Russian Spy Discovers The Hard Way How Much His Smartphone's Metadata Reveals About His Activities

from the imagine-what-it's-like-for-the-rest-of-us dept

Smartphones are not just amazing pieces of technology that pack a range of advanced capabilities into a pocket-sized device. They are also the best tracking device invented so far. They reveal where we are, and what we are doing, every minute we have them with us. And the most amazing aspect is that we carry them not because we are forced to do so by authoritarian governments, but willingly.

A permanent state of surveillance is something most people just accept as the price of using mobile phones. But for one class of users, the built-in tracking capabilities of smartphones are far worse than just annoying. For spies -- especially more senior ones -- the information revealed by their mobile phones is not just embarrassing but poses a serious threat to their future operational usefulness.

That's evident from a new investigation carried out by the Bellingcat team in partnership with various media organizations. Techdirt was one of the first to write about Bellingcat's use of "open source information" -- material that is publicly available -- to piece together the facts about what are typically dramatic events. The latest report from the group is slightly different, in that it draws on mobile phone data leaked by a whistleblower in Russia. According to Bellingcat's research, the account seems to be that of the mid-ranking Russian military intelligence (GRU) officer Denis Sergeev:

Newly obtained telephone metadata logs from a telephone number registered in the name of the (cover) persona "Sergey Fedotov" have allowed us to analyze Denis Sergeev's telephone usage -- including calls and data connections -- in the period of May 2017 -- May 2019. The data -- and especially the cell-ID metadata that we have been able to convert to geo-locations -- allowed us to recreate Sergeev's movements. These movements were both in Russia and abroad, as well as his pattern of communications during his overseas operations. Bellingcat obtained the telephone metadata records from a whistleblower working at a Russian mobile operator, who was convinced s/he was not breaching any data privacy laws due to the fact that the person to whom this phone number was registered ("Sergey Fedotov") does not in fact exist.

It's a nice irony that the use of a cover name meant that Russia's data privacy laws were not broken by leaking the telephone metadata. There are two Bellingcat posts. The first uses the records to track Sergeev's movements around central London. Nothing special in that, you might say. Except that Anatoliy Chepiga and Alexander Mishkin, the two Russians suspected by the UK police of attempting to poison a former Russian spy who had been a double agent for the UK, Sergei Skripal (and his daughter), just happened to be in London at exactly the same time:

according to the timeline of Chepiga and Mishkin's movements, as presented by British police, they arrived from their hotel to Waterloo station at approximately 11:45 on that day. Their train to Salisbury, however, would have left at 12:50. Waterloo station is approximately 10 minutes walk from the Embankment. Thus, had a meeting in person been necessary between Sergeev and the Chepiga/Mishkin team -- whether to pass on final instructions or a physical object -- the area between the Embankment and the Waterloo would have been a convenient place, and the one-hour time gap between their arrival to the station and their departure would have likely sufficed.
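To make concrete what converting cell-ID metadata to locations and comparing two subscribers' timelines involves, here is an added Python example (not Bellingcat's tooling and not code from the original post): it resolves constructed (MCC, MNC, LAC, CID) hits against a constructed tower table, collapses one subscriber's hits into dwell segments, and flags the time-and-distance overlaps that the one-hour-window reasoning above relies on. The tower coordinates, subscriber labels and log lines are all made up for the example.

```python
import math
from datetime import datetime, timedelta

# Constructed tower table keyed by (MCC, MNC, LAC, CID); a real analysis resolves
# cell IDs against the operator's site list. Coordinates here are illustrative.
TOWERS = {
    (234, 15, 101, 7001): (51.5074, -0.1222, "Embankment"),
    (234, 15, 101, 7002): (51.5031, -0.1132, "Waterloo"),
    (234, 15, 102, 7101): (51.5194, -0.1270, "Bloomsbury"),
}

# Constructed metadata log, one hit per line: subscriber,ISO time,MCC,MNC,LAC,CID.
SAMPLE_LOG = """
A,2018-01-16T11:10:00,234,15,101,7001
B,2018-01-16T11:45:00,234,15,101,7002
C,2018-01-16T11:47:00,234,15,101,7002
A,2018-01-16T12:05:00,234,15,101,7001
B,2018-01-16T14:30:00,234,15,102,7101
A,2018-01-16T14:40:00,234,15,999,1
"""

def parse_log(text):
    """Parse the log into (subscriber, datetime, cell-id tuple) records sorted by time."""
    records = []
    for line in text.strip().splitlines():
        sub, ts, *cell = (f.strip() for f in line.split(","))
        records.append((sub, datetime.fromisoformat(ts), tuple(int(c) for c in cell)))
    return sorted(records, key=lambda r: r[1])

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (p[0], p[1], q[0], q[1]))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def dwell_segments(records, subscriber):
    """Collapse consecutive hits on one site into (label, first seen, last seen); unknown cells stay 'unknown'."""
    segments = []
    for _, ts, cell in (r for r in records if r[0] == subscriber):
        label = TOWERS.get(cell, (None, None, "unknown"))[2]
        if segments and segments[-1][0] == label:
            segments[-1] = (label, segments[-1][1], ts)
        else:
            segments.append((label, ts, ts))
    return segments

def colocations(records, a, b, window_min=60, radius_km=1.0):
    """Pairs of hits placing a and b within radius_km and within window_min minutes
    of each other; hits on unknown cells cannot be placed and are skipped."""
    window, hits = timedelta(minutes=window_min), []
    for _, ta, ca in (r for r in records if r[0] == a and r[2] in TOWERS):
        for _, tb, cb in (r for r in records if r[0] == b and r[2] in TOWERS):
            if abs(ta - tb) <= window and haversine_km(TOWERS[ca][:2], TOWERS[cb][:2]) <= radius_km:
                hits.append((ta, TOWERS[ca][2], tb, TOWERS[cb][2]))
    return hits
```

Note that the last hit for subscriber A lands on a cell that is not in the table, which is the common real-world case: a cell ID you cannot resolve gives you a time but no place, so it drops out of the co-location check.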

The rest of the first Bellingcat post provides further fascinating details about Sergeev's movements in London, and telephone calls with a mysterious "Amir from Moscow", probably a senior intelligence officer who was his handler back home. The second post tracks Sergeev as he visited Switzerland multiple times between 2014 and 2018. As Bellingcat explains, it is not clear what he was doing there, but there are a number of tantalizing hints.

For example, Sergeev's mobile telephone connected to the cell antenna inside the Maison du Sport, where the Lausanne office of the World Anti-Doping Agency (WADA) is located. That's interesting given Russia's problems with doping in international sport. Sergeev's metadata also indicates that at one point he was physically close to the former US Ambassador to Switzerland, Suzan LeVine, but it's not clear why. Here's one suggestion from Bellingcat:

Was he keeping an eye on Suzan LeVine and her husband while another team tried to introduce a virus or hack into a laptop computer left at the Palace Beau-Rivage where the couple had left their luggage? No longer in office, the diplomat was not entitled to any special security, so perhaps this was seen as a low-hanging opportunity by a GRU team that was already in town. Targeting foreign former government officials -- who may or may not come back into positions of political relevance under a future administration -- appears to be compatible with the long-term strategy of an intelligence service.

There is also the intriguing fact that the alleged assassins Chepiga and Mishkin were present in Geneva during one of Sergeev's visits. Although there is no evidence that they met, it would have been remarkable had they not, since they were in the same city and often travelled together. Finally, it seems that Sergei Skripal was also in Switzerland during one of Sergeev's trips -- another interesting "coincidence."

Both Bellingcat posts are worth reading for the fascinating insights they give into Russian spycraft. The fact that so much can be deduced about someone who has decades of experience of not leaving a trail is a useful reminder of how much more could be gleaned from the smartphone metadata of ordinary citizens, who aren't even trying to hide anything.

Follow me @glynmoody on Twitter, Diaspora, or Mastodon.

Filed Under: anonymity, denis sergeev, metadata, surveillance, tracking


Reader Comments


  • Seegras (profile), 16 Jul 2019 @ 7:51am

    It's an excellent analysis, but there are some open points:

    • Who is behind bellingcat? Rumors say it's connected to MI6
    • Who is the "Russian leaker"?
    • Where is the gps-data from? The phone itself? Or the phone company?
    • Where is the flight data from?
    • Who exfiltrated the data? Englands MI6? the Swiss NBD? Or the Russian GRU?

    • Anon, 16 Jul 2019 @ 9:11am

      Re:

      They have some origin story of being some bloke in his bedroom and financed by journalism workshops (?) but to anyone with even half a functioning brain they are MI6.

    • Anonymous Coward, 16 Jul 2019 @ 10:47am

      Re:

      • Likely MI6
      • Some telco employee, likely to stay anonymous unless they've defected. Could also be a cover for an MI6 plant.
      • phone company. See previous response.
      • Likely MI6
      • Extremely good question.

  • arie, 16 Jul 2019 @ 9:08am

    Bellingcat isn't a reliable source. Read the mea culpa from German paper Der Spiegel.

    https://www.spiegel.de/spiegel/spiegelblog/bellingcat-bericht-zu-mh17-was-wir-lernen-a-1037135.html

    The reason why newspapers embrace Bellingcat is that everything Bellingcat publishes is in the format of (colorful) images and (info?)graphics.
    For a newspaper that is 'sexy' and modern, and therefore they don't vet the source (Bellingcat) thoroughly.

  • Personanongrata, 16 Jul 2019 @ 10:47am

    Bellingcat is a Propaganda Mill

    That's evident from a new investigation carried out by the Bellingcat team in partnership with various media organizations. Techdirt was one of the first to write about Bellingcat's use of "open source information" -- material that is publicly available -- to piece together the facts about what are typically dramatic events.

    You are really scraping the bottom of the barrel in citing Bellingcat as a source (the only source) for your "report".

    Fact check on aisle 9.

    Italicized/bold text was excerpted from the website www.wsws.org found within a report titled -

    The Bellingcat research collective: War propaganda masquerading as “citizen journalism”:

    The Bellingcat “research collective” is a web site established in July 2014 by Eliot Higgins. Originally from Leicester in the UK, Higgins is, as of February, a senior fellow in the Atlantic Council’s Digital Forensic Research Lab and Future Europe Initiative.

    From 2012, Higgins maintained a blog, “Brown Moses,” which became notorious for its pro-imperialist coverage of the Syria conflict. Higgins trawled social media posts--primarily Facebook, Twitter and YouTube--for images and clips that purported to reveal the many types of both homemade and industrially manufactured weaponry in use in the bloodbath provoked by US imperialism.

    In 2013, Brown Moses became embroiled in allegations by the main imperialist powers that the Syrian government used chemical weapons against civilians in the Ghouta suburb of Damascus. By “studying” social media posts of damaged rockets embedded in the ground, the angle of shadows cast and satellite images of the area, Higgins claimed to be able to show that rockets, alleged to contain sarin, had been fired by the Syrian army.

    Higgins’ work was rubbished by a group of Massachusetts Institute of Technology scientists, led by Professor Theodore Postol, a professor of science, technology, and international security. Postol told Mint Press, “It’s clear and unambiguous this munition could not have come from Syrian government-controlled areas as the White House claimed.” Higgins, he added, “has done a very nice job collecting information on a website. As far as his analysis, it’s so lacking any analytical foundation, it’s clear he has no idea what he’s talking about.”

    By 2015, Higgins’ propaganda operation had become so discredited that the German news magazine Der Spiegel was forced to apologise for its uncritical recycling of Bellingcat allegations that the Russian Defense Ministry manipulated satellite image data to support its position on MH17. According to Jens Kreise, an expert in digital image forensics, Bellingcat's technique of “error correction analysis” was “subjective and not based entirely on science.” He added, “This is why there is not a single scientific paper that addresses it.” Kreise went on to describe Bellingcat's work as “nothing more than reading tea leaves.”

    In other words, Higgins/Bellingcat is useful for pumping out propaganda masquerading as “citizen journalism.” The so-called “research collective” is an Internet and social media adjunct of the US government and NATO. The conclusions of its “research” are determined by Higgins’ politics, which serve the interests of the imperialist powers as they gear up for war against Russia.

    https://www.wsws.org/en/articles/2016/10/13/bell-o13.html

    Italicized/bold text was excerpted from the website www.independent.co.uk found within a report titled -

    We should be asking for answers about the Skripals and Bellingcat – and not just from Russia

    What’s so suspect about this, you may ask. Well, let’s start with Bellingcat, which has presented itself in the past as a microcosm of well-meaning and very British amateurishness, based in a Leicestershire bedroom, producing results that put the professional sleuths to shame. In fact, Bellingcat has grown rather a lot beyond its shoestring origins. It has money – where from? It has been hiring staff. It has transatlantic connections. It has never, so far as I am aware, reached any conclusion – whether on the downing of the Malaysian plane over eastern Ukraine, or chemical weapons use in Syria, or now, with the Skripals – that is in any way inconvenient to the UK or US authorities.

    That need not cast doubt on its findings. But should the authenticity of the documents it cites not be subject, at very least, to the same scrutiny as might be applied to other evidence? And when, as this week, UK officials say they do not “dispute” Bellingcat’s identification of Chepiga and Mishkin, does this not prompt a few questions about whether, say, our “agencies” reached the same conclusions long ago, but kept quiet, or why most of the UK’s media apparently find Bellingcat a more trustworthy source than the UK intelligence services (possible answer: Iraq)? Might not the group’s good name be being used to get information into the public domain that officials do not want to vouch for? And, if so, would this be to inform, or to mislead?

    https://www.independent.co.uk/voices/skripals-bellingcat-gru-novichok-anatoly-chepiga-alexander-mishkin-putin-russia-a8577161.html

    • bob, 16 Jul 2019 @ 2:05pm

      Re: Bellingcat is a Propaganda Mill

      As with any open source intelligence, you take the data with a big grain of salt. It's raw intel and could be 100% accurate, partially accurate, or 100% inaccurate. So take this data and see if it stands up to scrutiny and can be corroborated with other evidence.

      I think the bigger takeaway is, look what you can piece together with some metadata from a phone. Now as to who is responsible for this data? Not a clue, and it very well could be a pure propaganda mill. But even the same piece of propaganda can be of use to both sides of a conflict.

  • ECA (profile), 16 Jul 2019 @ 1:27pm

    Hmmmm Older??

    I would think that the older operatives would understand a few things better.
    Considering you have the data for 2 other operatives.

    Considering I'm a bit of a minor technophibe, I do understand wireless, and I do understand GPS.. And I understand the cellphone system a bit... it's called GET A CHEAP OLD PHONE, don't use a smart phone..
    as well as a small dirty trick... you can link cellphones, so that multiple phones ring and connect.. think about that for a moment. How many locations would you like to be in, at 1 moment in time??
    And it's fun that SOME PERSONS have never seen how this works..

    • Anonymous Coward, 16 Jul 2019 @ 3:50pm

      Re: Hmmmm Older??

      A "cheap old phone" still won't protect you all that well, as every time you make or receive a call you're still connecting to a cellular tower somewhere, and even if you're not constantly connected to a data service, you're still showing up enough on the networks to be tracked.

      • ECA (profile), 17 Jul 2019 @ 12:13pm

        Re: Re: Hmmmm Older??

        That's kinda the trick with the other phones... they only connect when you use your phone, but don't have speaker/mic.. they can be anywhere in the area..
        You would need to check each connection to see which one is being really used.
        Then there is an old idea of a relay system.. Not too hard, but setting up a multi connection from 1 phone to another to another, or using a relay system of a sort (small transponders around an area) can show you are in a wide area, not just 1 spot. Connecting to/thru other cell towers..
        Wow this could be fun..

        90% of the restriction on cellphones and even regular base phones is that they mostly use the human audio levels. Creating a secret msg would be like creating a recording, and the background sound is made from the msg to be sent. A bunch of jackhammers, and noise from the city..
        This is fun, can we think of any other ways to mess up the system..

  • Bobvious, 16 Jul 2019 @ 3:30pm

    Once more with feeling!

    All right choir, let's all sing the Chorus from "The government's never metadata it didn't like".

  • Goo Of Unknown Osmolality, 16 Jul 2019 @ 4:01pm

    Oh, brother! "Bellingcat" is ONE fat guy in a London flat.

    That's established.

    By the way, if you want to know WHO gets metadata on nearly every American call, look up "Amdocs", an Israeli corporation.
