Close Close Comment Creative Commons Donate Email Add Email Facebook Instagram Mastodon Facebook Messenger Mobile Nav Menu Podcast Print RSS Search Secure Twitter WhatsApp YouTube
PROPUBLICA The Right to Know Is Vital. Help Us Protect It.
DONATE

In 2008 Mumbai Attacks, Piles of Spy Data, But an Uncompleted Puzzle

Indian and British intelligence agencies monitored the online activities of a key plotter but couldn’t connect the dots.

The historic Taj Mahal Hotel in Mumbai, one of the sites of attacks by alleged militant gunmen on Nov. 27, 2008 (Indranil Mukherjee/AFP/Getty Images)

This story was co-published with The New York Times and Frontline.

In the fall of 2008, a 30-year-old computer expert named Zarrar Shah roamed from outposts in the northern mountains of Pakistan to safe houses near the Arabian Sea, plotting mayhem in Mumbai, India’s commercial gem.

Mr. Shah, the technology chief of Lashkar-e-Taiba, the Pakistani terror group, and fellow conspirators used Google Earth to show militants the routes to their targets in the city. He set up an Internet phone system to disguise his location by routing his calls through New Jersey. Shortly before an assault that would kill 166 people, including six Americans, Mr. Shah searched online for a Jewish hostel and two luxury hotels, all sites of the eventual carnage.

But he did not know that by September, the British were spying on many of his online activities, tracking his Internet searches and messages, according to former American and Indian officials and classified documents disclosed by Edward J. Snowden, the former National Security Agency contractor.

They were not the only spies watching. Mr. Shah drew similar scrutiny from an Indian intelligence agency, according to a former official who was briefed on the operation. The United States was unaware of the two agencies’ efforts, American officials say, but had picked up signs of a plot through other electronic and human sources, and warned Indian security officials several times in the months before the attack.

What happened next may rank among the most devastating near-misses in the history of spycraft. The intelligence agencies of the three nations did not pull together all the strands gathered by their high-tech surveillance and other tools, which might have allowed them to disrupt a terror strike so scarring that it is often called India’s 9/11.

“No one put together the whole picture,” said Shivshankar Menon, who was India’s foreign secretary at the time of the attacks and later became the national security adviser. “Not the Americans, not the Brits, not the Indians.”

Mr. Menon, now retired, recalled that “only once the shooting started did everyone share” what they had, largely in meetings between British and Indian officials, and then “the picture instantly came into focus.”

The British had access to a trove of data from Mr. Shah’s communications, but contend that the information was not specific enough to detect the threat. The Indians did not home in on the plot even with the alerts from the United States.

Clues slipped by the Americans as well. David Coleman Headley, a Pakistani-American who scouted targets in Mumbai, exchanged incriminating emails with plotters that went unnoticed until shortly before his arrest in Chicago in late 2009. United States counterterrorism agencies did not pursue reports from his unhappy wife, who told American officials long before the killings began that he was a Pakistani terrorist conducting mysterious missions in Mumbai.

That hidden history of the Mumbai attacks reveals the vulnerability as well as the strengths of computer surveillance and intercepts as a counterterrorism weapon, an investigation by The New York Times, ProPublica and the PBS series “Frontline” has found.

Although electronic eavesdropping often yields valuable data, even tantalizing clues can be missed if the technology is not closely monitored, the intelligence gleaned from it is not linked with other information, or analysis does not sift incriminating activity from the ocean of digital data.

This account has been pieced together from classified documents, court files and dozens of interviews with current and former Indian, British and American officials. While telephone intercepts of the assault team’s phone calls and other intelligence work during the three-day siege have been reported, the extensive espionage that took place before the attacks has not previously been disclosed. Some details of the operations were withheld at the request of the intelligence agencies, citing national security concerns.

“We didn’t see it coming,” a former senior United States intelligence official said. “We were focused on many other things — Al Qaeda, the Taliban, Pakistan’s nuclear weapons, the Iranians. It’s not that things were missed — they were never put together.”

After the assault began, the countries quickly disclosed their intelligence to one another. They monitored a Lashkar control room in Pakistan where the terror chiefs directed their men, hunkered down in the Taj and Oberoi hotels and the Jewish hostel, according to current and former American, British and Indian officials.

That cooperation among the spy agencies helped analysts retrospectively piece together “a complete operations plan for the attacks,” a top-secret N.S.A. document said.

The Indian government did not respond to several requests for official comment, but a former Indian intelligence official acknowledged that Indian spies had tracked Mr. Shah’s laptop communications. It is unclear what data the Indians gleaned from their monitoring.

Asked if Government Communications Headquarters, or GCHQ, Britain’s eavesdropping agency, should have had strong suspicions of a looming attack, a government official responded in a statement: “We do not comment on intelligence matters. But if we had had critical information about an imminent act of terrorism in a situation like this we would have shared it with the Indian government. So the central allegation of this story is completely untrue.”

The attacks still resonate in India, and are a continuing source of tension with Pakistan. Last week, a Pakistani court granted bail to a militant commander, Zaki-ur-Rehman Lakhvi, accused of being an orchestrator of the attacks. He has not been freed, pending an appeal. India protested his release, arguing it was part of a Pakistani effort to avoid prosecution of terror suspects.

The story of the Mumbai killings has urgent implications for the West’s duel with the Islamic State and other groups. Like Lashkar, the Islamic State’s stealthy communications and slick propaganda make it one of the world’s most technologically sophisticated terror organizations. Al Qaeda, which recently announced the creation of an affiliate in India, uses similar tools.

Although the United States computer arsenal plays a vital role against targets ranging from North Korea’s suspected assault on Sony to Russian cyberthieves and Chinese military hacking units, counterterrorism requires a complex mix of human and technical resources. Some former counterterrorism officials warn against promoting billion-dollar surveillance programs with the narrow argument that they stop attacks.

That monitoring collects valuable information, but large amounts of it are “never meaningfully reviewed or analyzed,” said Charles (Sam) Faddis, a retired C.I.A. counterterrorism chief. "I cannot remember a single instance in my career when we ever stopped a plot based purely on signals intelligence.”

The targeting of Mr. Shah’s communications also failed to detect Mr. Headley’s role in the Mumbai attacks, and National Security Agency officials did not see for months that he was pursuing a new attack in Denmark.

“There are small successes in all of this that don’t make up for all the deaths,” said Tricia Bacon, a former State Department intelligence analyst, referring to intelligence and broader efforts to counter Lashkar. “It’s a massive failure and some small successes.”

Lashkar’s Computer Chief

Zarrar Shah was a digitally savvy operative, a man with a bushy beard, a pronounced limp, strong ties to Pakistani intelligence and an intense hatred for India, according to Western and Indian officials and court files. The spy agencies of Britain, the United States and India considered him the technology and communications chief for Lashkar, a group dedicated to attacking India. His fascination with jihad established him as something of a pioneer for a generation of Islamic extremists who use the Internet as a weapon.

According to Indian court records and interviews with intelligence officials, Mr. Shah was in his late 20s when he became the “emir,” or chief, of the Lashkar media unit. Because of his role, Mr. Shah, together with another young Lashkar chief named Sajid Mir, became an intelligence target for the British, Indians and Americans.

Indian policemen prepare to take position at the site of attack in the Colaba area of Mumbai. (Indranil Mukherjee/AFP/Getty Images)

Lashkar-e-Taiba, which translates as “the Army of the Pure,” grew rapidly in the 1990s thanks to a powerful patron: the Inter-Services Intelligence Directorate (ISI), the Pakistani spy agency that the C.I.A. has worked with uneasily for years. Lashkar conducted a proxy war for Pakistan in return for arms, funds, intelligence, and training in combat tactics and communications technology. Initially, Lashkar’s focus was India and Kashmir, the mountainous region claimed by both India and Pakistan.

But Lashkar became increasingly interested in the West. A Qaeda figure involved in the Sept. 11, 2001, attacks on the World Trade Center was arrested in a Lashkar safe house in 2002. Investigators dismantled a Lashkar network as it plotted a bombing in Australia in 2003 while recruiting, buying equipment and raising funds in North America and Europe. In 2007, a French court convicted in absentia the ringleader, Mr. Mir. He remained at large in Pakistan under ISI protection, investigators say.

Lashkar’s alliance with the ISI came under strain as some of the militants pushed for a Qaeda-style war on the West. As a result, some ISI officers and terror chiefs decided that a spectacular strike was needed to restore Lashkar’s cohesion and burnish its image, according to interviews and court files. The plan called for a commando-style assault in India that could also hit Americans, Britons and Jews there.

The target was the centerpiece of Indian prosperity: Mumbai.

Hatching a Plot

Lashkar’s chiefs developed a plot that would dwarf previous operations.

The lead conspirators were alleged to be Mr. Mir and Mr. Lakhvi, according to interviews and Indian court files, with Mr. Shah acting as a technical wingman, running the communications and setting up the hardware.

In early 2008, Indian and Western counterterrorism agencies began to pick up chatter about a potential attack on Mumbai. Indian spy agencies and police forces gathered periodic leads from their own sources about a Lashkar threat to the city. Starting in the spring, C.I.A. warnings singled out the iconic Taj Mahal Palace Hotel and other sites frequented by Westerners, according to American and Indian officials. Those warnings came from electronic and human sources, not from tracking Mr. Shah, other officials said.

“The U.S. intelligence community — on multiple occasions between June and November 2008 — warned the Indian government about Lashkar threats in Mumbai,” said Brian Hale, a spokesman for the director of the Office of National Intelligence. “The information identified several potential targets in the city, but we did not have specific information about the timing or the method of attack.”

A redacted document contained an analysis of intelligence from Zarrar Shah’s online activities.

United States spy agencies also alerted their British counterparts, according to a senior American intelligence official. It is unclear if the warnings led to the targeting of Mr. Shah’s communications, but by the fall of 2008, the British had found a way to monitor Lashkar’s digital networks.

So had the Indians. But until the attacks, one Indian official said, there was no communication between the two countries on the matter.

Western spy agencies routinely share significant or “actionable” intelligence involving threats with allies, but sometimes do not pass on less important information. Even friendly agencies are typically reluctant to disclose their sources of intelligence. Britain and India, while cooperative, were not nearly as close as the United States and Britain. And India is not included in the tightest intelligence-sharing circles of international, eavesdropping agencies that the two countries anchor.

Intelligence officials say that terror plots are often discernible only in hindsight, when a pattern suddenly emerges from what had been just bits of information. Whatever the reason, no one fully grasped the developing Mumbai conspiracy. “They either weren’t looking or didn’t understand what it all meant,” said one former American official who had access to the intelligence and would speak only on the condition of anonymity. “There was a lot more noise than signal. There usually is.”

Flooded with Clues

Not long after the British gained access to his communications, Mr. Shah contacted a New Jersey company posing online as an Indian reseller of telephone services named Kharak Singh, purporting to be based in Mumbai. His Indian persona started haggling over the price of a voice-over-Internet phone service — also known as VoIP — that had been chosen because it would make calls between Pakistan and the terrorists in Mumbai appear as if they were originating in Austria and New Jersey.

"its not first time in my life i am perchasing in this VOIP business,” Mr. Shah wrote in shaky English, to an official with the New Jersey-based company when he thought the asking price was too high, the GCHQ documents show. “i am using these services from 2 years.”

Mr. Shah had begun researching the VoIP systems, online security, and ways to hide his communications as early as mid-September, according to the documents. As he made his plan, he searched on his laptop for weak communication security in Europe, spent time on a site designed to conceal browsing history, and searched Google News for “indian american naval exercises” — presumably so the seagoing attackers would not blunder into an overwhelming force.

Ajmal Kasab, the only terrorist who would survive the Mumbai attacks, watched Mr. Shah display some of his technical prowess. In mid-September, Mr. Shah and fellow plotters used Google Earth and other material to show Mr. Kasab and nine other young Pakistani terrorists their targets in Mumbai, according to court testimony.

Indian activists of the right-wing Hindu Shiv Sena organization burn an effigy of Pakistan’s Inter-Services Intelligence (ISI) during a demonstration against the November attacks. (Narinder Nanu/AFP/Getty Images)

The session, which took place in a huge “media room” in a remote camp on the border with Kashmir, was part of an effort to chart the terrorists’ route across the Arabian Sea, to a water landing on the edge of Mumbai, then through the chaotic streets. Videos, maps and reconnaissance reports had been supplied to Mr. Mir by Mr. Headley, the Pakistani-American who scouted targets.

“The gunmen were shown all this data from the reconnaissance,” said Deven Bharti, a top Mumbai police official who investigated the attacks, adding that the terrorists were trained to use Google Earth and global positioning equipment on their own. “Kasab was trained to locate everything in Mumbai before he went.”

If Mr. Shah made any attempt to hide his malevolent intentions, he did not have much success at it. Although his frenetic computer activity was often sprawling, he repeatedly displayed some key interests: small-scale warfare, secret communications, tourist and military locations in India, extremist ideology and Mumbai.

He searched for Sun Tzu’s “Art of War,” previous terror strikes in India and weather forecasts in the Arabian Sea, typed “4 star hotel in delhi” and “taj hotel,” and visited mapsofindia.com to pore over sites in and around Mumbai, the documents show.

Still, the sheer scale of his ambition might have served as a smokescreen for his focus on the city. For example, he also showed interest in Kashmir, the Indian Punjab, New Delhi, Afghanistan and the United States Army in Germany and Canada.

He constantly flipped back and forth among Internet porn and entertainment sites while he was carrying out his work. He appeared to be fascinated with the actor Robert De Niro, called up at least one article on the singer Taylor Swift, and looked at funny cat videos. He visited unexplainable.net, a conspiracy theory website, and conducted a search on “barak obama family + muslim.”

In late September and again in October, Lashkar botched attempts to send the attackers to Mumbai by sea. During that period, at least two of the C.I.A. warnings were delivered, according to American and Indian officials. An alert in mid-September mentioned the Taj hotel among a half-dozen potential targets, causing the facility to temporarily beef up security. Another on Nov. 18 reported the location of a Pakistani vessel linked to a Lashkar threat against the southern coastal area of Mumbai, where the attack would occur.

Eventually Mr. Shah did set up the VoIP service through the New Jersey company, ensuring that many of his calls to the terrorists would bear the area code 201, concealing their actual origin. But in November, the company’s owner wrote to the fictitious Indian reseller, Mr. Singh, complaining that no voice traffic was running on the digital telephone network. Mr. Shah’s reply was ominous, according to Indian law enforcement officials, who obtained evidence from the company’s communications records with F.B.I. assistance after the attack.

“Dear Sir,” Mr. Shah replied, “i will send trafic by the end of this month.”

By Nov. 24, Mr. Shah had moved to the Karachi suburbs, where he set up an electronic “control room” with the help of an Indian militant named Abu Jundal, according to his later confession to the Indian authorities. It was from this room that Mr. Mir, Mr. Shah and others would issue minute-by-minute instructions to the assault team once the attacks began. On Nov. 25, Abu Jundal tested the VoIP software on four laptops spread out on four small tables facing a pair of televisions as the plotters, including Mr. Mir, Mr. Shah and Mr. Lakhvi, waited for the killings to begin.

In a plan to pin the blame on Indians, Mr. Shah typed a statement of responsibility for the attack from the Hyderabad Deccan Mujahadeen — a fake Indian organization. Early on Nov. 26, Mr. Shah showed more of his hand: he emailed a draft of the phony claim to an underling with orders to send it to the news media later, according to American and Indian counterterrorism officials.

Before the attacks started that evening, the documents show, Mr. Shah pulled up Google images of the Oberoi Hotel and conducted Wikimapia searches for the Taj and the Chabad House, the Jewish hostel run by an American rabbi from Brooklyn who would die in the strike along with his pregnant wife. Mr. Shah opened the hostel’s website. He began Googling news coverage of Mumbai just before the attacks began.

An intercept shows what Mr. Shah was reading, on the news website NDTV, as the killings proceeded.

“Mumbai, the city which never sleeps, was brought to its knees on Wednesday night as it came under an unprecedented multiple terror attack,” the article said. “Even as heavily armed police stormed into Taj Hotel, just opposite the Gateway of India where suspected terrorists were still holed up, blood-soaked guests could be seen carried out into the waiting ambulances.”

A Trove of Data

In the United States, Nov. 26 was the Wednesday before Thanksgiving.

A long presidential election fight was over, and many officials in Washington had already drifted away for their long weekend. Anish Goel, director for South Asia at the National Security Council in the White House, left around 6 a.m. for the eight-hour drive to his parents’ house in Ohio. By the time he arrived, his BlackBerry was filled with emails about the attacks.

The Pakistani terrorists had come ashore in an inflatable speedboat in a fishermen’s slum in south Mumbai about 9 p.m. local time. They fanned out in pairs and struck five targets with bombs and AK–47s: the Taj, the Oberoi Hotel, the Leopold Cafe, Chabad House, and the city’s largest train station.

The killing was indiscriminate, merciless, and seemingly unstoppable over three horrific days. In raw, contemporaneous notes by analysts, the eavesdroppers seem to be making a hasty effort to understand the clues from the days and weeks before.

“Analysis of Zarrar Shah’s viewing habits” and other data “yielded several locations in Mumbai well before the attacks occurred and showed operations planning for initial entry points into the Taj Hotel,” the N.S.A. document said.

That viewing history also revealed a longer list of what might have been future targets. M.K. Narayanan, India’s national security adviser at the time, appeared to be concerned about that data from Mr. Shah in discussions with American officials shortly after the attacks, according to the WikiLeaks archive of American diplomatic cables.

A top secret GCHQ document described the capture of information on targets that Mr. Shah had identified using Google Earth.

The analysts seemed impressed by the intelligence haul — “unprecedented real-time active access in place!” — one GCHQ document noted. Another agency document said the work to piece the data together was “briefed at highest levels nationally and internationally, including the US National Security Adviser.”

As early reports of many casualties came in, Mr. Goel said the focus in Washington shifted to a question already preoccupying the White House: “Is this going to lead to a war between Pakistan and India?” American officials who conducted periodic simulations of how a nuclear conflict could be triggered often began with a terror attack like this one.

An Indian security official stands alert as smoke and flames billow from a section of The Taj Mahal Palace hotel. (Sajjad Hussain/AFP/Getty Images)

On Nov. 30, Mr. Goel was back at his office, reading a stack of intelligence reports that had accumulated on his desk and reviewing classified electronic messages on a secure terminal.

Amid the crisis, Mr. Goel, now a senior South Asia Fellow at the New America Foundation, paid little attention to the sources of the intelligence and said that he still knew little about specific operations. But two things stood out, he said: The main conspirators in Pakistan had already been identified. And the quality and rapid pacing of the intelligence reports made it clear that electronic espionage was primarily responsible for the information.

“During the attacks, it was extraordinarily helpful,” Mr. Goel said of the surveillance.

But until then, the United States did not know of the British and Indian spying on Mr. Shah’s communications. “While I cannot comment on the authenticity of any alleged classified documents, N.S.A. had no knowledge of any access to a lead plotter’s computer before the attacks in Mumbai in November 2008,” said Mr. Hale, the spokesman for the Office of the director of National Intelligence.

As N.S.A. and GCHQ analysts worked around the clock after the attacks, the flow of intelligence enabled Washington, London and New Delhi to exert pressure on Pakistan to round up suspects and crack down on Lashkar, despite its alliance with the ISI, according to officials involved.

In the stacks of intelligence reports, one name did not appear, Mr. Goel clearly recalls: David Coleman Headley. None of the intelligence streams from the United States, Britain or India had yet identified him as a conspirator.

The Missing American

Mr. Headley’s many-sided life — three wives, drug-smuggling convictions and a past as an informant for the United States Drug Enforcement Administration — would eventually collapse. But for now, he was a free man, watching the slaughter on television in Lahore, Pakistan, according to his later court testimony. At the time, he was with Faiza Outalha, his Moroccan wife, having reconciled with her after moving his Pakistani wife and four children to Chicago.

Mr. Headley’s unguarded emails reflected euphoria about Lashkar’s success. An exchange with his wife in Chicago continued a long string of incriminating electronic communications by Mr. Headley written in a transparent code, according to investigators and case files.

“I watched the movie the whole day,” she wrote, congratulating him on his “graduation.”

About a week later, Mr. Headley hinted at his inside information in an email to fellow alumni of a Pakistani military school. Writing about the young terrorists who carried out the mayhem in Mumbai, he said: “Yes they were only 10 kids, guaranteed. I hear 2 were married with a daughter each under 3 years old.” His subsequent emails contained several dozen news media photos of the Mumbai siege.

Almost immediately, Mr. Headley began pursuing a new plot with Lashkar against a Danish newspaper that had published cartoons of the Prophet Muhammad. He went to Denmark in January and cased the newspaper, meeting and exchanging emails with its advertising staff, according to his later testimony and court records. He sent messages to his fellow conspirators and emailed himself a reconnaissance checklist of sorts, with terms like “Counter-Surveillance,” “Security (Armed?)” and “King’s Square” — the site of the newspaper.

Those emails capped a series of missed signals involving Mr. Headley. The F.B.I. conducted at least four inquiries into allegations about his extremist activity between 2001 and 2008. Ms. Outalha had visited the United States Embassy in Islamabad three times between December 2007 and April 2008, according to interviews and court documents, claiming that he was a terrorist carrying out missions in India.

Mr. Headley also exchanged highly suspicious emails with his Lashkar and ISI handlers before and after the Mumbai attacks, according to court records and American counterterrorism officials. The N.S.A. collected some of his emails, but did not realize he was involved in terrorist plotting until he became the target of an F.B.I. investigation, officials said.

That inquiry began in July 2009 when a British tip landed on the desk of a rookie F.B.I. counterterrorism agent in Chicago. Someone named “David” at a Chicago pay phone had called two suspects under surveillance in Britain, planning to visit.

A rabbi pauses inside a room at the Nariman Chabad House in Mumbai, which for years remained in the same state as it was after the November 2008 attacks. (Indranil Mukherjee/AFP/Getty Images)

He had contacted the Britons for help with the plot, according to testimony. Customs and Border Protection used his flight itinerary to identify him while en route, and after further investigation, the F.B.I. arrested him at Chicago O’Hare Airport that October, as he was preparing to fly to Pakistan. For his role in the Mumbai attacks, he pleaded guilty to 12 counts and was sentenced to 35 years in prison.

After disclosures last year of widespread N.S.A. surveillance, American officials claimed that bulk collection of electronic communications led to Mr. Headley’s eventual arrest. But a government oversight panel rejected claims giving credit to the N.S.A.’s program to collect Americans’ domestic phone call records. Case files and interviews with law enforcement officials show that the N.S.A. played only a support role in the F.B.I. investigation that finally identified Mr. Headley as a terrorist and disrupted the Danish plot.

The sole surviving attacker of the Mumbai attack, Mr. Kasab, was executed in India after a trial. Although Pakistan denies any role in the attacks, it has failed to charge an ISI officer and Mr. Mir, who were indicted by American prosecutors. Though Mr. Shah and other Lashkar chiefs had been arrested, their trial remains stalled six years after the attack.

Mr. Menon, the former Indian foreign minister, said that a lesson that emerged from the tragedy in Mumbai was that “computer traffic only tells you so much. It’s only a thin slice.” The key is the analysis, he said, and “we didn’t have it.”

Sebastian Rotella, of ProPublica, reported from Chicago, India, New York and Washington; Jeff Larson of ProPublica, and Tom Jennings and Anna Belle Peevey of PBS’s “Frontline” contributed reporting from New York. New York Times journalists James Glanz reported from India, New York and Washington; David E. Sanger reported from Washington; Andrew W. Lehren contributed reporting from New York; and Declan Walsh from London.

Portrait of Sebastian Rotella

Sebastian Rotella

Sebastian Rotella is a reporter at ProPublica. An award-winning foreign correspondent and investigative reporter, Sebastian's coverage includes terrorism, intelligence and organized crime.

Latest Stories from ProPublica

Current site Current page