OSINT Key Findings in the Year 2009

Syria, nonproliferation sanctions, OSINT, Google Dorks and SIGINT. In 2009, these all came together in an interesting investigation.

Earlier this year, I wrote an article about my opinion on the future of OSINT and while doing so, I had to think about how OSINT looked in the past and how it has evolved over the years. Gathering and analyzing information, not only through OSINT, has always been my passion and I’ve been doing this for about 20 years now. Just like the recent project with Sector035, where we unraveled a massive scam network, I have often conducted research on specific topics purely out of curiosity. These side projects were never work-related, but the skills I learned along the way were eventually useful throughout my career. Often, reading a simple news article would send me down a rabbit hole. From looking up related news articles to spending hours on Wikipedia to creating link charts, large-scale investigations were always only a mouse-click away.

I just recently recalled a project I worked on in early 2009. It all started with me looking into various nonproliferation sanctions lists. I think it was a news article that sparked my interest. These sanctions were and are imposed on countries that have been accused of trying to procure and/or produce weapons of mass destruction, e.g. nuclear, chemical or biological weapons. I started looking into government and non-government entities from Syria on those lists. Remember, this was back in 2009. There weren’t really many sophisticated OSINT tools back then, so most findings resulted from simple Google queries.

One of the entities I looked at was the Mechanical Construction Factory. Googling this led to millions of results, so I narrowed it down by adding quotation marks: “Mechanical Construction Factory”. My next step was looking for this search term in specific filetypes. PDF or PowerPoint documents tend to contain more relevant information than your average webpage. Adding the filetype operator in Google led to some rather interesting results.

For example, the Greek Exporters Association (SEVE) posted monthly spreadsheets of tenders originating from Syria. These lists contained information on who requested the offer (including addresses, phone numbers and email addresses), as well as the goods they were seeking to acquire.


In order to find all tender spreadsheets on this site, I again used Google dorks. Combining the site operator with the filetype operator brought up all the PDFs saved in the 2008 directory. Since I only wanted to look at the PDFs for Syria, I used Google Translate to obtain the Greek spelling of Syria, as each spreadsheet had this somewhere in the document. The final query looked like this:

[Screenshot: the final Google query combining the site and filetype operators with the Greek spelling of Syria]

I now had a long list of Syrian companies that had requested to purchase goods from Greece. Not only that, multiple companies used the same phone numbers, so I could assume that they were linked to each other in some way. I recall finding one or two companies that were linked to a sanctioned company by a phone number and that weren’t listed themselves.
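The pivot described above, linking companies that share a phone number or email address and flagging those that sit in the same cluster as a sanctioned entity without being listed themselves, is easy to do by hand for a few dozen records but worth automating once the spreadsheets pile up. The following is an added example, not code from the original article; the tender records and the sanctions list are constructed stand-ins with fictional names and numbers, in the shape of the SEVE spreadsheets described in the text. Phone numbers are normalised before comparison so that “+963 11 …” and “00963 11 …” collide, which is the kind of formatting difference that hides links when eyeballing a list.

```python
"""Link companies from tender spreadsheets by shared contact selectors.

Added example, not part of the original article. All records below are
constructed for illustration; company names, numbers and addresses are
fictional.
"""
import re
from collections import defaultdict

# Constructed sample records (requester, phone, email). Purely illustrative.
TENDERS = [
    {"company": "Alpha Trading Co.", "phone": "+963 11 123 4567", "email": "info@alpha.example"},
    {"company": "Beta Engineering", "phone": "00963111234567", "email": "sales@beta.example"},
    {"company": "Gamma Imports", "phone": "+963 11 765 4321", "email": "Info@Alpha.example"},
    {"company": "Delta Machinery", "phone": "+963 21 555 0100", "email": "delta@delta.example"},
    {"company": "Epsilon Supplies", "phone": "+963-21-555-0100", "email": "eps@epsilon.example"},
]

# Constructed stand-in for a sanctions list (the real lists are public but
# not reproduced here).
SANCTIONED = {"Alpha Trading Co."}


def normalise_phone(raw):
    """Reduce a phone number to digits, folding the 00 international prefix."""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("00"):
        digits = digits[2:]
    return digits


def normalise_email(raw):
    """Email comparison is case-insensitive for our purposes."""
    return raw.strip().lower()


def build_links(records):
    """Map every selector (phone/email) to the set of companies using it."""
    by_selector = defaultdict(set)
    for rec in records:
        by_selector[("phone", normalise_phone(rec["phone"]))].add(rec["company"])
        by_selector[("email", normalise_email(rec["email"]))].add(rec["company"])
    return by_selector


def clusters(records):
    """Group companies transitively connected by any shared selector.

    Union-find over company names: A shares a phone with B and B shares an
    email with C, so A, B and C end up in one cluster.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for companies in build_links(records).values():
        companies = sorted(companies)
        for other in companies[1:]:
            union(companies[0], other)

    groups = defaultdict(set)
    for rec in records:
        groups[find(rec["company"])].add(rec["company"])
    return [frozenset(g) for g in groups.values()]


def shared_selectors(records):
    """Selectors used by more than one company, with the companies involved."""
    return {sel: sorted(cos) for sel, cos in build_links(records).items() if len(cos) > 1}


def unlisted_but_linked(records, sanctioned):
    """Companies not on the list that share a cluster with a listed one."""
    hits = set()
    for group in clusters(records):
        if group & sanctioned:
            hits |= group - sanctioned
    return hits


if __name__ == "__main__":
    for sel, cos in shared_selectors(TENDERS).items():
        print(sel, "->", ", ".join(cos))
    print("linked to a sanctioned entity but not listed:", sorted(unlisted_but_linked(TENDERS, SANCTIONED)))
```

A shared phone number is a lead, not proof: landlines in shared office buildings, agents acting for several clients and plain typos all produce false links, so every hit from a script like this still needs the manual verification the article describes.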

Playing around with Google dorks turned up plenty of interesting material to go through. While I can still reproduce the example mentioned above (just try it yourself), the most interesting finding in this case is unfortunately lost.

Back then, Turkey had a government organization named “Undersecretariat for Defence Industries”, abbreviated SSM in Turkish. The SSM website no longer exists, as the organization was renamed and restructured in 2018 (as SSB). This organization posted roughly 150 scanned original tenders from Syria on its website. While they were not reachable through a dedicated page, Google dorks made them appear in my queries. These documents contained phone numbers, addresses, signatures and seals that had been stamped on the paper. Apparently, they were sent to Turkey in hardcopy or scanned and then sent electronically.

Keep in mind, I did all this at home. This was my hobby and not related to my actual line of work. I was a SIGINTer, not an OSINTer at work, tasked with a completely different area of operations. However, these original documents seemed like something my colleagues working on Syria would also be interested in. I took an example of one of the tender documents to work one day and showed it to the guys at the Syria desk. They could not believe that I had just found this online. Some of them were even convinced that I had access to their data and had pulled it from there. I ended up directing them to all the documents I had discovered on the aforementioned Turkish site, and they proved to complement the knowledge the Syria desk already had.

While writing this article, I tried to find those documents using the Wayback Machine, but as I previously mentioned they weren’t located on a page that could be easily reached, so unfortunately they weren’t archived. I went through the complete site map in the Wayback Machine with no luck. For those of you who don’t know this function, try it out. It is great for getting an overview of the structure of a historic website.

[Screenshot: the Wayback Machine site map view]
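The site map view is the interactive way to do what the Wayback Machine’s CDX API does in bulk: list every captured URL beneath a path prefix, optionally filtered to one MIME type, so that the PDFs a site once hosted can be enumerated and checked for successful captures without clicking through year by year. The following is an added example, not code from the original article. The query builder targets the real CDX endpoint at web.archive.org/cdx/search/cdx with its documented parameters; the sample response is constructed so the parser can be exercised offline, and the hostname in it is a placeholder, not the Turkish site the article refers to.

```python
"""Enumerate archived PDFs under a site prefix via the Wayback Machine CDX API.

Added example, not part of the original article. SAMPLE_RESPONSE is a
constructed payload in CDX JSON shape; example.invalid is a placeholder host.
"""
import json
import urllib.parse
import urllib.request

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(prefix, mimetype="application/pdf", limit=500):
    """Build a CDX query listing captured URLs beneath `prefix`.

    matchType=prefix walks everything under the path, filter=mimetype keeps
    only the requested content type, and collapse=urlkey yields one row per
    distinct URL instead of one per capture.
    """
    params = {
        "url": prefix,
        "matchType": "prefix",
        "output": "json",
        "fl": "timestamp,original,mimetype,statuscode",
        "filter": f"mimetype:{mimetype}",
        "collapse": "urlkey",
        "limit": str(limit),
    }
    return CDX_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_cdx_json(payload):
    """Turn CDX JSON (a header row followed by data rows) into a list of dicts."""
    rows = json.loads(payload)
    if not rows:
        return []
    header, *data = rows
    return [dict(zip(header, row)) for row in data]


def archived_pdf_urls(records, ok_status=("200",)):
    """Return replay URLs only for captures the origin actually served."""
    out = []
    for rec in records:
        if rec.get("statuscode") not in ok_status:
            continue  # 404/5xx captures replay an error page, not the document
        out.append(f"https://web.archive.org/web/{rec['timestamp']}/{rec['original']}")
    return out


# Constructed sample response in CDX JSON shape; placeholder host and paths.
SAMPLE_RESPONSE = json.dumps([
    ["timestamp", "original", "mimetype", "statuscode"],
    ["20090215103012", "http://example.invalid/tenders/2008/jan.pdf", "application/pdf", "200"],
    ["20090301120000", "http://example.invalid/tenders/2008/feb.pdf", "application/pdf", "200"],
    ["20090401090000", "http://example.invalid/tenders/2008/mar.pdf", "application/pdf", "404"],
])


def fetch_cdx(prefix, timeout=30):
    """Live lookup against the CDX API (network required)."""
    with urllib.request.urlopen(cdx_query_url(prefix), timeout=timeout) as resp:
        return parse_cdx_json(resp.read().decode("utf-8"))


if __name__ == "__main__":
    for url in archived_pdf_urls(parse_cdx_json(SAMPLE_RESPONSE)):
        print(url)
    # Live use, with the placeholder replaced by a real host and path:
    # for row in fetch_cdx("example.invalid/tenders/2008/"): print(row["original"])
```

The CDX index only knows URLs the crawler reached, so, as the article found, documents reachable only through a search engine and never linked from an archived page will not appear here either; an empty result is evidence of absence from the archive, not from the site.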

In 2009, many people underestimated the power of OSINT. In 2019, I don’t think many people will make that mistake again. No fancy tools were needed back then, just some Google dorks and perseverance to manually go through hundreds of PDFs. Although things have changed in the OSINT world and continue to change as we move along, I am sure there is still plenty of juicy information that can be found on the internet by just mastering the use of Google operators. Happy hunting, fellow OSINTers!

Matthias Wilson / 27.09.2019

Harvesting Intel on India’s Nuclear Command – When OSINT meets SIGINT

Using OSINT to enable SIGINT. Imagine you are a SIGINT analyst keeping track of India’s nuclear forces. Luckily, you have some OSINT skills, which enable you to find selectors related to the former commander-in-chief of these forces. This could be a door opener to the current leadership…

So far, I have written short posts on how OSINT can support military decision makers as well as being a vital part of HUMINT operations. The key statement is that each intelligence collection type (ICT) requires a certain amount of OSINT to successfully prepare and conduct operations. This is a concept I call ‘Interdisciplinary Intelligence Preparation of Operations’, in short: I2PO.

One of the most secretive ICTs is Signals Intelligence (SIGINT). In many cases SIGINT services or SIGINT branches within services are isolated from other ICTs, which makes cooperation between them challenging. This is one reason why SIGINT should incorporate dedicated OSINT capabilities, especially when doing preparatory research on new target areas or specific target decks. On the one hand, OSINT can provide general information on the telecommunications infrastructure of a target area; on the other hand, OSINT can actually provide valuable selectors to task.

There are many different ways to support SIGINT with OSINT using the vast variety of OSINT tools and skills. In the following example, I would like to point out how to acquire additional selectors for a certain target deck.

Let us assume we are SIGINT analysts working on the India target desk, specifically the desk tasked with conducting SIGINT against India’s nuclear forces. A country’s nuclear forces are among the most highly protected and secretive assets. Finding SIGINT leads and selectors to gather credible information is an almost impossible task in this context. I assume the direct communication of these forces is secure and hardened. As a result, collecting official military communications from their dedicated channels can be ruled out. What other chances do we have to gather intelligence on our target?

SIGINT, like all other ICTs, feeds off mistakes that our targets make. If people were OPSEC-aware, we would not find so much information on the internet, HUMINT sources would not be so talkative and eavesdropping on communications would not reveal that much. With this in mind, let us find a hands-on, doable approach towards our target. Sometimes people use non-secure communications to transmit confidential information. Our targets might do the same. So our first step would be to identify targets and their non-official selectors, hoping these could be tasked and provide valuable intelligence.

Unfortunately, none of the current leadership of India’s nuclear forces, the Strategic Forces Command (SFC), is overt enough to provide us with additional non-official selectors. To start, we look at the former leadership, expecting that they might still be in contact with some of the current administration. Press reporting indicates that the previous commander in chief of the SFC, Lieutenant General Amit Sharma, handed over his command in July 2016. This is close enough for us to assume that General Sharma will still occasionally get in touch with his former comrades.

Next up is an extensive Google search on General Sharma. As a high-ranking former member of the military, he might have directorships or board memberships in civilian companies. In our case he does not, so searches in company databases remain negative.

One of my favorite Google dorks is ‘filetype’, specifically looking for PDFs or PPTs. PDFs and PPTs often contain a lot of information, which helps give an overview of the target and sometimes provides leads for further research.

[Screenshot: Google filetype search results for General Sharma]

This search results in several hits, mainly being studies and conferences in which General Sharma participated. However, the first hit is actually the gold nugget we have been looking for. In India, the Department of Public Enterprises hosts a database containing former CEOs, directors and government officials; including short résumés.

Let’s have a look at General Sharma’s résumé:

[Screenshot: General Sharma’s bio data from the Department of Public Enterprises database]

Now we have a private email address and a mobile phone number belonging to General Sharma. These two selectors are tasked and a metadata analysis is conducted on both. Maybe he is in contact with his old comrades in the Strategic Forces Command. This is the door opener we needed to successfully approach our goal. We can also look up the address, which seems to be his home address. Sometimes this will also lead to further selectors.

I also hope that General Sharma did not use Dropbox to save the nuclear launch codes. Have I Been Pwned lists his email address among those exposed in the Dropbox data breach of mid-2012.

As this example shows, it is essential for SIGINT analysts to include OSINT research in their daily workflow.

Disclaimer: Although the data shown is real, the complete scenario described here is fictional. I have no idea if this information is known or used by intelligence services, nor do I have any insight on the assumption that India’s Strategic Forces Command is an intelligence target.

Matthias Wilson / 08.10.2018