Adversaries are using OSINT to attack. Are you ready to use it for good?
As Russian tanks rolled illegally into Ukraine, the ground also shook inside one of Russia’s most notorious ransomware gangs. The cause of this quake? OSINT.
An anonymous Ukrainian security researcher had leaked over 60,000 internal chat logs and source files from Conti, a Ransomware-as-a-Service (RaaS) syndicate responsible for crippling hospitals, governments, and corporations with brutal cyber attacks.
The leaks were posted on open platforms like Twitter, GitHub, and VirusTotal. Armed with this Open-Source Intelligence (OSINT), cybersecurity researchers around the world could do the unthinkable. They could piece together Conti’s operations, map their infrastructure, and delineate the financial flows of a Kremlin-fueled monster. In a matter of days, law enforcement, security organizations, and independent analysts were working off the same open data to dismantle the group’s global reach, using their own playbook.
It’s often said that today’s battles are fought with bytes, not bombs. Today’s cyber battles are no longer fought with just firewalls and antivirus software either. Cybersecurity threats are evolving at an alarming rate, and as stealthy state-sponsored groups weaponize information itself at scale, OSINT has emerged as an essential line of defense – making up an estimated 80% of law enforcement intelligence.
Attacks against networks, systems, and data are coming from cyber adversaries who can use data as sophisticated weaponry against sensitive infrastructures – including those that keep the world running. For those looking for a shield that also evolves at pace, Open-Source Intelligence (OSINT) provides valuable defense by detecting, assessing, and mitigating threats.
Best of all, unlike some other forms of intelligence gathering, OSINT for cybersecurity relies on only legal and ethical data collection methods. This is an important point of difference when it comes to not only enhancing safety, but holding those who threaten it accountable in legal proceedings.
Defining OSINT in Cybersecurity
(For the fundamentals of how OSINT works, including a quick historical rundown, check out our comprehensive OSINT Basics article, ‘What is OSINT?’)
In cybersecurity, OSINT – also known as Internet intelligence investigation (III) or Publicly Available Information (PAI) – is a structured and strategic approach to gathering intelligence that only utilizes publicly accessible information. OSINT can offer real-time insights into threat landscapes, adversary tactics, and emerging risks in ways that other approaches can't.
OSINT in cybersecurity draws from a diverse set of information channels:
- Public Databases: Registries and government transparency websites provide publicly accessible records, often including corporate filings and domain registrations
- Search Engines: Google, Bing and Yahoo can be ‘dorked’ for results, with international search engines a key source for Russian or Chinese data
- Social Media Platforms: Twitter, LinkedIn, Facebook, and Telegram – or VK and Weibo – can reveal discussions, personal details, leaked credentials, chatter about past or future attacks, and useful SOCMINT on individuals and organizations
- Dark Web Marketplaces & Forums: Cybercriminals use dark, deep or Tor-accessible forums and marketplaces to buy and sell stolen data, develop malware, and swap hacking tools and techniques
- Corporate Websites & Metadata: Publicly available documents and metadata can sometimes (unintentionally) expose sensitive internal details
- Leaked Data Repositories: Have I Been Pwned and similar platforms track compromised credentials and data breaches, with many OSINT tools (like ours) incorporating these sites into search results
- Code Repositories: Open-source coding platforms like GitHub can sometimes contain misconfigured credentials, API keys, and source code vulnerabilities – or just revealing data about the tech activities of users
By continuously monitoring these sources – or automating tools that do – cybersecurity professionals can proactively detect security risks. All it takes is OSINT.
Cybersecurity OSINT in the Real World
The 2022 Conti ransomware leaks are not the only example of cybersecurity OSINT at work IRL. Here are a few more that showcase what defensive (and offensive) OSINT can do.
- Hafnium/Microsoft Exchange Breach (2021):
Chinese APT group ‘Hafnium’ was a state-sponsored group targeting infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs to exfiltrate data from structurally vital Microsoft Exchange and 365 servers.
As their counterassault, cybersecurity analysts used OSINT methods. They identified the vulnerabilities Hafnium was exploiting and then publicly shared any malware methodologies and indicators of compromise (IOCs) they found, such as exploit URLs, malicious web shells (e.g. China Chopper), or the IP addresses and domain names used in C2 infrastructure. This ingenious OSINT strategy made for a more rapid and collective response during a devastating global pandemic.
- SolarWinds Supply Chain Attack (2020):
OSINT played a crucial role in unraveling the scope and methods of the 2020 SolarWinds breach. This advanced supply chain compromise was quickly attributed to the Russian-sponsored group APT29: the hackers had accessed the SolarWinds network, injected malicious code called SUNBURST into the third-party Orion monitoring platform, and subsequent Orion updates had spread this malware to 18,000 customers.
Analysts used OSINT – publicly available DNS records, SSL certificates, domain registrations, and malware samples shared on platforms like VirusTotal – to identify C2 infrastructure at work, track back the SUNBURST malware’s spread and find out who’d been affected.
- Secondary Infektion Disinformation Campaign (2014-2020):
The long-running Russian disinformation campaign Secondary Infektion had been responsible for misleading ‘fake’ posts on more than 300 social media and news platforms. Russian government operatives had spent six years promoting pro-Kremlin conspiracies and falsehoods: the lies that NATO is an interfering aggressor, Ukraine is a failed state and an unreliable partner, Western elections are rigged and Russia is the victim of Western plots – alongside Islamophobic portrayals of Muslims and smears against Kremlin critics as morally corrupt, substance-addicted and mentally unstable.
The “Secondary Infektion” title was itself a reference to the Soviet-era “Operation Infektion” disinformation campaign. Fortunately, an OSINT fightback meant this initiative was less widespread and damaging. OSINT analysts scraped Reddit, Facebook, and Medium and analyzed posting patterns, reused accounts, language mismatches, and shared metadata in PDF documents.
They soon tied the effort to a coordinated Russian influence operation, demonstrating how information security has changed in forty years. OSINT behavioral analysis can expose coordinated inauthentic activity before it becomes a worldwide crisis.
- FSB Operative Exposed via Palette OSINT Tool (2024):
Our CEO Nathaniel Fried demonstrated how FBI Most Wanted Russian FSB operative Andrey Stanislavovich Korinets could be traced, using only OSINT.
Using OSINT Industries’ Palette graph visualization tool, this investigation began with Korinets’ name – taken from sanctions lists – and quickly expanded through phone numbers, leaked databases, email addresses, and social media accounts. Cross-referencing with breached data from Russian credit institutions and the courier service SDEK (found via HaveIBeenPwned) revealed phone numbers for Korinets tied to WhatsApp, Telegram, and VK profiles.
From here, Nathaniel mapped Korinets’ connections in real time on Palette, exposing aliases, accounts – and ultimately beer reviews on Google Maps that placed the operative still in his hometown of Syktyvkar, Russia.
How OSINT Strengthens Cybersecurity
1. Threat Intelligence & Early Warning Systems
As the cases above show, OSINT can help identify indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs), and use this intelligence on attackers to predict future threats.
With automation, an early warning system can integrate OSINT data. Machine learning algorithms can identify patterns of malicious activity, meaning human security teams can implement preemptive countermeasures. Analysts and AI can work together as one.
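As an added illustration of the IOC matching described above (example code written for this article, not part of the original post or of any OSINT Industries tool): a feed of shared indicators is parsed and run over DNS and proxy log lines, the kind of early-warning check a team can automate once IOCs are published. The feed values, the log lines and the web-shell path are all constructed for the example.

```python
import ipaddress
import re

# Constructed IOC feed (comma-separated, as shared indicator lists often are);
# every value is hypothetical (RFC 5737 ranges, reserved .example TLD, made-up path).
IOC_FEED = """\
# type,value
ip,203.0.113.45
ip,198.51.100.0/24
domain,c2-relay.example
path,/aspnet_client/system_web/shell.aspx
"""
# Constructed DNS and web-proxy log lines (hypothetical hosts and timestamps).
LOG_LINES = [
    "2021-03-03T10:01:02Z dns host1 query api.c2-relay.example A",
    "2021-03-03T10:01:09Z proxy host2 GET http://203.0.113.45/index.html 200",
    "2021-03-03T10:02:11Z proxy host3 GET http://intranet.local/aspnet_client/system_web/shell.aspx 200",
    "2021-03-03T10:04:20Z proxy host5 GET http://198.51.100.77/update 404",
]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)

def parse_feed(text):
    """Group indicators by type; IPs become networks so single hosts and CIDRs match alike."""
    iocs = {"ip": [], "domain": [], "path": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = line.split(",", 1)
        iocs[kind].append(ipaddress.ip_network(value, strict=False) if kind == "ip" else value.lower())
    return iocs

def match_line(line, iocs):
    """Return the (type, indicator) pairs that fire on one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        addr = ipaddress.ip_address(ip)
        hits += [("ip", str(net)) for net in iocs["ip"] if addr in net]
    for host in {h.lower() for h in HOST_RE.findall(line)}:
        # suffix match so subdomains of a listed domain are caught as well
        hits += [("domain", d) for d in iocs["domain"] if host == d or host.endswith("." + d)]
    hits += [("path", p) for p in iocs["path"] if p in line.lower()]
    return hits

def scan(lines, feed=IOC_FEED):
    """Map each matching line index to the indicators that hit it; clean lines are omitted."""
    iocs = parse_feed(feed)
    matches = ((i, match_line(line, iocs)) for i, line in enumerate(lines))
    return {i: hits for i, hits in matches if hits}
```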
2. Attack Surface Management & Vulnerability Detection
OSINT plays a critical role in attack surface management (ASM). Exposed assets, misconfigurations, and weak security controls make an organization vulnerable to cyber threats; security analysts are often oblivious to the OSINT sources that are just as helpful to bad actors – publicly accessible servers, unpatched software, and leaked credentials.
Before adversaries exploit them, OSINT reconnaissance can help to detect:
- Publicly exposed databases, Internet-of-Things (IoT) and cloud devices
- Vulnerabilities in software and networks
- Leaked credentials and sensitive business data
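An added example for the leaked-credential point made here and under Code Repositories above (example code written for this article, not the original post's or OSINT Industries' own): a small scanner that flags published key formats and high-entropy secrets in a file before it is pushed to a public repository, which is the same exposure an adversary doing OSINT reconnaissance would look for. All sample values are constructed; the AKIA and ghp_ prefixes are the documented public formats.

```python
import math
import re

# Detectors for credential formats commonly committed by mistake. The AKIA and
# ghp_ prefixes are the published formats; every sample value in this file is constructed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"),
}

def shannon_entropy(s):
    """Bits per character; random keys score high, words and placeholders score low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_text(text, min_entropy=3.5):
    """Return (line_no, detector, value) for each suspected secret in a file's text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        seen = set()
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                if value in seen:
                    continue  # already reported by a more specific detector
                # the generic detector needs an entropy gate or it flags placeholders
                if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                seen.add(value)
                findings.append((no, name, value))
    return findings

# Constructed settings file of the kind that gets pushed to a public repository.
SAMPLE = """\
# settings.py (constructed example, every value is fake)
DEBUG = True
AWS_ACCESS_KEY_ID = "AKIAQ2EXAMPLE7KEYXYZ"
DATABASE_PASSWORD = "changeme-changeme-changeme"
API_TOKEN = "q8Zt3vN1pL6kRw9xB2hY7cM4sD0fG5jE"
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
"""

if __name__ == "__main__":
    for no, detector, value in scan_text(SAMPLE):
        print(f"line {no}: {detector}: {value[:6]}...")
```

The low-entropy placeholder on line 4 of the sample is deliberately not reported, while the random-looking API token is caught by the generic detector even though it matches no known prefix.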
3. Incident Response & Digital Forensics
OSINT’s forte is tracking down perpetrators, analyzing attack patterns, and collecting digital evidence. Security teams can use OSINT to:
- Trace malicious IP addresses, domain registrations, and server locations
- Connect cybercriminal groups and understand attack methodologies
- Support legal investigations with a strong OSINT chain-of-custody
4. Social Engineering Prevention
Social engineering attacks like phishing or business email compromise (BEC) can be extremely convincing. However, OSINT can find exposed employee information before it can be utilized by attackers.
OSINT can help security teams to train employees in Operational Security (OpSec) best practices: how to recognize social engineering attempts, and reduce digital footprints to minimize attack vectors.
5. Dark Web & Cybercrime Monitoring
The dark web is a hub for any and all cybercriminal activities. Illicit data sales, ransomware negotiations, and exploit-sharing forums abound. Even so, OSINT-driven dark web monitoring can:
- Track the sale of stolen credentials, intellectual property (IP), and financial data
- Identify chatter around planned cyberattacks
- Monitor hacking forums for emerging malware and exploit kits
With real-time insights from OSINT, enterprises can take proactive Dark Web Intelligence (DARKInt) measures that protect assets and respond to threats before they escalate.
Overcoming Challenges & Limitations of OSINT in Cybersecurity
Despite its advantages, OSINT presents several challenges too. Here’s how to overcome them – reflexively, with OSINT itself.
Challenge: Information Overload
The amount of data on the internet will reach 182 zettabytes by the end of this year. That avalanche of publicly available data is one overwhelming opportunity.
Solution: Automation and AI
Luckily, automation and AI-driven tools mean robust filtering mechanisms can keep all that OSINT data in check.
Challenge: False Positives
Manual searching and some OSINT tools – especially those that rely on databases – can surface outdated, misleading, or inaccurate information that takes time to verify or, worse, misleads an investigation with false positives.
Solution: Real-time OSINT Tools
Swift real-time tools like OSINT Industries can bypass databases altogether, with selector enrichment technology designed to meet our high standards for (unbeatable) accuracy. Cross-reference the information your search brings up.
Challenge: Legal Considerations
Adhering to data privacy laws like CCPA and GDPR, and vital ethical guidelines, is all-important. Not doing so can jeopardize bringing cyber offenders to justice.
Solution: Stick to Open-Source
Open-source data is what makes OSINT, OSINT. Using only open-source data and OSINT tools (like OSINT Industries) with firm ethical and legal compliance can help ensure your investigations respect privacy laws, and maintain the integrity of both the data and analyst.
Challenge: Evasion Techniques
Cybercriminals know analysts are looking. They often use obfuscation methods, like encrypted channels and fake identities to evade OSINT detection.
Solution: Stay One Step Ahead
Stay informed about both new OSINT methodologies and new adversary tactics. Adopt structured OSINT methodologies that undercut obfuscation techniques, and always adapt faster than threat actors can hide.
To see cybersecurity OSINT in action, check out our Case Studies.
Read: FSB Operatives Exposed with OSINT: A Live Palette Investigation