TERROR ATTACKS IN PARIS AND BRUSSELS: Going after the masterminds (1)

By Patrick BAHZAD

Capture - Copy Five months ago, Paris was hit by a series of simultaneous terror attacks the likes of which it had not seen before. Initial reactions by the French government were characterized by a long forgotten belligerent tone, which probably also bore testimony to the disbelief of the French people at the sight of these attacks in the nation's capital. France had entered a new phase in the struggle against Jihadi terrorism, just as Brussels would a few months later in a follow-up attack. The West has no choice but to brace itself for this type of events. In Europe, but also in the US, despite better protection through natural as well as man-made defences.

For now though, we must go after the individuals who were behind the attacks, even if they are hidden in some shadowy basement somewhere in the Middle-East. Getting to them however will not be an easy task and will involve more than just following up on the bread crums left by the footsoldiers who were sent to do the dirty work. Understanding how things got to the point we're at today, is also part of the process. That is the rationale for this piece, which will look into lessons that can already be taken from what happened and analyse what kind of threats are out there, before turning to the individuals who might possibly have ordered the attacks and for what purpose.

Arrests were made, but this is far from over

In truth, a number of people involved in these gruesome killings were already taken into custody and charged, particularly the much talked about Salah Abdelslam, brother to one of the Paris suicide bombers and driver to three men who blew themselves up outside the “Stade de France”. Considered a crucial piece in the European terror puzzle, Abdelslam managed to avoid capture for almost four months, before being arrested by Belgian police in March 2016, in what seems to have triggered his accomplices’ decision to organise the Brussels bombings.

Contrary to what many headlines suggest however, it’s highly unlikely that he’s anything like a ringleader or logistics expert. He may still hold some vital information nonetheless, in so far as he stood at the junction between various cells within the IS network. And while Abdelslam’s role as well as other aspects of the ongoing investigations were widely publicized, in particular the alleged use of encryption tools by the terrorists, other pieces of information have gone mostly unnoticed, even though they have much further reaching implications.

In the last two weeks however, a couple of articles and open source pieces were published that give some insight into the search for the real “masterminds” behind the Paris attacks. The Jamestown Foundation for example published an interesting piece about the men who pulled the strings ("Recent Attacks Illuminate IS' Europe Network"). So has French Intel newsletter “TTU” ("Abou Souleiman: l'émir français de Daech").

However incomplete and fragmentary, these pieces are asking the right questions and provide some good insights. Of particular interest is the role allegedly played by a French national in the planning and organisation of the attacks, a man whose executive position in the "Islamic State" would be quite uncommon for a European. But before getting there, it's important to look into how IS terror developed over the past years and what can be already be learnt from the recent attacks.

  From “lone gunman” incidents to mass-casualty attacks

The debate about IS influenced, inspired or planned attacks has been going on now ever since the first “lone gunmen” incidents took place on mainland Europe. Up until the Paris November attacks, this syndrome seemed to be the trademark of a renewed Islamic terrorism wave that swept across Western Europe after 2012, when French-Algerian Mohamed Merah killed 7 people in South-Western France. Merah was shot dead by French SWAT, but his case still isn’t closed and it would probably not be surprising if further evidence pointing to accomplices in the Middle-East was turned in at some point in the future.

Other attacks carried out by what looked like isolated individuals were thwarted by security forces and intelligence agencies in Europe, France in particular. One of the first and most overlooked incidents took place in September 2012, a few months only after the Mohamed Merah case, when unknown attackers threw a live grenade into a kosher grocery in a Paris suburb. This will sound most familiar to those still aware of the Paris attacks of January 2015, when Amedy Coulibaly, an ex-gangster turned Islamic radical gunned down four customers in another kosher supermarket on the outskirts of Paris, before being taken out by French SWAT. In September 2012 however, only one person was slightly wounded by the grenade and police managed to quickly arrest the group responsible for the attack, its leader also going down in a shootout with French police. Then, in February 2014, Syria returnee Ibrahim Boudina was arrested for a terror plot aimed at the Nice carnival, in South-Eastern France. Boudina had already managed to produce 3 kilograms of TATP explosive, enough to wreak havoc at an event attracting large crowds, very much like the Tsarnaev brothers had done during the Boston marathon. Five months only after Boudina, came Mohamed Ouharani, again a Syria returnee who had been trained by ISIS. Ouharani was planning to bomb Shia mosques or places of worship, but was on French law enforcement’s radar and was arrested in July 2014 before getting a chance to do anything.

As the war in Syria dragged on, the number of cases similar to those of Boudina and Ouharani started increasing significantly, gradually overstretching the resources and capabilities of European intelligence agencies, which also were not very well organised to cope with such an onslaught. Inevitably, some people would manage to pull off an attack. And what had to happen finally did in May 2014, in what should have been a wake-up call to Belgian law enforcement, when Brussels’ Jewish Museum was the scene of a heinous crime that left four people dead. Mehdi Nemmouche, the perpetrator of the attack, was of course also a returnee from the Syrian Jihad.

There were others still. Some known, others not so much. Some cooperated and provided law enforcement with useful intelligence, like Nicolas Moreau for example or Reda Hame, ex-ISIS members arrested upon their return to France. Both men gave chilling accounts of what the “Islamic State” and some of its French and Belgian members were up to regarding Europe. At the time of their statements however, nobody would have acknowledged the notion that mass casualty attacks were coming our way.

2014 as a turning point

In hindsight, looking at patterns in the development of Jihadi attacks, there is no denying that the year 2014 definitely marked a turning point. The long held theory according to which the most dangerous individuals were not the “foreign fighters” coming back home, but the Islamic "lone wolf" radicals who had never left European territory, turned out to be a fallacy. And what had become clear in 2014 was definitely confirmed in 2015, which continued the previous trend, on a larger and bloodier scale. Strangely, the Paris attacks of January 2015 stand out as an exception to that rule, given that none of the three men involved had fought in the Middle-East, even if two of them went through an AQAP training camp in 2011, maybe even earlier.

The year 2015, which started in such bloody fashion at the “Charlie Hebdo” newspaper, was marked by an ever increasing number of arrests and attempted attacks and plots, some of them failing only because of the sheer incompetence of the would-be terrorist, or the courage of an unlikely bystander. Significantly however, a few days after the January 2015 killings in Paris, Belgian police took out a genuine IS cell the city of Verviers. A small group had come back from Syria and was getting ready for a string of attacks against Belgian law enforcement and courts, under the operational command of a man who would epitomise IS’ commitment at carrying out large scale attacks against Europe.

Abdelhamid Abaaoud, the ringleader of the Paris November 2015 attacks, had organised the Verviers cell from a safe house in Athens. Wiretaps, in particular on his brother’s phone, leave no doubt as to his involvement in the Verviers plot. Unfortunately, he managed to leave his hideout in Greece before local police could get to him. But what intelligence agencies had feared all along finally happened in November 2015 on the streets of Paris, when eight IS terrorists killed over 130 people in the first mass-casualty attack on European soil since London 2004.

Coincidences that are anything but …

That night of November 2015 however marked a quantum leap in terms of organisation and sophistication. As public opinion had obviously figured out by then, the attack was not the work of some off balance self-radicalized individuals, not even of isolated groups. There was logic to it, and that logic came from the organisation that influenced, planned and directed the operation, as well as a number of foiled plots before.

Even in cases where a single individual carried out what is typically called a “lone wolf” attack, plenty of evidence now suggests or proves that there were men in the background pulling the strings, helping out with finances, giving advice, providing safe houses or getting weapons and explosives. Sometimes, the trail is quite thin, bordering on coincidences, but taken all together, there’s a lot of coincidences to answer for.

Ayoub el-Khazzani for example, the would be shooter of the Thalys train in August 2015, lived in a flat in the Molenbeek district of Brussels, next door to the hair-salon of Mohamed Abrini, one of the members of the cell which attacked Paris in November 2015 and Brussels in March  2016. Another failed terrorist, Algerian Sid Ahmed Ghlam, chose to rent a place only two streets away from where the attackers of the “Charlie Hebdo” newspaper were living in 2013. Circumstantial of course, but it gets better in some cases.

The Molenbeek house in which Salah Abdelslam was finally arrested belongs to a family which has sent three of its sons to fight in Syria. Two female members of that family, in their 50s already, were recently convicted of terrorism related charges and sentenced to long jail terms for their involvement in a Jihadi recruitment network in Brussels, probably one of the largest in mainland Europe.

And the killer of the Brussels Museum, Mehdi Nemmouche, was a close associate of Verviers and Paris ringleader Abdelhamid Abaaoud during his time in Syria. Taken as a whole, the matrix of personal links, communication patterns and other connections between the individuals involved makes for an ever growing spider-web, the final size of which is hard to determine at this point.


Analysis of the terrorists’ communications provides for a complementary and consistent picture. In many cases, it was documented that some form of communication existed between the attackers in Europe and some shadowy figures in the Middle-East. In that regard, much of the discussion in the US seems to have focused on whether or not the terrorists used encryption. This point certainly needs to be investigated, considering in particular what has emerged from the Paris November attacks.

Possibly, encryption tools (TrueCrypt or VeraCrypt) as well as other protocols (PGP) may have been used, in addition to the much vaunted Telegram messaging app, but as often before, the most efficient way to proceed seems to have been to “hide in plain sight” or to go for the “low tech, high concept” option.

Hyping up some pieces of the COMSEC puzzle in the way the New York Times has been doing lately is not necessarily going to help solve the riddle. It’s true though, some members of the Brussels cell may have uploaded encrypted files on a file storing site, allowing for their handlers in Raqqa or Mosul to use their logins and passwords to access their files, but what is much more significant is the fact that the terrorists would rather go for simple, easy to implement solutions rather than communication protocols that must have felt like NASA technology to some of their barely literate operatives.

Effective alternatives

In Paris, on November 13th 2015, the terrorists communicated with their Brussels associates using brand new burner phones, throwing them away after a couple of calls or text messages. They had stored dozens of these phones in their safe house in a Paris suburb. Or they used some of their hostages’ phones … What simpler way to get access to a phone that can’t be traced back to you?

In other instances, terrorists also used legal and simple, but very effective ways at covering their tracks. More than a year has passed since the January 2015 attacks and French IT specialists are still trying to work out who the perpetrators may have been in touch with over the phone or the Internet. They are focusing in particular on Amedy Coulibaly, the killer of the Kosher Supermarket. Coulibaly had exchanged unencrypted text messages with an anonymous figure in Syria who had given him instructions on how to proceed with his attacks.

Moreover, a couple of days after his death at the hands of French SWAT units, a video testament of Coulibaly surfaced on DailyMotion. The vid, in which Coulibaly pledged allegiance to IS, was uploaded using an IP address located in Texas. Needless to say, this came quite as a surprise to French investigators. Due to complexities of investigations into international terrorism, as well as a decent amount of red tape and jurisdiction issues, it took about eight months to work out what had happened.

The Texas IP address belonged to a tech company which had “sold” it to an IT company in Egypt. That IT company in turn had apparently sublet the same address to some other entity, based in Syria. But better still, the email account used to upload the Coulibaly video testament was one of those temporary/disposable accounts that go into self-destruct mode after an hour of use, leaving (almost) no traces and erasing anything that has been handled through that account. Who needs encryption, when being crafty and imaginative is enough most of the time!

HUMINT as an indispensable corollary

As recently exemplified by the conundrum about the San Bernardino shooters’ iPhone, going full speed ahead with the encryption argument in terrorism related cases may not be the best way to proceed. And in truth, the best evidence French and Belgian law enforcement managed to dig up in their investigations came from human sources: IS suspects willing to give away attack plans being made out of Raqqa, the Caliphate’s capital in Syria, informants infiltrated by allied intelligence agencies into the Jihadi organisation, or plain and simple citizens deciding to share crucial information about the whereabouts of a wanted man, like Abdelhamid Abaaoud, who was probably prevented from carrying out another mass-attack in Paris by a young woman who got word of his hideout.

Leads and solid evidence were also provided by IS defectors, although their testimony has to be taken with much more caution, as the “Islamic State” is customary to the use of double-agents and the organisation of Stasi-style disinformation operations. Credibility of such testimony needs to be monitored and evaluated closely, in order to properly analyse its value and turn it into actionable intelligence.

This is where piecing together the different types and sources of information provides for a “big picture” regarding the overall context and actual masterminds of IS of attacks against the West and Europe in particular. What emerges is the notion of a gradual shift in IS’ strategy towards the West. As they prepared to take over large parts of Northern Iraq and Eastern Syria, their leadership probably realized this might not go down too well with Western powers, mainly the US but also their allies in Europe, which were a much easier target.

Emergence of IS “foreign operations” division

In a period (late 2013 to late 2014) when their propaganda machine put a lot of emphasis on their State-like nature, parts of the IS security apparatus started drawing up contingency plans for “external operations” reaching out into the depth of enemy territory, i.e. as far as Paris, Brussels, and other European – or possibly US – cities. This is the context in which the men who organised the Paris attacks gradually reached executive positions within “Al-Maktab Al-Amni” (literally, security office or directorate), under the control of the most senior Syrian national within IS, Muhamad al-Adnani, a long time member and former close associate of AQI leader Abu Musab al-Zarqawi.

In addition to being IS’ spokesman, formally in charge of their media policy, Adnani built a security apparatus in his native Syria that would gradually reach further and further away from is home base as the Islamic State’s grip on its territory grew stronger. A number of European “foreign fighters” came to work in one of the Amniyat divisions. It’s among these men that one has to look for the individual, or rather the individuals who were put in charge of the Paris operation. Some of them, like Abaaoud, took charge of operational command on the ground. Others, like bombmaker Laachraoui, who finally blew himself up at Brussels airport in March, lead the logistics team put in place to support the operatives carrying out the actual attack.

But higher up the foodchain, some men still remain in the dark. There are only a small number of “suspects” who fit the profile however. Funny enough, if you can call this funny, those men bring back ghosts of the past, memories of the Iraqi Jihad when another (smaller) wave of European Jihadis joined AQI and Abu Musab al-Zarqawi. Some of these men fought in Fallujah in 2004, some were detained in Bucca. Others managed the logistics and the inflow of fighters from safe houses in Syria, for a time a meeting point and transit area for those who wanted to join in the fight against the Americans.

It’s probably in those places, in Fallujah, Bucca, Damascus and Hama, that the “masterminds” of the current IS terror wave first made contact with the organisation. It would be quite ironic, in a bit of a twisted way, if we had gone full circle from Anbar province or Hama countryside in 2006, all the way to the present day, to find the same men again at the forefront of the European Jihadi movement.

This entry was posted in France, Intelligence, Middle East, Syria. Bookmark the permalink.

14 Responses to TERROR ATTACKS IN PARIS AND BRUSSELS: Going after the masterminds (1)

  1. F5F5F5 says:

    Very good piece.
    I think the first case of “returnees” was the “Gang de Roubaix” in 96.
    The group was started by two recent converts who had been in a djihadi militia in Bosnia. The head organizer was based in Montreal.
    One thing to note is that more and more often the attackers are actual brothers, or close relatives. Family is probably the toughest network to crack.

  2. True, the Roubaix gang (from the same city as Mehdi Nemmouche, the killer of the Jewish Museum in Brussels) should have been seen as a “writing on the wall”. They combined many of the features we now see displayed by a growing number of young men (and women): more or less self-radicalized, converts and ex-Jihad fighters coming back from a bloody civil war.
    The only thing they didn’t pull off, was a successful terror attack, which is probably why this lesson wasn’t learned properly. But they went down guns blazing when police stormed their safe house. None of them surrendered and they died in the burning building.
    Regarding family links, indeed, Jihad and radical Islam is often a family enterprise, as exemplified by numerous cases going as far back to that period of 2004-2006, which is a defining moment for the up-coming generation of European IS executives.

  3. LeaNder says:

    Thanks, Patrick. As always great work. Although is is the case in the larger field of organized crime pretty hard to wrap ones head around. Not least concerning surfacing actors and their names.
    Without doubt the Jewish Museum in Bruxelles and more low profile earlier events in France should have been on my mind in your earliest encounters here.*
    Encryption, my dear, on the surface without deep reflection it reminds me of earlier suggestions, like: couldn’t the bad guys possibly use images to hide their messages. To ignore earlier encounters in search of solving IT problems that for whatever reason remain on my mind.
    * mainly and yes OT, from a slightly more abstract position, admittedly. Whoever around here (Castillo?) sent me back to Mondoweiss more recently. And strictly I think Norman Finkelstein is an interesting case in the larger Lobby debate. First struggling against “the lobby” more precisely “the Dersh” and later with political activist circles, some around here like to tag with “Cultural Marxists”. To the extend the former did not quite manage to push him off the scene the latter accomplished:
    I am pretty sure that the ones with more military expertise then I have, may well challenge him on certain points:

  4. bth says:

    Patrick thank you for this extraordinary analysis.
    Are the methods of a drug cartel much different for say communications or logistical support?

  5. Charles Michael says:

    If my memory is correct the “Gang de Roubaix” was more in violent hold-up on Super Market. This could indicate that those days foreign financing was scarce.
    And yes since the catastrophic Balkans wars France has been flooded by AK47, many smuggled by lorries. Thanks to the EU rules the Balkan lorry drivers are cheaper.

  6. Barish says:

    PB, thanks for the insightful piece.
    To add to attacks smaller in scale, yet conspicuously ‘overlooked’, one happened in Germany earlier this month, on April 16:
    “Anschlag auf Sikh-Tempel in Essen: Polizei nimmt zwischenzeitlich weiteren Verdächtigen in Gewahrsam
    Freitag, 22.04.2016 – 10:05 Uhr”
    “Attack on Sikh-Temple in Essen: meanwhile, police take another suspect into custody.
    Friday, 04/22/2016”
    Details about the suspects are given thus by SPON:
    “Für den Anschlag sollen Yussuf T., 16, aus Gelsenkirchen und Mohammed B., 16, aus Essen, verantwortlich sein ; die beiden werden der salafistischen Szene Nordrhein-Westfalens zugerechnet. Sie sitzen in Untersuchungshaft und haben den Anschlag nach offiziellen Angaben teilweise eingeräumt. Nach Informationen von SPIEGEL ONLINE bestritten sie jedoch eine Tötungsabsicht. Sie hätten aus Übermut gehandelt und gedacht, das Gebäude sei leer.”
    “Those responsible for the attack are said to be Yussuf T., 16, from Gelsenkirchen and Mohammed B., 16, from Essen; both of them are counted among the Salafist scene of North-Rhine Westphalia [federal state of Germany]. They are in investigative custody and in part conceded having carried out the attack. According to information by SPIEGEL ONLINE they refuted any intention to kill. They would have acted out of mischief and thought that the building was empty.”
    That latter bit…yeah right. About the damage done by these two never-do-wells, this info is given at the end:
    “Am Samstag war vor dem Tempel eine selbstgebaute Bombe detoniert und hatte während einer indischen Hochzeit drei Menschen verletzt, einen von ihnen schwer. Die Polizei spricht von einem Terrorakt . Polizeipräsident Frank Richter sagte: “Die Beschuldigten haben klare Bezüge zur Terrorszene .”
    “On Saturday, a home-made bomb detonated in front of the temple wounding three people attending an Indian wedding, one of them critically. The police calls this a terrorist act. “The suspects have clear links to the terrorist scene”, chief of police Frank Richter said.”
    What’s perplexing about this entire incident is that, mostly, news coverage on it has been absent on a wider scale. Because there’s more to these two punks, as it happens:
    “Mutmaßliche Bombenleger sind IS-Sympathisanten
    Die jungen Männer, die den Anschlag auf ein Sikh-Zentrum in Essen verübt haben sollen, sympathisieren mit der Terrormiliz Islamischer Staat. Die Jugendlichen geben jedoch ein anderes Tatmotiv an.”
    “Suspected bombers are IS-sympathizers
    The young men who are said to have carried out an attack on the Sikh-centre in Essen sympathize with the terrorist militia “Islamic State”. The youths, however, state another motive for the deed.”
    Which is a repetition, basically, of the incredulous claim that they were just “boys being boys” and couldn’t possibly have noticed that there was a wedding ceremony inside.

  7. They were a kind of prototype group of what was to come, mixing violent crime with poorly implemented and failed terror attacks. Could have happened differently though, sometimes it doesn’t take much for things to get real ugly.

  8. with drug cartels being a very elaborate form of organized crime and domestic terrorists having sometimes a similar background, as former gang members for example, you might argue that they could rely on similar types of support, just as exemplified in the case of the Brussels fugitives. They got help from their buddies, family members and sympathizers to their cause.
    Regarding communications, the principles of covering your tracks apply to any illegal activity, the more illegal and dangerous, the more it’s necessary.
    That being said, I’m not saying terrorism is a form of organised crime, don’t get me wrong on that.

  9. Yes I am aware of that one and there was a 15 year old female teenager in Hannover who almost stabbed to death a LE officer a couple of months back.
    You can throw in the recent arrests made in Bremen, where Germany’s ex-top AQ recruiters was taken into custody in a case of attempted murder of rival Salafis.
    That was this week.

  10. LeaNder says:

    sorry, Patrick. When using the term it wasn’t my intention to send members of the SST community onto wrong tracks.
    What I was reminded of though were my struggles in dealing with the multitude of names and links in exactly the type of studies in the field bth refers to. And slightly less of the mistaken identities based on fast assumptions concerning names. It felt at the time, at least in some cases. Seems they have learned by now, at least to the extend I followed matters then, by using additionally some type ‘noms de guerre’.

  11. Charles Michael says:

    Yes, completly agreed and you did a very good piece of information;
    waiting for the second part.
    incidentaly, on RT flash just now: 2 brits arrested for financing the Brussels terrorists about 4.500 €

  12. turcopolier says:

    Well, you just have to keep on struggling to catch up. We are not going to dumb SST down for you. pl

  13. LeaNder says:

    You don’t need to. But I will interpret this as: please stop your mental meanderings. 😉
    Strictly I am pretty aware that you may have at times expanded your level of tolerance concerning my cluttering threads way beyond your usual “red lines”. 😉 And yes, I should respect that a lot more and try to somewhat better control my mental meanderings. Transcription: Simplistic dot connections by a nitwit?

  14. Y says:

    Good article.
    Additional point – worth remembering that there was an AQI/ISI link to the 2007 SVBIED Glasgow Airport Attack (the same team also left a car bomb in London).
    The attacker who survived was an Anglo-Iraqi doctor who qualified in Baghdad and reportedly had links to AQI. Abu Hamza al-Muhajir later claimed the attack in an al-Furqan audio (24.10.2008) as well as claiming another attack in the UK was foiled.
    As ever, little is new – most all the people arrested afterwards were relatives.

Comments are closed.