UNC L A S S I F I E D / / F O R O F F I C I A L US E O NL Y
IA-0 -15
(U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an authorized DHS official. State and local homeland security officials may share this document with authorized critical infrastructure and key resource personnel and private sector security officials without further approval from DHS.
(U) Warning: This document is UNCLASSIFIED//FOR OFFICIAL USE ONLY (U//FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid need to know without prior approval of an authorized DHS official. State and local homeland security officials may share this document with authorized critical infrastructure and key resource personnel and private sector security officials without further approval from DHS.
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
13 May 2015
(U//FOUO) Future ISIL Operations in West Could Resemble Disrupted Belgian Plot
(U//FOUO) Future ISIL Operations in West Could Resemble Disrupted Belgian Plot
(U//FOUO) Prepared by the Office of Intelligence and Analysis (I&A). Coordinated with NPPD, the FBI, and NCTC.
(U) Key Judgments
(U//FOUO) I&A assesses that the plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more complex operations in the West. We differentiate the complex, centrally planned plotting in Belgium from other, more-simplistic attacks by ISIL-inspired or directed individuals, which could occur with little
(U//FOUO) I&A assesses that the plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more complex operations in the West. We differentiate the complex, centrally planned plotting in Belgium from other, more-simplistic attacks by ISIL-inspired or directed individuals, which could occur with little
to no warning.
(U//FOUO) I&A assesses the group’s choice to operate across several countries highlights both the significant challenges for law enforcement to detect and investigate multi-jurisdictional threats and the necessity of interagency information sharing about emerging and ongoing threats.
(U//FOUO) I&A assesses that items recovered by Belgian authorities suggest the group’s plotting may
have included the use of small arms, improvised explosive devices, and the impersonation of police officers and underscores the role of the public and private sector in alerting law enforcement of potential terrorist activity through suspicious activity reporting (SAR). (See Appendix A for details on the importance of SAR reporting.)
(U//FOUO) I&A assesses the group’s choice to operate across several countries highlights both the significant challenges for law enforcement to detect and investigate multi-jurisdictional threats and the necessity of interagency information sharing about emerging and ongoing threats.
(U//FOUO) I&A assesses that items recovered by Belgian authorities suggest the group’s plotting may
have included the use of small arms, improvised explosive devices, and the impersonation of police officers and underscores the role of the public and private sector in alerting law enforcement of potential terrorist activity through suspicious activity reporting (SAR). (See Appendix A for details on the importance of SAR reporting.)
(U//FOUO) I&A assesses that the security measures used by this group to avoid physical and technical collection highlight how knowledge of law enforcement tactics can help subjects adapt their behavior and the need for investigators to consider whether subjects may be using countermeasures to deflect scrutiny.
(U//FOUO) I&A assesses that facilitation efforts by
the group were likely aided by members’ criminal
background and possible access to criminal groups underscoring the potential for operatives to bypass traditional tripwires and obscure operational planning efforts.
(U//FOUO) Awareness of some of the tactics and tradecraft used by the group in Belgium could assist with identifying and disrupting potential plots in the United States.
(U//FOUO) I&A assesses that facilitation efforts by
the group were likely aided by members’ criminal
background and possible access to criminal groups underscoring the potential for operatives to bypass traditional tripwires and obscure operational planning efforts.
(U//FOUO) Awareness of some of the tactics and tradecraft used by the group in Belgium could assist with identifying and disrupting potential plots in the United States.
(U//FOUO) Belgian Plot Signals ISIL’s Interest
in Complex Plots Against the West
(U//FOUO) The plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more sophisticated
in Complex Plots Against the West
(U//FOUO) The plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more sophisticated
(U) Scope
(U//FOUO) This Assessment highlights the tactics, targets, and tradecraft allegedly used in a plot disrupted by Belgian authorities in January 2015 that potentially could be used in the Homeland by individuals associated with or inspired by the Islamic State of Iraq and the Levant (ISIL). This Assessment is intended to support the DHS activities to assist federal, state, and local government counterterrorism and law enforcement officials, first responders, and private sector security partners in effectively deterring, preventing, preempting, or responding to terrorist attacks against the United States.
(U//FOUO) This Assessment highlights the tactics, targets, and tradecraft allegedly used in a plot disrupted by Belgian authorities in January 2015 that potentially could be used in the Homeland by individuals associated with or inspired by the Islamic State of Iraq and the Levant (ISIL). This Assessment is intended to support the DHS activities to assist federal, state, and local government counterterrorism and law enforcement officials, first responders, and private sector security partners in effectively deterring, preventing, preempting, or responding to terrorist attacks against the United States.
(U) Background
(U) On 15 January 2015, Belgian authorities raided multiple locations including a safe house in Verviers, a suburb of Brussels, where a firefight ended in the deaths of two individuals and the arrest of a third suspect. The raids disrupted an alleged plot involving an Islamic State of Iraq and the Levant (ISIL) group with at least ten operatives—some of whom were returning foreign fighters—possibly targeting police or the public. The group may have been acting under the direction of a member(s) of ISIL. There is no publically available information as to whether a specific target was selected. Since the initial raids, multiple individuals in several European countries have been arrested and charged in connection with the group’s activities. The investigation into this plot remains ongoing.1,2
(U) On 15 January 2015, Belgian authorities raided multiple locations including a safe house in Verviers, a suburb of Brussels, where a firefight ended in the deaths of two individuals and the arrest of a third suspect. The raids disrupted an alleged plot involving an Islamic State of Iraq and the Levant (ISIL) group with at least ten operatives—some of whom were returning foreign fighters—possibly targeting police or the public. The group may have been acting under the direction of a member(s) of ISIL. There is no publically available information as to whether a specific target was selected. Since the initial raids, multiple individuals in several European countries have been arrested and charged in connection with the group’s activities. The investigation into this plot remains ongoing.1,2
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
Page 2 of 8
operations in the West. I&A judges that the threat from ISIL plots involving multiple operatives may grow, but are more likely to occur in Europe—where several recruitment networks have been disrupted, and several returning fighters have already demonstrated the ability to conduct attacks—than in the United States given the different operating environments, number of European foreign fighters currently in theater, and Europe’s
geographic proximity to the conflicts in Syria and Iraq.3,4 While we assess the threat is more likely to manifest in Europe, we cannot discount the possibility for potential complex attacks here in the Homeland. I&A notes that small-scale attacks using comparatively less sophisticated tactics—such as the 3 May attempted attack against a
“Draw the Prophet” event in Garland, Texas by
individuals inspired to act by ISIL-linked messaging, or by individuals taking direction from an oversea plotter after connecting through social media—could proceed with little to no warning.
(U//FOUO) Dispersed Activities and Remote Leadership Possibly Intended to Conceal
geographic proximity to the conflicts in Syria and Iraq.3,4 While we assess the threat is more likely to manifest in Europe, we cannot discount the possibility for potential complex attacks here in the Homeland. I&A notes that small-scale attacks using comparatively less sophisticated tactics—such as the 3 May attempted attack against a
“Draw the Prophet” event in Garland, Texas by
individuals inspired to act by ISIL-linked messaging, or by individuals taking direction from an oversea plotter after connecting through social media—could proceed with little to no warning.
(U//FOUO) Dispersed Activities and Remote Leadership Possibly Intended to Conceal
Activities
(U//FOUO) The group’s choice to operate across several countries highlights both the significant challenges for law enforcement to detect and investigate multi-jurisdictional threats and the necessity of interagency sharing information about emerging and ongoing threats. Even though the group likely planned to attack targets in Belgium, the
investigation into the group’s activities spans several
European countries, including France, Greece, Spain, and the Netherlands, as well countries where there is limited- to-no counterterrorism cooperation with the United States,
(U//FOUO) The group’s choice to operate across several countries highlights both the significant challenges for law enforcement to detect and investigate multi-jurisdictional threats and the necessity of interagency sharing information about emerging and ongoing threats. Even though the group likely planned to attack targets in Belgium, the
investigation into the group’s activities spans several
European countries, including France, Greece, Spain, and the Netherlands, as well countries where there is limited- to-no counterterrorism cooperation with the United States,
such as Syria.
» (U) The purported leader of the group, Abdelhamid Abaaoud, directed the operation from a safe house in Athens, Greece using a cell phone, while other group members operated in several other European countries, according to European media reporting citing a senior Belgian counterterrorism official.5,6
» (U) In addition to the 13 arrests made throughout Belgium, two operatives were arrested in France and police apprehended a cell member in Greece after tracing links to a second safe house in Athens, according to a Belgian news conference and Greek media reporting citing senior police officers.7,8,9
» (U) Multiple members of the cell appear to have been able to communicate and travel unimpeded across borders to facilitate attack planning. In addition to directing operatives from the safe house in Athens, Abaaoud boasted he was able to return to
» (U) The purported leader of the group, Abdelhamid Abaaoud, directed the operation from a safe house in Athens, Greece using a cell phone, while other group members operated in several other European countries, according to European media reporting citing a senior Belgian counterterrorism official.5,6
» (U) In addition to the 13 arrests made throughout Belgium, two operatives were arrested in France and police apprehended a cell member in Greece after tracing links to a second safe house in Athens, according to a Belgian news conference and Greek media reporting citing senior police officers.7,8,9
» (U) Multiple members of the cell appear to have been able to communicate and travel unimpeded across borders to facilitate attack planning. In addition to directing operatives from the safe house in Athens, Abaaoud boasted he was able to return to
Syria after the Verviers raid despite having international warrants for his arrest, according to an interview featured in the February release of ISIL’s
Dabiq magazine.10
» (U) The passport of an identified Dutch national—
possibly associated with the group—who likely traveled to Syria in late 2014 was found at the Verviers safe house, according to Dutch media reporting.11 Dutch officials conducted a search of his parents’ home and confiscated laptops and other media. As of early April, he was reportedly killed while fighting in Syria, according to unconfirmed Dutch media reporting.12
» (U) The passport of an identified Dutch national—
possibly associated with the group—who likely traveled to Syria in late 2014 was found at the Verviers safe house, according to Dutch media reporting.11 Dutch officials conducted a search of his parents’ home and confiscated laptops and other media. As of early April, he was reportedly killed while fighting in Syria, according to unconfirmed Dutch media reporting.12
(U//FOUO) Material Acquisition Suggests Attacker’s Potential Tactics and Targets
(U//FOUO) Items recovered during searches of
residences affiliated with the cell suggest the group’s
plotting may have included the use of small arms, improvised explosive devices, and the impersonation of police officers. There is no publicly available information about the acquisition of these items, but the amounts and types of materials acquired by the group highlights the role of the public and private sector in alerting law enforcement through SARs of attempts to acquire or store a large cache of equipment or chemicals needed to support larger operations.
» (U) Belgian law enforcement discovered automatic firearms, precursors for the explosive triacetone triperoxide (TATP), a body camera, multiple cell phones, handheld radios, police uniforms, fraudulent identification documents, and a large quantity of cash during the raid in Verviers, according to statements made by Belgian government officials.14,15,16 At the time
(U//FOUO) Items recovered during searches of
residences affiliated with the cell suggest the group’s
plotting may have included the use of small arms, improvised explosive devices, and the impersonation of police officers. There is no publicly available information about the acquisition of these items, but the amounts and types of materials acquired by the group highlights the role of the public and private sector in alerting law enforcement through SARs of attempts to acquire or store a large cache of equipment or chemicals needed to support larger operations.
» (U) Belgian law enforcement discovered automatic firearms, precursors for the explosive triacetone triperoxide (TATP), a body camera, multiple cell phones, handheld radios, police uniforms, fraudulent identification documents, and a large quantity of cash during the raid in Verviers, according to statements made by Belgian government officials.14,15,16 At the time
UNCLASSIFIED
(U) A picture, from ISIL’s Dabiq magazine, of Abdelhmaid Abaaoud (far right) with the two alleged cell members killed during the January 2015 raid in
Verviers, Belgium.13
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
Page 3 of 8
of the raid, the members of this cell were also searching for an ice machine to cool and transport the TATP, according to European press reporting.17
» (U) Belgian officials were reportedly concerned that the acquisition of police uniforms and discussion by group members of a Molenbeek police station—where members of the group had reportedly spent time—
suggests that they may have intended to target a police station or to impersonate officers to potentially gain access to a sensitive site. 18,19,20 While there is no confirmation the group was actually going to target police, such an attack would have been consistent with media reports about recent ISIL-linked plots in the West directed at law enforcement and ongoing messaging by ISIL since September 2014.21
» (U) Belgian officials were reportedly concerned that the acquisition of police uniforms and discussion by group members of a Molenbeek police station—where members of the group had reportedly spent time—
suggests that they may have intended to target a police station or to impersonate officers to potentially gain access to a sensitive site. 18,19,20 While there is no confirmation the group was actually going to target police, such an attack would have been consistent with media reports about recent ISIL-linked plots in the West directed at law enforcement and ongoing messaging by ISIL since September 2014.21
(U//FOUO) Alleged Operational Security Measures Suggest Knowledge of Law Enforcement Methods
(U//FOUO) The steps group members reportedly took to avoid physical and technical collection of their preoperational activities suggest members were likely cognizant of the potential for scrutiny by Belgian authorities given their status as returning foreign fighters and had at least a rudimentary knowledge of law enforcement efforts to monitor social media and other communications. The countermeasures used by this group underscore how knowledge of law enforcement tactics can help subjects adapt their patterns of behavior and highlight the need for investigators to consider whether subjects may be using countermeasures to
(U//FOUO) The steps group members reportedly took to avoid physical and technical collection of their preoperational activities suggest members were likely cognizant of the potential for scrutiny by Belgian authorities given their status as returning foreign fighters and had at least a rudimentary knowledge of law enforcement efforts to monitor social media and other communications. The countermeasures used by this group underscore how knowledge of law enforcement tactics can help subjects adapt their patterns of behavior and highlight the need for investigators to consider whether subjects may be using countermeasures to
deflect scrutiny.
(U//FOUO) Communications Security. The group made extensive efforts to prevent or limit law enforcement’s ability to conduct technical surveillance.
» (U) A group member reportedly changed his cell phone five times and urged operatives to change vehicles often and to search the vehicles for
(U//FOUO) Communications Security. The group made extensive efforts to prevent or limit law enforcement’s ability to conduct technical surveillance.
» (U) A group member reportedly changed his cell phone five times and urged operatives to change vehicles often and to search the vehicles for
microphones in an effort to thwart potential surveillance by police and intelligence officials, according to Belgian media reporting citing police
officials.23
» (U) According to an unverified Belgian media report, intercepted communications between cell members were conducted in French, Arabic, and a Moroccan dialect, and frequently used coded language to discuss attack planning to make translation problematic for law enforcement and intelligence services.24
» (U) Belgian authorities discovered that the incarcerated brother of one of the cell members may have acted as an intermediary to facilitate communications between Greece- and Belgian-based members after officials at a prison in Belgium notified law enforcement of the brother’s suspicious
communications, according to Belgian media reporting.25
(U//FOUO) Physical Security. The group attempted to obscure their operational travel and material acquisition from Belgian officials.
» (U//FOUO) According to several media reports, the family of Abaaoud received a call in late 2014 that he had been killed while fighting in Syria. However, Abaaoud’s probable involvement in this plot implies this may have been done intentionally to deter efforts by Belgian officials to track his activities.26
» (U//FOUO) Belgian and Greek authorities recovered multiple identification documents, some of which may have been fraudulent, at safe houses reportedly used by the group, according to media reports. 27,28,29 Moreover, the use of false identity documents may have led to the misidentification of the two operatives killed during the raid in Verviers, according to a European media report, suggesting the group may have used fraudulent documents to conceal travel from Syria to Europe and to facilitate their attack planning. 30
» (U//FOUO) The large amount of cash recovered by Belgian authorities at the safe house in Verviers was likely intended to fund some of the group’s
procurement activities and to conceal purchasing patterns.31 Activities such as these highlight the importance of scrutinizing suspicious purchases of bulk quantities of precursor chemicals where individuals insist on paying only in cash.
» (U) According to an unverified Belgian media report, intercepted communications between cell members were conducted in French, Arabic, and a Moroccan dialect, and frequently used coded language to discuss attack planning to make translation problematic for law enforcement and intelligence services.24
» (U) Belgian authorities discovered that the incarcerated brother of one of the cell members may have acted as an intermediary to facilitate communications between Greece- and Belgian-based members after officials at a prison in Belgium notified law enforcement of the brother’s suspicious
communications, according to Belgian media reporting.25
(U//FOUO) Physical Security. The group attempted to obscure their operational travel and material acquisition from Belgian officials.
» (U//FOUO) According to several media reports, the family of Abaaoud received a call in late 2014 that he had been killed while fighting in Syria. However, Abaaoud’s probable involvement in this plot implies this may have been done intentionally to deter efforts by Belgian officials to track his activities.26
» (U//FOUO) Belgian and Greek authorities recovered multiple identification documents, some of which may have been fraudulent, at safe houses reportedly used by the group, according to media reports. 27,28,29 Moreover, the use of false identity documents may have led to the misidentification of the two operatives killed during the raid in Verviers, according to a European media report, suggesting the group may have used fraudulent documents to conceal travel from Syria to Europe and to facilitate their attack planning. 30
» (U//FOUO) The large amount of cash recovered by Belgian authorities at the safe house in Verviers was likely intended to fund some of the group’s
procurement activities and to conceal purchasing patterns.31 Activities such as these highlight the importance of scrutinizing suspicious purchases of bulk quantities of precursor chemicals where individuals insist on paying only in cash.
UNCLASSIFIED
(U) Belgium investigators at scene following the raid in Verviers, Belgium on 15 January 2015.22
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
Page 4 of 8
UNCLASSIFIED
(U) Figure 1. Map of Group Activities
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
Page 5 of 8
(U//FOUO) Member’s Criminal Background Likely Aided Planning and Facilitation
(U//FOUO) Facilitation efforts by the group were likely aided by members’ criminal background and possible access to criminal groups, underscoring the potential for operatives to bypass traditional tripwires and obscure operational planning efforts. The nexus between terrorist preoperational planning and criminal activities may offer law enforcement opportunities to detect ongoing plotting, as investigations of intercepted illegal activities may present indicators of other nefarious
(U//FOUO) Facilitation efforts by the group were likely aided by members’ criminal background and possible access to criminal groups, underscoring the potential for operatives to bypass traditional tripwires and obscure operational planning efforts. The nexus between terrorist preoperational planning and criminal activities may offer law enforcement opportunities to detect ongoing plotting, as investigations of intercepted illegal activities may present indicators of other nefarious
intentions.
» (U) At least one alleged cell member, Souhaib el Abdi, had previous experience with trafficking forged documents, according to comments from his lawyer reported in open source media.32 The groups’ purported leader Abaaoud spent time in prison for theft before departing Belgium for Syria, according to a US press report.33
» (U) The Belgian police uniforms, large cache of illegal weapons—including Kalashnikov rifles, handguns, ammunition, and materials to make explosives—that were seized by police during the raids, were likely acquired illegally, according to a media reporting coverage of Belgian police news conference.34 Cell members have subsequently been charged with violating Belgian weapons laws, according to statements made by Belgian officials.35
» (U) At least one alleged cell member, Souhaib el Abdi, had previous experience with trafficking forged documents, according to comments from his lawyer reported in open source media.32 The groups’ purported leader Abaaoud spent time in prison for theft before departing Belgium for Syria, according to a US press report.33
» (U) The Belgian police uniforms, large cache of illegal weapons—including Kalashnikov rifles, handguns, ammunition, and materials to make explosives—that were seized by police during the raids, were likely acquired illegally, according to a media reporting coverage of Belgian police news conference.34 Cell members have subsequently been charged with violating Belgian weapons laws, according to statements made by Belgian officials.35
(U) Implications
(U//FOUO) I&A assesses that future Western complex attacks and plots could resemble the size and capabilities of this group and awareness of the tactics and tradecraft used by this group could assist with identifying and disrupting potential complex plots in the United States. Prior to the disruption of this plot, nearly all of the approximately one dozen ISIL-linked plots and attacks in the West to date involved lone offenders or small
groups of individuals, raising I&A’s concern that the
involvement of a large number of operatives and group leaders based in multiple countries in future ISIL-linked plotting could create significant obstacles in the detection and disruption of preoperational activities.*
* (U//FOUO) DHS defines a lone offender as an individual motivated by one or more violent extremist ideologies who, operating alone, supports or engages in acts of unlawful violence in furtherance of that ideology or ideologies that may involve direction, assistance, or influence from a larger terrorist organization or foreign actor.
(U//FOUO) I&A assesses that future Western complex attacks and plots could resemble the size and capabilities of this group and awareness of the tactics and tradecraft used by this group could assist with identifying and disrupting potential complex plots in the United States. Prior to the disruption of this plot, nearly all of the approximately one dozen ISIL-linked plots and attacks in the West to date involved lone offenders or small
groups of individuals, raising I&A’s concern that the
involvement of a large number of operatives and group leaders based in multiple countries in future ISIL-linked plotting could create significant obstacles in the detection and disruption of preoperational activities.*
* (U//FOUO) DHS defines a lone offender as an individual motivated by one or more violent extremist ideologies who, operating alone, supports or engages in acts of unlawful violence in furtherance of that ideology or ideologies that may involve direction, assistance, or influence from a larger terrorist organization or foreign actor.
(U//FOUO) We assess that plots involving foreign fighters, who have returned from conflict zones, or foreign fighters based overseas, who have the ability to leverage violent extremists in their home countries, are more likely to plot an attack on this scale than are their less-experienced counterparts. While we assess that the threat of such an attack is more likely to manifest in Europe, we cannot discount the possibility for potential complex attacks here in the Homeland.
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
Page 6 of 8
(U//FOUO) Appendix A: Importance of Suspicious Activity Reporting
(U//FOUO) Given the range of targets and tactics of ISIL-associated plots since last year, we encourage reporting of suspicious activity to appropriate government authorities and encourage our security, military, and law enforcement partners to remain vigilant. We face an increased challenge in detecting terrorist plots underway by individuals or small groups acting quickly and independently or with only tenuous ties to foreign-based terrorists. Pre-operational indicators are likely to be difficult to detect; as such, state, local, tribal, territorial, and private sector partners play a critical role in identifying and reporting suspicious activities and raising the awareness of federal counterterrorism officials.
(U//FOUO) Given the range of targets and tactics of ISIL-associated plots since last year, we encourage reporting of suspicious activity to appropriate government authorities and encourage our security, military, and law enforcement partners to remain vigilant. We face an increased challenge in detecting terrorist plots underway by individuals or small groups acting quickly and independently or with only tenuous ties to foreign-based terrorists. Pre-operational indicators are likely to be difficult to detect; as such, state, local, tribal, territorial, and private sector partners play a critical role in identifying and reporting suspicious activities and raising the awareness of federal counterterrorism officials.
(U) Indicators
(U//FOUO) DHS encourages federal, state, local, tribal, and territorial counterterrorism officials, as well as first responders and private sector security partners, to remain alert and immediately report suspicious activity and potential behavioral indicators of pre-operational terrorism planning activities, to include suspicious acquisition of materials and construction of explosive devices. Some observed activities that may be suspicious include constitutionally protected activity. These activities should not be reported absent articulable facts and circumstances that support the source agency’s suspicion that
the observed behavior is not innocent, but rather reasonably indicative of criminal activity associated with terrorism. No single behavioral indicator should be the sole basis for law enforcement action. The totality of behavioral indicators and other relevant circumstances should be evaluated when considering any law enforcement response or action.
» (U//FOUO) New or increased advocacy of violence, including providing material support or recruiting others to commit criminal acts;
» (U//FOUO) Reports to law enforcement that a community member has adopted a new name, style of dress or speech, and/or other significant changes in presentation to others in association with advocacy of violence;
» (U//FOUO) Communicating with known or suspected homegrown or foreign-based violent extremists using e-mail or social media platforms;
» (U//FOUO) Photography or videography focused on security features, including cameras, security personnel, gates, or barriers;
» (U//FOUO) Attempts to purchase all available stock of explosives precursors or to acquire materials in bulk without explanation or justification or making numerous smaller purchases of the same products at different locations within a short period of time—a possible sign of covert stockpiling;
» (U//FOUO) Theft of chemicals, hazardous substances, weapons, pre-cursor materials, or items that could compromise facility security, such as uniforms, identification, blueprints, vehicles (or components), technology, or access keys or cards;
» (U//FOUO) Internet research for target selection, acquisition of technical capabilities, planning, or logistics; » (U//FOUO) Insisting on paying in cash or using a credit card in another person’s name; » (U//FOUO) Participation in weapons training, paramilitary exercises, and reconnaissance and surveillance activities in
a manner that is reasonably indicative of pre-operational planning related to terrorism, particularly in conjunction with advocacy of violence;
» (U//FOUO) Use of cover terms to mask the true meaning of events or nefarious activities combined with active advocacy of violence;
» (U//FOUO) Acquisition of suspicious quantities of weapons and ammunition, or materials that could be used to produce explosives, such as hydrogen peroxide, acetone, gasoline, propane, or fertilizer; and
» (U//FOUO) Activities that a reasonable person would deem as suspicious, indicating a storage facility or other areas are being used to construct an explosive device.
(U//FOUO) DHS encourages federal, state, local, tribal, and territorial counterterrorism officials, as well as first responders and private sector security partners, to remain alert and immediately report suspicious activity and potential behavioral indicators of pre-operational terrorism planning activities, to include suspicious acquisition of materials and construction of explosive devices. Some observed activities that may be suspicious include constitutionally protected activity. These activities should not be reported absent articulable facts and circumstances that support the source agency’s suspicion that
the observed behavior is not innocent, but rather reasonably indicative of criminal activity associated with terrorism. No single behavioral indicator should be the sole basis for law enforcement action. The totality of behavioral indicators and other relevant circumstances should be evaluated when considering any law enforcement response or action.
» (U//FOUO) New or increased advocacy of violence, including providing material support or recruiting others to commit criminal acts;
» (U//FOUO) Reports to law enforcement that a community member has adopted a new name, style of dress or speech, and/or other significant changes in presentation to others in association with advocacy of violence;
» (U//FOUO) Communicating with known or suspected homegrown or foreign-based violent extremists using e-mail or social media platforms;
» (U//FOUO) Photography or videography focused on security features, including cameras, security personnel, gates, or barriers;
» (U//FOUO) Attempts to purchase all available stock of explosives precursors or to acquire materials in bulk without explanation or justification or making numerous smaller purchases of the same products at different locations within a short period of time—a possible sign of covert stockpiling;
» (U//FOUO) Theft of chemicals, hazardous substances, weapons, pre-cursor materials, or items that could compromise facility security, such as uniforms, identification, blueprints, vehicles (or components), technology, or access keys or cards;
» (U//FOUO) Internet research for target selection, acquisition of technical capabilities, planning, or logistics; » (U//FOUO) Insisting on paying in cash or using a credit card in another person’s name; » (U//FOUO) Participation in weapons training, paramilitary exercises, and reconnaissance and surveillance activities in
a manner that is reasonably indicative of pre-operational planning related to terrorism, particularly in conjunction with advocacy of violence;
» (U//FOUO) Use of cover terms to mask the true meaning of events or nefarious activities combined with active advocacy of violence;
» (U//FOUO) Acquisition of suspicious quantities of weapons and ammunition, or materials that could be used to produce explosives, such as hydrogen peroxide, acetone, gasoline, propane, or fertilizer; and
» (U//FOUO) Activities that a reasonable person would deem as suspicious, indicating a storage facility or other areas are being used to construct an explosive device.
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
Page 7 of 8
(U) Tracked by: HSEC-8.1, HSEC-8.2, HSEC-8.3, HSEC-8.5, HSEC-8.8
(U) Source Summary Statement
(U//FOUO) This Assessment is based on information drawn from a body of unclassified reporting, including open source media reports, public statements of senior foreign government officials, and public accounts of foreign law enforcement investigations from multiple law enforcement agencies. We have medium confidence in the press reports used in this product, some of which have been corroborated by public statements made by senior foreign law enforcement officials.
(U//FOUO) This Assessment is based on information drawn from a body of unclassified reporting, including open source media reports, public statements of senior foreign government officials, and public accounts of foreign law enforcement investigations from multiple law enforcement agencies. We have medium confidence in the press reports used in this product, some of which have been corroborated by public statements made by senior foreign law enforcement officials.
(U) Report Suspicious Activity
(U) To report suspicious activity, law enforcement, Fire-EMS, private security personnel, and emergency managers should follow established protocols; all other personnel should call 911 or contact local law enforcement. Suspicious activity reports (SARs) will be forwarded to the appropriate fusion center and FBI Joint Terrorism Task Force for further action. For more information on the Nationwide
(U) To report suspicious activity, law enforcement, Fire-EMS, private security personnel, and emergency managers should follow established protocols; all other personnel should call 911 or contact local law enforcement. Suspicious activity reports (SARs) will be forwarded to the appropriate fusion center and FBI Joint Terrorism Task Force for further action. For more information on the Nationwide
SAR Initiative, visit http://nsi.ncirc.gov/resources.aspx.
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
UN C L A S S I F I E D / / F O R O F F I C I A L US E O N L Y
Page 8 of 8
1 (U); “Inside the ISIS Plot to Attack the Heart of Europe”; http://www.cnn.com/2015/02/13/europe/europe-belgium-
isis-plot/; accessed 20 March 2015.
2 (U); OSC; EUL2015041773002595; 17 April 2015. 3 (U); OSC; EUL2015021166933318; 11 February 2015. 4 (U); OSC; EUR2015022528575929; 24 February 2015.
5 (U); OSC; EUN2015020948731295; 31 January 2015. 6 (U); OSC; EUL2015020274740312; 1 February 2015. 7 (U); OSC: EUN2015020947629159; 30 January 2015. 8 (U); OSC; EUL2015011674541100; 16 January 2015. 9 (U); OSC; EUL2015021764970267; 17 February 2015. 10 (U); DHS-OS-0316-15; 12 February 2015. 11 (U); OSC; EUL2015012065248183; 19 January 2015.
2 (U); OSC; EUL2015041773002595; 17 April 2015. 3 (U); OSC; EUL2015021166933318; 11 February 2015. 4 (U); OSC; EUR2015022528575929; 24 February 2015.
5 (U); OSC; EUN2015020948731295; 31 January 2015. 6 (U); OSC; EUL2015020274740312; 1 February 2015. 7 (U); OSC: EUN2015020947629159; 30 January 2015. 8 (U); OSC; EUL2015011674541100; 16 January 2015. 9 (U); OSC; EUL2015021764970267; 17 February 2015. 10 (U); DHS-OS-0316-15; 12 February 2015. 11 (U); OSC; EUL2015012065248183; 19 January 2015.
12 (U); Teen with Connection to Verviers Deceased in Syria; http://www.nieuwsblad.be/cnt/dmf20150403_01614138;
accessed 9 April 2015.
13 (U); DHS-OS-0316-15; 12 February 2015. 14 (U); OSC; EUL2015011674541100; 16 January 2015. 15 (U); “Inside the ISIS Plot to Attack the Heart of Europe”; http://www.cnn.com/2015/02/13/europe/europe-
13 (U); DHS-OS-0316-15; 12 February 2015. 14 (U); OSC; EUL2015011674541100; 16 January 2015. 15 (U); “Inside the ISIS Plot to Attack the Heart of Europe”; http://www.cnn.com/2015/02/13/europe/europe-
belgium-isis-plot/; accessed 20 March 2015.
16 (U); “Belgium Terror Group Planned to Kill Police Officers”; http://www.telegraph.co.uk/news/worldnews/europe/
belgium/11349805/Belgium-terror-suspects-planned-to-seize-passenger-bus.html; accessed 3 April 2015.
17 (U); Belgium Terror Group Planned to Kill Police Officers; http://www.telegraph.co.uk/news/worldnews/europe/
belgium/11349805/Belgium-terror-suspects-planned-to-seize-passenger-bus.html; accessed 3 April 2015.
18 (U); Verviers: What the Terrorist Suspects under Surveillance Were Saying;
http://www.rtl.be/info/belgique/societe/verviers-voici-ce-que-les-terroristes-presume; accessed 6 April 2015.
16 (U); “Belgium Terror Group Planned to Kill Police Officers”; http://www.telegraph.co.uk/news/worldnews/europe/
belgium/11349805/Belgium-terror-suspects-planned-to-seize-passenger-bus.html; accessed 3 April 2015.
17 (U); Belgium Terror Group Planned to Kill Police Officers; http://www.telegraph.co.uk/news/worldnews/europe/
belgium/11349805/Belgium-terror-suspects-planned-to-seize-passenger-bus.html; accessed 3 April 2015.
18 (U); Verviers: What the Terrorist Suspects under Surveillance Were Saying;
http://www.rtl.be/info/belgique/societe/verviers-voici-ce-que-les-terroristes-presume; accessed 6 April 2015.
19 (U); OSC; EUL2015021764970267; 17 February 2015. 20 (U); Inside the ISIS Plot to Attack the Heart of Europe; http://www.cnn.com/2015/02/13/europe/europe-belgium-
isis-plot/; accessed 20 March 2015.
21 (U); OSC; TRR2014092201178788; 22 September 2014. 22 (U); Belgian Operation Thwarted ‘Major Terrorist Attacks,’ Kills 2 Suspects; http://www.cnn.com/2015/01/15/
world/belgium-anti-terror-operation/; accessed 13 April 2014.
23 (U); Verviers: What the Terrorist Suspects under Surveillance Were Saying; http://www.rtl.be/info/belgique/societe/
verviers-voici-ce-que-les-terroristes-presumes-sous-ecoute-se-disaient-693909.aspx; accessed 18 March 2015.
24 (U); Verviers: What the Terrorist Suspects under Surveillance Were Saying; http://www.rtl.be/info/belgique/
societe/verviers-voici-ce-que-les-terroristes-presumes-sous-ecoute-se-disaient-693909.aspx; accessed 18 March 2015.
21 (U); OSC; TRR2014092201178788; 22 September 2014. 22 (U); Belgian Operation Thwarted ‘Major Terrorist Attacks,’ Kills 2 Suspects; http://www.cnn.com/2015/01/15/
world/belgium-anti-terror-operation/; accessed 13 April 2014.
23 (U); Verviers: What the Terrorist Suspects under Surveillance Were Saying; http://www.rtl.be/info/belgique/societe/
verviers-voici-ce-que-les-terroristes-presumes-sous-ecoute-se-disaient-693909.aspx; accessed 18 March 2015.
24 (U); Verviers: What the Terrorist Suspects under Surveillance Were Saying; http://www.rtl.be/info/belgique/
societe/verviers-voici-ce-que-les-terroristes-presumes-sous-ecoute-se-disaient-693909.aspx; accessed 18 March 2015.
25 (U); OSC; EUL2015012064970018; 20 January 2015. 26 (U); Belgium Confronts the Jihadist Danger Within; http://www.nytimes.com/2015/01/25/world/europe/belgium-
confronts-the-jihadist-danger-within.html; accessed 3 April 2015.
27 (U); Inside the ISIS Plot to Attack the Heart of Europe; http://www.cnn.com/2015/02/13/europe/europe-belgium-
confronts-the-jihadist-danger-within.html; accessed 3 April 2015.
27 (U); Inside the ISIS Plot to Attack the Heart of Europe; http://www.cnn.com/2015/02/13/europe/europe-belgium-
isis-plot/; accessed 20 March 2015.
28 (U); Belgium Terror Group Planned to Kill Police Officers; http://www.telegraph.co.uk/news/worldnews/europe/
belgium/11349805/Belgium-terror-suspects-planned-to-seize-passenger-bus.html; accessed 3 April 2015.
28 (U); Belgium Terror Group Planned to Kill Police Officers; http://www.telegraph.co.uk/news/worldnews/europe/
belgium/11349805/Belgium-terror-suspects-planned-to-seize-passenger-bus.html; accessed 3 April 2015.
29 (U); OSC; EUN201502094762159; 31 January 2015. 30 (U); Belgian Police Admit Seeking Wrong Man as Vervier Shooutout Jihadists Named; http://www.telegraph.co.uk/
news/worldnews/europe/belgium/11362093/Belgian-police-admit-seeking-wrong-man-as-Vervier-shooutout-jihadists-named.html; accessed 13 April 2015.
news/worldnews/europe/belgium/11362093/Belgian-police-admit-seeking-wrong-man-as-Vervier-shooutout-jihadists-named.html; accessed 13 April 2015.
31 (U); OSC; EUN201502094762159; 31 January 2015. 32 (U); Terrorist Threat – Dismantled Verviers Terrorist Cell: 4 Suspects Face Council Chamber;
http://www.thebrusselstimes.com/belgium/terrorist-threat-dismantled-verviers-terrorist-cell-4-suspects-face-
council-chamber/; accessed 1 April 2015.
33 (U); Belgium Confronts the Jihadist Danger Within; http://www.nytimes.com/2015/01/25/world/europe/belgium-
confronts-the-jihadist-danger-within.html; accessed 3 April 2015.
http://www.thebrusselstimes.com/belgium/terrorist-threat-dismantled-verviers-terrorist-cell-4-suspects-face-
council-chamber/; accessed 1 April 2015.
33 (U); Belgium Confronts the Jihadist Danger Within; http://www.nytimes.com/2015/01/25/world/europe/belgium-
confronts-the-jihadist-danger-within.html; accessed 3 April 2015.
34 (U); OSC; EUL2015011674541100; 16 January 2015. 35 (U); OSC; EUR2015012167949567; 21 January 2015.
Images of the moment suspect in Paris attacks was captured.