Foreign Information Manipulation and Interference (FIMI)

What is the Foreign Information Manipulation and Interference (FIMI)?

Foreign Information Manipulation and Interference (FIMI) refers to the intentional and coordinated efforts by state or non-state actors to manipulate information environments to achieve political, security, or other strategic objectives. This manipulation can undermine public trust in democratic institutions, increase societal polarization, and disrupt the implementation of EU policies both domestically and internationally.

FIMI includes disinformation, but also encompasses broader manipulative activities that can involve cyber threats and other hybrid tactics. Adversaries use a variety of Tactics, Techniques, and Procedures (TTPs) to carry out FIMI. These often evolve and adapt, combining cyber activities with other forms of hybrid threats to create a multifaceted attack on information environments.

According to the European External Action Service (EEAS) that has taken a leading role in addressing the issue, Foreign Information Manipulation and Interference (FIMI) is a pattern of behaviour that threatens or has the potential to negatively impact values, procedures and political processes. Such activity is manipulative in character, conducted in an intentional and coordinated manner. Actors of such activity can be state or non-state actors, including their proxies inside and outside of their own territory .

The EEAS detected, investigated and encoded 750 cases of detected Foreign Information Manipulation and Interference incidents between 1 December 2022 and 30 November 2023. The number of cases analysed signifies an almost doubling of cases and capacity for detection and analysis compared to the year prior. This is largely due to the commitment to, and implementation of, the common framework and methodology to systematically collect evidence on FIMI activity as outlined in the first threat report, which enabled more targeted detection based on high-risk TTPs and focused OSINT investigations.

FIMI not only targets countries, it is also directed at organisations, groups and individuals. 30% of all cases targeted 149 different organisations 318 times. The organisations most frequently subject to FIMI attacks were the EU (19% of cases targeting organisations, excl. attacks against individual EU institutions), NATO (15%), the armed forces of Ukraine (14%), the UN (3%) as well as various media organisations like Euronews (3%), Reuters (2%), Deutsche Welle (2%) or the New York Times (2%). While public organisations are directly attacked, media organisations and their brand are much more likely to be misused in FIMI attacks through impersonation, in order to lend credibility to manipulated content.

The European External Action Service (EEAS) is the European Union’s diplomatic service. Since 2011, the EEAS carries out the EU’s Common Foreign and Security Policy to promote peace, prosperity, security, and the interests of Europeans across the globe.

Understanding the Foreign Information Manipulation and Interference (FIMI)

According to the 2nd EEAS Report on Foreign Information Manipulation and Interference Threats (January 2024):

Tactics, Techniques, and Procedures TTP(s) are patterns of behaviour used by threat actors to manipulate the information environment with the intention to deceive.

“Tactics” are the operational goals that threat actors are trying to accomplish.

“Techniques” are actions through which they try to accomplish them.

“Procedures” are the specific combination of techniques across multiple tactics (or stages of an attack) that indicate intent and may be unique for different threat actors.

The Structured Threat Information Expression (STIX™) language is a data format used to encode and exchange cyber threat intelligence (CTI). It can also be used to share information on FIMI incidents, by breaking them down into their different constitutive elements.

The Response Framework to FIMI Threats is a systematic way of organising and conceptualising the analysis and response processes to FIMI. It merges two workflows:

- an analytical one providing information on the threat,

- a response one facilitating the decision-making process on countermeasures.

The Response Framework relies on the assessment of potential risks and vulnerabilities extracted from the aggregated knowledge of past investigations. Each organisation should adapt its strategy and organise preventive and reactive activities before, while and after an incident occurs.

The Threat Analysis Cycle provides a core analytical workflow that delivers on the both short- and long-term objective of systematically analysing and disrupting FIMI and disinformation by providing insights for quick and timely responses. The functioning of the Threat Analysis Cycle has been outlined in the 1st EEAS report on FIMI threats.

The Response Cycle provides one core response workflow defining evidence-based countermeasures to FIMI and disinformation. This Cycle is composed of a series of steps outlining the process to make informed decisions based also on the information obtained through the Threat Analysis Cycle.

Kill Chain describes an end-to-end process, or the entire chain of events, that is required to perform a successful attack. Once an attack is understood and deconstructed into discrete phases, it allows defenders to map potential countermeasures against each one of these phases.

The Risk Assessment Matrix measures the level of risk of an incident based on different indicators such as spread, severity, TTPs or potential consequences. The threat level scored by the matrix indicates the level of adequate action needed. Each organisation can design its own matrix based on internal capabilities and needs.

FIMI Toolbox is the Toolbox to counter Foreign Information Manipulation and Interference. The Strategic Compass, adopted in March 2022 by the EU, sets out a plan of action for strengthening the EU’s security and defence policy by 2030. One of the aspects covered in terms of security policy is the development of a Toolbox to counter Foreign Information Manipulation and Interference. The toolbox is a catalogue of instruments, many of which are in constant implementation, to tackle and respond to FIMI operations.

FIMI-ISAC Information Sharing and Analysis Centres (ISAC) are platforms that facilitate sharing of information between different actors about root causes, incidents and threats, as well as sharing experience, knowledge and analysis. Specifically, the FIMI-ISAC promotes the use of standardised frameworks, taxonomies, and data standards, enabling members to build upon shared threat models and information to better address emerging threats.


In recent years, the European Union has established many instruments that enable Institutions and Member States to address FIMI, while fully respecting fundamental rights and freedoms. The FIMI Toolbox outlines different areas and instruments that together constitute a robust and comprehensive framework for tackling FIMI.

The toolbox includes short-, medium- and long-term measures – from prevention to reaction – and it is a dynamic system in order to account for the constant evolution of the threat. Existing instruments can be complemented, where appropriate, by new instruments.

The Figure above should not be regarded as an exhaustive list of instruments, but aims to give an overview over the diversity of them across the four different areas. The FIMI Toolbox should also be seen as complementary to other Toolboxes, in particular the EU’s Hybrid Toolbox.

Cooperation across the domains is crucial to use them to their full potential. Moreover, in order to tackle FIMI, it is essential to cooperate with other players in the defender community – following the “whole-of-society” approach.

The instruments can be grouped into four dimensions:

1. Situational Awareness: A thorough understanding of the threat is a key prerequisite, to inform which responses and which responder are most appropriate.

2. Resilience Building: Examples include strategic communications, the cooperation in the EU’s Rapid Alert System or efforts to inform and raise awareness, which are ongoing on a permanent basis.

3. Disruption and Regulation: Efforts to further trust, transparency and safety in the information environment, such as the Digital Services Act, are permanent instruments that shape the environment in which responses to FIMI are taken.

4. Measures related to EU external action, including P Common Foreign and Security Policy (CFSP) and diplomatic responses: This dimension opens up instruments in the area of foreign and security policy, such as international cooperation, the G7 Rapid Response Mechanism or the sanctions on Kremlin-controlled outlets like RT and Sputnik.

Threat actors, from the 1st EEAS Report on Foreign Information Manipulation and Interference Threats (February 2023)

What does a threat actor want to achieve with their FIMI activity? To identify potential patterns, we assigned presumed objectives to FIMI incidents. By attaching a presumed objective to each of the 100 incidents we are able to assess if and how threat actors tailor their manipulation techniques according to what motivates their activity. The presumed objective may be identified based on the analysis of the observables and the TTPs, as well as the promoted content.

For this, the 5D (Dismiss, Distort, Distract, Dismay, Divide) classification was used.

■ Dismiss: to push back against criticism, deny allegations and denigrate the source;

■ Distort: to change the framing and twist and change the narrative;

■ Distract: to turn attention to a different actor or narrative or to shift the blame;

■ Dismay: to threaten and scare off opponents;

■ Divide: to create conflict and widen divisions within or between communities and groups.

When it comes to the most frequently used Tactics, Techniques, and Procedures (TTPs), threat actors pay special attention to the production and fabrication of content. The development of image-based and video based content were the two most recurrent techniques employed. Moreover, the use of formal diplomatic channels to distribute content was the most used technique to deliver content to online audiences. In order to maximize the exposure of the operations, the amplification of the content happened through cross-posting across groups and platforms to propagate the content to new communities within the target audiences or to new target audiences.

The Foreign Information Manipulation and Interference in the USA

According to the US Department of State, foreign information manipulation and interference is a national security threat to the United States as well as to its allies and partners. In January 2024, the U.S. Department of State announced an important new tool for addressing this problem: The Framework to Counter Foreign State Information Manipulation. This Framework seeks to develop a common understanding of this threat and establish a common set of action areas from which the United States, with its allies and partners, can develop coordinated responses to foreign information manipulation and protect free and open societies.

Authoritarian governments use information manipulation to shred the fabric of free and democratic societies. They manipulate social discourse, skew national and international debates on subjects of critical importance, and undermine democratic institutions. This transnational threat requires a coordinated international response.

The Framework serves as a tool for diplomatic engagement on the threat of foreign information manipulation. It will deepen cooperation between like-minded partners, establish a common operating picture, and support the development of resilient, fact-based information ecosystems. The Framework is based on five Key Action Areas:

(1) national strategies and policies;

(2) governance structures and institutions;

(3) human and technical capacity;

(4) civil society, independent media, and academia; and

(5) multilateral engagement.

1. National Strategies and Policies:

- Effectively addressing foreign state information manipulation requires countries to go beyond “monitor-and-report” approaches, to include developing and implementing strategies to counter this threat.

- These policies should ensure safeguards for freedom of expression, protection for marginalized groups, transparency in media ownership, and a commitment to protect elections from foreign malign influence.

2. Governance Structures and Institutions:

- Marshaling and administering a national-level approach to countering foreign state information manipulation requires designated governance structures and institutions within governments.

- The ability to organize dedicated government institutions to lead and coordinate national efforts, international engagement, and fact-based digital communication on foreign information manipulation is key to this effort.

3. Human and Technical Capacity:

- Effectively countering foreign state information manipulation requires technical means and human capacity to maintain threat awareness.

- Building effective capacity includes investing in digital security tools that can detect foreign state information manipulation and ensuring interoperability between government partners working to counter this threat.

4. Civil Society, Independent Media, and Academia:

- Civil society, independent media, and academia can play essential roles in informing and supporting government-led initiatives to counter foreign state information manipulation.

- Countering foreign state information manipulation is best done when governments protect and support the role of independent media, promote independent fact checking and media and digital literacy, and welcome public advocacy on the issue.

5. Multilateral Engagement:

- Multilateral organizations that leverage international cooperation to counter and build resilience against foreign state information manipulation are indispensable to alleviating information and capability shortfalls across partner nations.

The Way Forward:

A broad coalition of like-minded partners is key to successfully countering foreign information manipulation, as each country brings different strengths, capacities, and resources to offer.

The United States calls on partner countries committed to promoting open and fact-based information environments, free from foreign information manipulation, to endorse the Key Action Areas included in the Framework and to begin working towards a coordinated approach to this transnational threat.

By committing to these five Key Action Areas, the United States with its partners and allies can begin working bilaterally and multilaterally to build societal resiliency to foreign disinformation.

No borders

Foreign information manipulation and interference knows no borders and is not just a threat for one country, but for the international community and the international, rules-based order.

As shown during the COVID-19 pandemic, foreign actors have tried to exploit citizens’ fears around the world to confuse the public and discredit efforts in democratic countries to curb the spread of the virus and attempted to portray authoritarian regimes as better equipped to deal with such a crisis, thus trying to undermine democracy as such. The political and security challenge of FIMI needs to be addressed both at the regional, national, and international level.

A whole-of-society approach is important to leverage the different capabilities and competences that lay with governments, civil society and private industry. International partners may have valuable experience in regional areas where the EU wants to increase its work on tackling FIMI; an awareness of ongoing initiatives by international partners in regions where the EU engages in is also of utmost importance to avoid duplication and – where possible – streamline efforts and cooperate. Therefore, only if the EU brings together all these stakeholders in a meaningful way can it tackle the threat in a comprehensive and effective manner.

Defending our societies against FIMI means safeguarding the common public space in which ideas can be freely debated and formed.

Cyber Risk GmbH, some of our clients