SecTor 2025: How Info Warfare Threatens Organizations

At SecTor 2025 in Toronto this week, NATO’s former Head of Digital Insights Franky Saegerman detailed how state-sponsored actors are weaponizing automated networks and poisoning AI to target governments, leaders, brands, and critical infrastructure. 

SecTor is Black Hat’s Canadian stop. The conference takes place from September 30 to October 2 at the Metro Toronto Convention Centre, anchoring Canada’s largest security week, and it blends hands-on research with policy sessions that tie cybersecurity to geopolitics. This year’s event featured panel discussions, demonstrations of cyber tools, and briefings from experts, including Saegerman, who debriefed the audience of CISOs, security practitioners, technologists, and business leaders on the role of foreign information manipulation and interference (FIMI) in cyberattacks.

Saegerman brings three decades of NATO experience to the frontlines of information warfare analysis. Over his 30-year career with the Alliance, he has held pivotal roles, including Head of Social Media, Head of Digital Insights, and, most recently, Information Environment Analyst. This unique trajectory gave him a comprehensive understanding of the information ecosystem, encompassing the creation and dissemination of NATO’s messaging, as well as the detection and analysis of adversarial disinformation campaigns targeting the organization and its member states. His research focuses on FIMI operations, particularly those orchestrated by Russia and China. He is a leading voice on how these campaigns evolve from digital narratives into hybrid threats with real-world consequences. 

FIMI, argued Saegerman, represents a fundamental evolution of disinformation campaigns. Where traditional bad actors spread false information, FIMI operators deploy sophisticated, multi-vector campaigns that are mostly legal, deliberately patterned, and designed to manipulate how entire populations process information.

“Not all disinformation is FIMI, and FIMI is not only disinformation,” Saegerman emphasizes. These operations employ seven recurring patterns identified through NATO’s analysis: exploiting societal divisions, creating compelling lies wrapped in truth, concealing attribution through layers of proxies, leveraging authentic voices as “useful idiots,” and playing decade-long strategic games rather than chasing news cycles.

Caption: Former NATO analyst Franky Saegerman briefs about the impact of FIMI on traditional cyberattacks at SecTor 2025

The FIMI Threat Landscape

Foreign Information Manipulation and Interference (FIMI) has been ranked as the World Economic Forum’s top global risk for 2025, projected to remain among the top five threats for the next decade. This reflects the systematic way state actors like Russia and China have weaponized information to undermine democratic processes, erode institutional trust, and exploit societal divisions.

Recent NATO research, led by Saegerman, reveals a disturbing pattern: these operations follow a consistent playbook that spans from digital manipulation to physical-world consequences.

The Narrative Manipulation Playbook: A Proven Pattern

The recurring tactics follow five key steps:

1. Identify exploitable divisions – Whether based on religion, race, or political persuasion, adversaries map fault lines in target societies.

2. Create “the big lie” – Often containing a kernel of truth to enhance credibility. Example: Claims that Zelenskyy’s wife bought jewelry in Paris with Ukrainian aid money. The truth? They were in Paris. The lie? No jewelry was purchased.

3. Conceal attribution – Deploy networks of fake accounts, bots, and proxy sites rather than official state media channels.

4. Find useful idiots – Wait for organic amplification by unsuspecting users who broadcast the message to their networks.

5. Deny, distract, manipulate – When confronted, launch counter-narratives or flood the zone with alternative explanations.

Examples: The Infrastructure of Deception

Modern FIMI operations operate through sophisticated technical infrastructure:

Pink Slime Websites

Often, FIMI relies on the dissemination of misleading news sites masquerading as legitimate information outlets. For example, sites Saegerman labels as phony news sites, such as “Miami Chronicle,” “Boston Times,” and “DC Weekly,” now outnumber legitimate local news outlets in specific markets. These domains—often registered years in advance—rank high in search engine results and establish credibility over time, only to be weaponized during critical moments.

Operation Doppelganger

The Way Forward – Takeaways for Organization Leaders

To help leaders and organizations counter FIMI, Saegerman proposes a three-part response framework:

Awareness: Education must start early. Finland has integrated media literacy and disinformation detection into school curricula, preparing the next generation to think critically about information sources.

Behavior: Individual responsibility matters. Before sharing content, verify it appears in multiple legitimate outlets. Being first to share is less important than being accurate and truthful.

Counter: This requires multi-stakeholder action:

• Platform accountability for advertising revenue from disinformation sources
• Stricter domain registration requirements to prevent spoofed URLs
• Strategic exposure of operations (though this can trigger counterproductive debates)
• Regulatory intervention, such as the EU’s blocking of RT News and other state-controlled outlets

Playing The Long Game

The most critical insight is that adversaries think in decades, not election cycles. These operations aim to fundamentally reshape perceptions, behaviors, and democratic institutions over the course of multiple generations.

Saegerman’s SecTor briefing underscores a reality most organizations are still slow to accept: FIMI operations are already targeting them, and detection depends on recognizing patterns that blend technical sophistication with human psychology. The adversaries refining these techniques have decades of experience and now deploy AI systems that can operate faster and at a greater scale than any human security team. Organizations that build resilience do so by treating information integrity as a security function that extends beyond CISOs and technical teams to every employee who processes and shares information. 

• To receive a complimentary copy of The Forrester External Threat Intelligence Landscape 2025 Report, visit here.
• To learn more about how Blackbird.AI can help you in these situations, book a demo.