Be careful what you OSINT with

There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.

1

In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as good as possible. This includes OSINT research on the company, asking tech-savy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out, I was right not to use this platform. Lampyre isn’t who they claim they are. I teamed up with several helpful elves (to be honest, they did most of the work) and we found some pretty disturbing information.

Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower. The company itself was registered in February 2019 and the CEO and sole shareholder is Laszlo Schmidt. The original address used to register the company leads to a law firm and the phone number that Data Tower provides belongs to another law firm in which Laszslo Schmidt is working as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do you we get to the people behind Lampyre?

Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its back end in each query. The queries contain a brief description on what is requested and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.

2

Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:

3

While this was being done, more OSINT research revealed a person named Andrey Skhomenko. This guy posted Python modules for Lampyre on Github and knew about the product in March 2018, way before it was released to public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).

4

According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

5

The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.

6

So far, this was just a gut feeling. Could anymore evidence be found that would link these two products and thus Norsi Trans and Data Tower? You bet? We pulled the certificates used by Lampyre and saw that they were registered in Russia and even more compelling: one of the certificates made a direct reference to Vitok.

7

This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there is still plenty to be discovered, I think we have proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption for domestic services.

Maybe Lampyre is Norsi Trans’ attempt to sell their software in the western world, maybe it is a rogue operation by a Norsi Trans employee (or a few). Although, I personally have doubts about that second theory. The software is quite powerful and receives regular updates. To create something like this, you’d surely need more than one person and having a rogue team within a company try to pull this off would surely not go unnoticed. What I find most interesting, is the fact that Andrey stated he had worked for the FSB. To put it in the words of one of my former colleagues: You don’t leave Russian intelligence services, you just change your cover and continue working for them.

Matthias Wilson / 23.03.2020

The Importance of Grammar in Forensic Linguistics

1

Commas matter and grammar matters. Especially when you deal with threat letters, poison pen letters or even ransom notes. In this case, grammatical errors, misspellings or unique writing styles might reveal the person behind the mischievous texts. Are you dealing with one author or multiple individuals? Can you link these letters to other reference documents, e.g. internal employee emails? The art of analyzing written documents in investigations is a subset of forensic linguistics.

While I won’t go through any real examples in the following article, I would like to share my experience when dealing with such cases. First up, I won’t even try to get into graphology. This is the analysis of handwriting, in an attempt to evaluate personal characteristics or the psychological state of the writer.

Graphologist: “The author is a male and he is very angry, possibly holding a grudge against the recipient.”

Intel analyst: “No shit, sherlock. The handwriting is sloppy and why else would he write a poison pen letter?”

The most important tool for me is a set of highlighters. If dealing with multiple documents, I found it easer to print them out and to mark peculiarities with the highlighters and also add handwritten notes of my own. I use different colors for different categories. One for spelling mistakes, one for grammatical errors, one for the use of uncommon words or unique word-creations and lastly the final color for certain style elements.

Let’s start off with the first category: spelling mistakes. Many people have distinct spelling mistakes they constantly make. And not always will they recognize mistakes when proof-reading their own work. Sometimes these mistakes might also indicate if the author is a native speaker or not. A German writing an English text might automatically use Telefon instead of telephone. Furthermore, many languages capitalize nouns, so look out for this as well. Other spelling mistakes may derive from auto-correct functions in office. When I open Word, it assumes I’ll write in German and does the autocorrect based on the German dictionary. Newer versions of Word notice I’m typing English after about one sentence and then automatically adjust, older versions might need a manual reset. When typing or writing quickly, one may produce clerical errors, such as forgetting letters, adding letters or switching letters. In this case, always check to see how letters are allocated on the keyboard to understand the origin of these typos. Keep in mind that different countries use different keyboard-layouts!

The next one is a bit more tricky. I have to admit, my grammar isn’t the best. I usually just know that something looks weird, without being able to grasp the actual reason or grammar rule. So, in this phase of investigations I often google certain grammar rules to make sure my hunch was right. From simple things such as mixing up your and you’re, to the inproper use of commas, there are many different errors that might show up in multiple documents. One important thing to remember is, that it will be the sum of indicators that lead to successfully solving the case. It most likely won’t just be one blatant error.

Depending on an individual’s background, they may have a different spelling of words. It may vary between British or American English, it may contain colloquial terms or even slang and different dialects. Everything that differs from the standard form of writing in the specific area you are working in, should be marked with a highlighter. Using modern-day slang might indicate a younger person, old-fashioned terms will probably not be used by a kid. I once had a case, in which the author creatively invented new curse words I had never heard of before. Some of them where so hilarious, I actually added them to my personal vocabulary. Another example would be the use of local dialect. In Germany bread rolls are named differently in many regions: Brötchen, Wecken, Semmel, Schrippe, Krossen, Normale, Rundstücke; these are all the same thing! I’m sure similar examples can found in other languages and for more relevant terms as well. Try to figure out which region the word originates from. Again, a little googling can be helpful here.

Next up, concentrate on the style of writing. Is there anything that sticks out? Specific punctuation, such as the frequent use of exclamation marks or multiple dots…. Also, concentrate on the sentence structure. Is the author using short sentences or is he fond of long-winding sentences? Does the whole document read as if it were written by the same person? A shift in style may indicate that some part was copied from another document. Finally, have a look at the format: font, size, line spacing, alignment. After marking all documents according to the above points, it’s time to spread them out and get a birds-eye view of all of them. Sometimes, this will reveal more similarities or conspicuous features shared by multiple documents.

Now, for the most important aspect: Assume your adversary, the author, is well aware of his distinct mistakes and style of writing! He might try to deceive us. Changing the usual format, by using odd fonts or changing the alignment are easy to recognize, but sometimes an author will substitute some of his unique identifiers with another. Mostly by doing the exact opposite of what his style of writing is usually known for. Someone that uses long and complex sentences might break these down into short and concise sentences, making the letter look more like an old telegram. Obvious spelling mistakes might be implemented as well, to put us on the wrong track. However, anything that is deliberately done will likely follow a certain pattern. It is our job to identify this pattern.

Of course, there is much more that can be done when handling cases like these. Analyzing handwriting by overlaying different sets of handwritten words on each other is one technique that might help. This works really well in MS Office, since the office suite has some pretty impressive features to handle images. Furthermore, fingerprint identification (dactyloscopy), analyzing the paper, trying to trace back emails; a broad variety of methods can be applied here. Maybe even the graphologist, if you’re that desperate. As with all intelligence analysis, it is important to never fully rely on just one method. Combine what you have at hand to achieve the best result.

After this brief introduction to the topic of forensic linguistics, I will prepare an example for a future article, highlighting the aforementioned. I just have to figure out who I want to blackmail or send a poison pen letter to. Maybe one of the scammers from a previous project.

Matthias Wilson / 01.10.2019

How a Corporate Takeover Went into a Tailspin within Days

When companies change ownership, key employees often get busy looking for new jobs. Some also take intellectual property with them on the way out the door. Here is how a real-world case unfolded – and how investors can prevent such calamities from happening.

The moment the investment started sputtering and stalling was the day the head engineer quit his job. His resignation letter, hand-delivered to the CEO in the morning, hit the new private equity investors of the company like a bucket of ice water. They had only recently acquired the southern German plant manufacturer for a load of cash. The engineer, a key figure in the company, had assured the new owners just the day before, again, that he would stay on in the new era.

As the news of his sudden departure reached the asset managers, they instantly realized the momentousness of his decision. But before they could even discuss how to deal with the consequences, more resignations turned up within hours. Three senior sales people and service technicians quit by lunchtime, a serious upheaval in the midsized company. According to the grapevine emerging that day, they did not believe that their future was golden under the new ownership.

The acquisition had been rather expensive in the first place. It was after all a seller’s market in the German corporate world. Potential investors from all corners of the globe – Europe, the Middle East, China, the U.S. – were lining up around the block to buy up German “hidden gems”. Midsized, globally successful, family-owned businesses.

The backdrop to this phenomenon was fast-growing private wealth, which to this day has been giving private equity investments a massive shot in the arm. Whereas PE assets under management totaled approx. $ 30 billion worldwide in 1992, they had reached $ 4,000 billion (=4 trillion) by 2015, according to the private equity marketplace Palico based in Paris. By 2020, Palico predicts the PE market will have doubled to $ 8 trillion. But the demand for attractive investment opportunities already far exceeds the supply. And thus investors are jumping at the chance to snatch up, among other things, successful German engineering companies. They are seen as solid and reliable, like the plant builder in southern Germany.

iStock-1056730980.jpg

When the Music Stopped Playing

We were hired as investigators to look into the sudden personnel departures and found that the head engineer had started a new Ltd. company in a neighboring country not far from his previous job. The financier of the new venture was a local entrepreneur with deep pockets. Meanwhile, a first wave of customers began canceling their contracts with the plant manufacturer and signed up with the brand-new competition, who were offering competitive prices for their services.

We scrutinized the laptop computers left behind by the departing staff. A breadcrumb trail of bits and bytes showed that customer lists and tens of thousands of engineering documents had miraculously left the building in recent months. Most of them in the last two weeks before the resignation wave.

Also, part of a business plan was discovered, outlining the new Ltd.’s strategic direction. The document’s time stamps suggested that its creators had lied about their intentions for quite some time.

Armed with the assembled proof, the plant manufacturer filed a criminal complaint, a likely breach of competition law, with the local prosecutor’s office. The case is now a government investigation that will probably drag on for years, outcome unknown. It is unclear, too, whether the plant manufacturer’s business will continue to flourish as it did in the past forty years. All it took was a data breach and a few disgruntled key employees to turn a rock-solid investment into a liability within a few days.

Investors beware: prepare for such scenarios. Because cases like this happen every week.

Collect background information about key personnel before the takeover, so that there are no surprises. Look into the IT situation: how well protected are the company’s ‘crown jewels’? Are there any open barn doors that may be used to squirrel away intellectual property? And finally, talk to the key personnel early in the game and keep your promises to them. They will judge you by your actions, not your words.

Sebastian Okada / 28.01.2018

How Ray Reardon Solved a Blackmail Case

When playing snooker, you sometimes have to rely on your opponent making a mistake to win the game. When conducting investigations, we also have to rely on the suspect to make mistakes, in order to solve the case.

A while back one of our customers, a large German cosmetic company, had received threatening emails from an unknown perpetrator. This person threatened to sabotage the company’s supply chain and thus cause a production fallout. The emails where sent from an anonymous email address and we were not able to find any information on the originator through OSINT. Over the course of the next weeks, the perpetrator continued to send threats and demands in various emails. One of the demands was to transfer a large sum of money to a Bitcoin account.

Again, we went looking for information online, trying to track down this Bitcoin account. Once more, we turned up empty handed. We tried every trick in the book, including trying to lure the perpetrator into a trap using phishing emails, which only resulted in him sending the threats from different email-addresses each time.

The only consistent information was the Bitcoin wallet address and the name he used to sign the emails. This name was ‘Ray Reardon’. Judging from the content of the emails, we had a hunch that this person might actually be an insider. He apparently had extensive knowledge of the company’s supply chain and internal procedures. Knowing this, we sat down with the company’s security officer and discussed the next steps. Our technical approach using OSINT and even phishing was exhausted and we agreed upon covert investigations within the company. In the first step, the security officer identified everyone that could have the knowledge displayed in the emails. We received a list of eight employees and also some written documents from each of these employees. We compared the documents to the emails, hoping we might find specific phrases, terms or spelling mistakes that match. As with the steps before, this proved inconclusive.

The suspects worked in different shifts and the company’s employees had no access to private IT or phones during their worktime. Each employee entered and left the building through doors that only opened with their personally issued RFID tag. We pulled the login data and compared it to the times that the emails had been sent and could rule out five of the suspects, as they were definitely still in the building at their workspaces. Furthermore, we had the IT department check if any company computers had accessed the websites of the email providers used to send the threat emails. So far, we started off with OSINT, then tried social engineering (phishing) and were now down to an internal forensic investigation.

These steps enabled us to narrow down the amount of suspects from eight to three. The remaining three suspects were off duty at the time the emails had been transmitted. We started conducting intensive background checks on all three, including looking at their social media and online footprints. While the checks on two of the suspects did not provide any further leads, one check revealed that the last remaining suspect was really into snooker and competed in regional snooker tournaments. This small and seemingly irrelevant information actually helped solve the case. Remember the name used to sign the threatening emails? It turns out ‘Ray Reardon’ is actually a famous snooker player. Combined with the fact that the suspect wasn’t at work in the relevant time period, the use of the name ‘Ray Reardon’ proved to be a circumstantial piece of evidence that our customer then handed over to the German law enforcement agencies. Subsequently, it was enough to get a search warrant for the suspect’s home.

Our customer later reported that the police had found more evidence on the suspect’s computer and that he was tried and convicted for attempted blackmail.

Our investigation was the frame ball* in this case.

Snooker_Touching_Ball_Redfoto by barfisch under license CC-BY-SA 3.0

Matthias Wilson / 14.12.2018

*Snooker term: the last difficult shot required to win