Palantir Technologies – VAST10 Team
Brandon Wright, Palantir Technologies, firstname.lastname@example.org
Jesse Rickard, Palantir Technologies
Alex Polit, Palantir Technologies
Jason Payne, Palantir Technologies
Overview: Palantir is a platform for collaborative, all-source analysis and operations, enabling geospatial, social-network, temporal, statistical, and structured and unstructured analysis. Palantir provides flexible tools to import and model data, intuitive constructs to search against this data, and powerful techniques to iteratively define and test hypotheses. Our platform is most highly valued for:
Background: Palantir is operational today at many of the most prestigious intelligence, defense, law enforcement, and regulation/oversight organizations in the world. Palantir was put together by the founders of PayPal, capitalizing on the lessons learned by their anti-fraud department. That department faced highly coordinated cyber attacks aimed at committing payment fraud and exploiting sensitive consumer information, and an entirely new approach was required. Existing technology was poorly suited to dealing with sparse, cyber-specific data. To defeat the international fraud rings, high-level conceptual access to the data was required. The analyst-driven intelligence analysis tools that eventually became the Palantir platform were a direct outgrowth of this effort.
Company Web site:
Check out our Analysis Blog to see more analysis using Palantir: http://www.palantirtech.com/government/analysis-blog.
MC1.1: Summarize the activities that happened in each country with respect to illegal arms deals based on a synthesis of the information from the different report types and sources. State the situation in each country at the end of the period (i.e. the end of the information you have been given) with respect to illegal arms deals being pursued. Present a hypothesis about the next activities you expect to take place, with respect to the people, groups, and countries.
The message streams were separated into individual messages to simulate message traffic seen within the intelligence community. Each message was copied, pasted, and saved as an individual Word document, then mass-imported into Palantir. Each message appeared in the database as its own document object (103 total) and was automatically dropped, as an icon, onto the “Graph Application” (Palantir’s Graphical User Interface application).
The messages were then dragged onto the “Browser Application”, which allowed the analyst to read the text. As the analyst read, he tagged each important entity by right-clicking on it and filling in the object type, property type, date, and location information. The tagging automatically linked that entity to that document. The analyst dragged tagged entities within that document onto each other to create links. The links carry the same metadata as the entities, such as the reference document that proves the existence of that information. The detailed tagging took one analyst one day.
Figure 1: Tagged entities appear blue, tagged links appear purple
Once all of the documents were tagged, the analyst used the “Search Around” option in the graph to search for links within the database. The analyst highlighted every entity on the graph and used the “Histogram Helper”, which statistically analyzes all of the highlighted information by listing out all of the properties and looking for similarities. The analyst could click on a property to see the entity it pertains to highlighted on the graph. If the analyst was interested in activities in Kenya, he could click on any property citing Kenya. He could then copy the highlighted entities from the graph into a new investigation to start focusing on a specific country. Palantir automatically saves every investigation in the database.
The analyst used the “Timeline Helper” to see where each event or property occurred in time. He was also able to zoom in and out and filter by time. He then dropped all of the entities onto the “Map Application”. Every entity was automatically plotted according to the tagged geo-location data. The analyst conducted nodal analysis by moving entities within the graph to create visual hierarchies, clusters, and supply lines. If the analyst became interested in a particular entity, he could double-click it, bringing up its dossier in the “Browser”. The dossier displays all of the entity’s properties and related events, entities, and documents that were derived by tagging. The analyst could also double-click on any item in the dossier to further investigate in the “Browser”. This workflow was repeated for each country, giving the analyst greater understanding of the illegal arms sales.
Figure 3: Timeline Helper used to highlight events in Nov 08 - Jan 09
The illegal arms sales activities can be summarized as follows:
In October 2008, Khouri informed Kasem of a new Russian contact for supplies, presumably weapons. The main concern was getting supplies in time for their May operation. Khouri also mentioned they would be traveling to Dubai for a meeting at the Burj al-Arab Hotel on the 18th. Very little information was revealed, although it was evident that an important operation was to occur in May. Kasem is the leader of “Martyrs Front of Judea”, an extremist group dedicated to regaining a foothold in the Gaza area. It is likely that these individuals were traveling to Dubai to secure weapons for a terrorist operation in Gaza in May.
On October 10, 2008, the home of Jorge, a Venezuelan weapons supplier, was raided. A Venezuelan and a Colombian were able to coordinate with another weapons dealer, alias JTomski, through an online message board. By conducting Boolean searches for JTomski, we discovered that the email Joetomsk@au.ru belonged to Mikhail Dombrovski, signifying that he was the person with whom the individuals were communicating. They were planning for a meeting at the Burj Hotel on April 22, 2009.
Illegal arms deals in Kenya were supporting both the Kenyan militant group Sabaot Land Defense Force (SLDF) and the South Sudan Government Forces. Otieno and Onyago were stealing weapons from military caches and providing them to the groups. It is also possible they were providing weapons to the Russian-based weapons dealer Nicolai Kuryakin. It is likely the militant groups around Mt. Elgon will conduct more operations soon after the meeting in Dubai.
Thailand had previously had weapons shipped from North Korea by air. The plane was intercepted, and although the members involved were released, the event may have caused a shortage in weapons. A Thai arms dealer was scheduled to meet with Nicolai in Dubai, likely to set up another air shipment of arms to Thailand.
In September 2008, Yemen passed a strict gun control law to minimize access to weapons. In October, Houthi rebel fighting began to spill into Saudi Arabia. Minsky, a gun dealer supplying arms to Yemen, was found dead in January. Since then, Ahmed has been in contact with prominent Russian-based weapons dealers to secure another order. It is likely that Ahmed is purchasing weapons for rebel activities in Saudi Arabia and Yemen.
Syrian-based Baltasar had been working with Turkey-based Celik and Hakan to acquire weapons. The three men were scheduled to fly to Dubai to receive the weapons in April. The first reported telephone call requesting weapons was spoken in Kurmanji, referenced new students, and originated in Aleppo, Syria (near Kurdistan). It is possible the weapons are meant for PKK/Kongra Gel operations in Kurdistan.
In February 2008, a part of the Karachi Lashkar-e Jhangvi (LeJ) cell was arrested. Reports claimed that other men were still at large. In the following months, Bukhari (the LeJ Karachi leader) was spotted taking several meetings throughout Karachi. Basra’s surveillance reports and Bukhari’s computer activity indicated they were planning on traveling to Dubai. It is likely Bukhari is trying to ramp up LeJ operations.
Figure 4: Pakistan cell arranged for visual analysis
MC1.2: Illustrate the associations among the players in the arms dealing through a social network. If there are linkages among countries, please highlight these as well in the social network. Our analysts are interested in seeing different views of the social network that might help them in counterintelligence activities (people, places, activities, communication patterns that are key to the network).
All of the entities were dropped onto the map and examined, using the histogram and timeline, for matching properties or relationships. The “Heat Map Helper”, which analyzes densities, was used to show where on the map most of the activity took place. Those representative icons were then dragged and dropped onto the “Browser Application”, where their complete dossiers could be examined. Boolean logic searches can also be conducted in the search bar for other entities, documents, or properties. The analyst can then drag the tagged entity he’s interested in from the browser directly onto the “Graph Application”. Although Palantir automates a large portion of the analytical process and effortlessly organizes information, the analyst still needs to carefully read all of the data to understand the information and be able to analyze the social network.
Figure 1: Map Application with Heat Map, Timeline, and Histogram Helpers on
Dubai immediately caught our attention when looking at the heat map. We dragged and dropped all of the related icons (17 documents and 22 entities) onto the browser and then reviewed them to learn more about their relevance and role in the network. After spending about 30 minutes re-reading all of the documents and studying the entities’ dossiers, we realized that an important meeting was going to take place at the Burj Al Arab hotel in Dubai in mid-to-late April. Meetings hosted by Mikhail Dombrovski and Nicolai Kuryakin were going to be attended by potential buyers from Kenya, Syria, Yemen, Lebanon, Pakistan, Venezuela, Colombia, Iran, Thailand, and Turkey.
Figure 2: UAE related entities viewed in the “Browser Application”, important information tagged and seen with blue underlines
Mikhail Dombrovski is notably well connected to international arms purchasers. Dombrovski was scheduled to meet with Funsho Kapolalum, a Nigerian financier and possible weapons purchaser. The Nigerian was having Dombrovski assist in withdrawing $30m and was going to pay him a 10% commission, which was likely a way to purchase weapons and launder money. Further intelligence gathering on the Nigerian may provide vital information regarding international arms funding. Dombrovski also provided weapons to Venezuelan- and Colombian-based buyers. Detailed information regarding weapons orders and travel plans was posted on the “vwparts4salecheep” and “savvytraveladvice” online forums. Although unconfirmed, Mikhail may have also met with Muhammad Kasem and Abdul Khouri (Gaza-based individuals associated with the Martyrs Front of Judea). It is very possible that Kasem and Khouri have purchased arms from Mikhail to conduct radical Islamic terrorist operations in Gaza. Kasem and Khouri practiced poor OPSEC; monitoring Kasem’s and Khouri’s telephone numbers (08-02822906 and 972-599-265-531, respectively) may provide intelligence regarding future terrorist operations against Israeli interests.
Nicolai Kuryakin is also a prominent international weapons dealer. Kuryakin had links to Otieno in Kenya and the M/V Tanya, which was carrying large amounts of weapons to Kenya and Sudan. It is possible that Nicolai is getting a portion of his weapons from Kenya. Nicolai is also linked to Saleh Ahmed, a Yemen-based weapons supplier. Saleh is likely a weapons dealer focused on providing arms to the Arabian Peninsula, and likely acquires his weapons from Nicolai. Nicolai is also likely linked to the unknown individual in Bosnia responsible for linking Turkish-based militants to the meetings taking place in Dubai. The individual in Bosnia is undoubtedly a key middle-man capable of expanding Nicolai’s operations. Further signals analysis of the Bosnian number (90-242-244-8945) is highly recommended. It is also possible that Nicolai met with Mengal, Bhutani, and Naushewani (Pakistan-based militants). These three members have direct access to Basra, who is the number two to LeJ’s Karachi faction leader, Bukhari. Focusing collection efforts on these three Pakistani militants and Basra could provide vital intelligence on the LeJ.
Figure 3: Nicolai Kuryakin and Mikhail Dombrovski international contacts
By using the flow helper, which shows movement of funds according to the tagged data, we were able to see that two sets of payments (from Venezuela and Pakistan) went through Saudi Arabia to a Swiss account and then on to a Russian account. It is assessed that the Russian account belongs to either Dombrovski or Kuryakin (both Russian arms dealers). This coincided with reports specifying that the money must reach the Saudi account by January. The Swiss and Saudi accounts play a key role in transferring funds from international weapons buyers to the dealers.
Figure 4: Payment flows: Green dots on the graph move in the direction of payment. The Timeline Helper shows when the payments occurred