Cyberspace Gives Al Qaeda Refuge

Times Staff Writers

In December, Al Qaeda operatives posted a manifesto on the Internet calling for attacks inside countries allied with the United States in Iraq. Spain, with elections approaching, was singled out as a target.

On March 11, terrorists set off bombs on four commuter trains in Madrid and killed 191 people. Three days later, Spanish voters replaced the pro-war government with a party whose leader had promised to withdraw the country’s 1,300 troops from Iraq.

The posting of the strategy and the timing of the Madrid bombings shocked even the most hardened Al Qaeda watchers recently when they reviewed the little-known manifesto.


“It’s quite extraordinary in that you have a group of people ... talking about influencing a political process and then having it happen,” said a U.S. national security official who analyzed the 54-page posting and spoke on condition that his name not be used. “Reading through this thing, it is just mind-blowing.”

Since Osama bin Laden and his followers were driven from their bases in Afghanistan, the Al Qaeda terrorist network has demonstrated an increasing ability to exploit the Internet as it reconfigures itself as a semi-leaderless global extremist movement far more elusive than the original incarnation.

Websites run by Al Qaeda and its backers have become virtual classrooms for terrorists, offering instructions for activities such as kidnapping and using cellphones to set off bombs, like the ones used in Madrid. Independent Al Qaeda cells and the network’s loose hierarchy use easily available encoding programs and simple techniques to exchange virtually undetectable messages between Internet cafes in Karachi and libraries in London.

The Internet’s importance to Al Qaeda was highlighted this month by the disclosure that Pakistani authorities had apprehended Mohammed Naeem Noor Khan, a suspected Al Qaeda computer engineer, and collected a wealth of electronic material.

E-mail and other information from Khan’s computers led to the arrests of 13 suspects in Britain and sent investigators scrambling to unravel electronic links among militants in Pakistan, Europe and the United States, British, U.S., and Pakistani authorities said. The discovery of files on financial institutions in New York and Washington among Khan’s trove also played a role in prompting the Bush administration to issue a terrorist warning.

Although it has long been known that Al Qaeda used the Internet to conduct reconnaissance on potential U.S. targets, the disks and hard drives taken from Khan disclose much about the resiliency and adaptability of a far-flung network hiding in plain sight, said U.S. and foreign intelligence officials and outside experts interviewed for this report.

“The Internet allows the organization to become a virtual self-perpetuating and changing entity in cyberspace that provides technological guidance and moral inspiration to a new generation,” said Magnus Ranstorp, a counter-terrorism expert at the University of St. Andrews in Scotland.

Rather than the computer whizzes often described by government officials and the press, the Al Qaeda operatives are more often people with everyday skills who have harnessed the Internet in a campaign against the United States and its allies. Even Khan, whom senior U.S. officials describe as extremely computer savvy, used skills available to many people with computer training.

Over time, they developed and shared techniques to avoid detection. An Al Qaeda survival manual warned adherents not to use the same Internet cafe too many times. Messages should be written on a word processor and pasted into an e-mail to avoid keeping the computer connected to the Internet for too long, it said.

The result is a changing definition not only of Al Qaeda but also of the threat from what is known as cyber-terrorism. After Sept. 11, the biggest fear of terrorists using the Internet was their potential to disable air traffic control systems or disrupt the electric power grid of the United States. Billions were spent shoring up infrastructure defense.

Although those concerns remain, authorities said no incident of cyber-terrorism has been recorded and worries have receded.

Instead, the discovery of the December manifesto, the arrest in Pakistan last month and the accumulation of other evidence are leading to recognition that for now, at least, cyberspace is not a weapon for Al Qaeda, but a tool -- one more difficult to counter than gunmen huddled in caves and tents.

James Lewis, director of technology policy at the Center for Strategic and International Studies in Washington, said one clear advantage for Al Qaeda is that the Internet gives it a communications system that rivals that of a superpower without the accompanying risk.

“There is no central headquarters,” he said. “There is no central place you can knock out.”

U.S. and foreign authorities interviewed in recent days generally agreed with a report last spring by the U.S. Treasury and Justice departments, which concluded that the Internet poses tough challenges “because it is largely anonymous, geographically unbounded, unregulated and decentralized.”

Al Qaeda is not a newcomer to the Internet.

In 2000, the group hacked into the e-mail and bank accounts of a U.S. diplomat in Saudi Arabia as part of an effort to track his movements and plot an assassination attempt, which was later abandoned, Ranstorp and a security official in the region said.

In the final stages of planning the Sept. 11 attacks, hijacker Mohamed Atta sent a coded message over the Internet that said: “The semester begins in three more weeks. We’ve obtained 19 confirmations for studies in the faculty of law, the faculty of urban planning, the faculty of fine arts and the faculty of engineering.”

After the Sept. 11 attacks on the World Trade Center and Pentagon, the camps and safe houses in Afghanistan where Atta and his accomplices had once trained were destroyed in the U.S. air assaults.

Thousands of Al Qaeda adherents fled to hiding places in the tribal areas along the Afghan-Pakistani border, to Pakistan and to dozens of other countries. They left behind computers with files on how to build nuclear bombs, diagrams of U.S. buildings and software for stealing passwords off the Internet.

In the months that followed, key leaders were killed or captured. Bin Laden has remained so deeply hidden that most intelligence officials think he no longer exercises much control over the network.

The U.S. and its allies worked with some success to shut down the flow of money to Al Qaeda through Saudi charities, wealthy benefactors and other means.

Faced with this multi-pronged assault, Al Qaeda reinvented itself, with a new reliance on the Internet.

Manuals from the training camps were posted on websites. Praise for the “holy war” and appeals for money to continue the fight started popping up. Information was shared among members, and alliances with local and regional extremist groups were formed through cyberspace.

More recent Internet postings reflected the adaptations of the new Al Qaeda, with its independent cells and new, often untrained recruits scattered throughout the Middle East, Europe and Africa.

In late May, a website linked to Al Qaeda in Saudi Arabia published detailed instructions for carrying out a kidnapping. Three weeks later, U.S. aerospace engineer Paul M. Johnson Jr. was kidnapped in Riyadh, the Saudi capital, and later beheaded.

Saudi extremists have proved particularly adept at using the Internet to communicate with other Al Qaeda groups and to promote their aim to topple the royal family, security officials in the country said.

But the posting that called for attacks on U.S. allies in Iraq -- and its chilling effectiveness -- has proved the most startling.

“It shows that they are very strategic in what they are doing,” the U.S. national security official said.

The document was posted on a website run out of the Middle East. Its language, religious references and other telltale signs convinced U.S. experts that an Al Qaeda member wrote it, though they have not identified the author.

Titled “Jihad in Iraq: Hopes and Dangers,” the posting advocated attacking countries aligned with the U.S. that were most vulnerable to pressure to withdraw their troops from Iraq. Italy and Spain were singled out, with a special mention of Spain’s approaching elections.

“Withdrawal of Spanish or Italian forces would put immense pressure on the British presence in a way that Tony Blair might not be able to bear,” it said in one of several paragraphs underlined for emphasis. “In this way the dominoes will begin to fall quickly.”

At another point, the posting said, “We think that the Spanish government could not tolerate more than two, maximum three blows, after which it will have to withdraw as a result of popular pressure.”

The posting was available on one of the hundreds of Arabic-language websites that cater to extremists and moderates alike. Many of them are watched by intelligence and law enforcement agencies, but experts say there are far too many to monitor thoroughly.

Evan Kohlmann, a Washington-based terrorism analyst who has been a consultant to the U.S. government, said he was monitoring an Internet chat room frequented by Islamic extremists last month when someone posted copies of the complete Windows desktop of a U.S. soldier serving in South Korea.

The soldier had apparently installed a program to access his work computer through another computer and the hacker found a back door and took control of the machine by using simple techniques, Kohlmann said.

Simplicity seems to work best. One common method of communicating over the Internet is essentially an e-mail version of the classic dead drop.

Members of a cell are all given the same prearranged username and password for an e-mail account on an Internet service provider, or ISP, such as Hotmail or Yahoo, according to the recent joint report by the Treasury and Justice departments.

One member writes a message, but instead of sending it, he puts it in the “draft” file and then logs off. Someone else can then sign onto the account using the same username and password, read the draft and then delete it.

“Because the draft was never sent, the ISP does not retain a copy of it and there is no record of it traversing the Internet -- it never went anywhere, its recipients came to it,” the report said.

Secure messages also can be transmitted using widely available encryption tools.

Slightly more advanced methods allow messages to be embedded in image, sound or other files transferred over the Internet through a process called “steganography.” The files cannot be distinguished without a decoding tool.

The difficulty of intercepting and deciphering messages has given rise to a game of cyber cat and mouse, according to government and independent experts.

In an effort to gather information on potential recruits and donors, U.S. law enforcement agencies operate websites that are set up to resemble extremist Islamic sites. Visitors leave an electronic trail when they enter the site.

On the other side, Al Qaeda can transmit false information to determine whether its members are being monitored by law enforcement.

The Internet offers stealth to its users, but authorities can get valuable information if they can get their hands on data stored in computers or on disks.

U.S. and foreign investigators still are sifting through the material taken from Khan. By cross-referencing the data with old files on people, places and methods of attacks, they hope to get a new picture of the organization’s operations and identify its operatives, senior U.S. law enforcement officials say.

They also are getting a closer look at the role of the Internet in Al Qaeda’s strategies -- and a rare chance to turn the tables on the organization’s computer prowess.

“Al Qaeda relies on the Internet just like everyone else, and increasingly more so,” a senior Justice Department official said. “But that reliance could also come back to bite them.”




Mohammed Naeem Noor Khan

Mohammed Naeem Noor Khan, right, a suspected Al Qaeda computer expert, was arrested July 15 in Pakistan.

Khan reportedly has told his FBI interrogators that the terrorist network has monitored top U.S. political officials so closely that its operatives know where they live and the names of their neighbors.

Authorities believe Khan may have been a key link among Al Qaeda cells in Pakistan, Britain and the United States.

He was arrested while uploading information to several Al Qaeda-affiliated websites at an Internet cafe in Karachi.

He reportedly was in the process of sending an e-mail death threat to President Bush, claiming that it was from Al Qaeda.

-- Los Angeles Times


Frantz reported from Istanbul and Meyer and Schmitt from Washington.