Confirmed: the Government Hid–and Is Still Hiding–Manssor Arbabsiar’s First Docket

I first raised questions of why the government had charged Manssor Arbabsiar–the Scary Iran Plotter–with an amended complaint almost two weeks ago. As I noted then, the obvious existence of an earlier sealed complaint might suggest the possibility that Arbabsiar was charged with something entirely different than the murder-for-hire charges he got charged with on October 11.

First (and this is what got me looking at the docket in the first place), the complaint is an amended complaint. That says there’s a previous complaint. But that complaint is not in the docket. Not only is it not in the docket, but the docket starts with the arrest on September 29 (notice the docket lists his arrest twice, on both September 29 and October 11), but the numbering starts with the amended complaint (normally, even if there were a sealed original complaint, it would be incorporated within the numbering, such that the docket might start with the amended complaint but start with number 8 or something).

Two things might explain this. First, that there was an earlier unrelated complaint–say on drug charges, but the charges are tied closely enough to this op such that this counts as an amended complaint. Alternately, that Arbabsiar was charged with a bunch of things when he was arrested on September 29, but then, after at least 12 days of cooperation (during which he waived Miranda rights each day), he was charged with something else and the new complaint incorporated Ali Gholam Shakuri’s involvement, based entirely on Arbabsiar’s confession and Shakuri’s coded conversations with Arbabsiar while the latter was in US custody. [emphasis original]

If Arbabsiar were originally charged with something different than he was charged with on October 11–for example, if he were charged with drug charges that might put him away for hard time–it might explain why he waived Miranda rights for 12 days in a row, when he had, on 5 different occasions in his past, hired lawyers to represent him when he got in legal trouble.

Well, this filing not only confirms that an earlier complaint exists–the earlier complaint is dated September 28–but it confirms my suspicion the complaint is in a different docket that is entirely sealed.

On September 28, 2011, Magistrate Judge James C. Francis IV authorized a complaint bearing docket number 11 Mag. 2534 (“Sealed Complaint”), charging the above-listed defendant. The Sealed Complaint is attached hereto as Exhibit A.

On October 11, 2011, Magistrate Judge Michael H. Dolinger authorized an Amended Complaint (11 Mag. 2617) charging the defendant and Gholam Shakuri (“Amended Complaint”). By order of the Honorable Loretta A. Preska, dated October 11, 2011, the Sealed Complaint was ordered to remain sealed. On October 11, 2011, the defendant was presented on only the Amended Complaint.

The Government respectfully requests that the Court enter a limited unsealing order permitting the Government to produce the Sealed Complaint in redacted form to defense counsel as part of the discovery process. The Sealed Complaint would otherwise remain sealed.

First, compare the docket numbers:

First Complaint: 11-mg-2534

Amended Complaint: 11-mg-2617

Criminal Indictment: 11-cr-897

These are three entirely different dockets.

A search for criminal magistrate docket 11-2534 returns nothing. Which means the docket–the entire docket–is and remains sealed.

This increases the likelihood that the first complaint charges entirely different charges–such as opium charges–than the amended complaint does.

Indeed, the language of this letter appears to suggest that only Arbabsiar was charged in the first complaint. Even if this earlier complaint pertained to murder-for-hire charges, this might make sense–as I have pointed out, most of the current charges are conspiracy charges that would involve at least two defendants. But the letter suggests–by stating only that “the defendant was presented on only the Amended Complaint”–that there may be charges unique to Arbabsiar, completely unrelated charges that hang over him still–that weren’t charged because of his 12-day cooperation to implicate Shakuri.

And here’s the kicker. The government isn’t even telling Arbabsiar’s defense counsel all of what was in that first complaint. They are asking that she receive the complaint in redacted form.

So not only are they hiding the original basis of his arrest from us–US citizens and the world community, to whom the government claimed this is an international incident. But they’re hiding parts of this earlier complaint even from the public defender tasked to actually represent this guy.

Why Does Duqu Matter?

The short answer is that if your PC got infected by Stuxnet last year, you were just collateral damage, unless you were operating a very specific set of uranium enrichment centrifuges. If you get Duqu this year, your network is under attack from a CIA/Mossad operation. That might seem a little outrageous, but bear with me while we get into the weeds of what Duqu is all about. I will lay out a set of assertions that lead to the conclusion that Duqu really is the “precursor to the next Stuxnet” as Symantec say in their whitepaper.

1. Stuxnet was created by the CIA and the Mossad

Although no one has officially claimed responsibility for Stuxnet, both the U.S. and Israeli governments have done everything but take official responsibility. Neither government has ever denied responsibility, even when directly asked. In fact, officials in both governments have been reported as breaking out in big smiles when the subject comes up.

2. Duqu is from the same team that created Stuxnet.

The first clue that Duqu is from the Stuxnet team is the similarities between the rootkit components in both pieces of malware. The folks who have studied the two most closely are sure that Duqu is based on the Stuxnet component’s source code. Despite what you may have read on the internet, the actual source code to Stuxnet is not publicly available. Some folks have reverse-engineered some of the Stuxnet source code from the binaries that are available; for various technical reasons, I’m sure that these don’t serve as the basis for Duqu.

Duqu even has a fix for a bug in Stuxnet. Also, the only two pieces of malware in history to install themselves as Windows device drivers with legitimate, but stolen, digital certificates are Stuxnet and Duqu. Both Stuxnet and Duqu were active in the wild and managed to evade detection for many months. While that’s not unheard of for malware, it is another point of similarity.

Stuxnet targeted a specific industrial control system (ICS) installation (the Siemens PLCs that were used to control the centrifuges at Natanz). Here’s the latest on what Duqu targets:

Some of the companies affected or targeted by Duqu include the actual equipment that an ICS would control such as motors, pipes, valves and switches. To date, the vendors that make the PLC, controllers and systems/applications found in control centers are not yet affected, although this information could change as more variants are identified and these vendors look more closely at their systems.

There are no other instances of computer malware that target these sorts of installations.

 

3. Stuxnet was a worm, Duqu is not.

Stuxnet was a very aggressive computer worm. It had to be to jump the “air gap” that protects a secure ICS such as the system that ran the Natanz installation. When Stuxnet was discovered, the A-V vendors quickly discovered millions of computers had been (benignly) infected with Stuxnet. Duqu, on the other hand, has been found on only a handful of computers. Interestingly, no one has yet discovered the dropper, that is, the program used to place the Duqu rootkit on the infected machines. This is almost certainly because Duqu is being placed on these machines via a spear phishing attack. In spear phishing, specific targets are chosen and the attack is customized to the target.

4. Duqu is being used to download a RAT (Remote Access Trojan)

The rootkit component was used to download a standalone program designed to steal information from the computer that it has infected (including screenshots, keystrokes, lists of files on all drives, and names of open windows). Duqu is doing computer network reconnaissance. The information gathered by Duqu is very useful for planning future attacks. Before the command and control server was taken off-line, Symantec observed Duqu downloading three additional files to an infected machine. The first was a module that could be injected into other processes running on the machine to gather some process-specific information as well as the computer’s local and system times (including time zone and daylight savings time bias). Another downloaded module was used to extend the normal 36-day limitation on Duqu installations. The last downloaded module was a stripped down version of the standalone RAT, lacking the key logging and file exploration functionality.

5. Put it all together and it adds up to a well-executed, highly targeted covert operation

For the last ten months, Duqu has been quietly stalking a small number of industrial manufacturers. No one even noticed before early September and it wasn’t until last week that the nature of the threat was clear to anyone. Duqu is spying on a handful of companies, gathering data that will be used for the design and development of the true Stuxnet 2.0. One thing we don’t know is who the target of Stuxnet 2.0 will be. But I have a suspicion. Nothing indicates that the ultimate target (i.e., Iran) of the Stuxnet team has changed. In August of this year, Iran announced that it had activated its first pre-production set of its newer IR-2m and IR-4 centrifuges. These are the successors to the centrifuges that Stuxnet attacked. If you wanted to do to these centrifuges what Stuxnet did to the earlier IR-1 centrifuges, you would need a lot of specific data about the safe operating specs of the various components that go into making advanced centrifuges. If you knew or suspected who was supplying Iran with these components, you might want to gather some data from the internal networks of those suppliers. That’s what I think the point of Duqu really is.

The OTHER Saudi Assassination Plotter Got a Reduced Sentence in July

This post from Cannonfire reminded me how convenient for our country it is that Moammar Qaddafi was executed rather than captured alive and tried: he will not be able to tell anyone, now that he’s dead, how Ibn Sheikh al-Libi, who under torture provided one of the casus belli for the Iraq war, came to be suicided in a Libyan prison just as Americans started focusing on torture in 2009.

That, plus the death of the Saudi Crown Prince Sultan bin Abdul-Aziz al Saud, made me think of another plot Qaddafi brings to his grave: that he had purportedly arranged to assassinate then Crown Prince now King Abdullah. The evidence to support that plot mostly came from Abdulrahman Alamoudi, a prominent American Muslim who was arrested in 2003 on charges he violated trade sanctions against Libya.

Tell me if this sounds familiar. A naturalized American citizen is arrested upon re-entry to the country and charged with a bunch of crimes. After a period of no bail, he confesses to participation in the assassination plot of a top Saudi.

Court documents said the assassination plot arose from a March 2003 conference at which Libyan leader Moammar Gaddafi and Prince Abdullah had a heated exchange. Angered at how Gaddafi was treated, Libyan officials recruited Alamoudi.

Even after he learned that the target was Abdullah, Alamoudi shuttled money and messages between Libyan officials and the two Saudi dissidents in London, the documents said. Although Gaddafi is not named as a planner, sources familiar with the case have said he appears in the documents as “Libyan government official #5,” who met personally with Alamoudi.

Mind you, though the judge considered the assassination plot in Alamoudi’s sentence, he pleaded guilty not to murder-for-hire, but to prohibited financial transactions with Libya (the kind of thing JPMC just got its wrist slapped for), unlawful procurement of naturalization, and tax evasion.

Anyway, thinking about the similarities between that case and the Scary Iran Plot led me to consult Alamoudi’s docket (most of which is not available online). What happens to a guy convicted in connection with plotting with a nasty African dictator as we launch the war to finally kill that dictator?

Well, it turns out that at about the time it was clear we’d stick around to ensure Qaddafi died in this kinetic action, a sealed document got filed in Alamoudi’s case. And, on July 20, 2011, Alamoudi got about 30% knocked off his sentence, from 276 months to 197.

Mind you, no one was hiding the fact that Alamoudi would continue to cooperate with authorities while in prison–so it’s no surprise his sentence got lowered. Nor does Alamoudi’s sentence reduction necessarily have anything to do with Alamoudi’s testimony in the assassination plot.

But I do expect, a decade from now, that’s what’s going to happen to Manssor Arbabsiar’s docket.

Scary Iran Plot: FBI Had No Need to Investigate Arbabsiar’s Corpus Christi Past

So imagine this scenario.

A DEA informant calls up his handler out of the blue and says,

Omigod! Some crazy Iranian just approached me to arrange some kind of hit on behalf of this Iranian terror organization. He asked about explosives (I bragged about my C4 expertise.) He found me through my aunt in Corpus Christi. She says she knows him from when he used to be a used car salesman.

The DEA calls the FBI. What’s one of the first things the FBI would do?

Maybe look him up in the FBI’s own files (they find he doesn’t have a federal record). And just after that, you’d think they’d start investigating him in Corpus Christi, where Narc knew him to have connections. Maybe call the cops there and see if they knew this crazy Iranian. Which, since Arbabsiar has a pretty consistent record of petty arrests and lawsuits, they do.

Which is why it’s sort of odd that the FBI never contacted the Corpus Christi cops–they first talked to them the day after Arbabsiar was charged.

Arbabsiar had previous arrests in Nueces County during nearly 20 years living in the area.

That meant arrest records and personal details were on file in the county’s warehouse. But no one from any federal agency ever asked for the folder, Kaelin said.

“From an intelligence-gathering standpoint, even the tiniest bits of information could have a connection to something bigger,” he said. “They never asked to see it.”

In fact, FBI agents never contacted the sheriff’s office or the police department about their investigation into Arbabsiar.

That’s all the more weird given that some of the criminal files on Arbabsiar were on dead tree files in a warehouse from back in the day when the FBI itself didn’t really use computers (you know, like last year).

Now, my scenario sounds weird, almost impossible, particularly in the age of information sharing between local cops and national counterterrorism investigators. Even if they were worried about keeping Narc’s identity secret–which I’m sure is particularly critical so close to the border in South Texas–you’d think they’d at least go and make discreet investigations about Arbabsiar (particularly given the claims that, by the end of the investigation, FBI officers seemed to be going out of their way to make their presence known).

Neighbors, however, said it had been years since Arbabsiar lived in the stucco house he once shared with his wife on a suburban cul-de-sac. They said it appeared that as many as 10 people were living in the house, and lately there had been some signs of suspicious activity: When residents looked for available Wi-Fi networks, networks with names like “FBI Van 1” would pop up.

Unless …

Unless they didn’t need to do that background research on Arbabsiar when Narc purportedly came to them out of the blue to tell them about this crazy Iranian seeking an assassin purportedly out of the blue.

The FBI’s seeming disinterest in learning about Arbabsiar from the law enforcement officials who ostensibly knew him best suggests they already knew about him when he approached Narc.

(As a number of media outlets have reported, the Grand Jury has indicted the plotters, a mere nine days after the Administration started making an international incident about this. I’ll update or do a post once the indictment is in the docket.)

Did Duqu fix the bug that revealed Stuxnet?

 
Duqu isn’t Christopher Lee in Attack of the Clones, but it is the newest computer malware to hit mainstream consciousness. It’s attracting attention mainly because it is based on the same software source code base as the Windows portion of Stuxnet. If you haven’t heard about Duqu, check out the Wired article that first alerted me to its existence. If you are interested in the technical details, you need to read the excellent write-up by Symantec (pdf link).

Unfortunately, the twitterverse, blogosphere, and the computer security profession all seem to be caught up in a hype/debunking/speculation cycle that is spreading more heat than light. The primary significance of Duqu is what it tells us about the operation behind Stuxnet and Duqu, i.e. that it is an on-going enterprise conducting computer espionage and sabotage around the world. The fact that it is rather obviously (though not publicly) run by the U.S. intelligence community should concern everyone.

I’ll put up a more extensive post later (including a timeline!) detailing what the Duqu phase of the Stuxnet operation tells us about the cyberwarfare strategy of the U.S. and how it is endangering the safety and security of the U.S. and the whole industrialized world. But first, I want to remind everyone how Stuxnet was originally discovered:

… the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.
 
 

This incident became curiouser and curiouser as Symantec, Langner, and others took apart Stuxnet. There wasn’t any obvious reason that Stuxnet would have caused that sort of behavior on an infected computer. I even wondered at the time whether or not Stuxnet’s cover was blown intentionally since the perpetrators moved quickly to call further attention to themselves. But, thanks to the good work of the Symantec team, we can surmise something quite revealing about the initial discovery of Stuxnet.
 
The rootkit component of Duqu is quite similar to, but not exactly the same as, the one in Stuxnet. In both cases, if the infected computer gets rebooted while it is infected, the rootkit wants to make sure that it is running before the operating system is fully loaded. That’s why this rootkit (both flavors, Stuxnet and Duqu) is packaged as a hardware device driver. Here’s a feature of Duqu’s driver that wasn’t present in Stuxnet (as described by Symantec on page 4 of the pdf linked above):

The driver then registers a DriverReinitializationRoutine and calls itself (up to 200 times) until it is able to detect the presence of the HAL.DLL file. This ensures the system has been initialized to a point where it can begin injecting the main DLL.

The bolded portion is the new functionality that wasn’t present in Stuxnet. As a software developer, this detail tells me a lot. The driver is checking to make sure that the hardware abstraction layer (HAL.DLL) of Windows is loaded before it proceeds with the re-infection routine. The HAL is a portion of the Windows OS that really needs to be loaded before device drivers can function properly. Between the time that Stuxnet was deployed and this later version was compiled, the Stuxnet team identified a problem (a race condition) with their software being loaded before the HAL, probably only under the rarest of circumstances. So they modified their program to take this possible condition into account.

As I thought about this, I realized that the likely impact of the Stuxnet device driver being loaded before the HAL was properly initialized would almost certainly be that the machine would continuously crash and reboot. Look again at how Stuxnet was first discovered (remember it was in the wild for at least a full year before it was noticed by any anti-virus vendor):

… the VirusBlokAda security firm in Minsk, received what seemed to be a relatively mundane email on June 17, 2010. An Iranian firm was complaining that its computers were behaving strangely, shutting themselves down and then rebooting. Ulasen and a colleague spent a week examining the machines. Then they found Stuxnet. VirusBlokAda notified other companies in the industry, including Symantec.

By November 3, 2010 (the compile date of the Duqu component), the Stuxnet team had fixed the bug that led to the discovery of Stuxnet last year. And then went almost another full year without being discovered by the anti-virus vendors. It is likely to be a lot harder to reconstruct what the Stuxnet team has been up to this time around, but it is clear that the operation is on-going and we can assume (unless specific information turns up pointing in a different direction) that the primary target is still the Iranian nuclear program.
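The symptom described above (machines shutting down and rebooting, traced to a driver that loads very early) suggests a simple triage check, shown here as an added example that is not part of the original post: scan centrally collected Windows System-log events for hosts with a burst of unclean reboots and list kernel drivers registered for boot or system start shortly before the burst. Event IDs 6008, 41 and 7045 are the standard Windows ones; the record layout, thresholds, host names and driver names are constructed assumptions.

```python
"""Triage sketch: hosts in a crash/reboot cycle vs. recently registered early-load drivers."""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows System-log event IDs.
UNEXPECTED_SHUTDOWN = 6008   # EventLog: previous system shutdown was unexpected
KERNEL_POWER = 41            # Kernel-Power: rebooted without a clean shutdown
SERVICE_INSTALLED = 7045     # Service Control Manager: a service was installed
CRASH_IDS = {UNEXPECTED_SHUTDOWN, KERNEL_POWER}
EARLY_START = {"boot start", "system start"}  # start types that load before user logon


def _ev(host, time, event_id, **fields):
    """Build one record in the (assumed) flattened export format."""
    return {"host": host, "time": time, "event_id": event_id, **fields}


# Constructed sample records; none of these hosts or drivers are real.
SAMPLE_EVENTS = [
    _ev("WS-01", "2024-03-10T09:00:00", 7045, service_name="exampledrv",
        image_path=r"\SystemRoot\System32\drivers\exampledrv.sys",
        service_type="kernel mode driver", start_type="boot start"),
    _ev("WS-01", "2024-03-11T10:00:00", 7045, service_name="ExampleUpdater",
        image_path=r"C:\Program Files\Example\updater.exe",
        service_type="user mode service", start_type="auto start"),
    _ev("WS-01", "2024-03-12T08:01:00", 6008),
    _ev("WS-01", "2024-03-12T08:01:30", 41),    # same reboot as the 6008 above
    _ev("WS-01", "2024-03-12T08:20:00", 6008),
    _ev("WS-01", "2024-03-12T08:45:00", 6008),
    _ev("WS-02", "2024-03-12T07:00:00", 6008),  # a single unclean reboot
    _ev("WS-02", "2024-03-12T07:00:20", 41),
    _ev("WS-03", "2024-03-09T12:00:00", 7045, service_name="exampleusb",
        image_path=r"\SystemRoot\System32\drivers\exampleusb.sys",
        service_type="kernel mode driver", start_type="demand start"),
    _ev("WS-03", "2024-03-12T13:00:00", 41),
    _ev("WS-03", "2024-03-12T13:30:00", 41),
    _ev("WS-03", "2024-03-12T14:10:00", 41),
]


def _crash_times(host_events, dedupe=timedelta(minutes=10)):
    """Sorted crash timestamps, collapsing 6008/41 pairs logged for the same reboot."""
    kept = []
    for t in sorted(e["time"] for e in host_events if e["event_id"] in CRASH_IDS):
        if not kept or t - kept[-1] > dedupe:
            kept.append(t)
    return kept


def _first_burst(crashes, min_crashes, window):
    """Return (start, count) of the first run of >= min_crashes inside window, else None."""
    for i, start in enumerate(crashes):
        count = sum(1 for t in crashes[i:] if t - start <= window)
        if count >= min_crashes:
            return start, count
    return None


def triage(events, min_crashes=3, window=timedelta(hours=24),
           lookback=timedelta(days=30)):
    """List hosts in a reboot cycle with early-load kernel drivers installed beforehand.

    A valid signature is deliberately not used to exclude a driver: the post
    notes that both drivers carried legitimate but stolen certificates.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append({**e, "time": datetime.fromisoformat(e["time"])})

    findings = []
    for host, evs in sorted(by_host.items()):
        burst = _first_burst(_crash_times(evs), min_crashes, window)
        if burst is None:
            continue
        first, count = burst
        drivers = sorted(
            (e["service_name"], e["image_path"]) for e in evs
            if e["event_id"] == SERVICE_INSTALLED
            and e["service_type"].lower() == "kernel mode driver"
            and e["start_type"].lower() in EARLY_START
            and first - lookback <= e["time"] <= first
        )
        findings.append({"host": host, "crashes": count,
                         "first_crash": first.isoformat(),
                         "early_drivers": drivers})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A host that is flagged with an empty `early_drivers` list (WS-03 in the sample) is still in a reboot cycle; it only means no boot-start or system-start driver registration was logged inside the lookback window.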

Spy v. Spy, Terrorist v. Terrorist: All the Usual Suspects Now Implicated in Scary Iran Plot

Here in the Midwest, we’ve got lions and tigers and bears running around today, and even other animals, like monkeys, that aren’t members of the NFC North.

In the Middle East, it seems everyone’s rolling out the usual suspects to impugn in the Scary Iran Plot. The most humorous is Bahrain’s use of David Ignatius to send Obama a message. Not only did Bahrain’s Foreign Minister Sheikh Khalid Al-Khalifa warn that, “This is really serious. It’s coming to your shores now” and repeat Saudi allegations that Gholam Shakuri had a role in opposition to the Bahraini King (though, in calling Shakuri only an “important ‘Iranian interlocutor’,” the Foreign Minister actually sounded more measured than the Saudis).

But then the Foreign Minister throws in a jab at Ahmad Chalabi.

Khalifa mentioned one more name of interest to American observers of the Middle East — the Iraqi Shiite politician Ahmed Chalabi. Lobbying by Chalabi played an important role in mobilizing the Bush administration to invade Iraq in 2003; since then he’s been jockeying for power in Baghdad and, increasingly, tilting toward Iran on regional issues.

The peripatetic Chalabi has now taken up the cause of Bahrain’s Shiite community, pressuring the government in Manama and even, at one point last spring when the political confrontation was intense there, proposing to organize a rescue “flotilla” to deliver aid, on the model of the Turkish flotilla that tried to enter Gaza last year.

“We would regard him as an Iranian agent, no doubt,” said Khalifa.

To be fair, this sounded like a throwaway, not a direct response to Scary Iran Plot. Except to the extent that Scary Iran Plot is about the Sunni-Shiite fight for hegemony in the Middle East, the one we first disturbed by going to war on Chalabi’s say-so.

Still, I was waiting for someone like Chalabi or Manucher Ghorbanifar or Michael Ledeen to show up in this tale, so I’m pleased to find Chalabi here, like an old friend.

The far more interesting development–as MadDog and lysias pointed out here–is the Iranian propaganda announcement that Gholam Shakuri is actually an MEK member.

Interpol has found new evidence showing that the number two suspect in connection with the alleged Iranian government’s involvement in a plot to assassinate the Saudi ambassador to Washington is a key member of the terrorist Mojahedin Khalq Organization (MKO), the Mehr News Agency has learnt.

Gholam Shakuri was last seen in Washington and Camp Ashraf in Iraq where MKO members are based.

The person in question has been travelling to different countries under the names of Ali Shakuri/Gholam Shakuri/Gholam-Hossein Shakuri by using fake passports including forged Iranian passports. One passport used by the person was issued on 30/11/2006 in Washington. The passport number was K10295631.

The accusation got picked up by the NYT, which in turn got a denial from the MEK.

The opposition group itself dismissed the Mehr report as nonsense. Shahin Gobadi, a spokesman, said in an e-mailed response that “this is a well-known tactic that has been used by the mullahs in the past 30 years where they blame their crimes on their opposition for double gains.”

So after we had the United States lecturing other countries about illegal assassinations and rule of law, we’ve got one terrorist organization (albeit one whose material supporters in the US rather remarkably aren’t treated like the material supporters of other terrorist organizations) accusing another terrorist organization of crimes.

There are times I’m really comforted that my neighborhood has nothing but Lions and Tigers and Bears running around.

Why Did the Scary Iran Plotter Speak Directly from a Contested Treasury Department Script?

As I noted on Friday, Manssor Arbabsiar’s cousin, Abdul Reza Shahlai, who purportedly directed him to arrange a plot with Los Zetas, was sanctioned by the Treasury Department in 2008, in part for involvement in an attack in Karbala.

Iran-based Abdul Reza Shahlai–a deputy commander in the IRGC–Qods Force–threatens the peace and stability of Iraq by planning Jaysh al-Mahdi (JAM) Special Groups attacks against Coalition Forces in Iraq.  Shahlai has also provided material and logistical support to Shia extremist groups–to include JAM Special Groups–that conduct attacks against U.S. and Coalition Forces.  In one instance, Shahlai planned the January 20, 2007 attack by JAM Special Groups against U.S. soldiers stationed at the Provincial Joint Coordination Center in Karbala, Iraq.  Five U.S. soldiers were killed and three were wounded during the attack.

But as Gareth Porter pointed out yesterday, there are reasons to doubt the US has proof of Shahlai’s role in that attack. Porter’s original report on this from 2007 describes Michael Gordon trying, unsuccessfully, to get Brigadier General Kevin Bergner to provide real evidence of Iranian involvement in the plot. And he describes David Petraeus specifically denying the claim.

Another indication that the command had no evidence of Iranian involvement in the attack was the statements of the top commander in Iraq, Gen. David Petraeus, on the issue in an April 26 press briefing. Petraeus had referred to a 22-page memorandum captured with the Shiite prisoners that he said “detailed the planning, preparation, approval process and conduct of the operation that resulted in five of our soldiers being killed in Karbala.” But he did not claim that either the document or the interrogation of Khazali had suggested any Iranian or Hezbollah participation in, much less direction of the planning of the Karbala assault.

Later in that briefing, a reporter asked whether Petraeus was “saying that there was evidence of Iranian involvement in that [Karbala] operation?” Petraeus responded, “No. No. No. That—first of all, that was the operation that you mentioned, and we do not have a direct link to Iranian involvement in that particular case.”

At the time Petraeus made this statement, Khazali, the chief of the militia group that had carried out the attack, had been in U.S. custody for more than a month. Despite nearly five weeks of intensive interrogation of Khazali, Petraeus’s comments would indicate that U.S. officials had not learned anything that implicated Iran or Hezbollah in the planning or execution of the Karbala attack.

Porter’s post yesterday describes officers subsequently reiterating that the Iraqis, not the Iranians, launched this plot.

In a news briefing in Baghdad Jul. 2, 2007, Gen. Kevin Bergner confirmed that the attack in Karbala had been authorised by the Iraqi chief of the militia in question, Kais Khazali, not by any Iranian official.

Col. Michael X. Garrett, who had been commander of the U.S. Fourth Brigade combat team in Karbala, confirmed to this writer in December 2008 that the Karbala attack “was definitely an inside job”.

Now, perhaps Treasury had additional evidence by the time it sanctioned Shahlai, perhaps not. But suffice it to say the claim that Shahlai had a role in that plot is at least contested, and there is reason to believe it is outright false.

Which is why I find it so interesting that, among the other things Manssor Arbabsiar repeats to Narc about Shahlai, is that he had ties to a bombing in Iraq.

ARBABSIAR further explained that his cousin was “wanted in America,” had been “on the CNN,” and was a “big general in [the] army.” ARBABSIAR further explained that there were a number of parts to the army of Iran and that his cousin “work[s] in outside, in other countries for the Iranian government[.]” ARBABSIAR further explained that his cousin did not wear a uniform or carry a gun, and had taken certain unspecified actions related to a bombing in Iraq. Compare supra ¶ 17. [my emphasis]

That reference back to paragraph 17? It’s a reference to the complaint’s background on the Quds Force. Note the content carefully:

[T]he IGRC is composed of a number of branches, one of which is the Qods Force. The Qods Force conducts sensitive covert operations abroad, including terrorist attacks, assassinations, and kidnappings, and provides weapons and training to Iran’s terrorist and militant allies. Among many other things, the Qods Force is believed to sponsor attacks against Coalition Forces in Iraq, and in October 2007, the United States Treasury Department designated the Qods Force, pursuant to Executive Order 13224, for providing material support to the Taliban and other terrorist organizations.

Note, the Treasury designation the FBI Agent refers to is not the 2008 designation naming Shahlai directly in connection to the Karbala plot, but instead an earlier one first designating Quds Force for material support to the Taliban.

Telling Stories about What Iran Is Capable Of

As I’ve mused on twitter and in comment threads, I’ve started wondering who paid more for Scary Iran Plot, the US Government or (allegedly) Quds Force?

After all, it’s clear that Narc offered up the idea to attack Adel al-Jubeir at a restaurant with explosives rather than, say, shooting him or poisoning him. Narc invented the fictional 150 civilians who would be at the restaurant. Narc invented the fictional Senators who might be killed in the blast. Narc said he could, “blow him up or shoot him,” and Arbabsiar said, “how is possible for you.” When Narc warned about those fictional casualties, Arbabsiar said, “if you can do it outside, do it” (though he clearly okayed collateral damage if necessary). Thus, even assuming there is nothing else funny about the plot, it’s clear that Narc authored the most spectacular details of it, the ones that resulted in terrorism and WMD charges rather than just murder-for-hire, and quite possibly the ones that made this an alleged act of war against the US, rather than just an attack on Saudi Arabia.

Even assuming the Iranians dreamt up this plot, the US wrote the screenplay for it.

So how much did each side pay to create this plot?

I’d put the Quds force tab at $175,000. They allegedly advanced $100,000 for some kind of plot–but refused to send any more money. And on July 17, Arbabsiar describes asking Shahlai for “another $15.” Given that that happened in month 6 of a 9 month plot, I think it fair to estimate he was paid three installments of $15,000, or $45,000. Add in $30,000 for Shakuri’s time, and you’ve got $175,000. (It’s not clear whether Arbabsiar paid for his international flights out of his advance, but I’ll also leave out the much greater travel costs on the American side. Further, all this assumes we haven’t paid in the past or agreed to pay Arbabsiar in the future for his part in the plot.)

The government, for its part, paid Narc to work Arbabsiar for at least four months. They paid Craig Monteilh $11,800 a month to run around safe mosques to try to entrap aspirational terrorists in LA; I presume they’d pay more for an actual cartel member to risk his life as an informant in Mexico. But let’s assume they paid the same rate they paid Monteilh, which would work out to $47,200, remarkably, about what Quds Force allegedly seems to have paid Arbabsiar. In addition, we’ve got at least the time of Robert Woloszyn, the FBI Agent who wrote the complaint. He doesn’t seem to have been Narc’s handler, so you’ve got Narc’s handler working long hours. In the press conference rolling out this case, Preet Bharara said two prosecutors, their two supervisors, the Deputy US Attorney, and the Acting Criminal head in NY “have [not] gotten much sleep lately.” In addition to SDNY, there was involvement from the Houston US Attorney and FBI offices, Houston DEA (which may be where Narc’s handler worked), NY’s JTTF. And all those intelligence personnel who played a critical role that we can’t discuss (except in anonymous leaks to journalists). Now clearly, many of these people were probably not personally involved in the crafting of a story that took alleged Quds Force intent to attack Saudi Arabia and turned it into the spectacular attack on a fictional restaurant in DC. But it’s probably safe to say that the US Government paid as much to craft this plot as the Quds Force allegedly did, even before you account for the money spent surveilling Arbabsiar, Shahlai, and Shakuri before the plot as well as the money spent stopping it.

With that in mind, check out the language State Department Spokesperson Victoria Nuland uses to describe how other countries are receiving the State Department’s efforts to persuade them to treat this plot as real.

Other countries are buying the basic idea of the plot, Nuland said, despite fairly widespread skepticism among Iran watchers about the likelihood the Quds Force would put such a clumsy plan into place.

“Countries may find it quite a story, but they’re not surprised that Iran would be capable of something like this,” she said.

It seems that our allies may be just as skeptical as many American observers that the Quds Force planned the precise plot that–it is clear–Narc’s handlers wrote the screenplay for. But, Nuland says, they buy the basic idea of it–“they’re not surprised that Iran would be capable of something like this.”

We had to invent this entire screenplay–perhaps investing as much money or more as Quds Force allegedly did–to get our allies to agree that the Quds Force might engage in terrorism? Didn’t they already know that?

(I sort of wonder whether our representatives are also asking our allies whether they think we’re capable of assassinating nuclear scientists?)

Therein lies the problem with the American practice of using stings to craft the scariest terror story possible. If the sheer improbability of it makes the story less credible, if all it does is reinforce a widely held belief, then doesn’t the theatricality of it work against the government?

The Missing Dirty Bomb that Set Off the Chain of Death

Several days ago, I finished listening to Joby Warrick’s The Triple Agent. It’s quite good, both in terms of readability and news value. But since I have the Audible, not the dead tree, version I wasn’t able to transcribe what I found to be one of the most interesting passages in it.

Luckily, that incident is precisely what he told Tom Ricks he wished people had noticed, so now Ricks has basically transcribed it for me!

BD: What is the one question you’d like to answer about the book that nobody has asked you?

JW: Some of the events in the book have never been described elsewhere, and I’ve been surprised that few reviewers or interviewers have asked about them. One favorite: a description in the book of a dirty-bomb threat that emanated from Pakistan mid-2009 and raised alarms at the highest levels of the U.S. government. Information gleaned through SIGINT intercepts suggested strongly that the Pakistani Taliban (TTP) had acquired “nuclear” material–presumably radioactive sources useable in a dirty bomb–and were trying to decide what to do with it. Concerns over a possible dirty-bomb attack directly factored into the decision to take out TTP leader Baitullah Mehsud, who was killed in a drone strike on Aug. 5 of that year. No radioactive material was subsequently found, and to this day, no one knows what happened to it, or indeed, whether it ever existed.

As Warrick revealed, the reason we were so intent on taking out Mehsud is because of intelligence that he might have the radioactive material for a dirty bomb (IIRC, the CIA was responding to SIGINT they deemed to be code). As tends to happen when we use uranium to justify war, no nukes were found.

A pity for Mehsud’s young wife, who also died in that attack (Warrick describes how they died on their rooftop in some detail).

I raise this not just to recommend Warrick’s book, but to remind you how our government decided to claim the retaliation for this drone strike by Mehsud’s brother was a crime, presumably because the escalating series of revenge ended in Humam al-Balawi’s Khost attack.

But the mention of CIA’s drone campaign in Pakistan raises a bunch more problems with DOJ’s charges. For starters, Mehsud’s wife–a civilian–was reportedly killed in that January drone strike too. Both the uncertainty the CIA has about its purportedly scalpel-like use of drones and the civilian deaths they’ve caused illustrate the problem with drones in the first place. Civilians–CIA officers–are using them in circumstances with significant collateral damage. It would be generous to call the use of drones in such situations an act of war; some legal experts have said the CIA officers targeting the drones are as much illegal combatants as al Qaeda fighters themselves.

The affidavit describing the evidence to charge Mehsud doesn’t say it, but underlying his alleged crime is the potential US crime of having civilians target non-combatants in situations that cannot be described as imminently defensive.

Charging someone for revenge on CIA’s illegal killing

Which leads us to the crimes for which they’re charging Mehsud: conspiracy to murder and conspiracy to use a WMD (bombs) against a US national while outside of the United States. Basically, DOJ is charging Mehsud with conspiring with Humam Khalil Mulal al-Balawi, the Jordanian doctor who committed the suicide bombing at Khost that killed 7 CIA officers and contractors.

Now, there’s not much doubt that Mehsud did conspire with al-Balawi. I just doubt whether it could be fairly called a crime. The affidavit describes two videos in which Mehsud stands side by side with al-Balawi. In one, both al-Balawi and Mehsud describe the upcoming attack as revenge for killings in the drone program–most importantly, of Mehsud’s brother Baitullah Mehsud from a CIA drone strike in August 2009.

Al-Balawi then continues alone: “This itishhadi [martyrdom-seeking attack] will be the first of the revenge against the Americans.” After additional declarations of revenge by al-Balawi, MEHSUD resumes speaking in Pashtu, explaining the motive for the upcoming suicide attack by al-Balawi, that is the death of the former emir of the TTP, Baitullah Meshud [sic] which MESHUD [sic] attributes to the Americans.

Remember, too, that al-Balawi was a double agent. The Americans believed he was helping them target people, people just like Mehsud. That means al-Balawi (and presumably through him, Mehsud) knew he was specifically targeting those behind the earlier killings in Pakistan when he killed them.

So al-Balawi successfully killed people who were either civilians, in which case their own strikes at Baitullah Mehsud and others may be illegal, or people who were acting as soldiers, in which case the attack on their base was presumably legal under the law of war. And for helping al-Balawi, DOJ is now charging Mehsud with conspiracy.

The affidavit, of course, neglects to mention any of these details.

Let me be clear: the Administration’s stupid attempt to apply this double standard doesn’t make the Khost bombing any less tragic. But it did strike me as a pathetic attempt to cloak a disastrous blood feud, for all sides, in legal niceties to somehow make it seem like something else.

But I find it all the more ironic that the whole blood feud was triggered with yet another nuke claim that may have been wrong.

Scary Iran Plot: Follow the Money

A number of people–from MadDog to the Administration–have claimed that the money trail in the Scary Iran Plot is what makes it credible.

I’d like to lay out what the Administration showed in the complaint–as opposed to in its predictable trail of anonymous leaks that the Administration apparently believes can replace actual evidence–regarding the money trail. I actually find their anonymous claims that the money trail shows more damning details to be more believable than some of the other things they’ve said about this. But the most solid evidence described in the complaint–as I described here–shows money being delivered with no explanation into the hands of a person, Individual #1, and from there being sent to the US. Yet Individual #1 doesn’t even appear to be Quds Force and was neither charged in the complaint nor sanctioned by Treasury.

Money was exchanged, but for what?

Before I lay out what the money details show, though, let’s lay out the many possible operations the money paid for. According to Manssor Arbabsiar’s confession, his cousin Abdul Reza Shahlai told him to go get drug traffickers to kidnap the Saudi Ambassador. Arbabsiar’s confession says it evolved into a capture or kill deal (though says it did so in conversations with Gholam Shakuri and Hamed Abdollahi, not Shahlai). The complaint also mentions plans of “attacking an embassy of Saudi Arabia” (Narc’s account of the May 24 meeting with Arbabsiar), for “a number of violent missions” (Narc’s account of purportedly unrecorded June-July meetings), “the murder of the Ambassador” (Narc’s account of purportedly unrecorded June-July meetings), and “targeting foreign government facilities located outside of the United States, associated with Saudi Arabia and with another country [reported to be Israel]” (footnote 6 describing what Narc reported from these earlier meetings). The quotes from July 14 are ambiguous whether they refer to kidnapping or assassination of al-Jubeir. The quotes from July 17 include clear reference to killing what is presumably (though not specified as) al-Jubeir. And note what the complaint rather damningly doesn’t mention, though Administration leakers admit?

The plotters also discussed a side deal between the Quds Force, part of Iran’s Islamic Revolutionary Guards Corps, and Los Zetas to funnel tons of opium from the Middle East to Mexico, the official said.

In other words, several things were being negotiated: the kidnapping and/or assassination of al-Jubeir, hits on embassies in Argentina, possibly some other horrible things, and drug deals. So we need to be careful to tie any payments to specific ops.

The use of two different codes in the taped conversations doesn’t make tying payments to specific ops any easier–the complaint mentions “painting,” or “doing” a building (September 2, 20, and October 4), which the FBI Agent interprets without stated confirmation in Arbabsiar’s confession as the murder, as well as the “Chevrolet” (October 5 and 7), which Arbabsiar’s confession says also referred to the murder (syntactically, though, the Chevrolet sounds like a drug deal, while the building seems more closely connected to the murder).

Finally, a conversation on September 12 seems to suggest (though the FBI Agent doesn’t interpret it this way) that Arbabsiar had presented Narc several choices of operations, and the plotters just wanted them to pick one to carry out. After insisting the price would be “one point five,” Arbabsiar told Narc, for example, that he could “prepare for those too [two] … but we need at least one of them” [ellipsis original]. He went on to say that if Narc did “at least one … I’ll send the balance for you” [ellipsis original]. Particularly given the two different codes–building and Chevrolet–it seems possible there were still at least two different operations (both Arbabsiar and Shakuri offer up the building, not the Chevrolet, when they are not being coached as the operation they’re most anxious about). At the very least, this means that two months after the two meetings supposedly finalizing the plan for the assassination, both the price and the objective remained unclear.

No quoted passage ties the $100,000, the $1.5 million, and the assassination

Those two meetings–which do tie money to an attack on the Saudis–took place on July 14 and July 17. Before those meetings even started, however, the $100,000 that was purportedly the down-payment for the al-Jubeir assassination had already been transferred to a middleman; Arbabsiar tells Narc that Individual #1 (who is not described in the same way the Quds officers are, and appears not to have been sanctioned with everyone else) got the “money at nine in the morning.” The quoted passages definitely tie what appears to be the $1.5 million to doing something with Saudi Arabia. “Take the one point five for the Saudi Arabia.” That might be doing something with the Saudi embassy, though later in the same conversation Arbabsiar does confirm Narc’s question that “you just want the main guy.” Given the number of plots they were discussing, that’s not definitive that the $100,000 was tied to the al-Jubeir plot at all, nor is it definitive that the “one point five” was the agreed upon payment for assassinating–as opposed to kidnapping–al-Jubeir. There is no quote that ties all these things together; but assuming the FBI Agent’s interpretation is not really wacko, it does seem this conversation ties the money to some kind of attack on al-Jubeir.

The July 17 conversation–which with the July 14 conversation, includes one of two discussions of bank account numbers for the transfer–makes the focus on assassination much more clear. Narc pretends his guys are in Washington (meaning there’s no doubt the attack in discussion was al-Jubeir rather than the Saudi Embassy in Argentina). And–in the sole quotations in the entire complaint that make it clear Arbabsiar was talking about assassination–in response to Narc’s cue, “I don’t know what exactly your cousin wants me to do,” Arbabsiar says his cousin “wants you to kill this guy” and goes on to say that if necessary, collateral damage of citizens is acceptable.

Consider how laughable this deal-making is. On July 14, Narc gives his price for the job. Then on July 17, he’s still looking for clarification about what the task really is!