VAST 2010 Challenge

Mini Challenge #1 - Text Records - Investigations into Arms Dealing

Authors and Affiliations:

Adeel Khamisa, Oculus Info, akhamisa@oculusinfo.com

Pascale Proulx, Oculus Info, pproulx@oculusinfo.com

Rob Harper, Oculus Info, rharper@oculusinfo.com


nSpace2 is a web-based system combining TRIST (The Rapid Information Scanning Tool) and the Sandbox for visual thinking, while integrating advanced computational functions using Web Services protocols. TRIST is a data triaging tool with capabilities like planned query execution, automatic information extraction, and customizable multi-linked dimensions, which help provide rapid scanning, result characterization and correlation. Information gained from TRIST (e.g. snippets, entities, relationships, imagery, maps, video) is used in the Sandbox for evidence marshalling and further analysis. The Sandbox is a flexible and expressive thinking environment for analysts to visualize their cognitive mechanisms. It supports both ad-hoc and more formal analytical sense-making. It is a collaborative environment with linking and permissions. For reporting, Sandboxes are exported to MS Word documents with automatic formatting and references.

GeoTime improves the perception of entity movements, events, relationships, and interactions over time within a geospatial (or any conceptual diagrammatic) context. Events are represented within an X,Y,T coordinate space, in which the X,Y plane shows geographic or diagrammatic space and the vertical T axis represents time. Events animate in time vertically through the 3-D space as the time slider bar is moved. For analysts, GeoTime's single view representation of a combined temporal-spatial three-dimensional space amplifies concurrent cognition of entity relationships and behaviors in both space and time. Analysts can see the who and what in the where and when. A recent extension to GeoTime allows the analyst to automatically extract node-link network diagrams from the data and visualize transactions within these networks over time.


Text Records - Investigations into Arms Dealing Video


MC1.1: Summarize the activities that happened in each country with respect to illegal arms deals based on a synthesis of the information from the different report types and sources. State the situation in each country at the end of the period (i.e. the end of the information you have been given) with respect to illegal arms deals being pursued. Present a hypothesis about the next activities you expect to take place, with respect to the people, groups, and countries.

Analytic Process

The reports were added to nSpace2 via TRIST. Selecting Pakistan in the Places dimension highlighted associated results and related information from other dimensions, e.g.:

The content and terms convinced the analyst to examine activities in Pakistan more closely.

Figure 1: Analyst augments standard dimensions with tailored dimensions such as "arms dealing"

Three analysts worked on different countries in their Sandboxes for about a day. Analysts augmented the collected snippets by attributing metadata including communication type and entity involvement.

One analyst used the flow of money and weapons to determine whether a country was a supplier, intermediary, or receiver of weapons, organizing evidence around assertions (see Figure 2). This assessment structure was exported as an outline so that co-workers could reuse the method for the other countries.

Figure 2: Pakistan's profile supports the assertion that money flows out and weapons flow in

To examine geo-temporal behavior, the evidence in the Sandbox was exported as a CSV file. Within 5 minutes the events from all countries were shown in a single GeoTime view. Examining the Ilyushin flight data in a geo-temporal context produced more insights about the weapon recipients, which were exported from GeoTime as HTML and imported back into the Sandbox (see Figure 3).

Figure 3: Comparing hypotheses on recipient of weapons from Ilyushin IL-76

Figure 4: Summary of current situation

Summary of Activities and Current Situation in Each Country

Pakistan / Dubai: Members of Lashkar-e-Jhangvi meet frequently to plot terrorist events. Three have been arrested while attempting to bomb Nishtar Park. Two of its members flying from Dubai were arrested with stolen Pakistani Identity Cards. The group's leader, Maulanga Haq Bhukari, has a Dubai bank account that was the origin of two money transfers through accounts in Saudi Arabia and Switzerland that ended in Moscow. Following that, something was delivered to Bhukari's house. In April, members attended a suspected arms dealer meeting in Dubai.

Thailand / Myanmar: Khemkhaeng, an arms dealer with close connections to the Russian network, facilitates the movement of weapons from Russia to Myanmar. Khemkhaeng likely transferred money to the Russian and met with Dombrovski in Dubai.

Iran: The weapons (likely of North Korean origin) on the Ilyushin were meant to be delivered to Iran. After the failed flight, Khurshid remains in contact with Sviatoslavich's replacement in the network, Mikhail Dombrovski. They met in Dubai in April.

Lebanon / Gaza: Kasem and Khouri, both associated with the Martyrs of Judea, talked about an operation in May, a payment to a Saudi account, and a supplier out of the Russian Military. Together with Anka, the group brought a large quantity of cash to the arms dealer meeting in Dubai.

Syria / Turkey: Baltasar, Celik and Hakan are likely Kurdish Rebels in need of weapons to arm a growing militia. They coordinate via phone with a Bosnian who is their connection to a Russian "Professor" (probably Dombrovski). The transfer of 120,000 lira for weapons likely took place at the Dubai meeting. Since encoded phrases refer to weapons as "textbooks", "Textbook Salesman" is another alias for Dombrovski, which places him in Dubai at the same time as the Kurdish Rebels.

Nigeria: An initial attempt to purchase weapons disguised as an engineering contract was made by Nigerian government engineer Funsho Kapolum to joetomski@hotmail.com, associated with Dombrovski. Dombrovski later calls Nigerian Dr. Neoki after the contract for $30.6 Million is finalized, and invites him to the Dubai meeting.

Venezuela: Online handles vwhombre and jhon make a weapons purchase from Dombrovski's online handles jt and jtomeski. After a money transfer is made to the Saudi account owned by the Russian suppliers, the Venezuelans are invited to complete the purchase in Dubai.

Kenya: Ukraine legitimately ships weapons to Kenya; however, Otieno and Owiti, married smugglers, may have been diverting government weapons to the local Sabaot Land Defence Force, in coordination with a government official, Onyango, and Dombrovski. One weapon shipment on the MV Tanya, en route to Kenya, was intercepted by Somali pirates. The couple was later arrested with weapons, but smuggling charges were dismissed. They attended the meeting in Dubai but were found dead soon after.

Yemen / Saudi Arabia: Saudi Arabia allows the sales of legal weapons while Yemen does not, creating a vacuum in Yemen. Saleh Ahmed tries to get weapons in, but one of the shipments was intercepted. Ahmed attends the meeting in Dubai but then dies in May. Dombrovski likely established contact directly with Aden al-Sallal and Haik Hosain, all present at the same time in Dubai, so the death of Ahmed probably has no impact on the supply chain.

Russia / Ukraine: The supply of illegal weapons is orchestrated from Moscow and Kiev. All phone calls and intercepted weapons shipments originate there, and a bank account in Moscow is the final destination of most money transfers. We suspect that Sviatoslavich organized the flight and died sometime after the interception, with a note linking him to Soltan from Iran and North Korea. Leonid died in Milan and Dombrovski replaced him. Georgiy Guinter is a known Russian counterfeiter handling financial matters for the arms traffickers.

What to Expect Next

Gaza: The most imminent threat to watch is a terrorist event to be perpetrated by Lashkar-e-Jhangvi sometime in May.

Turkey/Syria, Myanmar, Colombia, Nigeria, and Yemen: All steps in the arms trade have been completed except for the final delivery. Final weapons shipments and heightened violence in the receivers' countries are expected.

Kenya: The death of the Kenyan smugglers may force Dombrovski to communicate directly with Onyango to prevent severing the supply chain.

Iran: Soltan, responsible for the coordination of the failed weapon delivery in Iran, is the only person known to be involved in the operation that is still alive. Thus, there is a remote chance that an attempt to kill him might occur and that it may be linked back to Dombrovski.

All: More communications could take place between Dombrovski and his various contacts. The use of the encoded phrases and the various aliases that have been identified should be monitored.

Figure 5: What to expect next and actionable information

MC1.2: Illustrate the associations among the players in the arms dealing through a social network. If there are linkages among countries, please highlight these as well in the social network. Our analysts are interested in seeing different views of the social network that might help them in counterintelligence activities (people, places, activities, communication patterns that are key to the network).

Summary and Recommendations

A forensic analysis of provided text records produced a social network of arms dealers with a core group of entities from Russia and Ukraine (Figure 1). Entities in this network were linked directly to each other through communications, and indirectly through bank accounts, organizational affiliations and inferred relationships.

This Russo-Ukrainian core is comprised of Mikhail Dombrovski (central coordinator due to his direct and indirect communications with several sub-networks), Nicolai Kuryakin (suspected leader of the network), Arkadi Borodonski (weapon transporter), Georgiy Guinter (linked to the group's bank account in Moscow), Igor Sviatoslavich (deceased former coordinator), and Leonid Minsky (deceased former member of the group's leadership).

Apprehending Kuryakin and Dombrovski will disrupt arms transfers to all sub-networks. Access to the network and Kuryakin must be gained through Dombrovski and may be granted on receipt of payment for an arms transfer using the Saudi bank account, "SA80 8000 0375 6080 2632 0160". Making an order for "car parts" on the message board "vwparts4salecheep" is the easiest way to initiate an order, but not the only way. An invitation to a meeting will be posted via the message board "savvytraveladvice". Monitoring the Saudi Bank Account for money flowing in will indicate other purchasers to apprehend at the central meeting and where future activity is expected.

Figure 1: Russo-Ukrainian Arms Network

Analytic Process

Within 10 minutes the provided document set was parsed into 103 reports based on report date and source. Reports were loaded into TRIST where people, places and organizations were extracted and organized by country. Each country's documents were imported in the Sandbox list view, where date, latitude and longitude data were extracted. For a day analysts added meta-data such as communication type, entity involvement, and analytical notes to the list view. Once a list of events with location and time information was created, it was exported from the Sandbox as a CSV file and loaded into GeoTime. Within five minutes, analysts could simultaneously view a 3D space-time view and a link-node diagram.

Communications Analysis

To identify communication patterns within the social network, links were filtered by type: phone calls, email, message board posts and money transfers. This revealed the entities involved, their locations, the timing, and the directionality of each communication type within GeoTime's space-time viewer.

It was hypothesized that phone calls would only be made between entities with an established relationship. Phone calls between the Russo-Ukrainian network and other sub-networks should indicate countries that have made, or are in the process of making, weapons purchases. By isolating these calls (Figure 2), we can see that entities in Kenya, Yemen, Nigeria, Iran and Thailand have an established relationship. Analysts saw that there are no incoming calls to the Russo-Ukrainian core, only outgoing ones.

Phone calls were a main source of communication between members within sub-networks located in Venezuela, Turkey, Thailand and Lebanon and Gaza. Each of these sub-networks had members or intermediaries who were geographically dispersed. For example, a member of the Turkish sub-network was located in Syria, and purchased arms via a Bosnian.

Figure 2: Entities Linked by Phone Call

Electronic communications were used by Nigeria and Venezuela to communicate with the Russo-Ukrainian core when initiating transactions. Email and message board communications functioned as a precautionary measure when communicating with new members. By isolating Dombrovski's communications with these networks, analysts observed Nigeria's initiation into the network. Nigerians Funsho Kapolalum and Dr. George Ngoki (Kapolalum's eventual replacement) communicated with Dombrovski via his email alias Joe Tomski (joetomski@au.ru). The text description of the only phone call from Dombrovski to Ngoki indicated that direct phone contact was only made when the transaction was finalized. This suggests that the Nigerian sub-network had been initiated.

Similarly, online aliases from Venezuela, vwhombre and jhon, only communicated with Dombrovski's online aliases, jt and jtomski, via message boards. Text from these conversations affirms that these communications were made during the initial phases of a transaction.
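The two observations above (calls cross the core boundary in one direction only, and new sub-networks first appear over email or message boards) can be checked directly on an exported link list. The following is an added example, not part of the original submission or of GeoTime; the records, column names and entity ids are constructed for illustration and are not taken from the challenge data.

```python
import csv
from collections import defaultdict

# Constructed sample link list (not records from the challenge data set).
# Column names and entity ids are assumptions made for this example.
SAMPLE_LINKS = """\
date,type,source,source_country,target,target_country
2009-02-03,phone,core-1,Russia,kenya-1,Kenya
2009-02-10,email,nigeria-1,Nigeria,core-1,Russia
2009-02-14,message_board,venezuela-1,Venezuela,core-1,Russia
2009-02-15,message_board,core-1,Russia,venezuela-1,Venezuela
2009-03-01,phone,core-2,Ukraine,yemen-1,Yemen
2009-03-20,phone,core-1,Russia,nigeria-1,Nigeria
2009-03-22,phone,turkey-1,Turkey,turkey-2,Syria
2009-04-02,money_transfer,venezuela-1,Venezuela,core-3,Russia
"""
LINKS = list(csv.DictReader(SAMPLE_LINKS.splitlines()))
CORE = {"core-1", "core-2", "core-3"}  # hypothetical ids for the core group


def core_contacts(links, core, link_type):
    """Split links of one type that cross the core boundary by direction.

    Returns (outgoing, incoming): non-core country -> number of links sent
    by the core / received by the core. Links that do not cross are ignored.
    """
    outgoing, incoming = defaultdict(int), defaultdict(int)
    for row in links:
        if row["type"] != link_type:
            continue
        src_core, dst_core = row["source"] in core, row["target"] in core
        if src_core and not dst_core:
            outgoing[row["target_country"]] += 1
        elif dst_core and not src_core:
            incoming[row["source_country"]] += 1
    return dict(outgoing), dict(incoming)


def first_contact_channel(links, core):
    """For each non-core country, the link type of its earliest core contact."""
    first = {}
    for row in sorted(links, key=lambda r: r["date"]):  # ISO dates sort as text
        src_core = row["source"] in core
        if src_core == (row["target"] in core):
            continue  # link does not cross the core boundary
        country = row["target_country"] if src_core else row["source_country"]
        first.setdefault(country, row["type"])
    return first
```

An empty `incoming` result for `phone` together with an `email` or `message_board` first contact is the pattern the analysts read as a sub-network still being initiated.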

Figure 3: Electronic Communications

By analyzing the flow of money, analysts established a link between the Pakistani sub-network and the Russo-Ukrainian core and strengthened the existing link with the Venezuelan network. Bank accounts were geo-located based on the SWIFT code associated with each account. A money transfer was visualized as a dashed line with an arrow to indicate the directionality of the transaction (Figure 4). Based on the timing, sequence, and exchange of money, a series of transactions link a Dubai bank account associated with Mulana Haq Bukari of Lashkar-e-Jhangvi in Pakistan to a bank account in Moscow. There was also an earlier transfer linked through a bank account in Saudi Arabia, and a Swiss Bank account. Since Georgiy Guinter is a known Russian counterfeiter, analysts inferred that he handled the money for the Russo-Ukrainian core. A connection between the account in Moscow and Guinter confirms this (Figure 1).

An account from Venezuela also transferred money to the Saudi Arabian account associated with the Pakistani transfer. Venezuelan sub-network telephone intercepts between an Unknown Caller and the phone number associated with vwhombre mention a money transfer of a similar amount. Analysts inferred that this was a payment for the transaction discussed with Dombrovski via the online message boards and telephone intercepts.

Figure 4: Countries linked via Money Transfers

Dubai Meeting

Charting the total number of events by month indicated that April 2009 was the most active period for the network. 76 recorded and inferred events happened in April 2009, nearly double the second most active month (41 events). Focusing on this time period in GeoTime's space-time view shows a convergence of major players from every sub-network in Dubai from April 16th-23rd. This is a central meeting of the Russo-Ukrainian network with all major suppliers, intermediaries and receivers. Isolating this period in GeoTime's calendar view, analysts can see who attends the meeting from each sub-network, and when they arrive. Adding an entity chart to each meeting cluster shows who is at each meeting, and places Dombrovski at five of the six meetings. A "Textbook Salesman", a likely alias for Dombrovski, represents the Russo-Ukrainian core at the meeting on April 16 with members from the Turkish sub-network.

Figure 5: Central Meetings in Dubai

