By Patrick BAHZAD
Following the Paris attacks, it quickly became clear to investigators that they had underestimated the one guy who would prove a decisive element in this terror plot. While the Kouachi brothers – who attacked the "Charlie Hebdo" newspaper – had been monitored for a while by French intelligence, Coulibaly – the hostage taker of the Kosher supermarket – was released from jail in March 2014 and disappeared from every radar in April of that year. The investigation into this man's actions during the 8 months prior to the attacks will be crucial to the uncovering of the whole group of conspirators, as well as their potential backers in France and the Middle-East.
The veil of mystery that still shrouds these tragic events – i.e. the fact they might be the result of some collusion between Al Qaeda and ISIS affiliated radicals – has not been lifted yet, but the evidence that is slowly trickling in reveals a gradually more consistent and complex picture.
The Kouachi brothers, a genuine Al Qaeda cell
On the one hand, it makes no more doubt that the "Charlie Hebdo" attackers had been trained in Yemen. Al Qaeda in the Arab Peninsula has officially endorsed their action, claiming to have both ordered and organised it. Saïd and Cherif Kouachi had travelled to Yemen on at least one occasion and have been in touch with senior AQAP members there. During that time, probably in July or August of 2011, they were assigned the task of attacking "Charlie Hebdo". The Kouachi brothers can therefore be considered a genuine terrorist cell: recruited, trained and tasked with a specific mission, aimed at achieving a certain objective.
What remains unclear at this point is whether or not they were in contact with AQAP after their return to France. Given that they knew or assumed to be under surveillance, they had to blend in again into France's social fabric, leading a normal life and avoiding any suspicious activity, and only launched the attack once they were certain they could reach their target. One hypothesis, regarding the timing of events, is that once the order for the attack was given, the Kouachi brothers prepared it and carried it out, independently from any direct connection with the organisation. Nonetheless, it is possible also that they found a way of communicating with AQAP and that a small number of associates, some of whom may already have been arrested, provided the two brothers with the necessary logistics and information.
In that regard, it's been known for some time now that Islamic radicals used online gaming platforms in order to communicate and exchange information, or even transfer funds to cells or individuals in various countries. Certain pieces of evidence that was uncovered during a previous investigation into Cherif Kouachi points into such a direction. French police are following up on that lead but it is too early to say whether they are really onto something.
The other possible scenario leading to the Paris attacks is much simpler and has Amedy Coulibaly, the terrorist nobody had seen coming, as the primary person of interest.
In order to understand how the events could unfold the way they did, it is important to keep in mind that Coulibaly was in prison in the years 2010-2014. We may never know exactly what the Kouachi brothers had in mind back then, but if we assume the most likely course of events to be the right one, they had to lie low for a while, lead a perfectly normal life, and wait for their old "buddy" to be released from jail before going about their business.
In truth, until he shot two police officers on the morning of January 8th 2015, Coulibaly was never considered a high priority target by French intelligence. He was just one individual among a number of drug dealers, bank robbers and criminals who had been radicalized in prison and were never regarded as serious enough "customers" for something of this magnitude.
Based on what we know already, it's pretty clear that after he got out, Coulibaly acted as an accelerator for the whole terror plot. How he came to an understanding with the Kouachi brothers might be indefinitely open to conjecture, but the result of this division of labour transpires through the evidence: when he got out of jail in March 2014, he quickly understood he could do pretty much anything he wanted without triggering police scrutiny.
In fact, during the eight months prior to the January attacks, Coulibaly and Cherif Kouachi called each other over 500 times, using their wives' mobile phones. At that time, French police had already given up surveillance on the two brothers and even if they hadn't, they wouldn't have been able to tap the wives' phones, given that they had no evidence for a judge to sign a court order authorising such a wiretap.
The fact that the investigation is now focusing on reconstructing Coulibaly's whereabouts and activities during the period between April 2014 and January 2015 is clear enough evidence that he's considered the key to the whole conspiracy.
Retracing the terrorist's moves
Thanks to DNA traces found in his car, as well as other forensic and electronic evidence, French police have already arrested four men known for their close links to Coulibaly. Although these men have no record of terrorism related charges, they have a long criminal past and could be part of Coulibaly's network of "little hands", that helped him get the weapons used in the attack or organise physical surveillance of the "Charlie Hebdo" offices.
At this stage, it's clear also that Coulibaly staked out several possible targets, particularly Jewish schools, and that he was in touch with dubious individuals in France in Belgium, especially Brussels and Verviers, where most of the military grade weaponry used in the attacks was bought.
What all these pieces of information show is that Coulibaly was certainly the most active of the three men involved in the attacks, the one who used his connections both with organised crime and radical islam to achieve the group's goals.
Before he was killed by French SWAT, he also formally stated his affiliation to ISIS. Finally, a posthumous video was posted, showing Coulibaly in typical "mujahedeen" fashion claiming allegiance to Abubakr Al-Baghdadi, the ISIS Caliph, although his Arabic leaves much to be desired and gives this pledge a somewhat bizarre twist. The Islamic State on the other hand has not endorsed Coulibaly yet, limiting itself to acknowledging his deeds.
To most experts and analysts, the attacks thus look very much like the actions of a structured Al Qaeda cell – consisting mainly in the two Kouachi brothers – working hand in hand with Coulibaly and his network of informal ISIS affiliates. The general consensus therefore is that the Paris attacks were a one-off venture between members of an AQAP cell and a number of individuals who were more recently radicalized, and for whom ISIS may have had a stronger appeal.
This hypothesis certainly is the most credible one. All the evidence submitted so far supports it. However, a deeper and more structured connection between Coulibaly and ISIS shouldn't be dismissed outright, however unlikely it may seem at this point, as there are pieces in this puzzle that are worth looking into.
A plausible ISIS connection ?
First of all, it should be noted that Coulibaly's wife left France before the attacks, flying to Istanbul through Madrid and crossing into northern Syria, a territory under ISIS control, the day after the attacks began. She was not alone for this trip though: a man identified as Mehdi Belhoucine, was accompanying her.
Belhoucine is the younger brother to a well-known ISIS cyber-terrorist (Mohamed Belhoucine), who also served time with Coulibaly and fled into Syria sometime in 2014. One could certainly argue that Coulibaly just trusted the Belhoucine brothers enough to ask for his wife to be taken to safety, should anything happen to him. But the mere fact that these two men were involved in the exit strategy of Coulibaly's wife should certainly raise suspicions as to this being purely a coincidence.
There's also the Belgian connection, although the evidence about it is by far the most sketchy. Suffice to say that one of the places where Coulibaly bought his weapons from, i.e. the city of Verviers, was home to what Belgian police now consider another terror cell that was planning for imminent action. The leader of that cell was identified as Abdelhamid Abaaoud, a Belgian national who has fought for ISIS in Syria and is now allegedly hiding in Greece.
Seen independently, these pieces of information might be considered circumstantial evidence at best. Taken together, they reveal a certain trend. Added to well documented personal links between Coulibaly and proven ISIS members, they make up for a consistent body of corroborating evidence that will need looking into.
Personal links to the Islamic State
Two men in particular are of interest in that regard. One of them was already part of the Kouachi brothers network, back in 2003, the other one belongs to a group of more recent recruits.
The first man is Abubakr Al-Hakim, a close associate of Cherif Kouachi in the early 2000s, arrested in 2005 and subsequently sentenced to 7 years in jail. After his release in 2013, he left for Tunisia, where he joined "Ansar al Sharia", a jihadi group that pledged formal allegiance to ISIS in 2014 and is said to coordinate directly with Syria.
The other man worth mentioning, one who's even closer to ISIS' centre of gravity, is Salim Benghalem. He too served time in the mid-2000s and finally left France after his release from prison in 2012. But instead of leaving for North Africa, he chose to go to Syria and has since risen to fame in the ranks of ISIS.
Both these men, Abubakr Al Hakim and Salim Benghalem, were long-time acquaintances of Coulibaly. Both of them were in a position to coordinate or exchange information with Coulibaly, who was under no surveillance during the months prior to the Paris attacks. Both men are therefore could be the personal links connecting Coulibaly, the self-proclaimed ISIS affiliate, to the organisation itself.
Lots is still unclear about Amedy Coulibaly's activities in 2014. He has been on a kind of road trip during that year, visiting a number of Mosques in the Paris area, going to Belgium, driving through France. Who did he meet with ? How much of it had anything to do with the planning of the attacks ? Was there some kind of information exchanged with a higher echelon of ISIS ? All these questions remain unanswered yet, but they are at the core of the investigation and the case to be made about a possible "hybrid" cell, mixing trained Al Qaeda operatives with ISIS returnees, would be jihadis and a number of unknown middlemen.
More importantly for the future, the investigation will also have to look into a number of mistakes, wrong threat assessments and possible corrective measures to be taken, as the number of "old school" Islamic radicals that are still around - combined with the ever growing number of prison converts and jihad returnees - increases the likelihood of these attacks only being the beginning of something much more serious coming Europe's way.
Patrick, I experienced a lot of resistance reading this text. At one point I wondered if it had to do with the fact that you seem to be writing a suspense tale, where no doubt you have to draw in your readers, in a very different way, then you have to write if you are a reporter.
Then I wondered if you are simply trying to uphold your possible ISIS-AlQuaeda connection.
There was one point that raised my interest, since it was something that made me wonder as a sideline in trying to find out, why I have more problems with this ASUS laptop, then I ever, ever noticed before. And I am no novice. But for the first time in my life I have serious complaints about the apparent compilation of the larger system setup. Apparently Windows has troubles with recognizing the registered API or interfaces of the firm. It runs in circles. While acknowledging funnily enough, that I basically trust them.
At one point I stumbled across something peculiar. A search for something that raised my interest in the larger attempts to find out what exactly is happening, led me to a site where I was confronted with "on the surface" with something seemingly suggestive of "Arab interests", the information was buried somewhere behind that "front". There was much too much to follow it closely.
I was a bit puzzled about that fact. But strictly I wondered if they had in fact discovered something about our new IT security industry, I paid no interest to, matters are complex. Or in fact Arabic interest circles.
Concerning Belgium:
Verviers has a derelict charm, reminiscent of it's earlier wealth as a central cog in the textile industry. Molenbeek is slightly North of the part of Belgium that I know. A friend grew up there. Of the Beligium town you keep out of your tale as important: Charleroi, I mainly know the "Église romane"...
How many cities or suburbs do you think exist in Belgium or in France (Germany) for that matter, that could attract emigrants for the same reason, as e.g. artists. In search of cheap rent?
I have mainly followed your articles concerning this case. But at one point I took a look at, maybe a Guardian article. In any case that would fit.
Not sure, if I finished reading it. But among other things they dealt with Coulibaly's specific prison. Even had a video on that. All I remember beyond that, is the debates and "administrative necessities" or tools suggested in for being able to more easily administer it. ... At which point I stopped reading. But no doubt the prison itself may be interesting.
Posted by: LeaNder | 21 January 2015 at 10:10 AM
Thx for your input Leander. This last bit was the most tricky one, as we're dealing with events that are basically unfolding as we speak, while at the same time there are connections between the main players that go back for years in some cases.
Also, there's only so much "open source" info about the ongoing investigation, which is why the line has to be drawn here.
I also had to recapitulate some of the events and aspects already covered in previous parts, as not everybody might be such an good reader and have such as good memory as you ;-)
Also I don't want to be affirmative about the ISIS connection so I might add a question mark somewhere in there, because I'm definitely not keen on any kind of conspiracy theory, even a basic one such as this.
I might edit this version a little, but I wanted to get it out as quickly as possible ...
BTW, I would be interested in knowing more about the IT problems you encountered while doing your research, I didn't quite get that bit !
Posted by: Patrick Bahzad | 21 January 2015 at 10:44 AM
"BTW, I would be interested in knowing more about the IT problems"
I can imagine you are. Unfortunately my story would need to contain a series of events that did not contain IT evidence. But other peculiarities and odd coincidence, I never once experienced in my close to 65 years of life. Or that seemed and some still seem to feel peculiar in hindsight. Beyond pure IT forensics and questions..
I have not ever been politically active, but yes, I am interested in people and basically an observer in that context. The hyper-suspicious in the public mind: loner. That's why your reports drew my attention. You deal with people, and I somewhat hate to judge based, maybe, on my religion, although I hardly know much about it.
I had a rather crazy teacher in grade school, seriously, and later got my first two-week expulsion from school because I questioned my priest's knowledge of the architecture of Romanesque churches. And basically did not learn much about my church after that. My ethics are inspired by my secular mother. ...
Posted by: LeaNder | 21 January 2015 at 12:26 PM
What I wonder is if there exits a deep network of Islamist "Sayanim" (Hebrew: helpers).
I also wonder where the money for these operations came from? I suspect that Black market Kalashnikovs and RPGs would not be cheap in Western Europe.
Posted by: Walrus | 21 January 2015 at 04:21 PM
Yes There is a deep Network although network sounds very formal ... Remember they want to keep it as low profile as possible ... Low tech, high concept ... Or as AQAP theorists said "no organisation, just a system" ... But their number shouldn't be overestimated, let's not get paranoid yet ;-)
Posted by: Patrick Bahzad | 21 January 2015 at 04:30 PM
Sorry, Patrick, for cluttering your thread with another series of meditations above.
*********
Shortly about the "superficially Arab" website, or why I for loss of a better term called it "front".
It was one of very, very few links that turned up in Google of whatever item had caught my attention on the system. Maybe it was even the only link.
I write front, because it could be used as a way to go somewhere else. I searched for system specifics and ended on a simple clutter of ads. I don't pay attention to ads very much. Thus I cannot tell, apart from the fact that the text was in Arabic, what products were offered. Movies, soap, ... you know.
I didn't click on any of the ads, to see where it would lead me. I did not look up who registered the site.
All I did was use the site's search with the system files name. The result was a link to somewhere else, which was indeed helpful.
Which left me with the overall impression it was simply some type of entrance into the deeper/hidden web that search tools usually don't bring up.
Ages ago I had a specific search tool for this. Fact is I only seem to need it when I am getting too interested in what is going on my system, in other words when searches turn up empty, Mark Russinovich's tools and his and his comrades in IT arms and their books leave me alone on issues.
********
In the post 911 universe I stumbled across early Cyber war threat scenarios. The pictures found by police looking for deleted files, reminded me of something. Somewhere it was suggested that "the bad guys" could hide text and messages in image files.
Have they taken the thread scenario advise I wondered. Because strictly the cyber war scene at that point seemed to be like anyone else assessing danger from the ME.
http://rt.com/op-edge/224823-cyber-war-obama-speech-leaks/
A couple of years ago I curiously opened one item in my online Spam account. Mainly since it looked like a better trap. Out of curiosity I also opened the word text file attached. Only in the online reader. The web.mails security didn't register anything out of the usual. Neither did my Firewall/Protection software register anything. Only when I looked closer into matters I noticed that the file apparently contained a sophisticated macro routine.
Posted by: LeaNder | 21 January 2015 at 08:34 PM
I wish someone would try a more decentralized, localized approach to their internal counterterrorism effort and put the resources into that effort rather than into creating and beefing up national level centers. I'm afraid the lesson learned will be just more mass surveillance as Cameron recently babbled. All that does is bloat the bureaucracy and enrich the contractors. I would think a local police investigative effort that's better resourced, better coordinated and nationally (and internationally) supported would be a better answer to the one off, system rather than organization type attacks that are bound to increase.
Posted by: The Twisted Genius | 21 January 2015 at 10:50 PM
Patrick,
And thanks for this series of posts. Very informative.
Posted by: The Twisted Genius | 21 January 2015 at 10:51 PM
there are lots of ways of "smuggling" in malware, or even plain text MSGs, through something that looks very harmless, like a .jpg file for example.
The one thing that could set alarm bells off is the size of the attachment, if there is an obvious discrepancy between the usual size of an attachment like that and the one you receive in your mail box.
hidden text in files exchanged on legal/illegal "peer to peer" sites is a thing of the past now mostly, unless of course, there's no interception of the whole traffic going to a certain account or IP address, in which case you need physical access to the hard-drive or "brute force" entry to the site.
Posted by: Patrick Bahzad | 22 January 2015 at 03:49 AM
You're right and that is definitely one way of solving the problem, at least from a preventive intelligence point of view. CT officers in the field have been complaining for a while now about too little being done on the issue of HUMINT in our own backyard, i.e. regarding "homegrown" radicalism.
Posted by: Patrick Bahzad | 22 January 2015 at 03:51 AM
I intend on doing a piece sometime soon hopefully, about AQ and ISIS networks recruiting young radicals from western countries, mostly Europe or US. how they get trained on Syria or Iraq, what they're asked to do when they come back and how their clandestine activities are financed, etc. so financial issues will be covered as well, you would be surprized at how simple it is for these organisations to channel even significant amounts of money back into Western countries.
Posted by: Patrick Bahzad | 22 January 2015 at 03:54 AM