Case Study 1: Bellingcat — OSINT Investigations Tracking Military Movements

Overview

Bellingcat, an independent investigative journalism collective founded by Eliot Higgins in 2014, has become the world's most prominent example of how open-source intelligence techniques can be used to investigate major geopolitical events. Their work demonstrates that the same OSINT methodologies used in penetration testing — image analysis, geolocation, social media investigation, and public records research — can be applied to investigations of global significance.

This case study examines Bellingcat's most notable investigations to illustrate how OSINT principles work in practice and how they directly parallel the reconnaissance skills needed by ethical hackers.

The MH17 Investigation

Background

On July 17, 2014, Malaysia Airlines Flight 17 was shot down over eastern Ukraine, killing all 298 people on board. The Russian government denied involvement, and the conflict zone made traditional investigation extremely difficult. Bellingcat's investigation would ultimately prove instrumental in identifying the weapon system and the military unit responsible.

OSINT Techniques Applied

Social Media Geolocation: Bellingcat researchers collected hundreds of photos and videos posted by residents along a route through eastern Ukraine. By analyzing buildings, road signs, power lines, and terrain features visible in the background of social media posts, they geolocated a Buk missile launcher being transported on a low-loader truck. They traced its route from Russia into Ukraine and back to Russia, establishing a timeline that matched the shoot-down.

The parallel to penetration testing is direct: during passive reconnaissance, security researchers analyze publicly posted photos and social media content to identify physical locations, building layouts, access control systems, and employee behaviors. The technique of using background details to extract intelligence from images is identical.

Metadata Analysis: Photos posted to social media platforms often retain EXIF metadata including GPS coordinates, timestamps, and camera model information. Bellingcat used metadata from images to verify timing and location claims. Even when platforms stripped metadata, the content of the images themselves (shadow angles, weather conditions, vegetation state) provided temporal and geographic data.

In ethical hacking, metadata from documents published by target organizations reveals author names, internal file paths, software versions, and GPS coordinates — the same category of information that Bellingcat used to track military equipment.
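The metadata check described above, as an added example that is not part of the original case study: it builds a constructed, minimal EXIF blob (the TIFF structure that follows "Exif\0\0" in a JPEG APP1 segment) carrying only a GPS IFD, then parses it back the way a pre-publication scrubbing check would, converting the degrees/minutes/seconds rationals to decimal coordinates. The coordinates are invented sample values.

```python
import struct

# Constructed sample: a little-endian ("II") TIFF/EXIF blob with IFD0 -> GPS IFD.
# Layout: IFD0 at offset 8 (18 bytes), GPS IFD at 26 (54 bytes), rationals at 80.
def build_sample_exif(lat_dms, lon_dms, lat_ref=b"N", lon_ref=b"E"):
    gps_off, data_off = 26, 80
    entry = lambda tag, typ, count, val: struct.pack("<HHI", tag, typ, count) + val
    rationals = lambda dms: b"".join(struct.pack("<II", round(v * 100), 100) for v in dms)
    ifd0 = struct.pack("<H", 1) + entry(0x8825, 4, 1, struct.pack("<I", gps_off)) + b"\0" * 4
    gps = (struct.pack("<H", 4)
           + entry(0x1, 2, 2, lat_ref + b"\0\0\0")              # GPSLatitudeRef (ASCII, inline)
           + entry(0x2, 5, 3, struct.pack("<I", data_off))      # GPSLatitude: 3 RATIONALs at offset
           + entry(0x3, 2, 2, lon_ref + b"\0\0\0")              # GPSLongitudeRef
           + entry(0x4, 5, 3, struct.pack("<I", data_off + 24)) # GPSLongitude
           + b"\0" * 4)                                          # no next IFD
    return b"II" + struct.pack("<HI", 0x2A, 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)

def extract_gps(exif):
    """Return (lat, lon) in decimal degrees from a TIFF/EXIF blob, or None if no GPS IFD."""
    bo = {b"II": "<", b"MM": ">"}.get(exif[:2])   # byte order from the TIFF header
    if bo is None:
        return None
    def read_ifd(off):  # tag -> (type, count, 4 raw value-or-offset bytes)
        n = struct.unpack_from(bo + "H", exif, off)[0]
        return {e[0]: e[1:] for e in (struct.unpack_from(bo + "HHI4s", exif, off + 2 + 12 * i)
                                      for i in range(n))}
    ifd0 = read_ifd(struct.unpack_from(bo + "I", exif, 4)[0])
    if 0x8825 not in ifd0:                        # no GPSInfo pointer: nothing to leak
        return None
    gps = read_ifd(struct.unpack(bo + "I", ifd0[0x8825][2])[0])
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None
    def dms(tag):  # three RATIONALs (deg, min, sec) stored at the entry's offset
        _typ, count, raw = gps[tag]
        off = struct.unpack(bo + "I", raw)[0]
        parts = [n / d for n, d in (struct.unpack_from(bo + "II", exif, off + 8 * i)
                                    for i in range(count))]
        return parts[0] + parts[1] / 60 + parts[2] / 3600
    lat = dms(2) * (-1 if gps[1][2][:1] == b"S" else 1)
    lon = dms(4) * (-1 if gps[3][2][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

if __name__ == "__main__":
    print(extract_gps(build_sample_exif((51, 30, 0.0), (0, 7, 30.0), b"N", b"W")))
```

A non-None result from `extract_gps` on an image about to be published is the signal that the file needs its metadata stripped first.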

Vehicle Identification Through Open Sources: Bellingcat identified the specific Buk missile system (registration number 332) by cross-referencing social media images with Russian Ministry of Defense parade photos and satellite imagery. They traced it to the 53rd Anti-Aircraft Missile Brigade based in Kursk, Russia.

This mirrors how penetration testers trace infrastructure through registration data, certificate records, and public disclosures to identify specific systems and their ownership.

Results

Bellingcat's findings were independently verified by the Dutch-led Joint Investigation Team (JIT), which formally charged four individuals with murder. The investigation demonstrated that rigorous OSINT methodology could produce evidence of sufficient quality for international criminal proceedings.

Tracking the Poisoning of Sergei Skripal

OSINT Techniques

In 2018, after the poisoning of former Russian spy Sergei Skripal in Salisbury, England, Bellingcat identified the two Russian intelligence operatives responsible using OSINT techniques:

Travel Record Analysis: Bellingcat obtained publicly available Russian telephone and travel databases to trace the suspects' movements. They identified "Alexander Petrov" and "Ruslan Boshirov" as aliases used by GRU (Russian military intelligence) officers.

Cross-Referencing Public Records: By cross-referencing car registration databases, residence records, and phone databases, Bellingcat established the real identities of the operatives. They identified "Petrov" as Colonel Anatoliy Chepiga, a decorated GRU officer, by finding records where the alias and real identity shared the same phone number, car registration, or address.

Open Data Correlation: The investigators used passport databases that had leaked online, combined with military unit addresses and personnel records from graduation yearbooks that were publicly available. No single source revealed the operatives' identities — the intelligence came from correlating dozens of individually innocuous data points.

Parallel to Penetration Testing

This investigation perfectly illustrates the OSINT principle that individual data points become intelligence when correlated. In a penetration test:

  • A LinkedIn profile reveals a name and title (one data point)
  • A DNS record reveals an email format (another data point)
  • A conference presentation reveals technical expertise (another data point)
  • A GitHub profile reveals coding projects (another data point)

Individually, these are unremarkable. Combined, they create a comprehensive target profile that enables highly effective social engineering.
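The correlation principle behind both the Skripal identification and the target profile above, as an added example that is not from the original text: records from several sources are joined on shared linking identifiers (phone number, vehicle registration, address, passport number) with a union-find, and records that chain together through any such value end up in one cluster. All records and values below are constructed and fictional; an organization can run the same join over its own published data to see which individually innocuous items link up.

```python
from collections import defaultdict

# Constructed sample records (fictional): (source, display name, attributes).
RECORDS = [
    ("travel_db",    "alias 'A. Ivanov'",   {"phone": "+0-000-111-2222", "passport": "P-0001"}),
    ("vehicle_reg",  "B. Sidorov",          {"phone": "+0-000-111-2222", "plate": "X000XX"}),
    ("residence_db", "B. Sidorov",          {"address": "Unit 00, Example St", "plate": "X000XX"}),
    ("yearbook",     "Cadet B. Sidorov",    {"address": "Unit 00, Example St"}),
    ("travel_db",    "alias 'C. Smirnov'",  {"phone": "+0-000-333-4444", "passport": "P-0002"}),
    ("unrelated",    "J. Doe",              {"phone": "+0-000-999-9999"}),
]

LINK_KEYS = ("phone", "plate", "address", "passport")  # values that identify a person, not a role

def correlate(records, link_keys=LINK_KEYS):
    """Group record indices whose linking attributes chain together (transitively)."""
    parent = list(range(len(records)))
    def find(i):                      # union-find with path halving
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    seen = {}                         # (key, value) -> first record index carrying it
    for idx, (_src, _name, attrs) in enumerate(records):
        for key in link_keys:
            if key in attrs:
                token = (key, attrs[key])
                if token in seen:
                    parent[find(idx)] = find(seen[token])   # same value, same cluster
                else:
                    seen[token] = idx
    clusters = defaultdict(list)
    for idx in range(len(records)):
        clusters[find(idx)].append(idx)
    return sorted(sorted(members) for members in clusters.values())

def cluster_names(records):
    """Human-readable view: one set of (source, name) pairs per cluster."""
    return [{(records[i][0], records[i][1]) for i in c} for c in correlate(records)]

if __name__ == "__main__":
    for group in cluster_names(RECORDS):
        print(group)
```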

Monitoring Military Movements via Satellite and Social Media

TikTok and the 2022 Invasion of Ukraine

In the lead-up to Russia's February 2022 invasion of Ukraine, OSINT researchers — including Bellingcat contributors and independent analysts — tracked massive Russian military buildups using:

Commercial Satellite Imagery: Maxar Technologies and Planet Labs provided satellite images showing the assembly of military forces along Ukraine's borders. Analysts identified specific unit types, equipment quantities, and field hospital deployments from commercial satellite data that is available to any subscriber.

Social Media Monitoring: Russian soldiers posted TikTok videos and Instagram stories from their deployment positions. Geolocation of these posts revealed unit positions, movement patterns, and morale. Some soldiers inadvertently shared GPS coordinates through their social media apps.

Flight Tracking: Publicly available ADS-B flight data (via sites like Flightradar24 and ADS-B Exchange) revealed unusual patterns of Russian military and government aircraft activity near the Ukrainian border.

Rail Movement Tracking: Train enthusiasts and open-source analysts tracked military equipment being transported by rail through Russia using webcam feeds from Russian cities, shared on YouTube and VK (Russia's social media platform).

Implications for Cybersecurity

These techniques have direct cybersecurity applications:

  • Geolocation from social media: Employees posting from office locations, server rooms, or company events inadvertently reveal physical security information.
  • Satellite imagery analysis: Google Maps and satellite views reveal office layouts, server building locations, HVAC systems (indicating server room placement), and physical security measures.
  • Flight and transport tracking: Business travel patterns of executives can be monitored through flight tracking services, revealing relationships and meeting schedules.
  • Webcam and public camera feeds: Publicly accessible cameras near target facilities can reveal employee movements, delivery schedules, and security patrol patterns.

Technical OSINT Tools Used by Bellingcat

Bellingcat has published extensively about their methodology, making their techniques accessible to the security community:

Tool/Technique                    | Bellingcat Use Case                     | Penetration Testing Parallel
----------------------------------|-----------------------------------------|-------------------------------------
Google Earth/Maps                 | Geolocating photos and videos           | Physical recon of target facilities
Social media search               | Tracking military movements             | Employee profiling and OSINT
Reverse image search              | Identifying individuals and locations   | Verifying employee identities
EXIF data analysis                | Verifying photo authenticity            | Document metadata extraction
Public records databases          | Cross-referencing identities            | WHOIS, corporate records
Satellite imagery (Maxar, Planet) | Monitoring infrastructure changes       | Identifying physical security
ADS-B flight tracking             | Tracking government aircraft            | Monitoring executive travel
Chronolocation (shadow analysis)  | Determining photo timestamps            | Verifying temporal claims

Bellingcat's work raises important ethical questions that are directly relevant to ethical hacking:

Public Interest vs. Privacy: Bellingcat's investigations serve the public interest by exposing war crimes and state-sponsored violence. However, the same techniques used to identify intelligence operatives could be used to stalk, harass, or endanger private individuals. The ethical boundary lies in intent, authorization, and proportionality.

Verification and Accuracy: Bellingcat emphasizes rigorous verification of findings. In penetration testing, similarly, we must verify our OSINT findings before including them in reports. Incorrectly attributing a domain or misidentifying an employee can lead to wasted effort and damaged professional relationships.

Data Handling: Bellingcat collects massive amounts of personal data during investigations. They must balance investigative needs with the privacy rights of individuals who are not subjects of the investigation. Ethical hackers face the same challenge: during OSINT collection, you will inevitably encounter personal information that is not relevant to the engagement. This information should not be collected, stored, or included in reports.

Discussion Questions

  1. Bellingcat's methodology relies on correlating data from many sources to build a picture that no single source could provide. How does this principle apply to penetration testing reconnaissance? Can you think of an example where correlating two seemingly insignificant findings produced actionable intelligence?

  2. Bellingcat has faced criticism for potentially endangering sources and subjects through their publications. How do ethical hackers manage similar risks when reporting OSINT findings to clients? What information should be redacted from penetration test reports?

  3. The Russian military has attempted to counter OSINT by restricting soldiers' phone usage and deploying disinformation. What analogous countermeasures can organizations deploy to reduce their OSINT exposure? Which countermeasures are most effective?

  4. Bellingcat's investigations demonstrate that even sophisticated intelligence agencies leave OSINT trails. What does this tell us about the realistic expectations for corporate OSINT defense?

  5. Consider the ethical difference between Bellingcat investigating war crimes and a penetration tester profiling a company's employees. Both use the same techniques. What makes one acceptable on its own while the other requires explicit authorization?

Key Takeaways

  • OSINT investigations at the highest level use the same fundamental techniques as penetration testing reconnaissance: social media analysis, metadata extraction, geolocation, public records research, and data correlation.
  • The power of OSINT lies not in any single data point but in the correlation of many data points into a coherent intelligence picture.
  • Rigorous methodology, verification, and documentation are as important in OSINT as in any scientific discipline.
  • The same techniques that expose war crimes can invade individual privacy — ethical boundaries and authorization are essential safeguards.
  • Organizations face a fundamental challenge: the information they publish for legitimate business purposes can be systematically collected and analyzed by adversaries.