On February 17 2021 a large oil slick reached Israeli beaches with no clear origin. The spill affected over 90% of Israel coasts and was by all means an ecological disaster which would take years to fully recover from.

Investigations where immediately launched, rumours begun spreading, and wrong allegations where made.

Then, three weeks after the slick was first detected, Gila Gamliel, Israeli Environment Protection Minister, issued a clamorous statement accusing Iran of eco-terrorism.

Especially thanks to OSINT, we are able to verify, deny and expand some of the claims and in this article we will try to describe some of the techniques out our disposal to do so.

The Allegations

Minister Gamliel, presenting the results of an investigation coordinated by her ministry and aided by Windward, an Israeli private maritime risk assessment company, alleged that a “pirate” Libyan owned tanker, EMERALD, carrying Iranian oil to Syria, after having passed the Suez Canal, had switched off AIS (naval transponder) to covertly get close to Israeli shores and willingly leak crude oil in a act of “environmental terror”.

Gamliel went on stating that Israel would bring the case to UN so to have the perpetrators punished and obtain international relief for the damage caused by the event.

Weirdly, in the hours and days immediately following Gamliel statements, representatives of both the IDF (Israeli Defence Force) and the Mossad (Israel intelligence service) distanced themselves from the claims, even Defence Minister Benny Gantz later stated that there was no evidence supporting the eco-terrorism allegations.

Important to remember that the allegations came just 3 weeks after the event and just 19 days from Israeli general elections, elections which were for the first time in over a decade, seriously menacing then Prime Minister Netanyahu leadership.

An Iranian attack on Israeli soil, large scale and vicious as a deliberate oil spill, could have surely helped unifying the country around what the leadership at the time.

More cautious allegations stated that while EMERALD was probably the source of the leak, there was no hard evidence to prove it, and that in general an accident was more plausible, possibly also an accident during the oil transfer (illegal as per UN sanctions) from the tanker to Syria which usually happens at sea to attempt to mask the illicit operation.

The Questions

Given the facts (oil reached Israeli shores) and the allegations, we are left with various questions, among which :

  • Was the EMERALD really responsible for the spill ?
  • Was the spill intentional ?
  • Was the spill the result of a badly handled ship to ship transfer of oil ? (common practice to get oil from Iran linked vessels to Syrian refineries)

OSINT data and analysis of it can help us answer some of this questions or if anything get a better idea of the probable answers.

The OSINT Techniques And Tools

Various OSINT techniques and resources can help us in this case, especially thanks to the large size of the type of vessels involved (large oil tankers) and nature of an oil slick in the sea which is large and relatively slow moving.

The Satellites

SENTINEL is a ESA (European Space Agency) mission composed of multiple satellites of varying capabilities that since over a decade has been providing important data, mainly, for climate research. Especially pertinent to this investigation, two types of SENTINEL satellites :

  • SENTINEL-2 satellites have optical sensors operating across a wide range of wavelengths with a relatively low resolution of 10 meters per pixel, but more than sufficient to detect and identify both large vessels as oil tankers and a large oil slick.
  • SENTINEL-1 satellites are built around a CSAR (C band Synthetic Aperture Radar) sensor which provides 10 meters per pixel radar data, data that can be processed to reveal vessels and oil over the sea surface (in some conditions at least)

Both fresh daily and historical SENTINEL missions data can be found, browsed and processed, on the sentinel-hub website (where you can access also LANDSAT satellites images, which while having a lower resolution and revisit time than SENTINEL-2, can still be useful)

Screenshot of the web interface of the sentinel-hub website which allows (free of charge) to consult SENTINEL satellites data

Higher resolution, paid, satellite services exist such as planet.com which thanks to a constellation of dozens of satellites provide almost daily, higher resolution, coverage of most of the planet.

AIS

All vessels above a certain size have (sort of) to transmit their location and some general informations about them via a transponder system called AIS (Automatic Identification System), while not technically compulsory when in open sea (AKA international waters), transponders are fundamental in high traffic areas such as straits and ports and are generally kept constantly on by most (civilian) vessels.

Numerous websites (a good example is marinetraffic.com) exists allowing users to browse current AIS data from across the globe, and (with paid accounts) historical data is available too.

MarineTraffic.com is just one of the many services that allow to monitor live AIS data

While far from perfect and easy to spoof or disable, the system and related websites are widely used in the OSINT maritime community and are by now since many years a fundamental tool when investigating events at sea.

In this specific case, AIS data gave us two important locations and date / times which will prove fundamental in reconstructing EMERALD path.

Maritime registration data

All vessels at sea have three main means of identification, their name and two numeric based codes, IMO ( International Maritime Organization) and MMSI (Maritime Mobile Service Identities).

This means of identification can be used to recover important informations about a vessel such as its current and past owners, managers, the country where it is, or was, registered (which issues the flag the vessels flies), past names, inspection history etc..

An incredibly good (and free, just need to register) website to access this data is Equasis, which will have up-to-date informations about practically all vessels. Beware that some of the other services available, especially among the free ones, are slower to updated data, leading to potentially misleading results (as we suspect happened in Minister Gamliel report)

The website Equasis.org allows to explore detailed informations about vessels, in this case the full ownership and management history of the crude oil tanker EMERALD

Sea Currents Flow Data

Oceans and seas across the globe are constantly monitored. Buoys (both fixed and daily air launched ones), satellites and planes use their sensors to acquire data on water movements, temperature, salinity etc.. across the whole planet, often multiple times a day.

The data is then collated and processed to produce models and datasets for further analysis. One of such datasets is OSCAR which provides global, daily, grid based data about the worlds water oceans and seas.

Given the subject of our investigation, we will use OSCAR data to reconstruct water currents in the area of the Mediterranean Sea interested by the spill, this in the hope to “reverse engineer” the spill tracing backward its path from where it was detected by satellites towards where it could have originated from.

More generally, the ESR website (Earth Space Research) is a treasure cove of datasets and models about most things pertaining our planet, fascinating and possibly inspiring even just to browse.

Google Earth Pro (Desktop)

Especially for similar investigations Google Earth Pro is a fundamental tool, completely free, it allows us to map, take measurements and geolocated notes as we proceed with our investigation.

It might happen to find via news stories, social media, videos etc, important informations for your investigation already mapped on some (often low resolution) image. Extracting the coordinates that interest you from such files is made easy thanks to the capability of Google Earth Pro to “overlay” images over its base map. With a bit of dragging and stretching you can get the source image (a map) to match the application map and once you got that, extracting the exact coordinates is really easy.

Google Earth Pro (desktop) is a great tool to take geolocated notes during investigations, take measurements and extrapolate additional informations.

The Investigation

In most cases OSINT investigations have to rely on multiple tools, techniques and sources, and this one in particular is a good example of this.

Oil slick

In the days following the first detection of tar on Israel beaches, @HarelDan (which readers of the site will recognise) used SENTINEL data to detect the oil as it moved in the Mediterranean before reaching the coast, this provided precious information about the possible location of the slick at specific times / dates.

EMERALD

As the slick was being investigated it was discovered that just few tankers (4 specifically) where carrying crude oil in the area and timeframe consistent with the spill. Israeli authorities then singled out EMERALD as the most probable culprit. While we can’t (at investigation start) assume the information to be valid, it provides a solid starting point as we can attempt to either confirm or disprove the identification.

Having the name of the vessel we can easily get many more informations about it, especially useful in this case, the size, deck features, the color scheme if possible (many maritime tracking websites provide an impressive amount of pictures taken by vessel spotters) and the available AIS data.

Websites as marinetraffic.com collect also pictures of the tracked vessels as shared by vessel spotters around the globe

If available, AIS data will be the easiest to map (in Google Earth app at this point), and provide a fundamental help for the next phase.

While we don’t have access to historical AIS data for EMERALD (requires a paid account we don’t have at the moment..), some of the news published when the story broke (as well as footage from the Israeli press report on the eco-terrorism allegations) contain screenshots of such data. Using Google Earth Pro image overlay functionality it is easy to map those locations for our investigation.

Fast video showing how to use the image overlay feature in Google Earth Pro

Given the size, deck features and color scheme (and hopefully some AIS data to help us narrow down our search area) we can (with a lot of patience) attempt to identify the vessel on satellite images. But where to look ?

With vessels it is useful to extrapolate possible routes. Knowing a position (like from the last broadcasted AIS data, just north of Suez in this case), a potential direction (Syria) and the average cruise speed (available on marinetraffic.com), we can use Google Earth drawing features to draw lines, circles and/or paths which we can then measure and extrapolate additional informations from.

Since we are going to attempt finding the vessel on satellite images, we will take note of the time and date of the relevant satellite passes over our search area. In this case, the difference (in hours) between the satellite pass time and the last AIS spotting time can be multiplied by the vessel average speed (in knots) to obtain an estimate of the plausible distance traveled (in nautical miles) by the vessel since the last AIS reported position. This helps us narrow down dramatically the area to search on satellite images, especially since we also have a second AIS reported location just east of Cyprus in the late evening of February 2, allowing us to define a possible linear path between the two positions and further defining our search area.

Fast video showing how to use Google Earth Pro to extrapolate possible vessel paths and in this case reduce the area where to look for the vessel on satellite images.

When searching for a vessel on satellite images, its size, color scheme, deck layout, location and heading will be fundamental for a confident identification. The sentinel-hub platform allows (once you register a free account) to take measurement directly in the web interface, a fundamental feature for our goal. Important altho to note that given the resolution of SENTINEL-2 satellite images, 10 meters per pixel, the measured size of the vessel should be considered approximative with up to 20 meters of total error, but in most cases such error will be less, up to 10 meters.

Given the possible error in measurements due to the satellite sensors resolution, if more than one vessel is present in your search area matching the one you are looking for, deck features and proportions can be another important discriminator. While measurements can’t be precise, proportions will be, so for example the relation between length and width or the relative distance between deck features can be used to make correct identifications. Pictures of the vessel (again, marinetraffic.com and similar sites often host many) will provide important details about deck layout and colors. For EMERALD they show a red painted deck, white helipad on the front left of the vessel and two cranes (white) roughly in the middle of it.

EMERALD picture from marinetraffic.com shows important details about the deck layout. Particularly useful indicators the cranes and the helipad.

In this case we are lucky and have a (relatively) very clear image of EMERALD as it was cruising north. This information too (coordinates and time) should be mapped on Google Earth.

EMERALD as captured by SENTINEL-2 satellites on 2/2/2021. The darker area in the middle of the vessel is caused by the shadows casted by the two cranes visible in the marinetraffic.com picture, while the white spot in the front left portion of the vessel is caused by the helipad.

We now have three important pieces of data which allow us to reconstruct, with reasonable precision, the path of EMERALD from Suez to the sea between Cyprus and Syria (area very common for Iranian illicit oil deliveries to Syria)

  • EMERALD position, time and heading, as reported via AIS, just before she turned off the AIS transponder north of Suez.
  • EMERALD position, time and heading, as captured by SENTINEL-2 satellite
  • EMERALD position, time and heading as reported via AIS when she switched the transponder back on just east of Cyprus.

“Connecting the dots” we have a route that is perfectly compatible with EMERALD cruise speed, actually, compatible with the high end of EMERALD cruise speed, which tells us immediately one thing : (some) Israeli claims suggesting the vessel switched off the transponder to get close to Israeli coast and leak oil aren’t compatible with our data. Given the spottings and the vessel possible speed, there would have been no time for any major deviation from the very linear course from Suez to her destination East of Cyprus. While this doesn’t exclude the possibility of an intentional leak aimed at polluting Israel, it makes it way less probable as the vessel, as opposed to initial Israeli statements which vaguely spoke of EMERALD reaching within tens of kilometres from the coast, in reality never got closer than 130 kms to Israeli shores , requiring some kind of a oil spill “sniper” shot to release the oil at such distance knowing where it would end up. Risky and very hard to predict exactly.

We can also use Equasis.org to gather more informations about the vessel, which tells us that the current owner (since December 23 2020) is EMERALD MARINE LTD based in Lebanon, with no apparent connection to Libya as instead reported by Israeli authorities. The same data shows altho that the vessel was Libya owned (LIBYAN OIL CARRIER LTD) until December 23 2020 which is if anything suspect. Some google searching will reveal that on a couple of popular (free) maritime information services the owner of the vessel is still reported to be the Libyan one. This allows us to infer that there is the possibility that the Israeli investigation used not up to date data to reach the conclusion that EMERALD was a “Libyan pirate vessel”.

Having a generic area (and potential/plausible behaviour pattern for vessel), we can check satellite images for further spottings of the vessel which in this case reveal that once reached the sea East of Cyprus in the night of February 2, EMERALD spent the following days, until February 10, in the same area (just north east of Cyprus) after which she moved south east to meet with LOTUS and transfer her oil while at sea (in international waters).

SENTINEL-2 satellite image showing EMERALD performing STS oil transfer with LOTUS while in International Waters west of Syrian coast

Satellites then place LOTUS in Baniyas, Syria, just a few days later, allowing us to affirm with a pretty high degree of confidence that the oil loaded (that not spilled at least) on EMERALD reached the UN sanctioned Syrian regime.

Tanker LOTUS captured by planetscope satellites in Baniyas, Syria, just a few days after having received oil from EMERALD.

Oil slick movement simulation

We now have a pretty accurate idea of the path the EMERALD took while AIS was switched off, but don’t have evidence that it was actually the origin of the spill. We altho have the potential location of the oil slick just a few days after the tanker transit.

In theory, knowing sea currents and movements we could infer the path the spill took both after and prior to detection and OSCAR data can help us in this. The data is provided as a daily grid of water speed vectors (providing both speed and direction of water flow), but we still need a way to actually use the data and visualise the results.

At this point UNITY 3D comes into play. Born as a 3D video game engine, UNITY (free version feature complete) provides us a relatively easy to use platform to import the data, map it, do some calculations with it and visualise the results. We will publish in the near future a more detailed article on the potential of UNITY for OSINT investigations, so won’t dive into the technicals details here, but the basis of what was done is :

  • Code a simple importer for OSCAR data
  • Map each data point into a geographically accurate rapresentation
  • Code a controller to access the daily data and interpolate values between data points given a precise time / date
  • Map EMERALD path in our simulation space
  • Code a general time controller that will interface both with the interpolated OSCAR data and with the interpolated EMERALD path.
  • Adapt the builtin particle system to roughly simulate our oil slick by having the particles moved by the OSCAR data we imported and processed.
  • Map the locations of the oil slick detections (those provided by @HarelDan and SENTINEL satellites) into our representation and use our modified particle systems to represent them
  • Starting from the date/time of the oil slick detection, apply OSCAR water flow data in reverse so to move our “oil particles” opposite to the water flow to extrapolate a potential (rough) path for the oil slick in the days prior to detection

All this done, we end up with some pretty interesting results which show our simulated oil slicks following a path that intersects that of EMERALD, in one case, the position detected on February 7, the time and date of the intersection with the tanker path are consistent with where (given our previous work to reconstruct EMERALD course while off AIS) the vessel should have been. While this simulation is missing many elements to make it more accurate, the general path simulated should be roughly correct, allowing us to have a decent idea of where and when the leak begun and allows us to be rather confident that EMERALD was indeed the culprit.

Initial Findings

We can now affirm with a relatively high degree of confidence that :

  • EMERALD path didn’t deviate from the “usual” one taken by tankers headed for Syria, and especially those headed for the sea between Syria and Cyprus where oil is transferred at sea.
  • Satellite image show that EMERALD transferred oil to LOTUS which in turn unloaded it in Baniyas in Syria, confirming that the tanker was involved in illicit oil trade with the UN sanctioned Syrian regime.
  • Israeli initial allegations that the tanker had switched off AIS to approach Israeli coasts don’t hold up, it did switch off AIS but that is normal for tankers headed for Syria (to perform illegal oil transfer to Syria), and AIS and satellite data shows us that her path was linear (no deviations towards Israel)
  • Our simulation confirms Israeli allegations that it was EMERALD the most likely culprit of the oil spill
  • We know where and when the spill plausibly occurred, the location, tanker path and distance from Israel shores makes it hard to think the spill was a deliberate act of “eco-terrorism” aimed at Israel (oil reached Lebanese coasts too, and according to sea currents it could have moved much farther north).
  • Claims stating that the spill could have happened accidentally while the vessel was transferring oil at sea to another vessel don’t hold up. Actual oil transfer, in this and in many other cases, happened in a different area, while the path of the vessel shows she never stopped for what would have been a long transfer of oil at sea while navigating the relevant area of sea.

Attack / Sabotage ?

Just days after Gila Gamliel allegations, the Wall Street Journal published a pretty revelatory article alleging (quoting sources among Israeli government officials) that Israel had attacked, with varying means and techniques, over a dozen Iranian tankers headed for Syria since late 2019. Among the attacks plausibly perpetrated by Israel that of tanker SABITI which suffered 2 explosions while transiting the Red Sea in October 2019, explosions which caused a significant oil spill.

On March 3 2021, Shahr-e-Kord, an Iranian freighter headed for Syria was attacked by “unknown forces” just 56 kms from the position our investigation revealed as that of the plausible origin of EMERALD oil spill. Images from the aftermath of the attack show some damaged containers on the deck of the containership, pointing to some kind of aerial weapon being used (either a “suicide drone” or missile of sorts). While potentially unrelated, the location is interesting, as it reveals that the specific area of Mediterranean Sea, has been (plausibly) used by Israel to attack Iranian interests.

Damage on the deck of Shahr-e-Kord allegedly hit by a drone or missile just 56 kilometres from the possible location of EMERALD oil leak

You can read more about the covert war ongoing between Israel and Iran fought targeting commercial vessels from both countries in our “Tanker War 2.0” article.

In late July 2021 another potentially relevant series of articles is published, SKY news acquired secret Iranian documents showing their research into cyberattack possibilities against Western assets. Among the means researched that of sabotaging key systems on vessels (such as tankers) to damage or even sink them. Officials and analysts contacted by HAARETZ then suggested that the Iranian documents, or at least some of them, could be defensive in nature in the sense that Iran was looking into the types of cyberattacks it could suffer and the means to deliver them. One of the sources of the article, described as senior maritime officer with relevant ties to Israeli defence apparatus, stated that many of the cyberattacks described in the Iranian papers where descriptions of techniques Israel actually used to attack Iranian vessels. This information, while far from detailed or certain, appears to suggest that at least some of the attacks on Iranian vessels where carried out using cyberwarfare means and some of the attacks might have involved the manipulation of key centrifuges and pumps on the vessels potentially leading to, among other effects, leak of oil from the vessels.

While just a speculation, given the campaign of attacks against Iranian vessels, the main targets of such campaign, the specific precedent which caused a significant oil spill (SABITI) , and the areas in which this attacks took place, it is at least possible to speculate that EMERALD might have been targeted just as the other vessels and that however the attack was carried out, a miscalculation lead to the significant oil spill reaching Israeli shores.

This possibility would also fit the relatively unexpected comments from IDF and Mossad officials who immediately distanced themselves from minister Gamliel accusations (presumably wanting the story to be forgotten as soon as possible). Of notice also that while initial claims stated that the matter would have been brought to UN for further investigation, Israel never actually did so…

Conclusions

We can’t be sure about many aspects of the event but OSINT techniques allowed us to confirm some Israeli claims while dismissing others. It is rather safe to state that EMERALD was the source of the oil slick that reached Israeli and Lebanese shores in mid/late February 2021, but at the same time it doesn’t look likely that the spill was intentional. EMERALD appears to have leaked a significant amount of oil while navigating, which is rather rare (unprecedented?) for Oil tankers. The spill didn’t occur while the ship was performing STS (Ship To Ship) transfer of its oil cargo, nor did the vessel altered its course in any relevant way to get closer to Israeli shores.

Given this informations, other related events, the tensions between Iran and Israel, the incomplete informations about other similar events, we can just speculate on what really happened but such speculations can if anything be a little more informed thanks to OSINT.