In this episode, we sit down with cyber threat analyst and SANS OSINT instructor, Steven Harris. Steven discusses how Telegram is a must-use channel for investigating the war in Ukraine, and why cyber threat actors are flocking to the app.
Steven Harris is a Cyber Threat Analyst at Protection Group International, where he focuses on investigating hostile cyber and information operations. Steven previously worked in UK law enforcement as a detective specialising in cyber crime.
He is also a Certified SANS Instructor and teaches SEC497 Practical Open Source Intelligence at SANS to students from all over the world. Steven writes about OSINT and investigative techniques on his blog at www.nixintel.info.
Steve: [00:00:00] No one knows how to do everything. We will in this time next year, we'll be, might be talking about a platform or technology that none of us have even heard of today. And we'll have to figure out how that works. So having that, that desire to push on to continuously learn and to solve a, be a problem solver goes a really, really long way to success in this field for sure.
Jeff: Welcome to Needlestack. I'm Jeff Phillips.
Aubrey: And I'm Aubrey Byron. Today we're discussing telegram and social media intelligence.
Jeff: Yes, and joining us for that discussion is Steven Harris. Steven's a certified SANS OSINT instructor and a cyber threat analyst with Protection Group International. Welcome to the show.
Steve: Thank you very much for having me on here. It's my great pleasure to be with you [00:01:00] today.
Jeff: We're super excited to talk to you today. Um, now, I know from our earlier prep call that, um, you have a robust background in law enforcement and that's kind of where the OSINT, um, skills got their, got their start. Can you tell us a little bit about that background, um, how social media started you down this career of, uh, in OSINT? From law enforcement?
Steve: Yes, sure. So, um, I, I always had a, a very deep interest in computers right from being very young and right from the early days of the internet in the late nineties or just when I was finishing high school. Um, but I joined the police in about 2008, and I always wanted to be a detective. And I went down that career route and I did regular detective work. So investigating serious, violent crime. And then as social media became a thing, [00:02:00] um, so I come maybe. So yeah, 2008, 2009, things like Facebook and Twitter became much more widely used and they suddenly started to feature in most of the investigations or a large number of the investigations I was looking at.
And I think it took, it took the police a while to get to grips with this. It was sort of seen as a little bit of a nuisance. Um, and I, I had an interest in it and I still recall when I was a very new detective, I was using, I had a Twitter account and I was using Twitter to appeal for witnesses to a robbery, which now, like, now is a standard thing, like, so, but go back 14, 15 years and I got in trouble for that.
I was threatened with, um, with discipline, uh, with disciplinary action for, for using Twitter, A, in the first place and, B, um, to do something as brazen as, like, try to find witnesses to a robbery. Um, but I, the police changed a lot, uh, over the years and it [00:03:00] became very clear that we needed to have capabilities to understand social media and to get to grips with cyber crime and.
I kind of by accident really just pursued my own interests in that. So applied the stuff I learned in regular investigations in terms of methodology and started applying that to, uh, to digital problems, to social media. Uh, and I did that for many, many years. And only later did we start to call it OSINT, but yeah, I was doing that for quite a while and still do, of course.
Aubrey: Yeah, you, and now you're a SANS course instructor, and you recently had a talk at SANS OSINT Summit about collecting information on the messaging app Telegram. Can, for those who aren't familiar, can you tell us a little bit about Telegram itself and then why it's so significant for research, particularly for the war in Ukraine?
Steve: Yeah, absolutely. So Telegram has actually been around for more than a decade now, and it originally started out just as a, as a messaging app. [00:04:00] And it never, in Western Europe and in the U.S., it never got quite the traction it did in Russia. I mean, it is a Russian app made by the same guys who made VK, which is a very popular Russian social media platform.
Um, but over the years, Telegram started to add in some extra features that make it more like a social media platform. So instead of just having private messages, you have, um, like you have a channel. So that's like a one-way broadcast, a bit like a Facebook page, or you can have groups where of course you can have group chats and discuss particular themes.
You can share files, post videos and so on. Um, so that's been around for a while, but where Telegram has become much more, I guess, essential, um, has been for those of us who do OSINT in Western Europe and in North America is, uh, for the war in Ukraine and also wars in other parts of the world, and in the world of cyber threat [00:05:00] intelligence, Telegram has become the primary platform.
So in, in the war in Ukraine, for example, probably more, I've seen recently that more than half the population of Ukraine and more than half the population of Russia treat Telegram as their primary news source. So soldiers who are fighting in conflict, um, both official channels and unofficial channels, they're on Telegram with their combat footage, um, information operations and cyber operations related to the conflict.
They're all now on Telegram, maybe if you went back 5, 6, 7 years, Twitter might have been the primary source for that, um, though I found Twitter has become more of a secondary place that and Telegram, uh, seems to be the forefront for that, that lifetime, that primary source information.
Jeff: So can you tell us a little bit more about you described kind of what the app is, but what separates it from other?
Even social media apps that you, or even the web in [00:06:00] general for people that are out there collecting research. Like, what do you advise if you're going to go enter into the world of Telegram and searching across channels and individuals?
Steve: Okay, yeah,
Jeff: yeah
Steve: yeah, absolutely. So, um, so it's very different. It's, uh, it's a mobile first app.
So you have to have a mobile phone, a cell phone, uh, in order to act to install the app and activate your account. After that, once you've done that, you can use a Telegram desktop client, uh, which to be honest is much easier to work with. And it has pretty much all the features that you get on the mobile device.
You don't need much in the way of like verification to create an account. So as long as you can receive an SMS or phone call to activate the account, you don't need to provide a photo. You don't need to give your real name. You don't have to upload a copy of your driver's license, for example. Um, so actually staying on the platform is very, very easy once you're in there.
Obviously, it goes without saying from an [00:07:00] OPSEC point of view, not to use your own personal mobile number, to keep that wall of separation between your online research and your private life, of course. Um, but what, um, when you load Telegram, uh, you, you can, it has an okay kind of search facility. You can use it for private messaging amongst your contacts.
Um, I, most researchers I know tend not to use it for that. Uh, but the, it's kind of front row seat of, what's going on in the world, but you have to, you have to find the channels that you want. So let's say, for example, I'm interested in finding out what's happening in the war in Ukraine. I would want to find, um, pro Russian channels made by the Russian military.
I would want to find Ukrainian channels and I would look for the, uh, the information operations actors and their channels. Um, and once you find their channels, it's as simple as you join that channel, and then you essentially have a feed for it. So every time they post, every [00:08:00] time they share a video, upload a file, post an image, that's all there in the app, just like a curated feed, similar to what you'd see on other apps. And you can search across it a little bit more easily than you can on most of the platforms.
Jeff: So, I know we've mentioned Ukraine and Russia and the conflict there. Now, you're a cyber threat analyst in your day to day life. Um, how valuable are you finding Telegram on the CTI front? And are there any examples of things or channels, even, that you may have found and follow?
Steve: Oh, yeah, I mean, there are many of them and we go back a little bit to find why Telegram has become so useful for CTI. Because the way Telegram is made, obviously, it's Russian owned. I think the guys who own it now, they are Russian, but based in Dubai. Um, but Telegram is, they don't cooperate with Western law enforcement, or any law enforcement, for that matter.
So, you, for people who use [00:09:00] Telegram, they feel as though they have a certain degree of safety from law enforcement in a way that they would not on, say, Facebook or Twitter, or another platform, for example. So, because people feel safe, they are more willing to, um, do things which are illegal or borderline illegal, um, on Telegram, such as trading stolen databases, uh, planning DDoS campaigns, um, sharing content, which might be too violent for other platforms, for example.
And they can do that relatively safely, uh, compared to other platforms in terms of that, their law enforcement interference. Um, but also if you are, if you're a threat actor, it's a lot easier to set up and run a Telegram channel than it is to set up a website on the dark web. Of course, they serve different purposes, um, and, but depending on your OPSEC concerns as a threat actor, it's relatively easy to set up and run things on Telegram than having to worry about keeping my Tor [00:10:00] server running and everything else.
So in terms of the kind of stuff that you would find, find there, that's really useful. Um, a lot of data breaches. So, um, stolen data offered for sale, that many, many channels which pop up and go away where they will often share, um, small fragments of a database. And then if you're interested in purchasing that database, you can talk to them and usually buy the full set with a cryptocurrency.
Usually they'll take you to the private, uh, private chat apps for that. Also, and kind of closely linked to the, the war in Ukraine and other conflicts as well, is a lot of threat actors, um, will, they will have a Telegram channel. So they will, I mean, a couple of Russian ones, uh, Hacknet, uh, being one, uh, Beregini, another one, uh, let's think who else, NoName, um, quite, these are quite prominent Russian hacker groups, but they will announce, it's the PR wing of their, uh, their [00:11:00] operations.
So they will say today we, we DDoSed the Ministry of Defense in Sweden, because Sweden gave some money to Ukraine, so we will punish them by doing this. And they'll, they'll, they claim their credit and they announce their targets, um, based on, on Telegram. So Telegram is a front row seat. It's a primary source to get that kind of information.
Aubrey: You said that, uh, the threat actors kind of feel more protected on Telegram. I'm curious, is that a feeling that's justified, or is it largely kind of rooted in a myth that they're, um, a little bit insulated?
Steve: I think no platform is 100 percent safe. I mean, even if you think about the most organized, the most complex darknet communities, there are still plenty of high profile threat actors in jails or under indictment who thought they were safe from the dark web.
So nowhere is a hundred percent safe. Um, but, um, it, it's probably slightly easier to run an operation on [00:12:00] Telegram because if, if I was stupid enough to run my hacking campaign on Facebook, for example, of course, even if Facebook don't ban me, which they probably would, I would... Law enforcement could subpoena Facebook and say, who's this guy, tell us everything you know about him.
And then I have a knock on my door and go to jail. Uh, but on Telegram, that is much less of a risk because Telegram are very polite about law enforcement. They will base, but their take is we'll cooperate with law enforcement, but our data is distributed across hundreds of different servers all over the world.
So you need to go and get your subpoena that's valid in all those different countries, which of course is impossible. Um, so it's kind of a polite refusal. They do say they'll cooperate with law enforcement only in cases of terrorism. Um, but they claim on their website at least to never have done that.
Um, there are some rumors that perhaps they did with the German authorities a few years ago, but officially Telegram said they've never [00:13:00] cooperated with law enforcement. So the impact of that is that threat actors seem to persist on there for quite a long time, and the disruption is a little bit more difficult.
Or at least it appears to be.
Aubrey: Interesting. Well, speaking of the cyber threat world, um, you know, one of the things you investigate is political influence and it's 2024, an election year, not just in the U.S. but, um, all around the world, including Mexico and South Africa and India. Um, are you seeing any trends as far as, you know, disinformation campaigns or just political influence on these apps?
Steve: The short answer is yes. Uh, I mean, as you've highlighted there, there are, everyone in the world seems to be having an election this year. I mean, we have one in the UK now. Um, in fact, when I had the, when I spoke to you a few weeks ago, we weren't having one, we are now. Um, so we, we're having an election, um, the French announced yesterday.
They're going to have an election. Now there's the U.S. elections coming up. [00:14:00] So, um, yeah, and obviously, so foreign threat actors who are hostile to the West, who are hostile to the U.S., will try to influence the elections. Um, that's not a new phenomenon, that has been going on for some time. Um, so how that, the form that takes, uh, we haven't, we are seeing some things which have, have been well reported on by other threat.
Other companies, though, in the terms of the US, which is maybe, obviously, the main electoral event of the year, I guess. I noticed when Microsoft published their election threat report a few months ago, and they remarked on how it had been relatively quiet compared to 2020 and 2016. That does seem to be changing slightly.
And I think that is because, um, we're still a good six, seven months out from, from the sharp end of the election, actually, no, no, no, five, five, six months out from the, from the sharp end of the election. Um, so expect to see an uptick, but, um, in some political [00:15:00] interference information operations by countries that are hostile to the West, they run 24/7, so they become more, more of a mainstream news thing, uh, in, during electoral cycles and.
They put more effort during, during electoral cycles, but they're going all the time. And the ones we've been following for a few years are as busy as they ever were.
Jeff: Switching gears a little bit back to your, um, you know, back to SANS and the fact that you're an instructor, you mentioned, um, when we, when we talked that one of your biggest passions in OSINT, um, are teaching folks about the investigative foundations.
Can you tell us a little bit about that? What do you mean by that? What are the investigative foundations and why are you so passionate about them?
Steve: Yeah, so, the key to success, I think, as an OSINT investigator or an investigative professional in any capacity is to understand why you're conducting an investigation, what the parameters of that investigation are, what you're actually [00:16:00] trying to achieve, and all the, you know, the psychological and logistical things that will derail you, because the bulk of, uh, the core of good intelligence work is analysis.
So you're not just collecting data, you know, intelligence is not like CTF where you just go, here's a flag, here's a flag. The data you collect, you are trying to analyze and summarize what it means for your audience, your client, your boss, whoever. So here's the risk to your organization. Here's the likelihood of this very bad thing happening.
Here are some things you need to be aware of. Here are some trends and connections that we've noticed, depending on what your objective is. And the reason I, I emphasize this so much in the teaching I do at SANS and, and, and, um, sort of mentoring colleagues and so on, is the key to success is not skipping, um, the investigative planning and analysis part.
It's certainly not the most exciting. So I know, for example, if I submitted a paper to a conference and said, hey, guys, I want [00:17:00] to do, I'm going to submit a paper and talk for an hour about cognitive bias, no one would ever accept that paper because it's not exciting. Um, they want to hear about a tool, they want to hear about technique, they want to see a demonstration or a case study, and all that stuff's great.
Um, but what will set you up for success as an OSINT practitioner is understanding how to plan an investigation, how to identify your gaps, and how to conduct your analysis effectively. And then, uh, and this is the hill I will die on, by the way, once you've done that, then you decide what tools and resources you are going to, you're going to choose.
Uh, you choose the tools and the resources to meet the needs of your investigation. The great, um, sort of a great trap that people fall into is they start with that tool. So I've got my favorite tool, be that one I've made or it's, uh, or my favorite Google Docs or something we just purchased. They start with a tool and then let that define the parameters of their [00:18:00] investigation.
Um, and that can cause all kinds of problems. So you will always, if you come to my class or you ever chat about this with me, you will always hear me try to encourage it, like, understand what you're actually trying to achieve first. How are you going to analyze it? What's your final goal? Then pick the tools and techniques that you need to be successful in doing that.
Jeff: That makes a lot of sense in a lot of areas of work or study, right? To create that plan and what do you think the outcomes that you want to get to are? But you got to create that plan versus just jumping into the rabbit holes.
Aubrey: You mentioned your gaps, um. What do you teach your students about dealing with bias and investigations and how do you separate biases from instinct?
Steve: Yeah, that's, that's a really good question. So the bias is, it's something that affects all of us. I mean, and it doesn't matter how long you've been in [00:19:00] investigations and intelligence for, bias affects everybody, uh, in very different ways because that's how we behave as humans and that's fine. Uh, so we don't pretend that we don't have bias. What we try and teach is to recognize that you do have bias, how to identify it, and then how, how to mitigate it.
Uh, but so really the way bias shows up in investigations is you cut corners to come to your conclusions, because in real life, that's fine. Like if I decide what I'm going to make for dinner, if I decide where I'm going to go at the weekend. If I weigh up whether this guy on the other side of the street looks dangerous, I don't do a full detailed analysis of that.
I will just go with the bare facts that are presented to me. I can't do that when I'm writing an intelligence report. But when we have gaps in our information, we tend to not quite naturally close those gaps. We just fill in based on our own experience. So I don't know. I don't know about this guy here, or I'm not sure [00:20:00] how A is linked to B, but I reckon it's probably something like this on the way.
We close those gaps even subconsciously, is we, we tend to, we bring out our bias and usually in a way that is not always obvious to us. We don't, we don't consciously do it. So, um, three really common ones, uh, that are common pitfalls is confirmation bias. So when I'm doing my research, I have a particularly strong view about a hypothesis or a certain group or, as I said, operation or so on.
And I only look for evidence that supports my existing viewpoint. That's really, really common. Um, I guess a well known logical fallacy. It's a well known challenge, but we still do it all the time, as confirmation bias is a really, really tricky one to deal with. Um, availability error is another one that's sort of the second most common bias.
I guess availability error is when we, we take the data that's most [00:21:00] readily presented to us, even if it's not the right one for our case or the right one for our project. Really good example or simple example, I suppose. Um, I'm researching somebody, so I'll go straight to Google. I'll put their name into Google and I'll, I'll begin to work from the first five Google results.
Why have I chosen those? Because they're the first five that were presented to me. Google might not be the best search engine. English might not be the best language to search in. Um, maybe, for the person I'm looking for, uh, Google isn't gonna be helpful at all because it's not, it doesn't index the data in their country.
There might be a better resource hidden on page 250 of Google results. That's actually better. So availability error is just jumping at the things that present themselves most readily to you, even if they aren't the right bit of data that you need, uh, you need. And that's, so that's my, my second, uh, sort of biggest analytical enemy, uh, I suppose.
Um, and the last one is a logical [00:22:00] fallacy called the law of the instrument or the golden hammer, uh, which I, which kind of people have been using that term for a while, but, um, the law of the instrument, it means I have my favorite tool, therefore, I will always use this to solve all my problems. So, uh, the guy, um, the philosopher who came up with this, he came up with a saying, um, if you only have a hammer, every problem looks like a nail.
So, I have my favorite technique, or I have my favorite Google Doc, or I have my favorite software that we've just purchased. Therefore, I am going to make my investigation fit into this tool, whether that's the right thing to do or not. Uh, so yeah, those are, uh, there are many, many biases and we teach students who come to us how to deal with those, common strategies, how to, um, sort of do something called the analysis of competing hypotheses, where you will kind of encourage people to don't just argue the case you believe in.
You take the opposite point of [00:23:00] view, look for stuff that undermines your argument. Don't just pick the stuff that enforces it. And there's many other countermeasures and mitigations too. But yeah, it's good fun. Uh, and it's, and it's a core skill that needs to continue to be refreshed.
Jeff: No, that makes, that, the three of those, those make a lot of sense and have a huge impact on your investigations. Now, I know those techniques and understanding your biases are key to OSINT. Um, and we talked about everyone likes to talk about tools. But are there any tools that you'd recommend on the, on the Telegram front in particular, um, that you find valuable besides the app itself?
Steve: There's, there's a few different tools. So first one is, um, a free tool called Telegago, which is a, it's a custom Google search engine. So it's built a custom search engine or, sorry, programmable search engine that Google calls them now. Uh, Telegago, um, builds on Telegram's, uh, [00:24:00] so it's, well, no, it doesn't build on.
Sorry, I'll rephrase that. Telegago, um, looks for third party information that links back to Telegram, because Telegram itself is not very well indexed by the main search engines.
So it does things like, um, it will look for third party mentions of Telegram channels. Um, it will search through marketing sites that work on Telegram to find things. It's, it's about as close as it gets to a Google for Telegram itself. So that's, uh, that's Telegago. It's been around for a few years. It's quite useful.
Obviously, I mentioned the, the Telegram desktop app itself, um, is also, I don't think that counts as a Telegram tool, but it has so many features that you don't find in the other apps. Um, the, in terms of tooling for working with Telegram, Telegram has a relatively accessible API. So there are a lot of third party tools and bots made for Telegram.
Um, [00:25:00] there was, there is Telepathy, uh, which has been around for a while. Um, was a, a way, basically uses the Telegram API to, to conduct searches, to scrape and so on and so on. Because Telegram has, uh, an open API, or a relatively open API. Also, you need to have somebody with some programming skills. Um, I think, yeah, Telepathy is one that I've used, uh, sort of more regularly, although that's now developed from a command line tool into a full fledged, um, cloud service.
And there are others too that ingest that data, but yeah, that's the, the most, so, Telegram-specific one that I can think of right now.
Aubrey: Before we wrap up, do you have any advice for digital investigators out there, maybe who are exploring new apps or just, you know, looking at how they can kind of upload all their CTI research?
Steve: Oh, yeah. So, um, this sounds really [00:26:00] trite, but it's really, really good advice, which is, um, you need more than any one particular skill, um, is to have that hunger for knowledge, because staying still in digital investigations, like the world moves on and it keeps moving, the technology changes. And I think that the people who do the best in digital investigations are the ones who, they have that curiosity.
So they're driven to find out how does this work? How do I find this out? Um, so that, That drive, that persistence, um, cultivating those characteristics, um, goes a very, very long way, because even if you don't know how to do something, or how to solve the problem that's in front of you, the having that inner drive to do that, um, goes a long way, because I'm telling you someone who's done this for a long time.
No one knows all the answers in this field. No one knows how to do everything. We will, in this time next year, we might be talking about a platform or technology that [00:27:00] none of us have even heard of today, and we'll have to figure out how that works. Having that desire to push on to continuously learn and to solve and be a problem solver goes a really, really long way to success in this field, for sure.
Aubrey: Yeah, just in social media alone, it feels like there's new ones popping up all the time, old ones retiring or half going out of relevancy.
Jeff: Yeah, absolutely. Even, boy, even seems like keeping track of tools can be a full time job as everyone posts and shares their, their tools everywhere. I mean, you could, you could just look to do that.
Um, Steven, thank you so much for joining us today. This was a super interesting conversation. So thank you for spending time with us.
Steve: It's been an absolute pleasure to talk to you and thank you very much for having me.
Jeff: Uh, to our listeners, thank you. You can find out more about Steven and where to find him in our show notes.
And thank you, as usual, for listening. To find transcripts and episode info, visit authentic8.com/Needlestack. [00:28:00] That's authentic with the number eight dot com slash Needlestack. And be sure to let us know your thoughts on X, formerly Twitter. Uh, you can also find us on Bluesky at Needlestackpod, and please like and subscribe wherever you are listening today.
We'll see you next time on Needlestack.
Bye.