Posts

Our Yemeni “Allies” Did More Damage than Edward Snowden

The NYT reports that some counterterrorism analysts think the reports of the Ayman al-Zawahiri call with Nasir al-Wuhayshi have done more damage to our SIGINT collections than all of Edward Snowden’s leaking.

As the nation’s spy agencies assess the fallout from disclosures about their surveillance programs, some government analysts and senior officials have made a startling finding: the impact of a leaked terrorist plot by Al Qaeda in August has caused more immediate damage to American counterterrorism efforts than the thousands of classified documents disclosed by Edward Snowden, the former National Security Agency contractor.

Since news reports in early August revealed that the United States intercepted messages between Ayman al-Zawahri, who succeeded Osama bin Laden as the head of Al Qaeda, and Nasser al-Wuhayshi, the head of the Yemen-based Al Qaeda in the Arabian Peninsula, discussing an imminent terrorist attack, analysts have detected a sharp drop in the terrorists’ use of a major communications channel that the authorities were monitoring. Since August, senior American officials have been scrambling to find new ways to surveil the electronic messages and conversations of Al Qaeda’s leaders and operatives.

[snip]

The drop in message traffic after the communication intercepts contrasts with what analysts describe as a far more muted impact on counterterrorism efforts from the disclosures by Mr. Snowden of the broad capabilities of N.S.A. surveillance programs. Instead of terrorists moving away from electronic communications after those disclosures, analysts have detected terrorists mainly talking about the information that Mr. Snowden has disclosed.

Reading between the lines, the story suggests one reason Snowden’s leaks haven’t hurt counterterrorism that badly is because they’re targeted at (or most effective with) non-terrorist targets.

Senior American officials say that Mr. Snowden’s disclosures have had a broader impact on national security in general, including counterterrorism efforts. This includes fears that Russia and China now have more technical details about the N.S.A. surveillance programs.

But I’m perhaps most interested in the way NYT points to McClatchy as the first report of the leak, not the NYT itself.

McClatchy Newspapers first reported on the conversations between Mr. Zawahri and Mr. Wuhayshi on Aug. 4. Two days before that, The New York Times agreed to withhold the identities of the Qaeda leaders after senior American intelligence officials said the information could jeopardize their operations. After the government became aware of the McClatchy article, it dropped its objections to The Times’s publishing the same information, and the newspaper did so on Aug. 5.

Remember, whereas the NYT sourced this leak to US officials, McClatchy very clearly sourced it to a Yemeni official. In fact, McClatchy’s editor, James Asher, said that the reporter (Adam Baron) said the intercept was “common knowledge” known in Yemen.

Our story was based on reporting in Yemen and we did not contact the administration to ask permission to use the information. In fact, our reporter tells me that the intercept was pretty much common knowledge in Yemen.

None of this excuses the US officials who leaked this to brag about the NSA’s capabilities at a politically sensitive time. (In fact, the intercept was discovered by an Air Force unit stationed at NSA’s Fort Meade.)

But even before that, someone in Yemen was leaking broadly enough about this intercept that it was “common knowledge.”

Which, given the divided loyalties of many within the Yemeni government may well mean AQAP got details of the intercept firsthand, not via McClatchy or NYT.

Those same Yemeni allies have long blabbed about our infiltration of AQAP. Now, apparently, they’ve alerted AQAP to the precise means of wiretapping them. Perhaps this should tell us something about those Yemeni allies?

Count Von Count Drones Yemen

The flurry of drone strikes in Yemen has gotten so difficult to keep up with that I imagine a twisted version of Count Von Count leading counting lessons after each one.

As of last count, he’d be up to the number 8. “You can hold it this way you can hold it that way.”

Three U.S. drone strikes killed a total of 12 suspected al-Qaida militants Thursday, a Yemeni military official said, raising to eight the number of attacks in less than two weeks as the Arab nation is on high alert against terrorism.

The uptick in drone strikes signals that the Obama administration is stepping up its efforts to target Yemen’s al-Qaida offshoot — al-Qaida in the Arabian Peninsula — amid fears of attacks after the interception of a message between its leader and the global leader of the terror network.

Since July 27, drone attacks have killed 34 suspected militants, according to an Associated Press count provided by Yemeni security officials.

Happy Eid, Yemen, Count Von Count would sing. Ha ha ha.

I can’t help but wonder whether the US wouldn’t look like it was in such a frenzy if it hadn’t leaked news of the conference call it compromised last week. It’s possible the compromise included location data. But at the very least, intelligence captured from the courier would seem to provide information that will lose value as AQAP figures out the US has it.

And given trickling reports that civilians are among the dead, on Eid? This drone frenzy could backfire if the attacks aren’t very carefully targeted.

Update: Tweaked courier language to reflect possibility he was never captured, just his message was.

Behind Legion of Doom: Breaking “Encrypted Electronic Communications between High Level Al Qaeda Leaders”

David Garteinstein-Ross, who did his own research into the Daily Beast Legion of Doom story, noted a couple of things via Twitter that I have been pointing to: the conference call behind the Legion of Doom scare wasn’t the first intercept, and Al Qaeda leaders on the conference call (which Eli Lake clarified wasn’t via telephone) assumed the call was secure.

3) There has been more than one intercept related to the plot. The report refers to a captured courier in addition to the conference call.

5) Many reactions to the report assume AQ completely broke OPSEC. The report states that AQ leaders assumed the call was secure.

And in the appearance above on MSNBC, he describes the conference call as,

Encrypted electronic communications between high level Al Qaeda leaders in which they were discussing this plot.

[snip]

This is encrypted communication. It’s hard to penetrate their communications. And if you make clear that we have, and which communications we’ve penetrated, then they’re simply going to adapt.

In general, that suggests that something the government got from the courier allowed them to break the encrypted conference call. And, if Gartenstein-Ross is accurately informed, that we did, in fact, break their encrypted communications.

While that doesn’t prove or disprove my outtamyarse guess that the Tor compromise had a connection to Legion of Doom, it does make it more likely.

It also means the leaks are that much more damaging, in that they would have ended the period when we had location data on operatives they didn’t realize had been exposed.

Maybe the Gimmick Is in the Timing of Legion of Doom?

In my first post on this Yemen scare — which I will henceforth call “Legion of Doom” in honor of the Daily Beast source’s use of the term — I suggested the big part of the plot might have already transpired.

There’s the increased drone activity in Yemen. Who knows! Maybe, like last year, the plot has already been rolled up and we’re just waiting to confirm one of the several recent drone strikes have taken out our target?

I made that suggestion because of evidence that the US rolled up UndieBomb 2.0 on April 20-24 of last year, and only then deployed a bunch of Air Marshals and fear-mongering about Ibrahim al-Asiri for the days leading up to the May 1 anniversary of Osama bin Laden’s killing. They eliminated the threat (which was minimal in any case, since the bomber was a British-Saudi-US mole), then rolled out fear-mongering about it, as if the threat still existed. Fairly clearly, the White House planned a big press conference on their operation once they killed Fahd al-Quso, and thus got furious when the AP managed to scoop their theater.

I increasingly think that may be the case. Whether or not there was ever a real threat, I suspect it may have partly passed before the big rollout of it last Friday (though the targeting of a top AQAP member, the presence of additional JSOC forces, or all the drone strikes may have increased the risk for Americans in Yemen).

Consider: back when Pentagon stenographer Barbara Starr was among the first to discuss the intercepts behind Legion of Doom, she suggested very fresh SIGINT chatter and a warning from President Abdo Rabi Mansour Hadi delivered on July 31 or August 1 had led the US to close a bunch of embassies (though even there, they waited a few days to start closing embassies).

Fresh intelligence led the United States to conclude that operatives of al Qaeda in the Arabian Peninsula were in the final stages of planning an attack against U.S. and Western targets, several U.S. officials told CNN.

The warning led the U.S. State Department to issue a global travel alert Friday, warning al Qaeda may launch attacks in the Middle East, North Africa and beyond in coming weeks. The U.S. government also was preparing to close 22 embassies and consulates in the region Sunday as a precaution.

The chatter among al Qaeda in the Arabian Peninsula operatives had gone on for weeks but increased in the last few days, the officials said.

Taken together with a warning from Yemeni officials, the United States took the extraordinary step of shutting down embassies and issuing travel warnings, said the officials, who spoke on condition of anonymity.

While the specific target is uncertain, U.S. officials are deeply worried about a possible attack against the U.S. Embassy in Yemen occurring through Tuesday, the officials said.

[snip]

Yemeni intelligence agencies alerted authorities of the threat two days ago, when the Yemeni president was in Washington, said the official, who spoke on condition of anonymity. [my emphasis]

And the original and an update to the NYT’s original story on Legion of Doom says the intercept between Zawahiri and Wuhayshi came sometime last week.

The intercepted conversations last week between Ayman al-Zawahri, who succeeded Osama bin Laden as the head of the global terrorist group, and Nasser al-Wuhayshi, the head of the Yemen-based Al Qaeda in the Arabian Peninsula, revealed what American intelligence officials and lawmakers have described as one of the most serious plots against American and Western interests since the attacks on Sept. 11, 2001.

But the latest AP version of the intercept call says it was picked up “several weeks ago.”

A U.S. intelligence official and a Mideast diplomat said al-Zawahri’s message was picked up several weeks ago and appeared to initially target Yemeni interests. The threat was expanded to include American or other Western sites abroad, officials said, indicating the target could be a single embassy, a number of posts or some other site. Lawmakers have said it was a massive plot in the final stages, but they have offered no specifics.

Perhaps the discrepancy comes from confusion about two different Zawahiri-Wuhayshi intercepts. In its conference call report, the Daily Beast reports that authorities picked up a communication, via courier, between Zawahiri and Wuhayshi “last month.”

An earlier communication between Zawahiri and Wuhayshi delivered through a courier was picked up last month, according to three U.S. intelligence officials.

That earlier conversation may simply have been Zawahiri naming Wuhayshi his deputy, but the role of a courier in the interception suggests they may have gotten far more intelligence — perhaps not just intelligence tipping the US off to whatever conference call protocol AQ was using, but also to the location of Wuhayshi and other figures.

Read more

What If the Tor Takedown Relates to the Yemeni Alert?

Eli Lake and Josh Rogin reveal that the intercept between Ayman al-Zawahiri and Nasir al-Wuhayshi was actually a conference call between those two and affiliates all over the region.

The Daily Beast has learned that the discussion between the two al Qaeda leaders happened in a conference call that included the leaders or representatives of the top leadership of al Qaeda and its affiliates calling in from different locations, according to three U.S. officials familiar with the intelligence. All told, said one U.S. intelligence official, more than 20 al Qaeda operatives were on the call.

To be sure, the CIA had been tracking the threat posed by Wuhayshi for months. An earlier communication between Zawahiri and Wuhayshi delivered through a courier was picked up last month, according to three U.S. intelligence officials. But the conference call provided a new sense of urgency for the U.S. government, the sources said.

The fact that al Qaeda would be able to have such conference calls in this day and age is stunning. The fact that US and Yemeni sources would expose that they knew about it is equally mind-boggling.

But one thing would make it make more sense.

On Sunday, Tor users first discovered the FBI had compromised a bunch of onion sites and introduced malware into FireFox browsers accessing the system. Since then, we’ve learned the malware was in place by Friday, the day the US first announced this alert (though the exploit in FireFox has been known since June).

The owner of an Irish company, Freedom Hosting, has allegedly been providing turnkey hosting services for the Darknet, or Deep Web, which is “hidden” and only accessible through Tor .onion and the Firefox browser. The FBI reportedly called Eric Eoin Marques “the largest facilitator of child porn on the planet” and wants to extradite the 28-year-old man. About that time, Freedom Hosting went down; Tor users discovered that someone had used a Firefox zero-day to deliver drive-by-downloads to anyone who accessed a site hosted by Freedom Hosting. Ofir David, of Israeli cybersecurity firm Cyberhat, told Krebs on Security, “Whoever is running this exploit can match any Tor user to his true Internet address, and therefore track down the Tor user.”

If you’ve never visited the Hidden Wiki, then you should be fully aware that if you do, you will see things that can never be unseen. Freedom Hosting maintained servers for “TorMail, long considered the most secure anonymous email operation online,” wrote Daily Dot. “Major hacking and fraud forums such as HackBB; large money laundering operations; and the Hidden Wiki, which, until recently, was the de facto encyclopedia of the Dark Net; and virtually all of the most popular child pornography websites on the planet.”

But if you use Tor Browser Bundle with Firefox 17, you accessed a Freedom Hosting hidden service site since August 2, and you have JavaScript enabled, then experts suggest it’s likely your machine has been compromised. In fact, E Hacking News claimed that almost half of all Tor sites have been compromised by the FBI. [my emphasis]

So what if this takedown was only secondarily about child porn, and primarily about disabling a system al Qaeda has used to carry out fairly brazen centralized communications? Once the malware was in place, the communications between al Qaeda would be useless in any case (and I could see the government doing that to undermine the current planning efforts).

The timing would all line up — and it would explain (though not excuse) why the government is boasting about compromising the communications. And it would explain why Keith Alexander gave this speech at BlackHat.

terrorists … terrorism … terrorist attacks … counterterrorism … counterterrorism … terrorists … counterterrorism … terrorist organizations … terrorist activities … terrorist … terrorist activities … counterterrorism nexus … terrorist actor … terrorist? … terrorism … terrorist … terrorists … imminent terrorist attack … terrorist … terrorist-related actor … another terrorist … terrorist-related activities … terrorist activities … stopping terrorism … future terrorist attacks … terrorist plots … terrorist associations

[snip]

Sitting among you are people who mean us harm

Just one thing doesn’t make sense.

Once NSA/FBI compromised Tor, they’d have a way to identify the location of users. That might explain the uptick in drone strikes in Yemen in the last 12 days. But why would you both alert Tor users and — with this leak — Al Qaeda that you had broken the system and could ID their location? Why not roll up the network first, and then take down the Irish child porn guy who is the likely target?

I’m not sure I understand the Tor exploit well enough to say, but the timing does line up remarkably well.

Update: Some re-evaluation of what really happened with the exploit.

Researchers who claimed they found a link between the Internet addresses used as part of malware that attacked Freedom Hosting’s “hidden service” websites last week and the National Security Agency (NSA) have backed off substantially from their original assertions. After the findings were criticized by others who analyzed Domain Name System (DNS) and American Registry for Internet Numbers (ARIN) data associated with the addresses in question, Baneki Privacy Labs and Cryptocloud admitted that analysis of the ownership of the IP addresses was flawed. However, they believe the data that they used to make the connection between the address and the NSA may have changed between their first observation.

Update: On Twitter, Lake clarifies that this conference call was not telephone-based communications.

Who Will the Government Scapegoat Now on the Wuhayshi Leak?

Yesterday, I noted that McClatchy, the first outlet to publish (though probably not the first outlet to get the leak) the news that the big terror alert stems from an intercepted communication between Ayman al-Zawahiri and Nasir al-Wuhayshi, clearly labeled its source as a Yemeni official.

HuffPo not only confirmed this, but got McClatchy’s editor James Asher to provide a little lesson in journalism.

Our story was based on reporting in Yemen and we did not contact the administration to ask permission to use the information. In fact, our reporter tells me that the intercept was pretty much common knowledge in Yemen.
On your larger question about the administration’s request, I’m not surprised. It is not unusual for CNN or the NYT to agree not to publish something because the White House asked them. And frankly, our Democracy isn’t well served when journalists agree to censor their work.

As I’ve told our readers in the past: McClatchy journalists will report fairly and independently. We will not make deals with those in power, regardless of party or philosophy.

Now, predictably, some of the same people who generated the outrage over UndieBomb 2.0 have squawked about the danger of this leak (which, if it is what has been described, must be damaging).

“I’m very worried about leaks to the media of classified information because it warns the enemy,” Sen. John McCain, R-Ariz., told Ward. “That’ll be the last intercept of that kind, of means of communication that we intercept.”

Added Sen. Lindsey Graham, R-S.C., “If we compromise our ability to find out what these guys are up to and stop them before they act, we’ll pay a heavy price. They’re not deterred by dying. They embrace dying. They just want to take me and you with ’em.”

Frankly, McCain and Lindsey are right this time around. This feels like a politicized leak, and if the underlying intelligence was what the reports say, it may well badly damage our legitimate SIGINT efforts.

All that said, I confess I popped a little popcorn when I read this last night. Because it’s clear the Yemenis weren’t the only ones leaking like a sieve. Someone in the Administration (NYT’s sources)  It’ll be hard for the Administration to target McClatchy given that they’ve already made clear where their source is (though I can’t help to suspect McClatchy’s sharp response to relates to the reported treatment of McClatchy freelancer Jon Stephenson). So who are they going to scapegoat this time?

Was It NSA or a Yemeni “Ally” Leaking the “Clear Orders” from Zawahiri to Wuhayshi?

Apparently, it wasn’t enough for someone to leak this information to the NYT (which said that it withheld some information at the request from the government).

The United States intercepted electronic communications this week among senior operatives of Al Qaeda, in which the terrorists discussed attacks against American interests in the Middle East and North Africa, American officials said Friday.

The intercepts and a subsequent analysis of them by American intelligence agencies prompted the United States to issue an unusual global travel alert to American citizens on Friday, warning of the potential for terrorist attacks by operatives of Al Qaeda and their associates beginning Sunday through the end of August.

Then someone apparently in Sanaa leaked this to McClatchy.

An official who’d been briefed on the matter in Sanaa, the Yemeni capital, told McClatchy that the embassy closings and travel advisory were the result of an intercepted communication between Nasir al-Wuhayshi, the head of the Yemen-based Al Qaida in the Arabian Peninsula, and al Qaida leader Ayman al Zawahiri in which Zawahiri gave “clear orders” to al-Wuhaysi, who was recently named al Qaida’s general manager, to carry out an attack.

The official, however, said he could not divulge details of the plot. AQAP’s last major attack in Sanaa took place in May 2012 when a suicide bomber killed more than 100 military cadets at a rehearsal for a military parade. [my emphasis]

Which the WaPo has now reported too.

Al-Qaeda leader Ayman al-Zawahiri ordered the head of the terrorist group’s Yemen affiliate to carry out an attack, according to intercepted communications that have led to the closure of U.S. embassies and a global travel alert, said a person briefed on the case.

In one communication, Zawahiri, who succeeded Osama bin Laden, gave “clear orders” to Nasir al-Wuhayshi, the founder of al-Qaeda in the Arabian Peninsula, to undertake an attack, the source said. McClatchy newspapers first reported the exchange on Sunday. [my emphasis]

In a follow-up story, McClatchy attributes their information to a Yemeni official.

U.S. officials have been secretive about what precise information led to the worldwide travel advisory and embassy closings, but a Yemeni official told McClatchy on Sunday that authorities had intercepted “clear orders” from al Qaida leader Ayman Zawahiri to Nasir al Wuhayshi, the head of the affiliate in Yemen, to carry out an attack.

Remember, Saudis and Yemeni sources have a well-established history of leaking sensitive intelligence about our thwarted plots. But in this case, the original source (to the NYT) seems to be American, with a Yemeni first providing the really remarkable level of detail.

And thus far, no one from the government has called for the NYT, McClatchy, and WaPo sources to be jailed. How … telling.

Perhaps just as interesting, the US has used a C-17 to evacuate what State is calling emergency personnel from Yemen.

Pentagon officials said a U.S. Air Force C-17 transport plane carrying some American government personnel had taken off from Yemen. They said the State Department had ordered non-essential personnel to leave the country.

An unknown number of U.S. Embassy personnel remain in Sanaa.

Pentagon Press Secretary George Little said the Defense Department “continues to have personnel on the ground in Yemen to support the U.S. State Department and monitor the security situation.”

But someone wants Andrea Mitchell not to report this as an evacuation; whatever it is, almost 100 people have been, um, evacuated.

Are these “emergency personnel” people whose identity has been leaked?

Now, as a threshold level, the news that the US has collections of whatever presumably well-protected communication channel exist(ed) between Zawahiri and Wuhayshi sure seems to undermine government claims that Edward Snowden has ruined their collections, given that two of our very sharpest targets are still using communications accessible to US targeting.

Consider one more thing. If our collections are that good that we have a bead on either Zawahiri or Wuhayshi, why don’t we have their location?

We’ve launched 4 drone strikes in 10 days in Yemen. If we did have means of intercepting Wuhayshi’s communications and are clearly on a drone strike binge, then what does it mean that sources — including at least one Yemeni official — are leaking news that we have those intercepts?

Update: And here’s Michael Hayden, who for weeks has been arguing that Edward Snowden should be made an example of, suggesting this alert is good because it lets the bad guys know we’re onto them.

“The announcement itself may also be designed to interrupt Al Qaeda planning, to put them off stride,” Michael V. Hayden, a former C.I.A. director, said on “Fox News Sunday.” “To put them on the back foot, to let them know that we’re alert and that we’re on at least to a portion of this plotline.”