It was early-morning rush hour in London on Thursday, July 7, 2005, when a series of explosions shut down the city’s transport network. At first, the authorities suspected an electricity fault was to blame. But it soon emerged that four Islamist suicide attackers had detonated bombs on three underground trains and a bus, killing 52 people and injuring more than 700.
The incident, one of the worst terrorist atrocities in British history, resulted in a major overhaul of policing across the United Kingdom. The government beefed up security, introduced new counterterrorism measures, and retrained first-responders to handle major crises. The attack also reshaped British spy agencies’ tactics and led to a more aggressive use of electronic surveillance – details of which are revealed for the first time in classified documents published today by The Intercept.
The documents – from the National Security Agency and its British counterpart Government Communications Headquarters, or GCHQ – offer a unique insight into how U.K. and U.S. intelligence agencies responded in the aftermath of the London bombings. They reveal how the attackers may have been able to evade detection and disclose the existence of a secret intelligence-sharing agreement designed to enable “unfettered” sharing of phone and email records across the Five Eyes, an alliance of spy agencies from the U.K., the U.S., Australia, Canada, and New Zealand.
Immediately following the bombing, GCHQ developed a three-tiered strategy, according to the documents, which were obtained by The Intercept from the whistleblower Edward Snowden. The agency focused on providing operational support to the police and security services; worked on “target discovery,” sifting its databases in an effort to find information about the attackers or those connected to them; and formed a think tank called the “Blue Skies Team,” which developed new tools and techniques that could be used to identify people associated with the attackers.
A surveillance base in the north of England played a key role. Menwith Hill, located about 9 miles from the small town of Harrogate in North Yorkshire, began listening in on calls that were passing between the U.K. and foreign countries. The base – a “ground station” from which spy satellites are operated – used its surveillance technology to home in on calls associated with Thuraya satellite phones, which are often used in remote parts of the world where there is no access to conventional cellphone or landline networks.
“We worked with GCHQ’s International Terrorism Team to put coverage on nine U.K. cities, and compiled a list of U.K. cities and external locations (including Copenhagen, Brussels, and various locations in Spain, South Africa, and Morocco) requiring tighter focus,” explained an NSA employee who was working at Menwith Hill through the incident. “At GCHQ’s request, analysts examined calls from [Thuraya satellite] handsets that had dialed into London from Iraq.”
Analysts at Menwith Hill discovered that “high priority targets … had phoned specific areas in the U.K. from Pakistan, Afghanistan, Egypt, and Iraq.” They identified particular calls of interest that appeared to be coming from a compound in the self-governing Azad Kashmir region of northeastern Pakistan. The documents do not state whether a link was proven between these calls and the bombings. However, it was reported in 2012 that a British-born Al Qaeda operative named Rashid Rauf – who lived in Pakistan – helped direct the 2005 attack, which was carried out by four men, three of whom were born and raised in England, and one of whom was born in Jamaica and brought to England as a young child.
The NSA worked closely with GCHQ through the investigation, providing analysis and technical advice on surveillance methods. Twenty-two NSA employees were transferred to a specialist unit to help with the effort, alongside a department called the Counterterrorism Primary Production Center. After three months, the 22 analysts moved on to other operations. But the impact of the London attack continued to be felt across the Western intelligence community.
In June 2004, the Five Eyes had negotiated a secret treaty called the Alice Springs Resolution. The arrangement laid out plans for a single surveillance system that each of the five countries’ spies would be able to access. The system would be used to share metadata, which reveals information about a communication – such as the sender and recipient of an email, or the phone numbers someone called and at what time – but not the written content of the message or the audio of the call. Analysts would be able to search across all available metadata with a single query.
The aim of the Alice Springs Resolution was to “enable unfettered access to metadata repositories among our five agencies,” according to an NSA document. The agreement was personally signed off by the director of each agency, presumably during a meeting held in the Australian town of Alice Springs, which hosts a large surveillance facility. The text of the resolution stated that the new arrangement was necessary due to the “increasing importance of the analysis of metadata to the generation of intelligence, particularly against the terrorist target.” The NSA later cited the agreement as a “foundational document” for the agency.
The secret agreement aimed to “enable unfettered access to metadata repositories.”
When the London bombings occurred, the implementation of the agreement accelerated. According to an October 2006 document, following the attack there was “unprecedented metadata sharing” between the NSA and GCHQ and a “solid commitment to action” regarding the Alice Springs Resolution. The agencies developed a system called the “Sensitive Metadata Analytic Collaboration,” known as SMAC, through which the Five Eyes agencies planned to share their troves of metadata records, the October 2006 document reveals.
By October 2007, each of the partners had a representative participating in SMAC at NSA’s Fort Meade headquarters. The agency announced in a top-secret report that the mission to share the metadata had been “accomplished, just not as initially contemplated.” The NSA voiced displeasure that the Canadian and Australian participants, in particular, had “not taken full advantage” of the program, and complained that policy differences were among several “systemic barriers” to its progress. Three years later, in 2010, a GCHQ document seemed to declare the effort dead or supplanted, noting that “SMAC was an effective approach for a while, but is now no longer required.” A takeaway for GCHQ, the document added, was to look for “opportunities to circumvent policy challenges.”
GCHQ’s work related to the bombings was code-named OCTAMER. Working alongside the NSA, as well as the British domestic and foreign spy agencies MI5 and MI6, GCHQ sifted through troves of communication records in an effort to identify people associated with the attackers. The British eavesdropping agency developed a specialized tool that it called MOAG, which was used to carry out “contact chaining.” This involves an analyst looking at the phone number or email address of a target, and then reviewing all of the people the target had made or received calls or messages to or from. The aim of the method was to discover new, previously unknown individuals who may be of interest to investigators.
In the days and weeks after the bombings, the U.K.’s media and lawmakers questioned how the security services had failed to prevent the atrocity from taking place. Two of the four attackers had been under surveillance before they carried out their plot, but they had not been fully investigated due to a lack of resources, an inquiry later found.
GCHQ documents offer insight into another reason why the attackers may have managed to evade detection: At least three of them used cheap Nokia 1100 phones – probably “burner” devices that were not registered to them personally – and they communicated in what GCHQ called a “closed loop.” In other words, they only used their phones to talk to each other and did not make calls to anyone else, which appears to have thwarted the spy agency’s powerful surveillance apparatus.
GCHQ later began specifically seeking out closed loops. In an October 2011 document, the agency described how it had analyzed “anonymised metadata for bulk U.K.-U.K. mobile call records” in an effort to identify people who were communicating exclusively in small groups. They were a “rare phenomenon,” the agency concluded, but it added that among the few cases it did find, there were “possible target discovery opportunities.”
The NSA declined to comment for this story. GCHQ declined to comment on specifics and instead, issued a statement asserting that its work is “carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate, and that there is rigorous oversight.”
Documents published with this article:
- MHS lends a hand in the aftermath of the London bombings
- CT staff and augmentees focus on bombings in London
- The London bombings: an insider’s view
- Contact chaining – GCHQ
- Graph theory in the operational environment – GCHQ
- SMAC concept of operations
- Alice Springs Resolution
- Transnational DNI training