Disinformation operations in cyber-space

Disinformation operations are a clear reminder that cyber-space is a term that not only incorporates networks and computing devices but also the human element.

June 15, 2017


In parallel to cyber-attacks that impact technological assets, threat actors have been conducting an increasing number of multi-faceted disinformation operations. Alleged objectives of these attacks are to infiltrate dependable information sources and influence and distract public opinion, (social) media and the press. This is attempted by seeding distrust, undermining widely accepted societal and democratic values, and potentially influencing the outcome of important events such as elections. Such attacks can be perfectly disguised beneath the vast amount of publicly available information (often tailored to individual or group profiles) that people “consume” on a daily basis. This renders those attacks difficult to detect and mitigate.

Disinformation operations are a clear reminder that cyber-space is a term that not only incorporates networks and computing devices but also the human element. This note outlines disinformation campaigns and provides an overview of the trending threat of “tainted leaks”.

Disinformation campaigns

Disinformation operations in cyber-space became evident after the revelation of the Democratic National Committee (DNC) hack in 2016, where, according to US government agencies, a foreign state attempted to covertly interfere with the US presidential elections (additional overt channels were possibly used, as recently disclosed). Following this attack, US government agencies assessed that similar attempts to influence elections would be seen across Europe.

During March-May 2017 there were attacks against Emmanuel Macron’s election campaign in France. The attacks involved spear-phishing campaigns, controversial leaks aiming to discredit Macron, and a massive data leak (“Macron leaks”). The leak allegedly included e-mails between Macron, his team, other officials, politicians, as well as original documents and photos.

A recent report, which focused on disinformation campaigns and tactics, introduced the term “tainted leaks” to describe “the deliberate seeding of false information within a larger set of authentically stolen data”. The tactic behind tainted leaks is not new. Intelligence services have used them in the past for disinformation and psychological warfare. Nowadays, tainted leaks use cyber-space to gain more traction. Tainted leaks move a step forward from the dissemination of fake news, by further blurring the lines of what is true and what is a fallacy.

A large volume of stolen data is a good candidate for tainting before being publicly leaked. As stated in the aforementioned report, a carefully constructed tainted leak contains a series of legitimate data/information as proof of authenticity, surrounded by well-tailored fake information. The mixture of legitimate and fake information is quite challenging to detect and hence can be overlooked by the press. The combination of the dissemination of tainted leaks with the launch of well-orchestrated social-media campaigns that focus on spreading the falsified elements of these leaks highlights how serious, and how non-trivial to solve, the problem of tainted leaks is.

Tainted leaks usually have a twofold goal. On the one hand, they aim at propagating false information and discrediting the party affected by the falsehoods. On the other hand, and perhaps most importantly, they aim at cultivating distrust among citizens and inducing them to question the integrity, reliability and trustworthiness of the media, which often fall into the trap of relaying fake news. Citizens usually do not have the ability to verify the integrity of data leaks, and in the case of tainted leaks the media may have a difficult time performing proper fact checking in a timely manner. In the meantime, false information spreads like wildfire, fulfilling its goal.

Examples of mitigation approaches

One interesting aspect in Emmanuel Macron’s case was the “counter offensive” tactic that Macron’s digital team employed against the frequent phishing attacks it faced during the election campaign. The head of Macron’s digital team revealed that his team “replied” to the several phishing attempts by feeding them with decoy data (credentials of fake accounts containing fake data/information, e.g. documents), hence rendering the validation of the authenticity of those data a non-trivial as well as time-consuming task for the attackers.

The head of Macron’s digital team also noted that the “Macron leaks” included both authentic and fake documents (created by the attacker/s), stolen documents from various companies, and fake e-mails created by Macron’s team. He did not comment on whether fake documents created by Macron’s team were part of the leak. In the context of tainted leaks, an interesting point in this case is that Macron’s team attempted to use the tainted leaks in its favor by trying to influence them prior to their revelation and hence limit their impact. Therefore, Macron’s case suggests that not all tainted leaks work the same or cause the same damage.
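A sketch of how an affected organisation could triage a leaked dump into the categories described above, by comparing it with its own records. This is an added example, not taken from the original note or from Macron’s team; the hash-register approach, file names and contents are constructed assumptions.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_register(authentic: dict, decoys: dict) -> dict:
    """Map digest -> (label, name) for every document the organisation holds."""
    register = {}
    for label, docs in (("authentic", authentic), ("decoy", decoys)):
        for name, data in docs.items():
            register[digest(data)] = (label, name)
    return register

def triage(leak: dict, register: dict) -> dict:
    """Classify each leaked item against the register.

    authentic: byte-identical to a real document (even if renamed)
    decoy:     byte-identical to a decoy planted by the defenders
    altered:   carries a registered name but different content
    unknown:   nothing on record; a hash cannot confirm or refute it
    """
    known_names = {name for _, name in register.values()}
    result = {}
    for name, data in leak.items():
        hit = register.get(digest(data))
        if hit:
            result[name] = hit[0]
        elif name in known_names:
            result[name] = "altered"
        else:
            result[name] = "unknown"
    return result

# Constructed sample data (hypothetical names and contents).
AUTHENTIC = {"budget.txt": b"Q2 budget: 120k EUR for field offices\n",
             "schedule.txt": b"Rally moved to 14:00\n"}
DECOYS = {"donors.txt": b"constructed decoy donor list\n"}
LEAK = {"budget.txt": b"Q2 budget: 120k EUR for offshore account\n",
        "schedule_copy.txt": b"Rally moved to 14:00\n",
        "donors.txt": b"constructed decoy donor list\n",
        "memo.txt": b"constructed fabricated memo\n"}

def demo() -> dict:
    return triage(LEAK, build_register(AUTHENTIC, DECOYS))

if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{label:10} {name}")
```

Matching is byte-exact, so an authentic document that was re-saved or converted before leaking lands in “altered” or “unknown” and still needs manual comparison with the original.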

If the information already shared regarding this “counter offensive” operation is correct, a few remarks can be made: “counter offensive” operations are controversial and are still a grey area in cyber security. They might have worked in Macron’s case but they may not have the same impact and consequences when applied in different sectors. Having said that, as highlighted in a previous note, there are some considerations that need to be taken into account prior to employing “counter offensive” operations.

Europe has raised concerns about fake news while warning that there are no easy solutions to this issue. After pressure from European bodies, social networks (which are heavily leveraged for spreading fake news) seem to be taking steps in the fight against fake news campaigns. For example, Facebook recently acknowledged the issue and published a report about it, describing its approach against fake news. It is expected that similar actions will be initiated by various stakeholders whose businesses heavily depend on information.


Disinformation campaigns and tainted leaks are becoming a serious issue both in the cyber and physical world. Due to their nature, they are difficult both to identify and counter. Societies will have to develop defences against such attacks, particularly the ones that aim to potentially affect democratic processes such as elections, legislative procedures, law enforcement and justice. In the context of cyber security, disinformation campaigns should be closely monitored and thoroughly analysed in order to counter similar attacks in the future.
