This confirms that sophisticated malign influence activities rely on developments in a target nation to generate initial interest without compromising the identity of the attacker. Perhaps most interestingly, our research also unexpectedly uncovered evidence of malware being leveraged against Facebook users.

While it may seem counterintuitive that the IRA would hack users that they are trying to influence without being caught, the operational approach here was clear. They used click-fraud malware like FaceMusic to infect an initially gullible population, enhance the visibility of troll farm content used by IRA accounts, and then expand the reach of the influence operation to more diverse social media populations. Given the focus in CEIO research on direct attacks on influence infrastructure like voting systems or social media platforms, this finding is revelatory.

Capture, not kill: Operational utility feeds strategic value of cyber-enabled influence operations

This research shows a clear lifecycle of CEIO activities that is rooted in a robust understanding of the constraints facing influence operators. We might think of this as a capture chain rather than the traditional kill chain. As the diagram below shows, preparatory cyber activity is critical in the development of influence campaigns that can be the differentiator between tactical results and strategic value. After a belligerent like the IRA establishes its initial social media footprint, it engages in a messaging campaign that references domestic triggering events to engage and capture an initial population.

As with much social engineering, however, the first-mover principle with influence operations is to target gullible persons to expand access. Malware was the key to this goal, translating the prospects of the operation from one with limited likelihood of serious impact to something capable of generating strategically meaningful manipulation of America’s information environment.

This new take on the use of malware for influence operations not only refocuses research and practice on CEIO, it also helps make sense of high-level empirical patterns in the marriage of cyber and influence efforts in the past couple of years. As Microsoft and other technology stakeholders have noted recently, for instance, there is a clear difference in practice between Chinese and Russian and Iranian threat actors in this space since 2020. While Chinese APTs have been linked to numerous influence campaigns, the use of malware or more performative cyber actions alongside such efforts is minimal, particularly against Western targets. By contrast, hackers backed by Moscow and Tehran consistently blend the methods, to questionable results.

A promising explanation for this divergence lies in the character of Chinese influence operations, which have often focused on the West more on issue-based manipulation of media and less on subverting sociopolitical systems. Such an approach relies much more on distraction and on generating noise than it does on targeted audience effects. As such, the utility of malware is less.

Assessing cyber-enabled influence operations vulnerability

How should security teams assess risk around cyber-enabled influence? The conventional answer to this question is similar to assessing risk from geopolitical crisis. When considering the threat of manipulative or parallel cyber activities, vulnerability is most significant for two types of actors. First, any organization whose operation directly ties into the function of electoral processes is at heightened risk, whether that be social technology companies or firms contracted to service voting infrastructure. Second, organizations that symbolize key social or political issues are at risk of compromise as foreign threat actors seek to leverage contemporary conditions to produce performative ends.

This new research, however, suggests that risk lies much more problematically with workforces than with organizations themselves. The use of malware against vulnerable populations on social media suggests that the CEIO threat is much more disaggregated than national security planners and industry security teams would like.

Traditional hygiene controls like workforce training and constraints on the use of personal equipment are obviously key to limiting organizational vulnerability to infection. More generally, however, the notion of a capture chain emphasizes yet again the need for sociopolitical intelligence products to be factored into security analytics. Assessing CEIO risk means not only understanding how geopolitical circumstance heightens company vulnerability, it means understanding when personnel background and practice introduces new risk for organizational function.