Cyber and Physical Risks Targeting the 2026 Winter Olympics
In this post we analyze the multi-vector threat landscape of the 2026 Winter Olympics, examining how the Games’ dispersed geographic footprint and high digital complexity create unique potential for cyber sabotage and physical disruptions.
The Milano-Cortina 2026 Winter Olympics represent a historic milestone as the first Games co-hosted by two major cities. However, the event’s expansive geographic footprint—covering 22,000 square kilometers across northern Italy—presents a complex security environment. From the metropolitan centers of Milan to the alpine peaks of Cortina d’Ampezzo, security forces are contending with a multi-vector threat landscape.
Kinetic and Physical Security Challenges
The geographically dispersed nature of the Milano-Cortina 2026 Winter Games also creates unique physical security challenges. Because venues are spread across thousands of square kilometers of the Alps, securing transit corridors and ensuring rapid emergency response across different Italian regions—including Lombardy, Veneto, and Trentino—is an incredible logistical hurdle. New tunnels, increased train services, and extended bus routes have been welcomed but create new potential targets for physical disruption by threat actors or protestors.
Terrorist and Extremist Threats
Flashpoint has not identified any terrorist or extremist threats to the Winter Olympic Games. However, lone threat actors in support of international terrorist organizations or domestic violence extremists remain a persistent threat due to the large number of attendees expected and the media attention that this event will attract.
Authorities in northern Italy are investigating a series of sabotage attacks on the national railway network that coincided with the opening of the 2026 Winter Olympic Games. The coordinated incidents—which included arson at a track switch, severed electrical cables, and the discovery of a rudimentary explosive device—caused delays of over two hours and temporarily disabled the vital transport hub of Bologna.
Protests
Flashpoint analysts identified several protests targeting the 2026 Winter Olympics:
US Presence and ICE Backlash: Hundreds of demonstrators have participated in protests in central Milan to demand that US ICE agents withdraw from security roles at the upcoming Winter Olympics.
Anti-Olympic and Environmental Activism: The most organized opposition comes from the Unsustainable Olympics Committee. They have already staged marches in Milan and Cortina, with more planned for February.
Pro-Palestinian Groups: Organizations such as BDS Italia are actively campaigning to boycott the games, demanding that Israel not be permitted to participate. Other pro-Palestinian groups have attempted to disrupt the Torch Relay in several cities and are expected to hold flash mob-style demonstrations in Milan’s Piazza del Duomo during the Opening Ceremony.
Labor Strikes: Italy frequently experiences transport strikes, which often fall on Fridays. Because the Opening Ceremony is on Friday, February 6, unions are leveraging this for maximum impact. An International Day of Protest has been coordinated by port and dock workers across the Mediterranean for February 6.
On February 7, a massive protest of approximately 10,000 people near the Olympic Village in Milan descended into violence as a peaceful march against the Winter Games ended in clashes with Italian police. While the majority of demonstrators initially focused on the environmental destruction caused by Olympic infrastructure, a smaller group of masked protestors engaged security forces with flares, stones, and firecrackers.
Cyber Threats Facing the 2026 Winter Olympics
The Milano-Cortina 2026 Winter Olympics will be among the most digitally complex global events, making it a prime target for cyberattacks. The greatest risks stem from familiar tactics such as phishing, spoofed websites, and business email compromise, which exploit human trust rather than technical flaws. With billions of viewers and a vast network of cloud services, vendors, and connected systems, the games create an expansive attack surface under intense operational pressure.
Italy blocked a series of cyberattacks targeting its foreign ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, with officials attributing the attempts to Russian sources. Foreign Minister Antonio Tajani confirmed the attacks were prevented just days before the Games’ official opening, which began with curling matches on February 4.
Past Olympic Games show a clear pattern of heightened cyber activity, including phishing campaigns, distributed denial-of-service (DDoS) attacks, ransomware, and online scams targeting both organizers and the public. A mix of cybercriminals, advanced persistent threats, and hacktivists is expected to exploit the event for financial gain, espionage, or publicity. Experts emphasize that improving security awareness, verifying digital interactions, and strengthening supply chain defenses are critical, as the most damaging incidents often arise from ordinary threats amplified by scale and urgency.
Staying Safe at the 2026 Winter Games
The security success of Milano-Cortina 2026 relies on the integration of real-time intelligence, advanced technological safeguards, and public vigilance. As the Games proceed, the intersection of cyber-sabotage and physical protest remains the most likely source of operational disruption.
To stay safe at this year’s Games, participants should:
Download Official Apps: Install the Milano Cortina 2026 Ground Transportation App and the Atm Milano app for real-time updates on transit, road closures, and “guaranteed” travel windows during strikes.
Plan Around Friday Strikes: Be aware that transport strikes (Feb 6, 13, and 20) typically guarantee services only between 6:00 AM – 9:00 AM and 6:00 PM – 9:00 PM. Plan your venue transfers accordingly.
Secure Your Digital Footprint: Avoid public Wi-Fi at major venues. Use a VPN and ensure Multi-Factor Authentication (MFA) is active on all your ticketing and banking accounts.
Stay Clear of Protests: While most demonstrations are expected to be peaceful, they can cause sudden police cordons and transit delays.
Respect the Drone Ban: Unauthorized drones are strictly prohibited over Milan and venue clusters. Leave yours at home to avoid heavy fines or interception by security units.
Stay Safe Using Flashpoint
While there are no current indications of imminent threats of extreme violence targeting the Milano-Cortina 2026 Winter Olympics, the event’s vast geographic footprint and digital complexity demand constant vigilance. Securing an event that spans 22,000 square kilometers requires more than just a physical presence; it necessitates a multi-faceted approach that bridges the gap between digital and kinetic risks.
To effectively navigate the intersection of cyber-sabotage, civil unrest, and logistical challenges, organizations and attendees must adopt a comprehensive strategy that integrates real-time intelligence with proactive security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.
Each year, the Super Bowl draws one of the largest live audiences of any global sporting event, with tens of thousands of spectators attending in person and more than 100 million viewers expected to watch worldwide. Super Bowl LX, taking place on February 8, 2026 at Levi’s Stadium, will feature the Seattle Seahawks and the New England Patriots, with Bad Bunny headlining the halftime show and Green Day performing during the opening ceremony.
Beyond the game itself, the Super Bowl represents one of the most influential commercial and media stages in the world, with major brands investing in some of the most expensive advertising time of the year. The scale, visibility, and economic significance of the event make it an attractive target for threat actors seeking attention, disruption, or financial gain, underscoring the need for heightened security awareness.
Cybersecurity Considerations
At this time, Flashpoint has not observed any specific cyber threats targeting Super Bowl LX. Despite the absence of overt threats, it remains possible that threat actors may attempt to obtain personal information—including financial and credit card details—through scams, malware, phishing campaigns, or other opportunistic cyber activity.
High-profile events such as the Super Bowl have historically been leveraged as bait for cyber campaigns targeting fans and attendees rather than league infrastructure. In October 2024, the online store of the Green Bay Packers was hacked, exposing customers’ financial details. Previous incidents also include the February 2022 “BlackByte” ransomware attack that targeted the San Francisco 49ers in the lead-up to Super Bowl LVI.
Although Flashpoint has not identified any credible calls for large-scale cyber campaigns against Super Bowl LX at this time, analysts assess that cyber activity—if it occurs—is more likely to focus on fraud, impersonation, and social engineering directed at ticket holders, travelers, and high-profile attendees.
Online Sentiment
Flashpoint is currently monitoring online sentiment ahead of Super Bowl LX. At the time of publishing, analysts have identified pockets of increasingly negative online chatter related primarily to allegations of federal immigration enforcement activity in and around the event, as well as broader political and social tensions surrounding the Super Bowl.
Online discussions include calls for protests and boycotts tied to perceived Immigration and Customs Enforcement (ICE) involvement, as well as controversy surrounding halftime and opening ceremony performers. While sentiment toward the game itself and associated events remains largely positive, Flashpoint continues to monitor for escalation in rhetoric that could translate into real-world activity.
Potential Physical Threats
Protests and Boycotts
Flashpoint analysts have identified online chatter promoting protests in the Bay Area in response to allegations that Immigration and Customs Enforcement (ICE) agents will conduct enforcement operations in and around Super Bowl LX. A planned protest is scheduled to take place near Levi’s Stadium on February 8, 2026, during game-day hours.
At this time, Flashpoint has not identified any calls for violence or physical confrontation associated with these actions. However, analysts cannot rule out the possibility that demonstrations could expand or relocate, potentially causing localized disruptions near the venue or surrounding infrastructure if protesters gain access to restricted areas.
In addition, Flashpoint has identified online calls to boycott the Super Bowl tied to both the alleged ICE presence and controversy surrounding the event’s halftime and opening ceremony performers. Flashpoint has not identified any chatter indicating that players, NFL personnel, or affiliated organizations plan to boycott or disrupt the game or related events.
Terrorist and Extremist Threats
Flashpoint has not identified any direct or credible threats to Super Bowl LX or its attendees from violent extremists or terrorist groups at this time. However, as with any high-profile sporting event, lone actors inspired by international terrorist organizations or domestic violent extremist ideologies remain a persistent risk due to the scale of attendance and global media attention.
Super Bowl LX is designated as a SEAR-1 event, necessitating extensive interagency coordination and heightened security measures. Law enforcement presence is expected to be significant, with layered security protocols, strict access control points, and comprehensive screening procedures in place throughout Levi’s Stadium and surrounding areas. Contingency planning for crowd management, emergency response, and evacuation scenarios is ongoing.
Mitigation Strategies and Executive Protection
Given the absence of specific, identified threats, mitigation strategies for key personnel attending Super Bowl LX focus on general best practices. Security teams tasked with executive protection should remove sensitive personal information from online sources, monitor open-source and social media channels, and establish targeted alerts for potential threats or emerging protest activity.
Physical security teams and protected individuals should also familiarize themselves with venue layouts, emergency exits, nearby medical facilities, and law enforcement presence, and remain alert to changes in crowd dynamics or protest activity in the vicinity of the event.
The nearest medical facilities are:
O’Connor Hospital (Santa Clara Valley Healthcare)
Kaiser Permanente Santa Clara Medical Center
Santa Clara Valley Medical Center
Valley Health Center Sunnyvale
Several of these facilities offer 24/7 emergency services and are located within a short driving distance of the stadium.
The primary law enforcement facility near the venue is:
Santa Clara Police Department
As a SEAR-1 event, extensive coordination is expected among local, state, and federal law enforcement agencies throughout the Bay Area.
Stay Safe Using Flashpoint
Although there are no indications of any credible, immediate threats to Super Bowl LX or attendees at this time, it is imperative to be vigilant and prepared. Protecting key personnel in today’s threat environment requires a multi-faceted approach. To effectively bridge the gap between online and offline threats, organizations must adopt a comprehensive strategy that incorporates open source intelligence (OSINT) and physical security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.
Flashpoint’s Top 5 Predictions for the 2026 Threat Landscape
Flashpoint’s forward-looking threat insights for security and executive teams, provides the strategic foresight needed to prepare for the convergence of AI, identity, and physical security threats in 2026.
As the global threat landscape accelerates its transformation, 2026 marks an inflection point requiring defensive strategies to fundamentally shift. The volatility observed in 2025 has paved the way for an era soon to be defined by AI-weaponized autonomy, information-stealing malware, systemic instability of public vulnerability systems, and the complete convergence of digital and physical risk.
Flashpoint offers a unique window into these complexities, providing organizations with the foresight needed to navigate what lies ahead. Drawing from Flashpoint’s leading intelligence and primary source collections, we highlight five key trends shaping the 2026 threat landscape. These insights aim to help organizations not only understand what’s next but also build the resilience needed to withstand and adapt to emerging challenges.
Prediction 1: Agentic AI Threats Will Weaponize Autonomy, Forcing a New Defensive Standard
2026 will see continued evolution of AI threats, with future attacks centering on autonomy and integration. Across the deep and dark web, Flashpoint is observing threat actors move past experimentation and into operational use of illegal AI.
As attackers train custom fraud-tuned LLMs (Large Language Models) and multilingual phishing tools directly on illicit data, these AI models will become more capable. The criminal intent shaping their misuse will also become more sophisticated. Additionally, 2026 will see a greater marketplace for paid jailbreaking communities and synthetic media kits for KYC (Know Your Customer) bypass.
These advancements are enabling criminals to move beyond simple tools and engage in scaled, autonomous fraud operations, leading to two major shifts:
Agentic AI is becoming the true flashpoint: Threat actors will be using agentic systems to automate reconnaissance, generate synthetic identities, and iterate on fraud playbooks in near real-time. In this SaaS ecosystem, AI will help attackers leverage subscription tiers and customer feedback loops at scale.
The attack surface will shift to focus on AI Integrations: Organizations are increasingly plugging LLMs into live data streams, internal tools, identity systems, and autonomous agents. This practice often lacks the same security vetting, access controls, and monitoring applied to other enterprise systems. As such, attackers will heavily target these integrations, such as APIs, plugins, and system connections, rather than the models themselves.
“The ubiquity of automation has dramatically increased attack tempo, leaving many security teams behind the curve. While automation can replace repetitive tasks across the enterprise, organizations must not make the critical mistake of substituting human judgement for AI at the intelligence level.
This is paramount because a critical threat in 2026 is Agentic AI autonomy weaponized against soft targets—API integrations and identity systems. The only winning defense will be human-led and AI-scaled, prioritizing purposeful use to keep organizations ahead of this exponential risk.”
Josh Lefkowitz, CEO at Flashpoint
These evolving AI threats will force a fundamental shift in defensive strategies. Defenders will have to shift to deploying systems around AI rather than trust them on their own.
Prediction 2: Identity Compromise via Infostealers Will Become the Foundation of Every Attack
Infostealers will become the entry point, the data broker, the reconnaissance layer, and the fuel for everything that comes after a cyberattack. This shift is already in motion and is accelerating rapidly: in just the first half of 2025, infostealers were responsible for 1.8 billion stolen credentials, an 800% spike from the start of the year. However, 2026 will redefine the malware’s role, making its most valuable output being access, rather than disruption.
Infostealers will become the upstream event that powers the rest of the attack chain. Identity and session data will be increasingly targeted, since it gives attackers immediate access into victim environments. Ransomware, fraud, data theft, and extortion will simply be downstream ways to monetize.
This upstream approach defines the new reality of the attack chain, which is already operational. Nearly every major stealer strain Flashpoint observes now exfiltrates the following:
An organization’s attack surface is no longer just composed of their own networks. It is the entire digital identity of their employees and partners. This new reality requires security teams to take a new approach. Instead of attempting to block attacks, they must proactively detect compromised credentials before they are weaponized. This will be the difference between reacting to a data breach and preventing one.
“The infostealer economy has fully industrialized the attack chain, making initial compromise a low-cost commodity. Multiple security incidents in 2025 tie back to credentials found in infostealer logs. This reality has underscored the critical importance of digital trust—specifically, verifying who can access what resources. For 2026, identity is the perimeter to watch, and security teams must proactively hunt for compromised credentials before they’re weaponized.”
Ian Gray, Vice President of Intelligence at Flashpoint
Prediction 3: CVE Volatility Will Force Redundancy in Vulnerability Intelligence
The temporary funding crisis at CVE in April 2025 and the subsequent CISA stopgap extension through March 2026 exposed the systemic fragility of a centralized vulnerability intelligence model. With the future of the CVE/NVD system hanging in the balance, 2026 will be defined by the urgent need for redundancy and diversification in vulnerability intelligence.
In today’s vulnerability intelligence ecosystem, nearly every organization’s vulnerability management framework relies on CVE and NVD—including its “alternatives” such as the EUVD (European Union Vulnerability Database). The CVE system has grown into a critical global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports. A complete shutdown of CVE would result in a widespread loss of institutional infrastructure.
The next generation of security needs to be built on practices that are resilient, diversified, and intelligence-driven. It should be focused on providing insights that can be used to take action such as threat actor behavior, likelihood of exploitation in the wild, relevance to ransomware campaigns, and business context. Security teams will need to leverage a comprehensive source of vulnerability intelligence such as Flashpoint’s VulnDB that provides full coverage for CVE, while also cataloging more than 100,000 vulnerabilities missed by CVE and NVD.
Prediction 4: Executive Protection Will Remain a Critical Challenge as Cyber-Physical Threats Converge
The continued blurring of lines between cyber, physical, and geopolitical threats will elevate the risk to organizational leadership, turning executive protection into a holistic intelligence function in 2026. The rise of information warfare combined with physical world convergence means the threat to key personnel is no longer purely digital.
In the aftermath of the tragic December 2024 assassination of United Healthcare’s CEO, Flashpoint has seen the continued circulation and glorification of “wanted-style posters” of executives in extremist communities. Additionally, Flashpoint has seen nation-state actors participate, using espionage and influence to target high-value individuals. Organizations must adopt an integrated approach that connects insights from threat actor chatter and a wealth of other OSINT sources. This fusion of intelligence is essential for applying frameworks to ensure the safety of leadership and key personnel.
Prediction 5: Extortion Shifts to Identity-Based Supply Chain Risk
2025 was marked by several large-scale extortion campaigns, demonstrating how the threat landscape is rapidly evolving. Ransomware operations have shifted into a straight extortion play. Flashpoint has observed a surge in new entrants to the ransomware market, accompanied by a decline in the quality and decorum of ransomware groups.
Furthermore, vishing campaigns attributed to “Scattered Spider” have highlighted weaknesses in identity, trust, and verification. Campaigns from “Scattered LAPSUS$ Hunters” have also exposed vulnerabilities in third-party integrations. These attacks culminated in extortion, showcasing that modern attacks will target trusted users and trusted applications for initial access, and will forgo ransomware in place of data access.
As this shift continues into 2026, threat actors will increasingly focus their efforts on exploiting human behavior and identity systems. Instead of attempting to spend resources on breaking network perimeters, attackers will instead socially engineer employees to gain access to corporate systems at scale. This change in TTPs will undoubtedly greatly increase supply chain risk, especially for third parties.
Charting a Path Through an Evolving Threat Landscape with Flashpoint Intelligence
These five predictions highlight the transformative trends shaping the future of cybersecurity and threat intelligence. Staying ahead of these challenges demands more than just reactive measures—it requires actionable intelligence, strategic foresight, and cross-sector collaboration. By embracing these principles and investing in proactive security strategies, organizations can not only mitigate risks but also seize opportunities to enhance their resilience.
As the threat landscape continues to rapidly evolve, staying informed and prepared are critical components of risk mitigation. With the right tools, insights, and partnerships, security teams can navigate the complexities ahead and safeguard what matters most.
In the midst of the Israel-Hamas War, which erupted with a surprising and devastating attack on October 7, 2023 that resulted in the deaths of more than 1,300 Israelis, it is becoming increasingly apparent that the dynamics of this complex conflict extend beyond the actions of Hamas alone. While Hamas took the lead in launching the initial assault, there is evidence, outlined in this article, that numerous other militant and terrorist groups worked in concert with Hamas, which continues to shape the trajectory of the ongoing conflict.
Based on frontline reportage, open-source intelligence, including social media and message platforms, and Flashpoint collections surrounding the events on October 7, we explore the roles and actions of additional militant and terrorist factions, shedding light on their collective impact in the evolving Israel-Hamas War.
We will update this article as the situation in Israel, Gaza, and the Middle East develops.
Militant and Terrorist Groups Involved in October 7 Attack on Israel
Izz al-Din al-Qassam Brigades (كتائب الشهيد عز الدين القسام)
Operation Al-Aqsa Tufan (Flood) involved coordinated attacks from the Gaza Strip into bordering areas in Israel on October 7, coinciding with a major Jewish holiday and marking the beginning of the 2023 Israel–Hamas war. The attack included a rocket barrage of thousands of missiles, vehicle-transported incursions into Israeli territory, kidnappings, including at a music festival, and significant civilian casualties. It has been described as one of the bloodiest days in Israel’s history and the deadliest for Jews since the Holocaust. Founded in the late 1980s, Izz al-Din al-Qassam Brigades is the militant wing of the terrorist organization Hamas. It has been designated as a terrorist organization by several countries, including the United States, Israel, and the European Union.
Palestinian Islamic Jihad (الجهاد الإسلامي الفلسطيني)
As we previously reported, Hamas and PIJ communicate often with followers via Telegram. On the day after the October 7 attacks, PIJ, in one of its main channels, posted that “the elite of Al-Quds Brigades is entering the border to support al-Qassam Brigades fighters (Hamas) and supply them with weapons.” It has also been reported that PIJ took part in the October 7 attacks alongside Hamas.
On October 17, a rocket hit the Al Ahli Arab Hospital in Gaza, killing hundreds of Palestinian civilians. In a statement, Israeli Defense Forces said that “[Palestinian] Islamic Jihad is responsible for the failed rocket launch which hit the hospital in Gaza.” PIJ has denied the allegation in a statement, reportedly calling it “false and baseless.”
Palestinian Islamic Jihad (PIJ) is a Palestinian terrorist organization that is designated by several countries, including the United States, Israel, and the European Union. It was founded in the late 1970s with the goal of establishing an Islamic Palestinian state and has carried out attacks against Israel.
Al-Aqsa Martyrs Brigade (كتائب شهداء الأقصى)
The Al-Aqsa Martyrs Brigade is a Palestinian militant organization affiliated with Fatah, a major Palestinian political party, that has carried out attacks and other activities against Israel. One of the key players in Palestinian politics today, Al-Aqsa Martyrs brigade was founded in the late 1950s and has historically been associated with the Palestine Liberation Organization (PLO). The group was designated a Foreign Terrorist Organization by the US Department of State in 2002.
Above: Screengrab from October 7 showing a video of a man wearing a headband with the Al-Aqsa Martyrs Brigade emblem. The video, posted in an official Al-Aqsa Martys Brigade Telegram channel, shows the man speaking alongside a gravely injured Israeli soldier. The message hashtag translates to “#Scenes_of_enemy_soldiers_capture” (Image: Flashpoint)
Democratic Front for the Liberation of Palestine (الجبهة الديمقراطية لتحرير فلسطين)
The Democratic Front for the Liberation of Palestine (DFLP) is a Palestinian political and militant organization founded in 1969, known for its left-wing and Marxist ideologies. It has historically aimed for the liberation of Palestine and the establishment of an independent Palestinian state through both militaristic and political means. While a member of the Palestine Liberation Organization (PLO), it has not been as prominent as other Palestinian factions like Fatah or Hamas in recent years.
Above: Pictures posted by an official Democratic Front for the Liberation of Palestine showing armed militants reportedly inside Israeli territory on October 7. (Image: Flashpoint)
Palestinian Mujahideen Movement (حركة المجاهدين الفلسطينيين)
The Palestinian Mujahideen Movement is a Palestinian militant organization that emerged in the early 1970s with the goal of resisting Israeli occupation and achieving Palestinian self-determination through various armed activities and operations against Israeli forces. However, it is not as widely recognized or prominent as Palestinian terrorist groups like Hamas or the Palestinian Islamic Jihad (PIJ).
Above: Screengrab of an official Palestinian Mujahideen Movement channel showing an image of Dr. Asaad Abu Sharia, the General of the Palestinian Mujahideen Movement, congratulating the “heroes…who stormed the positions and settlements of [Israel].”
We have shared this Telegram message in lieu of the many messages shared in the same channel the day prior, October 7, that showed graphically violent images of what appears to be soldiers in IDF uniforms. (Image: Flashpoint)
Popular Resistance Committees (لجان المقاومة الشعبية)
The Popular Resistance Committees (PRC), whose military wing is referred to as Al-Nasser Salah al-Deen Brigades (ألوية الناصر صلاح الدين), are a coalition of various Palestinian factions and armed groups in the Gaza Strip. They were formed in the early 2000s during the Second Intifada, a period of intense Palestinian-Israeli conflict. The PRC includes members from different political and militant backgrounds and has carried out attacks against Israel. While not as prominent as terrorist organizations like Hamas or the Palestinian Islamic Jihad (PIJ), the PRC has played a role in the ongoing Israeli-Palestinian conflict, as evidenced by the events of October 7, 2023.
Above: Screengrab of communications within the official Al-Nasser Salah al-Din Brigades Telegram channel from October 7, alongside photos of allegedly confiscated military equipment and IDs belonging to captured Israeli soldiers. (Image: Flashpoint)
Those who could join the fight
Lebanese Hezbollah (حزب الله اللبناني)
Though not directly involved in the October 7 attacks, Lebanese Hezbollah and Israel have exchanged assaults in connection with the ongoing Israel-Hamas War since October 8.
Also known as Hezbollah, Lebanese Hezbollah is a Shiite Islamist political and militant organization based in Lebanon. It was founded in the early 1980s with support from Iran, following the Israeli invasion of Lebanon. Hezbollah’s primary goal is to resist Israel and promote Shiite interests in Lebanon and the wider region. The group was designated a Foreign Terrorist Organization by the US Department of State in 1997, the same year as Hamas and PIJ.
Lions’ Den (عرين الأسود)
Saraya al-Quds Military spokesman Abu Hamza has calledfor Lions’ Den and Jenin Brigade, another Palestinian militant group, to join the fight.
The Lions’ Den is a Palestinian militant group in the Israeli-occupied West Bank, formed in August 2022. Comprising members from various Palestinian militant and terrorist organizations, including Hamas and Palestinian Islamic Jihad, along with disaffected Fatah members, it resonates with some young Palestinians frustrated by the Israeli occupation, settlements, settler violence, and the perceived ineffectiveness of the Palestinian Authority. They have engaged in various West Bank attacks, funded in part by Hamas.
These profiles represent the most meaningful actors on the digital and physical frontlines of the Israel-Hamas War at the moment. Flashpoint has seen an expansion of participants as the conflict unfolds and expands into new physical and digital theaters. We will therefore update this article as the situation continues to develop.
Telegram, with its 700 million-plus-strong user base, has evolved into a pivotal communication hub for Hamas and Palestinian Islamic Jihad (PIJ). Its robust privacy and encryption protocols safeguard communications while also providing a covert operational space for militant groups and cybercriminals. The platform’s role in open-source intelligence (OSINT) is vital, offering real-time insights into unfolding global events, such as the ongoing military conflict between Hamas and Israel, and becoming an essential tool for intelligence professionals navigating the multifaceted landscape of contemporary warfare. Organizations with regional interests should perceive Telegram as a crucial asset in understanding their risk apertures and navigating through conflict complexities.
In the context of recent global conflicts, including the Russia-Ukraine war and the Hamas-Israel conflict, platforms like Telegram have demonstrated their significance by providing real-time updates, documenting potential war crimes, and offering a platform for anti-war narratives amidst governmental censorship. Both scenarios underscore Telegram’s evolving role in modern warfare, influencing narratives and strategies, and providing a digital battlefield for organizations and intelligence professionals to navigate and anticipate conflict dynamics.
This digital battlefield, while shaping the narratives and strategies in contemporary conflicts, abruptly collided with reality on October 7, when the virtual orchestrations of Hamas transformed into a tangible, devastating surprise attack on Israel.
Hamas militants launched an unexpected, devastating attack on Israel on October 7, resulting in hundreds of casualties and numerous hostages. Over 2,000 rockets were fired into Israel, causing significant casualties and prompting Prime Minister Benjamin Netanyahu to declare war on Hamas, mobilizing the military and reserves. The assault, occurring on the fiftieth anniversary of the 1973 Egypt and Syria attack and during the Jewish holiday, Shemini Atzeret, took Israel by surprise.
Reports state that the attack resulted in hundreds dead and more than 500 injuries, the kidnappings of Israeli soldiers, and vehicle takeovers, while Hezbollah celebrated the assault. The US Embassy in Jerusalem issued an alert and initiated shelter-in-place protocols for its personnel. Militants breached the Gaza-Israel barrier using various methods, and Hamas commander Mohammed Deif urged Palestinians and Arabs to join the operation, raising fears of a wider conflict.
At around 5:30 a.m. UTC, Hamas posted in one of its main Telegram channels, that the Commander-in-Chief of Al-Qassam Brigades announced the beginning of Hamas’s Al-Aqsa Tufan (Flood) and the firing of over 5,000 rockets aimed at Israel. Shortly thereafter, reports show that air raid sirens sounded in Jerusalem around 6:30 a.m. local time, signaling an attack and instructing citizens to take cover.
Hamas Telegram post announcing the start of Al-Aqsa Tufan (Image: Flashpoint)
This message represents one of 1,145 messages sent over Hamas’s main Telegram channel on October 7. For context, the day prior, 373 messages were sent over the same channels, showing more than a 3X spike in chatter from October 6.
October 8: Violence escalates
The conflict intensifies with continued assaults and counter-assaults from both Israel and Hamas. The death toll rises sharply on both sides, and the situation garners international attention and condemnation. Hamas issues a threat to execute Israeli hostages, prompting further international outrage. The U.S. confirms that several American citizens have been killed in the attacks and expresses its unwavering support for Israel. Various nations and international leaders continue to condemn the violence and express solidarity with Israel.
On October 8, Palestinian Islamic Jihad posted that “the elite of Al-Quds Brigades is entering the border to support Al-Qassam Brigades fighters and supply them with weapons.” (Image: Flashpoint)
On Sunday, 1,129 posts were sent between PIJ and its followers on Telegram, with messages such as above sharing updates of the assault.
October 9: Broadening battlefields
The conflict takes a new turn as rockets are fired from Lebanon toward Israel, prompting Israeli forces to retaliate against Lebanese territories. The U.S. updates the number of American citizens killed in the attacks and acknowledges that Americans are among those taken hostage by Hamas. Israeli Defense Minister Yoav Gallant orders a “complete siege” on Gaza and promises a robust and unrestrained response to the ongoing attacks, vowing to eliminate any threats against Israel.
Telegram post from a major Hamas channel linking to a video of Abu Obaida, the spokesperson for the al-Qassam Brigades, in which he signals further violence to Israelis, particularly hostages (Image: Flashpoint).
Throughout Monday, Telegram activity from Hamas and PIJ fell by almost half compared to the day prior. Within the first 72 hours of the Israeli-Hamas War, Flashpoint observed a total of 5,472 Telegram posts shared by both Hamas and PIJ across their main channels.
Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism
Social media and messaging platforms like Telegram continue to play a key role in understanding events, rumors, and ideas as they unfold in the Russia-Ukraine war
The once-cordial relationship between Vladimir Putin and Yevgeny Prigozhin, commonly known as “Putin’s chef,” has soured completely, marking one of the most compelling storylines in Russia’s now 16-month-long invasion of Ukraine. This particular conflict, however, played out in Russia on June 23 and lasted a scintillating ~36 hours, ending in a schism whose implications continue to reverberate across the world, especially in Russia.
Mentions count in Flashpoint collections for variations on searches for Prigozhin and the Wagner Group. (Image: Flashpoint)
Social media and messaging platforms like Telegram continues to play a key role in helping individuals and organizations alike understand events, rumors, and ideas as they unfolded, often in real time. As we describe in this article, and as we highlighted in our popular report on the role of open-source intelligence (OSINT) in the Russia-Ukraine War, organizations are rightfully viewing OSINT as a key element of their intelligence and security operations and leveraging it to understand organizational risk as it relates to the cyber, physical, and informational battlefields of this war.
Let’s zoom in on two crucial days—June 23 and June 24—of the conflict between Putin and Prigozhin and examine the importance of OSINT in understanding the events, then and now.
Flashpoint’s physical security intelligence platform showing results for a global search seeking mentions of Prigozhin across OSINT-related collections.
June 23: Wagner Accuses MOD of Missile Strike, Potential Military Coup Brews
On June 23, Yevgeny Prigozhin, the founder of the paramilitary company Wagner Group, accused Russia’s Ministry of Defence (MOD) and its leader, Sergei Shoigu, of conducting a missile strike on his mercenaries. Prigozhin claimed that the strike resulted in numerous fatalities. He characterized the MOD as “evil” and called for those responsible to be held accountable. It was unclear whether this move should be classified as a coup, insurrection, mutiny, or hardline bargaining tactic at the time.
In retaliation, Prigozhin has appeared to openly advocate for armed resistance against the MOD, adding fuel to an already tense stand-off. Prigozhin warned that “the next move will be ours,” and that those who are responsible for the deaths of the Wagner troops killed today, as well as the deaths of many tens of thousands of Russian soldiers, will be “punished” and “justice” will be “returned,” both to Russia’s armed forces and all of Russia. The MOD has rejected these accusations, claiming that they “do not correspond to reality” and labeling them as an “informational provocation.”
"All the video frames distributed on social networks on behalf of Yevgeny #Prigozhin about the alleged 'strike by the Russian Defense Ministry on the rear camps of the PMC Wagner” do not correspond to reality and are an informational provocation. pic.twitter.com/pBIPdFEdLc
The current events, particularly the Wagner Group turning on Putin, can be traced back to the devastating fighting at Bakhmut, where the Wagner Group suffered heavy losses. This battle resulted in significant costs and losses for Russia.
June 24: Prigozhin’s March To Moscow
On June 24, Prigozhin announced that Wagner Group, the private military company (PMC) he leads, would cease its march on Moscow, ending what has been widely regarded as an armed insurrection and potential coup attempt targeting Russia’s military and government leadership.
In an interesting twist, Belarusian President Lukashenko stepped in, providing a means for Wagner to continue operating in a “legal” manner. This intervention prompted the move of Wagner Group and Prigozhin to Belarus. This is particularly noteworthy as PMCs are technically illegal under Article 359 of the 1996 Russian Criminal Code. As a result of the negotiations, the sides agreed that a “bloodbath” on Russian territory should be averted and de-escalatory steps should be taken. Prigozhin agreed that Wagner would halt its advance on Moscow, which Prigozhin claims Wagner got within 200 kilometers of, and turn back to “go in the opposite direction to [their] field camps.” In return, Wagner personnel would be granted “security guarantees.”
Related Blog
Timeline of Russia’s Invasion of Ukraine: Cyber and Physical Warfare
Prigozhin claims that Wagner had not spilled “a single drop of blood of our fighters” since the start of their march on Russia the day prior. However, Prigozhin claims that Russia’s military had attempted to fire at the PMC during their march, reportedly downing at least one and potentially multiple Russian military helicopters. There are also reports of a fire at a fuel depot in Voronezh, which may have been hit by a Russian helicopter.
Screengrab of a video posted on a pro-Wagner Telegram channel showing Wagner supporters in Rostov as they demonstrate support to departing Wagner troops. (Image: Telegram)
Wagner troops seized control of multiple military and administrative buildings in the Russian city of Rostov-on-Don early on Saturday morning and had since reportedly reached Voronezh, which lies 500 kilometers north of the city and on the way to Moscow. On June 24, Russian media reported that Wagner was preparing to leave Rostov-on-Don.
Since then, the Kremlin has said that Prigozhin would not have to face charges in Russia, but he has been dubbed a “traitor” by Putin. As of this publishing, Prigozhin is allegedly in Belarus, according to the country’s President, Lukashenko, who brokered the deal on Prigozhin behalf.
Concluding thoughts
In today’s dynamic geopolitical climate, staying ahead of the curve necessitates more than just monitoring mainstream media. Open-source intelligence collections have emerged as a game-changing tool for keeping abreast of the latest events in Ukraine and Russia, which can help various organizations and sectors sift through vast amounts of information, quickly filter out the noise, and deliver the most salient insights in real-time. The recent events in Russia showcase the value of this intelligence resource in offering a multifaceted perspective on ground realities.
Get Flashpoint on your side
Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.
When most people think of physical security, they often think about access control measures or physical security systems. These include gates, alarms, surveillance cameras, and security guards. These measures are fundamental to protecting facilities, as well as the people, assets, and infrastructure inside of them. However, these measures fail to address several external factors. These factors include the impact of natural disasters, terrorist attacks, and insider threats on physical security.
Why is Physical Security Intelligence Important?
That is where physical security intelligence comes into play. Physical security intelligence delivers mission-critical insights into real-time situations occurring globally. It empowers governments and commercial enterprises to safeguard, defend, and enhance the security of individuals, locations, and physical assets.
Physical security intelligence is built on external information. This includes social media and other online channels. It provides situational awareness and insights into potential physical security threats in their earliest stages.
Where Physical and Cyber Threat Intelligence Collide
Cyber and physical threats are increasingly related. In fact, most attacks on people, places, and infrastructure involve some degree of online communication. Real-world events are often enabled or bolstered by cyber-related activities. An example is when a threat actor uses an online discussion forum or social media network to plan a physical attack.
Decentralized open-source channels like Telegram have become an increasingly popular medium for both cyber and physical threat actors. These channels have eroded long-standing barriers to entry to the deep and dark web. When that communication takes place in publicly available channels, security teams can use that information to investigate the incident. Ideally, they can be alerted to early warning indicators and prevent it altogether.
Case Study: Physical Security Intelligence
How Flashpoint Helped the Community Security Initiative (NY) Stop a Potential Synagogue Shooting
Physical security intelligence reduces information gaps and leads to more proactive physical security. Open-source intelligence is a critical resource for these applications.
OSINT involves gathering and analyzing publicly available information to derive meaningful insights. In recent years, OSINT has become one of the most relied-upon forms of intelligence for the US government. Its abundance and low barrier to entry make OSINT increasingly useful for commercial enterprises as well.
Thanks to the smartphone, open sources like social media often provide the most up-to-the-minute information about breaking events. Tapping into this data gives security and intelligence teams the real-time information necessary for addressing immediate crises and generating timely intelligence. OSINT provides incredible value for both public and private sector teams. This is true as long as they have the tools and capabilities to gather and analyze the abundance of information effectively.
Examples of Physical Security Intelligence Use Cases
How understanding physical risk can enable corporate physical security teams and public sector organizations to address a wide range of challenges.
Global Situational Awareness
Open-source data can improve situational awareness. It does this by providing insight related to geopolitics, public sentiment, technology developments, and on-the-ground activities in areas of interest. This is especially true when that data is enriched with geospatial information. This information includes where the posts originated, or what locations were mentioned within the post contents and metadata.
Crisis Response
Open-source data provides real-time information for events like natural disasters, public health crises, and terrorist attacks. This information helps security teams stay alert to breaking events, assess impacts, and respond appropriately.
Executive Protection and Force Protection
Across the public and private sectors, threats to personnel come from all directions. This ranges from unforeseen travel risks to doxing and reputational risks, such as bad press. Leveraging OSINT is crucial for surfacing this information and reducing blind spots. It is a strategic complement to traditional executive protection methods like bodyguards and security cameras.
Flashpoint Ignite equips physical security teams with real-time access to the most extensive breadth of open-source information available.
Flashpoint Ignite equips physical security teams with real-time access to the most extensive breadth of open-source information available.
Persistent Threat Analysis
Persistent security concerns like terrorism rely on social media and other online channels to spread. OSINT helps physical security and intelligence teams monitor evolving web-based chatter to improve visibility and defend against those threats.
Insider Threats
Social dissent, burnout, and various other factors have dramatically shifted the insider threat landscape. Disgruntled employees may take action against organizations. This could include disclosing confidential data or disrupting business operations. They often discuss these topics online before taking action. Government, healthcare, big tech, and media are especially vulnerable.
Physical Attacks
Social media and discussion websites are often used to share violent intent and plan events. For example, the Capitol Hill insurrection was planned online for weeks prior to the attack. Bad actors tend to be more candid in online settings. This is because their identity is anonymous, and they are engaging with like-minded communities.
Supply Chain Disruptions
Disruptions like natural disasters or geopolitical conflicts can halt or delay the flow of goods along the supply chain. Monitoring open sources for these disruptions can provide early warning indicators. It can also help you assess if your organization will be impacted down the line.
Event Monitoring
It is vital to have the right physical security intelligence protocols in place. This ensures the security of an event and its attendees. Physical security intelligence can augment an organization’s overall security and intelligence operations during an event. This could be a high-profile conference with global attendees or a smaller affair. Physical security intelligence can include pre-event assessments, daily stand-ups, and monitoring and alerting of imminent and potential threats. Protecting a location—and the people around it—is also essential to strengthening brand reputation
Flashpoint Ignite for Physical Security Teams
Flashpoint’s Physical Security Intelligence (PSI) solution is part of the Ignite platform. It gathers open-source data from a variety of online spaces. These range from mainstream social media, discussion forums, fringe networks, messaging apps, and regional sources from around the world. The solution is fast and intuitive. It allows users to search, filter, monitor, and analyze the data in a customizable dashboard. User-generated alerts ensure that the right team gets notified if new, relevant content is detected. Enrichments like geolocation, language detection, and threat detection provide valuable context to the information discovered.
At the end of last year, Flashpoint correctly forecasted that Taiwan would prove critical to US-China relations. In the same way its asserted authority over Hong Kong, recovering Taiwan, we wrote, would also continue to be a primary pillar of China’s geopolitical strategy.
Fast forward to the present-day, as US-China tensions around the Taiwan Strait are elevated—buttressed by observed trends that may indicate that an increase in Chinese aggression around the Taiwan Strait is likely within the next 6-12 months.
Here are five key indicators that may represent current and future escalations in US-China tensions related to Taiwan.
1) Xi’s Third Term and the NPC
China’s National People’s Congress (NPC), scheduled for October 16, is held by the Chinese Communist Party every 5 years. It is considered to be the largest and most important time period for the CCP—this is when it typically announces political priorities as well as senior leadership appointments. This year’s NPC will be the 20th conference since the Party’s founding in 1921; without a planned successor, President Xi will take a third term—a first in CCP history since term limits were officially abolished by President Xi himself.
President Xi has remained vocal about his desire to complete reunification with Taiwan, which was most recently outlined in China’s most recent whitepaper, “The Taiwan Question and China’s Reunification in the New Era.” Notably, this is the first whitepaper that omits China’s desire to reunify with Taiwan peacefully, suggesting that an attempt to forcefully reunify is possible.
2) China’s Show of Might in the Taiwan Strait
Directly following the Speaker Pelosi’s August trip to Taipei, China’s military, the PLA, scheduled a series of live-fire drills around Taiwan, the most impactful particularly occurring from August 4-7 that included short, unprecedented incursions into the “median line” dividing Taiwan from China.
China’s air and sea exercises included several frigates, fighter jets, drones, and cyber attacks, and from the Chinese perspective, demonstrated China’s ability to encircle Taiwan swiftly and effectively on the world stage. The 22 ballistic missiles fired around Taiwan—five of which landed in Japan’s Exclusive Economic Zone (EEZ)—were the first launched near Taiwan since 1996. Additional military exercises around Taiwan occured on August 15, coinciding with the visit of five senior lawmakers from the US Congress.
3) US-Taiwan Economic Partnership
On August 17, the US government announced its intention to begin formal trade negotiations with Taiwan to support US trade facilitation, including its support of state-owned small to medium enterprises in Taiwan. Though the US has maintained that its policy towards Taiwan remains unchanged, the Biden administration has unveiled new initiatives like these to suggest a deepening of the US-Taiwan partnership due to mutually perceived threats to democracy in the Indo-Pacific region.
On August 30, the Biden administration introduced another lever to its cooperation with Taiwan, announcing a planned $1B arms package with the island nation that will reportedly include “60 anti-ship missiles and 100 air-to-air missiles.” The package, officially approved by Congress on September 2, signals a commitment by the US to help Taiwan defend itself in the event of conflict with China.
Related Resource
‘Great Cyber Power’ China and Its Influence Across APAC: Analysis and Timeline
Taiwan continues to prepare its military for an increased likelihood of conflict with China, including a sharp increase in its announced FY2023 defense budget. On August 25, Taiwan said that it will increase its military budget by 13.9 percent—approximately triple its usual four-to-five percent increase year over year. Several aspects of Taiwan’s military are set to be modernized as well, including its naval capabilities, which will be a key component in any kinetic conflict with China.
5) China Cutting Key Diplomatic Channels with US
China has made a handful of quiet, diplomatic moves that signal its unhappiness with the current state of US-China relations, including severing cooperation with the US on key mutually beneficial touchpoints, such climate change and counternarcotics.
On August 25, US Deputy Secretary of State Wendy Sherman met with China’s Ambassador to the US, Qin Gang, to discuss China’s moves to cut diplomatic communication with the US. According to Chinese officials in Beijing, these moves were a series of “demarches” made by China regarding several recent US CODEL visits to Taiwan, including US Indiana Governor Holcomb’s August visit to Taiwan to discuss US-Taiwan semiconductor cooperation.
APAC Intelligence that Drives Decision-Making
To see firsthand how Flashpoint can help your organization leverage APAC-centric intelligence to protect critical assets and stakeholders, sign up for a free trial today.
What Is Open Source Intelligence: The Importance of OSINT in Your Organization’s Threat Landscape
In order to gain the upper hand, security strategies must include a diverse means of gathering intelligence, both for a predictive and reactive approach. Open-source intelligence has become crucial to completing this picture
A modern security professional’s job is becoming more and more complex, and it’s no surprise considering the influx of unexpected places where threats are beginning to surface. In order to gain the upper hand, your security strategy must include a diverse means of gathering intelligence, both for a predictive and reactive approach. In an era where content is being created at an exponential rate – 90% of the world’s data was created in the last 2 years alone – the future of security must be intelligence-led.
A major source of intelligence that cannot be overlooked is the vast amount of publicly available information (PAI) being produced by consumers, hackers, newsmakers, and bloggers every single day. Globally, almost every person and organization is communicating across multiple platforms and networks, as well as handling personal and corporate needs virtually – such as shopping, travel planning, and data management. Finding like-minded communities and audiences online is the goal; however, wherever you have people congregating, especially if there is potential for monetary gain, the risk of nefarious behavior rises. This has created an increased need for open-source intelligence (OSINT) and OSINT platforms.
What is OSINT?
Open-source intelligence, or OSINT, refers to the process of gathering information from public, legal data sources to serve a specific function. Some open sources might include social media, blogs, news, and the dark web.
The concept of OSINT very basically works like this:
Public information exists → data is gathered → information is analyzed for intelligence.
The purpose of seeking information from public data varies on the type of insights you wish to gather. Many industries and professionals look to open sources to uncover workplace security threats, protect executives, prevent loss, manage assets, gauge brand sentiment, and monitor conversations for creating marketing strategies. Intelligence professionals use certain types of OSINT and OSINT platforms for investigations, prosecution, evidence gathering, and events monitoring.
What is finished intelligence?
Finished intelligence, or ‘cooked’ data, is raw data that has undergone processing to gain context and become actionable. The collection, processing, and analysis of raw data are foundational steps along the threat intelligence lifecycle.
In other words, raw data is unaltered from its original source. This could look like a network’s traffic data logs, dark web discussions, or even public social media posts.
Finished intelligence would look like a report summarizing the context interpreted from relevant raw data points and suggested security responses.
Finished intelligence services allow organizations to skip the raw data collection and analysis steps, which are time-consuming and require skilled analysts. Those steps are instead supported by automation and machine learning capabilities, and/or third-party analyst teams.
The main goal of finished intelligence is to operationalize the process so organizations can respond faster to active threats and invest less time and resources in gathering and contextualizing large volumes of raw data. The result is a finished intelligence report that the client can immediately act on. While expensive, finished intelligence solutions can be ideal for private sector organizations seeking a “comprehensive” security solution.
What can OSINT tools do?
OSINT tools can identify and separate entities within a data set (parsing), and organize and display those entities by category to glean meaning and avoid redundancies (normalizing). OSINT tools can also index raw data so that it’s quickly and easily searchable and filtered for relevancy.
Access to publicly available online data is often free, but the true value lies in what can be analyzed and extracted from the data. Organizations using OSINT for security and intelligence require the ability to detect key information quickly and efficiently. They can do so by using robust OSINT tools.
The vast amount of online data is overwhelming to sift through, and with the complex ways today’s online threat actors conduct themselves, the vulnerabilities to organizations are becoming more elusive. Open-source data, when gathered, enriched, and monitored effectively, can be extremely valuable for predicting, analyzing, and reviewing incidents at every stage of their occurrence. But where to begin?
Where you look for information depends on what you want to find. Running a Google search is a simple form of OSINT, but when you are responsible for the safety and security of a particular person, place, or asset, you need to be casting a keen eye over multiple sources. Criminal behavior tends to be hidden, and it is unlikely a surface web search will take you there.
What threats can OSINT help with?
The emergence of intelligence-led security is a direct result of the varied and growing range of on-the-ground threats that are being plotted, planned, discussed, and executed online. As our physical and digital realities are becoming more and more interlaced, individuals and organizations are creating more informational weaknesses and thereby more opportunities for an ever-widening range of attacks and other threats to occur.
OSINT tools can be invaluable for handling internal processes such as:
Brand protection
Workplace and facilities safety issues
Real-time event monitoring
Executive protection and force protection
Natural disasters and incident response
OSINT for enterprise security
Global enterprises are operating in the age of digital transformation. This has plenty of benefits for companies, helping improve customer experience, productivity, and resource management. But along with these benefits, wider technology adoption also means increasing opportunities for compromise.
This stands true for almost any industry with an online presence—including finance, retail, and transportation, which make up some of the world’s most cyber-targeted industries. Digital transformation also affects physical security and cyber-enabled threats as criminals adopt anonymized online communication channels. What do these risks look like?
Cyber threats
Data breaches targeting corporate and customer information
OSINT tools support enterprise security teams in identifying and responding to these risks. Social media networks provide real-time updates from on-the-ground threats near executives and other physical assets like offices, employees, and corporate events. Paste sites, forums, and marketplaces across the deep and dark web often publish the earliest indicators of data breaches and executive-targeted doxxing. Anonymized discussions on these covert sites help security teams identify fraud, insider threats, and cyber-attack strategies directly from the source.
Combined with other risk management feeds and tools, OSINT platforms provide security teams with more context and earlier risk indicators so they can respond faster and avoid blind spots.
But many organizations face challenges in responding to risk quickly and effectively, especially as more enterprise teams—from marketing to IT and compliance—require OSINT.
According to a 2021 report by Forrester Research, 42% of corporate decision-makers are currently improvising when it comes to risk management. Almost 70% claim that risk information is siloed across their departments and only 29% are confident in their risk management technologies.
What do security teams need from OSINT platforms to address information gaps?
Broad data coverage
There are thousands of different online sources out there, from social media platforms to the deep and dark web, where relevant risk data is hiding. Many risk management tools focus only on one data source type—such as social media or the dark web—to help security teams find relevant risk information. A more ideal solution combines a variety of these sources within one platform so teams don’t have to juggle more tools than are necessary. This can just lead to information gaps and slower responses.
Simplicity and usability
Not everyone who needs access to online risk data has a technical background. OSINT solutions should be accessible to anyone in an organization without the click-heavy processes and complex interfaces that are typical of IT-based risk management software. Personnel should be able to easily and quickly separate the most pertinent data and view it in a digestible format.
Speed-to-information
OSINT tools that prioritize real-time data allow security teams to get critical insights faster. This gives organizations a much better chance of avoiding or mitigating threats from all angles.
Collaboration features
For risks where cross-department visibility is necessary, OSINT solutions should offer permission settings and collaboration features that allow teams to view each other’s activities or tackle a security threat together when there is overlap.
Integrations
Many global organizations already have a suite of risk management tools. OSINT solutions should be able to easily integrate with third-party solutions, whether they include a UI or funnel data directly into existing systems.
OSINT for national security: What national security initiatives does OSINT support?
Counter-terrorism and counter extremism
Foreign jihadist groups like the Islamic State and Al-Qaeda are no longer solely responsible for the threat of terrorism and extremism. Domestic extremist movements based on conspiracy theories, right-wing ideology, and discriminatory worldviews now also pose serious national security threats. Public online spaces are leveraged similarly for both extremist types, playing a huge role in spreading propaganda, recruitment, financing, and sometimes planning. This data helps governments understand how extremist groups operate so they can then predict public safety risks and protect citizens and assets from domestic and global terrorism.
Addressing misinformation and disinformation
National security threats have expanded to include online influence campaigns, which can compromise democratic processes and lead to real-world security risks. Disinformation (which is engineered to deliberately deceive) and misinformation (false information that is not necessarily spread with malicious intent) is widely prevalent online. Monitoring online spaces is crucial for tracking disinformation campaigns so governments can mitigate their impact and keep the public safer and more informed.
Cybersecurity
Breaching government data is financially and politically lucrative for lone-wolf attackers, organized hacking groups, and nation-state actors. Sophisticated technologies are available to a greater diversity of adversaries than ever before. Persistent online threats include breaches and cyber espionage targeting classified data, network attacks disrupting critical infrastructure, and botnets enabling malware attacks and information warfare. Paste sites, discussion forums, and marketplaces on the deep and dark web often provide early indicators of breaches, malware, and attack techniques. Combining this open-source data with other cybersecurity feeds helps intelligence teams more confidently predict, mitigate, and investigate cyber compromise.
Transportation security
National transportation networks, including airports, seaports, and highways, make up a country’s critical infrastructure. When this infrastructure is compromised, governments and security teams need to stay prepared and alerted to prevent damage to assets, data, and human life. Online data plays a crucial role in providing the intelligence required for informed transportation security planning and incident response. For intelligence teams, social media networks and deep and dark web content can:
Provide the earliest alerts for location-based threats near airports, seaports, and other transportation hubs
Inform security teams about tactics used to bypass security systems or commit attacks, particularly at airports
Monitor for threats directly targeted at the security/public sector organizations themselves
Stay alert to vulnerable data that could compromise a transportation network’s digital or physical security
Addressing national and global crises
When a national crisis occurs, governments must make timely, informed decisions to protect their data, assets, and citizens. As we’ve seen with the COVID-19 pandemic, adversaries co-opt real-world events in their strategies. Whether it’s a natural disaster, public health crisis, or terrorist attack, intelligence teams need to know how and where the crisis is occurring and how to allocate response resources. Online spaces are often the earliest sources of information to provide this context—for example, social media users often post public updates and images from the scene of a crisis. Aligning this data with other feeds can help provide a faster and more informed response.
Intelligence professionals require specialized software to collect this information and generate actionable intelligence. Commercial OSINT tools help intelligence teams gather open-source data more efficiently and align with a team’s unique requirements. Because intelligence teams often work with their own interfaces and tooling, they often require direct access to raw data that can be plugged into their existing systems.
How do OSINT platforms address data overload?
The intelligence community is increasingly challenged by growing volumes of online data available for collection, processing, analysis, and triage. The western world is also facing a data analyst shortage coupled with a growing demand for military AI. As a result, data scientists in the public sector tend to handle more complex tasks, developing tooling and data sets to support lower-level analysts on intuitive platforms.
Intelligence teams are also challenged by a lack of access to some emerging online sources. For example, fringe networks (like alt-tech platforms, deep and dark web imageboards and paste sites, etc.) do not offer their own API or are unavailable through commercial API providers. To gather data from these sources, analysts are often required to create dummy accounts, make group requests, and navigate networks manually. This requires a significant amount of HUMINT resources that could be allocated to other areas of the intelligence cycle.
To address these challenges, OSINT tools must:
Improve data coverage by providing access to relevant sources, including fringe web spaces, that are not commonly available through commercial, off-the-shelf vendors.
Leverage machine learning capabilities. AI is a major priority for governments, helping analysts process and contextualize intelligence more efficiently.
Be intuitive and user-friendly for lower-level intelligence analysts, providing more efficient workflows and better speed-to-information.
Types of OSINT tools
There are many types of OSINT tools on the market, both free and paid. The truth is, no single OSINT tool is 100% effective as a standalone solution. Rather, combining a variety of solutions is the best practice. Remember that the best OSINT tools will have a geographical element, providing a digital window to view data by location. The tools you choose will depend on the specific needs of your organization. Here are some types of OSINT tools to consider:
Social media monitoring
Our OSINT Platform allows organizations to use online information to gain situational awareness on the ground. Security teams utilize predictive intelligence and real-time crisis management, as well as brand monitoring and post-incident review.
Deep and dark web monitoring
The Flashpoint product suite includes targeted, automated collection systems that capture information from the deep and dark web, enabling your security and intelligence teams to identify and prioritize relevant threats and leverage their intelligence to act quickly.
Email hacks
Have I Been Pwned? is a free online resource to check if your email address has been put at risk due to a data breach.
Twitter monitoring
TweetDeck allows you to view multiple timelines in one user view. TweetDeck allows a user to create specific filters such as specific activity and geographical locations.
Internet archives
Wayback Machine is an internet archive tool, like a library, of historical data. This tool allows the user to search the history of archived websites, metadata, text contents, and TV news captions.
Link analysis
Maltego is a graphical link analysis tool that accelerates and simplifies complex investigations by allowing users to build visualizations and connections between disparate data sets.
Conclusion
Business is happening online, and today’s security strategies need to be informed by the masses of social data being created every day. Gathering, filtering, and analyzing this information requires the advanced capabilities of OSINT platforms.
Both amateur and professional criminals are using sophisticated strategies and seemingly innocuous networks to conduct illicit business. More and more media networks are being infiltrated and used outside their intended purposes. Evolving threats require predictive and intelligence-led security strategies. Security teams must gather intelligence from every corner that they can. Open source threat intelligence software is essential for any enterprise using public data sources to inform their decision-making.
Not only can OSINT help protect against hidden intentional attacks such as information leaks, theft, and fraud, but it also has the ability to gain real-time and location-based situational awareness to help protect people at work, at events, institutions, or even the shopping mall. The right OSINT toolkit will give your security and intelligence teams the upper hand.
Login
Table Of Contents
