An influence operation may evaluate its own or third-party media surveys to determine what type of content appeals to its target audience. Media surveys may provide insight into an audience’s political views, social class, general interests, or other indicators used to tailor operation messaging to its target audience. | TA13 |
T0080.003 | Identify Trending Topics/Hashtags | An influence operation may identify trending hashtags on social media platforms for later use in boosting operation content. A hashtag refers to a word or phrase preceded by the hash symbol (#) on social media used to identify messages and posts relating to a specific topic. All public posts that use the same hashtag are aggregated onto a centralised page dedicated to the word or phrase and sorted either chronologically or by popularity. | TA13 |
T0080.004 | Conduct Web Traffic Analysis | An influence operation may conduct web traffic analysis to determine which search engines, keywords, websites, and advertisements gain the most traction with its target audience. | TA13 |
T0080.005 | Assess Degree/Type of Media Access | An influence operation may survey a target audience’s Internet availability and degree of media freedom to determine which target audience members will have access to operation content and on which platforms. An operation may face more difficulty targeting an information environment with heavy restrictions and media control than an environment with independent media, freedom of speech and of the press, and individual liberties. | TA13 |
T0081 | Identify Social and Technical Vulnerabilities | Identifying social and technical vulnerabilities determines weaknesses within the target audience information environment for later exploitation. Vulnerabilities include decisive political issues, weak cybersecurity infrastructure, search engine data voids, and other technical and non-technical weaknesses in the target information environment. Identifying social and technical vulnerabilities facilitates the later exploitation of the identified weaknesses to advance operation objectives. | TA13 |
T0081.001 | Find Echo Chambers | Find or plan to create areas (social media groups, search term groups, hashtag groups etc) where individuals only engage with people they agree with. | TA13 |
T0081.002 | Identify Data Voids | A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term. | TA13 |
T0081.003 | Identify Existing Prejudices | An influence operation may exploit existing racial, religious, demographic, or social prejudices to further polarise its target audience from the rest of the public. | TA13 |
T0081.004 | Identify Existing Fissures | An influence operation may identify existing fissures to pit target populations against one another or facilitate a “divide-and-conquer” approach to tailor operation narratives along the divides. | TA13 |
T0081.005 | Identify Existing Conspiracy Narratives/Suspicions | An influence operation may assess preexisting conspiracy theories or suspicions in a population to identify existing narratives that support operational objectives. | TA13 |
T0081.006 | Identify Wedge Issues | A wedge issue is a divisive political issue, usually concerning a social phenomenon, that divides individuals along a defined line. An influence operation may exploit wedge issues by intentionally polarising the public along the wedge issue line and encouraging opposition between factions. | TA13 |
T0081.007 | Identify Target Audience Adversaries | An influence operation may identify or create a real or imaginary adversary to centre operation narratives against. A real adversary may include certain politicians or political parties while imaginary adversaries may include falsified “deep state” actors that, according to conspiracies, run the state behind public view. | TA13 |
T0081.008 | Identify Media System Vulnerabilities | An influence operation may exploit existing weaknesses in a target’s media system. These weaknesses may include existing biases among media agencies, vulnerability to false news agencies on social media, or existing distrust of traditional media sources. An existing distrust among the public in the media system’s credibility holds high potential for exploitation by an influence operation when establishing alternative news agencies to spread operation content. | TA13 |
T0082 | Develop New Narratives | Actors may develop new narratives to further strategic or tactical goals, especially when existing narratives adequately align with the campaign goals. New narratives provide more control in terms of crafting the message to achieve specific goals. However, new narratives may require more effort to disseminate than adapting or adopting existing narratives. | TA14 |
T0083 | Integrate Target Audience Vulnerabilities into Narrative | An influence operation may seek to exploit the preexisting weaknesses, fears, and enemies of the target audience for integration into the operation’s narratives and overall strategy. Integrating existing vulnerabilities into the operational approach conserves resources by exploiting already weak areas of the target information environment instead of forcing the operation to create new vulnerabilities in the environment. | TA14 |
T0084 | Reuse Existing Content | When an operation recycles content from its own previous operations or plagiarises from external operations. An operation may launder information to conserve resources that would have otherwise been utilised to develop new content. | TA06 |
T0084.001 | Use Copypasta | Copypasta refers to a piece of text that has been copied and pasted multiple times across various online platforms. A copypasta’s final form may differ from its original source text as users add, delete, or otherwise edit the content as they repost the text. | TA06 |
T0084.002 | Plagiarise Content | An influence operation may take content from other sources without proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation or disinformation content from other sources. | TA06 |
T0084.003 | Deceptively Labelled or Translated | An influence operation may take authentic content from other sources and add deceptive labels or deceptively translate the content into other languages. | TA06 |
T0084.004 | Appropriate Content | An influence operation may take content from other sources with proper attribution. This content may be either misinformation content shared by others without malicious intent but now leveraged by the campaign as disinformation or disinformation content from other sources. Examples include the appropriation of content from one inauthentic news site to another inauthentic news site or network in ways that align with the originator's licencing or terms of service. | TA06 |
T0085 | Develop Text-Based Content | Creating and editing false or misleading text-based artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. | TA06 |
T0085.001 | Develop AI-Generated Text | AI-generated text refers to synthetic text composed by computers using text-generating AI technology. Autonomous generation refers to content created by a bot without human input, also known as bot-created content generation. Autonomous generation represents the next step in automation after language generation and may lead to automated journalism. An influence operation may use read fakes or autonomous generation to quickly develop and distribute content to the target audience. | TA06 |
T0085.002 | Develop False or Altered Documents | Develop False or Altered Documents | TA06 |
T0085.003 | Develop Inauthentic News Articles | An influence operation may develop false or misleading news articles aligned to their campaign goals or narratives. | TA06 |
T0086 | Develop Image-Based Content | Creating and editing false or misleading visual artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include photographing staged real-life situations, repurposing existing digital images, or using image creation and editing technologies. | TA06 |
T0086.001 | Develop Memes | Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns. | TA06 |
T0086.002 | Develop AI-Generated Images (Deepfakes) | Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures. | TA06 |
T0086.003 | Deceptively Edit Images (Cheap Fakes) | Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example, slowing, speeding, or cutting footage, to create a false context surrounding an image or event. | TA06 |
T0086.004 | Aggregate Information into Evidence Collages | Image files that aggregate positive evidence (Joan Donovan) | TA06 |
T0087 | Develop Video-Based Content | Creating and editing false or misleading video artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include staging videos of purportedly real situations, repurposing existing video artefacts, or using AI-generated video creation and editing technologies (including deepfakes). | TA06 |
T0087.001 | Develop AI-Generated Videos (Deepfakes) | Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures. | TA06 |
T0087.002 | Deceptively Edit Video (Cheap Fakes) | Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example, slowing, speeding, or cutting footage, to create a false context surrounding an image or event. | TA06 |
T0088 | Develop Audio-Based Content | Creating and editing false or misleading audio artefacts, often aligned with one or more specific narratives, for use in a disinformation campaign. This may include creating completely new audio content, repurposing existing audio artefacts (including cheap fakes), or using AI-generated audio creation and editing technologies (including deepfakes). | TA06 |
T0088.001 | Develop AI-Generated Audio (Deepfakes) | Deepfakes refer to AI-generated falsified photos, videos, or soundbites. An influence operation may use deepfakes to depict an inauthentic situation by synthetically recreating an individual’s face, body, voice, and physical gestures. | TA06 |
T0088.002 | Deceptively Edit Audio (Cheap Fakes) | Cheap fakes utilise less sophisticated measures of altering an image, video, or audio, for example, slowing, speeding, or cutting footage, to create a false context surrounding an image or event. | TA06 |
T0089 | Obtain Private Documents | Procuring documents that are not publicly available, by whatever means -- whether legal or illegal, highly-resourced or less so. These documents can include authentic non-public documents, authentic non-public documents that have been altered, or inauthentic documents intended to appear as if they are authentic non-public documents. All of these types of documents can be "leaked" during later stages in the operation. | TA06 |
T0089.001 | Obtain Authentic Documents | Procure authentic documents that are not publicly available, by whatever means -- whether legal or illegal, highly-resourced or less so. These documents can be "leaked" during later stages in the operation. | TA06 |
T0089.002 | Create Inauthentic Documents | Create inauthentic documents intended to appear as if they are authentic non-public documents. These documents can be "leaked" during later stages in the operation. | TA06 |
T0089.003 | Alter Authentic Documents | Alter authentic documents (public or non-public) to achieve campaign goals. The altered documents are intended to appear as if they are authentic and can be "leaked" during later stages in the operation. | TA06 |
T0090 | Create Inauthentic Accounts | Inauthentic accounts include bot accounts, cyborg accounts, sockpuppet accounts, and anonymous accounts. | TA15 |
T0090.001 | Create Anonymous Accounts | Anonymous accounts or anonymous users refer to users that access network resources without providing a username or password. An influence operation may use anonymous accounts to spread content without direct attribution to the operation. | TA15 |
T0090.002 | Create Cyborg Accounts | Cyborg accounts refer to partly manned, partly automated social media accounts. Cyborg accounts primarily act as bots, but a human operator periodically takes control of the account to engage with real social media users by responding to comments and posting original content. Influence operations may use cyborg accounts to reduce the amount of direct human input required to maintain a regular account but increase the apparent legitimacy of the cyborg account by occasionally breaking its bot-like behaviour with human interaction. | TA15 |
T0090.003 | Create Bot Accounts | Bots refer to autonomous internet users that interact with systems or other users while imitating traditional human behaviour. Bots use a variety of tools to stay active without direct human operation, including artificial intelligence and big data analytics. For example, an individual may programme a Twitter bot to retweet a tweet every time it contains a certain keyword or hashtag. An influence operation may use bots to increase its exposure and artificially promote its content across the internet without dedicating additional time or human resources. Amplifier bots promote operation content through reposts, shares, and likes to increase the content’s online popularity. Hacker bots are traditionally covert bots running on computer scripts that rarely engage with users and work primarily as agents of larger cyberattacks, such as Distributed Denial of Service attacks. Spammer bots are programmed to post content on social media or in comment sections, usually as a supplementary tool. Impersonator bots pose as real people by mimicking human behaviour, complicating their detection. | TA15 |
T0090.004 | Create Sockpuppet Accounts | Sockpuppet accounts refer to falsified accounts that either promote the influence operation’s own material or attack critics of the material online. Individuals who control sockpuppet accounts also man at least one other user account. Sockpuppet accounts help legitimise operation narratives by providing an appearance of external support for the material and discrediting opponents of the operation. | TA15 |
T0091 | Recruit Malign Actors | Operators recruit bad actors by paying, recruiting, or exerting control over individuals; this includes trolls, partisans, and contractors. | TA15 |
T0091.001 | Recruit Contractors | Operators recruit paid contractors to support the campaign. | TA15 |
T0091.002 | Recruit Partisans | Operators recruit partisans (ideologically-aligned individuals) to support the campaign. | TA15 |
T0091.003 | Enlist Troll Accounts | An influence operation may hire trolls, or human operators of fake accounts that aim to provoke others by posting and amplifying content about controversial issues. Trolls can serve to discredit an influence operation’s opposition or bring attention to the operation’s cause through debate. Classic trolls refer to regular people who troll for personal reasons, such as attention-seeking or boredom. Classic trolls may advance operation narratives by coincidence but are not directly affiliated with any larger operation. Conversely, hybrid trolls act on behalf of another institution, such as a state or financial organisation, and post content with a specific ideological goal. Hybrid trolls may be highly advanced and institutionalised or less organised and work for a single individual. | TA15 |
T0092 | Build Network | Operators build their own network, creating links between accounts -- whether authentic or inauthentic -- in order to amplify and promote narratives and artefacts, and encourage further growth of their network, as well as the ongoing sharing and engagement with operational content. | TA15 |
T0092.001 | Create Organisations | Influence operations may establish organisations with legitimate or falsified hierarchies, staff, and content to structure operation assets, provide a sense of legitimacy to the operation, or provide institutional backing to operation activities. | TA15 |
T0092.002 | Use Follow Trains | A follow train is a group of people who follow each other on a social media platform, often as a way for an individual or campaign to grow its social media following. Follow trains may be a violation of platform Terms of Service. They are also known as follow-for-follow groups. | TA15 |
T0092.003 | Create Community or Sub-Group | When there is not an existing community or sub-group that meets a campaign's goals, an influence operation may seek to create a community or sub-group. | TA15 |
T0093 | Acquire/Recruit Network | Operators acquire an existing network by paying, recruiting, or exerting control over the leaders of the existing network. | TA15 |
T0093.001 | Fund Proxies | An influence operation may fund proxies, or external entities that work for the operation. An operation may recruit/train users with existing sympathies towards the operation’s narratives and/or goals as proxies. Funding proxies serves various purposes including: - Diversifying operation locations to complicate attribution - Reducing the workload for direct operation assets | TA15 |
T0093.002 | Acquire Botnets | A botnet is a group of bots that can function in coordination with each other. | TA15 |
T0094 | Infiltrate Existing Networks | Operators deceptively insert social assets into existing networks as group members in order to influence the members of the network and the wider information environment that the network impacts. | TA15 |
T0094.001 | Identify Susceptible Targets in Networks | When seeking to infiltrate an existing network, an influence operation may identify individuals and groups that might be susceptible to being co-opted or influenced. | TA15 |
T0094.002 | Utilise Butterfly Attacks | Butterfly attacks occur when operators pretend to be members of a certain social group, usually a group that struggles for representation. An influence operation may mimic a group to insert controversial statements into the discourse, encourage the spread of operation content, or promote harassment among group members. Unlike astroturfing, butterfly attacks aim to infiltrate and discredit existing grassroots movements, organisations, and media campaigns. | TA15 |
T0095 | Develop Owned Media Assets | An owned media asset refers to an agency or organisation through which an influence operation may create, develop, and host content and narratives. Owned media assets include websites, blogs, social media pages, forums, and other platforms that facilitate the creation and organisation of content. | TA15 |
T0096 | Leverage Content Farms | Using the services of large-scale content providers for creating and amplifying campaign artefacts at scale. | TA15 |
T0096.001 | Create Content Farms | An influence operation may create an organisation for creating and amplifying campaign artefacts at scale. | TA15 |
T0096.002 | Outsource Content Creation to External Organisations | An influence operation may outsource content creation to external companies to avoid attribution, increase the rate of content creation, or improve content quality, i.e., by employing an organisation that can create content in the target audience’s native language. Employed organisations may include marketing companies for tailored advertisements or external content farms for high volumes of targeted media. | TA15 |
T0097 | Create Personas | Creating fake people, often with accounts across multiple platforms. These personas can be as simple as a name, can contain slightly more background like location, profile pictures, backstory, or can be effectively backstopped with indicators like fake identity documents. | TA16 |
T0097.001 | Backstop Personas | Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate credibility/believability | TA16 |
T0098 | Establish Inauthentic News Sites | Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda--for instance, click-based revenue--often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their ownership, reporting history and advertising details. | TA16 |
T0098.001 | Create Inauthentic News Sites | Create Inauthentic News Sites | TA16 |
T0098.002 | Leverage Existing Inauthentic News Sites | Leverage Existing Inauthentic News Sites | TA16 |
T0099 | Prepare Assets Impersonating Legitimate Entities | An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities. An influence operation may use a wide variety of cyber techniques to impersonate a legitimate entity’s website or social media account. Typosquatting is the international registration of a domain name with purposeful variations of the impersonated domain name through intentional typos, top-level domain (TLD) manipulation, or punycode. Typosquatting facilitates the creation of falsified websites by creating similar domain names in the URL box, leaving it to the user to confirm that the URL is correct. | TA16 |
T0099.001 | Astroturfing | Astroturfing occurs when an influence operation disguises itself as a grassroots movement or organisation that supports operation narratives. Unlike butterfly attacks, astroturfing aims to increase the appearance of popular support for the operation cause and does not infiltrate existing groups to discredit their objectives. | TA16 |
T0099.002 | Spoof/Parody Account/Site | An influence operation may prepare assets impersonating legitimate entities to further conceal its network identity and add a layer of legitimacy to its operation content. Users will more likely believe and less likely fact-check news from recognisable sources rather than unknown sites. Legitimate entities may include authentic news outlets, public figures, organisations, or state entities. | TA16 |
T0100 | Co-Opt Trusted Sources | An influence operation may co-opt trusted sources by infiltrating or repurposing a source to reach a target audience through existing, previously reliable networks. Co-opted trusted sources may include: - National or local news outlets - Research or academic publications - Online blogs or websites | TA16 |
T0100.001 | Co-Opt Trusted Individuals | Co-Opt Trusted Individuals | TA16 |
T0100.002 | Co-Opt Grassroots Groups | Co-Opt Grassroots Groups | TA16 |
T0100.003 | Co-Opt Influencers | Co-opt Influencers | TA16 |
T0101 | Create Localised Content | Localised content refers to content that appeals to a specific community of individuals, often in defined geographic areas. An operation may create localised content using local language and dialects to resonate with its target audience and blend in with other local news and social media. Localised content may help an operation increase legitimacy, avoid detection, and complicate external attribution. | TA05 |
T0102 | Leverage Echo Chambers/Filter Bubbles | An echo chamber refers to an internet subgroup, often along ideological lines, where individuals only engage with “others with which they are already in agreement.” A filter bubble refers to an algorithm's placement of an individual in content that they agree with or regularly engage with, possibly entrapping the user into a bubble of their own making. An operation may create these isolated areas of the internet by matching existing groups, or aggregating individuals into a single target audience based on shared interests, politics, values, demographics, and other characteristics. Echo chambers and filter bubbles help to reinforce similar biases and content to the same target audience members. | TA05 |
T0102.001 | Use Existing Echo Chambers/Filter Bubbles | Use existing Echo Chambers/Filter Bubbles | TA05 |
T0102.002 | Create Echo Chambers/Filter Bubbles | Create Echo Chambers/Filter Bubbles | TA05 |
T0102.003 | Exploit Data Voids | A data void refers to a word or phrase that results in little, manipulative, or low-quality search engine data. Data voids are hard to detect and relatively harmless until exploited by an entity aiming to quickly proliferate false or misleading information during a phenomenon that causes a high number of individuals to query the term or phrase. In the Plan phase, an influence operation may identify data voids for later exploitation in the operation. A 2019 report by Michael Golebiewski identifies five types of data voids. (1) “Breaking news” data voids occur when a keyword gains popularity during a short period of time, allowing an influence operation to publish false content before legitimate news outlets have an opportunity to publish relevant information. (2) An influence operation may create a “strategic new terms” data void by creating their own terms and publishing information online before promoting their keyword to the target audience. (3) An influence operation may publish content on “outdated terms” that have decreased in popularity, capitalising on most search engines’ preferences for recency. (4) “Fragmented concepts” data voids separate connections between similar ideas, isolating segment queries to distinct search engine results. (5) An influence operation may use “problematic queries” that previously resulted in disturbing or inappropriate content to promote messaging until mainstream media recontextualizes the term. | TA05 |
T0103 | Livestream | A livestream refers to an online broadcast capability that allows for real-time communication to closed or open networks. | TA07 |
T0103.001 | Video Livestream | A video livestream refers to an online video broadcast capability that allows for real-time communication to closed or open networks. | TA07 |
T0103.002 | Audio Livestream | An audio livestream refers to an online audio broadcast capability that allows for real-time communication to closed or open networks. | TA07 |
T0104 | Social Networks | Social media are interactive digital channels that facilitate the creation and sharing of information, ideas, interests, and other forms of expression through virtual communities and networks. | TA07 |
T0104.001 | Mainstream Social Networks | Examples include Facebook, Twitter, LinkedIn, etc. | TA07 |
T0104.002 | Dating Apps | Dating Apps | TA07 |
T0104.003 | Private/Closed Social Networks | An audio livestream refers to an online audio broadcast capability that allows for real-time communication to closed or open networks. Examples include Twitter Spaces, | TA07 |
T0104.004 | Interest-Based Networks | Examples include smaller and niche networks including Gettr, Truth Social, Parler, etc. | TA07 |
T0104.005 | Use Hashtags | Use a dedicated, existing hashtag for the campaign/incident. | TA07 |
T0104.006 | Create Dedicated Hashtag | Create a campaign/incident specific hashtag. | TA07 |
T0105 | Media Sharing Networks | Media sharing networks refer to services whose primary function is the hosting and sharing of specific forms of media. Examples include Instagram, Snapchat, TikTok, YouTube, SoundCloud. | TA07 |
T0105.001 | Photo Sharing | Examples include Instagram, Snapchat, Flickr, etc | TA07 |
T0105.002 | Video Sharing | Examples include YouTube, TikTok, ShareChat, Rumble, etc. | TA07 |
T0105.003 | Audio Sharing | Examples include podcasting apps, SoundCloud, etc. | TA07 |
T0106 | Discussion Forums | Platforms for finding, discussing, and sharing information and opinions. Examples include Reddit, Quora, Digg, message boards, interest-based discussion forums, etc. | TA07 |
T0106.001 | Anonymous Message Boards | Examples include the Chans | TA07 |
T0107 | Bookmarking and Content Curation | Platforms for searching, sharing, and curating content and media. Examples include Pinterest, Flipboard, etc. | TA07 |
T0108 | Blogging and Publishing Networks | Examples include WordPress, Blogger, Weebly, Tumblr, Medium, etc. | TA07 |
T0109 | Consumer Review Networks | Platforms for finding, reviewing, and sharing information about brands, products, services, restaurants, travel destinations, etc. Examples include Yelp, TripAdvisor, etc. | TA07 |
T0110 | Formal Diplomatic Channels | Leveraging formal, traditional, diplomatic channels to communicate with foreign governments (written documents, meetings, summits, diplomatic visits, etc). This type of diplomacy is conducted by diplomats of one nation with diplomats and other officials of another nation or international organisation. | TA07 |
T0111 | Traditional Media | Examples include TV, Newspaper, Radio, etc. | TA07 |
T0111.001 | TV | TV | TA07 |
T0111.002 | Newspaper | Newspaper | TA07 |
T0111.003 | Radio | Radio | TA07 |
T0112 | Email | Delivering content and narratives via email. This can include using list management or high-value individually targeted messaging. | TA07 |
T0113 | Employ Commercial Analytic Firms | Commercial analytic firms collect data on target audience activities and evaluate the data to detect trends, such as content receiving high click-rates. An influence operation may employ commercial analytic firms to facilitate external collection on its target audience, complicating attribution efforts and better tailoring the content to audience preferences. | TA08 |
T0114 | Deliver Ads | Delivering content via any form of paid media or advertising. | TA09 |
T0114.001 | Social Media | Social Media | TA09 |
T0114.002 | Traditional Media | Examples include TV, Radio, Newspaper, billboards | TA09 |
T0115 | Post Content | Delivering content by posting via owned media (assets that the operator controls). | TA09 |
T0115.001 | Share Memes | Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns. | TA09 |
T0115.002 | Post Violative Content to Provoke Takedown and Backlash | Post Violative Content to Provoke Takedown and Backlash. | TA09 |
T0115.003 | One-Way Direct Posting | Direct posting refers to a method of posting content via a one-way messaging service, where the recipient cannot directly respond to the poster’s messaging. An influence operation may post directly to promote operation narratives to the target audience without allowing opportunities for fact-checking or disagreement, creating a false sense of support for the narrative. | TA09 |
T0116 | Comment or Reply on Content | Delivering content by replying or commenting via owned media (assets that the operator controls). | TA09 |
T0116.001 | Post Inauthentic Social Media Comment | Use government-paid social media commenters, astroturfers, and chat bots (programmed to reply to specific key words/hashtags) to influence online conversations, product reviews, and web-site comment forums. | TA09 |
T0117 | Attract Traditional Media | Deliver content by attracting the attention of traditional media (earned media). | TA09 |
T0118 | Amplify Existing Narrative | An influence operation may amplify existing narratives that align with its narratives to support operation objectives. | TA17 |
T0119 | Cross-Posting | Cross-posting refers to posting the same message to multiple internet discussions, social media platforms or accounts, or news groups at one time. An influence operation may post content online in multiple communities and platforms to increase the chances of content exposure to the target audience. | TA17 |
T0119.001 | Post across Groups | An influence operation may post content across groups to spread narratives and content to new communities within the target audiences or to new target audiences. | TA17 |
T0119.002 | Post across Platform | An influence operation may post content across platforms to spread narratives and content to new communities within the target audiences or to new target audiences. Posting across platforms can also remove opposition and context, helping the narrative spread with less opposition on the cross-posted platform. | TA17 |
T0119.003 | Post across Disciplines | Post Across Disciplines | TA17 |
T0120 | Incentivize Sharing | Incentivizing content sharing refers to actions that encourage users to share content themselves, reducing the need for the operation itself to post and promote its own content. | TA17 |
T0120.001 | Use Affiliate Marketing Programmes | Use Affiliate Marketing Programmes | TA17 |
T0120.002 | Use Contests and Prizes | Use Contests and Prizes | TA17 |
T0121 | Manipulate Platform Algorithm | Manipulating a platform algorithm refers to conducting activity on a platform in a way that intentionally targets its underlying algorithm. After analysing a platform’s algorithm (see: Select Platforms), an influence operation may use a platform in a way that increases its content exposure, avoids content removal, or otherwise benefits the operation’s strategy. For example, an influence operation may use bots to amplify its posts so that the platform’s algorithm recognises engagement with operation content and further promotes the content on user timelines. | TA17 |
T0121.001 | Bypass Content Blocking | Bypassing content blocking refers to actions taken to circumvent network security measures that prevent users from accessing certain servers, resources, or other online spheres. An influence operation may bypass content blocking to proliferate its content on restricted areas of the internet. Common strategies for bypassing content blocking include: - Altering IP addresses to avoid IP filtering - Using a Virtual Private Network (VPN) to avoid IP filtering - Using a Content Delivery Network (CDN) to avoid IP filtering - Enabling encryption to bypass packet inspection blocking - Manipulating text to avoid filtering by keywords - Posting content on multiple platforms to avoid platform-specific removals - Using local facilities or modified DNS servers to avoid DNS filtering | TA17 |
T0122 | Direct Users to Alternative Platforms | Directing users to alternative platforms refers to encouraging users to move from the platform on which they initially viewed operation content and engage with content on alternate information channels, including separate social media channels and inauthentic websites. An operation may drive users to alternative platforms to diversify its information channels and ensure the target audience knows where to access operation content if the initial platform suspends, flags, or otherwise removes original operation assets and content. | TA17 |
T0123 | Control Information Environment through Offensive Cyberspace Operations | Controlling the information environment through offensive cyberspace operations uses cyber tools and techniques to alter the trajectory of content in the information space to either prioritise operation messaging or block opposition messaging. | TA18 |
T0123.001 | Delete Opposing Content | Deleting opposing content refers to the removal of content that conflicts with operational narratives from selected platforms. An influence operation may delete opposing content to censor contradictory information from the target audience, allowing operation narratives to take priority in the information space. | TA18 |
T0123.002 | Block Content | Content blocking refers to actions taken to restrict internet access or render certain areas of the internet inaccessible. An influence operation may restrict content based on both network and content attributes. | TA18 |
T0123.003 | Destroy Information Generation Capabilities | Destroying information generation capabilities refers to actions taken to limit, degrade, or otherwise incapacitate an actor’s ability to generate conflicting information. An influence operation may destroy an actor’s information generation capabilities by physically dismantling the information infrastructure, disconnecting resources needed for information generation, or redirecting information generation personnel. An operation may destroy an adversary’s information generation capabilities to limit conflicting content exposure to the target audience and crowd the information space with its own narratives. | TA18 |
T0123.004 | Conduct Server Redirect | A server redirect, also known as a URL redirect, occurs when a server automatically forwards a user from one URL to another using server-side scripting languages. An influence operation may conduct a server redirect to divert target audience members from one website to another without their knowledge. The redirected website may pose as a legitimate source, host malware, or otherwise aid operation objectives. | TA18 |
T0124 | Suppress Opposition | Operators can suppress the opposition by exploiting platform content moderation tools and processes like reporting non-violative content to platforms for takedown and goading opposition actors into taking actions that result in platform action or target audience disapproval. | TA18 |
T0124.001 | Report Non-Violative Opposing Content | Reporting opposing content refers to notifying and providing an instance of a violation of a platform’s guidelines and policies for conduct on the platform. In addition to simply reporting the content, an operation may leverage copyright regulations to trick social media and web platforms into removing opposing content by manipulating the content to appear in violation of copyright laws. Reporting opposing content facilitates the suppression of contradictory information and allows operation narratives to take priority in the information space. | TA18 |
T0124.002 | Goad People into Harmful Action (Stop Hitting Yourself) | Goad people into actions that violate terms of service or will lead to having their content or accounts taken down. | TA18 |
T0124.003 | Exploit Platform TOS/Content Moderation | Exploit Platform TOS/Content Moderation | TA18 |
T0125 | Platform Filtering | Platform filtering refers to the decontextualization of information as claims cross platforms (from Joan Donovan https://www.hks.harvard.edu/publications/disinformation-design-use-evidence-collages-and-platform-filtering-media-manipulation) | TA18 |
T0126 | Encourage Attendance at Events | Operation encourages attendance at an existing real-world event. | TA10 |
T0126.001 | Call to Action to Attend | Call to action to attend an event | TA10 |
T0126.002 | Facilitate Logistics or Support for Attendance | Facilitate logistics or support for travel, food, housing, etc. | TA10 |
T0127 | Physical Violence | Physical violence refers to the use of force to injure, abuse, damage, or destroy. An influence operation may conduct or encourage physical violence to discourage opponents from promoting conflicting content or draw attention to operation narratives using shock value. | TA10 |
T0127.001 | Conduct Physical Violence | An influence operation may directly Conduct Physical Violence to achieve campaign goals. | TA10 |
T0127.002 | Encourage Physical Violence | An influence operation may Encourage others to engage in Physical Violence to achieve campaign goals. | TA10 |
T0128 | Conceal People | Conceal the identity or provenance of a campaign account and people assets to avoid takedown and attribution. | TA11 |
T0128.001 | Use Pseudonyms | An operation may use pseudonyms, or fake names, to mask the identity of operation accounts, publish anonymous content, or otherwise use falsified personas to conceal identity of the operation. An operation may coordinate pseudonyms across multiple platforms, for example, by writing an article under a pseudonym and then posting a link to the article on social media on an account with the same falsified name. | TA11 |
T0128.002 | Conceal Network Identity | Concealing network identity aims to hide the existence of an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organisation. | TA11 |
T0128.003 | Distance Reputable Individuals from Operation | Distancing reputable individuals from the operation occurs when enlisted individuals, such as celebrities or subject matter experts, actively disengage themselves from operation activities and messaging. Individuals may distance themselves from the operation by deleting old posts or statements, unfollowing operation information assets, or otherwise detaching themselves from the operation’s timeline. An influence operation may want reputable individuals to distance themselves from the operation to reduce operation exposure, particularly if the operation aims to remove all evidence. | TA11 |
T0128.004 | Launder Accounts | Account laundering occurs when an influence operation acquires control of previously legitimate online accounts from third parties through sale or exchange and often in contravention of terms of use. Influence operations use laundered accounts to reach target audience members from an existing information channel and complicate attribution. | TA11 |
T0128.005 | Change Names of Accounts | Changing names of accounts occurs when an operation changes the name of an existing social media account. An operation may change the names of its accounts throughout an operation to avoid detection or alter the names of newly acquired or repurposed accounts to fit operational narratives. | TA11 |
T0129 | Conceal Operational Activity | Conceal the campaign's operational activity to avoid takedown and attribution. | TA11 |
T0129.001 | Conceal Network Identity | Concealing network identity aims to hide the existence of an influence operation’s network completely. Unlike concealing sponsorship, concealing network identity denies the existence of any sort of organisation. | TA11 |
T0129.002 | Generate Content Unrelated to Narrative | An influence operation may mix its own operation content with legitimate news or external unrelated content to disguise operational objectives, narratives, or existence. For example, an operation may generate "lifestyle" or "cuisine" content alongside regular operation content. | TA11 |
T0129.003 | Break Association with Content | Breaking association with content occurs when an influence operation actively separates itself from its own content. An influence operation may break association with content by unfollowing, unliking, or unsharing its content, removing attribution from its content, or otherwise taking actions that distance the operation from its messaging. An influence operation may break association with its content to complicate attribution or regain credibility for a new operation. | TA11 |
T0129.004 | Delete URLs | URL deletion occurs when an influence operation completely removes its website registration, rendering the URL inaccessible. An influence operation may delete its URLs to complicate attribution or remove online documentation that the operation ever occurred. | TA11 |
T0129.005 | Coordinate on Encrypted/Closed Networks | Coordinate on encrypted/closed networks | TA11 |
T0129.006 | Deny Involvement | Without "smoking gun" proof (and even with proof), incident creator can or will deny involvement. This technique also leverages the attacker advantages outlined in "Demand insurmountable proof", specifically the asymmetric disadvantage for truth-tellers in a "firehose of misinformation" environment. | TA11 |
T0129.007 | Delete Accounts/Account Activity | Deleting accounts and account activity occurs when an influence operation removes its online social media assets, including social media accounts, posts, likes, comments, and other online artefacts. An influence operation may delete its accounts and account activity to complicate attribution or remove online documentation that the operation ever occurred. | TA11 |
T0129.008 | Redirect URLs | An influence operation may redirect its falsified or typosquatted URLs to legitimate websites to increase the operation's appearance of legitimacy, complicate attribution, and avoid detection. | TA11 |
T0129.009 | Remove Post Origins | Removing post origins refers to the elimination of evidence that indicates the initial source of operation content, often to complicate attribution. An influence operation may remove post origins by deleting watermarks, renaming files, or removing embedded links in its content. | TA11 |
T0129.010 | Misattribute Activity | Misattributed activity refers to incorrectly attributed operation activity. For example, a state-sponsored influence operation may conduct operation activity in a way that mimics another state so that external entities misattribute activity to the incorrect state. An operation may misattribute its activities to complicate attribution, avoid detection, or frame an adversary for negative behaviour. | TA11 |
T0130 | Conceal Infrastructure | Conceal the campaign's infrastructure to avoid takedown and attribution. | TA11 |
T0130.001 | Conceal Sponsorship | Concealing sponsorship aims to mislead or obscure the identity of the hidden sponsor behind an operation rather than the entity publicly running the operation. Operations that conceal sponsorship may maintain visible falsified groups, news outlets, non-profits, or other organisations, but seek to mislead or obscure the identity sponsoring, funding, or otherwise supporting these entities. Influence operations may use a variety of techniques to mask the location of their social media accounts to complicate attribution and conceal evidence of foreign interference. Operation accounts may set their location to a false place, often the location of the operation’s target audience, and post in the region’s language. | TA11 |
T0130.002 | Utilise Bulletproof Hosting | Hosting refers to services through which storage and computing resources are provided to an individual or organisation for the accommodation and maintenance of one or more websites and related services. Services may include web hosting, file sharing, and email distribution. Bulletproof hosting refers to services provided by an entity, such as a domain hosting or web hosting firm, that allows its customers considerable leniency in use of the service. An influence operation may utilise bulletproof hosting to maintain continuity of service for suspicious, illegal, or disruptive operation activities that stricter hosting services would limit, report, or suspend. | TA11 |
T0130.003 | Use Shell Organisations | Use Shell Organisations to conceal sponsorship. | TA11 |
T0130.004 | Use Cryptocurrency | Use Cryptocurrency to conceal sponsorship. Examples include Bitcoin, Monero, and Ethereum. | TA11 |
T0130.005 | Obfuscate Payment | Obfuscate Payment | TA11 |
T0131 | Exploit TOS/Content Moderation | Exploiting weaknesses in platforms' terms of service and content moderation policies to avoid takedowns and platform actions. | TA11 |
T0131.001 | Legacy Web Content | Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it's hard to remove or unlikely to be removed. | TA11 |
T0131.002 | Post Borderline Content | Post Borderline Content | TA11 |
T0132 | Measure Performance | A metric used to determine the accomplishment of actions. “Are the actions being executed as planned?” | TA12 |
T0132.001 | People Focused | Measure the performance of individuals in achieving campaign goals | TA12 |
T0132.002 | Content Focused | Measure the performance of campaign content | TA12 |
T0132.003 | View Focused | View Focused | TA12 |
T0133 | Measure Effectiveness | A metric used to measure a current system state. “Are we on track to achieve the intended new system state within the planned timescale?” | TA12 |
T0133.001 | Behaviour Changes | Monitor and evaluate behaviour changes from misinformation incidents. | TA12 |
T0133.002 | Content | Measure current system state with respect to the effectiveness of campaign content. | TA12 |
T0133.003 | Awareness | Measure current system state with respect to the effectiveness of influencing awareness. | TA12 |
T0133.004 | Knowledge | Measure current system state with respect to the effectiveness of influencing knowledge. | TA12 |
T0133.005 | Action/Attitude | Measure current system state with respect to the effectiveness of influencing action/attitude. | TA12 |
T0134 | Measure Effectiveness Indicators (or KPIs) | Ensuring that Key Performance Indicators are identified and tracked, so that the performance and effectiveness of campaigns, and elements of campaigns, can be measured, during and after their execution. | TA12 |
T0134.001 | Message Reach | Monitor and evaluate message reach in misinformation incidents. | TA12 |
T0134.002 | Social Media Engagement | Monitor and evaluate social media engagement in misinformation incidents. | TA12 |