In 2008 Mumbai Attacks, Piles of Spy Data, but an Uncompleted Puzzle

Indian and British intelligence agencies monitored the online activities of a key plotter but couldn't connect the dots.
December 27, 2014 Updated: December 28, 2014

This story was co-published with the New York Times and Frontline.

In the fall of 2008, a 30-year-old computer expert named Zarrar Shah roamed from outposts in the northern mountains of Pakistan to safe houses near the Arabian Sea, plotting mayhem in Mumbai, India’s commercial gem. 

Mr. Shah, the technology chief of Lashkar-e-Taiba, the Pakistani terror group, and fellow conspirators used Google Earth to show militants the routes to their targets in the city. He set up an Internet phone system to disguise his location by routing his calls through New Jersey. Shortly before an assault that would kill 166 people, including six Americans, Mr. Shah searched online for a Jewish hostel and two luxury hotels, all sites of the eventual carnage.

But he did not know that by September, the British were spying on many of his online activities, tracking his Internet searches and messages, according to former American and Indian officials and classified documents disclosed by Edward J. Snowden, the former National Security Agency contractor.

They were not the only spies watching. Mr. Shah drew similar scrutiny from an Indian intelligence agency, according to a former official who was briefed on the operation. The United States was unaware of the two agencies’ efforts, American officials say, but had picked up signs of a plot through other electronic and human sources, and warned Indian security officials several times in the months before the attack.

An Indian soldier runs for cover outside the Taj Mahal Palace & Tower Hotel during an armed siege  in Mumbai, India, on Nov. 28, 2008. (Uriel Sinai/Getty Images)
An Indian soldier runs for cover outside the Taj Mahal Palace & Tower Hotel during an armed siege in Mumbai, India, on Nov. 28, 2008. (Uriel Sinai/Getty Images)

What happened next may rank among the most devastating near-misses in the history of spycraft. The intelligence agencies of the three nations did not pull together all the strands gathered by their high-tech surveillance and other tools, which might have allowed them to disrupt a terror strike so scarring that it is often called India’s 9/11.

“No one put together the whole picture,” said Shivshankar Menon, who was India’s foreign secretary at the time of the attacks and later became the national security adviser. “Not the Americans, not the Brits, not the Indians.”

Mr. Menon, now retired, recalled that “only once the shooting started did everyone share” what they had, largely in meetings between British and Indian officials, and then “the picture instantly came into focus.”

The British had access to a trove of data from Mr. Shah’s communications, but contend that the information was not specific enough to detect the threat. The Indians did not home in on the plot even with the alerts from the United States.

Clues slipped by the Americans as well. David Coleman Headley, a Pakistani-American who scouted targets in Mumbai, exchanged incriminating emails with plotters that went unnoticed until shortly before his arrest in Chicago in late 2009. United States counterterrorism agencies did not pursue reports from his unhappy wife, who told American officials long before the killings began that he was a Pakistani terrorist conducting mysterious missions in Mumbai.

That hidden history of the Mumbai attacks reveals the vulnerability as well as the strengths of computer surveillance and intercepts as a counterterrorism weapon, an investigation by The New York Times, ProPublica and the PBS series “Frontline” has found.

Although electronic eavesdropping often yields valuable data, even tantalizing clues can be missed if the technology is not closely monitored, the intelligence gleaned from it is not linked with other information, or analysis does not sift incriminating activity from the ocean of digital data.

Security officials survey a destroyed room inside the Taj Mahal Palace & Tower Hotel on Nov. 29, 2008, in Mumbai, India, after the armed siege. (Julian Herbert/Getty Images)
Security officials survey a destroyed room inside the Taj Mahal Palace & Tower Hotel on Nov. 29, 2008, in Mumbai, India, after the armed siege. (Julian Herbert/Getty Images)

This account has been pieced together from classified documents, court files and dozens of interviews with current and former Indian, British and American officials. While telephone intercepts of the assault team’s phone calls and other intelligence work during the three-day siege have been reported, the extensive espionage that took place before the attacks has not previously been disclosed. Some details of the operations were withheld at the request of the intelligence agencies, citing national security concerns.

“We didn’t see it coming,” a former senior United States intelligence official said. “We were focused on many other things — Al Qaeda, the Taliban, Pakistan’s nuclear weapons, the Iranians. It’s not that things were missed — they were never put together.”

After the assault began, the countries quickly disclosed their intelligence to one another. They monitored a Lashkar control room in Pakistan where the terror chiefs directed their men, hunkered down in the Taj and Oberoi hotels and the Jewish hostel, according to current and former American, British and Indian officials.

That cooperation among the spy agencies helped analysts retrospectively piece together “a complete operations plan for the attacks,” a top-secret N.S.A. document said.

The Indian government did not respond to several requests for official comment, but a former Indian intelligence official acknowledged that Indian spies had tracked Mr. Shah’s laptop communications. It is unclear what data the Indians gleaned from their monitoring.

Neeta, the sister of Harish Gohil, a bystander who was shot dead by militants, mourns over the body of her brother during a funeral procession in Mumbai on Nov. 29, 2008. (Indranil Mukherjee/AFP/Getty Images)
Neeta, the sister of Harish Gohil, a bystander who was shot dead by militants, mourns over the body of her brother during a funeral procession in Mumbai on Nov. 29, 2008. (Indranil Mukherjee/AFP/Getty Images)

Asked if Government Communications Headquarters, or GCHQ, Britain’s eavesdropping agency, should have had strong suspicions of a looming attack, a government official responded in a statement: “We do not comment on intelligence matters. But if we had had critical information about an imminent act of terrorism in a situation like this we would have shared it with the Indian government. So the central allegation of this story is completely untrue.”

The attacks still resonate in India, and are a continuing source of tension with Pakistan. Last week, a Pakistani court granted bail to a militant commander, Zaki-ur-Rehman Lakhvi, accused of being an orchestrator of the attacks. He has not been freed, pending an appeal. India protested his release, arguing it was part of a Pakistani effort to avoid prosecution of terror suspects.

The story of the Mumbai killings has urgent implications for the West’s duel with the Islamic State and other groups. Like Lashkar, the Islamic State’s stealthy communications and slick propaganda make it one of the world’s most technologically sophisticated terror organizations. Al Qaeda, which recently announced the creation of an affiliate in India, uses similar tools.

Although the United States computer arsenal plays a vital role against targets ranging from North Korea’s suspected assault on Sony to Russian cyberthieves and Chinese military hacking units, counterterrorism requires a complex mix of human and technical resources. Some former counterterrorism officials warn against promoting billion-dollar surveillance programs with the narrow argument that they stop attacks.

That monitoring collects valuable information, but large amounts of it are “never meaningfully reviewed or analyzed,” said Charles (Sam) Faddis, a retired C.I.A. counterterrorism chief. “I cannot remember a single instance in my career when we ever stopped a plot based purely on signals intelligence.”

The targeting of Mr. Shah’s communications also failed to detect Mr. Headley’s role in the Mumbai attacks, and National Security Agency officials did not see for months that he was pursuing a new attack in Denmark.

Indian leprosy patients light candles in remembrance of police officials who died in the Mumbai terror attacks, in Mumbai on Dec. 26, 2008. (Pal Pillai/AFP/Getty Images)
Indian leprosy patients light candles in remembrance of police officials who died in the Mumbai terror attacks, in Mumbai on Dec. 26, 2008. (Pal Pillai/AFP/Getty Images)

 

Indian Christians offer prayers for those killed in the Nov. 26 Mumbai attacks in Mumbai on Dec. 14, 2008. (Sajjad Hussain/AFP/Getty Images)
Indian Christians offer prayers for those killed in the Nov. 26 Mumbai attacks in Mumbai on Dec. 14, 2008. (Sajjad Hussain/AFP/Getty Images)

“There are small successes in all of this that don’t make up for all the deaths,” said Tricia Bacon, a former State Department intelligence analyst, referring to intelligence and broader efforts to counter Lashkar. “It’s a massive failure and some small successes.”

Lashkar’s Computer Chief

Zarrar Shah was a digitally savvy operative, a man with a bushy beard, a pronounced limp, strong ties to Pakistani intelligence and an intense hatred for India, according to Western and Indian officials and court files. The spy agencies of Britain, the United States and India considered him the technology and communications chief for Lashkar, a group dedicated to attacking India. His fascination with jihad established him as something of a pioneer for a generation of Islamic extremists who use the Internet as a weapon.

According to Indian court records and interviews with intelligence officials, Mr. Shah was in his late 20s when he became the “emir,” or chief, of the Lashkar media unit. Because of his role, Mr. Shah, together with another young Lashkar chief named Sajid Mir, became an intelligence target for the British, Indians and Americans.

Lashkar-e-Taiba, which translates as “the Army of the Pure,” grew rapidly in the 1990s thanks to a powerful patron: the Inter-Services Intelligence Directorate (ISI), the Pakistani spy agency that the C.I.A. has worked with uneasily for years. Lashkar conducted a proxy war for Pakistan in return for arms, funds, intelligence, and training in combat tactics and communications technology. Initially, Lashkar’s focus was India and Kashmir, the mountainous region claimed by both India and Pakistan.

But Lashkar became increasingly interested in the West. A Qaeda figure involved in the Sept. 11, 2001, attacks on the World Trade Center was arrested in a Lashkar safe house in 2002. Investigators dismantled a Lashkar network as it plotted a bombing in Australia in 2003 while recruiting, buying equipment and raising funds in North America and Europe. In 2007, a French court convicted in absentia the ringleader, Mr. Mir. He remained at large in Pakistan under ISI protection, investigators say.

Lashkar’s alliance with the ISI came under strain as some of the militants pushed for a Qaeda-style war on the West. As a result, some ISI officers and terror chiefs decided that a spectacular strike was needed to restore Lashkar’s cohesion and burnish its image, according to interviews and court files. The plan called for a commando-style assault in India that could also hit Americans, Britons and Jews there.

The target was the centerpiece of Indian prosperity: Mumbai.

Hatching a Plot

Lashkar’s chiefs developed a plot that would dwarf previous operations.

The lead conspirators were alleged to be Mr. Mir and Mr. Lakhvi, according to interviews and Indian court files, with Mr. Shah acting as a technical wingman, running the communications and setting up the hardware.

In early 2008, Indian and Western counterterrorism agencies began to pick up chatter about a potential attack on Mumbai. Indian spy agencies and police forces gathered periodic leads from their own sources about a Lashkar threat to the city. Starting in the spring, C.I.A. warnings singled out the iconic Taj Mahal Palace Hotel and other sites frequented by Westerners, according to American and Indian officials. Those warnings came from electronic and human sources, not from tracking Mr. Shah, other officials said.

Indian police officers stand guard at the Mumbai police headquarters where the only surviving Mumbai attacker, Mohammed Ajmal Amir Iman, was being held in Mumbai on Dec. 24, 2008. (Sajjad Hussain/AFP/Getty Images)
Indian police officers stand guard at the Mumbai police headquarters where the only surviving Mumbai attacker, Mohammed Ajmal Amir Iman, was being held in Mumbai on Dec. 24, 2008. (Sajjad Hussain/AFP/Getty Images)

“The U.S. intelligence community — on multiple occasions between June and November 2008 — warned the Indian government about Lashkar threats in Mumbai,” said Brian Hale, a spokesman for the director of the Office of National Intelligence. “The information identified several potential targets in the city, but we did not have specific information about the timing or the method of attack.”

A redacted document contained an analysis of intelligence from Zarrar Shah's online activities.
A redacted document contained an analysis of intelligence from Zarrar Shah’s online activities.

United States spy agencies also alerted their British counterparts, according to a senior American intelligence official. It is unclear if the warnings led to the targeting of Mr. Shah’s communications, but by the fall of 2008, the British had found a way to monitor Lashkar’s digital networks.

So had the Indians. But until the attacks, one Indian official said, there was no communication between the two countries on the matter.

Western spy agencies routinely share significant or “actionable” intelligence involving threats with allies, but sometimes do not pass on less important information. Even friendly agencies are typically reluctant to disclose their sources of intelligence. Britain and India, while cooperative, were not nearly as close as the United States and Britain. And India is not included in the tightest intelligence-sharing circles of international, eavesdropping agencies that the two countries anchor.

Intelligence officials say that terror plots are often discernible only in hindsight, when a pattern suddenly emerges from what had been just bits of information. Whatever the reason, no one fully grasped the developing Mumbai conspiracy. “They either weren’t looking or didn’t understand what it all meant,” said one former American official who had access to the intelligence and would speak only on the condition of anonymity. “There was a lot more noise than signal. There usually is.”

Flooded with Clues

Not long after the British gained access to his communications, Mr. Shah contacted a New Jersey company posing online as an Indian reseller of telephone services named Kharak Singh, purporting to be based in Mumbai. His Indian persona started haggling over the price of a voice-over-Internet phone service — also known as VoIP — that had been chosen because it would make calls between Pakistan and the terrorists in Mumbai appear as if they were originating in Austria and New Jersey.

“its not first time in my life i am perchasing in this VOIP business,” Mr. Shah wrote in shaky English, to an official with the New Jersey-based company when he thought the asking price was too high, the GCHQ documents show. “i am using these services from 2 years.”

Mr. Shah had begun researching the VoIP systems, online security, and ways to hide his communications as early as mid-September, according to the documents. As he made his plan, he searched on his laptop for weak communication security in Europe, spent time on a site designed to conceal browsing history, and searched Google News for “indian american naval exercises” — presumably so the seagoing attackers would not blunder into an overwhelming force.

Ajmal Kasab, the only terrorist who would survive the Mumbai attacks, watched Mr. Shah display some of his technical prowess. In mid-September, Mr. Shah and fellow plotters used Google Earth and other material to show Mr. Kasab and nine other young Pakistani terrorists their targets in Mumbai, according to court testimony.