OSINT Key Findings in the Year 2009

Syria, nonproliferation sanctions, OSINT, Google Dorks and SIGINT. In 2009, these all came together in an interesting investigation.

Earlier this year, I wrote an article about my opinion on the future of OSINT and while doing so, I had to think about how OSINT looked in the past and how it has evolved over the years. Gathering and analyzing information, not only through OSINT, has always been my passion and I’ve been doing this for about 20 years now. Just like the recent project with Sector035, where we unraveled a massive scam network, I have often conducted research on specific topics purely out of curiosity. These side projects were never work related, but the skills I then learned were eventually useful throughout my career. Often, reading a simple news article would send me down a rabbit hole. From looking up related news articles to spending hours on Wikipedia to creating link charts, large-scale investigations were always only a mouse-click away.

I just recently recalled a project I worked on in early 2009. It all started with me looking into various nonproliferation sanctions lists. I think it was a news article that sparked my interest. These sanctions were and are imposed on countries that have been accused of trying to procure and/or produce weapons of mass destruction, e.g. nuclear, chemical or biological weapons. I started looking into government and non-government entities from Syria on those lists. Remember, this was back in 2009. There weren’t really many sophisticated OSINT tools back then, so most findings resulted from simple Google queries.

One of the entities I looked at was the Mechanical Construction Factory. Googling this led to millions of results, so I narrowed it down by adding quotation marks: “Mechanical Construction Factory”. My next step was looking for this search term in specific filetypes. PDF or PowerPoint documents have the tendency to contain more relevant information than your average webpage. Adding the filetype-operator in Google led to some rather interesting results.

For example, the Greek Exporters Association (SEVE) posted monthly spreadsheets of tenders originating from Syria. These lists contained information on who requested the offer (including addresses, phone numbers and email-addresses), as well as goods they were seeking to acquire.

In order to find all tender spreadsheets on this page, I again used Google dorks. Combining the site-operator with the filetype-operator brought up all the PDFs saved in the 2008 directory. Since I only wanted to look at the PDFs for Syria, I used Google Translate to obtain the Greek spelling of Syria, as each spreadsheet had this somewhere in the document. The final query looked like this:

[Image: screenshot of the final Google query]

I now had a long list of Syrian companies that had requested to purchase goods from Greece. Not only that, multiple companies used the same phone numbers, so I could assume that they were linked to each other in some way. I recall finding one or two companies that were linked to a sanctioned company by a phone number and that weren’t listed themselves.
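The phone-number linkage described above can be automated once the tender rows are in tabular form. The following is an added example, not code from the original post: the company names, phone numbers and the listed entity are constructed, and the normalization rules (a leading `00` as international prefix, a leading `0` as national trunk prefix, country code 963) are assumptions. It goes one step beyond the text by also following links transitively through intermediate companies.

```python
import re
from collections import defaultdict

# Constructed sample rows: (company, phone as printed in a tender spreadsheet).
TENDERS = [
    ("Alpha Trading Co.", "+963 11 555 0101"),
    ("Beta Industrial Supplies", "00963-11-5550101"),
    ("Beta Industrial Supplies", "(011) 555 0202"),
    ("Gamma Engineering", "963 11 5550202"),
    ("Delta Import Export", "+963 21 555 0303"),
]
LISTED = {"Alpha Trading Co."}  # constructed stand-in for a sanctions-list entry


def normalize_phone(raw, country_code="963"):
    """Reduce differently formatted numbers to one comparable form."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("00"):      # assumed international dialling prefix
        digits = digits[2:]
    elif digits.startswith("0"):     # assumed national trunk prefix
        digits = country_code + digits[1:]
    return "+" + digits


def link_clusters(rows):
    """Group companies that are connected by at least one shared number."""
    by_phone = defaultdict(set)
    for company, phone in rows:
        by_phone[normalize_phone(phone)].add(company)
    parent = {company: company for company, _ in rows}

    def find(c):  # union-find root lookup with path halving
        while parent[c] != c:
            parent[c] = parent[parent[c]]
            c = parent[c]
        return c

    for companies in by_phone.values():
        first, *rest = sorted(companies)
        for other in rest:
            parent[find(other)] = find(first)
    clusters = defaultdict(set)
    for company in parent:
        clusters[find(company)].add(company)
    return list(clusters.values())


def unlisted_links(rows, listed):
    """Companies in the same cluster as a listed entity but not listed themselves."""
    hits = set()
    for cluster in link_clusters(rows):
        if cluster & listed:
            hits |= cluster - listed
    return sorted(hits)
```

A shared number is a lead for further research, not proof of a relationship: switchboards, freight agents and shared offices produce the same pattern.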

Playing around with Google dorks had me find plenty of interesting material to go through. While I can still reproduce the example mentioned above (just try it yourself), the most interesting finding in this case is unfortunately lost.

Back then, Turkey had a government organization named “Undersecretariat for Defence Industries”. The Turkish abbreviation of this was SSM. The SSM-website doesn’t exist anymore, as the organization was renamed and restructured in 2018 (as SSB). This organization posted roughly 150 scanned original tenders from Syria on their website. While not directly accessible through a dedicated page, using the Google dorks had them appear in my queries. These documents contained phone numbers, addresses, signatures and seals that were stamped on the paper. Apparently, they were sent to Turkey in hardcopy or scanned and then sent electronically.

Keep in mind, I did all this at home. This was my hobby and not related to my actual line of work. I was a SIGINTer, not an OSINTer at work, tasked with a completely different area of operations. However, these original documents seemed like something my colleagues working on Syria would also be interested in. I took an example of one of the tender documents to work one day and showed it to the guys at the Syria desk. They could not believe that I had just found this online. Some of them were even convinced that I had access to their data and pulled it from there. I ended up directing them to all the documents I had discovered on the aforementioned Turkish site and they proved to complement the knowledge the Syria desk already had.

While writing this article, I tried to find those documents using the Wayback Machine, but as I previously mentioned they weren’t actually located on a site that could be easily accessed. So, they unfortunately weren’t archived. I went through the complete site map in the Wayback Machine with no luck. For those of you who don’t know this function, try it out. It is great to get an overview of the structure of a historic webpage.

In 2009, many people underestimated the power of OSINT. In 2019, I don’t think many people will make that mistake again. No fancy tools were needed back then, just some Google dorks and perseverance to manually go through hundreds of PDFs. Although things have changed in the OSINT world and continue to change as we move along, I am sure there is still plenty of juicy information that can be found on the internet by just mastering the use of Google operators. Happy hunting, fellow OSINTers!

Matthias Wilson / 27.09.2019
