Caucasian fire: a beginner’s OSINT tips to monitor the Nagorno-Karabakh conflict
Open-source intelligence (OSINT) is the process of collecting, analysing, and reporting publicly available information in an organised fashion. When dealing with breaking events and monitoring ongoing incidents, there is a wealth of data out there and it is easy to get lost. I share here my first steps into the OSINT realm as a threat intelligence intern reporting on the Nagorno-Karabakh conflict. This is OSINT from scratch.
Open-source intelligence: more mindset, fewer tools
Open-source intelligence (OSINT) is usually depicted as a magic box of tools to uncover deep secrets about the lives of people, entities, or even countries, just by having access to Wi-Fi, a good soundtrack in the background, and a certain dose of investigative mindset.
Like every stereotyped portrait, of course, it is not exactly like that — yet it is, in some way.
My first approach to open sources personally started when working for an investigative journal, and indeed I had no more than an Internet connection and the commitment typical of a new intern, in a foreign land, reporting on illicit flows of money and shadowy businesspeople. In other words, a mixture of pure excitement and the desperate need to find information by googling any possible tool out there.
It was not the right approach. Real experts — and not myself, as I am starting from scratch — would define OSINT as a subset of the wider intelligence discipline, intended as a scientific way to search, collect, verify, and report sparse information to produce intelligible and actionable insights. This, simply by exploiting publicly available sources: social media accounts, news, research reports, government databases.
Therefore, there is more to the methodology than to the tools. Open-source intelligence is the product of a specific mindset, basically grounded in the ability to pivot from any piece of information to another one: you start from a name, you get an email, then an IP address, some social network handles, maybe you draw a timeline, then you build a tree with all the information gathered. Certainly, some tools and techniques come in handy to dig deeper and build a well-informed case — yet, without the basics, you could just end up like me, drowning in Google, GitHub, and cyber-fancy blogs that you and I can’t actually understand.
Threat intelligence and political risk: real-time events flooding your laptop
Okay, looks like a cool intro from a newbie. But what’s the selling point? It is that if you want to start with OSINT, I can’t tell you much, but I sure can share what’s working for me. Since I am interning for a political risk and threat intelligence analysis company, I have to monitor news from around the globe, focusing on specific regions. From traffic incidents to shootings, from flooding to street crimes, I am requested to cover anything which could have an impact on the business continuity of clients’ activities (such as an ongoing protest, a closed road, a wildfire near a certain village, etc.).
This practically translates into reviewing news, checking their reliability, geotagging the location of the incident, and editing data that is automatically fed into the system by the software. Although it doesn’t sound like much fun, this activity allows for tons of practice in some basic OSINT steps: you need to be organised, you need a plan, you must triangulate sources to check places, times, and protagonists — you are really investigating. Especially with breaking news, it is exciting trying to catch the latest information, statement, or event, and report it as clearly as possible. Since I have to monitor Eastern Europe, Central Asia and Russia, I must confront cultural barriers, language obstacles, and gaps in my knowledge of the regions themselves (e.g. it would be useful to know exactly how a country is administratively organised, how its transport system works, and so on). Indeed, those challenges are my opportunity to practice OSINT. To illustrate that, let me tell you about Armenia, Azerbaijan, and their conflict over the Nagorno-Karabakh region.
*Disclaimer: This blog post is updated to Sunday, September 27, 2020.*
Caucasian scars: disputed land and unbearable pasts
Armenia and Azerbaijan are in dispute over the contested region of Nagorno-Karabakh, a mountainous 4,000 square km area under Azerbaijani control, but inhabited almost exclusively by ethnic Armenians and ruled by the government of Artsakh since the collapse of the Soviet Union. In the 1990s the two countries engaged in a conflict leaving one million people displaced and 30,000 killed, until a ceasefire in 1994. Since then, tensions between Yerevan (Armenia) and Baku (Azerbaijan) have never been settled. Recently, in July 2020, border clashes left at least 16 dead, prompting large demonstrations in Baku and demands to solve the Nagorno-Karabakh issue, defeating the Armenian separatists once and for all. On Sunday, September 27, at 04:10 GMT, Armenia’s Minister of Defence blamed an Azerbaijani artillery attack on the frontline involving the local civilian population, to which Armenian forces had retaliated by downing two enemy helicopters and three drones. As of September 27, at 21:30 GMT, several casualties among civilians and service officers have been reported, amidst international concern, as countries like France, Iran, and Russia have stepped in proposing to mediate and facilitate de-escalation. Additionally, regional tensions are highly likely considering that Armenia is potentially backed by Russia, while Turkey has expressed fervent support for the Azerbaijani cause.
And so, there I was, with little knowledge about the region, its history, and the intimate causes of the trembling equilibrium between Yerevan and Baku. A post on Twitter published by the Agence France-Presse (AFP) was forwarded to me by my supervisor.
“So please focus on the clashes, and possible civilian casualties”, the message said.
Yet, the topic was delicate, and the report needed to be as informed and precise as possible.
What I did: OSINT tips to monitor breaking events
STEP #1: Twitter and TweetDeck
I started on Twitter. The platform is incredibly useful as there you can find breaking news information posted by legit media outlets, along with official statements by political representatives and senior officers detailing a wealth of reliable information (once you get past layers of propagandistic rhetoric!). The escalation in Nagorno-Karabakh was no exception to this rule. Therefore, I started with the governments’ channels of Armenia and Azerbaijan to look for official declarations: both were blaming the enemy for initiating the attack. Among prominent political figures, the case of Armenia’s Prime Minister Nikol Pashinyan was extremely interesting for following the country’s official stance. He called for the people to protect their homeland, as mobilisation was initiated. In another video found with the keyword “Armenia”, sirens could be heard as civilians were urged to take shelter to protect themselves against the shelling.
Video footage of anti-bomb sirens in Karabakh, September 27, 2020.
Let’s admit it: I was searching quite randomly by basic keywords like “Nagorno-Karabakh” or other similar identifiers, scrolling down posts popping up talking about national pride, aggression, calls to arms, and regional escalation. There was even social media footage claiming to portray Turkish mercenaries arriving in Azerbaijan from Syria, but this was not simple to verify, therefore I could not report it.
To get past the messy storm of over-information and thus to tailor my research further, I opted for the built-in Twitter Advanced Search functionality to narrow down results.
For instance, to monitor what was going on in terms of Azerbaijani-Turkish relations, I used the names of the presidents of the respective countries, Aliyev and Erdogan, forcing Twitter to retrieve only official tweets by @presidentaz, the account of Azerbaijan’s President Ilham Aliyev.
When dealing with current events and flooding streams of information in real-time, it is always a good call to exploit the organisational power of TweetDeck. This is a free online tool that allows for multiple searches organised in columns; it is basically a dashboard to collect tweets based on your interests. Its main function is the “add a column” button; if you then set the column type as “search”, you can use keywords and boolean logic operators to filter content. Hence, in a column you can have something like “Armenia” AND “breaking”, in another one “Nagorno-Karabakh” AND “casualties”, and so on.
Of course, TweetDeck is just a tool, meaning that if you do not tidy up your search process, you are going to be fed with a huge amount of irrelevant data. You can narrow down your results by specifying precise strings of text, or tell TweetDeck to get you only Tweets containing videos or images; you can even reduce the time frame to make sure to filter only updated content. In terms of geolocation, there is the option of setting up a location of interest, requesting a certain radius of coverage.
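The filters described in this step, written out as standard Twitter search operators that can be pasted into a TweetDeck search column. This is an added example, not part of the original post; the helper name build_query, the extra keywords, the date and the approximate coordinates are assumptions chosen for illustration.

```python
from datetime import date

MEDIA_FILTERS = {"images", "videos", "media"}

def quote(term):
    """Wrap anything that is not a single plain word in quotes for an exact match."""
    term = term.strip().replace('"', "")
    return term if term.isalnum() else f'"{term}"'

def build_query(all_of=(), any_of=(), author=None, media=None,
                since=None, until=None, geocode=None):
    """Compose one search string; a space between terms is an implicit AND."""
    parts = [quote(t) for t in all_of]
    if any_of:
        parts.append("(" + " OR ".join(quote(t) for t in any_of) + ")")
    if author:
        parts.append("from:" + author.lstrip("@"))
    if media:
        if media not in MEDIA_FILTERS:
            raise ValueError(f"unknown media filter: {media}")
        parts.append(f"filter:{media}")
    if since and until and since > until:
        raise ValueError("since must not be later than until")
    if since:
        parts.append(f"since:{since.isoformat()}")
    if until:
        parts.append(f"until:{until.isoformat()}")
    if geocode:
        lat, lon, km = geocode
        if not (-90 <= lat <= 90 and -180 <= lon <= 180 and km > 0):
            raise ValueError("geocode must be (latitude, longitude, radius_km)")
        parts.append(f"geocode:{lat},{lon},{km}km")
    if not parts:
        raise ValueError("empty query")
    return " ".join(parts)

# One query per TweetDeck column (values below are illustrative assumptions).
COLUMNS = {
    "official": build_query(all_of=["Erdogan"], author="@presidentaz"),
    "footage": build_query(all_of=["Nagorno-Karabakh", "casualties"],
                           media="videos", since=date(2020, 9, 27)),
    "nearby": build_query(any_of=["shelling", "sirens"],
                          geocode=(39.82, 46.75, 50)),
}

if __name__ == "__main__":
    for name, query in COLUMNS.items():
        print(f"{name}: {query}")
```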
STEP #2: Local media outlets and translation
Apart from Twitter-served media results, manually googling local news can be pretty useful to put aside some background noise, focusing on specific information to be gathered. That said, you should try out different sources, especially if you are not used to a country’s media landscape (in terms of trustworthiness and precision). I have therefore listed three local media websites per country and started scrolling down articles. Headlines were all about the ongoing conflict; sometimes, those news sites cover breaking events such as conflicts and protests in real-time, updating data consistently. This comes in handy when dealing with ongoing situations that require constant monitoring; of course, you must not completely trust your source. Especially with clashes in delicate regions, you must expect extreme rhetoric and propaganda manoeuvres that are likely to pollute the reliability of your data. This happens with Tweets posted by personal accounts, from common users to official representatives, let alone partial media outlets which endorse a certain political agenda.
By comparing news websites standing for one side or the other, the first, obvious sensation is that of truly fierce information warfare: both contestants address the other as “fascist” and as fighting an “unjust war” with cruel and violent attacks against civilians. This is the case of Azer Tac, the Azerbaijan State News Agency. Once you get past the propaganda claims, you have a wealth of information “from the frontline”, with constant updates backed by pictures of allegedly destroyed vehicles hit by enemy forces and satellite imagery of tanks devoured by flames (this would open an immense chapter on how to investigate and question the reliability of such statements, but we’ll leave it outside the scope of this introductory article). Likewise, Armenian local news published on Armenpress blames enemy actions and reports civilian casualties. Using local media allows for timely information and, if you can vet their accuracy, this is good to corroborate Tweets and official statements, at least when the situation is ongoing and well-known press agencies are still channelling data to prepare detailed reports.
It’s easy to search for local news by using keywords and text in the original language; for instance, I was requested to look for “civilian casualties”, which translates as “mülki itkilər” in Azerbaijani and “քաղաքացիական զոհեր” in Armenian. Therefore I just copied and pasted those strings on Google News, narrowing the search down to the “Past hour” option in “Tools”. Remember to handle the number you get with extreme care and scepticism! (Probably this is my main OSINT tip within the entire article, and you could think it is an obvious thing — but it isn’t. “Open” does not stand for “any f****** information popping out when googling”).
STEP #3: Searching for live reporting, setting Google Alerts, and verifying content
At this point, I have got this: there’s plenty of information out there, from official statements to smartphone-recorded videos displaying live incidents in remote areas. Therefore, I can explore those places from a certain distance. But what about first understanding, and then verifying, the content? Distance constitutes both an advantage and a drawback: great investigations are conducted completely remotely (make sure to check the work of Bellingcat!), but generally speaking, distance is a broad concept that actually translates into “I am far away from the place where everything’s happening, I can’t speak a word of their language, why am I even looking at young soldiers chanting for a victory in a badly lit street of a Caucasian village?”.
I wanted more on-the-ground material to corroborate my information about the initial artillery exchange between Armenia and Azerbaijan, so I started searching for videos from Nagorno-Karabakh on YouTube, setting the “Live” option, with no success. I tried with previous videos uploaded within a 24-hour time frame, but I mainly retrieved very general images of soldiers, trenches, and shelling with no elements I could use to report any precise activity or incident. Putting YouTube aside, I moved back to the master Google, tailoring my research with precise time frames, locations, and keywords in Armenian and Azerbaijani, failing to catch useful footage. Yet, I thought I would have much more luck in the following hours, so I set up some Google Alerts. This is a very simple tool Google offers you to keep updated with the content of your interest. I set it up to get me “As-it-happens” information about “Nagorno-Karabakh”, selecting “Video” as the source, “Armenian” as the language, “Armenia” as the region, and “All results” in terms of quantity, just to make sure. Google then asks you to provide your email address or select the RSS feed as the delivery option for the alert.
It’s like fishing: you wait for the catch, but you are not sure if you are really successful before vetting the content of your alert. If you are handling user-generated material, it is good practice to check if the upload date coincides with the date of recording, to make sure a video from a different incident has not been used. Amnesty International makes available for free a YouTube video metadata viewer that is handy to check the uploading date and time; you can also use the video ID to cross-check if it has been used somewhere else online. I sometimes try a reverse image search to verify that there are no data referring to the same images on different dates or locations. Amnesty’s solution offers a set of thumbnails extracted from the file and a button that redirects you to Google Images.
The issue is that it is not really accurate, therefore I prefer to run a reverse search on Yandex, which scores far better in Eastern Europe, Central Asia, and Russia. Certainly, there are other expedients to verify videos and images, but I’d like to leave that for another blog: here it is sufficient to mention the importance of verification itself because it is likely that serious events in war-affected regions are manipulated by using edited, crafted, or just recycled pictures and footage from elsewhere.
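The upload-date and video-ID checks described in this step can be scripted once the metadata has been collected. The following is an added example, not part of the original post: the function names, the 24-hour window, the sample links and their upload times are constructed assumptions, and the reference time is the statement time quoted earlier in this post.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

VIDEO_ID = re.compile(r"[A-Za-z0-9_-]{11}")

def extract_video_id(url):
    """Return the 11-character video ID from common YouTube URL shapes, else None."""
    parts = urlparse(url.strip())
    host = re.sub(r"^(www|m)\.", "", (parts.hostname or "").lower())
    candidate = None
    if host == "youtu.be":
        candidate = parts.path.strip("/").split("/")[0]
    elif host in ("youtube.com", "youtube-nocookie.com"):
        if parts.path == "/watch":
            candidate = parse_qs(parts.query).get("v", [""])[0]
        else:
            m = re.match(r"/(?:embed|shorts|live)/([^/]+)", parts.path)
            candidate = m.group(1) if m else None
    return candidate if candidate and VIDEO_ID.fullmatch(candidate) else None

def check_upload(uploaded, event_start, window=timedelta(hours=24)):
    """Compare an upload time with the reported start of the incident (both UTC)."""
    if uploaded < event_start:
        return "recycled"      # online before the incident, so it cannot show it
    if uploaded - event_start <= window:
        return "plausible"     # consistent timing only; content still needs vetting
    return "late"              # uploaded long after; look for an earlier original

def triage(items, event_start):
    """Group shared links by video ID and attach a verdict to each distinct video."""
    report = {}
    for item in items:
        vid = extract_video_id(item["url"])
        if vid is None:
            continue           # not a recognisable YouTube link
        uploaded = datetime.fromisoformat(item["uploaded"].replace("Z", "+00:00"))
        entry = report.setdefault(vid, {"verdict": check_upload(uploaded, event_start), "seen": 0})
        entry["seen"] += 1
    return report

# Constructed sample: video IDs and upload times are invented for illustration.
EVENT_START = datetime(2020, 9, 27, 4, 10, tzinfo=timezone.utc)  # assumed reference time
SAMPLE = [
    {"url": "https://www.youtube.com/watch?v=AAAAAAAAAAA&t=12", "uploaded": "2020-09-27T06:32:10Z"},
    {"url": "https://youtu.be/AAAAAAAAAAA", "uploaded": "2020-09-27T06:32:10Z"},
    {"url": "https://www.youtube.com/embed/BBBBBBBBBBB", "uploaded": "2016-04-03T18:05:00Z"},
]
print(triage(SAMPLE, EVENT_START))
```

A "plausible" verdict only means the timing does not rule the video out; a "recycled" verdict is the useful one, since footage that was online before the incident cannot depict it.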
Conclusions: some takeaways from a newbie
I reported about artillery fire, civilian casualties, and international statements regarding the conflict, but I was not completely satisfied.
OSINT is exciting because there is the perception that everything is accessible at a click, from a safe distance, within an incredible range of a free-choice buffet. It really is, but there is so much rotten food out there that you want to make sure to list your objectives, design a plan, run some background research (as I had to about the Nagorno-Karabakh region and conflict) and tailor your collection to fit your purposes. For now, I’m focusing on narrowing down keywords, locations, and time frames, but I know there’s much more to learn. I’m seriously thinking of keeping on writing about my OSINT journey, from scratch.
I almost forgot: consider having a cool soundtrack in the background — some Lo-fi or chilling beats — especially when engaging in self-paced monitoring endeavours, or when exposed to distressing content for too long.