OSINT is Open Source Intelligence: it is derived from data and information that is available to the general public. It’s not limited to what can be found using Google, although the so-called “surface web” is an important component. Most of the tools and techniques used to conduct open source intelligence initiatives are designed to help security professionals (or even threat actors) focus their efforts on specific areas of interest.
Bellingcat used all of its OSINT wiles to unmask a Russian spy – with a very interesting connection to the Russian attack on Sergei Skripal and his daughter in Salisbury, UK in 2018.
26 August 2022 – Open Source Intelligence (OSINT) is a subject I have written about many, many times before, especially in my series which covers the war in Ukraine. If you are in the eDiscovery or cybersecurity industries, you know much of this because many vendors in those industries use OSINT in their digital investigations work.
I have been fortunate because via my own company, Luminative Media, I started an OSINT unit about eight years ago and it has proved invaluable. Many of those contacts are Russian and Ukrainian and still based in Eastern Europe.
But as a journalist I am only following the path any responsible publisher needs to follow: to invest in greater capacity for robust fact-checking and digital verification. It’s not only the media giants like the New York Times or the BBC – who obviously have enormous resources to maintain fully-staffed open-source investigations units – but us smaller operations that must do the same. And I am heartened that organizations like Bellingcat (which is the star of this post as you will see) are receiving more and more funding.
Last year I published a monograph on OSINT for my paying subscribers but I’ll summarise a few points for all of my readers:
• OSINT has enabled many forensic breakthroughs in recent years and Bellingcat has made fuller use of it than any organisation I know. The internet remains an astonishing resource for helping redress the power imbalances between the rulers and the ruled. History is no longer just written by the winners, but filmed by the losers on their smartphones. To me, Bellingcat stands at the nexus of journalism, activism, computer science, criminal investigation and academic research.
• Its origins (somewhat) lie in the world of intelligence and law enforcement. It was in the U.S., via the final report of the 9/11 Commission in 2004, that the first “official” recommendation came to create a government open-source intelligence unit, a proposal reinforced a year later by the Iraq Intelligence Commission. But as we all knew, the methodology had already found its most innovative and effective use in the hands of journalists. OSINT has a long history and use.
• The central pursuit in open-source investigations is finding publicly accessible data on an incident, verifying the authenticity of the data, using that data to confirm the temporal and spatial dimensions of the incident, and cross-referencing the data with other digital records.
• An open-source investigator will thus start by scouring social media for postings from the area around the time. Once such images are found, they will be geolocated using Google Earth to cross-reference geographical features. The time for each image will then be confirmed, using digital sundials to calculate shadow length and direction. For instance, a route for a missile launcher can then be constructed by placing the photographs on a map along with the time for each sighting.
• For all its utility, such material always carries the risk of inauthenticity or manipulation. With the help of its ally Russia, for instance, Syria adapted to our new media environment by mobilizing armies of trolls to add digital noise to the mix, further diminishing trust in such material. This is where open-source verification becomes essential, establishing the authenticity of audio-visual material before any conclusions can be drawn from it.
• And an important note. The remoteness of open-source analysts from the subject of their analysis is not as absolute as its critics make it out to be. Much of the data used in open-source analysis comes from witnesses on the ground who have more immediate access to events. Which is certainly true in Ukraine.
• Most open-source investigators aren’t formally employed as journalists – many emerged from a gaming subculture where street cred derives from the economy and precision of one’s method – and professionals from other fields of expertise such as architecture, medicine, chemistry, finance, and law have found uses for their specialist knowledge in unraveling forensic puzzles. The British-Israeli architect Eyal Weizman has pioneered the entirely new field of forensic architecture, using open-source data for spatial investigations into human rights violations; the chemical weapons expert Dan Kaszeta has contributed to several Bellingcat investigations; UC Berkeley’s Human Rights Investigations Lab recruits from over a dozen disciplines.
• For me, this is the closest that journalism has come to a scientific method: the transparency allows the process to be replicated, the underlying data to be examined, and the conclusions to be tested by others. This is worlds apart from the journalism of assertion that demands trust in expert authority.
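The "digital sundial" check mentioned in the list above can be worked through in code. This is an added example, not code from the original post or from Bellingcat: it uses the NOAA low-precision solar position series, and the coordinates, date and "measured" shadow values are constructed for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

def sun_position(when_utc, lat_deg, lon_deg):
    """Solar (elevation, azimuth) in degrees, azimuth clockwise from north.
    NOAA low-precision series, good to roughly half a degree."""
    hours = when_utc.hour + when_utc.minute / 60 + when_utc.second / 3600
    g = 2 * math.pi / 365 * (when_utc.timetuple().tm_yday - 1 + (hours - 12) / 24)
    eot = 229.18 * (0.000075 + 0.001868 * math.cos(g) - 0.032077 * math.sin(g)
                    - 0.014615 * math.cos(2 * g) - 0.040849 * math.sin(2 * g))
    decl = (0.006918 - 0.399912 * math.cos(g) + 0.070257 * math.sin(g)
            - 0.006758 * math.cos(2 * g) + 0.000907 * math.sin(2 * g)
            - 0.002697 * math.cos(3 * g) + 0.00148 * math.sin(3 * g))
    # True solar time in minutes, then hour angle (negative before solar noon).
    ha = math.radians((hours * 60 + eot + 4 * lon_deg) / 4 - 180)
    lat = math.radians(lat_deg)
    up = math.sin(lat) * math.sin(decl) + math.cos(lat) * math.cos(decl) * math.cos(ha)
    east = -math.cos(decl) * math.sin(ha)
    north = math.cos(lat) * math.sin(decl) - math.sin(lat) * math.cos(decl) * math.cos(ha)
    return math.degrees(math.asin(up)), math.degrees(math.atan2(east, north)) % 360

def shadow(when_utc, lat_deg, lon_deg):
    """(shadow azimuth in degrees, shadow length / object height), or None at night."""
    el, az = sun_position(when_utc, lat_deg, lon_deg)
    if el <= 0:
        return None
    return (az + 180) % 360, 1 / math.tan(math.radians(el))

def estimate_capture_time(day_utc, lat_deg, lon_deg, shadow_az, length_ratio):
    """Scan the UTC day minute by minute for the best match to a measured shadow."""
    best = None
    for minute in range(24 * 60):
        t = day_utc + timedelta(minutes=minute)
        s = shadow(t, lat_deg, lon_deg)
        if s is None:
            continue
        az_err = abs((s[0] - shadow_az + 180) % 360 - 180)  # wrap-safe angle difference
        score = az_err + 10 * abs(s[1] - length_ratio)      # heuristic weighting
        if best is None or score < best[0]:
            best = (score, t)
    return best[1] if best else None

# Constructed scene (not from any real image): Kyiv-area coordinates, 15 June 2022.
LAT, LON = 50.45, 30.52
DAY = datetime(2022, 6, 15, tzinfo=timezone.utc)
claimed = DAY + timedelta(hours=9, minutes=30)
measured_az, measured_ratio = shadow(claimed, LAT, LON)
```

In practice the shadow azimuth and length ratio are measured from the geolocated image, and a recovered time that disagrees with the poster's claimed time is a signal that the material needs further verification.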
And the Big Gorilla: metadata. Just to highlight a few points certainly known to any of us that have worked in cybersecurity, military intelligence or the legaltech industry:
1. Metadata can be more useful than the content of a particular message or voice call
2. Metadata can be mapped through time creating a nifty path of an individual’s movements
3. Metadata can be cross-correlated easily with other data. If you follow the myriad of experts on LinkedIn who know this stuff cold, or read the works of Gordon Corera, John Hughes-Wilson or Bruce Schneier (plus a host of others but they are my favs; email me and I’ll send you my reading list) the ease and magic of cross-correlation is an eye opener.
4. Metadata can be analyzed in more than two dimensions.
And it was by using almost all of the tools I noted above (plus other very cool OSINT tools) that Bellingcat was able to unmask a Russian spy.
ABOVE: “Maria Adela Kuhfeldt Rivera” otherwise known as Olga Kolobova, agent for the GRU (Russia’s main military intelligence service) who led an active social life in Naples, where she befriended Nato staff.
The Bellingcat article is a very long read, with copious detail, and my ediscovery, cybersecurity and military intelligence communities will (well, should) find it fascinating. But to summarize:
• Bellingcat worked with a team of investigators that included investigative journalists from Der Spiegel, The Insider and La Repubblica over the course of 10 months. It is based on data from open sources, publicly accessible archives, FOIA data from Peru, leaked Russian databases, material from the Dark Net plus interviews with people who had unsuspectingly befriended the Russian spy.
• The investigators say the woman went by the name of Maria Adela Kuhfeldt Rivera, and told people she met that she was the child of a German father and Peruvian mother, born in the city of Callao, Peru.
• In fact, she was a career GRU officer from Russia.
• “Rivera” was what the intelligence community call an illegal, a deep-cover agent trained to pose as a foreigner. Moscow’s intelligence agencies have used illegals since the early Soviet period. Sometimes, they stay living in their fake identities for decades. Some GRU illegals only travel abroad for quick, short-term missions and change identities regularly.
• Posing as “Rivera”, the illegal moved between Rome, Malta and Paris, eventually settling in Naples, home of Nato’s Allied Joint Force Command, around 2013. She set up a jewellery boutique called Serein and led an active social life.
• Her acquaintances said that by taking on the role of secretary at the Naples branch of the international Lions Club, she was able to befriend many Nato staff and other affiliates. One Nato employee told the investigators that he had a brief romantic relationship with “Rivera”.
• Traditionally, illegals have been extremely hard for counterintelligence agencies to find, but in a world of biometric data, facial recognition software and open source investigation possibilities, it has become harder for Russia to keep its illegals below the radar.
• Christo Grozev, Bellingcat’s CEO and lead investigator, said in an interview that he had first found the trail of a possible GRU illegal when he was looking at a leaked database of border crossings logged by Belarusian border guards and provided by a group of hackers in opposition to the regime of Alexander Lukashenko.
• Grozev searched for Russian passport numbers in ranges known to have been used by GRU operatives, and found numerous hits. Most had Russian names, but one stood out: Maria Adela Kuhfeldt Rivera.
• Looking more closely at “Rivera”, Grozev found that she travelled on several Russian passports with serial numbers in a range used by other known GRU operatives, including an officer who had been indicted for the alleged novichok poisoning of the Bulgarian arms dealer Emilian Gebrev, and another GRU officer reportedly involved in the attack on Sergei Skripal and his daughter in Salisbury in 2018.
• He also discovered that on 15 September 2018, “Rivera” bought a ticket from Naples to Moscow. The previous day, Bellingcat and its Russian investigative partner, the Insider, published an article on the two Salisbury poisoners, who travelled under the cover identities Ruslan Boshirov and Alexander Petrov, noting irregularities in their passport data suggesting they had security services links.
• It seems “Rivera” was withdrawn by her bosses, who feared that other operatives with similar passport numbers could be compromised. She does not appear to have left Russia again.
• Two months after her sudden departure from Naples, she posted a Facebook status in Italian, apparently as a way of explaining her disappearance and silence: “It’s the truth I must finally reveal … Hair is growing now after chemo, very short but it’s there. I miss everything, but I’m trying to breathe”.
• Bellingcat did not give up. Through some amazing OSINT detective work they unmasked her as Olga Kolobova, GRU agent.
It is an utterly amazing story and you can read the full Bellingcat report by clicking here.
Which takes me to an extraordinary book to end this post.
As my regular readers know, I have quoted Bellingcat in numerous posts. Bellingcat is the open-source investigative agency founded by Eliot Higgins, a British researcher and citizen journalist, who I had the opportunity to meet a few years ago.
Bellingcat’s name comes from the old fable in which the mice hung a bell around the cat’s neck so that it would never catch them again.
In a video posted on YouTube last year, the Russian opposition leader Alexei Navalny described in chilling detail how a secret service hit squad had poisoned him with the novichok nerve agent. Navalny identified the intelligence operatives involved. He even telephoned one of them later and tricked him into describing how he smeared novichok on Navalny’s underpants, the subject of another video. The Kremlin dismissed the accusations on the novel grounds that it would have done a better job of killing Navalny had it wanted to do so. But Navalny’s video severely dented the Kremlin’s denials of involvement and presented an alternative story to 22m viewers, something unimaginable in the pre-internet era.
This extraordinary exposé was aided by Bellingcat. Using airline passenger manifests, telephone records, geolocation data and personnel files, all circulating on the darker recesses of the Russian internet, Bellingcat was able to piece together the plot to poison Navalny.
That story, plus scores of others detailed in the book, speaks to Bellingcat’s role: to take aim at those who only bewail the downsides of the internet. As Higgins says in his book:
“At Bellingcat, we do not accept this cyber-miserabilism. The marvels of the internet can still have an impact for the better.”
Higgins also details how his team of researchers helped unmask the Russian spies responsible for the novichok poisonings of Sergei Skripal and his daughter Yulia in Salisbury in 2018. Plus how they tracked down the Russian Buk anti-aircraft missile system that shot down Malaysia Airlines MH17 over eastern Ukraine in 2014, killing 298 passengers and crew. And how they documented chemical weapons attacks in Syria and human rights abuses in Libya, all of which has been used by the International Criminal Court.
Simply put, in his view, the internet remains an astonishing resource for helping redress the power imbalances between the rulers and the ruled. History is no longer just written by the winners, but filmed by the losers on their smartphones. To me, Bellingcat stands at the nexus of journalism, activism, computer science, criminal investigation and academic research.
This is not meant to be a review of the book so just a few points:
1. In the book, Higgins recounts how he dropped out of college in the 1990s and worked in a series of dead-end jobs in Leicester, UK, taking refuge in video games. But his fascination with the Arab Spring sparked a new obsession with current affairs. By scouring online videos, using translation services and Google Maps, Higgins was able to piece together the unfolding drama and contributed to news blogs before setting one up himself. He built up a network of fellow citizen journalists around the world, each having an area of particular expertise.
2. The investigators turn all their collected archive information into usable datasets, which can be used to identify patterns of behavior, visualize entire landscapes, show how things have changed over time, and cross-correlate.
3. OSINT has enabled many forensic breakthroughs in recent years (many now used in eDiscovery and cybersecurity) and Bellingcat has certainly made full use of them.
As I noted above, the central pursuit in open-source investigations is finding publicly accessible data on an incident, verifying the authenticity of the data, using that data to confirm the temporal and spatial dimensions of the incident, and cross-referencing the data with other digital records. Eliot’s book explains how it is done.