Turkish intelligence unveils secret codes used before coup attempt

In the days after the bloody coup attempt of July 15, the wife of a childhood friend of this minister called him up to say her husband had been taken into custody over alleged links to Fethullah Gülen, the U.S.-resident Islamist preacher who the government holds responsible for masterminding the plot.

The childhood friend was a ranking provincial official and the minister could not imagine that he could possibly have links to Gülen. Promising that he would get back to his friend’s wife, the minister asked security officials a few questions about to case. 

His friend had no obvious link to any Gülenists and there was not a single Gülenist with whom he socializes. He had not sent his children to Gülen-linked schools, had no Bank Asya bank account, and did not subscribe to the Zaman newspaper. But the minister’s eyebrows were raised when security people showed him a document from the National Intelligence Organization (MİT). The document said his friend was a user of ByLock and had communicated with only one person via that instant messaging service 109 times over the past year. It also said that person was actually the “imam” - or, in their own terminology, the “political commissar” - of the military network in his province. 

What the minister described actually fits the typology of what Deputy Prime Minister Numan Kurtulmuş describes as “crypto” Gülenists, or members of the “Fethullahist Terror Organizayion (FETÖ)” as the government and prosecutors denounce them.

“I decided not to touch the issue after seeing the document,” the minister said. The way that ByLock had been used by his old friend was enough to convince him.

MİT officials believe the plotters of Turkey’s July 15 coup attempt used the ByLock messaging service for secret communications among themselves, and the app might even have been produced in the first place for this purpose.

A former executive of Turkey’s Science and Technology Research Board (TÜBİTAK), who was arrested on Sept. 11 over links to Gülen, is accused of being among the group that wrote the ByLock software.

MİT officials talking to the Hürriyet Daily News on condition of anonymity said 99 percent of the messages and e-mails sent via ByLock were in Turkish, which is quite unusual for a site registered in the United States with a server in Lithuania. The intel officials also point to the fact that 98 percent of the IPs signed up to the site are from Turkey and almost all user names were in Turkish, raising suspicions that Gülenists might have established the company in the U.S., borrowing some local names, in order not to appear Turkish.

ByLock is actually a simple example of messaging service software. But it is designed in such a way that you do not simply browse through your telephone book or search for a certain name in order to communicate. Instead, a multi-digit code is given when you sign up. In order to call you another user must know your numerical code (and vice versa).

The MİT got to work on ByLock as soon as it found out that the Gülenists had stopped all telephone, SMS and Whatsapp communications among themselves. Such a move could be an indication that they found a secret alternative communications method. The MİT then found out that many of the people arrested over alleged links to Gülen had ByLock downloaded on their phones.

The timing was interesting. Conventional communication among key Gülen members ceased after the corruption allegation probes of Dec. 17 and 25, 2013 targeting members of the cabinet of then prime minister (now president) Tayyip Erdoğan as well as top bureaucrats and even Erdoğan’s family members. Erdoğan was quick to denounce the corruption probe as an attempt by his former ally, now archenemy Gülen, to undermine his government.

The first steps to clear the security apparatus of suspected Gülenists had actually started before the graft investigations. Basri Aktepe - a police-intelligence origin eavesdropping wizard who was transferred to the MİT after Hakan Fidan was appointed as MİT head - was removed from his Electronic and Technical Intelligence chief position to a passive post some months before the alleged graft probes, amid suspicion that he had links to Gülenists.

On Dec. 23, 2013 the government also removed Osman Nihat Şen as the head of the Internet desk of the Telecommunications Board (TİB), where he was also the acting head. Şen was a close colleague of Aktepe. (Six police intelligence officers had established the street-camera system called MOBESE, inspired by the first letters of their names: “S” was for Sabri and “O” was for Osman.) A trusted colleague of Fidan, Cemalettin Çelik, who had replaced Aktepe in the MİT a few months before, was appointed as the new head of the TİB on Jan. 18, 2014. (A day before that, MİT trucks were stopped by the gendarmerie for a weapons check on the Syria border, triggering a major scandal.)

As this all happened at a time when the conventional communications among key Gülenists were cut, prompting analysts to claim that they had abandoned conventional communication after they understood that they had lost control over telephone traffic. Shortly after Çelik was appointed as the head of the TİB, cyber experts found out a spy program inserted into 14,000 lines of software, which had been copying to an address located in the U.S. all documents sent by MİT, the police, and the gendarmerie to the TİB. It was then that the government decided to stop all TİB activities, believing that the entire institution was infected. Şen and 21 colleagues are now in jail and being tried over illegal eavesdropping, including through official phones encrypted by TÜBİTAK against eavesdropping from outside. 

The cyber team of the MİT then hacked the server in Lithuania and transferred all signed-up IP’s to the headquarters in Ankara. There were a total of 215,920 registrars, and intelligence officers were able to name 165,178 of them by the beginning of September. Sources say that it is getting difficult because some of them - suspected of being higher up in the hierarchy - were using SIM cards and ADSL lines registered under other names. 

Sources told the HDN that by May 2016 they had unveiled the names of around 40,000 people, most of them in public services, and transferred them to related government departments. But an engineer working for the Gülenist network in the police intelligence also obtained the list and gave it to his superior, an alleged Mustafa Koçyiğit, then the Intelligence Chief of the Data Collection Center of the prime minister’s office. This information also contained the names of 600 officers in the Turkish military. Through the leak provided by Koçyiğit, the Gülenist network came to believe that those military officers on the list would be sacked during the Supreme Military Council (YAŞ) at the end of July. As a result, analysts suggest that the plotters may have brought their original coup plan forward - before the members of the network lost their influential positions.

But why was the MİT unable to stop the coup attempt if it was able to crack the ByLock application? One source said the Gülenists might at one point have realized their Lithuania server had been compromised. They therefore stopped registrars from the Middle East by November 2015, diverting their users in Turkey to use identity protection methods like alternative VPNs and proxy servers. The MİT had finalized its operation in December 2015 and January 2016, before ByLock has ceased its operation.

Turkish intelligence then noticed that the network had shifted its secret communications over to another application, Eagle, which is believed to have been used for the coup preparations. But before the MİT was able to crack the Eagle codes, the July 15 coup attempt took place.