Exclusive

Found: The Islamic State's Terror Laptop of Doom

Buried in a Dell computer captured in Syria are lessons for making bubonic plague bombs and missives on using weapons of mass destruction.

ANTAKYA, Turkey — Abu Ali, a commander of a moderate Syrian rebel group in northern Syria, proudly shows a black laptop partly covered in dust. "We took it this year from an ISIS hideout," he says.

Abu Ali says the fighters from the Islamic State of Iraq and al-Sham (ISIS), which have since rebranded themselves as the Islamic State, all fled before he and his men attacked the building. The attack occurred in January in a village in the Syrian province of Idlib, close to the border with Turkey, as part of a larger anti-ISIS offensive occurring at the time. "We found the laptop and the power cord in a room," he continued. "I took it with me. But I have no clue if it still works or if it contains anything interesting."




As we switched on the Dell laptop, it indeed still worked. Nor was it password-protected. But then came a huge disappointment: After we clicked on "My Computer," all the drives appeared empty.

Appearances, however, can be deceiving. Upon closer inspection, the ISIS laptop wasn't empty at all: Buried in the "hidden files" section of the computer were 146 gigabytes of material, containing a total of 35,347 files in 2,367 folders. Abu Ali allowed us to copy all these files -- which included documents in French, English, and Arabic -- onto an external hard drive.

A screenshot of material found on the computer. The files appear to be videos of speeches by jihadist clerics.

The laptop's contents turn out to be a treasure trove of documents that provide ideological justifications for jihadi organizations -- and practical training on how to carry out the Islamic State's deadly campaigns. They include videos of Osama bin Laden, manuals on how to make bombs, instructions for stealing cars, and lessons on how to use disguises in order to avoid getting arrested while traveling from one jihadi hot spot to another.

But after hours upon hours of scrolling through the documents, it became clear that the ISIS laptop contains more than the typical propaganda and instruction manuals used by jihadists. The documents also suggest that the laptop's owner was teaching himself about the use of biological weaponry, in preparation for a potential attack that would have shocked the world.

The information on the laptop makes clear that its owner is a Tunisian national named Muhammed S. who joined ISIS in Syria and who studied chemistry and physics at two universities in Tunisia's northeast. Even more disturbing is how he planned to use that education: The ISIS laptop contains a 19-page document in Arabic on how to develop biological weapons and how to weaponize the bubonic plague from infected animals.

"The advantage of biological weapons is that they do not cost a lot of money, while the human casualties can be huge," the document states.

The document includes instructions for how to test the weaponized disease safely, before it is used in a terrorist attack. "When the microbe is injected in small mice, the symptoms of the disease should start to appear within 24 hours," the document says.

The laptop also includes a 26-page fatwa, or Islamic ruling, on the usage of weapons of mass destruction. "If Muslims cannot defeat the kafir [unbelievers] in a different way, it is permissible to use weapons of mass destruction," states the fatwa by Saudi jihadi cleric Nasir al-Fahd, who is currently imprisoned in Saudi Arabia. "Even if it kills all of them and wipes them and their descendants off the face of the Earth."

When contacted by phone, a staff member at a Tunisian university listed on Muhammed's exam papers confirmed that he indeed studied chemistry and physics there. She said the university lost track of him after 2011, however.


A photo of Muhammed S. found on his laptop. This image has been digitally altered. 

Out of the blue, she asked: “Did you find his papers inside Syria?” Asked why she would think that Muhammed’s belongings would have ended up in Syria, she answered, “For further questions about him, you better ask state security.”

An astonishing number of Tunisians have flocked to the Syrian battlefield since the revolt began. In June, Tunisia’s interior minister estimated that at least 2,400 Tunisians were fighting in the country, mostly as members of the Islamic State.

This isn't the first time that jihadists have attempted to acquire weapons of mass destruction. Even before the 9/11 attacks, al Qaeda had experimented with a chemical weapons program in Afghanistan. In 2002, CNN obtained a tape showing al Qaeda members testing poison gas on three dogs, all of which died.

Nothing on the ISIS laptop, of course, suggests that the jihadists already possess these dangerous weapons. And any jihadi organization contemplating a bioterrorist attack will face many difficulties: Al Qaeda tried unsuccessfully for years to get its hands on such weapons, and the United States has devoted massive resources to preventing terrorists from making just this sort of breakthrough. The material on this laptop, however, is a reminder that jihadists are also hard at work at acquiring the weapons that could allow them to kill thousands of people with one blow.

"The real difficulty in all of these weapons ... [is] to actually have a workable distribution system that will kill a lot of people," said Magnus Ranstorp, research director of the Center for Asymmetric Threat Studies at the Swedish National Defence College. "But to produce quite scary weapons is certainly within [the Islamic State's] capabilities."

The Islamic State's sweeping gains in recent months may have provided it with the capacity to develop such new and dangerous weapons. Members of the jihadi group are not solely fighting on the front lines these days -- they also control substantial parts of Syria and Iraq. The fear now is that men like Muhammed could be quietly working behind the front lines -- for instance, in the Islamic State-controlled University of Mosul or in some laboratory in the Syrian city of Raqqa, the group's de facto capital -- to develop chemical or biological weapons.

In short, the longer the caliphate exists, the more likely it is that members with a science background will come up with something horrible. The documents found on the laptop of the Tunisian jihadist, meanwhile, leave no room for doubt about the group's deadly ambitions.

"Use small grenades with the virus, and throw them in closed areas like metros, soccer stadiums, or entertainment centers," the 19-page document on biological weapons advises. "Best to do it next to the air-conditioning. It also can be used during suicide operations."

Photoillustration by FP/Image by Jenan Moussa and Harald Doornbos

Exclusive

The NSA's Cyber-King Goes Corporate

Here's why Keith Alexander thinks he's worth a million dollars a month.

Keith Alexander, the recently retired director of the National Security Agency, left many in Washington slack-jawed when it was reported that he might charge companies up to $1 million a month to help them protect their computer networks from hackers. What insights or expertise about cybersecurity could possibly justify such a sky-high fee, some wondered, even for a man as well-connected in the military-industrial complex as the former head of the nation's largest intelligence agency?

The answer, Alexander said in an interview Monday, is a new technology, based on a patented and "unique" approach to detecting malicious hackers and cyber-intruders that the retired Army general said he has invented, along with his business partners at IronNet Cybersecurity Inc., the company he co-founded after leaving the government and retiring from military service in March. But the technology is also directly informed by the years of experience Alexander has had tracking hackers, and the insights he gained from classified operations as the director of the NSA, which give him a rare competitive advantage over the many firms competing for a share of the cybersecurity market.

The fact that Alexander is building what he believes is a new kind of technology for countering hackers hasn't been previously reported. And it helps to explain why he feels confident in charging banks, trade associations, and large corporations millions of dollars a year to keep their networks safe. Alexander said he'll file at least nine patents, and possibly more, for a system to detect so-called advanced persistent threats, or hackers who clandestinely burrow into a computer network in order to steal secrets or damage the network itself. It was those kinds of hackers who Alexander, when he was running the NSA, said were responsible for "the greatest transfer of wealth in American history" because they were routinely stealing trade secrets and competitive information from U.S. companies and giving it to their competitors, often in China.

Alexander is believed to be the first ex-director of the NSA to file patents on technology that's directly related to the job he had in government. He said that he had spoken to lawyers at the NSA, and privately, to ensure that his new patents were "ironclad" and didn't rely on any work that he'd done for the agency -- which still holds the intellectual property rights to other technology Alexander invented while he ran the agency.

Alexander is on firm legal ground so long as he can demonstrate that his invention is original and sufficiently distinct from any other patented technologies. Government employees are allowed to retain the patents for technology they invent while working in public service, but only under certain conditions, patent lawyers said. If an NSA employee's job, for instance, is to research and develop new cybersecurity technologies or techniques, then the government would likely retain any patent, because the invention was directly related to the employee's job. However, if the employee invented the technology on his own time and separate from his core duties, he might have a stronger argument to retain the exclusive rights to the patent.

"There is no easy black-and-white answer to this," said Scott Felder, a partner with the law firm Wiley Rein LLP in Washington, adding that it's not uncommon for government employees to be granted patents to their inventions.

A source familiar with Alexander's situation, who asked not to be identified, said that the former director developed this new technology on his private time, and that he addressed any potential infractions before deciding to seek his patents.

But Alexander started his company almost immediately after stepping down from the NSA. As for how much the highly classified knowledge in his head influenced his latest creation, only Alexander knows.

In the interview, Alexander insisted that the cybersecurity technology he's inventing now is distinct enough from his work at the NSA that he can file for new patents -- and reap all the benefits that come with them. A patent prohibits any other individual, company, or government agency from using the underlying invention without a license from the patent holder.

But even if Alexander's new technology is legally unique, it is shaped by the nearly nine years he spent running an intelligence colossus. He was the longest-serving director in the history of the NSA and the first commander of the U.S. Cyber Command, responsible for all cybersecurity personnel -- defensive and offensive -- in the military and the Defense Department. From those two perches, Alexander had access to the government's most highly classified intelligence about hackers trying to steal U.S. secrets and disable critical infrastructure, such as the electrical power grid. Indeed, he helped to invent new techniques for finding those hackers and filed seven patents on cybersecurity technologies while working for the NSA.

Alexander used his influence to warn companies that they were blind to cyberthreats that only the NSA could see, and that unless they accepted his help, they risked devastating losses. Alexander wanted to install monitoring equipment on financial companies' websites, but he was rebuffed, according to financial executives who took part in the discussions. His attempts to make the NSA a cyber-watchdog on corporate networks were seen as a significant intrusion by government into private business.

Few, if any, independent inventors have seen such detailed, classified information about the way hackers work and what classified means the government has developed to fight them, all of which gives Alexander a competitive advantage in his new life as a businessman. That insider knowledge has raised eyebrows on Capitol Hill, where Rep. Alan Grayson (D-Fla.) has publicly questioned whether Alexander is effectively selling classified information in exchange for his huge consulting fee. (Bloomberg reported that the figure dropped to $600,000 after the $1 million figure raised hackles in Washington and among computer-security experts.)

Alexander said that his new approach is different than anything that's been done before because it uses "behavioral models" to help predict what a hacker is likely to do. Rather than relying on analysis of malicious software to try to catch a hacker in the act, Alexander aims to spot them early on in their plots. Only the market will tell whether his approach is as novel as he claims. (One former national security official with decades of experience in security technology, and who asked to remain anonymous, said the behavioral-model approach is highly speculative and has never been used successfully.)

The former NSA chief said that IronNet has already signed contracts with three companies -- which he declined to name -- and that he hopes to finish testing the system by the end of September.

"We've got a great solution. We've got to prove that it works," Alexander said. "It will be another way of looking at cybersecurity that gives us greater capabilities than we've had in the past."

Asked why he didn't share this new approach with the federal government when he was in charge of protecting its most important computer systems, Alexander said the key insight about using behavior models came from one of his business partners, whom he also declined to name, and that it takes an approach that the government hadn't considered. It's these methods that Alexander said he will seek to patent.

Alexander said that if he determines that he needs to use technology or methods that the NSA has patented, he will pay for a license, including for anything he helped to invent while he was in office and for which he doesn't own the rights. During his time at the NSA, Alexander said he filed seven patents, four of which are still pending, that relate to an "end-to-end cybersecurity solution." Alexander said his co-inventor on the patents was Patrick Dowd, the chief technical officer and chief architect of the NSA. Alexander said the patented solution, which he wouldn't describe in detail given the sensitive nature of the work, involved "a line of thought about how you'd systematically do cybersecurity in a network."

That sounds hard to distinguish from Alexander's new venture. But, he insisted, the behavior modeling and other key characteristics represent a fundamentally new approach that will "jump" ahead of the technology that's now being used in government and in the private sector.

Alexander said he was persuaded to start a security business and apply for patents after hearing from potential customers, including company executives, who said they were worried about hackers who could steal or even erase the proprietary data on their companies' computers. Alexander said they were particularly worried about threats like the Wiper virus, a malicious computer program that targeted the Iranian Oil Ministry in April 2012, erasing files and data.

That will come as a supreme irony to many computer security experts, who say that Wiper is a cousin of the notorious Stuxnet virus, which was built by the NSA -- while Alexander was in charge -- in cooperation with Israeli intelligence. The program disabled centrifuges in a nuclear plant in Iran in a classified operation known as Olympic Games. The United States has never acknowledged its involvement.

The United States isn't the only government capable of building data-erasing malware. Iran is building a formidable cyber-army, U.S. intelligence officials say, and is believed to be behind a 2012 attack on an oil company in Saudi Arabia that erased data from more than 30,000 computers. Iranian hackers also launched a series of cyberattacks on major U.S. bank websites the same year, intelligence officials say. The strike took Washington by surprise because it was so sophisticated and aggressive. The hackers hijacked data centers consisting of thousands of computers each and used them to flood the bank websites with digital traffic, causing them to crash.

Brendan Smialowski / AFP