

Discover more from The OSINT Newsletter
The OSINT Newsletter - April 2023 OSINT Review
An overview of research in open source intelligence from April 2023
Welcome to the latest issue of The OSINT Newsletter!
In this newsletter, I provide you with the latest news and updates on open-source intelligence (OSINT) and its importance in investigative journalism, cybersecurity, and more.
In this issue, I cover topics such as the vulnerability of IP cameras, state-sponsored hacking on LinkedIn, and the investigation of ByteDance's use of TikTok to spy on journalists.
I also provide you with some useful OSINT tools and resources to help you in your investigations. Stay tuned for more updates and insights on OSINT in future issues of The OSINT Newsletter.
OSINT Reads
Cause of the Gangnam Plastic Surgery CCTV Leak, 400,000 IP Cameras Exposed to the Internet
A plastic surgery clinic in Gangnam, South Korea experienced a major data breach, in which over 30 female victims - including some celebrities - were recorded by IP cameras and leaked. This breach was caused by Chinese IP cameras manufactured by company "H", due to their weak security and being connected to the Internet.
It has been revealed that over 400,000 IP camera servers are exposed to the Internet and vulnerable, with some servers having CVE vulnerabilities or leaked credentials, which allow for the hacking of raw IP camera footage. It is worth noting that China has the highest number of exposed IP cameras, followed by the US.
To avoid similar breaches, experts recommend taking precautions such as using secure products, setting up authentication, updating software, and using OSINT search engines like Criminal IP when using IP cameras.
A Spy Wants to Connect With You on LinkedIn
A recent article by Wired has revealed that state-sponsored hacking groups from countries such as Iran, North Korea, Russia, and China are regularly using LinkedIn for their hacking activities. False accounts on LinkedIn have been utilized for cryptocurrency fraud, reshipping schemes, and identity theft.
The article highlights the case of a fake account of a researcher named Camille Lons, who was linked to the Iranian hacking group Charming Kitten. According to the report, LinkedIn has implemented new measures to tackle this issue, including the detection of AI-generated photos and message filters.
The latest transparency report by LinkedIn, covering the first half of 2022, indicates that 95.3% of the fake accounts it discovered were blocked by automated defenses. The article recommends using secure products, setting up authentication, updating software, and using OSINT search engines such as Criminal IP to protect oneself when using IP cameras.
The FBI And DOJ Are Investigating ByteDance’s Use Of TikTok To Spy On Journalists
We have learned that the FBI and the Department of Justice are investigating ByteDance, the Chinese parent company of the popular social media app TikTok, over allegations of using the app to surveil American journalists. According to sources, the DOJ Criminal Division and the FBI have issued subpoenas to ByteDance and conducted interviews related to attempts by its employees to access private user data and U.S. journalists' location information. This issue was first reported by Forbes in October 2022, and ByteDance confirmed the allegation after conducting an internal company investigation in December 2022.
This is the first time the federal government has investigated ByteDance's surveillance practices, and it is not yet clear if the DOJ's subpoena is connected to the FBI's interviews.
Investigating Digital Threats: Disinformation
In the last 15 years, social media has experienced unprecedented growth. With this growth, we've seen a rise in online manipulation and disinformation, making it crucial for journalists to understand the differences between the two and use the term "online manipulation" to describe this phenomenon.
Investigative journalists should also be asking whether they are looking at a single incident or a wide-scale attempt at manipulation. Understanding the targeted communities and the impact of the disinformation is crucial for responsible reporting.
To uncover the truth behind online manipulation campaigns, journalists can use traditional and digital methods, as well as tools like Hunchly, WeVerify, and Junkipedia. Staying organized, setting a high burden of proof, and digging for motivation are also important steps in investigating online manipulation.
The UK company spreading Russian fake news to millions
The BBC's Disinformation Team has revealed that a UK-registered media company, Yala News, is spreading Russian state disinformation to millions of people in the Arab-speaking world. Despite claiming to offer impartial news, BBC analysis has shown that most of its content directly mirrors stories on Russian state-backed media sites, and it actually operates out of Syria.
With over three million Arabic-speaking followers, the company regularly posts videos with a distinctly pro-Russian angle. Cyber security and disinformation specialists suggest that Yala News is acting as a "Kremlin loudspeaker" in the Middle East and "information laundering" propaganda through a third party to avoid being identified as being from the Kremlin.
Yala Group is registered in the UK but has no staff or physical offices there, while most of its social media profiles indicate it is based in Damascus. The company has a strong social presence, but its website mainly consists of dummy text and stock photos.
How governments and non-state actors may steer OSINT to their advantage
OSINT has revolutionized the way journalists worldwide make sense of scandals, predict eventualities beforehand, and bring justice to the victims of war crimes. It has become so significant that the International Criminal Court (ICC) is upholding it for the prosecution of war criminals.
However, there are challenges when monitoring the immoral advancements of governments and non-state actors. Anti-satellite facilities, space surveillance stations, tracking vessels from afar, spoofing GNSS, and using satellite lasers are some methods that hinder monitoring efforts. Additionally, the physical aspect of tracking vessels, loopholes in international maritime law, and tampering with vessel identities are issues that need to be addressed.
Social media analysis and data scraping also have their limitations due to laws that disallow data aggregation and the terms and conditions of a particular service. OSINT can also be beneficial for people employed in illegal activities, and the unreliability of data providers' sources can hinder thorough analysis.
To overcome these challenges, one must be prepared for the worst and use alternatives and the presence of mind in this constantly upgrading domain of online investigations.
OSINT Twitter
WhatsApp-OSINT
WhatsApp-OSINT is a tool that tracks the online/offline status of a WhatsApp user if they have the setting enabled. This is a grey-area tool so please use it ethically.
FaceCheck
FaceCheck.ID is another facial recognition tool, similar to PimEyes, that allows you to find websites that match a user’s face. Another grey-area tool, please use ethically.
There’s an ongoing issue as of the publication of this newsletter with Substack and Twitter regarding link sharing and embedding. Due to this, the OSINT Twitter section is intentionally shorter for this issue.
OSINT Resources
Strategy Tribe
StrategyTribe is an organization aiming to centralize, organize and incentivize the collection of widely important data by individuals, born from a need for higher quality, better-scaled OSINT work on the world's most important threat actors.
The organization collaborates with journalists, private sector companies, and governments to circulate their findings in line with their values, which include individual liberty, democracy, and the rule of law within these bounds, as well as the implementation of the Universal Declaration of Human Rights.
The mission is to bring efficient crowdsourced OSINT to the world as a capability to be used for immediate good. The organization recommends users create a fresh browser wallet for their interactions, and wallets and their corresponding submissions are the only data points that the organization stores on any given user.
ngrok
ngrok is a simplified API-first ingress-as-a-service that allows developers to add connectivity, security, and observability to their applications in one line. It enables developers to put their local servers on the internet, access IoT devices in the field, and connect to private-cloud software in seconds without port forwarding, dynamic DNS, or VPN.
ngrok also offers critical controls such as authentication, load balancing, and other security features. It is trusted by over 5 million developers and is recommended by category leaders like Twilio, GitHub, Okta, and Zoom.
CriminalIP
Criminal IP is a search engine for Cyber Threat Intelligence (CTI) that enables users to search for security-related information, such as malicious IP addresses, domains, and banners. Its consumer-grade web UI and API interface allow for easy integration with other security systems. The platform uses AI Spera's proprietary algorithm to provide risk-based scoring and IP address history information. With optimized system communications and a fast display of search results, Criminal IP meets the needs of end-users accessing the Live Service and Integration.