(U//FOUO) DHS-FBI-NCTC Bulletin: Tactics, Techniques, and Procedures Used in March 2016 Brussels Attacks

The following document was obtained from the public website of a prominent disaster recovery network.

Tactics, Techniques, and Procedures Used in the 22 March 2016 Brussels Attacks

Page Count: 9 pages
Date: April 12, 2016
Restriction: For Official Use Only
Originating Organization: Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center
File Type: pdf
File Size: 254,019 bytes
File Hash (SHA-256): 5840AF768DA275DAA059648BFFF85B2E314544AA07F275459392D11BD4CF6602


Download File

(U//FOUO) This Joint Intelligence Bulletin (JIB) is intended to provide a review of the tactics, techniques, and procedures demonstrated by the perpetrators of the 22 March 2016 attacks in Brussels, Belgium. The analysis in this JIB is based on statements by European government and law enforcement officials cited in media reporting and is subject to change with the release of official details from post-incident investigations. This JIB is provided by DHS, FBI, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, first responders and private sector partners in deterring, preventing, preempting, or disrupting terrorist attacks against the United States.

(U//FOUO) Attacks in Brussels Reaffirm ISIL’s Ability to Conduct Complex Attacks in Europe

(U//FOUO) DHS, FBI, and NCTC assess the 22 March 2016 attacks in Brussels, Belgium targeting Zaventem International Airport and the Brussels Metro system—for which the Islamic State of Iraq and the Levant (ISIL) has claimed responsibility—demonstrate the group’s continued ability to conduct complex, coordinated attacks in Western Europe using multiple operatives and relatively simple tactics. We are not aware of any direct links to the Homeland; however, radicalized individuals inspired by ISIL operating alone or in small groups continue to have the ability to conduct relatively unsophisticated attacks with little to no warning in the United States.*

(U//FOUO) We judge the Brussels attackers probably conducted preoperational surveillance, did some level of tactical planning, and had familiarity with the targets prior to the attack, but may have expedited their plans after the arrest—several days prior in Belgium—of the sole surviving attacker involved in the November 2015 Paris attacks. We further assess the large amount of explosives used, willingness to operate despite well-publicized efforts by security officials to locate potential ISIL operatives, and the use of operational security to avoid law enforcement detection during the preoperational phase indicate some level of training. The attackers were part of an extensive support network and infrastructure in Belgium that also conducted the Paris attacks. This same network may have allowed the operatives to acquire materials and false documents, fabricate explosives, and may have facilitated connections with individuals based in Syria.

(U//FOUO) Attack Overview: On 22 March 2016, at least four and as many as five operatives divided into two teams that detonated homemade explosive devices estimated to contain between 30 and 60 pounds of triacetone triperoxide (TATP) at Brussels Zaventem International Airport and onboard a train in the Brussels subway, killing at least 32 and injuring over 300. Two operatives at the airport and one individual at the metro conducted suicide operations, which also resulted in over a dozen American casualties, including at least two deaths. Belgian authorities have arrested a man believed to be the third operative seen in CCTV footage at the airport and are investigating the possibility of an accomplice at the metro prior to the explosion.

(U) Airport Attack: At approximately 0758 local time, two improvised explosive devices (IEDs) believed to have been concealed in luggage detonated seconds apart in the passenger check-in area for several international airlines, including a US carrier. The attackers did not attempt to enter areas where their bags would be subject to security screening. Authorities later found a third viable device at the airport, which Belgian officials speculate might have been designed to target first responders, according to a statement from the Belgian federal prosecutor to the press. The device was later detonated by explosive ordnance disposal technicians. The third alleged operative at the airport was seen in security footage with the two suicide operatives in the moments prior to the attack, but he fled the scene and was arrested by Belgian authorities on 8 April.

(U) Subway Attack: Approximately 80 minutes after the airport explosions, at 0910 local time, an explosion occurred on a train as it departed the Maelbeek metro station, killing 13, according to the Brussels transit operator STIB. At least one operative, possibly aided by a second operative, entered the Maelbeek metro station and boarded the middle car of the three-car train, according to Belgian officials cited in media reporting., The blast occurred during morning rush hour near the European Union buildings, raising the possibility the operatives were targeting European government employees.

(U) Importance of Suspicious Activity Reporting

(U//FOUO) We encourage reporting of suspicious activity to appropriate authorities and encourage our homeland security, military, law enforcement, first responders, and private sector partners to remain vigilant. We face an increased challenge in detecting in-progress terrorist plots by individuals or small groups acting quickly and independently or with only tenuous ties to foreign handlers. Pre-operational indicators are likely to be difficult to detect; therefore, state, local, tribal, territorial, and private sector partners play a critical role in identifying and reporting suspicious activities and raising the awareness of federal counterterrorism officials.

(U//FOUO) The acquisition of materials for constructing an explosive device, a necessary stage in the execution of any IED attack, offers an opportunity for detection and disruption of plots. Thus, it is critical that point-of-sale employees understand how their products can be misused and are trained to recognize indicators of suspicious purchases and methods of reporting this information.

» (U//FOUO) In May 2015, a tip by a vigilant hardware store clerk to local police about a potentially suspicious purchase of an explosive precursor led German authorities to foil a possible attack against a major sporting event in the country after a couple purchased an unusually large amount of hydrogen peroxide. German authorities later discovered the couple presented fraudulent credentials and were associated with the local violent extremist community in Germany.

» (U//FOUO) The FBI arrested Saudi national Khalid Aldawsari in late February 2011 after he attempted to purchase a highly concentrated phenol solution—a precursor for the explosive trinitrophenol or picric acid—and raised suspicions of a freight company in Texas after the delivery of an unexpected package from a North Carolina chemical company. Aldawsari attempted to bypass the chemical company’s restriction on sending shipments to an individual or a residence, but he did not have permission from the freight company to have the package delivered. Aldawsari was sentenced to life in prison in June 2012 for attempted use of a weapon of mass destruction, according to a January 2014 FBI press release from the US Court of Appeals affirming his conviction.

Share this:

Facebooktwitterredditlinkedinmail