Showing posts with label secrecy. Show all posts

Objective Peckham

Saturday, 30 January 2016

As he walked through the busy streets of London, Bilal el-Berjawi was glancing over his shoulder. Everywhere he went, he suspected he was being followed. Within a few years — 4,000 miles away in remote Somalia — he would be dead, killed by a secret U.S. drone strike.

A small and stocky British-Lebanese citizen with a head of thick dark hair, Berjawi had grown up much like any other young boy in the United Kingdom’s capital city, attending school during the day and playing soccer with friends in his free time. But by his early 20s he was leading no ordinary life. He was suspected of having cultivated ties with senior al Qaeda militants in East Africa, his British citizenship was abruptly revoked, and he was placed on a U.S. kill list.

In January 2012, Berjawi met his sudden end, about 10 miles northwest of Mogadishu, when a missile crashed into his white car and blasted it beyond recognition.

At the time of Berjawi’s death, the Associated Press reported that the missile strike targeting him had been carried out by a drone, citing an anonymous U.S. official. The Economist criticized the secrecy surrounding the attack and questioned whether it had amounted to a “very British execution.”

Now, a classified U.S. document obtained by The Intercept shines new light on the circumstances surrounding Berjawi’s death. It reveals that the U.S. government was monitoring him for at least five years as he traveled between London and Somalia; that he was targeted by a covert special operations unit running a fleet of more than two dozen drones, fighter jets, and other aircraft out of East Africa; and that cellphone surveillance facilitated the strike that killed him.

The document, a case study included in a secret 2013 report by the Pentagon’s Intelligence, Surveillance, and Reconnaissance Task Force, does not mention Berjawi by name, instead referring to a target code-named “Objective Peckham.” But it contains enough specific details about the target’s movements and the time and place of the attack that killed him to confirm his identity beyond doubt.

The Intercept has pieced together the final years of Berjawi’s life based on the Pentagon case study, public records, interviews with individuals who knew him, and a transcript of a long conversation Berjawi had in April 2009 with members of Cage, a London-based rights group, in which he discussed his encounters with security agencies in the U.K. and Kenya.

The story of Berjawi’s life and death raises new questions about the British government’s role in the targeted assassination of its own citizens — also providing unique insight into covert U.S. military actions in the Horn of Africa and their impact on al Qaeda and its affiliate in the region, al Shabaab.

Operation Socialist

Friday, 20 March 2015

When the incoming emails stopped arriving, it seemed innocuous at first. But it would eventually become clear that this was no routine technical problem. Inside a row of gray office buildings in Brussels, a major hacking attack was in progress. And the perpetrators were British government spies.

It was in the summer of 2012 that the anomalies were initially detected by employees at Belgium’s largest telecommunications provider, Belgacom. But it wasn’t until a year later, in June 2013, that the company’s security experts were able to figure out what was going on. The computer systems of Belgacom had been infected with a highly sophisticated malware, and it was disguising itself as legitimate Microsoft software while quietly stealing data.

Last year, documents from National Security Agency whistleblower Edward Snowden confirmed that British surveillance agency Government Communications Headquarters was behind the attack, codenamed Operation Socialist. And in November, The Intercept revealed that the malware found on Belgacom’s systems was one of the most advanced spy tools ever identified by security researchers, who named it “Regin.”

The full story about GCHQ’s infiltration of Belgacom, however, has never been told. Key details about the attack have remained shrouded in mystery—and the scope of the attack unclear.

Now, in partnership with Dutch and Belgian newspapers NRC Handelsblad and De Standaard, The Intercept has pieced together the first full reconstruction of events that took place before, during, and after the secret GCHQ hacking operation.

Based on new documents from the Snowden archive and interviews with sources familiar with the malware investigation at Belgacom, The Intercept and its partners have established that the attack on Belgacom was more aggressive and far-reaching than previously thought. It occurred in stages between 2010 and 2011, each time penetrating deeper into Belgacom’s systems, eventually compromising the very core of the company’s networks.

Snowden told The Intercept that the latest revelations amounted to unprecedented “smoking-gun attribution for a governmental cyber attack against critical infrastructure.”

The Belgacom hack, he said, is the “first documented example to show one EU member state mounting a cyber attack on another…a breathtaking example of the scale of the state-sponsored hacking problem.”

Publicly, Belgacom has played down the extent of the compromise, insisting that only its internal systems were breached and that customers’ data was never found to have been at risk. But secret GCHQ documents show the agency gained access far beyond Belgacom’s internal employee computers and was able to grab encrypted and unencrypted streams of private communications handled by the company.

Belgacom invested several million dollars in its efforts to clean up its systems and beef up its security after the attack. However, The Intercept has learned that sources familiar with the malware investigation at the company are uncomfortable with how the clean-up operation was handled—and they believe parts of the GCHQ malware were never fully removed.

The revelations about the scope of the hacking operation will likely alarm Belgacom’s customers across the world. The company operates a large number of data links internationally, and it serves millions of people across Europe as well as officials from top institutions including the European Commission, the European Parliament, and the European Council. The new details will also be closely scrutinized by a federal prosecutor in Belgium, who is currently carrying out a criminal investigation into the attack on the company.

Sophia in ’t Veld, a Dutch politician who chaired the European Parliament’s recent inquiry into mass surveillance exposed by Snowden, told The Intercept that she believes the British government should face sanctions if the latest disclosures are proven.

“Compensating Belgacom should be the very least it should do,” in ’t Veld said. “But I am more concerned about accountability for breaking the law, violating fundamental rights, and eroding our democratic systems.”

Other similarly sophisticated state-sponsored malware attacks believed to have been perpetrated by Western countries have involved Stuxnet, a bug used to sabotage Iranian nuclear systems, and Flame, a spy malware that was found collecting data from systems predominantly in the Middle East.

What sets the secret British infiltration of Belgacom apart is that it was perpetrated against a close ally—and is backed up by a series of top-secret documents, which The Intercept is now publishing.

GCHQ declined to comment for this story, and insisted that its actions are “necessary, legal, and proportionate.”