How EchoSec Found Evidence of a Russian Fighting in Ukraine

Originally posted on the EchoSec Blog, reproduced with permission.

Recently, the media has been paying close attention to the Donetsk region in northeast Ukraine. We decided to look for ourselves to see if we could identify military personnel of Russian origin in the area.

In a military or global security context, the data pouring from this region can play a pivotal role in command, control, communications and coordination of operations.

Quick, informed decisions are the best decisions.

We used a systematic, 3-phase approach to find, filter, and investigate the social media coming out of Ukraine and Russia.

We started by using a systematic grid search to identify clusters and outliers, then reviewed each cluster and outlier for interesting information. Finally, we reviewed each piece of flagged information across multiple social media sources to correlate information and draw conclusions.

This investigation took us less than 6 hours, and the results were astounding.

Here is how we did it:

Initially, our analyst drew a box over the Donetsk region in northeast Ukraine. The purpose of this large initial search is not to find posts immediately, but to determine where a large number of the posts are clustering. These clusters are going to be prioritized, then analyzed later for anything that stands out.

Upon further inspection of the clusters in the Donetsk region on January 23rd, our analysts found an individual of interest. Due to the nature of the data, no firm conclusions can be drawn about the pictured soldier; however, he appears to have crossed the Russian border into Ukraine to join the fighting only recently.

This particular soldier identified himself as Amigo Desperado, probably an alias. Our analyst then tracked him using a different social media source, VK. VK is a Facebook-like application popular in Russia. As can be seen in the picture below, we can find his date of birth, current city, and the location of several recent posts.

In the following picture, we can see that he was located in Russian territory in early December. He is clearly pictured with the Russian flag, a tank, and a group of men.

We then found a photograph of him 8 days later on December 22nd. The location associated with this post was from within the Ukrainian border.

Finally, we find a photograph that he has posted, where the location tag was directly from the Donetsk region. Using Echosec, we tracked this individual from his Russian home to the center of the conflict within Ukraine. Further information about his identity, his motivations, and his associations can be derived from other social media accounts similar to VK.

While our analyst was looking at the Donetsk region, he saw a number of graphic social media posts that captured the severity of the conflict in the region. These posts included several graphic images of bodies, ordnance and other evidence of the conflict. We elected not to display these graphic images on our blog; however, a social media search near the Donetsk airport or near Mariupol may yield similar results.

Ultimately, the Echosec social media search tool was an effective tool for finding interesting information that is publicly available online. An effective user can sort through large amounts of information quickly to find what he needs. This can include tracking a person of interest, finding out new information in a crisis situation or gathering actionable intelligence.

All information contained in this post is open source, and implications or inferences made by this publication are solely the views of the writer.

Written by: Jason Jubinville @jpjubinville.