Building a common operational picture of FIMI

Building a common operational picture of FIMI

Using IMS to strengthen technical attribution and disruption

Four years on from Russia’s full-scale invasion of Ukraine and the associated surge in disinformation and Foreign Information Manipulation and Interference (FIMI) efforts across Europe, the counter-disinformation field is facing mounting challenges. The rapid growth in incident monitoring has created confusion about how different operations relate to each other, resulting in duplicate reporting and inflated perceptions of scale. This obscures the strategic picture and dilutes accountability across producers, intermediaries, and enablers.

A fragmented response landscape – with no shared approach among public and private stakeholders – leads to ad hoc measures that are easily bypassed. Rather than focusing solely on isolated incidents, a ‘supply chain’ perspective is needed to identify vulnerabilities and strengthen disruption strategies. This report, based on EU DisinfoLab’s experience facilitating a working group, introduces the Information Manipulation Sets (IMS) framework as a practical way to enhance attribution standards and bolster countermeasures.

This document reflects the contributions of the participating organisations and is endorsed by EU DisinfoLab, CheckFirst, Viginum, Cassini, the Auswärtiges Amt, the European External Action Service (EEAS) and the DFR Lab, without implying that every position expressed necessarily reflects their full respective institutional positions. We would also like to acknowledge the contribution of Dr. Maxime Audinet, (Inalco, Irsem).

The IMS model, developed by France’s VIGINUM and agreed upon with the European External Action Service, defines an IMS as a set of adversarial behaviours, tools, and tactics likely linked to the same threat actor. These sets bridge the gap between individual incidents and full campaign attribution, enabling analysis at three levels: tactical (incident-level data), operational (narratives and infrastructure), and strategic (linking to threat actors and intent).

Using IMSs helps analysts move beyond repetitive incident tracking, revealing the operational ecosystems behind them. It allows for better attribution thresholds, mapping of enabling infrastructure, and clearer distinctions between different types of operations – even when led by the same threat actor. For instance, several IMSs (Doppelganger, Media Brands/RRN, and Undercut) are all operated by Russia’s SDA but differ in tactics, channels, and focus.

The working group applied the IMS framework to Russian operations targeting European audiences. It identified five key IMSs – Doppelganger, Media Brands/RRN, Undercut, Storm-1516, and Overload – each with unique methods, infrastructures, and goals. This exercise revealed the decentralised yet state-linked nature of Russian disinformation, supported by overlapping contractor ecosystems including SDA, the former Prigozhin network, and ideological actors such as Dugin-affiliated groups.

One focus was on assessing the effectiveness of EU sanctions through the IMS lens. While sanctions exist on paper, enforcement is patchy. Individuals often remain unaffected, and entities like SDA continue to access EU-based services, despite asset freezes. Barriers include lack of notification, use of proxies, fragmented enforcement, and limited platform transparency.

The report puts forward recommendations to close these gaps:

• Strengthen and sustain IMS data collection, and improve coordination between platforms, researchers, and public bodies.
• Introduce IMS tagging in takedown databases to support cross-platform monitoring.
• Enhance transparency on how IMSs function within platforms.
• Improve the EU’s sanctions regime by developing a robust evidence pipeline, coordinating enforcement monitoring, and targeting the operational structures that support disinformation networks.

Ultimately, the IMS framework provides a structured, practical way to improve collective attribution and design more effective countermeasures. Continued cooperation across sectors will be essential to translate these insights into meaningful disruption of FIMI threats.

While this publication aims to raise awareness within the counter-disinformation community, we believe that deeper cooperation would significantly improve the effectiveness of countermeasures. The working group remains open to engaging with vetted and reputable stakeholders whose mandates and expertise align with this work, and who can provide:

• additional visualisations showing the location of entities and online intermediaries
• technical documentation on IMSs, including infrastructure data, attribution thresholds, and methodologies for attributing incidents and campaigns to IMSs

If you’d like to request access to additional supporting material linked to this report, please fill out the form below. Access is limited to professionals working in the field, and requests must be submitted using a professional email address. Please note that access is not granted automatically.