The "keys to the cyber caliphate": The daring U.S. raid to seize the ISIS personnel database

How U.S. counterterrorism intelligence got their hands on the data that changed the fight against ISIS

Published July 2, 2017 1:00PM (EDT)


Excerpted with permission from "Hacking ISIS" by Malcolm Nance and Christopher Sampson. Copyright 2017, Skyhorse Publishing, Inc. Available for purchase on Amazon, Barnes & Noble and IndieBound.

When he woke for dawn prayers on 17 May, 2015, “Caliph” Ibrahim, a.k.a. Abu Bakr al-Baghdadi, the commander of the forces of the Islamic State of Iraq and the Levant al-Sham, a.k.a. ISIS, would be informed of a massacre that had occurred near Deir ez-Zor in eastern Syria. US Special Operations forces had completed a bold and daring direct action, penetrating directly into the heart of the territory occupied by the self-proclaimed “ISIS.” The Americans had not just carried out a raid but had flown hundreds of miles behind ISIS lines to capture a man named Abu Sayyaf. When the smoke cleared, the Delta troopers had killed every terrorist present including their intended target, but the mission was still considered a resounding success. The New York Times and the Wall Street Journal reported that even though Abu Sayyaf had not been taken alive, during the sensitive site’s exploitation, the intelligence team collected four to seven terabytes of computer data that gave US intelligence a treasure trove of information about the financial workings of ISIS.


There was nothing routine about the mission to seize or kill Abu Sayyaf, whose real name was Fathi ben Awn ben Jildi Murad al-Tunisi. He was a Tunisian jihadi and keeper of the keys to the ISIS oil wealth. Abu Sayyaf worked out of the offices of the Euphrates Oil Company at al-Omar, the largest oilfield in Syria. As treasurer to ISIS, it was his job to produce, collect, and distribute hundreds of millions of dollars in profits throughout the caliphate from illicit oil, sale of antiquities and slaves, and levying taxes on Christians. He was a very high-value target, but the generals at the Pentagon would have been reluctant to risk the lives of the most elite soldiers America possessed, the National Mission Force, just to recover a pile of financial data. That could be electronically collected by NSA or purchased by gold or cash from CIA assets. No, there had to be something far more valuable and important in his possession that made the mission an imperative. Whatever it was would have to be a game changer.

The most critical indicator of the importance of the mission and its objective was the fact that the President was moved to sign the order. The intelligence community does not undertake these missions on a whim, and, even with solid intelligence, the payoff would have to exceed the risk by an order of magnitude. The amount of people, intelligence, and weapons dedicated to this type of mission is staggering.

To approve the al-Omar raid would require solid, triple-checked intelligence from multiple sources from inside ISIS itself. The sources would have to be considered extremely reliable and their information triple checked. Once confidence was high, the Director of National Intelligence, the CIA, and Pentagon would have to convince the President that the success-to-failure ratio exceeded ninety percent or more before he would sign the “Go” order to invade ISIS-controlled Syria.

Why would the notably cautious “No-Drama Obama” authorize such a momentous mission? He must have been convinced that it would result in something so damaging to ISIS that the risk would outweigh the potential for disaster. The objective could only be one thing—the intelligence ‘keys to the caliphate’: a softcopy database, not linked to the Internet, containing the personal data of every man, woman, child, and slave in and under the control of ISIS, as well as the communications and financial links to its affiliates worldwide.

The Internal Security Database

When Samir Abd Muhammad al-Khlifawi, whose nom de guerre was Haji Bakr, became the shadow commander of ISIS’s military wing and its Chief of Spies, he emphasized that ISIS should gather all possible information about every person in their society in order to control behavior, blackmail the influential, or eliminate resistance. He sketched out the design for a massive paper database detailing each member’s biographical, social, and psychological data.

Derived directly from his experience as a loyal spy under Saddam Hussein, he put together an organization identical to the Baathist intelligence apparatus, but one that could compile information with much more detail on the religious and family aspects of the ISIS communities. He wanted to create a hybrid al-Qaeda-Saddamist religious extremist police state impervious to foreign intelligence penetration and resistant to rebellion.

He was the right man for the job. To this end, he did a complete brain-dump of everything he had learned as a Baathist and implemented a new network for the religious terror nation. In this respect, Haji Bakr was pitch-perfect. The handwritten notes that Der Spiegel discovered, on how ISIS collects intelligence and databases the histories of all who fall under its control, were found after he was ambushed and killed in 2014. He ordered his intelligence division Emirs (“Princes”) and subordinate cells to check and cross-reference information on all levels of ISIS society to ensure the trustworthiness and loyalty of its subjects.

ISIS’s internal spying effort was extraordinary, eclipsing even Saddam Hussein’s lust for manipulative information. It evolved into an incredibly complex operation that Haji Bakr detailed in dozens of notes. ISIS depends on slavish loyalty of all official operatives throughout each “Wilayat” or “State.” The ISIS chain of intelligence reporting relies on sources, starting at the street level, prepared to inform on anyone in the caliphate for a reward. This information goes up from the individual jihadi to the regional Emirs, through a chain of Deputy Emirs, sub-Emirs, and their assistant subdeputies in the intelligence apparatus. Every level cross-checks the accuracy and reliability of the person below to guard against deception or penetration by enemy agents.

The entire ISIS spy chain of command is backed up by highly experienced officers who can fill the roles of those who are martyred. This is a very old-school al-Qaeda system to ensure no link in the chain is lost. Add to this the ability of virtually any jihadi to spy for the apparatus and the result is a world that Der Spiegel correctly called an “Islamic Intelligence State.”

But in a financial system collecting and disbursing billions, each written dossier on a member of the internal security arm had to be placed in a modern computer database in order to ensure that people collecting and spending money were closely monitored. Each database had to be compared to the regular financial activity of ISIS’s subjects for anomalies. Abu Sayyaf’s remote oilfield was the perfect spot for compiling the financial and intelligence information fed into the database.

A second component of the ISIS personnel database was already well known to US intelligence since Americans had created it at a cost of billions during its occupation of Iraq. The Iraqi government implemented computerized databasing and biometrics of all citizens in 2005. It recorded personal information including digital photos, fingerprints, and even some retina scans of anyone who registered to vote, served in government or the military, collected pensions, and received a passport or the new digital Iraqi national identity card. Additionally, anyone with a terrorist or criminal background or held in a detention center was entered into a national criminal database. During the battle for Mosul, ISIS had either rapidly seized or already had in their possession these databases. Additionally, the army and police biometric databases for each soldier were located in three major headquarters lost to ISIS in Mosul, Tikrit, and Ramadi. To this end, Haji Bakr employed everything he had learned as a Baathist to create a new intelligence and security network for the religious terror nation.

ISIS regional databases integrated the information in the Iraqi databases found in the intelligence and security offices at Camp Kindi, headquarters of the Nineveh Operations Command and in the Iraqi 2nd Army Division and the Iraqi Security Forces Intelligence office in Mosul. A third database was located at the intelligence and admin branch headquarters of the Iraqi 12th Division at Camp Speicher near Tikrit, and the fourth was located in the ISF offices in Ramadi. All of these gave ISIS knowledge of Sunni loyalists in the government and Shia who would need to be killed. The loyalist Sunni soldiers who came over to ISIS would have their biometrics and personal data compared and kept in the ISIS database.

When Mosul was taken, ISIS members were videotaped openly checking the national identity cards of Iraqis in the city against this database held in laptops at roadblocks to determine who would live or die.

ISIS immediately tried to take precautions against the loss of Abu Sayyaf and the databases. They immediately banned the use of Wi-Fi by anyone outside of approved Internet cafés in Raqqa. Most interestingly, the ban included a prohibition on the use of private Wi-Fi by all ISIS members and commanders. This move not only centralizes monitoring of citizens and opposition groups to a few central IP addresses, but it indicates that they were trying to tear out the elements of the old online communications structures root and branch before the Americans exploited it.

Combined, the ISIS financial/personnel databases could be exploited by the United States not just for capturing or killing more senior ISIS members, but for a mission far broader and more important: it identified the national origin of every person in the group; where they were assigned to fight; how much they were paid; who were their parents, grandparents, and next of kin; who were their wives, children and slaves’ names and dates of birth; as well as their level of loyalty and the rewards and punishments they received. Perhaps the greatest jewel in the crown was the mobile phone numbers, Twitter handles, Facebook accounts, and other social media links. Especially exciting for America’s intelligence managers and operatives, whether on the ground or in the US, including the NSA, CIA, DIA, and others, all of these data points would give the precise locations of where ISIS-authorized mobile phones were being used and who used them.

The keys to the caliphate gave America the ability to determine who could be blackmailed or turned into a double agent, or to mark their most loyal commanders for death by Hellfire missile or JDAM bomb. ISIS’s own obsession for detail and knowledge proved to be the base alloy for America to craft a near-perfect weapon for the Pentagon to kill whomever they pleased, whenever they pleased. For spies and drone operators, the prospects were bone-chillingly thrilling and were coldly being applied. Perhaps with the Abu Sayyaf raid, America had defeated ISIS long before the caliphate would physically fall.

Treasury of Terror

The “ISIS” fancied itself a nation. But even a self-proclaimed caliph needs a treasury, a general accounting office, and a social security administration. The RAND Corporation estimated in 2014 that ISIS ran a budget surplus that exceeded $2 billion per year from all sources of illicit revenue-generating activities, such as the sale of oil and stolen antiquities, taxes on members of other religions, and sex slavery. This financial web worked outside of the formal global economies until cleansed by regional profiteers. In the ruins of their captured Iraqi and Syrian cities, ISIS cannot disburse money electronically from a bank network, so for both international and local disbursing they are using an archaic money transfer process used widely throughout the Middle East called Hawala.

Hawala is as old as informal banking. You deliver money to a trusted Hawala broker, and he uses his personal contacts and pre-positioned funds to deliver the same amount of money, in cash, to your contact in another city. It is considered complying with Islamic law for brokers to charge only a flat fee rather than interest. Billions of dollars pass through the Middle East and Europe this way annually with almost no paper trail. It was the fastest and most secure way for ISIS to move funds from Raqqa to Mosul, Aleppo, or Ramadi to its fighters and tribes without losing it to theft or airstrike. Spain’s El País newspaper detailed the network supporting cash transfers to ISIS and al-Nusra Front to pay Spanish jihadists their monthly salaries using the system operating through entities like European Hilal butcher shops and phone banks. Newsweek reported that this ancient system is done with almost no oversight from international banks. It’s an honor system in which no records are kept by the transferees apart from a receipt.

The significance of exploiting an ISIS financial/personnel database cannot be underestimated. As ISIS’s de facto treasurer, Abu Sayyaf, as US intelligence agencies had extrapolated, had to maintain an off-line central database where the paper information from throughout the caliphate is entered into a computerized internal accounting program in order to report on and pay the fighters, finance businesses, build or repair infrastructure, buy weapons, influence tribes, or sell women and children.

Such a database would necessarily be complex even for a small group like ISIS but would not require a large data storage capacity. If the New York Times report is correct, then just four to seven terabytes of data recovered on the mission would be equal to the sum of data in the disk memories of eight to ten average laptops or external backup hard drives. That was more than enough power for the group’s data entry and accounting needs.

This payment system with its information about people giving and receiving money can, thanks to ISIS’s extreme paranoia about what those in the caliphate are doing daily, be cross-checked against their highly detailed internal security database on personnel. Any nexus between ISIS’s financial payments, its personnel rosters, and the internal security data on its own people is spy gold for counterterrorism operations.

By Malcolm Nance

Malcolm Nance is a globally recognized counterterrorism expert and intelligence community member who has been deployed to intelligence operations in the Balkans, the Middle East and sub-Saharan Africa. He is the author of "The Plot to Hack America" and "Defeating ISIS" and he appears regularly on MSNBC. He lives in Philadelphia.


By Christopher Sampson
