A new form of cyberattack that experts say could be as damaging as ransomware is emerging: Narrative attacks that spread falsehoods undermine confidence in organizations. In a recent interview, cybersecurity leaders Wasim Khaled of Blackbird.AI and Mark Turnage of DarkOwl discussed the benefits of the companies partnering together to enable organizations to identify narrative attacks across the dark web and warned that these narrative attacks work hand-in-hand with cyberattacks to sow chaos.

Khaled and Turnage explained how threat actors now exploit the power of technology, AI, and social media to fabricate evidence and distribute convincing fake narratives quickly. This allows them to strategically time disinformation campaigns to amplify the impact of actual cyber breaches. Companies must monitor online conversations and build trust through transparency to inoculate stakeholders. Protecting systems is no longer enough - in the digital age, securing perception itself is a new imperative for cybersecurity.

In recent years, ransomware-as-a-service emerged as one of the most common cyberattacks. How are narrative attacks related to and often powered by ransomware attacks?

WASIM KHALED, co-founder and CEO of Blackbird.AI: Both ransomware and narrative attacks undermine societal trust and destabilize institutions, albeit through different means. Ransomware attacks compromise the integrity and availability of critical data, shaking faith in institutional safeguards and potentially causing chaos, especially when targeting critical infrastructure or public services. Concurrently, disinformation campaigns manipulate public perception, sow discord, and delegitimize authorities. The synergy between these two forms of cyber warfare becomes particularly potent when ransomware attacks are used to either distract from or amplify disinformation efforts. For instance, a ransomware attack on an organization could conveniently take down its systems just as a disinformation campaign is launched, stifling the voice of a credible counter-narrative. In this way, ransomware can serve as a powerful enabler for narrative warfare, strategically timed and targeted to maximize damage and confusion.

MARK TURNAGE, co-founder and CEO of DarkOwl: RaaS gangs are an ever-evolving and elusive threat, deploying increasingly sophisticated malware in tandem with advanced deception methodologies to evade detection and maintain persistent access to victim networks and compromised devices. We see actors pursuing “target rich, cyber poor” industries that will make them money by selling data, exploiting the victims they target, the partners and third-party services linked to them, and infiltrating supply chains. And with the use of AI growing, the attack surface is more extensive than ever.

Is there a risk of an insider threat of narrative attacks?

WASIM: Insider threats are a risk for narrative attacks if disgruntled employees spread malicious rumors or leverage inside information. These threats to an organization's intellectual capital, know-how, trade secrets, or patented methods are at risk from insider threats that could be shared and observable through conversational data online. It is critical to know what harmful narratives are being discussed across the internet and the impact they could have on company employees who are at risk. 

MARK: We see unhappy employees rant in darknet chat rooms and forums. This could be about their working conditions, abusive bosses, or anything that makes them disgruntled. That in itself isn’t necessarily a cybersecurity risk. However, ransomware threat actors often solicit insider threats to shorten the cyber-attack lifecycle by using employees with direct access to company IT resources instead of brute forcing network credentials or exploiting vulnerable network devices. DarkOwl has uncovered instances where an employee has leaked specific team member names and information. With this information, the company can launch an internal investigation to mitigate the risk to the organization.

How can companies inoculate stakeholders against narrative attacks and disinformation?

WASIM: Companies can inoculate stakeholders against narrative attacks by quickly correcting misleading claims, being transparent, securing systems, and building trust through ethical actions. Ongoing communication and education help identify disinformation.

MARK: Agree. We all know corporate brand recognition, reputation, and public perceptions are paramount in establishing market share and sustaining fiscal certainty in uncertain economic conditions.

How are narrative attacks linked to cyberattacks?

WASIM: In today's world of advanced AI and social media, misinformation can be as damaging as a traditional cyberattack. Consider two scenarios: your organization suffers a real cyberattack, which you contain before it becomes public knowledge. Though unfortunate, you can recover. Now imagine there is no attack, but false narratives spread that you have been hacked. This “imaginary cyberattack” could destroy trust in your brand. With current tech, bad actors can fabricate convincing fake evidence and distribute it quickly. We aim to combat this dangerous misuse of AI. Ultimately, organizations must now guard against both actual and simulated threats.

MARK: I would just like to mention defacement attacks, I think it ties in nicely here. Defacement attacks involve the unauthorized modification or vandalism of a website or web application and usually result in the alteration of the website’s content, appearance, or functionality by attackers with malicious intent. The primary goals of defacement attacks are generally to deface the targeted website, display a message or image, and often to spread a message or agenda, drawing attention to the attacker’s cause or skills. Like narrative attacks, defacement attacks don’t usually involve data theft or damage to the website’s infrastructure. So, like a narrative attack, it is not what we typically think of as a traditional “cyberattack,” but it can be very damaging. They can have a significant impact on the website’s reputation and the trust of its visitors, as well as voicing messaging that the corporation would not usually publicize or approve.

Can you explain the ‘narrative intelligence gap’ and how bad actors exploit it?

WASIM: In our digitally connected world, narratives are powerful. Malicious actors exploit this by spreading misinformation to manipulate public perception, stir dissatisfaction, impact stock prices, and provoke cyberattacks. Traditional cybersecurity has focused on gathering threat intelligence and securing networks and data. But today's CISOs need more visibility into the harmful narratives propagating across the internet's underbelly - dark web forums, messaging apps, social platforms, and news sites. To fully protect an organization, cybersecurity must evolve to detect and counteract false narratives before they go viral. Securing systems is insufficient; we must ensure trust in the digital age.

MARK: This is why monitoring the darknet and darknet adjacent platforms is so important. Corporations and their key leadership are regularly targeted and mentioned in the darknet – across marketplaces, discussion forums, and transient paste sites. Many times, the references are specific to a cyber campaign to target the company. In contrast, others are perfectly matched counterfeited goods marketed by underground counterfeiters and resold on darknet decentralized marketplaces. Having insight into what threat actors are saying about your company or planning against your company can help prevent reputational damage that could occur from a false narrative or cyberattack down the road.

The interview continues on the DarkOwl blog.

To learn more about how Blackbird.AI can help in these situations, contact us here.

About Blackbird.AI
Blackbird.AI helps organizations detect and respond to threats that cause reputational and financial harm. Powered by their AI-Driven Narrative & Risk Intelligence Constellation Platform, organizations can proactively understand risks and threats to their reputation in real-time. Blackbird.AI was founded by a team of experts from artificial intelligence, and national security, with a mission to defend authenticity and fight narrative manipulation. Recognized by Forrester as a "Top Threat Intelligence Company," Blackbird.AI's technology is used by many of the world's largest organizations for strategic decision making


While all these recommendations seem to be sound, the likelihood that these measures can be agreed upon and implemented are becoming increasingly less likely in the U.S. and around the world. In fact, we have been moving in the opposite direction. Platforms have begun to roll back access for research communities, decrease moderation around misinformation, or strike down moderation altogether in the name of freedom of expression. The very notion of banning a popular platform in the U.S. would have seemed unthinkable a few short years ago, with organizations like the ACLU strongly voicing that a ban on TikTok would violate the First Amendment.

- asdf