On the Internet, Zarrar Shah (above) searched for Sun Tzu’s Art of War, previous terror strikes in India and weather forecasts in the Arabian Sea. (Illustration: C R Sasikumar)
US, British and Indian intelligence had piles of data on Zarrar Shah and the assault team, their activities and plans, but failed to pull together the strands that might have stopped them, show documents leaked by Edward Snowden.
By: JAMES GLANZ, SEBASTIAN ROTELLA & DAVID E SANGER
In the fall of 2008, a 30-year-old computer expert named Zarrar Shah roamed from outposts in the northern mountains of Pakistan to safe houses near the Arabian Sea, plotting mayhem in Mumbai, India’s commercial gem.
Shah, the technology chief of Lashkar-e-Toiba, and fellow conspirators used Google Earth to show militants the routes to their targets in the city. He set up an Internet phone system to disguise his location by routing his calls through New Jersey. Shortly before an assault that would kill 166 people, Shah searched online for a Jewish hostel and two luxury hotels, all sites of the eventual carnage.
But he did not know that by September, the British were spying on many of his online activities, tracking his Internet searches and messages, according to former American and Indian officials and classified documents disclosed by Edward J Snowden, the former National Security Agency contractor.
Shah drew similar scrutiny from an Indian intelligence agency, according to a former official briefed on the operation. The United States was unaware of the two agencies’ efforts, American officials say, but had picked up signs of a plot through other electronic and human sources, and warned Indian security officials several times in the months before the attack.
What happened next may rank among the most devastating near-misses in the history of spycraft. The intelligence agencies of the three nations did not pull together all the strands gathered by their high-tech surveillance and other tools, which might have allowed them to disrupt a terror strike so scarring that it is often called India’s 9/11.
“No one put together the whole picture,” said Shivshankar Menon, who was India’s foreign secretary at the time of the attacks and later became the National Security Adviser. “Not the Americans, not the Brits, not the Indians.”
Menon, now retired, recalled that “only once the shooting started did everyone share” what they had, largely in meetings between British and Indian officials, and then “the picture instantly came into focus”.
The British had access to a trove of data from Shah’s communications, but contend that the information was not specific enough to detect the threat. The Indians did not home in on the plot even with the alerts from the United States.
Clues slipped by the Americans as well. David Coleman Headley, a Pakistani-American who scouted targets in Mumbai, exchanged incriminating emails with plotters that went unnoticed until shortly before his arrest in Chicago in late 2009. United States counterterrorism agencies did not pursue reports from his unhappy wife, who told American officials long before the killings began that he was a Pakistani terrorist conducting mysterious missions in Mumbai.
That hidden history of the Mumbai attacks reveals the vulnerability as well as the strengths of computer surveillance and intercepts as a counterterrorism weapon, an investigation by The New York Times, ProPublica and the PBS series Frontline has found.
“We didn’t see it coming,” a former senior United States intelligence official said. “We were focused on many other things — al-Qaeda, the Taliban, Pakistan’s nuclear weapons, the Iranians. It’s not that things were missed — they were never put together.”
After the assault began, the countries quickly disclosed their intelligence to one another. They monitored a Lashkar control room in Pakistan where the terror chiefs directed their men, hunkered down in the Taj and Oberoi hotels and the Jewish hostel, according to current and former American, British and Indian officials.
That cooperation among the spy agencies helped analysts retrospectively piece together “a complete operations plan for the attacks,” a top-secret NSA document said.
Asked if Government Communications Headquarters, or GCHQ, Britain’s eavesdropping agency, should have had strong suspicions of a looming attack, a government official responded in a statement: “We do not comment on intelligence matters. But if we had had critical information about an imminent act of terrorism in a situation like this we would have shared it with the Indian government. So the central allegation of this story is completely untrue.”
Some former counterterrorism officials warn against promoting billion-dollar surveillance programmes with the narrow argument that they stop attacks.
That monitoring collects valuable information, but large amounts of it are “never meaningfully reviewed or analyzed,” said Charles (Sam) Faddis, a retired CIA counterterrorism chief. “I cannot remember a single instance in my career when we ever stopped a plot based purely on signals intelligence.”
Lashkar’s Computer Chief
Zarrar Shah was a digitally savvy operative, a man with a bushy beard, a pronounced limp, strong ties to Pakistani intelligence and an intense hatred for India, according to Western and Indian officials and court files. The spy agencies of Britain, the United States and India considered him the technology and communications chief for Lashkar, a group dedicated to attacking India. His fascination with jihad established him as something of a pioneer for a generation of Islamic extremists who use the Internet as a weapon.
According to Indian court records and interviews with intelligence officials, Shah was in his late 20s when he became the “emir”, or chief, of the Lashkar media unit. Because of his role, Shah, together with another young Lashkar chief named Sajid Mir, became an intelligence target for the British, Indians and Americans.
Lashkar’s alliance with the ISI came under strain as some of the militants pushed for a Qaeda-style war on the West. As a result, some ISI officers and terror chiefs decided that a spectacular strike was needed to restore Lashkar’s cohesion and burnish its image, according to interviews and court files. The plan called for a commando-style assault in India that could also hit Americans, Britons and Jews there.
The target was the centerpiece of Indian prosperity: Mumbai.
Hatching a Plot, Leaving a Trail
In early 2008, Indian and Western counterterrorism agencies began to pick up chatter about a potential attack on Mumbai. Indian spy agencies and police forces gathered periodic leads from their own sources about a Lashkar threat to the city.
By the fall of 2008, the British had found a way to monitor Lashkar’s digital networks. So had the Indians. But until the attacks, one Indian official said, there was no communication between the two countries on the matter.
Britain and India, while cooperative, were not nearly as close as the United States and Britain. And India is not included in the tightest intelligence-sharing circles of international eavesdropping agencies that the two countries anchor.
Not long after the British gained access to his communications, Shah contacted a New Jersey company, posing online as an Indian reseller of telephone services named Kharak Singh, purporting to be based in Mumbai. His Indian persona started haggling over the price of a voice-over-Internet phone service — also known as VoIP — that had been chosen because it would make calls between Pakistan and the terrorists in Mumbai appear as if they were originating in Austria and New Jersey.
“its not first time in my life i am perchasing in this VOIP business,” Shah wrote in shaky English, to an official with the New Jersey-based company when he thought the asking price was too high, the GCHQ documents show. “i am using these services from 2 years.”
Shah had begun researching the VoIP systems, online security, and ways to hide his communications as early as mid-September, according to the documents. As he made his plan, he searched on his laptop for weak communication security in Europe, spent time on a site designed to conceal browsing history, and searched Google News for “indian american naval exercises” — presumably so the seagoing attackers would not blunder into an overwhelming force.
Ajmal Kasab, the only terrorist who would survive the Mumbai attacks, watched Shah display some of his technical prowess. In mid-September, Shah and fellow plotters used Google Earth and other material to show Kasab and nine other young Pakistani terrorists their targets in Mumbai, according to court testimony.
The session, which took place in a huge “media room” in a remote camp on the border with Kashmir, was part of an effort to chart the terrorists’ route across the Arabian Sea, to a water landing on the edge of Mumbai, then through the chaotic streets. Videos, maps and reconnaissance reports had been supplied to Mir by Headley.
“The gunmen were shown all this data from the reconnaissance,” said Deven Bharti, a top Mumbai police official who investigated the attacks, adding that the terrorists were trained to use Google Earth and global positioning equipment on their own. “Kasab was trained to locate everything in Mumbai before he went.”
If Shah made any attempt to hide his malevolent intentions, he did not have much success at it. Although his frenetic computer activity was often sprawling, he repeatedly displayed some key interests: small-scale warfare, secret communications, tourist and military locations in India, extremist ideology and Mumbai.
He searched for Sun Tzu’s Art of War, previous terror strikes in India and weather forecasts in the Arabian Sea, typed “4 star hotel in delhi” and “taj hotel,” and visited mapsofindia.com to pore over sites in and around Mumbai, the documents show.
Still, the sheer scale of his ambition might have served as a smokescreen for his focus on the city. For example, he also showed interest in Kashmir, the Indian Punjab, New Delhi, Afghanistan and the United States Army in Germany and Canada. He constantly flipped back and forth among Internet porn and entertainment sites while he was carrying out his work. He appeared to be fascinated with the actor Robert De Niro, called up at least one article on the singer Taylor Swift, and looked at funny cat videos. He visited unexplainable.net, a conspiracy theory website, and conducted a search on “barak obama family + muslim.”
In November 2008, the VoIP company’s owner wrote to the fictitious Indian reseller, Singh, complaining that no traffic was running on the digital phone network. Shah’s reply was ominous, according to Indian law enforcement officials, who obtained evidence from the company’s communications records with FBI assistance after the attack. “Dear Sir,” Shah replied, “i will send trafic by the end of this month.”
Before the attacks started on the evening of November 26, the documents show, Shah pulled up Google images of the Oberoi Hotel and conducted Wikimapia searches for the Taj and the Chabad House. Shah opened the hostel’s website. He began Googling news coverage of Mumbai just before the attacks began.
An intercept shows what Shah was reading, on the news website NDTV, as the killings proceeded.
“Mumbai, the city which never sleeps, was brought to its knees on Wednesday night as it came under an unprecedented multiple terror attack,” the article said. “Even as heavily armed police stormed into Taj Hotel, just opposite the Gateway of India where suspected terrorists were still holed up, blood-soaked guests could be seen carried out into the waiting ambulances.”
A Trove of Data
“Analysis of Zarrar Shah’s viewing habits” and other data “yielded several locations in Mumbai well before the attacks occurred and showed operations planning for initial entry points into the Taj Hotel,” the NSA document said.
That viewing history also revealed a longer list of what might have been future targets. M K Narayanan, India’s National Security Adviser at the time, appeared to be concerned about that data from Shah in discussions with American officials shortly after the attacks, according to the WikiLeaks archive of American diplomatic cables.
A top secret GCHQ document described the capture of information on targets that Shah had identified using Google Earth. The analysts seemed impressed by the intelligence haul — “unprecedented real-time active access in place!” — one GCHQ document noted. Another agency document said the work to piece the data together was “briefed at highest levels nationally and internationally, including the US National Security Adviser.”
On November 30, Anish Goel, director for South Asia at the National Security Council in the White House, sat in his office, reading a stack of intelligence reports that had accumulated on his desk and reviewing classified electronic messages on a secure terminal.
Amid the crisis, Goel, now a senior South Asia Fellow at the New America Foundation, paid little attention to the sources of the intelligence and said that he still knew little about specific operations. But two things stood out, he said: The main conspirators in Pakistan had already been identified. And the quality and rapid pacing of the intelligence reports made it clear that electronic espionage was primarily responsible for the information. “During the attacks, it was extraordinarily helpful,” Goel said of the surveillance.
In the stacks of intelligence reports, one name did not appear, Goel clearly recalls: David Coleman Headley. None of the intelligence streams from the United States, Britain or India had yet identified him as a conspirator.
The Missing American
Headley’s many-sided life — three wives, drug-smuggling convictions and a past as an informant for the United States Drug Enforcement Administration — would eventually collapse. But for now, he was a free man, watching the slaughter on television in Lahore, Pakistan, according to his later court testimony. At the time, he was with Faiza Outalha, his Moroccan wife, having reconciled with her after moving his Pakistani wife and four children to Chicago.
Headley’s unguarded emails reflected euphoria about Lashkar’s success. An exchange with his wife in Chicago continued a long string of incriminating electronic communications by Headley written in a transparent code, according to investigators and case files. “I watched the movie the whole day,” she wrote, congratulating him on his “graduation”.
About a week later, Headley hinted at his inside information in an email to fellow alumni of a Pakistani military school. Writing about the young terrorists who carried out the mayhem in Mumbai, he said: “Yes they were only 10 kids, guaranteed. I hear 2 were married with a daughter each under 3 years old.” His subsequent emails contained several dozen news media photos of the Mumbai siege.
Headley also exchanged highly suspicious emails with his Lashkar and ISI handlers before and after the Mumbai attacks, according to court records and American counterterrorism officials. The NSA collected some of his emails, but did not realise he was involved in terrorist plotting until he became the target of an FBI investigation, officials said.
Kasab was executed after a trial. Although Pakistan denies any role in the attacks, it has failed to charge an ISI officer and Mir, who were indicted by American prosecutors. Though Shah and other Lashkar chiefs had been arrested, their trial remains stalled six years after the attack. Shivshankar Menon said that a lesson that emerged from the tragedy in Mumbai was that “computer traffic only tells you so much. It’s only a thin slice.” The key is the analysis, he said, and “we didn’t have it.”
Excerpted from report in The New York Times