NSA's cyberespionage found al-Qaida official later killed in drone attack
The Washington Post
It was an innocuous email, one of millions sent every day by spouses with updates on the situation at home. But this one was of particular interest to the National Security Agency, and contained clues that put the sender's husband in the cross hairs of a CIA drone.
Days later, Hassan Ghul — an associate of Osama bin Laden who provided a critical piece of intelligence that helped the CIA find the al-Qaida leader — was killed by a drone strike in Pakistan's tribal belt.
The U.S. government has never publicly acknowledged killing Ghul. But documents provided to The Washington Post by former NSA contractor Edward Snowden confirm his demise in October 2012 and reveal the agency's extensive involvement in the targeted killing program that has served as a centerpiece of President Barack Obama's counterterrorism strategy.
An al-Qaida operative who had a knack for surfacing at dramatic moments in the post-Sept. 11 story line, Ghul was an emissary to Iraq for the terrorist group at the height of that war. He was captured in 2004 and helped expose bin Laden's courier network before spending two years at a secret CIA prison. Then, in 2006, the United States delivered him to his native Pakistan, where he was released and returned to the al-Qaida fold.
But beyond filling in gaps about Ghul, the documents provide the most detailed account of the intricate collaboration between the CIA and the NSA in the drone campaign.
The Washington Post is withholding many details about those missions, at the request of U.S. intelligence officials who cited potential damage to ongoing operations and national security.
The NSA is "focused on discovering and developing intelligence about valid foreign intelligence targets," an NSA spokeswoman said in a statement provided to The Post on Wednesday, adding that the agency's operations "protect the nation and its interests from threats such as terrorism and the proliferation of weapons of mass destruction."
In the search for targets, the NSA has draped a surveillance blanket over dozens of square miles of northwest Pakistan. In Ghul's case, the agency deployed an arsenal of cyber-espionage tools, secretly seizing control of laptops, siphoning audio files and other messages, and tracking radio transmissions to determine where Ghul might "bed down."
The email from Ghul's wife "about her current living conditions" contained enough detail to confirm the coordinates of that household, according to a document summarizing the mission. "This information enabled a capture/kill operation against an individual believed to be Hassan Ghul on October 1," it said.
The file is part of a collection of records in the Snowden trove that make clear that the drone campaign — often depicted as the CIA's exclusive domain — relies heavily on the NSA's ability to vacuum up enormous quantities of email, phone calls and other fragments of signals intelligence, or SIGINT.
To handle the expanding workload, the NSA created a secret unit known as the Counter-Terrorism Mission Aligned Cell, or CT MAC, to concentrate the agency's vast resources on hard-to-find terrorism targets. The unit spent a year tracking Ghul and his courier network, tunneling into an array of systems and devices, before he was killed. Without those penetrations, the document concluded, "this opportunity would not have been possible."
At a time when the NSA is facing intense criticism for gathering data on Americans, the drone files may bolster the agency's case that its resources are focused on fighting terrorism and supporting U.S. operations overseas.
"Ours is a noble cause," NSA Director Keith Alexander said during a public event last month. "Our job is to defend this nation and to protect our civil liberties and privacy."
The documents do not explain how the Ghul email was obtained or whether it was intercepted using legal authorities that have emerged as a source of controversy in recent months and enable the NSA to compel technology giants including Microsoft and Google to turn over information about their users. Nor is there a reference to another NSA program facing scrutiny after Snowden's leaks, its metadata collection of numbers dialed by nearly every person in the United States.
To the contrary, the records indicate that the agency depends heavily on highly targeted network penetrations to gather information that wouldn't otherwise be trapped in surveillance nets that it has set at key Internet gateways.
The new documents are self-congratulatory in tone, drafted to tout the NSA's counterterrorism capabilities. One is titled "CT MAC Hassan Gul Success." The files make no mention of other agencies' roles in a drone program that escalated dramatically in 2009 and 2010 before tapering off in recent years.
Even so, former CIA officials said the files are an accurate reflection of the NSA's contribution to finding targets in a campaign that has killed an estimated 3,000 militants, as well as hundreds of civilians, in Pakistan, according to independent surveys. The officials said the agency has assigned senior analysts to the CIA's Counterterrorism Center, and deployed others to work alongside CIA counterparts at almost every major U.S. embassy or military base overseas.
"NSA threw the kitchen sink at the FATA," said a former U.S. intelligence official with experience in Afghanistan and Pakistan, referring to the Federally Administered Tribal Areas, the region in northwest Pakistan where al-Qaida's leadership is based.
NSA employees rarely ventured beyond the security gates of the U.S. Embassy in Islamabad, officials said. Surveillance operations that required placing a device or sensor near an al-Qaida compound were handled by the CIA's Information Operations Center, which that specializes in high-tech devices and "close-in" surveillance work.
"But if you wanted huge coverage of the FATA, NSA had 10 times the manpower, 20 times the budget and 100 times the brainpower," the former intelligence official said, comparing the surveillance resources of the NSA to the smaller capabilities of the CIA's operations center. The two agencies are the largest in the U.S. intelligence community, with budgets last year of $14.7 billion for the CIA and $10.8 billion for the NSA. "We provided the map," the former official said, "and they just filled in the pieces."
In broad terms, the NSA relies on increasingly sophisticated versions of online attacks that are well-known among security experts. Many rely on software implants developed by the agency's Tailored Access Operations division with code-names such as UNITEDRAKE and VALIDATOR. In other cases, the agency runs "man-in-the-middle" attacks in which it positions itself unnoticed midstream between computers communicating with one another, diverting files for real-time alerts and longer-term analysis in data repositories.
Through these and other tactics, the NSA is able to extract vast quantities of digital information, including audio files, imagery and keystroke logs. The operations amount to silent raids on suspected safe houses and often are carried out by experts sitting behind desks thousands of miles from their targets.
The reach of the NSA's Tailored Access Operations division extends far beyond Pakistan. Other documents describe efforts to tunnel into systems used by al-Qaida affiliates in Yemen and Africa, each breach exposing other corridors.
An operation against a suspected facilitator for al-Qaida's branch in Yemen led to a trove of files that could be used to "help NSA map out the movement of terrorists and aspiring extremists between Yemen, Syria, Turkey, Egypt, Libya and Iran," according to the documents. "This may enable NSA to better flag the movement of these individuals" to allied security services that "can put individuals on no-fly lists or monitor them once in country."
A single penetration yielded 90 encrypted al-Qaida documents, 16 encryption keys, 30 unencrypted messages as well as "thousands" of chat logs, according to an inventory described in one of the Snowden documents.
The operations are so easy, in some cases, that the NSA is able to start downloading data in less time than it takes the targeted machine to boot up. Last year, a user account on a social media website provided an instant portal to an al-Qaida operative's hard drive. "Within minutes, we successfully exploited the target," the document said.
The hunt for Ghul followed a more elaborate path.
Ghul, who is listed in other documents as Mustafa Haji Muhammad Khan, had surfaced on U.S. radar as early as 2003, when an al-Qaida detainee disclosed that Ghul escorted one of the intended hijackers to a Pakistani safe house a year before the Sept. 11, 2001, attacks.
A trusted facilitator and courier, Ghul was dispatched to Iraq in 2003 to deliver a message to Abu Musab al-Zarqawi, the al-Qaida firebrand who angered the network's leaders in Pakistan by launching attacks that often slaughtered innocent Muslims.
When Ghul made another attempt to enter Iraq in 2004, he was detained by Kurdish authorities in an operation directed by the CIA. Almost immediately, Ghul provided a piece of intelligence that would prove more consequential than he may have anticipated: He disclosed that bin Laden relied on a trusted courier known as al-Kuwaiti.
The ripples from that revelation wouldn't subside for years. The CIA went on to determine the true identity of al-Kuwaiti and followed him to a heavily fortified compound in Abbottabad, Pakistan, where bin Laden was killed in 2011.
Because of the courier tip, Ghul became an unwitting figure in the contentious debate over CIA interrogation measures. He was held at a CIA black site in Eastern Europe, according to declassified Justice Department memos, where he was slapped and subjected to stress positions and sleep deprivation to break his will.
Defenders of the interrogation program have cited Ghul's courier disclosure as evidence that the agency's interrogation program was crucial to getting bin Laden. But others, including former CIA operatives directly involved in Ghul's case, said that he identified the courier while he was being interrogated by Kurdish authorities, who posed questions scripted by CIA analysts in the background.
The debate resurfaced amid the release of the movie "Zero Dark Thirty" last year, in which a detainee's slip after a brutal interrogation sequence is depicted as a breakthrough in the bin Laden hunt. Ghul's case also has been explored in detail in a 6,000-page investigation of the CIA interrogation program by the Senate Intelligence Committee that has yet to be released.
Sen. Dianne Feinstein, D-Calif., the chairman of the panel, sought to settle the Ghul debate in a statement last year that alluded to his role but didn't mention him by name.
"The CIA detainee who provided the most significant information about the courier provided the information prior to being subjected to coercive interrogation techniques," Feinstein said in the statement, which was signed by Sen. Carl Levin, D-Mich.
The George W. Bush administration's decision to close the secret CIA prisons in 2006 set off a scramble to place prisoners whom the agency did not regard as dangerous or valuable enough to transfer to Guantanamo Bay. Ghul was not among the original 14 high-value CIA detainees sent to the U.S. installation in Cuba. Instead, he was turned over to the CIA's counterpart in Pakistan, with ostensible assurances that he would remain in custody.
A year later, Ghul was released. There was no public explanation from Pakistani authorities. CIA officials have noted that Ghul had ties to Lashkar-e-Taiba, a militant group supported by Pakistan's intelligence service. By 2007, he had returned to al-Qaida's stronghold in Waziristan.
In 2011, the Treasury Department named Ghul target of U.S. counterterrorism sanctions. Since his release, the department said, he had helped al-Qaida re-establish logistics networks, enabling al-Qaida to move people and money in and out of the country. The NSA document described Ghul as al-Qaida's chief of military operations, and detailed a broad surveillance effort to find him.
"The most critical piece" came with a discovery that "provided a vector" for compounds used by Ghul, the document said. After months of investigation, and surveillance by CIA drones, the email from his wife erased any remaining doubt.
Even after Ghul was killed in Mir Ali, the NSA's role in the drone strike wasn't done. Although the attack was aimed at "an individual believed to be" the correct target, the outcome wasn't certain until later when, "through SIGINT, it was confirmed that Hassan Ghul was in fact killed."