Methodology
The Authoritarian Interference Tracker and Its Data
The Authoritarian Interference Tracker (AIT) monitors incidents of hybrid threats carried out by state-sponsored actors from Russia, China, and Iran. We define state-sponsored actors as: a person, group, or entity that conducts coordinated activity on behalf of, under the direction of, or in material alignment with the Russian, Chinese, or Iranian governments.
The AIT catalogs incidents according to five incident types — cyber operations, kinetic operations, information operations, malign finance, and political and civic subversion — that state-sponsored actors use as asymmetric tools of state power and influence to interfere in a target country's democratic institutions, processes, and societies. Each incident includes a list of tactics, techniques, and procedures (TTPs) that further delineate how threat actors conduct interference operations. In some incidents, threat actors deploy multiple tactics and/or target multiple countries, highlighting how these threat actors use various tactics simultaneously and against multiple targets.
The AIT monitors incidents targeting countries within the transatlantic community, which we define as: members of the European Union, NATO, the European Free Trade Association, EU candidate countries, and countries that have officially signaled intent to apply for EU membership. This final category adds Kosovo and Armenia to our dataset. The AIT tracks interference campaigns affecting these countries since February 2014, when Russia illegally annexed Crimea. Although several countries faced hybrid threats before Russia's annexation of Crimea, we recognize this as a key inflection point in Western recognition of the phenomenon. Since 2014, foreign information manipulation and interference (FIMI) and hybrid threats targeting democracies have also become more commonplace, as has open-source reporting of such activity by governments and media sources.
Despite being a significant target of hybrid threats, Ukraine is not included in our dataset. We acknowledge that Ukraine has been ground zero for hybrid activity since before Russia's full-scale invasion in 2022. However, the current kinetic war makes it exceedingly difficult to accurately document every hybrid incident within the country. We have therefore decided, for the time being, to exclude Ukraine from our dataset.
We remain engaged in expanding our data to include other threat actors and target countries. Specifically, we aim to soon begin tracking all members of the Five Eyes intelligence alliance, adding Australia and New Zealand.
This dataset, while comprehensive, is not an exhaustive list of examples of hybrid threats in the target countries, but functions as a catalogue of incidents from which to draw conclusions, highlight vulnerabilities in target countries, and surface leads for further investigation. We also acknowledge that more countries engage in foreign interference than the threat actors we track and that targeted countries have different perceptions of which countries constitute purveyors of hybrid threats. Furthermore, due to the covert or plausibly deniable nature of many types of hybrid operations, identifying clear and direct attribution is often difficult. Consequently, the AIT is limited to incidents that are publicly reported and credibly attributed to the governments of Russia, China, and Iran and their proxies. Credible public attribution includes trusted governments, multilateral organizations, research institutes, private companies, or news outlets that have named Russia, China, or Iran as responsible or likely responsible for an incident. We also acknowledge that many incidents, namely cyber operations and information operations, happen every day and remain unreported. Because we rely on trusted sources to identify when these attacks occur, there are almost certainly incidents that we have missed or that we are unable to include. We require at least two sources of attribution to include an incident in the AIT.
Incident Types
An article enters the catalog as a candidate incident only when it clears three thresholds, applied first by the AI classifier and then re-checked at editorial review:
- Attribution. The reporting credibly attributes the activity to the Russian, Chinese, or Iranian state, an agency of one of those states, or a proxy acting under the direction of or in material alignment with one of them. We require at least two independent sources of attribution to publish.
- Target. The activity targets a country in the transatlantic community as defined above.
- Type fit. The activity falls within one of the five incident types described below, and was deliberately in service of undermining a target country's democratic institutions, processes, or society — not incidental or purely criminal conduct that happens to involve a state actor.
These thresholds are reviewed and updated periodically as the threat landscape and the TTP vocabulary evolve. Borderline cases — especially espionage and ordinary cybercrime — are routed to editorial review and may be rejected as out of scope.
Cyber Operations
The probing or penetration of computer networks or connected systems and devices to disrupt, manipulate, or damage critical infrastructure or to erode confidence in democratic institutions or processes.
Examples: Russia-backed hackers taking down websites related to government institutions, political candidates, or election procedures; and Iran's Islamic Revolutionary Guard Corps breaching and gaining control of a remote water station at a facility in Pennsylvania.
Kinetic Operations
The deliberate use of — or credible threat to use — physical violence and/or physically disruptive actions to undermine security, damage confidence in democratic governance, and/or destabilize democratic society.
Examples: Russian intelligence using proxies to sabotage critical infrastructure, including railway lines and air transport; and Iran enlisting criminal groups for murder-for-hire plots against dissidents or Jews.
Information Operations
The coordinated, and often covert, use of actions to deliberately manipulate information environments and influence public debate, including intentionally spreading or amplifying information that is false, misleading, or distorted, and/or engaging in deceptive practices such as masking or misrepresenting the provenance or intent of information and/or intentionally suppressing information.
Examples: Russia-linked networks fabricating evidence of election fraud, such as in the United States and Germany; and foreign state-sponsored groups employing bot networks or fabricating websites impersonating local media to disseminate false information or propaganda.
Malign Finance
The illicit funding of foreign political parties, candidates, campaigns, or other influential individuals or entities, often through covert or nontransparent structures designed to obfuscate ties to a nation-state or its proxies.
Examples: Russia bypassing sanctions by funneling money to shell companies; and foreign operatives attempting to influence policy or elections via bribery or vote buying.
Political and Civil Society Subversion
The hijacking, instrumentalization, or co-opting of social movements, political parties, politicians, advocacy groups, or other civil society or political entities through non-transparent or seditious means to amplify political and social cleavages, target minority or diaspora groups, influence political decisions, or otherwise divide target societies.
Examples: Chinese and Iranian transnational repression of diaspora groups abroad; Russia's financing of protests, political parties, or non-governmental organizations; or government officials working as foreign agents.
A Note on Espionage
Authoritarian regimes' intensifying hybrid warfare against democracies has brought about an acceleration of traditional espionage tactics. This is seen most clearly in Russia's recruitment of citizens across Europe, including through non-transparent means and the use of commercial messaging services, to spy on military installations or share sensitive information about their countries' national security, often for pay in cryptocurrency. Without a doubt, these incidents shed light on the bigger picture of accelerating authoritarian assault against democracies. However, they are only included in the AIT if they meet the threshold of one or more of our incident types and were deliberately in service of undermining a target country's democracy.
Examples:
- Lithuania charges 13 in Russian intelligence plot to murder two activists
- Iran tasks Danish national with spying on Berlin's Jewish community for potential attack
Data Collection and a Note on AI
AIT data is drawn from open-source reporting across government, media, and private-sector sources in multiple languages. Automated systems continuously poll these sources for new material, and AI models score each article for relevance, attribution, and incident type. Articles covering the same event are consolidated into a single structured record capturing threat actors, targets, timeline, tactics, and named entities, with close duplicates merged automatically before review.
Every candidate incident then enters a two-stage human review — an editor triages (approving, deferring, archiving as out of scope, or rejecting) and a reviewer confirms publication. Only incidents that clear both stages appear on the public tracker.
ISD, "Authoritarian Interference Tracker," accessed [DATE], https://interference.isdglobal.org/.