the grugq

Cyber. Strategy. Deception.

Encryption Implied?

by Leave a Comment

There are tantalizing details surrounding some minor characters in the ISIS Brussels network that provide possibly the first evidence of the operational use of encryption. An ISIS militant in Brussels sent money to Abaaoud’s cousin at a time when the cousin was being actively monitored by security forces. How was this arranged without alerting the authorities about the militant in Brussels? Encryption seems the likely answer.

Cast of Characters

  1. Abdelhamid Abaaoud, ring leader for the ISIS network
  2. Chakib Akrouh, ISIS militant
  3. Hasna Aitboulahcen, Abaaoud’s cousin and entire logistics network
  4. The Muslim Woman, the surrogate mother of Hasna
  5. Mohamed Belkaid, aka Samir Bouzid, ISIS militant and sometimes flatmate of Salah Abdeslam

Timeline

Friday, November 13, 2015

  • The Paris attacks. Abaaoud and Akrouh flee the scene of the attacks and hide out in the woods

Saturday, November 14, 2015

Sunday, November 15, 2015

  • 8:30 p.m, Chakrib Akrouh calls Hasna Aitboulahcen and talks to her in Aesopian language (which, as it a frequent problem with this sort of code, she fails to fully undersand.) He tells her: “I am calling on behalf of your cousin,” and “I’m not going to explain everything. You saw what happened on TV.” Finally he asks that she “help [find] a place to hide “for no more than a day or two.” At this point, Aitboulahcen believes that the “cousin” referred to is Abaaoud’s younger brother.
  • 9.30 p.m, Aitboulahcen meets Abaaoud in the woods. He offers her €5000 to help him. He tells her to rent a safe house and buy clothing and shoes.
  • After Aitboulahcen leaves with the muslim woman and her husband, Chakrib Akrouh calls with a death threat: “You can tell the little couple that if they talk, my brothers will take care of them”

Monday, November 16, 2015

  • 2:00 pm, the muslim woman contacts the police to alert them about Abaaoud
  • 5:00 pm, security forces get back in touch with the woman who spends hours at their headquarters providing them with information
  • When the woman returns home she tells Aitboulahcen she’s been out to dinner and a movie

Tuesday, November 17, 2015

  • Aitboulahcen’s mobile phone is tapped
  • During the day Aitboulahcen “actively [seeks] accommodation” for Abaaoud and Chakrib
  • Aitboulahcen rents a flat in Saint Denis for €150 , she also buys the men clothes and shoes
  • The ID for Samir Bouzid is used “at a Western Union office in Brussels to transfer €750, or about $850, to Hasna Ait Boulahcen
  • Night: Aitboulahcen leaves the woman’s apartment with the suits and shoes she bought, “indicating she also needed to deliver 750 euros in cash” [NOTE: this suggests that she paid for the flat, clothes and shoes with her own money]
  • The woman asks Aitboulahcen where she can pick her up later that night, and Aitboulahcen provides the address in Saint-Denis. The woman relays this to the police.
  • 10:00 pm, Abaaoud, Aitboulahcen and Akrouh arrive at the safe house in Saint-Denis.

Wednesday, November 18, 2015

  • 4:00 am, the police begin their raid on the Saint-Denis safe house.
  • 10:am, the raid is over.

The Wire Transfer

One very interesting thing in this little drama is the Western Union money transfer. To transfer money via Western Union requires the sender and receiver to coordinate information, including names, addresses and optionally challenge / response codes. Obviously, Abaaoud would’ve also had to inform his comrade, Mohamed Belkaid, to send the money. This means that Abaoud (or Akrouh) must have made multiple communications to both Belkaid and Aitboulahcen. These messages would have to be sensitive, including personal identifying information (real names.)

How was this sensitive messaging triangle accomplished under the noses of the French security forces who were actively monitoring Aitboulahcen’s mobile phone? Were the French aware of the money transfer? It seems not as the name Samir Bouzid is not “wanted for his alleged connection to Salah Abdeslam” until December, weeks after the money transfer.

Was it encryption? Doesn’t matter.

I suspect that Aitboulahcen was using a chat app, probably either WhatsApp or Telegram, to communicate with Abaaoud. The basic client server encryption would have been sufficient to prevent French security forces from eavesdropping on the conversation. Additionally, without access to the messaging servers, they wouldn’t have access to metadata either.

The French security forces would’ve had to make requests for international assistance to get this information. Clearly, there was no time.

In 2014 Aitboulahcen was chatting with someone, believed to be Abaaoud, in Syria using WhatsApp. By November 2015, WhatsApp could enable end to end encryption between Android devices (with some versions of the app.) However, it is unlikely that end to end encryption was much of an issue in this case. Aitboulahcen and Abaaoud were dead a day after the counter terrorism forces began surveillance. Their phones were available for forensic analysis and any messages would’ve been recovered.

More questions than answers

I’m curious why Aitboulahcen wasn’t under physical surveillance on the 17th, and why the security forces didn’t use IMSI catchers to monitor her movements. The big question for me is why didn’t the French follow up on the Western Union money transfer? It seems like that was a pretty solid lead into the rest of the Brussels network.

Months later the man who sent that money was killed in a shootout with Belgian police, one of the key events leading to the capture of Salah Abdeslam (Belkaid’s roommate), and the subsequent Brussels airport bombing.

Belgian prosecutors identified the dead man, who was shot by a sniper, as Mohamed Belkaid, a 35-year-old Algerian. But on Friday the prosecutor said it now believed he was the same man who used a false identification card with the name Samir Bouzid, wanted since December for his alleged connection to Mr. Abdeslam.

The two were stopped with Mr. Abdeslam in a car traveling between Hungary and Austria in September, prosecutors said. That same identity card was used on Nov. 17, four days after the attack, at a Western Union office in Brussels to transfer €750, or about $850, to Hasna Ait Boulahcen. — Source: WSJ

Liked it? Take a second to support grugq on Patreon!

Leave a Reply

%d bloggers like this: