Before we dive into the mechanics of these attacks, we recommend watching our deep-dive webinar - Hybrid Warfare Reloaded: Russian Info Ops Against the West and NATO. If you are looking for automated defense capabilities, take a look at our solution - Fighting FIMI with Osavul.
When we talk about modern conflict, the line between a technical hack and a psychological operation has practically vanished. In the past, a data breach was usually a financial crime - someone stole credit card numbers or trade secrets to sell them. Today, a data breach is often just the opening move in a much larger chess game. This is the world of hybrid information operations.
At Osavul, we constantly analyze how threat actors combine kinetic actions, cyber intrusions, and narrative manipulation. One pattern stands out distinctly: the use of stolen, confidential data as the fuel for disinformation. It’s a strategy where the "hack" is merely the supply chain for the "leak."
To understand how to defend against this, we have to look at the anatomy of these attacks. We need to answer the questions that security professionals and policymakers are asking right now.
What Are Hybrid Information Operations?

Hybrid information operations are coordinated campaigns that blend distinct methods - usually cyber attacks and influence operations - to achieve a political or psychological effect. Unlike a standard propaganda campaign that relies on making things up from scratch, a hybrid operation often relies on a kernel of truth obtained illegally.
The effectiveness of hybrid information operations lies in their ability to bypass our natural skepticism. If a bot farm on X (formerly Twitter) claims a politician is corrupt, we might ignore it. But if that same bot farm is amplifying a PDF document that looks like an official internal email stolen from that politician’s server, the claim suddenly carries weight. The unauthorized access (the cyber part) lends credibility to the narrative (the info part).
This convergence creates a problem that traditional security teams struggle to handle. The IT department fixes the server, but they can't "patch" the reputation damage caused by the leak.
How Do Cyber Security Operations Feed Disinformation?
The connection between technical hacking and information warfare is sequential. We often see cyber security operations - specifically offensive ones - conducted months before the public ever sees a headline.
Think of it as a three-stage pipeline:
- Acquisition (The Cyber Phase): Attackers compromise email servers, cloud storage, or messaging apps. They aren't looking for bank accounts; they are looking for "kompromat" (compromising material) or mundane documents that can be taken out of context.
- Curation and Modification: This is where the cyberops team hands off data to the information specialists. Analysts sift through gigabytes of stolen data. They select emails that, when read in isolation, look suspicious. Sometimes, they subtly alter a real document - changing a date or a dollar amount - knowing that the victim will be forced to verify the document's general authenticity, which inadvertently validates the fake parts too.
- Dissemination (The InfoOps Phase): The data is released. It might be dumped on an "activist" website, sent to journalists, or slowly leaked via anonymous social media accounts.
This structure allows hostile actors to build entire strategies around a single breach. The stolen data becomes the anchor for weeks or months of hybrid information operations.
Why Is the "Hack-and-Leak" Model So Dangerous?
The primary danger is the "validity trap." When cyber security operations result in a leak, the public discussion shifts from "Is this true?" to "What does this reveal?"
We have seen this play out in elections across the US and Europe. A threat actor hacks a campaign manager’s email. They release thousands of boring, legitimate emails mixed with five or six sensationalized ones. The media, driven by the public interest in the stolen data, covers the content of the leak. By the time forensics experts confirm that the data was obtained via foreign cyberops, the narrative damage is already done.
This method weaponizes transparency. It forces the victim into a defensive posture where they are arguing about the nuance of an internal email rather than their public policy. It is a highly efficient way to destabilize an opponent without firing a shot.
How Does "CyberOps" Fit Into the Bigger Picture?

In the intelligence community, we often use the term cyberops to describe the technical side of these intrusions. However, in a hybrid context, these operations are not distinct from the psychological goals.
For example, a cyberops team might deface a government website. The technical impact is low - the site can be restored from a backup in minutes. But the information impact is high. Screenshots of the defaced site circulate on Telegram channels as proof of the government's incompetence or weakness. The hack wasn't meant to destroy data; it was meant to generate content for the influence campaign.
This intersection is sometimes referred to in niche circles as the cyberops-infosec nexus, where the security of the infrastructure directly dictates the security of the narrative. If you can't protect your data, you can't protect your story.
What Is the Strategy Behind These Campaigns?
The strategy is almost always about eroding trust. Hybrid information operations do not necessarily need to convince you to love a specific leader or hate a specific country. They just need to convince you that nothing is true and no one is secure.
By repeatedly conducting cyber security operations that result in leaks, threat actors create a sense of inevitability. They want the public to feel that their institutions are porous and leaking like a sieve.
We see this strategy built on three pillars:
- Timing. Leaks are timed to coincide with sensitive political moments, like elections or summits.
- Mixing. Real, stolen data is mixed with total fabrications. The real data acts as a shield for the fake data.
- Amplification. Networks of bots and trolls ensure the leaked material trends on social media before fact-checkers can assess it.
How Do We Defend Against Hybrid InfoOps?
Defending against hybrid infoOps requires a cultural shift. We cannot treat information security and reputation management as separate silos anymore.
Organizations need to understand that their data is not just an asset; it is a potential weapon that can be used against them. Securing email servers is not just about compliance; it is about denying the adversary the ammunition they need for their next propaganda push.
This is why hybrid infoOps are so difficult to counter. You can have perfect firewalls and still lose the information war if an employee falls for a phishing email and their messages are spun into a scandal.
We have found the NATO resource on this topic particularly helpful for understanding the doctrine behind these attacks. You can read more about their perspective here. They outline how hybrid information operations sit alongside economic pressure and military posturing.
What is the Future of Cyber Security Operations?
As we move forward, cyber security operations will become even more integrated with AI and automated generation. We are already seeing the early signs of AI being used to write fake emails that mimic the style of stolen ones, making the "mix" of real and fake even harder to detect.
The defenders - us - need to be faster. We need to identify not just the malware on the network, but the narrative on the social web. When a breach happens, the response plan must include an information strategy. If data was stolen, assume it will be leaked. Assume it will be altered. And prepare the public before the dump happens.
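One way to prepare for an altered dump, shown as an added example (not Osavul's code or tooling): hash the originals preserved during incident response, then triage each leaked document as an exact copy, an edited copy with the changed tokens listed, or something with no original behind it. It assumes the victim still holds the authentic documents; the function names, the 0.8 similarity threshold and the sample messages are constructed for illustration.

```python
import difflib
import hashlib
import re

def normalize(text):
    """Collapse whitespace so re-wrapping or PDF-to-text conversion does not change the hash."""
    return re.sub(r"\s+", " ", text).strip()

def digest(text):
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()

def build_manifest(originals):
    """Map SHA-256 of each normalized original to (doc_id, normalized text)."""
    return {digest(body): (doc_id, normalize(body)) for doc_id, body in originals.items()}

def triage(leaked, manifest, threshold=0.8):
    """Classify one leaked document against the preserved originals."""
    norm = normalize(leaked)
    hit = manifest.get(digest(leaked))
    if hit:
        return {"verdict": "authentic", "source": hit[0], "changes": []}
    # No exact match: find the closest original by word-level similarity.
    best_id, best_text, best_ratio = None, "", 0.0
    for doc_id, text in manifest.values():
        ratio = difflib.SequenceMatcher(None, text.split(), norm.split()).ratio()
        if ratio > best_ratio:
            best_id, best_text, best_ratio = doc_id, text, ratio
    if best_ratio < threshold:
        return {"verdict": "no_original_found", "source": None, "changes": []}
    a, b = best_text.split(), norm.split()
    ops = difflib.SequenceMatcher(None, a, b).get_opcodes()
    changes = [(" ".join(a[i1:i2]), " ".join(b[j1:j2]))
               for tag, i1, i2, j1, j2 in ops if tag != "equal"]
    return {"verdict": "altered", "source": best_id, "changes": changes}

# Constructed sample data (not from any real incident).
ORIGINALS = {
    "msg-001": "Hi Dana,\nthe vendor invoice for $12,000 is approved. Payment goes out on 2024-03-04.\nRegards, Sam",
    "msg-002": "Team, the offsite is moved to Thursday. Please update your calendars.",
}
MANIFEST = build_manifest(ORIGINALS)
LEAK_SAME = "Hi Dana, the vendor invoice for $12,000 is approved.  Payment goes out on 2024-03-04. Regards, Sam"
LEAK_EDITED = ORIGINALS["msg-001"].replace("$12,000", "$120,000")
LEAK_FAKE = "Sam, wire the rest to the offshore account tonight and delete this thread."

if __name__ == "__main__":
    for name, doc in [("same", LEAK_SAME), ("edited", LEAK_EDITED), ("fake", LEAK_FAKE)]:
        print(name, triage(doc, MANIFEST))
```

Being able to say "this email is real, but the amount was changed from X to Y" lets the comms team confirm the authentic parts without validating the edited ones.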
Conclusion
The era of the isolated hack is over. Today, every stolen byte of data is potential leverage. Hybrid information operations thrive on the gap between our technical defenses and our cognitive defenses. They exploit our trust in "leaked documents" to manipulate public perception.
To fight this, we need to bridge the gap between the SOC (Security Operations Center) and the comms team. We need to recognize that hybrid infoOps are not just a technical nuisance; they are a strategic threat that uses our own digital footprint against us.
At Osavul, we are building the tools to track these narratives and identify the coordinated behavior that signals a hybrid attack. Because in this new landscape, knowing you've been hacked is only half the battle. Knowing how that hack will be used to lie to the world - that is where the real defense begins.









