
How the invasion of Ukraine is shaping OSINT

OSINT, or Open-Source Intelligence, is the collection and analysis of data available from open sources, typically done by regular people like you and me. This means it's mostly non-state actors being thrust into an intelligence role, bona fide Internet detectives, solely thanks to the massive amount of data available online through social media, blogs, video sharing sites, corporate offerings, and other channels. It's not a new discipline; in fact, it has been done for many years and has accomplished a lot of good throughout the world, from finding kidnapping victims to conducting cybersecurity exercises. But the domain of OSINT goes much further, and sometimes people can get carried away, such as the time an online group used open source data to figure out who the Boston bombing suspect was, only to point the finger at several innocent people.

Yet regardless of the past successes and failures of OSINT, this year has seen the discipline expand to a completely new area, with many new people participating. This new area is that of military operations and the war in Ukraine. This war is the most widely seen and widely reported on, thanks to the ubiquity of cellphone cameras, social media and high-tech devices like drones and satellite antennas. Gone are the days of watching the war on TV; now we get updates straight from the battlefield onto our mobile apps in real time, as they happen. This in turn leads to actual real-world actions by non-military actors, like people sourcing equipment for those on the front lines, helping with evacuations, espionage, scouting and more. In this post I'll go over how some of it is happening, and how you can participate.

If you pay attention to news reports about the war, one thing you may quickly notice is that most news channels don't have a large number of reporters on the front line. Most of them will have a single correspondent in a hotel, and the videos they show all come from social media. This means that the news crews aren't the ones going to the event and filming it. Instead, they access thousands of videos from the front lines and take their picks to show on TV. But these videos, along with photos, posts and more, are accessible to all of us. Anyone can get them and reach their own conclusions about what's going on, sometimes to a much more detailed degree than a local news network is able to, and many groups have arisen doing just that. One example is the Institute for the Study of War, which publishes very accurate and detailed reports every single day on all the large conflicts happening around the world.

To start with, the traditional networks such as Facebook, YouTube and Twitter contain a lot of data you can comb through once you identify which users you want to follow. But in the past few years, a messaging app called Telegram has emerged as the most popular platform for people who want the most unfiltered data possible. The biggest difference is censorship. Despite the Internet having once been called the 'wild west' when it comes to what people post online, these days there are a lot of automated controls in place on all the popular platforms. For example, if you scan YouTube for videos from the war, any gore will be masked. Same for photos posted on Twitter or Facebook. The reason is that algorithms constantly scan for this and content gets automatically removed. Telegram doesn't censor, so if you end up on the wrong channels in that app, you will see things that you literally cannot unsee. You've been warned.

Censorship is usually seen as a bad thing, but it's really a double-edged sword. When Trump was removed from all the popular platforms, it was seen as a win in the fight against misinformation. But on a platform with no censorship like Telegram, the former President still has an active and very large following. So anyone looking to get deeper into OSINT needs a sharp, analytical mind to delve through never-ending troves of data before deciding what is real and what is fake. In this age of social media, everyone seems to have an agenda, a bias. By having access to the raw data, you can view multiple perspectives and, over time, come to conclusions on your own.

So what can you actually find about the war on these open source sites? The most popular type of posts you will see are updates directly from the war, written by soldiers, officials or civilians on the front lines or nearby, along with photos and videos they take or share. There are even drone videos released by soldiers, civilians and the propaganda bureaus of both sides. For example, this Ukrainian reports on advances by the Ukrainian Forces along with liberated villages:

On the other side of the fence, here you can see a Russian supporter posting a video where she claims that she is providing a large number of drones, night vision goggles and cameras to the Russian Forces, sourced from China:

There are thousands of such channels, some with millions of viewers, and whenever you see a news report on TV speaking about the war, it's usually pretty easy to get the same information hours or days beforehand by monitoring a handful of these sources. Just as good cybersecurity is done by delving into both the red and blue teams, meaning that you need to focus on both attack and defense, OSINT should be looked at from both sides as well. Only by watching channels from both Russian supporters and Ukraine supporters can you get a full picture of what's happening on the ground.

While most of this new generation of OSINT enthusiasts focus on free sources, this only scratches the surface of what's available out there. For example, only governments used to have access to satellite photos. The rest of us had to rely on Google Earth pictures which tend to be years out of date. Now, several companies have arisen with their own satellites that other companies and sometimes even individuals can use. Planet is one that became famous thanks to the war. When the Crimea bridge was attacked just recently, we quickly got access to satellite photos of the area every day after the attack, showing us in real time the repairs that the Russian occupiers were conducting. This was only possible because companies like that were available for regular people to use and capture this very time sensitive content.

Of course, all of this is very time consuming, and that still only focuses on social media. There are many other OSINT tools out there, focusing on everything from facial recognition, dark web searches, threat intelligence, geo-location and so on. Entire projects have been created around OSINT, like the popular DeepStateMAP which shows a map of the Ukraine invasion with all current military positions and changes day by day, based on all of these sources.

But as I mentioned above, while this new age of big data and the growing number of Internet detectives is helping us stay informed and even make real changes in the world, any tool can be used for good and evil. Ever since the invasion started back in February, there has been a growing number of channels dedicated to DDoS and other types of cyber attacks, on both sides of the conflict, going after whichever target the owner of the channel decides. Without any obvious monetary gain, solely based on patriotic desires, countless websites have been shut down for hours or days by attacks, and monitoring these sources can yield valuable intelligence on upcoming attacks, not only on the battlefield but online as well. It's very likely that this type of threat will remain long after the war is over.

I believe that this year the number of OSINT enthusiasts, people who learned how to plug into the deep web, scan and parse through large data sets, come up with conclusions and sometimes even act on those conclusions, has gone up tremendously, and this is unlikely to change. There is more and more data being shared every day, and tools like drones, access to satellite photos, AI and so on are becoming ubiquitous. Most events, whether it's a war or a local disruption, can be detected online before any news or even government agency becomes aware of it, and that has large implications that go beyond the scope of this post. OSINT will need to be part of any company, organization or group in order to stay ahead, the same way nation states have relied on their intelligence services previously.