Hybrid Attack Signals – Typology

Purpose:
To categorize and describe the main types of hybrid attack signals we aim to monitor as part of the Hybrid Attack Panel (HAP). This typology guides feed selection, analysis, and response prioritization.

Signal Category	Description	Examples of Sources / Indicators
DNS Registration Anomalies	Suspicious domain registrations or changes linked to disinformation or cyber operations	Newly registered domains matching threat actor patterns, sudden bulk changes, phishing domains
Infrastructure Sabotage Reports	Physical or cyber disruptions to critical infrastructure (energy, transportation, communications)	OSINT reports of rail disruptions, power outages, telecom interference
Military/Civilian Overlap Incidents	Events where military or paramilitary actors interact with civilian systems or populations in ambiguous ways	Border incidents, no-claim airspace violations, proxy militia activity
Psychological/Information Operations	Coordinated campaigns aimed at influencing public opinion or disrupting social cohesion	Social media bot activity, misinformation spikes, fake news reports
Maritime and Airspace Violations	Unauthorized presence or maneuvers in contested maritime zones or airspace	Satellite imagery, maritime AIS anomalies, restricted airspace breaches
Electoral Process Interference	Attempts to disrupt or manipulate elections via cyber, misinformation, or coercion	Vote hacking reports, fake voter registration campaigns, election-day misinformation
AI-Generated Forgeries and Deepfakes	Use of synthetic media for deception, impersonation, or sowing confusion	Deepfake videos, AI-synthesized voice recordings, fake news bots

Note: This typology is evolving and may be refined as more signals emerge or existing ones change.

Category:[[Tools]]

Hybrid Attack Signals – Typology

Possible new candidate signal categories: