By Patrick BAHZAD
Five months ago, Paris was hit by a series of simultaneous terror attacks the likes of which it had not seen before. Initial reactions by the French government were characterized by a long forgotten belligerent tone, which probably also bore testimony to the disbelief of the French people at the sight of these attacks in the nation's capital. France had entered a new phase in the struggle against Jihadi terrorism, just as Brussels would a few months later in a follow-up attack. The West has no choice but to brace itself for this type of events. In Europe, but also in the US, despite better protection through natural as well as man-made defences.
For now though, we must go after the individuals who were behind the attacks, even if they are hidden in some shadowy basement somewhere in the Middle-East. Getting to them however will not be an easy task and will involve more than just following up on the bread crums left by the footsoldiers who were sent to do the dirty work. Understanding how things got to the point we're at today, is also part of the process. That is the rationale for this piece, which will look into lessons that can already be taken from what happened and analyse what kind of threats are out there, before turning to the individuals who might possibly have ordered the attacks and for what purpose.
Arrests were made, but this is far from over
In truth, a number of people involved in these gruesome killings were already taken into custody and charged, particularly the much talked about Salah Abdelslam, brother to one of the Paris suicide bombers and driver to three men who blew themselves up outside the “Stade de France”. Considered a crucial piece in the European terror puzzle, Abdelslam managed to avoid capture for almost four months, before being arrested by Belgian police in March 2016, in what seems to have triggered his accomplices’ decision to organise the Brussels bombings.
Contrary to what many headlines suggest however, it’s highly unlikely that he’s anything like a ringleader or logistics expert. He may still hold some vital information nonetheless, in so far as he stood at the junction between various cells within the IS network. And while Abdelslam’s role as well as other aspects of the ongoing investigations were widely publicized, in particular the alleged use of encryption tools by the terrorists, other pieces of information have gone mostly unnoticed, even though they have much further reaching implications.
In the last two weeks however, a couple of articles and open source pieces were published that give some insight into the search for the real “masterminds” behind the Paris attacks. The Jamestown Foundation for example published an interesting piece about the men who pulled the strings ("Recent Attacks Illuminate IS' Europe Network"). So has French Intel newsletter “TTU” ("Abou Souleiman: l'émir français de Daech").
However incomplete and fragmentary, these pieces are asking the right questions and provide some good insights. Of particular interest is the role allegedly played by a French national in the planning and organisation of the attacks, a man whose executive position in the "Islamic State" would be quite uncommon for a European. But before getting there, it's important to look into how IS terror developed over the past years and what can be already be learnt from the recent attacks.
From “lone gunman” incidents to mass-casualty attacks
The debate about IS influenced, inspired or planned attacks has been going on now ever since the first “lone gunmen” incidents took place on mainland Europe. Up until the Paris November attacks, this syndrome seemed to be the trademark of a renewed Islamic terrorism wave that swept across Western Europe after 2012, when French-Algerian Mohamed Merah killed 7 people in South-Western France. Merah was shot dead by French SWAT, but his case still isn’t closed and it would probably not be surprising if further evidence pointing to accomplices in the Middle-East was turned in at some point in the future.
Other attacks carried out by what looked like isolated individuals were thwarted by security forces and intelligence agencies in Europe, France in particular. One of the first and most overlooked incidents took place in September 2012, a few months only after the Mohamed Merah case, when unknown attackers threw a live grenade into a kosher grocery in a Paris suburb. This will sound most familiar to those still aware of the Paris attacks of January 2015, when Amedy Coulibaly, an ex-gangster turned Islamic radical gunned down four customers in another kosher supermarket on the outskirts of Paris, before being taken out by French SWAT. In September 2012 however, only one person was slightly wounded by the grenade and police managed to quickly arrest the group responsible for the attack, its leader also going down in a shootout with French police. Then, in February 2014, Syria returnee Ibrahim Boudina was arrested for a terror plot aimed at the Nice carnival, in South-Eastern France. Boudina had already managed to produce 3 kilograms of TATP explosive, enough to wreak havoc at an event attracting large crowds, very much like the Tsarnaev brothers had done during the Boston marathon. Five months only after Boudina, came Mohamed Ouharani, again a Syria returnee who had been trained by ISIS. Ouharani was planning to bomb Shia mosques or places of worship, but was on French law enforcement’s radar and was arrested in July 2014 before getting a chance to do anything.
As the war in Syria dragged on, the number of cases similar to those of Boudina and Ouharani started increasing significantly, gradually overstretching the resources and capabilities of European intelligence agencies, which also were not very well organised to cope with such an onslaught. Inevitably, some people would manage to pull off an attack. And what had to happen finally did in May 2014, in what should have been a wake-up call to Belgian law enforcement, when Brussels’ Jewish Museum was the scene of a heinous crime that left four people dead. Mehdi Nemmouche, the perpetrator of the attack, was of course also a returnee from the Syrian Jihad.
There were others still. Some known, others not so much. Some cooperated and provided law enforcement with useful intelligence, like Nicolas Moreau for example or Reda Hame, ex-ISIS members arrested upon their return to France. Both men gave chilling accounts of what the “Islamic State” and some of its French and Belgian members were up to regarding Europe. At the time of their statements however, nobody would have acknowledged the notion that mass casualty attacks were coming our way.
2014 as a turning point
In hindsight, looking at patterns in the development of Jihadi attacks, there is no denying that the year 2014 definitely marked a turning point. The long held theory according to which the most dangerous individuals were not the “foreign fighters” coming back home, but the Islamic "lone wolf" radicals who had never left European territory, turned out to be a fallacy. And what had become clear in 2014 was definitely confirmed in 2015, which continued the previous trend, on a larger and bloodier scale. Strangely, the Paris attacks of January 2015 stand out as an exception to that rule, given that none of the three men involved had fought in the Middle-East, even if two of them went through an AQAP training camp in 2011, maybe even earlier.
The year 2015, which started in such bloody fashion at the “Charlie Hebdo” newspaper, was marked by an ever increasing number of arrests and attempted attacks and plots, some of them failing only because of the sheer incompetence of the would-be terrorist, or the courage of an unlikely bystander. Significantly however, a few days after the January 2015 killings in Paris, Belgian police took out a genuine IS cell the city of Verviers. A small group had come back from Syria and was getting ready for a string of attacks against Belgian law enforcement and courts, under the operational command of a man who would epitomise IS’ commitment at carrying out large scale attacks against Europe.
Abdelhamid Abaaoud, the ringleader of the Paris November 2015 attacks, had organised the Verviers cell from a safe house in Athens. Wiretaps, in particular on his brother’s phone, leave no doubt as to his involvement in the Verviers plot. Unfortunately, he managed to leave his hideout in Greece before local police could get to him. But what intelligence agencies had feared all along finally happened in November 2015 on the streets of Paris, when eight IS terrorists killed over 130 people in the first mass-casualty attack on European soil since London 2004.
Coincidences that are anything but …
That night of November 2015 however marked a quantum leap in terms of organisation and sophistication. As public opinion had obviously figured out by then, the attack was not the work of some off balance self-radicalized individuals, not even of isolated groups. There was logic to it, and that logic came from the organisation that influenced, planned and directed the operation, as well as a number of foiled plots before.
Even in cases where a single individual carried out what is typically called a “lone wolf” attack, plenty of evidence now suggests or proves that there were men in the background pulling the strings, helping out with finances, giving advice, providing safe houses or getting weapons and explosives. Sometimes, the trail is quite thin, bordering on coincidences, but taken all together, there’s a lot of coincidences to answer for.
Ayoub el-Khazzani for example, the would be shooter of the Thalys train in August 2015, lived in a flat in the Molenbeek district of Brussels, next door to the hair-salon of Mohamed Abrini, one of the members of the cell which attacked Paris in November 2015 and Brussels in March 2016. Another failed terrorist, Algerian Sid Ahmed Ghlam, chose to rent a place only two streets away from where the attackers of the “Charlie Hebdo” newspaper were living in 2013. Circumstantial of course, but it gets better in some cases.
The Molenbeek house in which Salah Abdelslam was finally arrested belongs to a family which has sent three of its sons to fight in Syria. Two female members of that family, in their 50s already, were recently convicted of terrorism related charges and sentenced to long jail terms for their involvement in a Jihadi recruitment network in Brussels, probably one of the largest in mainland Europe.
And the killer of the Brussels Museum, Mehdi Nemmouche, was a close associate of Verviers and Paris ringleader Abdelhamid Abaaoud during his time in Syria. Taken as a whole, the matrix of personal links, communication patterns and other connections between the individuals involved makes for an ever growing spider-web, the final size of which is hard to determine at this point.
Analysis of the terrorists’ communications provides for a complementary and consistent picture. In many cases, it was documented that some form of communication existed between the attackers in Europe and some shadowy figures in the Middle-East. In that regard, much of the discussion in the US seems to have focused on whether or not the terrorists used encryption. This point certainly needs to be investigated, considering in particular what has emerged from the Paris November attacks.
Possibly, encryption tools (TrueCrypt or VeraCrypt) as well as other protocols (PGP) may have been used, in addition to the much vaunted Telegram messaging app, but as often before, the most efficient way to proceed seems to have been to “hide in plain sight” or to go for the “low tech, high concept” option.
Hyping up some pieces of the COMSEC puzzle in the way the New York Times has been doing lately is not necessarily going to help solve the riddle. It’s true though, some members of the Brussels cell may have uploaded encrypted files on a file storing site, allowing for their handlers in Raqqa or Mosul to use their logins and passwords to access their files, but what is much more significant is the fact that the terrorists would rather go for simple, easy to implement solutions rather than communication protocols that must have felt like NASA technology to some of their barely literate operatives.
In Paris, on November 13th 2015, the terrorists communicated with their Brussels associates using brand new burner phones, throwing them away after a couple of calls or text messages. They had stored dozens of these phones in their safe house in a Paris suburb. Or they used some of their hostages’ phones … What simpler way to get access to a phone that can’t be traced back to you?
In other instances, terrorists also used legal and simple, but very effective ways at covering their tracks. More than a year has passed since the January 2015 attacks and French IT specialists are still trying to work out who the perpetrators may have been in touch with over the phone or the Internet. They are focusing in particular on Amedy Coulibaly, the killer of the Kosher Supermarket. Coulibaly had exchanged unencrypted text messages with an anonymous figure in Syria who had given him instructions on how to proceed with his attacks.
Moreover, a couple of days after his death at the hands of French SWAT units, a video testament of Coulibaly surfaced on DailyMotion. The vid, in which Coulibaly pledged allegiance to IS, was uploaded using an IP address located in Texas. Needless to say, this came quite as a surprise to French investigators. Due to complexities of investigations into international terrorism, as well as a decent amount of red tape and jurisdiction issues, it took about eight months to work out what had happened.
The Texas IP address belonged to a tech company which had “sold” it to an IT company in Egypt. That IT company in turn had apparently sublet the same address to some other entity, based in Syria. But better still, the email account used to upload the Coulibaly video testament was one of those temporary/disposable accounts that go into self-destruct mode after an hour of use, leaving (almost) no traces and erasing anything that has been handled through that account. Who needs encryption, when being crafty and imaginative is enough most of the time!
HUMINT as an indispensable corollary
As recently exemplified by the conundrum about the San Bernardino shooters’ iPhone, going full speed ahead with the encryption argument in terrorism related cases may not be the best way to proceed. And in truth, the best evidence French and Belgian law enforcement managed to dig up in their investigations came from human sources: IS suspects willing to give away attack plans being made out of Raqqa, the Caliphate’s capital in Syria, informants infiltrated by allied intelligence agencies into the Jihadi organisation, or plain and simple citizens deciding to share crucial information about the whereabouts of a wanted man, like Abdelhamid Abaaoud, who was probably prevented from carrying out another mass-attack in Paris by a young woman who got word of his hideout.
Leads and solid evidence were also provided by IS defectors, although their testimony has to be taken with much more caution, as the “Islamic State” is customary to the use of double-agents and the organisation of Stasi-style disinformation operations. Credibility of such testimony needs to be monitored and evaluated closely, in order to properly analyse its value and turn it into actionable intelligence.
This is where piecing together the different types and sources of information provides for a “big picture” regarding the overall context and actual masterminds of IS of attacks against the West and Europe in particular. What emerges is the notion of a gradual shift in IS’ strategy towards the West. As they prepared to take over large parts of Northern Iraq and Eastern Syria, their leadership probably realized this might not go down too well with Western powers, mainly the US but also their allies in Europe, which were a much easier target.
Emergence of IS “foreign operations” division
In a period (late 2013 to late 2014) when their propaganda machine put a lot of emphasis on their State-like nature, parts of the IS security apparatus started drawing up contingency plans for “external operations” reaching out into the depth of enemy territory, i.e. as far as Paris, Brussels, and other European – or possibly US – cities. This is the context in which the men who organised the Paris attacks gradually reached executive positions within “Al-Maktab Al-Amni” (literally, security office or directorate), under the control of the most senior Syrian national within IS, Muhamad al-Adnani, a long time member and former close associate of AQI leader Abu Musab al-Zarqawi.
In addition to being IS’ spokesman, formally in charge of their media policy, Adnani built a security apparatus in his native Syria that would gradually reach further and further away from is home base as the Islamic State’s grip on its territory grew stronger. A number of European “foreign fighters” came to work in one of the Amniyat divisions. It’s among these men that one has to look for the individual, or rather the individuals who were put in charge of the Paris operation. Some of them, like Abaaoud, took charge of operational command on the ground. Others, like bombmaker Laachraoui, who finally blew himself up at Brussels airport in March, lead the logistics team put in place to support the operatives carrying out the actual attack.
But higher up the foodchain, some men still remain in the dark. There are only a small number of “suspects” who fit the profile however. Funny enough, if you can call this funny, those men bring back ghosts of the past, memories of the Iraqi Jihad when another (smaller) wave of European Jihadis joined AQI and Abu Musab al-Zarqawi. Some of these men fought in Fallujah in 2004, some were detained in Bucca. Others managed the logistics and the inflow of fighters from safe houses in Syria, for a time a meeting point and transit area for those who wanted to join in the fight against the Americans.
It’s probably in those places, in Fallujah, Bucca, Damascus and Hama, that the “masterminds” of the current IS terror wave first made contact with the organisation. It would be quite ironic, in a bit of a twisted way, if we had gone full circle from Anbar province or Hama countryside in 2006, all the way to the present day, to find the same men again at the forefront of the European Jihadi movement.