How Terrorists Encrypt 7: Peculiarities of Encryption Using Tadpole

Duncan Campbell dedicates the final part largely to the Tadpole software that jihadis used to encrypt their communications while making terror plots.

Operation CLUTCH (2010)

Islamists involved in the CLUTCH plot

The man named Anwar Al-Awlaki was the head of al-Qaeda in the Arabian Peninsula until his demise. Based in Yemen, he was at the beginning of this year the effective leader of al-Qaeda, given Osama bin Laden’s silence. Rajib Karim was an IT engineer living and working in Newcastle; he worked for British Airways, his family came from Bangladesh, and he and his family members supported the resistance organization “Jamaat-ul-Mujahideen Bangladesh”, or JMB.

He was an avowed Islamist who sought to overthrow the despotic current rulers of Bangladesh, and he was prepared to do hijra, or to die, for that cause. The senior members of JMB communicated using something they called “Tadpole”, which they had invented themselves. Through his brother, Karim (the IT worker) was put in direct contact with the al-Qaeda leader he revered, Sheikh Al-Awlaki, and they communicated using Tadpole.

Tadpole encryption system opening page

Karim wanted to be sent to fight in Bangladesh, and Al-Awlaki personally urged him to stay patient and aim higher. This, by the way, is the Tadpole encryption system opening page (see image). Al-Awlaki went back to him and said: “Our highest priority is the U.S., it’s much more important. Is it possible to get a package, or a person with a package on board a flight?”

So, you have here, effectively, the boss of al-Qaeda talking to somebody who might help him arrange a new transatlantic bombing plot. Al-Awlaki also urged the British Airways engineer to use the “Mujahideen Secrets” programme we have seen, “Asrar”; he said, “Please, use Asrar”. But Karim (the IT worker) was reluctant, and he replied with this: “I have a slight concern regarding Asrar. It was released in the jihadi forums, and the kuffs” – us – “have access to it as well. I don’t think it would be too difficult for IT experts to crack the software. And I don’t think it’s wise to leave encrypted texts in email, it just draws more attention. I feel our process” – that’s Tadpole – “is a lot better, where we paste encrypted text into a .doc file…”

Tadpole communications protocol

So, Tadpole is better. They had a communication protocol for using Tadpole, which was an extended cloud version of what had been going on before. Take the cleartext, apply some code-book substitutions and some punctuation editing, and then encrypt it using Tadpole. Rename the TXT file deceptively (not really convincingly) as a DLL, a PDF or something like that, and upload it to a cloud sharing site: they used SpeedyShare, they used 2shared, they used others. Once you have the path on the cloud sharing site, create a short URL, using Notlong in particular and other services, and you are left with a very short alphanumeric string on that site. So the shared secret is that when you send a message, which is in fact a short alphanumeric string, it is the name of a short URL on the Notlong site. They used that, and they also used, or tried to use, I think, Torpark with the Firefox browser to anonymize some of their activities. So, a number of things were going on there.
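The renaming step described above invites a simple defender-side check: compare a file’s declared extension with its leading bytes. This is an added example, not code from the talk or from Tadpole; the signatures (MZ for DLL/EXE, %PDF- for PDF) are the standard ones, and the sample files are constructed.

```python
# Extension-versus-content check for the "rename TXT as DLL or PDF" step.
# Standard file signatures for the disguise extensions the talk mentions.
MAGIC = {
    ".dll": (b"MZ",),
    ".exe": (b"MZ",),
    ".pdf": (b"%PDF-",),
}

def declared_extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def looks_like_text(data: bytes) -> bool:
    """Heuristic: no NUL bytes and almost entirely printable ASCII/whitespace,
    which is what a plain ciphertext TXT file looks like."""
    if not data or b"\x00" in data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95

def classify(name: str, data: bytes) -> str:
    """Return one of: consistent, text-disguised-as-<ext>, magic-mismatch,
    unknown-extension."""
    ext = declared_extension(name)
    if ext not in MAGIC:
        return "unknown-extension"
    if any(data.startswith(sig) for sig in MAGIC[ext]):
        return "consistent"
    if looks_like_text(data):
        return "text-disguised-as-" + ext.lstrip(".")
    return "magic-mismatch"

# Constructed sample uploads (not real captured files).
SAMPLES = {
    "library.dll": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00",
    "manual.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>",
    "update.dll": b"qdpwt uvmgqt ylhbsp\nxzk qdp wuvv\n",   # text saved as .dll
    "notes.pdf": b"\x89PNG\r\n\x1a\n",                       # a PNG renamed .pdf
    "readme.txt": b"plain notes\n",
}

def scan(samples=SAMPLES) -> dict:
    """Classify every sample; a real scanner would read file heads from disk."""
    return {name: classify(name, data) for name, data in samples.items()}
```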

Tadpole appears to be XLSM spreadsheet with some macros

Now we should look at Tadpole as we come to the end here. Tadpole, the encryption system JMB invented, is an Excel spreadsheet, although it takes a mighty long time to load; it is an XLSM sheet with plenty of macros loaded into it, and those macros are the engine of the system. The front page (Sheet 1, A1) is a deceptive one, but if you jump right over (you will notice I have taken out most of the columns) to column GZ, you find macro buttons marked “Encrypt” and “Decrypt”, and then some code structures just to the right of them. All of this was hidden behind the top-level pictures and so on. If I just unhide between these two cells here (see image to the left), we find the directory and the instructions for encrypting and decrypting: you simply drop text onto these spaces, onto this one to encrypt, or pull the decryption off this one, using a specific directory, so they have specific communication keys assigned to each pair of communicating parties.

So what are they actually using? What is Tadpole? A little look at the code in some of the boxes reveals what Tadpole is; you can see it just appear there. It is simply the HLOOKUP function of Excel, that is to say a simple one-column lookup vector.

Tables of Tadpole values

Another column in this thing points to tables of values which are located on Sheet 2 (see screenshot). If you go to Sheet 2, you can actually find the lookup tables; here they are, encryption and decryption: single-column, fixed monoalphabetic substitutions. Okay, one alphabet per communicating pair. Well done, guys! You have re-invented the ciphers from about four centuries before Christ, as first used by Julius Caesar in the alphabetic shift cipher, 55 years before Christ, “De Bello Gallico”. Furthermore, an Arabic mathematician is credited with the first break of monoalphabetic substitution ciphers about 1200 years ago.
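To make the last three paragraphs concrete, here is an added example (not the Tadpole workbook or anything from the talk) that models the HLOOKUP-driven, one-alphabet-per-pair substitution in Python and then shows the weakness the al-Kindi break exploits: the ciphertext keeps the plaintext’s letter-frequency profile. The seeded shuffle standing in for a Sheet 2 table and the sample sentence are constructed.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase
# English letters ordered by typical frequency, most common first.
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgypbvkjxqz"

def pair_table(seed: int) -> list:
    """One fixed substitution alphabet per communicating pair, held as a
    two-row table like the Sheet 2 lookup vectors: row 0 is the plaintext
    alphabet, row 1 the replacement letters. The seeded shuffle is a
    constructed stand-in for the hand-made tables."""
    shuffled = list(ALPHABET)
    random.Random(seed).shuffle(shuffled)
    return [list(ALPHABET), shuffled]

def hlookup(value: str, table: list, row: int) -> str:
    """Minimal model of Excel HLOOKUP(value, table, row, FALSE): find the
    column whose first-row entry equals value and return that column's
    entry in `row`. Characters absent from the lookup row pass through."""
    if value in table[0]:
        return table[row][table[0].index(value)]
    return value

def encrypt(plaintext: str, table: list) -> str:
    return "".join(hlookup(ch, table, 1) for ch in plaintext.lower())

def decrypt(ciphertext: str, table: list) -> str:
    inverse = [table[1], table[0]]   # swap rows to look up the other way
    return "".join(hlookup(ch, inverse, 1) for ch in ciphertext)

def frequency_profile(text: str) -> list:
    """Sorted letter counts. A fixed substitution only renames letters, so
    plaintext and ciphertext have identical profiles: that is the leak."""
    return sorted(Counter(ch for ch in text if ch in ALPHABET).values())

def frequency_guess(ciphertext: str) -> dict:
    """The classical break credited to al-Kindi: rank ciphertext letters by
    count and pair them with English letters by rank. On enough text the
    most common letters are recovered without any key material."""
    counts = Counter(ch for ch in ciphertext if ch in ALPHABET)
    ranked = [ch for ch, _ in counts.most_common()]
    return dict(zip(ranked, ENGLISH_BY_FREQUENCY))

# Constructed sample plaintext (not a message from the case).
SAMPLE = ("every encrypted letter keeps the frequency of the letter it "
          "replaces so the ciphertext speaks the same english as the plaintext")
```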

So you see the comic genius of this situation, in which a competent IT worker says: “Let’s not use Asrar, that’s kuffar stuff; let’s start and re-invent the wheel by going back millennia”.

Tadpole was so secure (read ‘insecure’) that you can be sure the message traffic was being read almost immediately. So when, on the 10th of February 2010, a message came from Sheikh Al-Awlaki specifically talking about targeting, Karim replied saying: “We would like to choose some better targets, we should choose better targets, I agree the blood and wealth is halal, and we should think about targeting planes and passengers there”. So they moved in and arrested him. Now, Karim also used PGP Desktop; his computers were found to hold several PGP Desktop encrypted volumes disguised as RAR compressed files, and inside them he had the Tadpole program that you have seen and other Tadpole-encrypted material.

That’s actually all from me today, thanks, and draw your conclusions.

One comment

  1. Scott says:

    How can the average American protect against metadata collection?
