Article
OSINT in the Russian invasion of Ukraine
Western twentieth and twenty-first history often relates that the last ‘war’ ended in 1945 and that since then the world has been in relative peace. The ‘Cold’ war did not become ‘Hot’ and after 1991 there was a ‘peace dividend’ when defence spending, at least in the west, declined. This came to an end when the western world was shocked by images of the terrorist attacks on the World Trade Center in 2001 causing NATO’s governing body to invoke Article 5. This called on the alliance to support the United States in its response to the attacks. However, the reality is very different. Since 1945 the world has been in continuous conflict; some major such as Korea, Vietnam, Kuwait, and the former Yugoslavia, and some minor such as in the Falklands in 1982. In each of these conflicts, the belligerents used the weapons at their disposal. These ranged from legacy Cold War systems to the latest cruise missiles and stealth technology as seen in the 1991 ‘Shock and Awe’ campaign in Iraq.
In parallel to advances in weapons, new innovations in media and communications have also been deployed, bringing conflict to a wider audience. The war in Vietnam, often referred to as the first television war, brought daily reports to the families of those serving. It has been suggested that these graphic and often uncensored images contributed to undermining support for the war, which ultimately led to the US withdrawal in 1973. Two decades later, advances in communication technology brought 24 hour live televised news. CNN was the first global 24/7 news channel and the only one that broadcast live on 16 January 1991 Operation Desert storm began the campaign to liberate Kuwait. CNN was followed by additional news channels, some of which showed a clear bias towards promoting a particular narrative. In parallel to developments in the mainstream news, advances in Internet technology have seen the growth of social media with combatants and civilians alike posting material from the conflict zone.
The rise of social media – a treasure chest of OSINT
Unlike commercial news organisations, social media posts by private persons are often chaotic and uncontrolled, this has led to users unintentionally posting information that revealed operationally sensitive information. Since Russia’s first involvement in Ukraine, social media has tracked its illicit activities and has produced a steady stream of evidence that has undermined or countered Russia’s official narrative. One of the first examples of this was the work of Ukrainian bloggers in 2015, who over time were able to gather evidence that Russia was actively involved in the conflict in the eastern part of the country, contrary to the Kremlin’s claims. By following the posts of individual soldiers on Russian language social networking sites it was possible to identify their units, equipment, and activities[1]. In one well-publicised incident, the metadata contained within an Instagram post provided proof that Russian soldiers were in Ukraine despite Russian military denials. Russian activity within the borders of Ukraine was also revealed through the outstanding work of Eliot Higgins, the founder of Bellingcat. By analysing open source information, Higgins and his team were able to track the movements of the Buk anti-aircraft missile launcher that shot down the Malaysian Airways flight MH17. It was possible to confirm the location and time of each sighting, which provided evidence that it was in separatist-controlled territory at the time of the missile launch[2]. Bellingcat’s final report provided compelling evidence of the Russian origin of the missile and Dutch prosecutors named three Russians and one Ukrainian as being ultimately responsible for the incident.[3] The work of Bellingcat and others subsequently led the Russian authorities to ban their military from using social media.[4]
Future similar studies of activities in the current war in Ukraine will be able to draw on significantly more source material than the Bellingcat investigations had at their disposal in 2014.
[1] https://www.youtube.com/watch?v=2zssIFN2mso
[2] https://www.bellingcat.com/news/uk-and-europe/2015/10/08/mh17-the-open-source-evidence/
[3] https://www.bellingcat.com/app/uploads/2015/10/MH17-The-Open-Source-Evidence-EN.pdf
[4] https://www.bbc.com/news/world-europe-41510592
The Russian invasion of Ukraine – the first TikTok war
In 2022, the most popular social networking application is TikTok, which enables users to share short videos ranging between five and 120 seconds in length. Creators have access to a range of filters, effects, and a music library. The most popular TikTokers can generate income from their material. With around 1 billion users, TikTok is particularly popular among Gen Z born between 1997 and 2012. This group of Ukrainian users has become a primary source of information documenting the effects of the Russian invasion on their lives and communities. Personal and impassioned, their material has considerably more impact on a global audiences than mainstream news reporters viewing the conflict from an outsider’s perspective. They have also been able to broadcast graphic evidence of war crimes that are outside the editorial guidelines of other media.
Although for many users, TikTok is just the latest generation of social media, it does have a darker side. Owned by a Beijing-based technology company ByteDance, its terms and conditions freely admit to collecting as much user data as possible. This includes GPS location, contact information, and device identifications. Users must also surrender any control over how that data may be used.[1] Despite China’s attempts not to appear overtly supportive of Russia’s invasion, there is increasing evidence of material and financial aid.[2] This may conceivably include intelligence support such as data from TikTok users exposing their location. Although this information may be extracted directly from TikTok servers, ordinary users also have the means to extract metadata, including user profiles and their IP addresses.[3] This location tracking via IP address is particularly concerning when troop and equipment locations are shown.[4] Innocent postings intended to support Ukrainian forces and highlight Russian atrocities may unintentionally aid enemy operations.
From Russia’s initial incursion into Ukraine in 2014 to the 2022 full scale invasion has coincided with a doubling in Social Media usage which has vastly increased the volume of available open-source intelligence. Bellingcat’s work has exposed the power of this information, but also its potential for abuse by hostile powers. It is beholden on those who work in this area to both exploit its use for good, while educating users of potential for abuse by adversaries.
[1] https://goat.com.au/pop-culture/do-you-really-know-where-your-tiktok-data-and-content-is-going/
[2] https://edition.cnn.com/2022/03/14/politics/us-china-russia-ukraine/index.html
[3] https://apify.com/sauermar/tiktok-scraper#what-does-tiktok-scraper-unlimited-do
[4] https://www.istaunch.com/track-location-of-someones-tiktok-account/
Another skyrocketing Social Medias application is Telegram
Telegram is an instant messaging service, launched in 2013 by VK-s creator Pavel Durov. Following the 2014 takeover of VK Kremlin allies in 2014, Pavel Durov left Russia and has since focussed on developing the Telegram encrypted messaging service13. By January 2021 Durov announced that Telegram had reached "about 500 million" monthly active users14. The number of active Telegram users rose sharply on February 24, after Russia sent his troops into Ukraine. On March 21, 2022, after a Russian court has banned Facebook and Instagram in the country, Telegram usage jumped to 63% of all digital messaging in Russia, overtaking WhatsApp's usage share of 32% to become Russia's most popular messaging tool15.
Over the course of the conflict, Telegram has become a key digital battle space for both the Ukrainian and Russian governments. In Ukraine, President Zelensky has used the platform to rally support, while the Ukrainian government has used it to send air raid warnings, provide directions to bomb shelters, and assist people in finding loved ones. Concurrently, Russia, now cut off from many media channels has found Telegram one of the last remaining channels of communication open to them.[16]
Controlling social media channels, narrative meets the needs of operational security
Russia has banned FaceBook and Instagram to limit the spread of true war information among Russian citizens17. In March, Ukraine posting photos and videos of the war on social media a crime18. This concerns not only Ukrainian troops and military activities, but also the results of enemy attacks. The announcement likely followed Ukraine's findings that Russian troops are investigating photos and videos on social media to assess the effectiveness of their attacks. Ukrainian citizens and journalists have acknowledged the necessity of such a restriction, and since its announcement, the number of images and videos of war posted on social media has decreased significantly.
Russian troops are very well aware of the dangers associated with social media and there are almost no posts from their side. However, the President of Chechnya, Ramzan Kadyrov and his troops are prolific social media users on the battle filed. There are so many posts about the activities of Chechen forces that they have even earned the nickname TikTok warriors. In reality most of these videos are not genuine but staged. However, they provide good information on the location, equipment, activities, and tatics of the units as well as a gruesome insight into their desired ‘brand’ as warriors. Ukraine uses social media to disseminate information about Russia’s war crimes, such as the Butcha massacre and the bombing of the Kramatorsk railway station. Information which has proved vital in prosecutors’ confidence in successfully prosecuting Putin as a war criminal 19.
As the Russian invasion of Ukraine enters an unimaginably darker and even more horrific chapter the use of social media will become even more contentious on all sides. Commanders at the highest level will have to balance the need for operational security with the value in intelligence made available to them. Does a picture of dead civilians being put in body bags by friendly forces negatively impact an operation by revealing their position, or is the operational risk outweighed by how those images galvanise the support of overseas allies and populations?
These questions will be studied, assessed, and eventually enshrined in doctrine over the coming decades. Regardless of the outcome, the shift in narrative power from a waring state to the population of its victims is undeniable. The application for the intelligence that this creates on the tactical edge unprecedented.
15 https://www.brecorder.com/news/40162140
16 https://time.com/6158437/telegram-russia-ukraine-information-war/
17 https://www.theguardian.com/world/2022/mar/21/russia-bans-facebook-and-instagram-under-extremism-law