Unravelling the Norton Scam – Chapter 2

Art is often considered the process or product of deliberately arranging elements in a way that appeals to the senses or emotions. OSINT is art and sometimes OSINT produces art.

This is the second chapter of a series of short blog posts covering the investigation of a massive online scam network. If you are a new reader, I would advise you start with the first chapter to understand the context of this project.

The Art of OSINT

This is big! So far, we have collected information on hundreds of different entities; including websites, names, phone numbers, email addresses and much more. When we started, relevant data was just dumped into a text file. We also used Hunchly during our collection and then realized we needed to structure the most important data and moved on to a spreadsheet. This worked for a while, until we felt the need to display links between entities in an easy and understandable way. A more visual approach was chosen, and Sector started what I call “The Art of OSINT”: a link chart.

Sector used Maltego for our case, but there are many alternatives you can use as well. I have grown fond of draw.io and others might use one of the various mind mapping apps and platforms. The idea behind link analysis in general is to evaluate relations and connections between entities. Link charts are the visualization of this data, which in many cases make it easier for an analyst to discover connections. Sometimes the connections are not direct, but indirect, linking entities to each other by a third-party individual.

Let us take a look at how link charts can be built from scratch. In the first chapter of our series, I posted a screenshot of one of the scam sites.

4

On here I already have multiple pieces of information that I can connect. A name, a postal address, a phone number and lastly an email address. Each of these is the starting point for further OSINT investigtions. We found that the email address was used to register the domain allbagmanufacturing(dot)com. This domain also lists an Indian phone number in the WHOIS data.

phone number register.png

It turns out, that the Indian phone number was also used to register the site roadrunneremailsupports(dot)com.

all links.png

In conclusion, both sites are likely connected. However, how do we know that this phone isn’t just a burner phone or a random phone number? More OSINT research is required to verify if the phone number is existent and who it belongs to. I also mentioned a little social engineering coming up, didn’t I? If you were hoping to read about this topic in the second chapter of our journey, I have to disappoint you. Rest assured, we have a nice story on social engineering in one of the later chapters. Now, let’s get back to our link analysis.

One piece of information leads to another and soon we find new leads and many connections between the entities. The chart itself has grown quite a bit in the meantime. At first glance, it will seem a bit chaotic. However, it is still easier to handle than relaying this information in a text-based form. For me, link charts have an artistic character. Each chart, whether built manually or automated, is one of a kind. Unique data, unique arrangements, all coming together to form a piece of modern art.

Modern Art.jpg

Put this on a large canvas, have Sector sign it and it would be something that could be found in the Guggenheim Museum of Modern Art. One day I plan to do exactly that. A vernissage on “The Art of OSINT”. Until then, let’s keep creating more masterpieces with our online investigations and link charts.

Sector035/MW-OSINT – 04.08.2019

Intelligence Collection on the Train

Sometimes I miss my SIGINT days: Listening into my target’s phone calls and getting juicy intelligence out of this. However, you don’t always need SIGINT to eavesdrop on interesting conversations.

The company that I work for offers a broad variety of security products. When it comes to securing valuable data and information, most of our customers rely on technical solutions. However, the best firewalls and security suites will not help, if information is continuously disclosed outside of hardened IT-environments by careless employees. As a former SIGINTer I was always astonished about how much information my intelligence targets would openly share over non-secure lines. Now that I left SIGINT behind, I still have the chance to eavesdrop on conversations every once in a while.

I have a one-hour commute to work each day and the time I am on the train has proven to be a valuable social engineering and OSINT training ground. Two weeks ago, I was sitting on the train when a gentleman sat down next to me and immediately started making phone calls.

1https://unsplash.com/@jcgellidon

The second phone call went to a woman named Kelly Adams. I know this because I could see her name on the screen of his phone. I could hear everything he said and since his volume was cranked up, I could also hear parts of what Kelly had said. Curious as I am, I immediately googled Kelly. Based on what I had heard, I could narrow it down to three individuals. One woman working for a large German defense company and two others in IT firms. The topic of the conversation was a pretty significant retention bonus that Kelly would receive, if she decided to stay with the company and move to Munich. It turns out the company was currently relocating its headquarters to Munich.

As soon as the gentleman ended this conversation, he started writing emails on his phone. Again in plain sight and did I mention that I am very curious? It turned out his name is Andreas Müller. Searching for the combination “Kelly Adams” and “Andreas Müller” led to the exact company. Dr. Andreas Müller was the head of the research and development department of a large German defense company and Kelly was one of the leading project managers for a specific branch. I did not need any sophisticated OSINT skills here, a simple Google query and LinkedIn search was enough. Dr. Müller then sent the details of the retention bonus to someone named Alfred, whom I assume was in HR. If I would have been working for an opposing company, I could have easily used this information to counter the offer Kelly received. But wait, it gets even better!

Next up, Dr. Müller opened spreadsheets depicting the budget of certain projects. Dr. Müller was sitting on my right and I held my phone to my right ear, simulated a conversation and managed to get a couple pictures of his screen. As of now, I had seen enough and it was time to approach him.

“Excuse me, Dr. Müller. May I ask you a question?”

You should have seen the look on his face. Surprised and shocked, as he was clearly not expecting this. I asked him if the conversations and the emails he had looked at were sensitive. I told him what I had picked up from his conversation with Kelly and showed him a picture of the spreadsheet. Still shocked, he did not really know how to react. I explained my line of work and handed him a business card. Dr. Müller can consider himself lucky, usually I charge customers for this kind of consulting and I think he learned a valuable lesson.

Remember: No matter how good your cyber security measures are, the most important aspect is minimizing human error and taking security serious at all times. I have often read that there is no patch for human stupidity. I do not agree and I am sure that Dr. Müller has been “patched” after our train ride.

I guess I never will be able to let the SIGINT side of me go. I just love eavesdropping in on people, so be careful what you say in public or on your phone, you never know if someone is  listening!

MW-OSINT / 26.03.2019

The Nigerian Prince from South Africa

Great, another Nigerian prince in your inbox. Instead of deleting it, why not answer for a change. I did and it turned out to be quite interesting.

Last week, I received my first Nigerian prince scam mail (also known as 419-scam) in German. I assume someone put a lot of work into this, so I thought I would answer. Although the message was apparently sent from jefaturaestudiositurbi@valencia.es, I was to reply to wong.shiu@accountant.com. This email supposedly belonged to Mr. Wong, the banker who was handling the case.

Let us have a look at the message header first, before answering.

1

Even if I would have answered to jefaturaestudiositurbi@valencia.es, the email would have been sent to wong.shiu@accountant.com. I assume the email was not actually sent from the @valencia.es domain in the first place and that this was just used to bypass my spam filter. Next up, I wanted to see if I could find any leads to where the email was sent from.

2

The initial ‘Received’ entry in the message header points to a South African IP-address belonging to a mobile provider. It also appears to have been sent through a Huawei 3G/4G WiFi router.

Next up, I set up a new Gmail account to communicate with this Nigerian (South African) prince. Sure enough, I received an answer within minutes. The reply contained additional information regarding the deal and was clearly a very bad Google translation of an English text. Again, this message was sent from the same IP-address. We emailed back and forth several times until I was asked to provide some ID, an address and a phone number. So I did.

3.jpg

Apparently, Mr. Wong thought this was funny as well. For the first time I actually received a response that was not just copied and pasted from a pretext.

3-1

“You dey gather my fmt” – This actually translates to: So, you are one of those guys that collect my pretext. At this point, Mr. Wong also started using a different email to communicate with me: wong.shiu@mail.com. Again, I checked each message header. While several different IPs were used, they all belonged to South African mobile providers.

4

The conversation went on for quite a while and I was surprised that Mr. Wong kept answering.

5

The following day I received another scam mail that looked just like to first one. The only difference  was that the name of the banker had changed (and thus the reply email) and the promised sum of money was a lot higher than in the first email. It sure looked like this was also the work of my friend Mr. Wong, so I decided to answer to this new email as well.

6

Unfortunately, Mr. Wong did not answer any more. Looking into all the emails again, I could clearly see a pattern. Each IP-address could be traced to South African mobile providers and all emails were sent through Huawei 3G/4G WiFi routers. The language used also hinted towards Africa in general. Furthermore, over the course of two days I noticed that Mr. Wong began answering around 09:30 (CET), leading to the conclusion that he must have been in the same time zone (or nearby) if this was his 9 to 5 job.

If you ever try this yourself, please make sure to use a clean email address and do not download or open attachments. If you keep this in mind, you might have some fun with a Nigerian prince yourself. As for Mr. Wong:

Mr. Wong,

If you ever read this, feel free to contact me again. I can’t promise I’ll pay the advance fee you requested, but I’m always there for you if you need someone to chat.

Yours sincerely,

MW-OSINT / 19.03.2019

Why Primary Sources Matter

Hurray! German company data is now available in OpenCorporates! Does this mean I don’t have to pay for the official company register access anymore?

This morning I confronted my boss Christian with a fact that I had found on the internet yesterday evening. Although he claimed to be the director of his company, I could not find him on OpenCorporates. For those of you who do not know what this platform does: OpenCorporates is the largest open database of companies and company data in the world. The site claims to have over 160 million companies indexed. As of yesterday, they added 5 million German companies to their database. Should I believe Christian or OpenCorporates in this matter?

When I conduct due diligence and background checks, OpenCorporates is among one of the first platforms I use. As good as it is, OpenCorporates is still a secondary source and when it comes to reliable and present-day information, I rather choose to trust primary sources.

Don’t get me wrong, secondary sources such as the aforementioned or compliance tools like LexisNexis are amazing and are really helpful to get an overview of what you are dealing with, but they all have little flaws. In some cases, the data is not as up-to-date as it should be, in other cases they are lacking essential information, such as the company shareholders. The worst-case scenario is when data is falsely aggregated during the import-process, linking the wrong entities to each other. Throughout my investigations, I have stumbled upon these issues more than once when using secondary sources.

Based on yesterday’s import of the German company data into OpenCorporates, I decided to check my own employer: Corporate Trust, Business Risk & Crisis Management GmbH. This is what OpenCorporates provided:

sources

There are some flaws in this dataset, because I am sure Christain would love to see his name in here as well. After all he founded the company and has been the director of Corporate Trust ever since. This is not just a problem within OpenCorporates, I have seen similar issues quite often in expensive commercial compliance databases as well. As you can see, the dataset is also missing information on the company’s shareholders. Even when this information is contained in compliance databases, it is sometimes outdated.

These are the reasons I always try to use primary sources, such as official government company registers, whenever possible. OpenCorporates is a great starting point to tell me where to look for more detailed information, especially since it offers the possibility to search for individuals (something that many government company registers lack), but the official company registers provides the real intelligence. This is where things can get challenging. Let us have a look at the company register in Germany, our Handelsregister. It requires a formal registration, which is only available in German. No credit card payments are possible, only direct debit. For many countries, this alone may prove to be an obstacle. On the bright side, once you have access to this database, you will gain access to the original company documents, including a list of shareholders for private limited companies.

In other countries, you can only gain access to the national company registers if you are a resident of that country and in most cases against payment. Unfortunately, nothing in life is free (except the amazing British Companies House). So when it comes to obtaining all relevant and up-to-date data, a bit more is required than just the access to (free) secondary sources.

Just to be sure about Christian, I checked our company in the official German company register. Turns out he is listed as director in the Handelsregister after all.

MW-OSINT / 06.02.2019

How I Became Ted Mosby

Remember Ted Mosby from the sitcom How I Met Your Mother? This fictional TV character inspired a pretext for social engineering in an actual investigation.

Not all investigations can be conducted solely online. Sometimes, information that is discovered on the internet has to be verified in the real world. Many of these cases then require certain social engineering skills to obtain access to otherwise restricted areas. One of the most important aspects of social engineering is the pretext used to present oneself. This is more than just a quick and simple lie, it requires the creation of a complete identity to impersonate someone that will be able to gain the trust of whoever you are using it against. A large portion of the pretexting process is actually OSINT: Gathering the relevant information in order to appear credible.

A while back, I was working on a case in which I had to verify the location of a certain company and try to figure out if the company actually did business there or if this address was just used as a mailbox. Google Street View was not helpful, as in most cases in Germany, and a quick walk-by revealed the address was a large gated town villa. No information on the target company was visible on mailboxes at the gate. To be completely sure, I had to gain inside access and in this particular case, my customer asked for conclusive evidence of my findings. The challenge was finding a way inside that would enable me to snoop around and even take pictures. Further research revealed that the town villa also accommodated a law firm, an advertising firm and an investment management company. I initially thought of posing as a parcel courier to gain entrance and then use a hidden camera to document what I found. However, this pretext came with lots of downsides. I would require a uniform, have to deliver a fake parcel (which would surely strike attention as soon they opened it) and using hidden cameras has always proven tricky in the past when trying to get quality images.

I did a little more OSINT research and found out the estate itself was designed and built by a famous German architect. It was one of his early works. At the time, I was just watching some old episodes of How I Met Your Mother. In one of the episodes, the main character Ted Mosby was giving an architecture lecture as a professor, boring his students with architectural facts. That gave me the idea to pose as a young architecture professor preparing a course on the style of architecture the town villa was built in. Of course, I would also need pictures of the house to point out certain style elements of the villa. With this idea in mind, I spent the next couple hours doing research and preparing my pretext. I learned quite a bit about the German historicism architecture of the 19th century and of course about the famous architect himself.

villa

The next morning I approached my target. Rather than ringing a doorbell and trying to gain access through the intercom, I choose to linger around the house and initially take pictures from the outside during a period in which I assumed people would be entering the estate to commence work. I planned to approach the first person I saw, tell them my cover story and hope to gain full access to the estate without raising suspicion. After all, I was just there to take a couple of pictures of the building itself. At this point, luck was on my side. The first person I encountered turned out to be the owner of the villa, who was in fact a direct descendant of the famous German architect that had built the place. This gentleman was so excited that a young professor wanted to use his estate as an example in class, that he happily invited me inside and allowed me to take as many pictures as I wanted. I received a complete tour, inside and out. I was able to take pictures of mailboxes inside the villa, have a peak into the office spaces and he told me about the current tenants, as well as answering my questions.  During this phase, I used all the architectural terminology I had learned to keep my cover upright.

In the end, I did not find any direct trace of the company I was looking for, nor was any office space for rent or any tenant moving out. However, I did see and take pictures of the internal mailbox belonging to the investment management company. This mailbox listed around 15 additional company names. Subsequent research linked one of those companies to the CEO of my actual target company and this proved to be a starting point for a whole network of letterbox companies.

That is the story of how I became Theodore Evelyn ‘Ted’ Mosby for a day and of course I did not use that name for my character. When I was a child, I remember my grandmother complaining about how harmful TV was and that what I watched was useless in real life. This one time, I guess I proved her wrong.

(By the way: No need in geolocating the villa in picture, it’s not the one from the actual case. However, it does look very similar)

MW-OSINT / 09.01.2019

Image: CC BY 2.0 @HaPe_Gera (image cropped)

The Golden Age of OSINT is over

Change is coming and it will greatly affect the way OSINT investigations are conducted in the future. Who knows, in a couple of years completely different skill sets might be needed to handle online investigations. Are we prepared?

In the OSINT community we constantly have to deal with changes. New tools and new platforms are always on the rise, just as old platforms and tools become obsolete in an instant. Staying updated is a continuous challenge, much more than just one person can handle. Luckily, most members of the OSINT community are willing to share any new discoveries, especially on Twitter. Therefore, following the hashtag #OSINT on Twitter, as well as numerous OSINT-related accounts, is the first and most important step when working in any area that requires OSINT skills.

There is always a lot of chatter on the future of OSINT and unlike many others, I do not think that Python is the future of OSINT. Does OSINT even have a future? Let us fast forward to the year 2022 and have a look at online investigations then.

roads ends2

January 2022:

Over the past years, more and more people have been made aware of their own data privacy and this has massively changed the way they use online services. What started with the release of the ‘Snowden documents’ in 2013 and continued with massive data breaches, such as the Cambridge Analytica case made public in 2018, has led to the desire to share less information publicly. This development basically made Facebook obsolete and new platforms have arisen in its place. Although Facebook still exists, the data it contains only has historic value and cannot be used for current investigations, much like Google+ or MySpace a couple of years back. Even though Facebook tried to turn the tide by changing privacy settings, the damage done by many the data breaches was too much to convince users to maintain a presence on the platform. Nowadays, social media is more anonymous than before, modern platforms do not require or request real names and information shared is not automatically distributed publicly. For OSINT investigations, this means that a real name might not provide a starting point to search for someone online. The main starting point is now an obscured username, which is hopefully unique enough to be used in investigations. How can we identify a username, if we just have a real name to start with?

In modern social media this is almost impossible. Unlike the old Facebook, which gave us a display name and an account name (mostly based on the real name), today’s social media does not reveal the real name. So, either you know the username to start with or you are pretty much screwed. Of course, another possibility is searching ‘historic’ sites that have linked usernames to real names, such as Facebook or maybe even Twitter. There are also commercial databases and people search engines that offer these services for a small fee. However, if someone was OPSEC-savvy before 2019, he or she most likely will not be found online easily in 2022. Even with a unique username, the information that can be obtained from social networks is marginal, since everyone is well aware of their own data privacy. If you are not a part of your targets network, you will not see anything. No updates, no pictures. Even likes and other forms of indirect communication between accounts will not be publicly disclosed. This rendered many of the Python tools developed over the past years obsolete, as the data that can be scraped is mostly useless.

With that said, how does OSINT look today? In general, we have shifted from the passive gathering of information to more active means of collecting data. I call it virtual HUMINT (VUMINT). The objective of VUMINT is to infiltrate target networks during investigations in order to see information that is not openly available and possibly even interact with the target on a ‘personal’ level. Whereas sock puppets in 2019 where mainly used to gain access to social networks in general, sock pockets nowadays are needed to gain access to specific profiles of our targets and their closed networks. Now, more than ever, it is important to have lifelike and tailor-made sock puppets to achieve this objective. A blog post from 2019 is still useful and gives a good description of sock puppets and how they should be setup: The OSINT Puppeteer. Building a sock puppet for a specific account is not something that is done in a short period time, so receiving results through VUMINT takes much longer than information gathering through passive OSINT. Naturally, there is no guarantee that a target will add you to his or her network, no matter how good the sock puppet is. This means you might invest a lot of time in the creation of a sock puppet without achieving any notable results. In certain ways, it is very similar to a target-centric phishing campaign.

Another challenge in modern OSINT is the vast dissemination of unverified or untrue information on the internet. Everyone can post everything online in an instant and everyone wants to have news in a heartbeat, making it harder for press and media to thoroughly research events before releasing information. Media and press institutes that fact-check and verify first are losing the battle against quick-releasing competitors. The customer’s demand for instant information over reliable information has flooded the internet with rumors and ‘fake news’. During investigations, more and more time is spent conducting OSINT research on the credibility of data found on specific targets. Finding the original source of the information, the so-called Patient Zero, assessing its trustworthiness and then determining how and if the information can be used in our investigations. Today, it is not the actual collection of open source data that is the key, but the actual evaluation of this material.

One thing that has not changed, is the fact that the global corporations behind online platforms, and thus intelligence services, still have the possibility to use all the personal data on users however they desire. While OSINT collection and intelligence has become more challenging for everyone outside of these corporations and intelligence services, it is easier than ever for them to make use of personal data. Whether it is tailor-made advertising or extensive profiling through intelligence services, our data and of course ourselves are now more transparent than ever. There is no hiding from global corporations or intelligence services anymore if we want to use online services. Luckily (or unfortunately), the personal data is not sold or leaked as much as it was a couple years ago, limiting the benefit of commercial databases.

In 2022, the Golden Age of OSINT in investigations is over. The trends that started around 2015, e.g. automating OSINT, do not work anymore. Instead of learning how to code, maybe we should focus on social engineering a bit more. A good OSINT investigator in 2022, first and foremost, needs to be a good intelligence analyst and have some strong Human Intelligence skills.

Thank goodness it’s still 2019!

MW-OSINT / 04.01.2019

百度地图 – On China’s Streets with Baidu Maps

Different countries, different customs. It doesn’t always have to be Google. Today I’ll present a possibility to look at addresses in China.

Google Street View is a must-have from OSINT investigators nowadays. Especially when conducting Geolocation Verifications, this tool is a valuable asset. The overall coverage is getting better day by day and in larger cities, such as Paris and London, the Google Street View car has passed multiple times, allowing us to see changes over the years. Even in third world and emerging countries there might be a solid Street View coverage. This effortlessly enables us to have a look at a remote village in Slovakia in order to check an address which supposedly belongs to a large company.

Unfortunately, there are still many blind spots on the Google Street View map. This isn’t Google’s fault and mostly results from regulatory reasons and/or security policies in various countries.

In Germany, the main reason is the complicated relation between Germans and data privacy. Only a few major cities have Street View coverage from 2009 and lots of locations are pixeled. Germany is a digital developing country.

PNG 1Google Street View coverage for Germany compared with neighboring countries

China also does not have a Street View coverage (except Hong Kong). This has regulatory reasons. However, China wouldn’t be China, if they didn’t have a copy of Street Maps. The Chinese search tool Baidu also incorporates a map tool that has something similar to Street View called Total View. There is no complete coverage in this tool, only in the larger cities and economic centers. Investigators conducting a due diligence of new business partner in China can use Baidu Maps to verify addresses. If the address which is supposed to house a large business only shows a small newspaper kiosk, something might not be right.

PNG 2Baidu Total View coverage (blue shaded area) in and around Shanghai

The big challenge here is the language barrier. Baidu is in Chinese and the automatic translation of this site sometimes does not work properly, so we’ll have to copy and paste sections of the page to get proper translations.

You can acces the Baidu Maps by clicking on 地图 (this translates to ‘map’) at the top right of the Baidu landing page.

PNG 3

In general, this tool is built like Google Maps. On the top left you’ll see the search field (red box). On the bottom right you can choose between the different view types: Street Map (green box), Satellite View (yellow box) and Total View (purple box).

PNG 4

It is best to search with Chinese search terms when using Baido. So, if we want to search for the address of a Chinese company, we should look up the address in Chinese on the website of the company.

Let us take Volkswagen (China) Investment Co. Ltd. (大众汽车(中国)投资有限公司), for example. This company is a subsidiary of the German automotive group. On the company’s website www.vw.com.cn we’ll find the company name and address in Chinese, of course we have to use Google Translate to get this far.

After copying the Chinese address into the Baidu Maps search, we’ll receive a result. Now we can switch to the Total View mode and place the camera icon right in front of the address.

PNG 7

Just like Google Street View, we now have to possibility to pitch and turn the camera, as well as zoomin in and out and ‘driving’ along the street. In our case, we can clearly see the Volkswagen building with its logo.

PNG 8

It isn’t always this easy, sometimes you have to look around a bit on Baidu Total View to actually find what you’re looking for.

I hope this short and simple blog post can help you when using Baidu Total View. Just play around with the tool a bit to learn more. If you have any questions or remarks, feel free to use the comment section underneath this blog post.

Ingmar Heinrich / 03.12.2018

The Nexus Analyst: Understanding your Customer’s Requirements

Nexus is ‘an important connection between the parts of a system’, according to the dictionary. In an intelligence environment, OSINT has the same function. Another example of how OSINT can provide important leads for HUMINT and SIGINT in Afghanistan.

Open Source Intelligence (OSINT) is all about perseverance and following bread crumbs that lead to key findings. To be honest, you won’t always find the smoking gun and in some cases you might miss it. That’s one thing I have learned: No matter how hard you look, you are always likely to miss out on something. That is why the OSINT community on Twitter is so important. New tools and techniques are shared there and help broaden your own set of skills on a daily basis. Another important lesson, is to always have clearly defined objectives, the so-called Key Intelligence Questions (KIQ), when conducting OSINT research. What specifically is your intelligence customer asking for? This means you have to understand the ultimate goal and your customer’s mindset to a certain extent.

My concept called Interdisciplinary Intelligence Preparation of Operations (I2PO) relies on OSINT to support other intelligence collection types (ICT), such as Signals Intelligence (SIGINT) or Human Intelligence (HUMINT), and vice versa. Therefore, the OSINT analyst must understand the specific requirements for each ICT. If you deliver a phone number or email address to a HUMINTer, he might give you puzzled looks. Again, I would like to demonstrate my point with an OSINT case that might easily happen this way in military intelligence and intelligence services. In a previous blog post, we had HUMINT information as a starting point for OSINT. This time, we have a couple of Key Intelligence Questions.

Imagine we are forward deployed OSINT analysts in Afghanistan. We not only provide information on the general situation in our area of operations, but also support the adjacent HUMINT and SIGINT teams. Our HUMINTers want to know a little more about the family ties of their intelligence targets and the networks surrounding these people (KIQ 1). The SIGINTer just needs some selectors such as phone number and email addresses, which he could task in his SIGINT systems (KIQ 2). One of the intelligence targets happens to be Mohammad Atta Noor, a key power broker in Northern Afghanistan.

We start out with a simple Google search and we soon find an interesting site containing bios of Afghan VIPs: afghan.bios.info. The entry on Mohammad Atta Noor is quite detailed and also reveals the name of one his sons, Tariq Noor.

Next up we conduct a Google search on Tariq Noor in combination with the name of his father. This leads us to Tariq’s Twitter account, where he is pictured together with his father.

1.png

Twitter also suggests further accounts to follow, one of them being Khalid Noor. It turns out that this is another son of Mohammad Atta Noor.

2.png

So far, we have names and pictures of two sons. Knowing that Mohammad Atta Noor has even more children, we could continue our search and identify the other children, while trying to obtain pictures and more data on them. However, let us focus on Tariq and Khalid first. As their father is a successful businessman, it is likely that his sons have businesses of their own, or are maybe even connected to their father’s companies.

To check this, we again have a look at the Afghan company register (www.acbrip.gov.af). Since we cannot search for individuals here, we assume that Tariq and Khalid have companies named after themselves. This search within the Afghan company register produces good results. The first result when looking for Khalid Noor even gives us the phone number of Mohammad Atta Noor and a bit of his family history with the names of Mohammad Atta Noor’s father and grandfather.

3

Mohammad Atta Noor is the president of the Khalid Noor LTD and states his father’s name is Haji Noor Mohammad and his grandfather’s name is Mirza Mohammad Gul. In Arabic and Central Asian countries, this information is valuable when distinguishing same-named persons. A look into the shareholders of this company reveal not only that Khalid is a shareholder, but also mentions other business partners (and their family history, as well as phone numbers). All this information helps build a network chart including the relevant family ties. This is the information our HUMINT team was looking for (KIQ 1). Of course, the phone numbers answer the Key Intelligence Question our SIGINT Team had (KIQ 2). A query for Tariq Noor produces similar results, including phone numbers of Tariq and his business partners.

4

All in all, following OSINT bread crumbs led to amazing key findings. Now this information can be used for HUMINT operations, when trying to infiltrate the networks around Mohammad Atta Noor and, as mentioned, also to task SIGINT operations. A perfect example of I2PO!

In conclusion, this way to work makes me refer to an OSINT analyst within military and intelligence services as a ‘Nexus Analyst’, an analyst in between ICTs. Someone that knows what HUMINT or SIGINT really need to conduct their missions successfully and who takes this into account when browsing the web.

MW-OSINT / 28.11.2018

Learning from Aircraft Spotters for Competitive Intelligence

Aircraft spotters use tracking sites to obtain information on flight paths, enabling them to take pictures of aircraft taking off or landing at airports. Did you know that these tracking sites and methods could also be useful when conducting OSINT investigations?

Today I would like show another aspect of OSINT when it comes to competitive intelligence (CI). Wikipedia defines CI as ‘the action of defining, gathering, analyzing, and distributing intelligence about products, customer, competitors’ in order to support decision making processes in companies. Depending on the actual case, we will do research in a variety of different sources, ranging from company databases, to credit rating services, and in some cases even deep-dive into social media. However, every once and while we might have to look into something more exotic.

The following case is completely fictional, but could easily take place as described.

German Special Forces are currently looking for a new light support helicopter. Two companies are in the race for this very lucrative contract: Airbus with its new H-145M design and a second company, which employs us to gather information on the Airbus product.

One of the key intelligence questions our customer wants us to answer is about the performance of the H-145M. We find out that Airbus conducts its testing at the airfield in Manching near Munich, Germany. Whenever aircraft fly through public airspace, they are required to switch on their ADS-B systems, which allows them to be tracked, avoiding collisions with other aircraft and thus ensuring flight safety. I would like to point out, that certain military or government flights are conducted without enabling ADS-B tracking. Another relevant point is that the tracking depends on a network of mostly private ADS-B receivers and is lacking full global coverage. However, Germany has a pretty decent coverage.

Using ADS-B tracking sites such as flightradar24.com, we can collect data on any relevant flights. As an alternative, we can also buy our own ADS-B tracker for as little as 20 euros and set it up in the vicinity of the airport. This information could prove valuable to our customer, when assessing the overall performance of the competitor’s product.

Today happens to be one of the test days and two helicopters take off from the airfield in Manching. These two are the pre-series H-145M models that we are looking for. For future reference, we can always identify them by their registration numbers.

1

Registration details a H-145M

The following picture shows the flight path during these tests. Looking at the flight path might give an indication on what exactly was tested.

2

We also obtain detailed information regarding the speed and altitude of these flights. This might lead to clues on the peak performance values.

3

Of course, our work does not end here. We continue to track every movement of the two identified helicopters. Future operations might even include getting high-resolution videos or photos of the helicopters and maybe even HUMINT to receive a couple more details.

This scenario unravels just one of the ways in which data from ADS-B tracking sites can be utilized. It can also be helpful when tracking specific flights or monitoring smaller airfields to find a specific plane. In the future I will provide another case in which the tracking of an airplane led to an important intelligence finding.

Until then, why you don’t you have a look at the traffic above yourself!

MW-OSINT / 08.11.2018

Covert Operations in a Digital World

Even spies leave behind a digital footprint. Through social media profiles and various leaks they can be identified and their clandestine activities exposed. In the digital age it takes more time and effort to conceal covert operations, requiring new approaches as early as during their recruiting.

Covert Ops in a Digital World2.jpg

The recent uncovering of Russian GRU agents accused with the attempt to poison former Russian spy Sergei Skripal, as well as the exposure of Saudi Arabian spies in the murder of Jamal Khashoggi clearly show the problems intelligence services are facing when conducting covert operations.

Investigate journalists, such as the Bellingcat team, were able to identify the suspected culprits, often using crowdsourcing to do so. These two examples have proven how effective and timely the wisdom of the crowd can be. Another reason for the great results achieved in these online investigations, is the fact that the contributors to each investigation were highly motivated: they did not make these findings because they had to; they wanted to unravel the mysteries surrounding aforementioned cases.

Both times, blatant mistakes made by the operatives left a paper trail to follow, ultimately leading to the identification of several members of Russian and Saudi intelligence services. Not accounting for the various slipups, the main problem is that all culprits do work for their nation’s government and/or intelligence services and this was too transparent. The GRU operatives had addresses registered to known GRU locations, one of the Saudi operatives is seen in pictures where he appears to belong to the close protection team accompanying Saudi crown prince Mohammad Bin Salman on travels. These are just two examples showing links between the individuals and their governments.

The question remains, how an intelligence service can conduct covert operations that actually remain covert. One of the most obvious solutions to counter this problem is minimizing an operatives’ digital presence. This can be achieved fairly easy. Covert operatives should stay away from social media and press coverage. However, an old IT-saying states: “There is no patch for human stupidity.” Due to this, there will always be a margin of error, undisciplined individuals making exactly the mistakes leading to their public exposure. Massive CCTV coverage is causing another problem. It is impossible to travel nowadays without being filmed or photographed. As soon as these pictures of individuals are published in news and on social media, crowdsourcing kicks in. Maybe this individual was seen entering  a government building, maybe a former government co-worker recognizes him. Although the former co-worker should probably keep this information to himself rather than risking legal consequences (many have signed some form of non-disclosure agreement), this does not stop it from happening. Again, human error stands in the way.  In conclusion, intelligence services should try to rule out human error as much as possible. Regular screenings on intelligence employees aimed at searching for compromising information online could help counter these exposure threats in a timely manner. Another approach would be to decrease the amount of people who actually know of the covert operative. One radical, yet most likely successful approach could be keeping covert operatives away from government entities.

Let me elaborate on this. As soon as an individual enlists within a government entity and becomes part of this system, bureaucracy takes its toll and the individual is listed in numerous databases for mainly administrative reasons, also increasing the number of people who know of his existence. Travel expenses, payment processes and even journeys to known government sites leave plenty of breadcrumbs to follow and to identify someone as a government employee. In many countries, once you are on the government’s payroll, it is highly unlikely you will ever leave the comfort of having this government job and the benefits that come with it.

What if a covert operative never actually worked for the government?

The scenario I am about to explain might sound like it is from a Hollywood movie script, but it might be the only feasible way to conduct future covert operations. It all starts with proper recruiting. Identifying suitable candidates will be challenging and I will not discuss what traits are essential to become a perfect spy. Although former military members might be the first choice, their military service might be what uncovers them in the future. Let us look at the following fictional career:

A young, fit 18-year-old named James appears at a police or military recruiting office and expresses interest in an intelligence, investigation and/or special forces career. He achieves outstanding results in the following assessment center. These results are noted by the intelligence service, upon which they approach the potential recruit. Of course, intensive screenings are conducted beforehand and at no point is he invited to official government sites. All contacts are conducted by a dedicated handler. The used modus operandi is basically the same one used when acquiring HUMINT sources.

James receives an offer to work for the intelligence service but not in the intelligence service. He receives a scholarship to study political science at a renowned university, earning a degree which will provide the basis for his future civilian career. The scholarship is payed for by a complex system of front companies, eventually ending in some sort of charity. During his studies, James uses the semester breaks or long weekends to train the many skills needed for his covert intelligence service job. Officially, he is on long backpack tours around the world or other types of vacations. This training method takes much longer and is conducted individually at inconspicuous sites. However, after 3-4 years of part-time training and smaller operations during his university sojourn, James should be able to conduct covert operations.

After his studies, James receives a job in a worldwide consulting company. Of course, some strings were pulled in the background to enable and promote his civilian career. From time to time, James has to oversee projects in other cities or countries. This is the cover needed to enable worldwide travel to conduct covert intelligence operations. These projects could actually originate from government entities and thus fit to the intelligence operation.

After a certain time as a covert operative, James is removed from the operational line of duty. The compensation for his intelligence work could then be a non-covert job within the intelligence service (or another related government entity) or a severance pay.

This description is very short and is lacking many of the challenging details. I would like to point out a couple of interesting aspects to why this concept might actually be worth the effort:

  • The recruit could be dismissed at any time during the training program without major consequences. Other than his handlers, he does not have deep insight into the intelligence service, its locations or operations.
  • Providing a college education and kickstarting a promising civilian career, as well as offering an interesting field of work in the intelligence sector should prove extremely motivational.
  • The civilian career, when guided by the intelligence service, would deliver the best cover story for operations.
  • Failed operations could be denied easier by government entities. In this case, a statement like the recent Saudi “rogue operative theory” would pass easier.

Even though the ratio of supporting intelligence personnel assigned exclusively to such an external covert operative is higher than compared to the amount of supporting staff for regular intelligence employees, the external covert operative in total has less exposure to intelligence personnel. Regarding training, financial and operational planning, everything could be kept in a smaller yet highly professional scale.

Who knows, maybe these techniques are already in use by some intelligence services worldwide. That is probably the reason we never hear about it. Maybe the person sitting next to you on the plane is not just the business traveler he pretends to be.

MW-OSINT / 24.10.2018