20 octobre 2021

A decade into the Syrian war: OSINT as a tool to investigate Syria’s chemical program supply chain

Par Sébastien

The war in Syria has been one of the most violent conflict of this past decade. Being one of the most documented conflict, it has provided a lot of material for open source research to take off. Multiple investigations have established the use of chemical weapons by the Syrian government on its population. Open source research has proven to be a valuable tool in verifying attacks and whether chemical weapons were used.

The Syrian chemical program and the need for accountability

At a time some Syrian officials have started to be trialed for war crimes, the need for accountability has never been greater. Individuals involved in the Syrian chemical program used during the war are Syrian officials but also businessmen who were used as intermediaries and fronts to obtain material and equipment for the Syrian Studies and Research Center. Investigating these proliferation networks has been difficult as establishing the full supply chain can be complex. A few investigations led by Syrian Archive, Bellingcat, C4ADS and Open Society Justice Initiative were published here and there on chemical weapons supply chains.

Proposing an open source research framework to detect a proliferation risk

On this occasion OpenFacto wanted to understand if an open source research framework could be created in order to detect proliferating companies supplying the Syrian Studies and Research Center. To test this framework we took two existing cases that were brought to the French and US justices for their alleged participation to the Syrian Chemical Weapon Program. OSINT research can establish risk levels for the Houranieh and EKT networks which can be summarized with the following scorecards.

Main findings

Open source research is a valid tool to establish a risk level associated with an entity suspected of proliferation or to detect high risk entities.

OSINT CAN PROVIDE SUPPORTING CONTEXTUAL INFORMATION. Open source research confirms a number of elements mentioned in both networks:

  • Both networks have an international dimension with front companies outside of Syria
  • What they trade can be established: metal, electronics, security
  • Multiple sources mention these networks seem close to Bashar Al Assad’s entourage and the SSRC
  • There is an history of customs inspection and/or sanction enforcement in US jurisdiction. 

THE IMPORTS POSE A HIGH RISK OF BEING USED FOR PROLIFERATION. Open source research gathers circumstantial evidence which indicates the items traded and the destination of Syria should have triggered enhanced customs inspections. 

NETWORK RESILIENCE. Both networks continue to operate to the present day. Despite asset freezes and sanctions they have demonstrated resilience to access international markets. 

SOCIAL MEDIA PLATFORMS USED FOR CREDIBILITY AND PUBLICITY. The Houranieh network, but mostly the EKT network, have been using Western social media platforms to create business accounts – ‘Pages’ – in order to promote their brand, products and generate potential sales leads. These social media accounts have been used as a resiliency tool to overcome domain name suppression. 

GAPS IN GLOBAL EXPORT CONTROL SYSTEM AND MEASURES ENFORCEMENT. High risk trade entities previously investigated for their contribution to a proliferation program continue to have access to international industrial markets and financial markets to make payments. It demonstrates a gap between several jurisdictions regarding export control systems. It also shows a lack of coordination and communication between the EU and national jurisdictions. Finally it shows a disjointed international effort to enforce measures against proliferating entities.

Methodology and Limits for investigating potential supply chain proliferation networks

Proliferation mainly involves the transfer and export of technology, goods, software, services or expertises that could be used in nuclear, chemical or biological weapon-related programmes and obviously poses a significant threat to security. Tracking proliferation networks and financing has been proven difficult because transactions take place within a normal business setting. 

The purpose of this project is to demonstrate the effectiveness of open-source research as a first and easily accessible tool to use in order to evaluate a proliferation risk associated with entities and goods traded.  

Financial organizations combating money laundering, terrorist financing and proliferation financing like the FATF – the Financial Action Task Force – have set up indicators to detect financing of proliferation to become better at flagging and characterising proliferation networks. These indicators often includes some the concepts which can be researched using OSINT:

  • The jurisdiction where the trades are taking place
  • The type of items traded
  • The legal form of the company proceeding to the trade and where it is incorporated
  • Links between several companies and/or the use of a broker
  • Discrepancies between the company’s activities and goods traded
  • Discrepancies between the type of goods imported and the technical level of their final destinations
  • The nationality of the company’s directors
  • The final destination of the goods
  • The ultimate beneficiary of the transaction or its likelihood

Our step by step approach 

This research project started from the information published by the French Authorities mentioning individuals’ names, dates of birth and corporate entities to the reconstitution of suspicious import transactions. The following research steps were taken:

  1. Researching sanctioned individuals and corporate entities digital footprint online and the links existing among them. 
  2. Identification of some of the companies’ suppliers
  3. Identification of the type of equipment, material or products imported. 
  4. Assessing the risk of proliferation: low, medium and high

Type of sources used in this report

A wide range of sources were used for research purposes in this report. They include: social media, press articles, academic reports, commercial databases and corporate registries, data obtained from bills of lading, leaked data from Syrian administration, online website analyzing tools. 

Investigating a proliferation network

Investigating a proliferation network is difficult as it takes the appearance of a normal business transaction. In this report we try focusing on several part of the transaction process:

  • the network of companies used to buy equipment and material
  • the link between this network and strategic governmental bodies in a red flag jurisdiction
  • the ultimate buyer if it appears
  • the type of goods which are bought 
  • the suppliers 

Researching corporate entities that may circumvent sanctions

Most of the corporate entities presented in this report can be verified by accessing commercial registries or databases, either for free or a small fee. However Syria does not provide online access to commercial corporate registries. The authors had to rely on multiple concordant sources to verify the existence of Syrian entities: emails, websites, addresses, mentions in local media, mention in official sources or social media.  

Researching import/export data

To identify the type of goods which are shipped, the suppliers involved and the corporate entities used by the network we relied on import/export data to get shipment data. These shipment data are extracted from bills of lading. A bill of lading is a standard document required to be issued by the shipper to identify the nature, quantity, quality of the goods. Usually these data indicate the supplier’s name, (air) port of origin, type of goods and quantity, consignee – the company receiving the goods – and (air) port of arrival. 

The goods are often referenced using a HS code – the Harmonized Commodity Description and Coding System. These codes are product classification codes used by  all the members of the World Customs Organization (WCO) to classify goods for customs purposes. While they do not indicate the exact product nor its specifications, it gives its good category. 

Shipment data providers like Panjiva or ImportGenius source the data directly to countries’ customs bureau or data brokers. Not all countries are available: China offers only a partial data set.

Researching equipment or material imported in cases of sanction circumventions: establishing a risk level

Dual-use items are goods, software and technology that can be used for both civilian and military applications. It does include raw material like certain types of steel or specific chemicals. Investigating such items is challenging as their official descriptions in available customs related documents are limited. These types of sources give an indication of risk level associated with an item.Consulting custom specialists can be helpful.

What about the beneficial owner?

According to the FATF, the beneficial owner is “the natural person who ultimately owns or controls and/or the natural person on whose behalf a transaction is being conducted”. In our two case studies the beneficial owner is known – the Syrian Scientific Studies and Research Center (SSRC) – and is the cause for the network of companies to be put on the French sanction list.

Some limits: no smoking gun but a risk level

Open sources have been used to gather information about a direct or indirect relation between the SSRC and the two different entities. This report does not offer definitive conclusions nor smoking gun evidence regarding Syria’s chemical weapon program. It captures a snapshot of the procurement chain which was in the public domain at the time of the research. Data available regarding the type of equipment sent are generic and do not replace a visual confirmation. Secondly, OpenFacto has had no access to data describing financial flows: there is nothing available in the public domain to characterize the financing aspect of proliferation networks. Thirdly, while OpenFacto uses official corporate records to verify some corporate holdings and commercial relationships, this information only represents a snapshot of corporate activity at a given time: records may not be updated regularly, may not be consistent or wholly accurate, and may not have the same standards of reporting across jurisdictions. Finally, the report should serve as a basis to raise further questions, identify gaps and launch deeper investigations into the cases.

Download our report

Our report is available for download in English here and an executive summary is provided in French [to come].

Rejoignez notre mission.

Adhérez à OpenFacto, et faites de l’OSINT un standard en France.