Russia and Ukraine – an Intelligence goldmine

As the crisis between Russia, Ukraine and the West continues to deepen and speculation over a potential conflict, and its scope, grows, what is clear is President Putin has given the West an unprecedented opportunity for intelligence gathering at so many different levels.

What has been noticeable on the many open-source aircraft monitoring platforms are the airborne intelligence gathering platforms that have been bracketing Ukraine, Russia and Belarus from Poland, the Baltics, inside Ukraine and from the Black Sea, hoovering up information from different sources and turning it into intelligence.

There hasn’t been an opportunity since the Cold War for the deployment of large formations of Russian Ground Troops, configured for a large-scale warfighting operation to be looked at and examined in so many different ways. So, what is likely to be going on and what will we know?

The first caveat is that I have to be more generic than I would like to, but within the intelligence game there are only so many ways to gather information, whether through the use of humans or through exploitation of the electromagnetic spectrum. The actual capability of many, if not all, of the collection platforms being targeted at the Russian build-up remains highly classified, and my analysis is therefore speculative, but from a position of knowledge, having overseen many operations to monitor large formation deployments of Russian style formations.

There is a real alphabet soup of intelligence techniques that will be targeted against Russia, and each will be hoovering up vast amounts of information, processing it into a specific brand of intelligence that will then be fused together to provide all source intelligence thereby building a much better and clearer picture as to what is going on.

I do have to caveat that when a sensor picks something up it means it has happened, i.e. it is history, and intelligence is all about looking at what has happened in order to predict what will happen. Predicting the future is never an exact science and is fraught with potential misinterpretations, especially when the opposition know what you are doing and are therefore actively trying to deceive you.

So, what are the aircraft doing and what can they see from so far away from the Russian border? Essentially, they are carrying out 3 types of intelligence gathering, SIGINT, ELINT and MASINT.

Signals Intelligence (SIGINT) will be listening to all of the broadcast communications between military units, formations, headquarters and bases, looking at the frequencies used, the networks that are operational and what is being said in the messages. This will have the ability to confirm the order of battle, i.e., what formations with what kit are deployed and, as the units and formations practice their communications, it will give the intelligence specialists a lot of material to decrypt, confirm previous knowledge and prepare wider indicators and warnings for certain activities.

Electronic Intelligence (ELINT) will be monitoring all of the Radar and other emitters operating in support of Russian activity.  It will be looking at what they use to find and track targets and what weapon systems could be used supported by the radars.  It will also be looking at the control mechanisms for weapon systems.  The very act of flying aircraft, and in the case of the HMS Queen Elizabeth deployment, sailing a warship along the Ukrainian Coast, will stimulate a lot of electronic activity. The ELINT Sensors will hoover all of that activity up and use it to make sense of what systems are being used, but also use it to understand how to disrupt those systems if needed.

Next comes MASINT – Measurement and Signature Intelligence, and this is where the operational and tactical magic happens when monitoring large ground-based formations. Vehicles are effectively lumps of metal and they emit different heat and radar signatures to natural surroundings and even buildings. MASINT can be used to monitor what is where and what has moved, and give an indication of what could be happening. It takes a long time to prepare Armoured formations for operations and they must prepare for specific formations as they advance; all of this data can be picked up utilising a number of techniques when applied to MASINT sensors. This message the Russians will know well, as they have their own capabilities: nothing is hidden, no matter how many camouflage nets there are over it. The only real secret is how much can be seen and how far away.

As platforms are flying, they will be stimulating activity on the ground in response, stimulating reports being sent up chains of command, sent to military and political masters and these reports relate to activity we know about, because we will have caused it. These reports will be targeted by more strategic collection capabilities to identify how they are processed and sent and therefore identify potential vulnerabilities in the systems used to process them and the mechanisms of their transmission. This information is vital in allowing newer responses through cyber to be brought to bear if necessary.

It is the good old tactic espoused by General Rupert Smith during the first Gulf War, when he said, “If the pond is still, don’t be afraid to throw in a pebble and watch how the waves promulgate.” This is exactly the same tactic used in June 2020 when HMS Defender sailed along the Crimean Coast, and for the whole of the HMS Queen Elizabeth task force deployment, watching those who were watching it was invaluable.

Of course, the airborne assets will be complementing what the space-based assets are monitoring and being used to complete the picture from 2 other critical intelligence disciplines.  The first being HUMINT, at a strategic level the national agencies of many countries will be trying to find out what is going on inside the Russian Political, military, and operational headquarters and working to get a handle on the wider intent of President Putin and the real capability of the military forces deployed.

It is almost certain Ukraine will have HUMINT assets targeting the Russian formations deployed close to its borders looking at the orders of battle and the levels of preparations. However, one of the most valuable resources is the huge amount of Open-Source material that is circulating on various social media platforms. There are hundreds of pictures and videos of Russian equipment being moved towards the borders, pictures of training and troops putting personal pictures onto social media.  This Open Source Intelligence (OSINT) is invaluable and colours in or targets much of the information and intelligence gathered from more classified sensors.

So, what is likely to happen? That is anyone’s guess at this point, but there are certain factors that come to bear. Putin won’t want the full might of the international community to come to put pressure on his fragile economy, but he must be seen to do something for his domestic audience and for the massive deployment to seem ‘legitimate.’  He seems to like the NATO Kosovo scenario of going to protect an element of the local population, but to do that he needs to escalate the crisis to the international community before he can think of going, else he needs to de-escalate his preparations in the eyes of the Russian public.

The sorts of potential indicators and warnings of a potential move could include:

  • Increasing domestic rhetoric suggesting Western Interference
  • Increased international rhetoric accusing the west of interference
  • Increasing Rhetoric around ethnic Russians being targeted
  • Rhetoric around Ukrainian incursion into Russia
  • Increased Belarus activity on Polish border with refugees
  • Ukraine Cyber attack
  • Global Cyber attack
  • Russian Black Sea fleet deployed
  • Elements of the Russian Med Fleet deployed
  • Elements of the Russian Northern Fleet Deployed
  • ‘Manufactured’ terrorist activity both against Ethnic Russians but also inside Russia itself – bombs in Moscow / Airliner Shot Down?

However, if he does, he will have limited objectives; the worst-case scenario could be annexing a large part of Eastern Ukraine where the majority of Russian speakers live. He is likely to calculate this as being just under the threshold of a very robust Western intervention, as the last thing Putin could afford is a conflict with the West and he knows this, but emotionally he wants all of Ukraine. He could easily de-escalate, but indicators of that will be domestically focused rhetoric regarding meeting Russia’s objectives and capitulation by the West in some way. We live in interesting times and the robustness of our political leaders will likely be tested to their fullest extent.

A potential Op Plan schematic for a limited Russian Invasion is:

[Figure: Op Plan schematic, Russia and Ukraine]

As the situation develops, further blogs will drill into the detail of what we are seeing but the author can be contacted at any time and details are available on the Contact Us Page. Philip Ingram MBE is a former Colonel in British Military Intelligence.

Traffic Analysis for MI5 – If I were Putin, I would, wouldn’t you?

By Philip Ingram MBE

I am going to start this blog with a caveat, not good practice, but important as what I am saying in it is purely speculative, it is not based on anything more than the supposition of a rambling mind, but I do like to question things I observe.  In addition, I wish to make it clear that I have no evidence, nor am I stating that RT is engaged in espionage in any way, I am merely using its geographical presence for illustrative purposes.

“Covert activity – using false identities – was blended with overt information through Russian media outlets like RT. Too often those in the West focused on one element of this activity – hacking or social media – but failed to see the full spread,” said the BBC Security Correspondent Gordon Corera in his new book Russians Amongst Us when he was talking about interference in elections in 2016.

In 2014 Russia Today launched a dedicated TV channel in the UK rebranded as RT.  Again, according to Gordon Corera’s book, “Putin had said the aim of the network had been ‘to try to break the Anglo-Saxon monopoly on the global information streams.’”  I will come back to RT later.

One of the key activities during the Second World War that enabled the Top-Secret team at Bletchley Park to break the Enigma code was what is referred to as Traffic Analysis.  That Traffic Analysis allowed a picture to be built of what communications networks operated where and when, together with technical analysis of that traffic, i.e. operator fingerprinting, frequencies used, network discipline and more.

The US Manual TM 32-250 / AFM 100-80, Fundamentals of Traffic Analysis (Radio Telegraph), published on 9 Jun 1948, defined Traffic Analysis as “that branch of signal intelligence (SIGINT) analysis which deals with the study of the external characteristics of signal communications and related materials for the purpose of obtaining information concerning the organisation and operation of a communication system.”

The modern equivalent of Traffic Analysis would be the identification of work and personal mobile phones associated with an organisation. However, this would need a collection capability able to collect the information from phones as they first switch on and connect to a network, and that rarely happens in one place, or does it?

Matthias Wilson, a former SIGINT analyst with the German military and Germany’s foreign intelligence service, said, “What happens when a mobile phone first connects to the network? In order to understand this, we have to look at the unique identifiers each phone has. The first would be the serial number of the phone itself called IMEI, the International Mobile Equipment Identity. This 15-digit number contains information on the brand and model of the phone and a unique number allocated to one specific device.

Secondly, each mobile phone will have one (or more) SIM cards containing information provisioned by the provider. The SIM has the IMSI, or International Mobile Subscriber Identity, saved on it. In most cases the IMSI will also consist of 15 digits and is linked to one’s phone number. It is used to identify a user within the mobile network. From the IMSI, you can derive the country and provider the card has been issued through.

When a mobile phone is switched on, it immediately searches for a network to connect to. If a preferred network is found, the phone will send a request to the network and basically ask for a connection to this network. This request will contain the IMSI and in some cases the IMEI as well. If the IMSI is registered in the network’s databases, an authentication process takes place between the phone and the network.” The critical data is contained in the initial network login.

He concluded, “data intercepted from mobile phones logging into a network will provide a rough location, the IMSI that can be linked to a phone number and thus an intelligence target, and in some cases even information on the type of device that is used through the IMEI. Collecting this initial logon is also crucial to following a target over the course of time, as apart from this first connection, a phone will be identified by the temporary IMSI in all further connections.”
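The identifier layout Wilson describes, as an added example that is not part of the original blog: it splits an IMEI into model code, device serial and check digit, and an IMSI into country, provider and subscriber number. The country table is a small constructed subset and both sample identifiers are constructed.

```python
from dataclasses import dataclass

# Constructed subset of the ITU-T E.212 list: MCC -> (country, MNC length).
# The provider code (MNC) is 2 or 3 digits depending on the country, so the
# IMSI cannot be split correctly without this lookup.
MCC_TABLE = {
    "001": ("test network", 2),
    "234": ("United Kingdom", 2),
    "262": ("Germany", 2),
    "310": ("United States", 3),
}

SAMPLE_IMEI = "123456789012347"   # constructed, not a real device
SAMPLE_IMSI = "001010123456789"   # constructed, test-network country code


@dataclass
class Imei:
    tac: str      # Type Allocation Code: brand and model of the phone
    serial: str   # number allocated to one specific device
    valid: bool   # True when the check digit matches the Luhn calculation


@dataclass
class Imsi:
    mcc: str      # Mobile Country Code
    mnc: str      # Mobile Network Code: the provider that issued the SIM
    msin: str     # subscriber number within that provider
    country: str


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a digit string without its check digit."""
    total = 0
    # Walk right to left; the rightmost payload digit is the first one doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def _clean(raw: str, name: str, lo: int, hi: int) -> str:
    """Strip separators and reject anything that is not lo..hi ASCII digits."""
    digits = raw.replace(" ", "").replace("-", "")
    if not (digits.isascii() and digits.isdigit() and lo <= len(digits) <= hi):
        raise ValueError(f"{name} must be {lo}-{hi} digits")
    return digits


def parse_imei(raw: str) -> Imei:
    digits = _clean(raw, "IMEI", 15, 15)
    valid = luhn_check_digit(digits[:14]) == int(digits[14])
    return Imei(tac=digits[:8], serial=digits[8:14], valid=valid)


def parse_imsi(raw: str) -> Imsi:
    digits = _clean(raw, "IMSI", 6, 15)
    mcc = digits[:3]
    if mcc not in MCC_TABLE:
        # Guessing the MNC length would silently mis-assign the provider.
        raise LookupError(f"MNC length unknown for MCC {mcc}")
    country, mnc_len = MCC_TABLE[mcc]
    return Imsi(mcc=mcc, mnc=digits[3:3 + mnc_len],
                msin=digits[3 + mnc_len:], country=country)


if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEI))
    print(parse_imsi(SAMPLE_IMSI))
    # Same trailing digits, different split: 2-digit vs 3-digit provider code.
    print(parse_imsi("234150123456789"))
    print(parse_imsi("310150123456789"))
```
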

OK, so the theory is there, what is next? This comes down to Location, Location, Location.

The RT Studios in London, opened in 2014, occupy a couple of floors of the 118-meter-high Millbank Tower, the highest tower block in the area. Its roof is the natural place for mobile phone antennas from many networks, providing good coverage for this area of London. RT have a direct feed over a high capacity communications link to their main studios in Moscow via satellite, with the uplink dishes also on the roof.

They have a legitimate reason to be on the roof of the building with specialist engineers and their own equipment, configured in any way they need.

When anyone goes into the MI5 or MI6 building, they are not allowed through reception without mobile phones being taken off them and locked away, in most cases people will switch them off before locking them away or putting them in special faraday bags, cutting their signal off from the networks.

When people leave the building again, they naturally switch their phones on, and they register with the nearest and strongest network. I have noticed this on the many occasions I have walked past both MI5 and MI6 HQs and observed people leaving. That network, in proximity to the buildings, is likely to be via the antenna on the roof of the Millbank Tower, where RT have sophisticated data uploading capabilities, transmitting their TV data from Russian state-controlled assets, back to Moscow.

Over time simple pattern of life analysis combined with the Traffic Analysis would enable a picture to be built up of the movement of every phone that registered if that could be identified. Whose phones do the most registering through these masts on a regular basis, who is switching on and off more than normal?

Matthias Wilson continued, “Given the close proximity to the target, I could do this with my own passive collection device and a small stub antenna.”  “There are so many more opportunities,” he added, “as Bluetooth tracking and collection would be easy as well.” Another SIGINT specialist who asked not to be named said, “you’d probably forget about the cellular side of things and tap into the backlink,” referring to the signal from the antenna going back to the network.

As I said at the start of this blog, this is pure speculation based on observation from the ground, a vivid but partially informed imagination and I am sure the security teams in MI5 and MI6 will have examined this particular threat scenario carefully.  However, if I were Putin, I would, wouldn’t you?

 

This blog was written by Philip Ingram MBE, a former senior military intelligence officer with the overt help from Matthias Wilson and covert advice from a number of others for which he is very grateful.  Philip is available for comment if necessary.

 

 

 

The Science behind the Intelligence – MASINT

Why have global leaders from the 5 eyes countries started to blame Iran for shooting down Ukrainian airline flight PS752, a Boeing 737-800 from Tehran on Thursday? How would they know not having access to the on the ground investigation? Philip Ingram MBE a former Colonel in British Military Intelligence explains the science behind the intelligence, MASINT.

Talking about the crash, Justin Trudeau, the Canadian Prime Minister, said in a news conference in Ottawa in Canada on Thursday “We have intelligence from multiple sources, including our allies and our own intelligence. The evidence indicates the plane was shot down by an Iranian surface-to-air missile.”

Before that, CBS News in the US said, “U.S. intelligence picked up signals of a radar being turned on, sources told CBS News.”

The UK’s Daily Mail said, “US intelligence says the Boeing 737 was tracked by satellite data which showed the plane airborne for two minutes before detecting the heat signatures of two surface-to-air missiles.

That was quickly followed by an explosion, officials say, before infrared emissions from the plane showed it burning as it crashed to the ground.”

US President Donald Trump said, ‘It was flying in a pretty rough neighbourhood. Somebody could have made a mistake,’ and went on to tell reporters at the White House on Thursday. ‘I have a feeling that something very terrible happened, very devastating.’

The official Iranian line remains the aircraft suffered mechanical failure, so what is the truth and how can we believe reports from unnamed ‘intelligence sources’ that to the nay-sayers will smack of what the Russians love to call – маскировка (maskirovka) or masking. This is “Fake News” in Donald Trump’s vocabulary, at a time when accurately apportioning blame is critical in the international powerplay and need to de-escalate an unfolding crisis.

It was fascinating that CBS first quoted the unnamed intelligence source describing what had been seen from satellites; most of the intelligence derived from satellites is classified at a level of above TOP SECRET simply because the US doesn’t want the world to know what it sees.

The quotes in the press allow me to introduce the little-known world of what is called MASINT, or Measurement and Signature Intelligence, again a discipline where little is released because of the sensitivities of capabilities.  However, the science around what has been mentioned is relatively straight forward and it is that science that gives a degree of certainty as to what has happened.

According to US intelligence publications, “Measurement and Signature Intelligence (MASINT) is technically derived intelligence (excluding traditional imagery (IMINT) and signal intelligence (SIGINT)) which when collected, processed, and analysed, results in intelligence that detects, tracks, identifies, or describes the signatures (distinctive characteristics) of fixed or dynamic target sources.  MASINT includes the advanced processing and exploitation of data derived from IMINT and SIGINT collection sources.  MASINT sensors include, but are not limited to, radar, optical, infrared, acoustic, nuclear, radiation detection, spectroradiometric, and seismic systems as well as gas, liquid, and solid material sampling systems.”

From the reporting we have 2 signatures that have been analysed. The first is the “signals of a radar being turned on.” There is no one radar signature that does everything for everyone; different radars are designed to carry out different tasks. For example, a long-range air traffic control radar will use a particular frequency to look out long distances, and will rotate relatively slowly looking for objects a long way away and all around it.  Radar uses a radio wave frequency and then analyses how that bounces off a particular object as it moves, using what is called the doppler shift, to work out how that object is moving and where it is relative to the Radar.

There are 3 signatures that are examined with Radars to identify their purpose; every type of radar has a unique fingerprint of signals. These are the frequency of the signal it transmits and the way that transmission is coded, what is called the PRF, or pulse repetition frequency, and the rotation (including speed of rotation, if any) of the radar transmitter; some Radars are fixed and some, like those you see at airports, rotate.  Putting all 3 together you can easily classify a radar as “Air Defence, fire control associated with TOR M-1 (SA15),” and rule in or out what the radar is usually used for, i.e. if it is a search radar or a fire control radar.
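How the three measurements combine into a classification, as an added example that is not from the original post: it derives PRF and rotation period from pulse arrival times and matches them, with the carrier frequency, against an emitter library. The library, its class names, the intercepts and every parameter value are constructed for illustration and are not real radar data.

```python
from statistics import median

# Constructed emitter library (hypothetical classes, invented parameter ranges).
# scan_s is the antenna rotation period in seconds; None means a fixed beam.
LIBRARY = [
    {"name": "long-range search (hypothetical)",
     "freq_ghz": (1.2, 1.4), "prf_hz": (300, 400), "scan_s": (8.0, 12.0)},
    {"name": "short-range acquisition (hypothetical)",
     "freq_ghz": (3.0, 3.5), "prf_hz": (900, 1200), "scan_s": (0.8, 1.2)},
    {"name": "fire control, fixed beam (hypothetical)",
     "freq_ghz": (9.0, 10.0), "prf_hz": (3000, 5000), "scan_s": None},
]

# A silence this many times longer than the pulse interval ends a burst,
# i.e. the rotating main beam has swept past the receiver.
BURST_GAP_FACTOR = 10

# Constructed intercepts: pulse times of arrival in seconds.
# Rotating emitter: 5 sweeps one second apart, 20 pulses per sweep at 1 kHz.
SCANNING_INTERCEPT = [b * 1.0 + k * 0.001 for b in range(5) for k in range(20)]
# Fixed emitter: 200 pulses at 4 kHz with no gaps.
FIXED_INTERCEPT = [k / 4000 for k in range(200)]


def extract_features(toas):
    """Return (prf_hz, scan_period_s or None) from sorted pulse arrival times."""
    if len(toas) < 3:
        raise ValueError("need at least three pulses")
    gaps = [b - a for a, b in zip(toas, toas[1:])]
    # Most gaps are pulse-to-pulse, so the median ignores the few long
    # silences between sweeps.
    pri = median(gaps)
    burst_starts = [toas[0]] + [
        t for gap, t in zip(gaps, toas[1:]) if gap > BURST_GAP_FACTOR * pri
    ]
    if len(burst_starts) > 1:
        periods = [b - a for a, b in zip(burst_starts, burst_starts[1:])]
        scan = median(periods)
    else:
        scan = None  # continuously illuminated: no rotation observed
    return 1.0 / pri, scan


def _within(value, bounds):
    return bounds[0] <= value <= bounds[1]


def classify(freq_ghz, prf_hz, scan_s):
    """Names of every library entry consistent with all three measurements."""
    matches = []
    for emitter in LIBRARY:
        if emitter["scan_s"] is None:
            scan_ok = scan_s is None
        else:
            scan_ok = scan_s is not None and _within(scan_s, emitter["scan_s"])
        if (_within(freq_ghz, emitter["freq_ghz"])
                and _within(prf_hz, emitter["prf_hz"]) and scan_ok):
            matches.append(emitter["name"])
    return matches


if __name__ == "__main__":
    for freq, intercept in ((3.2, SCANNING_INTERCEPT), (9.5, FIXED_INTERCEPT)):
        prf, scan = extract_features(intercept)
        print(f"{freq} GHz, PRF {prf:.0f} Hz, scan {scan}: {classify(freq, prf, scan)}")
```
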

The second signature is more interesting.  The quote that, “satellite data which showed the plane airborne for two minutes before detecting the heat signatures of two surface-to-air missiles. That was quickly followed by an explosion, officials say, before infrared emissions from the plane showed it burning as it crashed to the ground.” This tells us a lot.

It mentions heat signatures and infra-red signatures; simplifying the science behind these terms, they are effectively the same but hide the detail within those phrases.  It is widely reported in scientific journals how astronomers can tell the make-up of a star or the atmosphere around a planet by looking at the different light signatures received by the Hubble, or other space or ground based optical or wide spectrum telescopes.  That is looking billions of miles into space and examining the minutest electromagnetic signatures received.  Infra-Red is merely an electromagnetic signature.

When you burn coal on a home fire it gives off a different heat signature to burning wood or when the fire brigade is using their thermal cameras, through temperature differentials they can see the seat of a fire and in some cases if there are accelerants feeding it.

It is the same with a missile launch, compared to a rocket launch, compared with an explosion.  The spectrum of visible and infra-red radiation detected is different for a solid rocket motor, liquid propelled rocket or an explosive substance going off and these are vastly different to a fuel or oil fire in an engine. For the geeks amongst you the energy released with the breaking of molecular bonds in the fuel or explosive compounds is different depending on the way the molecule breaks down and the excitement of different electrons in atoms as they move between different valence levels. Apologies, my degree was in Applied Science from the Royal Military College of Science, and apologies to my old professors for the inaccuracy caused by oversimplification.

If scientists can use these techniques to work out what is happening billions of miles away, it is reasonable to believe that satellites a few hundred miles into space can detect the same and the intelligence analysts make the same conclusions that scientists can. In addition, a rocket, propelling a warhead to a target will ‘burn’, give an Infra-Red signature for a lot longer than an explosive incident that lasts a fraction of a second and then burning debris will have yet another different Infra-Red signature. Again, this is all part of MASINT.  The Lockheed Martin Space Based Infra-Red Surveillance programme (SBIRS) provides the US with such a capability.

Putting all of this together is not a rapid task when it comes to properly identifying a system, putting it together in a way you can release information outside the classifications used with the systems deployed is a challenge. The science is in the public domain, the claims are in the public domain, putting both together is a naturally logical process and this is how I can be confident that the claims made by Justin Trudeau, reinforced by Boris Johnson, initially reported by CBS and now others, are probably true.

This can easily be reinforced by the suspicions raised when the pilots didn’t transmit a MAYDAY, they were probably incapacitated or killed in the missile explosion, the aircraft was new and had been inspected 2 days beforehand reducing the probability of mechanical failure, the crew were experienced and the Iranians have cleared the crash site before international inspectors could get there. Additional intelligence from SIGINT transmission around the time of the incident will probably tell more if, as is likely, Western intelligence can and has intercepted them. I am more certain than not by a large degree that this was a shoot down and almost certainly accidental. The only positive is that it could cause Iran to rethink the need for a spectacular event as a revenge for the killing of Soleimani, at the very least in the short term.

 

Philip Ingram MBE is a former Colonel in British Military Intelligence and has studied the science behind many different systems at The Royal Military College of Science both at degree and masters level. He remains available for comment.

 

 

 

How can we be certain, the intelligence game?

In the run-up to the action in the early hours of Sat 14th April to bomb very specific targets in Syria to send a clear message, not just to Bashar Al-Assad but the world, that the use of chemical weapons is completely unacceptable, I have noted with sadness the large number of dissenters questioning the decisions of 3 elected heads of state, who represent the world’s policing body, the P5 of the United Nations Security Council.

Even after the attack, we have the leader of the opposition calling it illegal, questioning the decision making and the evidence to say it was Assad who carried out the horrific chlorine attack on Douma killing countless women and children.

The reports that came out of Douma, alongside video released by the Syrian civil defence force, the White Helmets, were not the evidence or intelligence the leaders of the USA, France and UK used to make their decision to bomb Syria; they were merely the initiator of a complex, layered process to understand what happened.

For the uninitiated, I am going to describe the sorts of processes that are in place to ensure that our leaders know that Assad’s forces were behind the chemical attack.  I am leaving myself open to criticism as I cannot go into the real detail of how systems work and what their exact capabilities are, but I ask that people recognise I have used these systems and processes in the past, I have personal experience. Also, intelligence can be wrong but the more independent sources used and the fact that here there would be 3 independent national collection and assessment operations reduces that possibility enormously.

The Middle East and Syria, in particular, is a focus for the intelligence capabilities of many countries involved or affected by the conflict.  These will include the USA, UK, France, Russia, Turkey, Israel, Iran and many more. It is a part of the world with a huge volume of intelligence gathering platforms listening, sniffing, watching, reporting every piece of activity. Banks of analysts will be trying to analyse and interpret that activity, 24/7, 365 days a year – the intelligence cycle of direct, collect, analyse and disseminate is unending.

So, starting with the video from the White Helmets it gave a possible activity at a claimed time with a claimed weapon, how can we know it was a chlorine bomb dropped from an aircraft by Assad’s forces?

Once the reports started coming in, the banks of analysts poring over their intelligence databases will have started to put together the questions they need answering, and looking for information collected that relates to those questions.  The first in this instance would be – was there an aircraft at the claimed time over Douma and if so what type was it, where did it come from and who owned it?

AWACS Airborne early warning aircraft and other capabilities are watching all aircraft movements on a continual basis – they can track hundreds of movements simultaneously and will know if one was there, what type of aircraft it was, civilian/military, fixed wing/rotary wing and possibly even the callsign and model.   They will know where it took off from, the route it took to Douma and where it went back to and the route with the exact times of all activities.

Cross-referencing the movement with signals intelligence data gathered from the aircraft, ships, UAVs and other assets hoovering up all radio traffic and more, there will be recordings of the aircraft’s crew checking in with their air traffic control and operational base. Those recordings will be translated, and translations checked.

So, we now know there was an aircraft in the right vicinity at the right time and we know where it came from and when.  Imagery Intelligence of the base it flew from, going back in time from the moment it took off, will be pored over by imagery intelligence specialists looking for the preparation of the aircraft, the weapons being loaded onto it, the crew joining it and everything that happened prior to it taking off.  That capability exists and can be cross-referenced with capability from partner nations.

It will take time, but the loading of the aircraft will have been photographed. From those pictures an assessment of the weapon can be made – a barrel bomb is not easy to hide from the prying eyes of Western Intelligence. Once that assessment has been made and the number and types of vehicles used to move the weapon to the aircraft identified, the next task is to find the convoy which brought the bomb to the airfield.  Intelligence gathered by the likes of the US JSTARs or UK Sentinel R1 can look for movement from known weapons dumps to the airport over a period of time.  Various possibilities will be identified and will be cross-referenced with detailed imagery analysis of all of these sites and communications to and from the sites. The picture is building.

Human Intelligence (HUMINT) agents on the ground and Signals intelligence (SIGINT) assets will have been tasked to see what they can find out: what are personnel from the bases saying? What discussions are Syrian military and political decision-makers having? How are they reacting to the international condemnation? What is being said between Assad’s people and the Russians? What are the Russians saying back to Moscow? Information in little snippets will be being fed to the analysts, agents will be talking to their contacts, supercomputers will be cross-referencing thousands of communications.

It is highly unlikely that there will be a report of the clarity, “Hello base, this is the heli, we have just dropped the chlorine bomb on Douma and are returning to base, over.” But what our intelligence will have told us is there was a Syrian aircraft over Douma at the time the alleged incident occurred, that aircraft came from an airfield where an object consistent with a barrel bomb was seen to be loaded.  That object is consistent with one loaded onto trucks from a known chemical weapons storage site. HUMINT and SIGINT will add further context.

Intelligence is an art, scientifically approached, it can be wrong, it never (well rarely) gives a 100% picture, but we can be confident that the picture it does give is pretty close to what actually happened.

What I have described above is not necessarily what happened in the run-up to the decision to attack Syria but it will be in the right ballpark….

Note: This blog is written by Philip Ingram MBE, a former British Army Intelligence Officer who has served in the Middle East and Cyprus. If you would like any further comment from Philip, please contact him by clicking HERE