TIPS #21: The Disinformation/Misinformation Dual Threat
Shane Shook
October 28, 2024
Issue: Disinformation and misinformation are growing threats that impact companies and require specific security measures most don’t have in place.
With the 2024 US election around the corner, disinformation and election security are certainly top of mind. It’s a familiar challenge that many nation-states have grappled with in recent years: social media and communications technologies amplify false claims and spread misinformation, potentially impacting elections and misleading citizens about candidates, policies, or even when and where to cast their vote.
It isn’t just nation-states facing this challenge, though. Companies are also at risk. Cyber attacks often utilize technology to influence and manipulate people with access to valuable data, business systems, and resources. Put another way, attackers target humans to subvert computer systems, and disinformation is a tool they use to impact people’s decisions.
Disinformation vs. Misinformation
Any discussion of disinformation requires consideration of its relationship to misinformation.
Disinformation is a deliberate tactic used by malicious actors in pursuit of specific objectives. It is the targeted use of false information with the goal of deceiving victims and manipulating their behavior.
Misinformation, on the other hand, is the reconveyance and amplification of disinformation by innocent and unsuspecting third parties. Left unchecked, misinformation significantly expands the blast radius of disinformation and leads to outsized impacts.
Examples of disinformation and misinformation
Attackers use disinformation and misinformation in concert by exploiting networks of social trust. For example:
- An attacker may steal a user’s credentials and take over their accounts (ATO), utilizing access to communications technologies and social networks (over social media, email, or otherwise) to spread disinformation and prey upon innocent third parties who then propagate misinformation.
- Bad actors may leverage bots on social media sites like LinkedIn to establish a virtual relationship with initial victims, utilizing those victims’ connections to bridge over to target victims.
- Attackers may like or otherwise show support for victims’ social media posts and comments to become visible and establish a level of trust, which they then leverage to foment misinformation at scale.
- An attacker might spoof an executive’s identity using a Business Email Compromise (BEC) scam or a deepfake, targeting a business functionary with disinformation and manipulating them into making a fraudulent payment.
- A company’s competitor may deploy disinformation to disrupt a pending merger or acquisition, leveraging social media and communications technologies to encourage misinformed news stories and social media posts to impact M&A prospects, competitive dynamics, valuations, and stock prices.
Unfortunately, most companies are not prepared to combat disinformation and misinformation. There is a widespread lack of preventative education around these tactics and how they operate. Many companies do not see disinformation as a corporate security issue and fail to strategize and coordinate between security, communications, PR, and other internal teams. They may also lack preventative tooling like email filters which flag or block BEC attempts and often fail to implement two-person integrity policies which require two authorized users to perform sensitive tasks and reduce the chances of manipulation.
Impact: Disinformation and its amplification through misinformation can severely damage a company’s business prospects and reputation.
All forms of disinformation and misinformation have the potential to severely damage a company’s reputation and operations. Brand and reputational harm are some of the most common impacts when misinformation spreads and manipulates public perception. These tactics can also cause financial losses like lost revenue and lowered stock prices in addition to operational disruptions to business systems, supply chains, and customer relationships.
The following examples are high profile case studies of disinformation and misinformation which illustrate the dynamics and impacts of these tactics:
Fake DOD Memo Targets Broadcom-CA Technologies Acquisition
On October 10, 2018, semiconductor and chip manufacturer Broadcom was targeted with a fake U.S. Department of Defense memo regarding a proposed $19 billion deal to acquire software company CA Technologies. The fake memo stated that the deal might require review by the Committee on Foreign Investment in the United States (CFIUS) and was circulated among Senators and members of Congress, with Senator Rand Paul calling for CFIUS review on the same day, though his office later stated that the memo did not influence the call for a CFIUS review. Broadcom and CA Technologies both saw their stock prices fall and the deal faced increased public scrutiny. The acquisition would go through about a month later.
In this case, the fake memo contained disinformation, and misinformation was propagated to legislative decision-makers, impacting company stock prices and casting doubt on the potential acquisition.
RT America Spreads 5G Disinformation
In 2019, Russian state-backed news outlet RT America began promoting disinformation that 5G technologies caused negative health impacts. The outlet later linked the disinformation about 5G to COVID-19 during the coronavirus pandemic in 2020, casting doubts around the U.S.’s 5G infrastructure expansion as misinformation spread widely through social media platforms and was amplified by celebrities and social influencers. The disinformation campaign may have been designed to harm the U.S. government’s plans to expand 5G and to slow down innovation by U.S.-based telecommunications companies, to give Russian companies time to catch up and develop their own 5G technologies.
In this case, disinformation was delivered via news media and misinformation spread through social media platforms, reducing trust in the U.S. government, 5G technology, and U.S. telecommunications companies.
Scoular Co. Loses $17.2 Million to BEC Scam
In 2015, agriculture firm Scoular Co. fell prey to a BEC scam which cost the company $17.2 million. Attackers impersonated the company’s CEO to target the company’s controller, whom they manipulated into believing that the company was buying a Chinese firm. They instructed the controller to get wire details from Scoular’s third-party accounting firm KPMG, even providing the name of a real KPMG employee along with a fake email and phone number. The attackers impersonated the KPMG employee over email and phone in conversations with the controller, who eventually wired the funds to a bank in China.
This was a highly sophisticated scam involving multiple impersonations (disinformation) and targeted social engineering. Scoular had legitimately been considering expanding into China at the time, making the scam seem more realistic. Attackers additionally warned the employee to avoid communicating about the deal outside of the email chain to avoid SEC violations, preventing potential discovery.
In this case, attackers used BEC tactics to spread disinformation regarding an acquisition and manipulate Scoular’s controller into transferring the funds.
Action: Focus on disinformation education and policies, leverage preventative tooling, utilize threat intelligence and detection, and implement effective incident response (IR).
1) Employee education and disinformation policies
The foundation of defenses against disinformation and misinformation starts with education. Develop procedures and awareness training resources that enhance employees’ ability to identify and report potential disinformation and misinformation.
Create disinformation and misinformation policies and playbooks which include coordination between and across security, communications, PR, marketing, and social media teams. Consider establishing a working group or response team focused on disinformation monitoring and response. Foster relationships with government agencies, law enforcement, and industry partners to collaboratively address industry-specific disinformation.
2) Preventative security tooling and authorization practices
Invest in tools like email filtering which enable BEC detection. Use two-party integrity controls which require two authorized users to perform sensitive tasks. These preventative security measures lower the chances of an employee being socially engineered into a harmful action.
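As an added illustration (not from the original post or any vendor's product), the Python below flags BEC warning signs of the kind seen in the Scoular case and enforces a two-person rule before a sensitive task is approved. The company domain, executive name, approver list, phrase patterns, and sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: company domain, executive names, payment approvers.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}
AUTHORIZED = {"controller@example.com", "treasurer@example.com"}

# Phrases typical of BEC pretexts: pressure for secrecy and a payment instruction.
SECRECY = re.compile(r"\b(confidential|do not discuss|keep this between us)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|bank details)\b", re.I)

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_signals(raw):
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    signals = []
    # An executive's display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and domain(sender) != COMPANY_DOMAIN:
        signals.append("executive_name_from_external_domain")
    # Replies silently routed to a different domain than the visible sender.
    if reply_to and domain(reply_to) != domain(sender):
        signals.append("reply_to_domain_mismatch")
    if SECRECY.search(body):
        signals.append("secrecy_request")
    if PAYMENT.search(body):
        signals.append("payment_request")
    return signals

def two_person_ok(requester, approver):
    """Two-person integrity: two distinct authorized users must both sign off."""
    return requester != approver and {requester, approver} <= AUTHORIZED

# Constructed sample message (not real traffic).
SAMPLE = (
    "From: Jane Doe <jane.doe@examp1e-mail.test>\n"
    "Reply-To: deals@other-host.test\n"
    "To: controller@example.com\n"
    "Subject: Acquisition\n"
    "\n"
    "This deal is confidential. Please wire the funds today.\n"
)

if __name__ == "__main__":
    print(bec_signals(SAMPLE))
    print(two_person_ok("controller@example.com", "controller@example.com"))
```

Heuristics like these only raise a message for review; the two-person check is what stops a single manipulated employee from completing the payment alone.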
3) Robust threat intelligence and detection
Utilize advanced technologies to detect and mitigate disinformation and misinformation threats. Constella Identity’s services monitor employee identities and detect ATO and identity theft which may be associated with disinformation campaigns.
“Are the people working remotely who you think they are? Is the customer in the e-commerce transaction who they claim to be? Access control, entitlements management and governance, and secondary verification are all critical to prevent account takeovers, which are increasingly fueled by threats like infostealers and AI-driven synthetic identities.”
Kevin Senator, CEO of Constella Intelligence
4) Response and recovery
Develop strong IR capabilities to prepare for, react to, and recover from disinformation incidents and the spread of misinformation. Surefire Cyber helps companies create, test, and implement IR plans and procedures, offering services designed to address disinformation threats like BEC.