Al-Qaeda and Snowden: Correlation, Causation, and Temporal Analysis

Al-Qaeda and Snowden: Correlation, Causation, and Temporal Analysis

August 6, 2014 • Christopher Ahlberg

Our recent research on Al-Qaeda encryption again generated a tremendous amount of interest which we were thrilled to see, with stories in NPR, Wall Street Journal, Ars Technica, ABC News, Washington Post, etc. Much of the reaction was very positive and underscored the combined value of open source analysis and reverse engineering.

There was also critique in social media, some of it passionate. This is not surprising because former NSA contractor Edward Snowden’s actions raise political, ethical, and legal questions. Others critiqued our analytic approach and here we respond to those comments.

The critique falls in the post hoc ergo propter hoc camp, “Hey you’re claiming causality when you barely can see correlation,” and variations on that theme. We will use our response as an opportunity to reason about sequences of events, correlation, and causation which is very important to what we do as a company … so let’s dive in!

It’s worth observing upfront we’re obviously not performing a controlled experiment here. We can’t create two sub groups of Al-Qaeda, expose one of them to Snowden leaks — and one not — and study the effects. Likewise we’re inherently dealing with small numbers, so there’s no statistical significance to study.

When conducting analysis we have to be exact about the question we’re trying to analyze. Our hypothesis is the Snowden leaks influenced Al-Qaeda’s crypto product innovation.

Nothing else.

(Example: We’re not making any claims regarding their use of couriers which was very effective way before Snowden, and kept Osama bin Laden safe for a decade. That’s no small feat!)

Let’s study the hypothesis carefully.

We have two subjects here, so let’s examine and analyze each one.

  • (a) Al-Qaeda is a networked organization, so our hypothesis forces us to study data regarding an organization that’s distributed and decentralized, but with multiple distribution hub elements.
  • (b) The Al-Qaeda encryption platform is published and distributed publicly. It’s not a secret. We can easily visit the web pages of GIMF (gimfmedia[.]com/tech) and Al-Fajr Technical Committee (alfajrtaqni[.]net/english[.]html) and find information regarding these products. We can also observe the development of this platform over time which establishes a baseline of product releases (via product download pages and forum messages).

In 2007 Al-Qaeda (AQ) had one encryption product (Asrar) for one platform (PC) which has since been periodically updated (e.g., in 2008). In 2014 Al-Qaeda (and offshoots) has six products for three platforms: PC, chat, and mobile. See our analysis for complete timelines.

So, now we need to determine whether this platform upgrade:

  • Happened as AQ saw a threat to their current platform post Snowden leaks.
  • Happened organically as the technology landscape developed — any viable technology organization will upgrade their products, launch on new platforms, etc.
  • Happened due to other another independent factor.

To support (a) — our hypothesis — we establish the following:

  • (i) AQ observed the Snowden leaks and established intent to improve their platform.
  • (ii) AQ capabilities increased through a platform upgrade.
  • (iii) AQ timeline of actions in platform shift accelerated significantly compared to baseline, post Snowden — matching the timing in (i).
  • (iv) There has been ongoing and active developments in crypto technology and crypto products in the 2007 to 2013 time frame. In other words, the known robust products all had multiple, regular releases.

Let’s study (i) to (iv) one-by-one.

(i) AQ has stated that they’ve observed the news of Snowden and intelligence agencies monitoring telecommunications infrastructure, etc. The text below is from the GIMF Mobile Encryption for Android page: www.gimfmedia[.]com/tech/en/download-mobile-encryption.

With the increased spread and circulation of smartphones worldwide, especially phones running the Android operating system, users in the Arab and Muslim countries have become very reliant on them in their daily life. Smartphones are used for internet access, emails, and navigating news and social networking websites, and thousands are even using smartphones to follow the news of jihad in Islamic countries. This requires a degree of security precaution, in accordance with the words of Allah SWT: “Take your precautions, especially in the midst of the rapidly developing news about the cooperation of global companies with the international intelligence agencies, in the detection of data exchanged over smartphones.”

This leaves little room for argument. AQ/GIMF saw the Snowden leaks, established need of precaution, and established intent to improve security.

(ii) AQ has launched five new products/product upgrades that improves their capabilities, matching their intent. In fact, we can study this in open source and confirm it with reverse engineering techniques.

(iii) The increase in capability in (ii) timing wise falls post Snowden leaks with a significant uptick in activity post May 2013, compared to the baseline early 2007 to May 2013.

(iv) From 2007, the time of release of the original Mujahideen Secrets, there has been ongoing and varied development of crypto products and libraries. Some significant examples include the Bouncy Castle API with a very active release cycle, the CryptoSMS libraries, the anonymously developed TrueCrypt with very active release cycle, multiple OpenSSL major releases, etc. On top of this we also see Apple and Android completely disrupt mobile communications with no AQ software for mobile until the Snowden leaks. AQ did not follow this development cycle until the Snowden leaks.

In summary we can establish (i) intent followed by (ii) increase in capability with (iii) significant acceleration in timeline, after years of low activity in contrast to (iv) a backdrop of ongoing very active crypto development.

Further Analysis of Al-Qaeda Encryption Technology

As mentioned above, we recently released two reports related to Al-Qaeda encryption. Click either image below to review each analysis in further detail.

Hidden Lynx Analysis

Hidden Lynx Analysis

New call-to-action

Related Posts

How Agencies Can Refine Threat Intelligence Through Automation

How Agencies Can Refine Threat Intelligence Through Automation

September 16, 2021 • The Recorded Future Team

Editor’s Note: In this guest blog post, Federal News Network sits down with Stu Solomon,...

Stay Ahead of Global Uncertainty With Real-time Geopolitical Intelligence for Esri

Stay Ahead of Global Uncertainty With Real-time Geopolitical Intelligence for Esri

April 28, 2021 • Ellen Wilson

For a complete understanding of the threats to their organizations, all intelligence analysts must...

Security Intelligence Handbook Chapter 11: Geopolitical Intelligence Identifies IT Risks Across the Globe

Security Intelligence Handbook Chapter 11: Geopolitical Intelligence Identifies IT Risks Across the Globe

March 30, 2021 • The Recorded Future Team

Editor’s Note: We’re sharing excerpts from the third edition of our popular book, “The...