New Cyber Tricks Make ISIS Sophisticated
Terror attacks in Europe have killed more than 200 people in the past 20 months, reflect ing the new operational discipline and technical savvy by the Islamic State terrorists who carried them out.
Weeks before Islamic State militant Abdelhamid Abaaoud led the Nov. 13 terror attacks in Paris, French authorities thought he was holed up in northern Syria. Western Intelligence agencies pursuing Abaaoud had tracked him there using cell-phone location data and other electronic footprints. The Paris attacks, which killed 130 people, showed how badly they were fooled. Abaaoud had slipped past the dragnet and entered the city unnoticed.
Drawing from a growing bag of tricks, Islamic State accomplices located in Syria likely used phones and WhatsApp accounts belonging to Abaaoud and other attackers to mask the group’s travel to Europe, said a Western security official: “We relied too much on technology. And we lost track.”
Terror attacks in Europe, which have killed more than 200 people in the past 20 months, reflect new operational discipline and technical savvy by the Islamic State terrorists who carried them out, security officials said. The extremist group’s communications, once commonly conducted on phones and social media accounts easily tracked by authorities, have evolved into a mix of encrypted chat-app messages over WhatsApp and Telegram, face-to-face meetings, written notes, stretches of silence and misdirection.
These techniques helped protect attackers from Western intelligence agencies by leaving few electronic clues in a sea of intercepted data.
In recent months, Europe has been convulsed by a string of simple yet lethal attacks. Some were committed by people who appear to have received little direct training from Islamic State. The suspects in a failed plot in France recently were “remotely controlled” from Syria by the group, prosecutors have said. Officials worry such attacks could be a way to distract intelligence services while militants prepare more complex plots.
The Paris attackers communicated sparingly, electronic silences sometimes lasted weeks, as they crossed the continent in September and October en route to their deadly rendezvous in Paris, security officials said. When they did communicate, they at times called or sent text messages on disposable cellphones they used once and tossed.
“Try to make it so that even if the idolatrous dogs intercept and decrypt your messages…the only information they will be able to find is your username and password,” advised Islamic State’s French-language magazine Dar Al Islam this spring.
Tips posted by Islamic State-related propaganda outlets describe high- and low-tech methods to avoid detection: Switch mobile phones frequently; sign up for online accounts using temporary phone numbers; hopscotch frequently between chat apps, making any intercepted conversations difficult to follow.
“Buy cheap burner phones; use and throw,” Islamic State sympathizers wrote in one chat-app message. “This will help you not to get tracked.”
The extremist group has also apparently learned to keep secrets off the grid and to limit who knows what, techniques long used by al Qaeda, which favors messengers and handwritten notes.
“They’re using anonymity as much as they use encryption, because encryption can attract the attention of intelligence services,” said Jean-Charles Brisard, president of the Center for the Analysis of Terrorism, a Paris-based think tank. “It’s a huge challenge.”
Patrick Calvar, head of France’s main domestic intelligence agency, told French parliament investigators in May that Islamic State had become a hierarchical, militarized organization, drawing expertise from experienced jihadists and veterans of Iraqi security forces.
“We’re dealing with people who are well versed in clandestine operations, and who understand our capabilities,” Mr. Calvar said. “We’re up against real professionals.”
Lessons Learned
Islamic State is a militant group of the Internet age, its followers steeped in Facebook , smartphones and text messaging. These tools, which helped spread the terror group’s message around the world, also helped authorities foil plots, capture suspects and win convictions in the group’s early years.
Karim Mohamed-Aggad, a brother of one of the Paris attackers, sent text messages extolling jihad and martyrdom in late 2013 before heading to Syria with friends from Strasbourg, France, according to a court document. Radouane Taher, a companion, talked in one message about joining a jihadist team. Then he added that French intelligence services “are reading this. You have a message for them?”
The two men were arrested on their return to France in spring 2014. Mr. Mohamed-Aggad was sentenced in July to nine years in prison, and Mr. Taher to eight years, both for terrorist association. A lawyer for Mr. Mohamed-Aggad said she was appealing the verdict. A lawyer for Mr. Taher didn’t respond to a request for comment.
Islamic State tightened security following airstrikes by the US-led coalition on its territories in Syria and Iraq. The terror group in October 2014 banned the use of GPS to avoid detection by Western allies, according to documents seized by US Special Forces and viewed by the Journal.
Western recruits have since returned from Syria better trained, security officials said.
“At the point at which they’re leaving Belgium, France, the UK, these guys are amateurs. By the time they are turned around and come back again, they are a different breed of terrorist,” said Rob Wainwright, the director of Europol, which coordinates law-enforcement agencies in the European Union.
Abaaoud had a close call before the Paris attacks that may have taught him a lesson about the vulnerability of electronic communications.
He coordinated a group, including fighters from Islamic State territory, to attack Belgium in late 2014, Belgian judges said in May during a trial of accused participants.
Members of the group used disposable phones and communicated, in part, through at least one shared WhatsApp account and Telegram. But they may not have been careful enough. Belgian police tapped their phone lines.
The phone taps started with a Belgian man they had suspected of returning from Syria. From there, phone taps and physical surveillance led authorities to accomplices and a house in Verviers, Belgium, used by the alleged plotters.
Authorities found weapons, bomb-making chemicals and police uniforms at the house during a January 2015 raid. Two suspected terrorists were killed in a gunfight with police.
Western intelligence services used Abaaoud’s communications with the suspected plotters to locate him in Athens. By the time Greek police cordoned off the streets surrounding Abaaoud’s hideout, he was gone.
Hunting Abaaoud
Western intelligence agencies continued to pursue Abaaoud electronically, intercepting data sent by phones linked with him, French officials said.
The trail led to Syria. Security officials suspect Abaaoud and accomplices there were making final plans for the Paris attacks early last summer, selecting targets and choosing attack teams. Around that time, intelligence agencies recorded calls between Abaaoud in Syria and his family in Morocco.
In mid-August, Western intelligence agents got an inkling that Abaaoud aimed to strike France. They arrested Reda Hame, an Islamic State operative and French national, who had returned to France from Syria. Officials say Mr. Hame told them that Abaaoud had ordered him to launch an attack. He also revealed that Abaaoud planned to strike a rock concert, according to a French parliament report.
Using cellular networks, Wi-Fi hot spots and satellites, intelligence agencies, including from the US, stepped up efforts to find Abaaoud and his accomplices. Cellphones pinged their locations. The data through mid-October showed Abaaoud moving among the Syrian cities of Raqqa, Manbij and Deir ez-Zor.
Officials aren’t certain exactly when or how Abaaoud and the others landed in Europe. Evidence assembled after the attacks suggests that Abaaoud and other attackers were on the continent at least by late September.
Once in Europe, the Paris attackers kept their conversations to a minimum. The three men assigned to attack the Bataclan concert hall with machine guns had no contact for weeks with the three accomplices assigned to set off bombs at the Stade de France arena.
“By the time these guys re-entered Europe, the plan was good to go, such that the communications necessary to decide on the plan and get it ready could be kept to a minimum,” said Mr. Wainwright of Europol.
When they did communicate, the terrorists used both encrypted message apps and disposable phones. Some phones were used for a single conversation, Bernard Bajolet, head of France’s foreign-intelligence agency, told French parliamentary investigators in May.
The scale of the Paris attack came as a shock. Three teams of men armed with rifles and suicide belts arrived in rental cars on Friday, Nov. 13. One group sprayed gunfire at outdoor restaurant terraces. Another tried to enter the soccer stadium where the French president was watching the national team. At the concert hall, three terrorists killed 89 people.
Three days later, French officials realized Abaaoud wasn’t in Syria, but had directed the Paris carnage in person.
On Nov. 18, five days after the killings, a combination of tips, phone taps and cellphone-location data led French officials to an apartment north of Paris, where Abaaoud and two accomplices were killed in an hours-long firefight.
The raid left other affiliated terrorists in Belgium, including alleged Paris attacker Salah Abdeslam, who had returned to Brussels, without a leader, officials said. Some of the men used encrypted communications in an apparent effort to reach allies in Syria for instructions, including Ibrahim el-Bakraoui, one of two brothers who died in the suicide-bomb attacks in Brussels.
Four months later, on March 22, Mr. el-Bakraoui and two others set off bombs in the Brussels airport; an accomplice blew himself up on a crowded train. Altogether, 32 people were killed.
The men left behind a laptop and other digital tools for authorities to mine for information, officials said, evidence their security precautions had grown lax.
In April, investigators stumbled across another communications tool, the encrypted audio message.
Italian prosecutors said Islamic State officials in the Middle East had in April sent audio messages over WhatsApp to Abderrahim Moutaharrik, a Moroccan-born Italian.
The messages ordered attacks in Italy and were found by chance: Mr. Moutaharrik played them aloud in his car and they were captured by a recording device planted by authorities, according to a court document and prosecutors.
“Light up the fire on the flowing crowd, pour grenades on the crusader’s head,” said one message, part of an Arabic-language poem. “Don’t have mercy until he’s broken.”
WSJ: