(U//FOUO) DHS Report: Small Unit Tactics in Terrorist Attacks

TRIPwire Information Product – Small Unit Tactics and the Implications for the Homeland

  • 6 pages
  • For Official Use Only
  • September 1, 2010


Small Unit Tactics in Prominent Terrorist Attacks
26-29 November 2008: Mumbai, India

  • On 26 November 2008 ten terrorists from the radical Islamic group Lashkar-e-Taiba (LET) carried out a large-scale coordinated attack against multiple targets in downtown Mumbai, India. The attacks on Mumbai lasted for over 24 hours.
  • The attackers conducted preoperational surveillance to aid in the execution of their attacks. The terrorists involved in the attacks arrived via a hijacked boat which allowed them to transport a large amount of weapons and operatives intothe city avoiding security checkpoints. The attackers were clean shaven, wearing Western style clothes to blend in with the local community, and utilized back alleys or rear entrances to facilities to avoid armed security guards.
  • The terrorists broke into five teams of two and utilized five taxis to transport them to their targets. Two of the groups emplaced an improvised explosive device (IED) in two different taxis. The devices detonated after the terrorists left the vehicles later that evening. Upon arriving at their targets the terrorists opened fire indiscriminately at anyone in the area. The attacks were synchronized and coordinated, suggesting a high level of sophistication in training, planning, and execution.
  • Each terrorist was armed with small arms (assault rifles) and grenades or other explosives. Additionally, they carried backpacks with extra ammunition magazines, snacks, credit cards, cash, and satellite and cell phones.
  • The small units attacked soft targets with minimal security measures and large concentrations of people. They attacked a crowded train station, a restaurant, two hotels, a gas station, and a Jewish community center, among other targets.
  • While attacking the three main targets, two hotels and the Jewish community center, the terrorists moved throughout the facilities continuously making it difficult for law enforcement and security personnel to track them and stop the attack. According to government reports, the attackers created defensive positions, turned off lights, started fires, and emplaced several IEDs in an effort to disrupt rescue operations.v
  • The terrorists used satellite phones, cell phones, and voice over internet protocol (VOIP) technologies to remain in constant contact with their handlers in Pakistan throughout the attacks, who were monitoring the attack through open source media outlets in near real time.
  • Terrorists fought to the death and were not open to negotiations, nor did they present a list of demands.
  • At the conclusion of the attacks, 188 people were killed, including 9 of the terrorists, and 372 were injured. The Mumbai 2008 attack is the most successful terrorist attack utilizing small unit tactics in recent history.

Domestic Use of Small Unit Tactics

To date, the United States has not witnessed a successful terrorist attack utilizing small unit tactics. Migration of TTPs related to the use of explosives have been seen in examples such as the World Trade Center bombing in 1993, the 2009 plot to detonate IEDs within the New York subway system, and the attempted Christmas Day airline bombing in 2009. Therefore, the same TTPs proven successful overseas such as in Mumbai or in Afghanistan could be adopted for use in the United States.

Fort Dix Plot (2007)

  • In 2007, six men were arrested for planning to carry out attacks against the Fort Dix military base in New Jersey. The men intended to utilize small arms, rocket propelled grenades, and explosives to kill as many soldiers as possible at Fort Dix, utilizing smallunit tactics.
  • The men conducted preoperational surveillance, using jobs for pizza delivery services as cover, which provided access to the facility. They trained with small arms in remote areas of the Poconos Mountains in Pennsylvania.
  • The plot was uncovered when the men brought a video of themselves training with weapons to a Circuit City store for conversion and an alert clerk notified authorities.

Terrorist Training Material on the Internet

Various small cells and individuals planning terrorist attacks have been known to communicate and view radical Islamic forums over the Internet. Numerous al-Qaeda training manuals and terrorist websites discuss the use of small unit tactics in a variety of languages on the Internet for inspiration and widespread dissemination. Several documents and forum posts were produced before and in the aftermath of the Mumbai attacks calling for small-unit tactics to be used by Islamic extremist terrorists throughout the world.

Some examples of translated Arabic-language material from extremist websites include:

  • “The officer warned of what he described as a ‘Judgment Day Scenario’ represented by numerous, mobile incidents carried out by ‘armed suicide terrorists’ who possess the capability – with lightning speed – to kill many souls before anyone is able to specify the threat and to respond effectively.”
  • In a document describing “Special Forces” a commenter provides the following advice on the size of attacking groups: “A unit might be composed of five people at the most, and the number may be as low as two or, in some cases, the execution team for the operation might consist of a sniper alone.”

According to a DHS and FBI Note, a compact disc (CD) was seized by European authorities in 2008 that discussed tactics taught in al-Qaeda training camps for attacking publicly accessible buildings and called for similar tactics used in Mumbai and other small-unit terrorist attacks. The CD recommended terrorists to assemble a team of 12 individuals, each armed with an assault rifle and grenades and carrying approximately 40 pounds of explosives. The CD also discusses the tactic of storming a building, sealing off escape and access points, and occupying it long enough to set and detonate explosives before law enforcement can respond.

Recommended Protective Measures Against Small-Unit Attacks

Private sector security and law enforcement agencies can utilize protective measures to help disrupt, or mitigate a terrorist attack in multiple phases. The various phases of a terrorist attack
include surveillance, target selection, infiltration, accessing the target, and engagement with
security forces.


  • Train staff to be aware of unusual events or activities (e.g. individuals loitering for no apparent reason, sketching, pace counting).
  • Report any individual taking photographs or video-taping venues, in particular those focused on access routes or paths into the venues (e.g. alleys, trails, etc.) obstructed to local law enforcement or facility security personnel.
  • Install and monitor closed circuit television (CCTV) cameras at all venues covering multiple angles and access points.
  • Develop a process for capturing images from CCTV photographs and video for comparison against Terrorist Watch Lists, and for further distribution to established command posts.
  • When possible, establish random security patrols to disrupt potential surveillance efforts.
  • If possible, establish or enhance Business Neighborhood Watch Programs.

Target Selection:

  • Establish security at venue access points and potential approach routes.
  • If possible, randomly alter delivery entrances to venues to avoid developing discernable patterns.
  • Avoid widely distributing site blueprints or schematics and ensure those documents are kept secured.
  • Prepare for upcoming facility or area special events and dignitary visits.
  • Know your facilities’ vendors.


  • If a maritime approach is a feasible method of attack, deploy adequate harbor patrols and increase awareness.
  • Establish or reinforce surveillance detection and awareness programs for waterfront businesses and residents to identify and report unusual activity.
  • Encourage local population to increase vigilance and report unusual behavior.
  • When a maritime threat exists, establish check points or other access control measures for all vessels.
  • Require all vessels to positively identify themselves prior to entering the port area.
  • Increase planning, exercises, and coordination between the Captain of the Port and

Federal, State and local law enforcement agencies.
Accessing the Target:

  • Establish an outer perimeter at target sites to deny access or intercept potential assailants.
  • Establish a credentialing process for facilities.
  • Conduct background checks on all employees, if possible.
  • Ensure security personnel and security measures are in place at all access points.
  • Develop an emergency lock down procedure to critical parts of the facility (e.g. automatic locking mechanisms of access doors and windows to critical sites).
  • Establish safe rooms within the confines of the venue/facility.
  • Establish communication messages to be broadcast over intercoms to instruct personnel on immediate actions.

Engagement with Security Forces:

  • Encourage local law enforcement to meet with key staff at venues to assist in the development of emergency evacuation and lock down procedures.
  • Ensure personnel are familiar with emergency evacuation and emergency lock down procedures.

Share this: