The Impact of OSINT on Christmas

Proper intelligence is vital to prepare military and law enforcement operations or to provide information to political and business leadership prior to decision making. However, these are not the only people relying on good intelligence to get the job done. I had the honor of interviewing a very special person on his views of intelligence and how his organization utilizes it for one of the most challenging tasks known to mankind.

Sir, it is such an honor to have you here. Tell us a little about yourself. What exactly is your job and how does it involve intelligence work?

I go by many names, but please just call me Santa. I am in charge of a large organization tasked with bringing joy and fun to children worldwide on Christmas Eve. While I’m pretty sure you all know what I do during the Christmas night, not many people know what happens prior to this.

My organization and I have roughly 24 hours to deliver presents to children who deserve them. In order to accomplish this, a lot of planning is necessary and this planning is based on the information I receive from an intelligence agency within my organization. In Santa’s Secret Service, or S3, we mainly conduct GEOINT along with OSINT to make sure everything runs smooth on that one special night. Oh, and don’t confuse us with the Amazon web service.

Santa, while most of my readers are acquainted with terms such as GEOINT and OSINT, could you please explain what they are and possibly provide a use case from your organization.

Sure. I only have a limited timeframe to make sure I deliver everything to the right address. The route I take has to be carefully planned. The number of children on this world is steadily growing, more deliveries leave less room for mistkes. Even though my sleigh travels at an incredible speed…

How fast and how does that work?

I’m afraid that is classified. In order to properly plan the route, I rely on precise satellite imagery and maps. Imagery and maps from search engine providers are not up to date and commercial satellite imagery is not detailed enough. Keep in mind, my team has to figure out the best way into a chimney. We need a resolution of less than 0.3m to do so. Before Christmas, my sleigh is outfitted with an ultra high resolution imaging system and flies several sorties. While the actual collection of the imagery does not take that long, creating maps and the final route based on this is a bit more time-consuming. The whole process I just described is referred to as geospatial intelligence, or GEOINT.

Wow, that alone is probably a large amount of data collected each year. How do you process such massive amounts of data?

We have our own server infrastructure at S3. Located in vicinity of the North Pole, our energy consumption is lower than usual, because we have a natural cooling system.

 What happens after you have mapped the world?

I forgot to mention one thing. In order to plan the route, we need to know who will receive a delivery. Luckily, I have information on the address of each child from a classified source. But, does this child even deserve anything? We have to figure out who was naughty and nice. A lot of this is done through open source intelligence, or OSINT.

While we could use classic signals intelligence (SIGINT) to tap into communications and try to answer the question who is naughty or nice, we have found that OSINT provides the best “bang for the buck”. S3 has a very large team of OSINTers, who mainly monitor social media activities.

What exactly is your team looking into?

My OSINTers start off looking into profiles of the children, but not only to see how they behave. Depending on the region they live in, the platforms they use will differ. From Ask.fm to Weibo, there are many differnt sources to look at. We have seen TikTok blow up over the past months, but we also still obtain a lot of information from “older” platforms such as Facebook and Pinterest. These platforms also provide leads on the interests of our targeted subjects, which enables my organization to match them with the perfect present. We not only look at the children, but also monitor profiles of their family and friends, since relevant information is hidden here as well. As you can see, this is all a very deep intrusion into personal privacy. Therefore, we have very strict rules on how to handle this data, a massive auditing and compliance system and constant trainings for my team. If you thought GDPR was challenging, you wouldn’t want to know how much effort we put into protecting the privacy of our subjects!

Many children nowadays are active in closed communications, such as messengers, or they have restricted public access to their acounts by changing their privacy settings. How do you cope with this?

There are two different approaches we can take here. The first one is what you would call virtual HUMINT, or VUMINT. We try to place someone within a closed chat group using a false persona. For example, a group of friends has a WhatsApp channel with 20 participants. Using OSINT, we create a sock puppet credible enough to be invited into this group. In cases in which this works, we then can then instantly monitor 20 people. Of course, such actions are subject to much stricter rules and regulations that normal OSINT and are not performed often.

The second approach would be a classic computer network operation, or “hacking” an account. This is very rarely done and the methods and techniques are highly classified.

What about children who don’t have access to modern communications?

In this case, we rely on classic human intelligence, or HUMINT. Throughout the world, we have a network of sources directly providing us information. A lot of this is hearsay, so we try to confirm information with other sources before processing it. This actually also applies to data won through OSINT.

However, I would like to point out that at the end of the day we will never gather everything on everyone. Have you ever wondered why a spoiled and misbehaved child you knew received a nice present anyway? No matter how much effort we put into intelligence collection, there will always be a delta between what information is out there and which information we have obtained. I think that is the nature of intelligence work in general.

Circling back to OSINT, how does S3 ensure that they are up to date on new tools and techniques?

We do OSINT to enable OSINT. Of course, we follow #OSINT on Twitter and we also have someone monitoring osint.team as well as various blogs such as osintcurio.us and your blog.

Wow, I’m honored to have made it on S3’s reading list. I know you are quite busy, so we can wrap it up here. Is there anything else you would like to add?

Merry Christmas, happy OSINTing and I wish you all the best in 2020!

cropped-desktop-2.png

Matthias Wilson / 22.12.2019

Researching Right-Wing Extremism in Central Europe

How to start investigations on right-wing extremists? Work your way through multiple social media platforms and combine information to generate leads!

The recent Iron March Leak once again showed the extent of right-wing extremism within our society. This leak provided a massive mount of data to conduct online investigations. While Iron March was shut down, the individuals behind it still use many other platforms to disseminate their thoughts and ideas and to communicate among each other. Of course, the new communication channels they use won’t be found with a mere Google search. In order to find such sites, we will have to follow the digital breadcrumbs across various social media networks. In this article, I would like to show starting points for OSINT research and how to work your way through different platforms to identify potentially relevant information when tracking down right-wing extremists.

Looking through social media, we will unfortunately find lots of people that follow a racist or fascist ideology. These people might not be the actual targets we are looking for, but they could lead us to them. Especially in Germany and other central European countries, many people have left Facebook and Twitter after their accounts were temporarily suspended or deleted upon sharing hate speech, which under certain circumstances is a criminal offence. They found refuge on the Russian Facebook-clone VKontakte (short: VK) and Gab, as an alternative to Twitter. In order to access information on these platforms, we will of course have to create sockpuppets. VK also allows logging on with a Facebook-account, as do many other social media platforms.

Let us start our research from scratch. First, we will have to identify individuals that might be worth investigating. Since many of these individuals think of themselves as “patriots” in Germany, searching for this term might lead to some initial results on VK.

1

2.png

Et voilà, the first VK-group to investigate. As you can see, this group also cites a Facebook-page. However, the Facebook-presence has been deleted and does not exist anymore. Going through the posts on this page and having a look at the members clearly shows that we are on the right track. Below are profile pictures of some of the members. Many images shown here, such as the swastika, are banned by law in Germany. Yet, on VK German citizens are free to display their ideology without any notable repercussions.

3

While the information posted within the VK-Group “German Patriots” might not lead to real extremist sites, the information shared by members of the group on their personal profiles could get us there. With no way of automating the next step, one of the most important OSINT traits is now needed: perseverance. This means we will have look at a number of these personal profiles manually to find new leads. Instead of going through all 2000+ member-profiles, let us concentrate on the ones with the most disturbing profile pictures. One interesting aspect during this investigation, is the fact that many people that can be found here have Russian-ancestry. This means we might also find information on another Russian social platform called Odnoklassniki (short: OK). Keep this in mind when conducting OSINT on people of Russian origin.

It doesn’t take long and we find hints towards the use of other platforms and communication channels outside of VK. Some individuals have posted their Skype-usernames, some link Telegram channels. One post from January 2018 describes an independent message board outside of Facebook and VK. The author invites people to join this outside platform by commenting or liking the post, after which he will get in contact with them and invite them to the newly created site. Interestingly, he doesn’t disclose the name or URL of his VK and Facebook alternative.

4

The author hasn’t publicly been active on VK since this post, although he did access it just two days ago. VK displays the last time of user activity, a useful feature to determine if the account is still active, even if nothing is publicly posted.

5

Regarding the unspecified platform mentioned above, I remembered stumbling upon such a site while conducting a similar search on Facebook. There I had also started by looking for profiles and pages containing derivations of “patriot”. This led me to a page called “Patrioten-Treff”, promoting a Facebook-like platform.

6.png

It turns out that this project started in early or mid-2017 and by December 2017/January 2018 it had opened to public. It was exactly the type of right-wing extremist forum I was looking for.

7.png

8.png

Online shops, racist discussions, team speak servers, organized events; “Patrioten-Treff” had it all. By linking the information I had found on VK and Facebook, it is likely that the person I had come across on VK was actually part of the team behind this new right-wing social media alternative. By early 2019 it was offline, but the content displayed there was more radical than anything seen on standard social media. Regarding the reason it shut down, it could be out of lack of funding. Before “Patrioten-Treff” was taken down, they requested funding to cover the expenses. Payment could be made by Bitcoin, direct transfer, Alipay and Paypal. Again, providing further leads to conduct OSINT investigations.

9.png

Patrioten-Treff had 2,500 users and was not even able to raise 80 Euros a month. I guess right-wing extremists are a bit stingy. Next to financial support, content moderators were needed. These moderators would communicate using WhatsApp.

10.png

While Patrioten-Treff is currently offline, the Facebook-page continues to be active every once and while. A recent post from September 2019 shared a Telegramm channel of the German neo-Nazi party Der III. Weg.

11

In this cross-domain investigation, manually searching for information on one social media platform led us to a plethora of new starting points to dive into. From VK to Skype, from Facebook to Telegram, from Bitcoin to WhatsApp; there are now plenty of leads to follow up upon. Not all leads can be investigated with OSINT, but this type of intelligence might provide the information we need to conduct Virtual HUMINT (VUMINT), enabling an infiltration of the new message board, Telegram channels or WhatsApp groups. I didn’t go that far, but I’m sure someone or some organization did.

By the way, the methodology described above can also be used to track other extremist groups. I wonder if other groups are just as cheap as the right-wing that couldn’t raise 80 Euros to host a website?

Matthias Wilson / 01.12.2019

The Golden Age of OSINT is over

Change is coming and it will greatly affect the way OSINT investigations are conducted in the future. Who knows, in a couple of years completely different skill sets might be needed to handle online investigations. Are we prepared?

In the OSINT community we constantly have to deal with changes. New tools and new platforms are always on the rise, just as old platforms and tools become obsolete in an instant. Staying updated is a continuous challenge, much more than just one person can handle. Luckily, most members of the OSINT community are willing to share any new discoveries, especially on Twitter. Therefore, following the hashtag #OSINT on Twitter, as well as numerous OSINT-related accounts, is the first and most important step when working in any area that requires OSINT skills.

There is always a lot of chatter on the future of OSINT and unlike many others, I do not think that Python is the future of OSINT. Does OSINT even have a future? Let us fast forward to the year 2022 and have a look at online investigations then.

roads ends2

January 2022:

Over the past years, more and more people have been made aware of their own data privacy and this has massively changed the way they use online services. What started with the release of the ‘Snowden documents’ in 2013 and continued with massive data breaches, such as the Cambridge Analytica case made public in 2018, has led to the desire to share less information publicly. This development basically made Facebook obsolete and new platforms have arisen in its place. Although Facebook still exists, the data it contains only has historic value and cannot be used for current investigations, much like Google+ or MySpace a couple of years back. Even though Facebook tried to turn the tide by changing privacy settings, the damage done by many the data breaches was too much to convince users to maintain a presence on the platform. Nowadays, social media is more anonymous than before, modern platforms do not require or request real names and information shared is not automatically distributed publicly. For OSINT investigations, this means that a real name might not provide a starting point to search for someone online. The main starting point is now an obscured username, which is hopefully unique enough to be used in investigations. How can we identify a username, if we just have a real name to start with?

In modern social media this is almost impossible. Unlike the old Facebook, which gave us a display name and an account name (mostly based on the real name), today’s social media does not reveal the real name. So, either you know the username to start with or you are pretty much screwed. Of course, another possibility is searching ‘historic’ sites that have linked usernames to real names, such as Facebook or maybe even Twitter. There are also commercial databases and people search engines that offer these services for a small fee. However, if someone was OPSEC-savvy before 2019, he or she most likely will not be found online easily in 2022. Even with a unique username, the information that can be obtained from social networks is marginal, since everyone is well aware of their own data privacy. If you are not a part of your targets network, you will not see anything. No updates, no pictures. Even likes and other forms of indirect communication between accounts will not be publicly disclosed. This rendered many of the Python tools developed over the past years obsolete, as the data that can be scraped is mostly useless.

With that said, how does OSINT look today? In general, we have shifted from the passive gathering of information to more active means of collecting data. I call it virtual HUMINT (VUMINT). The objective of VUMINT is to infiltrate target networks during investigations in order to see information that is not openly available and possibly even interact with the target on a ‘personal’ level. Whereas sock puppets in 2019 where mainly used to gain access to social networks in general, sock pockets nowadays are needed to gain access to specific profiles of our targets and their closed networks. Now, more than ever, it is important to have lifelike and tailor-made sock puppets to achieve this objective. A blog post from 2019 is still useful and gives a good description of sock puppets and how they should be setup: The OSINT Puppeteer. Building a sock puppet for a specific account is not something that is done in a short period time, so receiving results through VUMINT takes much longer than information gathering through passive OSINT. Naturally, there is no guarantee that a target will add you to his or her network, no matter how good the sock puppet is. This means you might invest a lot of time in the creation of a sock puppet without achieving any notable results. In certain ways, it is very similar to a target-centric phishing campaign.

Another challenge in modern OSINT is the vast dissemination of unverified or untrue information on the internet. Everyone can post everything online in an instant and everyone wants to have news in a heartbeat, making it harder for press and media to thoroughly research events before releasing information. Media and press institutes that fact-check and verify first are losing the battle against quick-releasing competitors. The customer’s demand for instant information over reliable information has flooded the internet with rumors and ‘fake news’. During investigations, more and more time is spent conducting OSINT research on the credibility of data found on specific targets. Finding the original source of the information, the so-called Patient Zero, assessing its trustworthiness and then determining how and if the information can be used in our investigations. Today, it is not the actual collection of open source data that is the key, but the actual evaluation of this material.

One thing that has not changed, is the fact that the global corporations behind online platforms, and thus intelligence services, still have the possibility to use all the personal data on users however they desire. While OSINT collection and intelligence has become more challenging for everyone outside of these corporations and intelligence services, it is easier than ever for them to make use of personal data. Whether it is tailor-made advertising or extensive profiling through intelligence services, our data and of course ourselves are now more transparent than ever. There is no hiding from global corporations or intelligence services anymore if we want to use online services. Luckily (or unfortunately), the personal data is not sold or leaked as much as it was a couple years ago, limiting the benefit of commercial databases.

In 2022, the Golden Age of OSINT in investigations is over. The trends that started around 2015, e.g. automating OSINT, do not work anymore. Instead of learning how to code, maybe we should focus on social engineering a bit more. A good OSINT investigator in 2022, first and foremost, needs to be a good intelligence analyst and have some strong Human Intelligence skills.

Thank goodness it’s still 2019!

Matthias Wilson / 04.01.2019