Active Measures

Активные Мероприятия | Aktivnyye Meropriyatiya: Agent-operational measures aimed at exerting useful influence on aspects of the political life of a target country which are of interest, its foreign policy, the solution of international problems, misleading the adversary, undermining and weakening his positions, the disruption of his hostile plans, and the achievement of other aims. (Mitrokhin, Vasili (2013-01-11). KGB Lexicon: The Soviet Intelligence Officer's Handbook (p. 13). Taylor and Francis. Kindle Edition.)

Turning OSINT Lead into Gold

Published: 2019 January 27

The following is, among other things, a cautionary tale on why one should heed the advice of Bellingcat. They *did* try to warn folks about the dangers of apps preloading URLs. I will also touch on the issue of unique short URLs generated by apps such as Twitter.

This is also a story about using the dissemination of open source intelligence to generate not-so-open-source intelligence. On 15 January 2019 I posted an article about Manuel Ochsenreiter. The people most likely to be concerned about Manuel are his closest associates. In the network of 24 people/entities I discussed in the article, 10 are in Russia, and 3 in Serbia. The traffic analyzed below is all linked temporally, but may in fact be two (or three) distinct instances of data being shared by linked individuals. The source IP addresses are obfuscated enough to provide a degree of anonymity or deniability, but the netblocks are not obfuscated, because I'm not f/ing around.

A note about the data below. Devices on the Internet, such as the phones and computers seen here, are assigned a numeric address (an IP address). Those addresses are assigned in blocks or ranges to service providers, who then assign them to the devices of their customers as needed. Servers that host websites such as this one log traffic: requests for web pages, including all the pieces and parts that make up a page (e.g. images, style sheets, the text of the page itself). The log entries seen below come from a server set to GMT -5, and in the narrative I have translated that to UTC. The log entries also contain data that describes the kind of device (e.g. computer vs. phone), the browser, the device's operating system (e.g. Android vs. iOS vs. Windows), and, when the client supplies it, the referrer, i.e. the page or app the visitor followed the link from. Put this all together and one gets a picture of who viewed a web page, when they did so, using what sort of device, where (roughly) the visitor was located at the time, and how the link reached them.
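To make the reading of these logs reproducible, here is an added example (my own code, not part of the original post) that parses lines in the exact format quoted below, converts the -0500 server timestamps to UTC (including the roll-over past midnight), and labels each hit by where the link came from (a per-tweet t.co link, an app, a site, or nothing) and by what kind of client fetched it. The IP addresses, hostnames, paths and app package name in the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Field layout of the log lines quoted in this post:
# ip - - [timestamp] "request" status bytes vhost "referrer" "user-agent" "-"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<vhost>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def to_utc(stamp):
    """'17/Jan/2019:00:40:28 -0500' -> timezone-aware datetime in UTC (05:40:28Z)."""
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)

def classify_referrer(ref):
    """Where the visitor came from: a per-tweet t.co link, an app, a site, or nothing."""
    if ref in ("", "-"):
        return "direct (no referrer; link typed, pasted or opened from a chat)"
    if ref.startswith("https://t.co/"):
        return "twitter short link " + ref.split("/")[3].split("?")[0]
    if ref.startswith("android-app://"):
        return "android app " + ref[len("android-app://"):]
    return "site " + (ref.split("/")[2] if "://" in ref else ref)

def classify_client(method, ua):
    """Coarse client label from the request method and user agent string."""
    if method == "HEAD" and ua in ("", "-"):
        return "existence check (HEAD, no user agent)"
    for needle, label in (("WhatsApp", "WhatsApp fetch"), ("Android", "Android phone"), ("Macintosh", "Mac"), ("Windows", "Windows PC")):
        if needle in ua:
            return label
    return "unknown"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # line in some other format: skip rather than guess
    d = m.groupdict()
    return {"ip": d["ip"], "utc": to_utc(d["ts"]), "path": d["path"],
            "status": int(d["status"]), "source": classify_referrer(d["ref"]),
            "client": classify_client(d["method"], d["ua"])}

# Constructed sample lines in the post's format (192.0.2.0/24 is a documentation range).
SAMPLE = [
    '192.0.2.10 - - [16/Jan/2019:23:08:11 -0500] "HEAD /t/article.html HTTP/1.1" 200 - example.net "https://t.co/abc123" "-" "-"',
    '192.0.2.20 - - [17/Jan/2019:00:40:28 -0500] "GET /t/article.html HTTP/1.1" 304 - example.net "https://t.co/abc123?amp=1" "Mozilla/5.0 (Android 8.0.0; Mobile; rv:64.0) Gecko/64.0 Firefox/64.0" "-"',
    '192.0.2.30 - - [17/Jan/2019:06:00:12 -0500] "GET /t/article.html HTTP/1.1" 200 19580 example.net "android-app://org.example.messenger" "Mozilla/5.0 (Linux; Android 8.0.0) AppleWebKit/537.36 Chrome/71.0 Mobile Safari/537.36" "-"',
    '192.0.2.30 - - [17/Jan/2019:06:03:27 -0500] "GET /t/article.html HTTP/1.1" 200 19580 example.net "-" "WhatsApp/2.18.380 A" "-"',
]
```

Sorting the parsed dicts by the `utc` key and grouping by `ip` gives the kind of per-location timeline walked through below.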


The first set of hits (if indeed there is more than one set) begins with this Twitter-generated t.co URL https://t.co/RNl■■■■■■■ which can be traced to a tweet posted at 04:07 UTC, found here: https://twitter.com/■■■■■■■■■■■■■■■/statuses/■■■■■■■■■■■■■■■■■■■


05:08:11 UTC The first hit on it comes from an IP address assigned to Google Cloud and is a HEAD request, just checking that the file/page exists

NetRange: 35.208.0.0 - 35.247.255.255
CIDR: 35.224.0.0/12, 35.240.0.0/13, 35.208.0.0/12
NetName: GOOGLE-CLOUD

35.2■■.■■■.■■■ - - [16/Jan/2019:23:08:11 -0500] "HEAD /t/20190115-ochsenreiter.html HTTP/1.1" 200 - aktivnyye.com "https://t.co/RNl■■■■■■■"


05:40:28 UTC Page is viewed in Moscow on an Android phone by someone who clicked on https://t.co/RNl■■■■■■■

inetnum: 5.228.0.0 - 5.228.127.255
netname: NCN-BBCUST
descr: NCNET Broadband customers
role: NCNET NCC Operations
address: National Cable Networks
address: Nagatinskaya str., 1, bldn. 26
address: 117105 Moscow, Russia

5.228.■■■.■■■ - - [17/Jan/2019:00:40:28 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 304 - aktivnyye.com "https://t.co/RNl■■■■■■■?amp=1" "Mozilla/5.0 (Android 8.0.0; Mobile; rv:64.0) Gecko/64.0 Firefox/64.0" "-"


10:11:31 UTC Page is viewed at a second location in Moscow on an Android phone, again by someone who clicked on the Twitter short URL https://t.co/RNl■■■■■■■

inetnum: 31.173.80.0 - 31.173.87.255
netname: MF-GNOC-STF-CGN-20150729
descr: Metropolitan branch of OJSC MegaFon AS25159 31.173.80.0/21
country: RU
role: Moscow Branch of PJSC MegaFon Internet Center
address: 27-42 Vyatskaya str., Moscow, Russia, 127015

31.173.8■.■■■ - - [17/Jan/2019:05:11:31 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 304 - aktivnyye.com "https://t.co/RNl■■■■■■■?amp=1" "Mozilla/5.0 (Android 8.0.0; Mobile; rv:64.0) Gecko/64.0 Firefox/64.0" "-"



11:00:12 UTC Message with link arrives/is viewed in Belgrade via Telegram on an Android phone. At this point we lose the t.co short URL, and visitors are arriving via links to aktivnyye.com directly. This traffic may in fact be related to the earlier hits on the t.co URL, but that's speculative. The traffic observed from here on is definitely all connected. As for who this is in Belgrade, I suspect it is a person or persons associated with the Center for Syncretic Studies.

inetnum: 87.116.176.0 - 87.116.191.255
address: Serbia BroadBand
address: Bulevar Zorana Djindjica 8a
address: 11000 Beograd
address: SRBIJA

87.116.17■.■■■ - - [17/Jan/2019:06:00:12 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 200 19580 aktivnyye.com "android-app://com.SecretTelegramMessenger" "Mozilla/5.0 (Linux; Android 8.0.0; VTR-L09) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36" "-"

11:03:20 UTC Message with link relayed out from Belgrade via WhatsApp installed on a Mac desktop/laptop using the same IP address

87.116.17■.■■■ - - [17/Jan/2019:06:03:20 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 200 19580 aktivnyye.com "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.6.0 Chrome/45.0.2454.101 Safari/537.36" "-"

87.116.17■.■■■ - - [17/Jan/2019:06:03:27 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 200 19580 aktivnyye.com "-" "WhatsApp/2.18.380 A" "-"


11:04:00 UTC Link arrives in Moscow via WhatsApp and is viewed via Android phone.

inetnum: 195.91.210.0 - 195.91.210.255
netname: SKSYS-DSL-NET
descr: SK Systems, Inc. xDSL-connected network
role: RiNet Hostmaster
address: Cronyx Plus Ltd (RiNet ISP)
address: Off.111, Bld.11a, 1st Khvostov Lane
address: Moscow 119180 RU

195.91.210.■■ - - [17/Jan/2019:06:04:00 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 200 19580 aktivnyye.com "-" "Mozilla/5.0 (Linux; Android 6.0; ZTE BLADE A510 Build/MRA58K; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/71.0.3578.99 Mobile Safari/537.36" "-"

11:09:40 UTC Five minutes later, a visitor on another IP address and netblock (but with the same service provider as the hit at 11:04:00 UTC, and also in Moscow) arrives at the front page of aktivnyye.com and then navigates to the Ochsenreiter story (11:10:17 UTC), using a Windows desktop/laptop machine. At 11:14:12 UTC the same visitor takes a look at Kochetkov's network graph (but not any of the others)

inetnum: 86.62.124.0 - 86.62.124.255
netname: RINET-INTERNAL
descr: Cronyx Plus Ltd.
descr: RiNet ISP
role: RiNet Hostmaster
address: Cronyx Plus Ltd (RiNet ISP)
address: Off.111, Bld.11a, 1st Khvostov Lane
address: Moscow 119180 RU

11:09:40 UTC Same location, person views index.html page

86.62.124.■■ - - [17/Jan/2019:06:09:40 -0500] "GET / HTTP/1.1" 200 27360 aktivnyye.com "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "-"

11:10:17 UTC Views Ochsenreiter page

86.62.124.■■ - - [17/Jan/2019:06:10:17 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 200 19580 aktivnyye.com "http://aktivnyye.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "-"

11:14:12 UTC Views Kochetkov's network graph

86.62.124.■■ - - [17/Jan/2019:06:14:12 -0500] "GET /i/20190115/Kochetkov.gif HTTP/1.1" 200 626075 aktivnyye.com "http://aktivnyye.com/t/20190115-ochsenreiter.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" "-"


11:25:33 UTC Ochsenreiter page is viewed on a phone using a separate network in Moscow. This might be unrelated to other traffic we are looking at, but the visitor turned up without a referrer, i.e. they went directly to content they knew/had been told the location of, which is consistent with traffic generated by things like a group chat or email exchanged among multiple recipients.

inetnum: 213.87.128.0 - 213.87.159.255
netname: MTSGPRS-3
descr: Mobile subscribers pool
address: MTS PJSC
address: 4, Marksistskaya str., 109147 Moscow, Russia

213.87.1■■.■■■ - - [17/Jan/2019:06:25:33 -0500] "GET /t/20190115-ochsenreiter.html HTTP/1.1" 200 19580 aktivnyye.com "-" "Mozilla/5.0 (Linux; Android 7.1.1; SM-J510H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.99 Mobile Safari/537.36" "-"


11:56:43 UTC Back at the same location in Belgrade as the hits at 11:00 UTC, an image from the page is loaded again on the phone, apparently in the context of a discussion with their associate in Moscow

87.116.17■.■■■ - - [17/Jan/2019:06:56:43 -0500] "GET /i/20190115/L-R-Bekier_Pisorski_Ochsenreiter_Prokopowicz.jpg HTTP/1.1" 200 191808 aktivnyye.com "-" "Mozilla/5.0 (Linux; Android 7.0; VTR-L09 Build/HUAWEIVTR-L09; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/59.0.3071.125 Mobile Safari/537.36" "-"

13:37:10 UTC Back in Moscow at the same IP address as the 11:04:00 UTC hit, the conversation with Belgrade continues, and the same image is loaded as at 11:56:43 UTC

195.91.210.■■ - - [17/Jan/2019:08:37:10 -0500] "GET /i/20190115/L-R-Bekier_Pisorski_Ochsenreiter_Prokopowicz.jpg HTTP/1.1" 200 191808 aktivnyye.com "-" "Dalvik/2.1.0 (Linux; U; Android 6.0; ZTE BLADE A510 Build/MRA58K)" "-"


From left to right: Falange leader Bekier, accused Russian agent Piskorski, currently jailed in Poland, Ochsenreiter, and Ochsenreiter's agent Prokopowicz.