International | An open book

Open-source intelligence is piercing the fog of war in Ukraine

Social-media posts and satellite imagery provide a torrent of data, but can overwhelm and confuse

On May 29th 1982 Robert Fox had just witnessed 36 hours of intense warfare over Goose Green, a remote spot on the Falkland Islands, an archipelago in the South Atlantic then being fought over by Britain and Argentina. It was the decisive battle of the war and it had gone Britain’s way. Mr Fox, then a BBC radio correspondent, was keen to tell listeners. It took him ten hours to get to a satellite phone aboard a warship, he recalls. It took another eight hours to decrypt his text in London. The story was not broadcast for 24 hours. Television journalists had it worse, says Mr Fox. Their shots took ten days to reach home.
When the southern Ukrainian city of Kherson was liberated in November, it took just hours, if not minutes, for the news to flood out. Images circulating on Telegram, a messaging service popular in Russia and Ukraine, showed Ukrainian soldiers strolling into the centre of the city and Ukrainian flags lofted over buildings (see clips above). A network of amateur analysts on Twitter tracked the Ukrainian advance, almost in real time, by “geo-locating” the images—comparing trees, buildings and other features to satellite imagery on Google Maps and similar services.
The rise of open-source intelligence, OSINT to insiders, has transformed the way that people receive news. In the run-up to war, commercial satellite imagery and video footage of Russian convoys on TikTok, a social-media site, allowed journalists and researchers to corroborate Western claims that Russia was preparing an invasion. OSINT even predicted its onset. Jeffrey Lewis of the Middlebury Institute in California used Google Maps’ road-traffic reports to identify a tell-tale jam on the Russian side of the border at 3:15am on February 24th. “Someone’s on the move”, he tweeted. Less than three hours later Vladimir Putin launched his war.
Satellite imagery still plays a role in tracking the war. During the Kherson offensive, synthetic-aperture radar (SAR) satellites, which can see at night and through clouds, showed Russia building pontoon bridges over the Dnieper river before its retreat from Kherson, boats appearing and disappearing as troops escaped east and, later, Russia’s army building new defensive positions along the M14 highway on the river’s left bank. And when Ukrainian drones struck two air bases deep inside Russia on December 5th, high-resolution satellite images showed the extent of the damage.
[Image: Dyagilevo air base, with labels marking Il-76 transport planes, Tu-22M, Tu-95, scorch marks and fire suppressant]
The Dyagilevo air base, in Ryazan, south-east of Moscow, houses some of Russia’s long-range bombers including Soviet-era Tu-95 and Tu-22M planes. This image was taken on December 7th, two days after the attack.
Scorch marks and fire suppressant can be seen on the ground where a Tu-22M bomber had been days before. Around ten Tu-22Ms appear to have been moved out of harm’s way, compared with photos taken before the attack.
Image: Planet Labs PBC
But whereas satellites were well-suited to cataloguing Russian battalions laid out neatly in open fields in January, it is harder to capture compelling images of small companies of men dispersed over a wide area and often ensconced in trenches or bunkers. The single most important repository of data during the war has been Telegram.
OSINT analysts scour Telegram channels such as Rybar, an account with over 1m followers, to harvest images of battle, testimony from the front line and the mood among troops. Rybar is not neutral—its founder once worked for the press service of Russia’s defence ministry, and reportedly once had links to Yevgeny Prigozhin, the head of the mercenary Wagner group—but it offers relatively accurate and timely accounts of battlefield movements, including Ukraine’s blitz through Kharkiv in September, and is often critical of Russian policy.
Telegram has become a platform for Russian ultra-nationalists, supportive of the war but dissatisfied with its conduct, to air their grievances against Russia’s military leadership. Popular accounts have circulated images of troops without basic equipment. During the Kherson offensive in early October, one panicked Russian account even used Telegram to make a desperate plea for air support. The first ten years of the Syrian civil war produced video footage running to 40 years, notes Matthew Ford of the Swedish Defence University. In the first 80 days of the Ukraine war, there was ten years of footage—an order of magnitude more.
For armies seeking to maintain operational security, this profusion of data is a nightmare. In 2019, after a series of blunders, Russia passed a law banning soldiers from uploading sensitive photos or videos. It began shutting down railway-tracking websites shortly before the war began, removing a valuable source of data. It has also attempted to obscure patches on soldiers’ uniforms and vehicle markings, to avoid giving away the position of whole units. In October the Kremlin began cracking down on prominent critics on Telegram, such as Igor Girkin, a hardline ex-spook who led Russia’s proxy war in Donbas in 2014. But they remain as garrulous as ever. After at least 89 Russian servicemen—possibly hundreds—were killed by a Ukrainian attack on New Year’s Day in Makiivka, a Russian-occupied town in the Donbas region, Mr Girkin lambasted the incompetence of Russian generals, describing them as “untrainable”.
Nor has Russia staunched the flow of information. “There’s a lot of lessons being learnt very slowly,” says Tom Bullock, an OSINT analyst at Atreides, an intelligence company, “but I think that’s on Telegram, where they know people are looking”. On VKontakte (VK), the Russian equivalent of Facebook, says Mr Bullock, “it’s basically just as bad as it always has been. There’s so many geo-tagged pictures of their bases just floating around at all times.”
This sloppiness can have lethal consequences. In December a Russian volunteer posted photos on VK of forces encamped in a country club in Sahy, an occupied part of Kherson province. His post included a geo-tag of the exact location. Ukrainian missiles later struck it, after which the volunteer posted yet again. This time he uploaded a video showing the extent of the destruction, in effect giving Ukraine a damage assessment from on the ground, noted Rob Lee of King’s College London.
[Images: Sahy, December 8th, December 11th and December 20th]
Images and video posted on VK showing Russian forces at the Grand Prix country club in Kherson province, and later the aftermath of a Ukrainian attack.
As Russia mobilises hundreds of thousands of recruits, most with little experience of a warzone and minimal security training, this vulnerability is likely to grow. “A lot of them see posting on social media as part of their tour of duty,” says Mr Bullock. He recalls tracking a Russian volunteer who was sent to Kherson province in June. The soldier obligingly posted a photograph of every village he drove through on his way from Rostov, in southern Russia, to Kherson, revealing the precise route of Russian supply lines.
“There have been efforts to close or limit OSINT collection,” says HI Sutton, a naval analyst who uses SAR imagery to track ship movements. “But OSINT evolves and people, if they are keen enough, find new ways to figure stuff out.” He gives the example of NASA's Fire Information for Resource Management System (FIRMS), which uses infra-red sensors on satellites to detect active fires. It was originally developed to track things like forest fires. Now it is used to identify missile launches, shellfire and explosions, allowing researchers to discern the latest front line.
[Map panels: 2021 and 2022]
Active fires detected by NASA satellites on June 1st-7th 2021, before the war, and June 1st-7th 2022.
Open sources undoubtedly have their limitations. The torrent of images that emerged from Kherson did so with unusual speed, in part because euphoric residents were keen to take and upload the footage. On one occasion, Ukrainian forces managed to target a Chechen unit near Kyiv within 40 minutes of videos being uploaded to TikTok, according to the New York Times. But on average it takes one to three days for an image to circulate widely and be geo-located, says Andro Mathewson, an OSINT analyst for the HALO Trust, a landmine clearance charity. Images often arrive in bursts when a unit is rotated off the front lines and has time and connectivity to upload footage.
Open sources also entail a form of survivorship bias, akin to the problem, in the second world war, of drawing the wrong lessons by analysing only those planes which returned from missions rather than also those which were shot down. “The footage we see of this war is not necessarily representative of how it is being fought,” says Mr Lee. Tanks hit by anti-tank missiles are more likely to be caught on video than those struck by mines, he notes. Yet a big chunk of Ukrainian tank losses are from mines, according to informed sources.
In a recent talk, General Sir Jim Hockenhull, who ran British defence intelligence until 2022, compared old-fashioned intelligence to assembling a jigsaw puzzle without the lid, showing the complete picture, or all the pieces. “What’s happening with open source is that we still don’t have the lid…but what we have is an almost infinite number of jigsaw pieces.” The result, he said, was that one could assemble “an almost infinite number of pictures”.
That creates “splintered realities”, says Mr Ford. He is working on an open-source narrative history of the war, and reckons it can be done “at what might be considered US intelligence standards”—a remarkable acceleration of military history. But he acknowledges that the infinite jigsaw poses serious challenges. One is the problem of self-deception: seeing the war “as we want to see it, rather than as it is”. Images of cold and hungry Russian recruits huddled in trenches paint a picture of shambolic mobilisation. In practice, Western and Ukrainian officials say they are worried about the units being formed out of sight.
The other problem is seeing what belligerents want you to see. In the early months of the war, videos showed strike after strike by Ukraine’s Bayraktar TB2 drones, many set to catchy music. It was a piece of theatre. “Ukraine recognised very quickly as part of an extremely effective information operations strategy that this was some of the best footage they had,” noted Justin Bronk of the Royal United Services Institute, a think-tank, speaking on a recent podcast. “And so the Ukrainians stored up a lot of that footage and kept drip-feeding it, having got rid of date, time and location stamps to give the impression this was still a major thing a couple of months in.”
Despite those limitations, Western intelligence agencies are taking a keen interest in OSINT. Satellite imagery is old hat. America has had it for more than 60 years, though never quite so much. But a world in which Telegram channels convey a steady stream of battlefield imagery is new and unsettling. “Open source contributes somewhere in the region of 20% of our current processes,” says General Hockenhull, “but the availability and opportunity means that we’ve got to invert this metric.” Rather than sprinkling OSINT over a bedrock of secret intelligence, the secrets should be the icing on an open-source cake. “It’s crucial that we are able to merge those together.”
Sources: AEI’s Critical Threats Project; Institute for the Study of War; NASA Earthdata; Planet; Telegram; VKontakte; The Economist