A glossary: who is who in the FIMI zoo?

The 3rd EEAS Report on Foreign Information Manipulation and Interference (FIMI) Threats offers a wealth of insights into information manipulation operations. Our series of deep-dive articles peeks behind the curtain and introduces a novel analytical approach to exposing FIMI. It also zeroes in on the architecture of Russian FIMI operations, using the analogy of an iceberg, to show that a large part of this manipulative architecture is hidden below the surface. The Report also zooms out to analyse the scope of the manipulative networks and the interrelationships within them, in what we call the FIMI galaxy.

Reports can sometimes be too technical and fall into the trap of using subject-specific jargon and terminology alien to the wider public. Of course, our platform has been explaining and countering information manipulation and providing the learning tools to those who seek to do the same. To help you along this journey to learn more about information manipulation and navigate the pages of our reports with confidence, we offer a useful glossary of terms, so you too can know who is who in the FIMI zoo.

Not all information is created equal – the basics

Let’s start with the basics. What is misinformation and how is it different from disinformation? Well, for the European Union, misinformation is false or misleading content that is shared without any malicious or harmful intent. Don’t be deceived – even if there is no intention to harm, the spread of misinformation can still lead to harmful consequences. For example, not all misleading content about the COVID-19 pandemic was spread by state actors like Russia and China that may have intended harm. But regardless of whom is spreading misleading content about COVID-19 or why, it did have an impact on vaccine hesitancy, hence increasing public harm.

Disinformation, on the other hand, we define as verifiably false information that is created, presented and disseminated for economic or political gain or to intentionally deceive the public and cause public harm. This harm also means threats to democratic political and policy-making processes as well as harm to health, the environment, or security. To make it easier to understand, we have collected more than 18 000 examples of disinformation in our database.

Deciphering the acronyms

When people think about disinformation, they typically think about the misleading story or the narrative that someone tells with the intent to deceive. But information manipulation can be much broader than deceptive stories. That is why the European Union conceptualised this threat as foreign information manipulation and interference, or FIMI.

What does it actually mean? Well, FIMI focusses on manipulative behaviour, rather than just the deceptive narrative. It describes a mostly non-illegal pattern of behaviour that threatens or negatively impacts values, procedures, and political processes. FIMI is manipulative and conducted in an intentional and coordinated manner. It can be carried out by both state and non-state actors and can rely on using proxies operating domestically or from abroad.

Here are a few more helpful decryptions of acronyms and terms we use when we talk about FIMI or information manipulation more broadly.

A FIMI incident is an action perpetrated by one or more threat actors pursuing specific objectives who carries out the action with the intent to deceive. It is composed of a combination of observables, such as a social media post, a video or an article on a website, and some tactics, techniques and procedures (TTPs) for conducting FIMI activity. Multiple, related FIMI incidents might indicate that there is a larger FIMI campaign in play.

In the FIMI context, TTPs are patterns of behaviour used by threat actors to manipulate the information environment. Tactics indicate operational goals. Techniques describe how FIMI threat actors try to accomplish those goals. Procedures are the specific combination and techniques across multiple tactics (or stages of an attack) that indicate intent. Here is a very useful collection of TTPs collected by the DISARM Foundation.

Sometimes when taking about techniques of information manipulation, people also refer to coordinated inauthentic behaviour or CIB. This can be considered as just a group of techniques – It means organised, deliberate, and manipulative efforts to mislead audiences by using multiple fake or inauthentic accounts deployed in a concerted way. Generally, it includes networks of accounts and social media pages working together to spread disinformation while concealing their nature. Therefore, this terminology is favoured by social media platforms like Meta that use CIB to describe information manipulation in their Adversarial Threat Reports.

When we say ‘threat actor’, it may sound as impersonal as it does ominous. But what we really mean is an organisation, a government, an individual, or a group that poses a security threat by engaging in malicious activities such as FIMI campaigns, cyberattacks, or other harmful actions. These threat actors can have different motives for malicious activities. Some do it for financial gain or political influence, others for espionage and the disruption of democratic processes.

Tools for responding

In order to respond to information manipulation threats, the European Union has also developed a set of tools. These are commonly referred to as the FIMI toolbox. The creation of the toolbox was set in motion by the Strategic Compass, which set out a plan of action for strengthening the EU’s security and defence policy. It recognised information manipulation as a significant security threat to the EU and therefore the FIMI toolbox is a comprehensive catalogue of responses and instruments arranged in four broad thematic areas – situational awareness, resilience building, regulation, and diplomatic action.

Continuing to sharpen the instruments in the FIMI toolbox, the 2nd EEAS Report on FIMI threats introduced the Response Framework to FIMI Threats. This framework is a systematic way of organising and conceptualising the analysis and response processes to FIMI. It is a guide to how defenders can prevent, prepare for, respond to, and recover from FIMI attacks while continuously improving their security in future attacks. The workflow of the Response Framework coordinates actions in the different phases of threat analysis and response.

Lastly, we have already covered the FIMI Exposure Matrix in a separate deep-dive article. But just to recap – the Exposure Matrix is a novel approach to understanding and attributing FIMI activity. It provides an instrument to reveal the comprehensive and multi-layered digital architecture put into place by authoritarian regimes such as Russia and China to conduct their FIMI operations.

In practical terms, this means mapping the channels of attributed FIMI infrastructure and beyond, prioritising behavioural and technical indicators to understand their interconnectedness and alignment. It also combines data sources to categorise FIMI networks and their operations while enhancing monitoring and response capabilities. Exposure Matrix is composed of four categories: three are attributed to a threat actor, while the fourth includes non-attributed sources that still play a significant role in FIMI activities.

Information manipulation campaigns

Of course, countering FIMI is not just a conceptual exercise to develop new terminology. The methodology, insights, practices, and approaches developed by the EEAS together with many outstanding partners across like-minded governments, international organisations, civil society groups, academics, and research organisations have significantly strengthened the community of FIMI defenders and yielded tangible results in exposing FIMI campaigns.

But unlike technical-sounding FIMI terminology, the naming convention for these campaigns is far more poetic – the Doppelgänger campaign, Operation False Façade , Operation Overload, Portal Kombat, and Operation Matryoshka, just to name a few. Catchy names can be good for drawing attention to these information manipulation operations, but they can also sometimes be confusing and not immediately clear about the very real security threat hiding behind these poetic titles. So, here is a quick rundown of some of the most visible FIMI campaigns uncovered to date.

Doppelgänger

Doppelgänger is a FIMI campaign attributed to Russia, active since mid-2022. According to data collected by the EEAS, it consists of 228 domains and 25,000 CIB networks operating across many languages. The campaign has a prominent presence within the Russian FIMI infrastructure. Doppelgänger has been widely exposed by FIMI defenders in civil society and governments alike.

The main objective of the Doppelgänger campaign is to expand Russian influence globally through audience segmentation and manipulative localised content. Initially Doppelgänger focussed on impersonating Western news outlets and government websites. But eventually it evolved into a multi-layered FIMI operation. It deploys networks of thousands of fake domains designed to manipulate platform algorithms, runs sponsored ads to drive traffic, and relies on large-scale CIB networks. Read more to find out against whom the Doppelgänger campaign was deployed in the context of the European elections.

Operation False Façade (Storm-1516)

The False Façade operation, also called Storm-1516, launched in late 2023, consists of a network of 230 inauthentic websites, including both active and dormant domains. It mimics Western media by incorporating city names from the EU, UK, and US in its branding, for example Boston Times or London Crier. This behaviour indicates that the geographic focus for this FIMI operation is to influence the West. The campaign centres around information laundering of especially chosen content between attributed and non-attributed sources. Read more about Operation False Façade here.

Portal Kombat

Portal Kombat (also known as the Pravda network) was created in 2022 and operates at least 200 inauthentic media outlets targeting local and regional audiences across Europe, Africa, and Asia. This FIMI campaign was initially uncovered by French authorities. For the most part, Portal Kombat appears to prioritise expanding its influence across Africa. In our latest FIMI report, we have identified 73 incidents indicating that Portal Kombat relies on the high-frequency automated re-publication of Russian FIMI content from selected sources, including official Russian government entities, state-affiliated media, Russian Telegram influencers, and local anti-establishment outlets.

Operation Overload/Operation Matryoshka

Sometimes, information manipulation does not mean pushing out deceptive or manipulative content. In the case of Operation Overload, it was a campaign to overrun or overload the capacity of fact-checkers in newsrooms and media outlets across the globe with requests to verify dubious claims undermining Ukraine, France, and Germany, among others.

The operation included sending thousands of fabricated images, screenshots, and videos to newsrooms, underpinned by coordinated action on Telegram and X to artificially disseminate fabricated content. Operation Overload operated in tandem with Operation Matryoshka. The latter was aptly named after the Russian nesting-doll because the deceptive content generated by this operation generally impersonates North American and European public figures and media outlets. And yet, a closer look reveals that most of the content was first published on Russian-language Telegram channels already identified in other pro-Kremlin information operations.

The intent behind these operations is clear. Bog down fact-checkers with red herrings so they are not able to respond to real requests and give more oxygen to disinformation narratives when such dubious claims are debunked en masse. More on Operation Overload here.

Article and pictures first time published on the EUvsDisinfo web page. Prepared for publication by volunteers from the Res Publica - The Center for Civil Resistance.