Open-source investigations were once potent journalistic tools, but in Ukraine, they’re being used on the battlefield.
On Oct. 12, 2022, Russian soldier Aleksey Lebedev logged onto VKontakte, Russia’s most popular social network, and uploaded a photo of himself in military fatigues crouching in a large white tent. He had been smart enough to obscure his face with a balaclava, but unfortunately for Lebedev and his comrades, he did not obscure the exact location from which he had posted: Svobodne village in southern Donetsk.
Lebedev’s post was picked up by a Ukrainian military investigations company called Molfar. This lead was transferred to an analyst in its open-source intelligence (OSINT) branch, and investigators spent the next few hours constructing a target location profile for Lebedev and his military unit. The unit’s location was believed to be a training base for Russian and pro-Russian separatist troops. After discovering two other photos posted from the same location by pro-Russian servicemen—as well as other corroborating evidence, which was shared with Foreign Policy—Molfar passed its findings on to Ukrainian intelligence.
Two days later, according to Molfar, explosions and “fireworks” were observed at the site of Lebedev’s selfie, approximately 40 miles behind Russian lines. On its Telegram channel, the Security Service of Ukraine (SBU) reported the attack. It is unknown how many casualties were sustained during the blasts. Lebedev deleted his original photo afterward, indicating he survived the explosions. Molfar said that, based on his VKontakte posts, it appears that Lebedev has continued to fight Ukrainian forces, though he is now wise enough not to include his geolocation data.
The first major Russian digital mishaps in wartime date back to 2014. At that time, the Kremlin was denying the presence of its forces in Crimea, while the same forces were posting geolocated images of themselves on social media, exposing Moscow’s lie. (Because of failures like these, it’s been illegal since 2019 for Russian servicemembers to use smartphones while on duty.)
This is what most people think of when they think of OSINT, which refers to gathering intelligence from any publicly available materials: open-source investigative techniques deployed to prove military or criminal wrongdoing. High-profile investigations such as Bellingcat’s investigation of Syrian dictator Bashar al-Assad’s usage of chemical weapons in Douma, Syria, and its exposé of the Russia-backed separatists that shot down Malaysia Airlines Flight MH17, among others, have established OSINT as a potent journalistic tool.
But what is new in Ukraine is how these techniques are being reverse-engineered: not to retrospectively expose atrocities and malfeasance but to proactively kill enemy forces and destroy enemy hardware on the battlefield itself.
The use of OSINT to track down and then target enemy fighters has prompted significant changes to the way operational security (OPSEC) is handled by militaries. In Ukraine and elsewhere, this has actually impaired how war is covered by television and photojournalists.
Lebedev’s is one of seven such examples shared with FP by Molfar where information on the internet was used to locate Russian soldiers. Molfar said it then passes its findings to Ukrainian intelligence, which uses it to plan and execute attacks.
The private and volunteer sectors are pioneers in this kind of work. Molfar was formed from the due diligence wing of Noosphere—a company specializing in rocket and satellite technology—that was bought out by Artem Starosiek, a Ukrainian, and formed into an independent corporate entity. Based in Ukraine with 56 employees, Molfar’s primary enterprise is corporate investigations, but after the invasion on Feb. 24, 2022, its portfolio quickly diversified.
The Security Service of Ukraine (SBU) will not confirm its partnership with the company, or any other third-party company, for security reasons. Molfar agreed to share this account of their work with FP and, where possible, FP has corroborated with additional linked evidence.
“We just transferred our knowledge from space startup companies to military [applications],” Starosiek, who serves as Molfar’s CEO, said. Starosiek first made contact with Ukrainian intelligence prior to the war at a security conference where Molfar was invited to train new SBU recruits on OSINT techniques.
“They told me that two weeks after our seminar, they were already able to find the location of Russian military and hit them,” Starosiek said.
Since the beginning of the war, Molfar has received funding from the Civilian Research and Development Foundation—a nongovernmental organization that includes the U.S. State Department, U.S. Defense Department, and the U.K. government among its backers—to give additional OSINT trainings to officials from the SBU, as well as to the Defense Intelligence of Ukraine and other government bodies.
Molfar’s pivot to military investigatory services is indicative of a broader growth in demand for OSINT services over the past decade, said Di Cooke, a technology fellow at the Center for Strategic and International Studies. That growth has been accelerated by Russia’s war in Ukraine.
“While OSINT has been used to uncover human rights crimes and disinformation in conflicts before, like the Syrian civil war, this is the first major active conflict that has very visibly and viscerally shown the advantages leveraging OSINT can have both on and off the battlefield,” Cooke said.
The private-sector OSINT market is booming, Cooke said. She cited the expansion of threat intelligence companies such as Recorded Future and Janes, event-detection platform Dataminr, and commercial satellite imagery providers Orbital Insight and Planet Labs. In response to the war in Ukraine specifically, Cooke noted the creation of new investigatory groups such as the Ukraine Digital Verification Lab, OSINT for Ukraine, and initiatives such as Ukrainian Weapons Tracker or the North Atlantic Fellas Organization.
“Between them and the growing engagement of volunteers and supports with existing organizations like Bellingcat, the civilian OSINT community has grown significantly in the last year,” she said.
The big five U.S. intelligence conglomerates (Booz Allen Hamilton, CSRA, Leidos, SAIC, and CACI International) are also making significant commitments to open-source intelligence. As a result, the OSINT industry, valued at $5.1 billion in 2021, is projected to reach $34.9 billion by 2030, according to market research company VMR.
Eight decades on from when the U.S. government established the Foreign Broadcast Monitoring Service to keep an eye on overseas media, things have changed radically. Unlike in 1941, when there was no satellite technology, foreign news reporting can now become rapidly actionable intelligence.
Like Russia, Ukraine has learned this the hard way and has suffered through its own OPSEC blunders, such as when Russian OSINT researchers successfully identified the location of a tank repair facility in Kyiv from a report on April 7 by Ukrainian TV channel 1+1. Local media reported that the facility was targeted shortly after, on April 15, by a Russian missile, reportedly resulting in “destruction and casualties.”
This failure inspired Starosiek to start Molfar’s targeting operations in June. He said he thought, “We could do better and reverse this method against the enemy.”
Starosiek’s revenge came in July 2022 against a company of Akhmat forces, who are loyal to Chechen strongman Ramzan Kadyrov. A Russia Today report by Chechen correspondent Sargon Hadaya was picked up on May 6 by Molfar on a pro-Russian group on VKontakte called Beyond the Edge.
In the report, Hadaya gives away the approximate location of the troops, citing the city in which they are arriving, Rubizhne. In the video, men alight from military trucks, one with the letter “Z” across its front. The report’s voiceover track states that 240 volunteer soldiers are arriving at the site.
Once the location came to Molfar’s attention, more details soon followed. A similar video, referencing the RT report and posted on May 10 by another user of VKontakte, was captioned: “From Kamchatka to Dagestan—volunteers from different regions of Russia arrive in Rubizhne to the location of the Akhmat special forces.” Regnum, a pro-Russian website, also published an article on May 12 about the opening of a military hospital in Rubizhne to treat soldiers wounded at the front.
To Molfar, it appeared that a significant Chechen deployment was present in Rubizhne. The remaining work was to identify the soldiers’ exact location.
Observing Molfar’s investigative process underscores how small the details can be that identify a target once an approximate location has been established. The RT report included no wide shots of the broader area, but other shots made it clear that the location was flanked by tall residential apartment buildings. Minor additional details quickly gave the company’s position away. In one shot, the distinctive right-angled roofline of the Lyubystok kindergarten building could be observed and was identified by Molfar on Google Earth.
In another photo, a gazebo with corrugated blue walls and roof paneling further helped to triangulate the troops’ exact location in relation to the kindergarten building. In the background of another shot, sculpted in distinctive concrete lettering, is the word “Vizit,” the name of the health center situated opposite the kindergarten.
Another photo—published on the pro-Russian news site URA on June 3, in an article about a soldier who “liberated” Rubizhne with Chechen forces—showed soldiers standing in a room with children’s wallpaper depicting birds and a cartoon sun. This suggested they were in a kindergarten or similar educational facility for children.
In Molfar’s assessment, there was little to no likelihood that children were still in the kindergarten, having been supplanted by the Chechen troops. But it described the risk of civilians being nearby as “high” due to the residential buildings surrounding the target.
Molfar transferred its findings to the Main Directorate of Intelligence on June 5, though it was not until July 24 that Molfar received confirmation that the target had been struck. Images of the damage to a building directly adjacent to the kindergarten in Rubizhne—in which Molfar believed the Russian soldiers were staying—were published on Aug. 3, 2022, on an anonymous but ostensibly pro-Ukrainian Telegram channel named “Rubezhnoe.”
It is not clear by what means the site was bombarded. A mere 12 miles from the front line, it was within shelling range, but Molfar believed the use of HIMARS—High Mobility Artillery Rocket Systems—was most likely due to its high level of accuracy.
There was no visible indication that any Chechen soldiers had been killed or injured, though if the company was present at the time of the attack, it’s likely that significant casualties were sustained. Regnum reported that four civilians had been killed in the attack. Questioned further as to whether or not civilian casualties would have resulted from a strike, Starosiek wrote in a Signal message: “Civilians who refused to leave the city for personal reasons (lack of possibility, reluctance to leave their own homes, existing pro-Russian views, collaborators) could be in the specified area.” He said it was likely that some apartments were occupied by Chechen fighters, as suggested by a photo posted by a Chechen fighter on July 7. It is unclear how many civilians remained in the area, and Starosiek pointed out that reporting civilian casualties is a common tactic used by Russian propagandists when troop losses are sustained. At the time of publication, FP was unable to verify either side’s claims.
In another example of the Russians compromising their own troops’ safety shared with FP, Molfar targeted the Pyatnashka international brigade’s base in Donetsk from an array of OPSEC breaches. These included an on-site interview by the pro-Russian news site Donetsk Time with Russian TV presenter and celebrity Yulia Baranovskaya posted on Telegram. The brigade also posted multiple videos of its base on its own Telegram channel (celebrating the brigade’s anniversary). These plus additional content shared by Molfar with FP provided ample opportunity to triangulate the base’s location. A strike on the Pyatnashka brigade was confirmed by drone footage of the base’s ammunition silo exploding, published by local media on Aug. 22.
Molfar’s reports, shared with FP, appeared to show that Russian military officer Sergei Marenko helped to give away the location of the 185th Rifle Battalion of the Donetsk People’s Republic after filming the screen of a drone flight over his position. The videos were subsequently posted on the Telegram channel of Russia’s most famous propagandist Vladimir Solovyov — who has over 1 million subscribers — in July. And in September, Molfar’s reports appeared to demonstrate that Russian volunteer Alexander Heres did the same for its 123rd Regiment after posting similar videos of drone footage to his own Telegram channel.
Molfar said its targeting operations continue. It claims to provide an average of 15 actionable intelligence reports to Ukrainian intelligence per month.
Fully aware of the lethal potential of OSINT, the Ukrainian government has heavily restricted journalists reporting from the front line and other sensitive locations. A law in force since March 2022 has made filming the movements of Ukrainian military personnel, sites of shelling, street names, transport stops, shops, factories, and other civilian and military facilities punishable by up to 12 years in jail.
Reporting the war for visual media has become very difficult. As a TV journalist, I have struggled to convince military commanders to allow me to film at the front. In one instance, leaving the scene of a Grad rocket launch in Donetsk, a Ukrainian soldier ordered me to stop filming through the front window of the car as we raced away because a distinctive industrial landmark was clearly identifiable in my frame and could be used to locate their point of attack.
Veteran BBC war correspondent Jeremy Bowen said that even in the pre-digital age journalists sought not to give away the position of the forces with which they were embedded: “There was always an understanding that if you weren’t a complete shit, then you wouldn’t show a wide shot.”
Now, digital technology, real-time connectivity, and artificial intelligence have made the smallest details—from a tree line to a mountain range to a minor architectural feature—liable to identification and geolocation, particularly when the approximate location of the target is already known. “Those techniques hadn’t been worked out, or hadn’t gone mainstream, until about 10 years ago,” Bowen said. Previously, Bowen said, “Life was a lot simpler for TV news teams. The extra complications now were not so apparent then.”
If secrecy is paramount, and given all the benefits Molfar reaps from Russian digital OPSEC infringements, why is the company showing off its methodology? A third-party intelligence analyst who reviewed the OSINT targeting analysis shared with FP vouched for the “very high quality” of Molfar’s work but was cynical about the company’s motives. “I bet you in six months they’ll get bought out,” the analyst said. Starosiek was indignant at the suggestion that he was motivated by self-interest. “I don’t think much about business at this time,” he said. It is Starosiek’s contention that Molfar loses money from its work targeting Russian soldiers, and that it is supplemented by the company’s commercial income streams. In his words: “There’s no sense to make profits right now, because if we lose this war there will be no Ukraine in which to conduct business anyway.”
Either way, Molfar’s disclosures to FP could be construed as a major OPSEC failing. That’s apparently what Illia Vitiuk, head of SBU cybersecurity, thinks.
When FP asked Vitiuk about the SBU’s relationship with Molfar and how it used its intelligence to strike Russian targets, he refused to acknowledge any relationship that the SBU might have with any third-party company. Vitiuk further said that Molfar left itself vulnerable to targeting by Russian assassins. “[The Russians] have their agents here as well. So, it’s too dangerous. In public we only say there is an IT army here in Ukraine, a lot of people, 300,000 working against Russia, offensive and defensive, helping. We do a lot of jobs. This is not the right time to reveal all of these connections,” he said. “Maybe even Molfar doesn’t understand that they need to be more silent.”
Starosiek said he was not overly concerned for his personal safety and that most Russian infiltrators had been captured in the first months of the war. To him, the use of OSINT was already well understood by the Russians, and their repeated OPSEC infringements were the product of a deeply ingrained lack of discipline and operational ineptitude. He justified his disclosures in terms of a propaganda victory: saying he hoped they would raise the morale of Ukrainians, show Russia as weak, and stand as a warning to Ukrainian soldiers not to make social media posts from the front line. “I think the first goal is to show Russians that we are not afraid of them,” he said.
(c) 2023, Foreign Policy