You are on page 1of 112

FOR OFFICIAL USE ONLY/ Version 17.

3DRAFT
LAW ENFORCEMENT SENSITIVE

NATIONAL PLANNING SCENARIOS:


Attack Timelines
Created for Use in National, Federal, State,
and Local Homeland Security Preparedness Activities

February 2006
This page intentionally left blank.
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Contents

Introduction................................................................................................................................ ii
Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device................................ 1-1
Scenario 2: Biological Attack – Aerosol Anthrax..................................................................... 2-1
Scenario 3: Biological Disease Outbreak – Pandemic Influenza............................................... 3-1
Scenario 4: Biological Attack – Plague.................................................................................... 4-1
Scenario 5: Chemical Attack – Blister Agent ........................................................................... 5-1
Scenario 6: Chemical Attack – Toxic Industrial Chemicals...................................................... 6-1
Scenario 7: Chemical Attack – Nerve Agent............................................................................ 7-1
Scenario 8: Chemical Attack – Chlorine Tank Explosion......................................................... 8-1
Scenario 9: Natural Disaster – Major Earthquake..................................................................... 9-1
Scenario 10: Natural Disaster – Major Hurricane................................................................... 10-1
Scenario 11: Radiological Attack – Radiological Dispersal Devices ...................................... 11-1
Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices................. 12-1
Scenario 13: Biological Attack – Food Contamination........................................................... 13-1
Scenario 14: Biological Attack – Foreign Animal Disease (Foot-and-Mouth Disease) ........... 14-1
Scenario 15: Cyber Attack..................................................................................................... 15-1
Appendix: Scenario Working Group Members ....................................................................... A-1

Contents i
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Introduction
The Federal interagency community has developed 15 all-hazards National Planning
Scenarios for use in national, Federal, State, and local homeland security preparedness
activities. The scenarios are planning tools and represent the range of potential terrorist
attacks and natural disasters and the related impacts that face our Nation. The objective
was to develop a minimum number of credible scenarios to establish the range of
response requirements to facilitate preparedness planning.

Value of the Scenarios to State and Local Leaders


The scenarios were designed to help state and local leaders further develop their capacity
to prevent acts of terrorism within their communities and to prepare response capabilities
to an event should it occur.

These scenarios reflect a rigorous analytical effort by Federal homeland security experts,
with reviews by State and local homeland security representatives. However, refinement
and revision will be necessary over time to ensure that the scenarios remain accurate,
represent the evolving all-hazards threat picture, and embody the capabilities necessary to
respond to domestic incidents. In keeping with the congressional mandate that terrorist
threats must be “current and real”, the Department of Homeland Security (DHS) is
developing a Universal Adversary (UA) database to host and maintain terrorist threat
models. At present, the UA database contains six distinct categories of terrorist threats,
fifteen specific terrorist group profiles, dossiers on key terrorist actors, in-depth
descriptions of tactics employed by each group, and sufficient background information
for the generation of exercise related intelligence.

The National Planning Scenarios and the Universal Adversary


(UA) as Tools in the Capabilities-Based Planning Process

Capabilities-Based Planning
In seeking to prepare the Nation for terrorist attacks, major disasters, and other
emergencies, it is impossible to maintain the highest level of preparedness for all
possibilities all of the time. Given limited resources, managing the risk posed by major
events is imperative. In an atmosphere of changing and evolving threats, it is vital to
build flexible capabilities that will enable the Nation to prevent, respond to, and recover
from a range of major events. To address this challenge, DHS employs a capabilities-
based planning process that occurs under uncertainty to identify capabilities suitable for a
wide range of challenges and circumstances. The process also works within an economic
framework that necessitates prioritization and choice. As one of the principal tools in the
capabilities-based planning process, the National Planning Scenarios provide a bounded
threat universe to address the question: “How prepared do we need to be?” Figure 1
depicts the relationship between the scenarios and the other capabilities-based planning
tools. As a first step in the capabilities-based planning process, the scenarios, while not
exhaustive, provide an illustration of the potential threats for which we must be prepared.
The scenarios and the UA database will be used to assess relative risk for the capabilities-
Introduction ii
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

based planning process and provide a framework for appropriately designing and scaling
exercises specific to location and population characteristics.

NATIONAL LEVEL POLICY & PLANNING GUIDANCE

NATIONAL UNIVERSAL TARGET


PLANNING TASK LIST CAPABILITIES
LESSONS SCENARIO LIST
LEARNED With UA Detail
INFORMATION What Capabilities are
How Prepared do we What are the Critical
SYSTEM need to be? Tasks?
needed to perform
DATABASE Critical Tasks?

Figure 1. Tools for the Capabilities-Based Planning Process

HSPD-8 Implementation
The scenarios and the UA database will be used in the implementation of Homeland
Security Presidential Directive (HSPD)-8 “National Preparedness,” including the
development of the National Preparedness Goal and National Exercise Program. In
helping to develop the National Preparedness Goal, the scenarios and the UA database
provide the foundation for identifying the capabilities across all mission areas and the
target levels of those capabilities needed for effective prevention of, response to, and
recovery from major events. Figure 2 illustrates how the scenarios, UA, Target
Capabilities List (TCL) and the Universal Task List (UTL) leads planners at all
jurisdictional levels to identify common tasks and capabilities for a given mission area,
in this instance the Prevention Mission .

LOCALIZED THREAT, STATE, LOCAL & TRIBAL


TARGET CAPABILITIES & CRITICAL TASKS
NPS
PREQUEL CRITICAL TARGET
WITH TASKS CAPABILITIES
UA DETAIL

PREVENTION MISSION AREAS


INFO GATHERING & INTELLIGENCE INTELLIGENCE/INFO CBRNE LAW ENFORCEMENT
RECOGNITION OF ANALYSIS AND SHARING AND DETECTION INVESTIGATION &
I&W PRODUCTION DISSEMINATION OPERATIONS

Figure 2. Capabilities-Based Planning and the Prevention Mission

Introduction iii
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

National Planning Scenarios, UA, Red Teams in the National Exercise


Program
In addition to their use as tools in the capabilities-based planning process, the scenarios
and the supporting UA also provide the design basis for exercises in the National
Exercise Program (NEP). Used as a common foundation for exercise development, the
scenarios complemented by current threat information from the UA database ensures
exercise participants focus on performing the appropriate critical tasks and will assess
capabilities linked to specific homeland security mission areas. The UA detail provided
in the following scenarios provides examples of how terrorist groups (or individuals)
having the capability, motivation and intent could execute an attack to achieve the
outcomes described at the beginning of each scenario. To address exercise design
requirements specific to an individual exercise or exercise series, scenario threat models
can be modified using current threat information from the UA database. There may be
instances when assessing mission critical tasks and capabilities requires employment of
analytical or operational Red Teams. The use of Red Teams is prescribed by the
National Strategy for Homeland Security. Through the application of homeland security
intelligence and information, Red Teams view the United States from the perspective of
terrorists to discern and predict the methods, means, and targets of potential attackers
during government sponsored exercises.1 Red Teams are comprised of individuals
selected for their special subject-matter expertise, perspective (professional, cultural),
imagination, and penchant for critical analysis. Red Team members have access to
terrorism subject matter experts, intelligence and law enforcement professionals
throughout the world, and receive extensive cultural and tactical training in preparation
for each exercise event.

Employing the Scenarios, UA and Red Team in Prevention Exercises


Figure 3 provides an example of how the scenarios and the UA are related to the
capabilities-based planning process; how the scenarios and UA are used in conjunction
with the capabilities-based planning tools to assist state, local and tribal government
planning and exercise design and; how the scenarios, the UA and Red Teams are used
during the exercise lifecycle of a Prevention Exercise.

1
Office of Homeland Security. National Strategy for Homeland Security. July 2002.

Introduction iv
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

NATIONAL LEVEL POLICY & PLANNING GUIDANCE

NATIONAL UNIVERSAL TARGET


PLANNING TASK LIST CAPABILITIES
SCENARIO LIST
with UA Detail

What Capabilities are


How Prepared do we What are the Critical
LESSONS needed to perform
need to be? Tasks?
LEARNED Critical Tasks?
INFORMATION
SYSTEM
DATABASE LOCALIZED THREAT, STATE, LOCAL & TRIBAL
TARGET CAPABILITIES & CRITICAL TASKS
NPS
PREQUEL CRITICAL TARGET
WITH TASKS CAPABILITIES
UA DETAIL

PREVENTION MISSION AREAS


INFO GATHERING & INTELLIGENCE INTELLIGENCE/INFO CBRNE LAW ENFORCEMENT
RECOGNITION OF ANALYSIS AND SHARING AND DETECTION INVESTIGATION &
I&W PRODUCTION DISSEMINATION OPERATIONS

- Exercise
Goals & Objectives
- Participant Lists
- Defined Levels of Play
- Planning Teams And
Work Group Roles &
Responsibilities

PREVENTION EXERCISE
REQUIREMENTS
- DHS Liaison with State, Local ,
Tribal Jurisdictions
- Concept Development Conferences
- Universal Adversary (UA), Red
Team (RT) & Red Team Operations
REPORT Center (RTOC) Orientation Briefs PLAN
- Draft Scenario
- After Action - Initial Planning Conference
- Exercise Intelligence
Report - Reconstruct Exercise Events & - Mid-Planning Conference
Sharing Environment
- Lessons Learned Intel/Info Flow - Final Planning Conference
- UA Threat Models
- Recommended - Analyze Raw Exercise Data PLANNING CONSIDERATIONS - Intel Working Group
- Red Team CONOPS
Changes to TCL & - Compile Red Team Post-Operation - Regional Threat Assessments - Scenario Working Group
- MOAs
UTL Reports - Regional Intel/Info Sharing Plans - Logistics Planning Team
and Systems - Control/Evaluation Planning Team
- Target Capabilities
- Critical Tasks
- Lessons Learned
- Possible Red Team Activities

EXERCISE TOOLS
- RTOC - EXPLAN
ASSESS - UA Database - Final Scenario
PREPARE
- Critical Task - Compare Exercise Outcomes with - On-line, Distributed MSEL Tool - RT Target Intelligence
- Final Logistics Coordination
Performance Exercise Goals and Objectives - SIMCELL Packages, Operations
- Red Team Preparation
Analysis - Employ UTL to Assess - VNN and VNN.com Orders & Rules of
- Populate HSIN UA Database
- Capabilities Performance of Critical Tasks - Train Controller/Observers Data Exercise Play
Assessment - Employ TCL Performance Collectors - Exercise Intel Injects
Objectives and Measures to Assess CONDUCT - Test RTOC Connectivity with & Products
Capabilities - Move, Counter-move Prevention Regional Fusion Centers - MSEL
Exercise (TTX, CPX and/or FSE)

- Red Team Operations (Analytical or


Tactical Depending on Type of
Exercise

- Controller, Data
Collector, Observer
Forms
- HSEEP Exercise
Evalution Guides
- Annotated MSEL

PREVENTION EXERCISE LIFECYCLE


Figure 3. Capabilities-Based Planning and Prevention Exercise Lifecycle
Introduction v
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Considerations

Although not meant to be all-inclusive, the scenarios provide a basic set of common
homeland security events and their related impacts that can be employed at the national
level or by state, local and tribal jurisdictional authorities. Employing up-to-date
information from the UA database, the scenarios have been developed so that they can be
adapted to local conditions. Agencies will not be limited to this set of scenarios, and they
can exercise scenarios that are not included in the planning set. However, the scenarios
provide a mutual starting point for agencies that exercise the basic events included in this
set.

Intelligence Disclaimer
Although the scenarios generally reflect possible terrorist capabilities and known
tradecraft, neither the intelligence community nor the law enforcement community is
aware of any credible specific intelligence that indicates that such an attack is being
planned, or that the agents or devices in question are in possession of any known terrorist
group.

Relative Grouping of Scenarios


Various schemes have been used to rank scenarios based on probability, number of
casualties, extent of property damage, economic impact, and social disruption. Because
the scenarios in this set were developed to test the full range of response capabilities and
resources—and to assist Federal, State, and local governments as well as the private
sector in preparing for such events—they have not been ranked.

The groupings of UA elements with specific scenarios are not intended to isolate
potential terrorist threats to an individual type or class of terrorist element. Instead, the
use of different UA elements is intended to illustrate the many types of capabilities and
motivations that might exist.

Multiple Events
In preparedness planning efforts, organizations should always consider the need to
respond to multiple incidents of the same type and multiple incidents of different types, at
either the same or other geographic locations. These incidents will invariably require the
coordination and cooperation of homeland security response organizations across
multiple regional, State, and local jurisdictions.

Introduction vi
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 1:

Nuclear Detonation ―
10-kiloton Improvised
Nuclear Device
Casualties Hundreds of thousands
Infrastructure Damage Total within radius of 0.5 to 3 miles
Evacuations/Displaced Persons 100,000 in affected area seek shelter in safe areas
(decontamination required for all before entering
shelters)
250,000 instructed to shelter in place as plume
moves across region(s)
1 million+ self-evacuate from major urban areas
Contamination Approximately 3,000 square miles
Economic Impact Hundreds of billions of dollars
Potential for Multiple Events No
Recovery Timeline Years

Scenario General Description

In this scenario, terrorist members of the UA group—represented by two radical Sunni


groups: the core group El-Zahir (EZ) and the affiliated group Al Munsha’a Al Islamia
(AMAI)—plan to assemble a gun-type nuclear device using Highly Enriched Uranium
(HEU) stolen from a nuclear facility located in Pakistan. The nuclear device components
will be smuggled into the United States. The device will be assembled near a major
metropolitan center. Using a delivery van, terrorists plan to transport the device to the
business district of a large city and detonate it.

UA Operatives and Group Profiles

UA Group Profiles

For detailed profiles of EZ and AMAI, please see the Global Salafist Jihad (GSJ) group
profiles section in the UA Threat Category package (pages 1-22, 23-37, 60-66).

UA Operatives
Adil Abu Wajid: Somail EZ cell leader
Rhanjeev Khan: Pakistani weapons engineer
Technician 1: Pakistani assist weapons engineer
Technician 2: Pakistani assist weapons engineer

Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device 1-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Jose Ebrahim: Mexican-American EZ cell leader of Lebanese descent


Tasos Thanasopoulos: Greek freighter captain, smuggler, truck driver
Abbas Fahim: Saudi Arabian suicide bomber, EZ
Badi Al Tayyib: Saudi Arabian suicide bomber, EZ
EZ Central Command: N/A (assume Al Zaman and his lieutenants)

Detailed Attack Scenario

Current intelligence suggests that EZ may be working with AMAI to develop an


Improvised Nuclear Device (IND). It is suspected that special training camps in the
Middle East have been established for IND training. Some IND manuals have also been
confiscated from suspected EZ operatives. The volume of communications between EZ
and AMAI operatives has increased significantly in past 2 weeks.

EZ operatives have spent 10 years acquiring small amounts of HEU. Operatives acquired
the material by posing as legitimate businessmen and by using ties to ideologically
sympathetic Pakistani nuclear scientists. EZ plans to construct a simple gun-type nuclear
device and detonate the weapon at a symbolic American location.

EZ Central Command initiates the operation. To preserve operational effectiveness at all


levels, compartmentalization and secrecy are required. Due to fears of penetration, EZ
has become increasingly discreet in its decision-making process, with few operatives
informed of the next target. Target selection, preparation, and acquisition are confined to
a small number of terrorist operatives.

UA Execution Timeline

D-Day Minus 365 (D-365)


Adil Abu Wajid is the cell leader designated by EZ Central Command to oversee the
collection of HEU and the construction and assembly of the weapon components.
Additionally, Wajid will be responsible for shipping components and key personnel to
North America.

D-355
Wajid contacts AMAI operatives in Somalia. The AMAI group has training facilities
located near Ras Kambonmi in Southern Somalia. Fears of a U.S. strike compelled the
group to operate in newer and more covert locations than previously used.
1
AMAI provides Wajid access to underground facilities in Somalia. The EZ cell will
build and assemble its IND in this facility with the help of Rhanjeev Khan, a Pakistani
nuclear weapons engineer. AMAI also provides assistance from its financial network to
funnel funds and uses legitimate business contacts to transport weapon components to
Mexico or the United States.

1
This symbol denotes an I&W opportunity.

Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device 1-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Wajid oversees the creation of an assembly and test operation center in the underground
bunker, which is staffed by Khan and two technicians.

D-320
*
EZ has acquired three polonium-beryllium neutron generators, chemical high-explosive
propellants, several solid surrounding shells (tampers), detonation electronics, timers,
shielding material (2-inch thick lead canisters), and other hardware and test equipment
necessary for the assembly, integration, and testing of at least two gun-type nuclear
devices. The equipment is transported to the Somali bunker.

EZ Central Command decides on ground zero: the center of a U.S. city.

D-260
The Somalia team begins assembly of two nearly complete weapons systems, each
tailored to house 25 kilograms of enriched HEU.

Wajid begins developing plans to ship components and personnel to Mexico and the
United States.

D-230
EZ Central Command contacts Jose Ebrahim, a Mexican-American, who will execute the
operations in the United States and Mexico. Ebrahim has been living in the target city’s
suburbs for several years. He will provide a safe house and means of transportation. He
will also transport weapons and key personnel to the safe house, assemble the weapons,
and execute the attack. EZ Central Command directs Ebrahim to acquire a safe house in a
rural area within 2 hours driving time to the center of the city and to rent a warehouse in
an industrial area.

D-215
*
Ebrahim makes contact with a Mexican friend who is involved in regional drug
distribution. Ebrahim arranges to assist in local distribution for a limited amount of time
to secure operational funds. Ebrahim keeps his friend isolated from the operation and
simply states that he is in need of additional money due to personal financial hardship.

D-180
*
Ebrahim purchases a used delivery van with the funds accrued through narcotics
distribution and registers the car in his own name.

D-120
*
EZ operatives coordinate with the two Pakistani scientists to steal the last required 5
kilograms of HEU from the Pakistani nuclear facility. They also consolidate all of the
HEU, which now totals 25 kilograms, and carefully shield and package it for shipping.
The HEU is then transported to the bunker in Somalia.

The Somali team continues to work on the weapon components.

Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device 1-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-60
The Somali team builds two nearly complete device systems with enough HEU for one
functioning device. As a final test of the components, Khan assembles the complete
device to check the fit of the components. He then disassembles it and reassembles the
device with the second set of components. He disassembles that device and carefully
cleans all of the electronics, hardware, and HEU to remove any trace of chemical
propellant contamination.

Through the use of a Hotmail “draft e-mail folder,” Wajid reports to the EZ Central
Command that the nuclear device is ready.

D-59
*
Wajid and AMAI operatives finalize plans to transport the material and key personnel to
the United States. The equipment will be broken down into eight different packages: two
sets of hardware, two sets of electronics, two separate packages of propellant (enough for
two nuclear devices), a neutron source, and the HEU. The four packages of hardware and
electronics will be labeled as “electronic equipment” and shipped to businesses operated
by EZ sleeper cells in the United States. The other four packages will be shipped to
Mexico to members of an EZ sleeper cell. They will transfer the packages to appropriate
contacts for smuggling into the United States. Khan will fly to Mexico and cross the
border into the United States with a group of illegal immigrants.

EZ Central Command notifies Ebrahim of the plan to ship weapons components and key
personnel, and informed him about the final operation. Ebrahim provides information to
EZ Central Command about appropriate sleeper personnel who will receive the packages
in the United States and Mexico. Members of the sleeper cell in Mexico will accept
delivery of the four packages being shipped to Tampico and then transfer the three
packages of propellant and neutron source to a designated trucker. The HEU package will
be transferred to Ebrahim for transport into the United States. Ebrahim also provides the
contact information for the appropriate person running illegal border crossing operations
in Mexico. This person will smuggle Khan across the border to a designated pickup
location near Laredo, Texas. Ebrahim will meet Khan there and take him to Virginia.

D-50
*
Ebrahim coordinates arrangements to have the Mexican members of EZ to pick up the
packages from a Greek freighter and deliver them to a specific location. He also makes a
payment to the smuggler who will transport Khan across the border.

D-40
*
Wajid oversees the operation to break down the device components and package them
for shipping to the United States and Mexico. The HEU is encased in a 2-inch thick
depleted uranium canister.

The four packages containing the propellant, neutron source, and HEU are shipped via a
bribed Greek freighter captain, Tasos Thanasopoulos, to Tampico, Mexico.

Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device 1-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

The four packages containing the device electronics and hardware, falsely labeled as
various items of electronic equipment, are shipped through legitimate AMAI business
channels to several small, legitimate businesses operated by members of a U.S. EZ
sleeper cell who are identified by Ebrahim as points of receipt.

D-37
*
Khan, using his real name, departs on a plane with reservations to attend a technical
conference in Mexico City. He is informed to contact a specific smuggler who will
arrange a border crossing, and he will meet another EZ operative on the U.S. side.

D-36
*
Ebrahim arrives in Mexico to confirm arrangements and the final payment with the
human smuggler. He finds a commercial truck driver who routinely transports goods
across the U.S.-Mexican border and bribes him to pick up the packages from Ebrahim’s
sleeper agents and transport them to a warehouse in Northern Virginia.

D-35
*
Khan arrives in Mexico and contacts the smuggler. He will cross the U.S. border near
Laredo, Texas, with a group of illegal immigrants.

D-31
*
EZ sleeper cell operatives meet the Greek freighter in Tampico and pick up the
packages. They take the packages to the designated location for transfer to Ebrahim and
the truck driver.

Ebrahim picks up the HEU encased in a 2-inch thick depleted uranium canister and hides
it in the rear of his delivery van. He claims to be returning from a visit with relatives in
Mexico and successfully smuggles the HEU into the United States. He drives to Laredo,
Texas, to wait for Khan.

D-30
*
Khan successfully crosses the Mexican border near Laredo with a group of illegal
immigrants and is picked up by Ebrahim. They begin their 1,800-mile drive to Virginia.

D-29
*
The driver of the 18-wheeler successfully crosses the U.S. border at Laredo without any
challenges.

D-27
Ebrahim and Khan arrive at the safe house in rural Virginia.

Ebrahim uses the van he purchased to make several trips to pick up the weapons
components that were shipped to EZ sleeper cell businesses.
*
Ebrahim and Khan shave their beards and adopt casual, local apparel.

Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device 1-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-26
The 18-wheeler arrives at the warehouse and is met by Ebrahim. They unload the
packages, and the trucker departs. Ebrahim takes the components to the safe house.

D-15
*
Abbas Fahim and Badi Al Tayyib arrive in the United States on student visas. They are
EZ recruits from Saudi Arabia and have no trouble entering the country—one enters via
France, the other via Germany. They make their way to the safe house in Virginia.

D-14
The two EZ martyrs arrive at the safe house. These two young men were singled out and
recruited into the EZ martyr brigade many months ago. The martyrs are unaware of the
exact nature of the attack; however, they understand that their role is a suicide mission.

D-13
*
Pakistan discovers that 25 kilograms of HEU is missing and reports the loss to the
International Atomic Energy Agency (IAEA).

Integration of the two weapon systems is underway at the safe house.

D-12
*
The Secretary of Homeland Security—after consulting with the Secretary of Energy,
Attorney General, and Homeland Security Advisor—directs the Coast Guard and Bureau
of Customs and Border Protection (BCBP) to increase vigilance at the borders. State and
local homeland security officials are also notified of the potential threat.

D-11
Ebrahim contracts a sign vendor to produce a magnetic copier service logo, which will be
placed on the outside of the van.

D-10
Integration and test of the baseline device is complete. The three ignition circuits—the
built-in timer, a manually activated detonator, and a booby-trap device—undergo further
testing. The van is wired from the device area to the passenger seat to look like a cell
phone with a power cord. EZ Central Command begins monitoring the internet to
determine when the President will be in the White House.

D-09
The magnetic copier service logo is picked up.

D-08
Ebrahim finalizes the approach route to the target destination.

Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device 1-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-05
Khan disassembles the nuclear device; cleans all the electronics, hardware, and
components of the HEU; and reassembles the complete weapon. He uses a coded e-mail
message to notify EZ Central Command that the system is ready.

D-4
EZ Central Command uses the internet to comb regularly scheduled White House press
conferences and learns that the President will hold a Cabinet meeting on the budget in 4
days. A coded e-mail message is sent from the EZ Central Command to the safe house,
setting the detonation time as 1015 Eastern Daylight Time (EDT) on that day and
confirming the target location.

D-1
The two suicide bombers make a dry run during morning rush hour. They are instructed
to detonate a large vehicle-borne explosive in the center of the city.

D-Day 0700 EDT


The copying service logo is affixed to the outside of the van. The IND, with its shielding,
is carefully loaded into the van, and the manually activated detonator is connected. The
timer is set for 1020 EDT and will detonate regardless of the actions of either suicide
bomber.

D-Day 0725 EDT


The loaded van with the two suicide bombers heads toward downtown. Khan and
Ebrahim depart the safe house for the Canadian border. Ebrahim destroys any relevant
information or documentation related to the operation under his command and control,
and disposes of the unused equipment.

D-Day 0900 EDT


As the van approaches the downtown area, the first suicide bomber arms the detonator’s
dead-man switch.

D-Day 1015 EDT


As the target becomes visible, the suicide bombers detonate the 10-kiloton nuclear
device. Most buildings within 1,000 meters (~ 3,200 feet) of the detonation are severely
damaged. Injuries from flying debris (missiles) may occur out to 6 kilometers (~ 3.7
miles). An Electro-Magnetic Pulse (EMP) damages many electronic devices within 5
kilometers (~ 3 miles). A mushroom cloud rises above the city and begins to drift east-
northeast.

D+1
Khan and Ebrahim reach an un-patrolled section of the U.S.-Canadian border.

Scenario 1: Nuclear Detonation – 10-kiloton Improvised Nuclear Device 1-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 2:

Biological Attack ―
Aerosol Anthrax
Casualties 13,000 fatalities and injuries
Infrastructure Damage Minimal, other than contamination
Evacuations/Displaced Persons 25,000 seek shelter (decontamination required)
10,000 instructed to shelter-in-place in each city
100,000+ self-evacuate out of affected cities
Contamination Extensive
Economic Impact Billions of dollars
Potential for Multiple Events Yes
Recovery Timeline Months

Scenario General Description


Anthrax is a disease caused by Bacillus anthracis. There are three types of this disease:
cutaneous anthrax, gastrointestinal anthrax, and inhalational anthrax. Anthrax spores
delivered by aerosol spray result in inhalational anthrax, which develops when the
bacterial spores are inhaled into the lungs. A progressive infection follows. This scenario
describes a single aerosol anthrax attack in one city, but does not exclude the possibility
of multiple attacks in disparate cities or time-phased attacks (i.e., “reload”).

This scenario is similar to one used by the Anthrax Modeling Working Group convened
by the Department of Health and Human Services (HHS). It is based on findings from the
N-Process Project conducted under an interagency agreement between the Centers for
Disease Control and Prevention (CDC) including the Strategic National Stockpile (SNS);
and Sandia National Laboratory (SNL), Albuquerque, New Mexico.

UA Operatives and Group Profile

UA Group Profile

For a detailed profile of the Texas Independent Movement, please see the Domestic Right
Wing group profiles package in the UA threat category package (pages 120-121, 130-
134).

Texas Independence Movement (TIM)

UA Operatives
Stan Holton: operation leader, Command Cell
Steve Jenkins: leader, Cell One, targeting, reconnaissance, surveillance

Scenario 2: Biological Attack – Aerosol Anthrax 2-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Joe Nieder: Cell One, targeting, reconnaissance, surveillance


Robert Leddel: Cell One, targeting, reconnaissance, surveillance
Matt Detmer: leader, Cell Two, device construction and delivery
Shawn Peterson: Cell Two, device construction and delivery
Patrick O’Hare: Cell Two, device construction and delivery
Al Destra: Cell Two, biochemist
Ted Nicholas: leader, Cell Three, logistics
Bob Levee: Cell Two, logistics
Mark Bennett: Cell Two, logistics

Detailed Attack Scenario

After a 1998 plot to conduct biological weapons attacks was foiled, TIM’s main faction
publicly renounced the attackers to deflect criticism and openly focused on pursuing its
aims through political means. The group’s effort to generate a popular referendum for
independence failed to gain much attention. After years of trying, TIM’s leadership
concluded that the group’s political campaign had failed because the U.S. Government
and the State of Texas had used their powers to manipulate the people and the press
against them. Rather than admit defeat, the failure of the political campaign led TIM to
conclude that it could only succeed in liberating Texas if it bloodied the Federal
government, demonstrating to the people of Texas that the U.S. Government cannot
protect them from attacks.

TIM leader Dave Miles turned to Stan Holton, a former U.S. Special Forces officer who
had been developing potential attack plans for future use, to prepare to “shake up the
status quo.” Holton, who had little confidence in TIM efforts to achieve its aims through
the political process, had informally established and developed a team of trusted TIM
members, including several former members of the U.S. Armed Forces, to help him to
plan and, if ordered, conduct attacks. The group agrees to continue its overt political
campaign to ward off potential law enforcement attention.

Fascinated by the other TIM faction’s failed effort to develop a biological warfare
capability, Holton had established a relationship with Texas native Al Destra, a brilliant
but somewhat mentally unstable biochemist who quit his research position at the U.S.
Army Medical Research Institute for Infectious Diseases (USAMRIID) in Frederick,
Maryland, rather than be fired in the face of sexual harassment complaints filed against
him by two former co-workers. Holton helped Destra get back on his feet financially after
he returned to Texas, and—playing on Destra’s latent paranoia and anti-authoritarian
tendencies—helped Destra convince himself that his forced resignation from USAMRIID
was a result of a U.S. Government conspiracy against him.

After studying the impact of the terrorist attacks of September 11, 2001 (9-11) and the
successful anthrax-mailing terror campaign in the United States in late 2001, the TIM’s
leadership agreed to a plan put forward by Holton to use dried, powdered anthrax spores
in a delivery system using a modified hopper and fan mounted in the back of a specially
fitted flatbed truck. Holton’s plan was designed to take advantage of the biochemical

Scenario 2: Biological Attack – Aerosol Anthrax 2-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

skills of Destra. Although a few senior TIM officials were troubled by the indiscriminate
nature of the planned attack, Miles and most were convinced that an attack using
biological weapons of mass destruction would create the environment necessary to
undermine public confidence in and support for the U.S. Government. Miles directed
Holton to lead the operation, using his team and available resources to prepare the
ground.

The operational cells for this attack were formed from the most trusted and capable
members of Holton’s informal operations teams. Cell One, led by a former special forces
reconnaissance expert, Steve Jenkins, was responsible for target selection (with Holton’s
approval) and initial and ongoing surveillance and reconnaissance. Cell Two, led by Matt
Detmer, was assigned the task of building the anthrax dispersal device and launching the
attack. Destra, the biochemist, is also a member of Cell Two. Cell Three, led by Ted
Nicholas, is responsible for logistics, including the purchase of the equipment and
materials needed to prepare the attack device.

UA Execution Timeline
D-Day Minus 365 (D-365)
Cell One begins remote targeting to identify the target venues.

D-340
Cell Two operatives begin to design, develop, and train to employ the anthrax delivery
device during the operation. Destra and Holton begin working with contacts to obtain the
powdered anthrax necessary for the operation.

D-200
Cell Two operatives design, test, and refine their plans for building a dispersal
mechanism until they have a design that produces a steady stream of fine aerosol powder
for the anthrax spore release. The mechanism is designed to look like a small, domestic
chipper/shredder and will use components from other readily available farm and
household equipment that can be easily purchased and assembled in the United States.

D-187
Cell Two completes the dispersal mechanism design and passes requirements for
components to Holton, who passes them to Cell Three.

D-185
Cell Three begins acquiring equipment and components needed for the anthrax
development lab and the dispersal device.

D-175
\Jenkins, Joe Nieder, and Robert Leddel from Cell One complete their remote targeting
on U.S. cities, primarily using internet research. They have looked for areas with high
population density, low-rise buildings, and major road arteries. They also researched
prevalent wind directions and speed, rainfall patterns, and other natural barriers that will

Scenario 2: Biological Attack – Aerosol Anthrax 2-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

help or hinder a successful delivery. They identified five locations that met the criteria
and then passed their findings on to Holton.

D-160
After consulting with TIM leader Miles, Holton approves one of the locations and directs
Cell One to conduct onsite reconnaissance and surveillance.

D-145
1
Based on the targeting conducted by Cell One, and approved by Holton, Cell Three
locates and leases a safe workshop located near the selected location. Cell Three then
outfits the workshop with equipment and materials requested by Cell Two.

D-130
Cell Three operatives Nicholas, Bob Levee, and Mark Bennett return to their respective
originating points.

D-90
*
Destra, with assistance from international black market contacts developed by Holton,
identifies a potential source for the purchase of a large quantity of powdered anthrax.

D-60
*
Destra coordinates the shipment of 100 liters (approximately 6105 cubic inches) of
powdered anthrax purchased through a black market cut out from a military source in the
former Soviet Union. The anthrax is smuggled out of this area and into Western Europe
via Albanian human smuggling routes. Once in Western Europe, the anthrax is packed
into four separate heat-sealed, 4-millimeter plastic bags that are covered with carpet
remnants to form a cushion that exactly fits the anthrax bag. The packages appear to be
upholstered pillows that are part of a furniture set. The furniture set is part of an entire
household’s worth of goods that is sealed in a shipping container and sent by boat to the
U.S. port of Miami.

D-43
*
Destra takes delivery of the container contents and removes the “pillows,” transferring
them to the secure workshop and storing the vacuum-sealed anthrax in a refrigerator.

Destra also secures a sufficient supply of Cipro antibiotic to protect him and his three
teammates against anthrax exposure for the duration of the operation.

D-37
Jenkins, Nieder, and Leddel drive around City 1 (their chosen target location) at various
times of day to study traffic flow on road arteries upwind of the city center. Their
reconnaissance reveals that the ideal time to deliver the agent is just before the morning
rush hour, given lower traffic volumes and the fact that commuters will be arriving at the

1
This symbol denotes an I&W opportunity.

Scenario 2: Biological Attack – Aerosol Anthrax 2-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

city into the freshly released anthrax plume. They also monitor long-range weather
forecasts and study wind patterns over the planned release area.

D-31
Cell Two operatives—Matt Detmer, Patrick O’Hare, Shawn Peterson, and Destra—are
now in place and familiarizing themselves with the area. O’Hare and Peterson receive an
orientation briefing from Cell One.

D-30
Cell One operatives return to their respective points of origination, while O’Hare and
Peterson begin constructing the delivery mechanism using the materials acquired by Cell
Three.

D-25
O’Hare and Peterson drive the designated route at the target time of day in order to
understand and monitor traffic and weather patterns.

D-7
With a week to go, O’Hare and Peterson bolt the delivery mechanism (the disguised
chipper/shredder) onto the bed of a specially fitted tractor trailer that was acquired by
Cell Three. The mechanism comprises an enclosed hopper that feeds the anthrax at a
steady rate into a chamber that produces a vortex that vents out of a long, wide chute at
the top. Via a wire threaded through the truck, the device can be turned on from inside
the vehicle’s cab.

Hour Minus 4 (H-4)


O’Hare and Peterson wait until the weather forecast predicts winds of the right speed and
direction for maximum effect. On the first day that the forecast is favorable, the Cell Two
leader, Detmer, reconfirms with Holton that the operation is a go, and the team makes its
final preparations.

H-1
All four team members ride in the truck, with Detmer driving. O’Hare and Peterson
watch for law enforcement or other interference, and Destra mans the dispersal device.

Attack
Detmer drives the truck onto the designated route. O’Hare, Peterson, and Destra turn off
the air in the truck’s cab, close the windows, and turn on the delivery mechanism,
releasing enough anthrax to potentially, under perfect conditions, contaminate as many as
50 million people.

Scenario 2: Biological Attack – Aerosol Anthrax 2-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 3:

Biological Disease Outbreak —


Pandemic Influenza
Due to the fact that this scenario is a naturally occurring disease pandemic rather than a
terrorist attack, there is no additional detailed UA material. Refer to the National
Planning Scenarios core document for scenario detail.

Scenario 3: Biological Disease Outbreak – Pandemic Influenza 3-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 4:

Biological Attack ―
Plague
Casualties 9,553 fatalities; 28,383 illnesses; 37, 936
cumulative cases (fatalities and illnesses)
Infrastructure Damage None
Evacuations/Displaced Persons No evacuation required
Shelter in place
Quarantine given to certain highly affected areas
Possible large-scale self-evacuation from affected
communities
Contamination Lasts for hours
Economic Impact Millions of dollars
Potential for Multiple Events Yes
Recovery Timeline Weeks

Scenario General Description


After the terrorist attacks of 9-11, oil supply disruptions in Venezuela in 2002 and 2003,
and the U.S. armed intervention in Iraq in 2003, U.S. policy has increasingly emphasized
diversification of U.S. energy supplies, especially from sources outside the Persian Gulf.
According to Cambridge Energy Research Associates, between 2004 and 2010, West and
Central Africa (far closer to U.S. refining centers than the Middle East) will add 2 to 3
million barrels per day to world oil production. This will account for one in five new
barrels of oil-----i.e., fully 20% of new production capacity worldwide. This oil will be the
low sculpture, light product that U.S. refiners require. To meet projected rising U.S.
demand for natural gas, ample new and reliable external sources will also be required. If
projects currently under evaluation and development in Nigeria, Angola, and Equatorial
Guinea are brought to fruition in the next decade, they will increase West Africa’s
liquefaction capacity from 9 million to 30---40 million tons annually. (Current worldwide
capacity is 115 million tons annually.) The United States will also increasingly rely on
imports of refined products, such as gasoline, as U.S. refinery capacity fails to meet
1
growing demand. West and Central African refiners can help to fulfill these needs.

Since 9-11, U.S. counterterrorism concerns in West and Central Africa have jumped
significantly, resulting in heightened, evolving engagement in the region by U.S.
intelligence and military personnel. This shift has dramatically reversed the calculation
that was born in the immediate aftermath of the Cold War in the early 1990s in which
West and Central Africa mattered minimally to U.S. global security interests. Indeed,

1
Goldwyn, David L., and Morrison, J. Stephen, “Promoting Transparency in the African Oil Sector: A
Report of the CSIS Task Force on Rising U.S. Energy Stakes in Africa”, Center for Strategic and
International Studies, March 2004, p 4.

Scenario 4: Biological Attack – Plague 4-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

these venues are becoming priority zones in global counterterrorism efforts, as evidenced
most overtly by the recent, sudden projection south of the U.S. European Command.
Current threats and vulnerabilities in this region include: (1) indigenous militant Islamic
groups that are concentrated in Nigeria and neighboring states that are linked to
externally supported local madrassas (religious school); (2) the southern migration (from
Algeria and other North African venues) of terrorist movements, most notably the
Algerian Salafist Movement, which reportedly has established training bases in Mali and
Niger; (3) Lebanese trading communities, long-standing support networks for Hezbollah,
some of which are reportedly engaged in illicit diamond trafficking, money laundering,
and the movement of lethal material; and (4) a rising number of minimally protected
economic installations, especially in the energy sector, that are overtly tied to Western
2
corporate interests.

Just as it does in the Middle East, it is possible that oil will form the bedrock of the politics
of West Africa over the next few decades as the United States develops the region as an
alternative source to the Gulf. A key objective of a global insurgency inspired by the
radical Islamist group EZ is to deny the United States secure supplies of energy, thereby
posing a risk to the U.S. economy.

The expanding threat of international terrorism continues to affect U.S. foreign and
domestic security. Timing and target selection by terrorists can affect U.S. interests in
areas ranging from preservation of commerce to nuclear non-proliferation to the Middle
East peace process. Complex terrorist networks have developed their own sources of
financing, which range from Nongovernmental Organizations (NGOs) and charities to
illegal enterprises such as narcotics, extortion, and kidnapping. To challenge the West’s
conventional military superiority, there is an inexorable trend toward proliferation of
Weapons of Mass Destruction (WMDs) or the means to make them. There is concern
among policy makers that states designated by the U. S. State Department as sponsors of
terrorism—Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria—may have supplied
terrorists with WMD capability. Although there is a degree of uncertainty, the possibility
of covert transfers or leakages clearly exists.3

EZ, first designated a Foreign Terrorist Organization (FTO) by the U.S. State Department
in October 1999, is the inspiration for an increasingly violent global insurgency. EZ was
established by Yemen-born Alim Badi Al Zaman in the late 1980s. Al Zaman's
worldview was influenced by several renowned radical Islamist scholars who taught in
the Gulf States. His worldview was also significantly shaped by his experiences in
Afghanistan at the end of the Soviet-Afghan campaign. Al Zaman returned to
Afghanistan in the 1990s to manipulate civil disorder and establish a string of militant
training camps.

The infrastructure that EZ established during this time, which was primarily to recruit
Muslims to create Islamist states throughout the world, resulted in the growth of a global
movement that currently extends directly and indirectly into the following countries:

2
Ibid., p. 14.
3
Perl, Raphael, Congressional Research Service, “Terrorism and National Security: Issues and Trends,
Updated July 6, 2004.

Scenario 4: Biological Attack – Plague 4-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Algeria, Egypt, Turkey, Syria, Pakistan, Malaysia, Indonesia, Saudi Arabia, Yemen,
Chechnya, Somalia, Kashmir, Sudan, and Eritrea.

In addition to its core membership, EZ has successfully attracted the support of three
other groups of militant Islamists, including: groups fighting Islamic rulers believed to
have compromised Islamic ideals and interests; groups fighting against oppression and
repression of the Muslim population; and groups fighting regimes to establish their own
Islamic state. This wide-ranging support structure has enabled EZ to execute a terrorist
campaign on several fronts and inspire other militants to execute a terrorist campaign.
Furthermore, it allows the “network of networks” to employ a wide range of tactics, from
kidnapping and conventional attacks using Improvised Explosive Devices (IEDs) and
suicide bombers to unconventional attacks using chemical and biological weapons.

UA Operatives and Group Profiles

UA Group Profiles

For a detailed profile Mutaki’oun, Front Salafiste Pour La Liberation Des Terres Etranges
(FSLTE) and EZ, please see the GSJ group profiles package in the UA threat category
package (pages 1-22, 67-74, 52-59, 23-37).

Mutaki’oun
FSLTE
EZ

UA Operatives
Fatima Barakah: FSLTE biological weapons expert
Faisal Diya Amid “Al Hakam”: FSLTE chief of operations
Khatib ‘Adli: EZ operations coordinator
Ismail Al Muhaat: a local imam
Ali Waddab Bishr: Mutaki’oun communications
Zafir Hamal: Mutaki’oun tactical leader
Shihad bin Zaki: Mutaki’oun security
Yasir Raja Abdul: Mutaki’oun logistics

Detailed Attack Scenario


In response to increased U.S. military presence in Central and West Africa, EZ and
several of its African-based affiliated and inspired groups have developed a plan to
retaliate against the United States.

The scale of the attacks is planned to surpass that of 9-11. EZ will provide mission
support that will include: limited financial capital for weaponry, support networks in
place in the West, access to front companies, and recruitment of skilled weapons
technicians.

Scenario 4: Biological Attack – Plague 4-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

FSLTE, an Algerian-based terrorist organization loosely affiliated with EZ, will provide
tactical forces and weapons expertise for this operation. Under the leadership of Ahmed
Abdul Aziz (aka “Al Jundi”), the group aims to overthrow the secular government of
Algeria and establish an Islamist caliphate that adheres to the Salafist interpretation of
Islam. Although the group has denied issuing statements threatening attacks on U.S.
assets in Algeria, they are opposed to the U.S. presence in North and West Africa.
FSLTE was first designated an FTO by the U.S. State Department in March 2002.

FSLTE has recruited operatives among the disenfranchised and embittered. FSLTE has
particularly concentrated on recruiting from the criminal fraternity in prisons who have
turned to Islam through the work of radical Muslim clerics who are not necessarily
associated with FSLTE or any other noted militant group. Most of the funding for the
group's activities is acquired via criminal activities.

To successfully conduct clandestine operations in the West, EZ and FSLTE will rely on
Mutaki'oun, a loose network of American Islamic radical converts. These operatives were
largely recruited from the U.S. prison population through the work of radical clerics.
These individuals were almost all born in the United States, but many have traveled
extensively throughout the Middle East and Caucasus. Although they maintain a Western
lifestyle, they attend mosques where they have developed close relationships with other
militant Islamists. Most have undergone paramilitary training at camps overseas or at
“warrior training” camps in the United States.

Mutaki’oun operational cells—called Sutra teams—are oriented around protecting radical


clerics at the mosques frequented by these converts. Their training has made them highly
capable facilitators of terrorist operations through activities such as intelligence
collection, counter-surveillance expertise, weapons acquisition, money laundering, and
credit card fraud. However, their tactical skills are largely unproved.

Plague is a bacterium that causes a high mortality rate in untreated cases and has
epidemic potential. It is best known as the cause of Justinian’s plague (in the mid-6th
century) and the Black Death (in the mid-14th century), two pandemics that killed
millions. A third, lesser-known pandemic began in China in the late 1800s and spread to
all inhabited continents, causing nearly 30 million cases and more than 12 million deaths
from 1896 to 1930. This Modern Pandemic prompted an intensive multinational research
effort that resulted in the identification of the causative agent of plague (Yersinia pestis
[Y. pestis], a gram-negative bacterium) and conclusive evidence that rat fleas transmit the
disease to humans during epidemics. Later studies indicated that smaller numbers of
cases also arise as a result of persons being bitten by wild rodent fleas, handling infected
animals, or inhaling infectious respiratory droplets coughed by persons with plague
pneumonia. Others demonstrated that plague bacteria are maintained in nature through
transmission cycles involving wild rodent hosts and flea vectors. Armed with this
knowledge, public health workers designed and implemented prevention measures that
reduced the incidence and spread of plague in many regions.

Scenario 4: Biological Attack – Plague 4-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

UA Execution Timeline

D-Day Minus 400 (D-400)


Tribal areas, Pakistan
EZ releases a statement via its propaganda channels (including the magazine Al Battar,
which that receives wide distribution in North Africa and Western Europe). The
statement discusses the need to bring jihad to the door of coalition members of the U.S.-
led “War on Terrorism” as retribution for their continued abuses against Islam.

D-380
Mauritania, Africa
FSLTE command conducts initial attack planning with Faisal Diya Amid “Al Hakam”
(FSLTE chief of operations) present. Faced with increased counterterrorism activity in
Algeria, the command group meets in Mauritania.

D-375
Mauritania, Africa
FSLTE uses EZ communications channels to request operational support. Khatib ‘Adli
(EZ operations coordinator) returns a secure message to FSLTE to meet for further
discussion. In anticipation of receiving support from EZ to procure biological agents, Al
Hakam uses secure internal group communications to activate Fatima Barakah (FSLTE
biological weapons expert).

D-370
Johannesburg, South Africa
‘Adli and Al Hakam discuss operational details and how EZ could support the FSLTE-
initiated attacks. EZ agrees to facilitate access to biological agents.

D-362
Algiers, Algeria
1
FSLTE releases a statement via its new globally distributed internet publication. The
statement discusses the need to bring jihad to the doorsteps of the coalition members as
retribution for their continued abuses against Islam.

D-355
Mauritania, Africa (Wahhabi madrassa)
FSLTE decides to activate U.S.-based support cells to conduct local target surveys. Using
an encrypted message, the cells are given a timeline of operations and details for secure
communications channels to be used for this operation.

D-350
Karachi, Pakistan
Barakah receives Y. pestis seed stock from Europe and South America via airmail and
begins production.

1
This symbol denotes an I&W opportunity.

Scenario 4: Biological Attack – Plague 4-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-340
Al Hakam activates the Mutaki’oun support cell located in a large metropolitan city. Al
Hakam has established a relationship with the local radical imam Ismail Al Muhaat, who
preaches at a closed study group. Al Hakam asks Al Muhaat to deliver a message to Ali
Waddab Bishr (Mutaki’oun communications). The Mutaki’oun support cell is given
limited information apart from the type of support that is needed (e.g., rent a house,
obtain specific supplies, etc.).

Al Hakam also directly activates the operational cell of Mutaki’oun through his personal
ties to Zafir Hamal (Mutaki’oun tactical leader). The operational cell is given a targeting
package but no dates. Dates will be provided closer to D-Day.

D-310
*
Al Hakam forwards the targeting package to Hamal by posting it to a covert website.
After receiving the targeting package, Hamal is ordered to conduct more detailed
reconnaissance and surveillance and choose the most vulnerable symbolic targets. The
final list of targets will be re-posted on the covert website for Al Hakam to retrieve.

D-280
Karachi, Pakistan
*
Barakah completes production of the Y. pestis, freezes the culture, and departs Karachi
for Beirut, Lebanon, where she undergoes plastic surgery to alter her appearance.

D-212
Beirut, Lebanon
After successful plastic surgery, Barakah departs Beirut for a major U.S. airport, via
Madrid, Spain, using a commercial airline.

D-210
Barakah arrives at the airport, where she is met by Shihad bin Zaki (Mutaki’oun
security). Barakah is escorted to a safe house.

D-207
An FSLTE messenger arrives at the airport from Karachi, Pakistan via Madrid, where he
is met by bin Zaki. The messenger delivers 50% of the Y. pestis seed stock concealed in
the battery compartment of a cellular telephone.

D-200
Yasir Raja Abdul (Mutaki’oun logistics) and Barakah coordinate acquisition of lab
equipment.

D-182
An FSLTE messenger arrives at the airport from Karachi, Pakistan via Athens, Greece,
where he is met by bin Zaki. The messenger delivers the remaining 50% of the Y. pestis
seed stock concealed in the battery compartment of a second cellular telephone.

Scenario 4: Biological Attack – Plague 4-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-181
Barakah begins full-scale production of the Y. pestis culture.

D-180
Al Hakam arrives in the United States from London to oversee final production of Y.
pestis, and other operational preparations.

D-121
*
Abdul orders agricultural sprayers.

D-49
*
Abdul purchases three used Sport Utility Vehicles (SUVs) from private citizens, with
cash, at three different locations. They are stored in a warehouse until the agent is ready.

D-30
*
Mutaki’oun operatives begin rehearsing driving routes in their personal vehicles.

D-13
Barakah completes production of Y. pestis, and weaponization begins.

D-3
Barakah boards a commercial flight to Miami, Florida. Her plan is to leave Miami for
Brazil on a connecting flight.

Mutaki’oun operatives load the Y. pestis cultures into the sprayers and prepare for
deployment as planned.

D-2
Hamal, Fatih Yaman Ihsan, and Jibran Al Mash’al drive the three SUVs outfitted with the
dissemination devices toward the city and execute their mission.

D-1
The first victim of the biological attack, a 14-month-old girl, is admitted to a local
hospital.

D-Day
Three victims are admitted to area hospitals. One victim arrives by Emergency Medical
Services (EMS) and is coughing up blood.

One of the abandoned SUVs is discovered by local security in a local parking lot and is
reported to police. The agricultural sprayer is still in the SUV. The police quickly
determine that this vehicle is the same one involved in the earlier traffic stop and send
investigators to the scene.

A presumptive diagnosis of Y. pestis is established based on patient epidemiology,


laboratory results, and a laboratory analysis of a swab taken from the abandoned SUV.

Scenario 4: Biological Attack – Plague 4-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D+1
Investigation of the SUV leads to the discovery of the location of the biological weapon
production facility used by FSLTE and Mutaki’oun.

Investigation of the SUV leads to the discovery of the location of the Mutaki’oun safe
house.

A second abandoned SUV is discovered near the local airport.

D+1 to D+7
The first cases arrive in Emergency Rooms (ERs) approximately 36 hours after the release,
with rapid progression of symptoms and fatalities in untreated (or inappropriately treated)
patients. The rapidly escalating number of previously healthy persons with severe
respiratory symptoms quickly triggers alerts within hospitals and at the Department of
Public Health (DPH). Observed incubation periods vary significantly between individuals,
ranging from 1 to 6 days after exposure. It is estimated that the approximately 80 hospitals
in the major metropolitan area can make room for as many as 3,000 additional patients on
fairly short notice, with total capacity in the State exceeding 8,000 beds. It is not precisely
known how many patients requiring intensive care could be absorbed, but the number
would be significantly less than 3,000, possibly on the order of a couple of hundred. Bed
capacity in intensive care units could be increased fairly rapidly by temporarily lodging
patients with pneumonic plague in post-anesthesia care units.

The situation in the hospitals is complicated by the fact that the prodromal symptoms of
pneumonic plague are relatively non-specific and by the necessity of initiating
antimicrobial therapy rapidly once symptoms begin. It is expected that large numbers of
worried patients, including many with fever and upper respiratory symptoms, will crowd
ERs. Discriminating patients with pneumonic plague from those with more benign illnesses
requires the promulgation of clear-case definitions and guidance. Physician uncertainty
results in low thresholds for admission and administration of available countermeasures,
producing severe strains on commercially available supplies of Cipro and Doxycycline
(among other medications) and exacerbating the surge-capacity problem.

Pneumonic plague is transmissible from person-to-person, and the public wants to know
quickly if it is safe to remain in the city and surrounding regions. Given the large number of
persons initially exposed and the escalating nature of the epidemic, it is likely that Federal,
State and local public health officials will recommend a modified form of sheltering-in-
place or voluntary “snow day” restrictions as a self-protective measure for the general
public and as a way of facilitating the delivery of medical countermeasures and prophylaxis
to those at risk of contracting pneumonic plague. Some people may flee regardless of the
public health guidance provided. Support of critical infrastructure and the maintenance of
supply chains during this period pose significant logistical and human resource challenges.
The public may place pressure on pharmacies to dispense medical countermeasures
directly, particularly if there are delays in setting up official points of distribution. Public
health guidance must be provided in several languages. The number of visitors and
commuters at or passing through the metropolitan area’s airports, sports arena, and train
station on the morning of the attack complicates the identification of patients and
distribution of antibiotics. Cases present over a wide geographic area, and the timing of the

Scenario 4: Biological Attack – Plague 4-8


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

attacks is not discovered within a timeframe relevant to the provision of post-exposure


prophylaxis.

Scenario 4: Biological Attack – Plague 4-9


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 5:

Chemical Attack ―
Blister Agent
Casualties 150 fatalities; 70,000 hospitalizations
Infrastructure Damage Minimal
Evacuations/Displaced Persons More than 100,000 evacuated
15,000 seek shelter in immediate area
(decontamination required)
Contamination Structures affected
Economic Impact $500 million
Potential for Multiple Events Yes
Recovery Timeline Weeks; many long-term health affects

Scenario General Description


Agent Yellow, which is a mixture of the blister agents sulfur mustard and lewisite, is a
liquid with a garlic-like odor. Individuals who breathe this mixture may experience
damage to the respiratory system. Contact with the skin or eye can result in serious burns.
Lewisite or mustard-lewisite also can cause damage to bone marrow and blood vessels.
Exposure to high levels may be fatal.

In this scenario, the UA—represented by EZ, the Harakat Al Jihad Al Telameeth (HJT),
and an American Radical Islamic Convert (ARIC)—uses a light aircraft to spray
chemical agent Yellow into a packed college football stadium. The agent directly
contaminates the stadium and the immediate surrounding area and generates a downwind
vapor hazard. The attack causes a large number of casualties that require urgent and long-
term medical treatment, but few immediate fatalities occur.

UA Operatives and Group Profiles

UA Group Profiles

For detailed profiles of EZ and HJT please see the Global Salafist Jihad (GSJ) group
profiles section in the UA Threat Category package (pages 1-22, 23-37, 38-51).

UA Operatives
Mahmud bin Jihad: EZ, Central Command liaison
Azzem Houlam: EZ, intelligence and security, Operations Control Cell
Omar al Makh’un: EZ, operational planner and communications control, Operations
Control Cell
Salim Al Hakam: EZ, logistics, administration, finance

Scenario 5: Chemical Attack – Blister Agent 5-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Muhameed Al Fash: EZ, Tactical and Reconnaissance Cell


Mustafa Qawi: EZ, Tactical and Reconnaissance Cell, will construct and release weapon
Mohammed Abdul Nasser: ARIC, the pilot recruited for the attack
Dr. Nik Wal Husin: HJT, Indonesian cell weapons expert

Detailed Attack Scenario

In this scenario, EZ acquires the capabilities to coordinate and conduct a chemical attack
against the U.S. homeland with the help of an affiliated group, the HJT. The HJT is
geographically rooted in Southeast Asia. It shares EZ’s worldview and is focusing on the
establishment of a regional caliphate and the alleviation of local Muslim grievances.
Linked not only by an ideological compatibility, many social network links were
established through personal relationships in combat or training camps around the Islamic
world. HJT operatives are thought to have aided in the development of EZ’s bio-chemical
weapons program in Afghanistan.

Intelligence suggests that HJT is seeking to establish a more international presence and to
develop a repertoire outside Southeast Asia by intensifying cooperation with other
Islamic groups in other regions. Recent internal divisions and cellular degradation due to
critical arrests has prompted remaining HJT leadership to demonstrate the organization’s
continued lethality and relevance through its involvement in a “spectacular” attack.

After EZ seeks the organization’s assistance, HJT acquires the precursors for agent
Yellow (a 50/50 mixture of mustard and lewisite) from overseas sources. Dr. Nik Wal
Husin, an HJT chemical weapons specialist, mixes the agent and transfers it into a 55-
gallon stainless steel drum. The drum is over-packed into a 75-gallon drum partially filled
with absorbent material. The weapons expert tests the agent on several rats and concludes
that it is viable for use in future operations. The HJT agents transport the drum to a safe
house approximately 10 miles south of Jakarta, Indonesia.

EZ plans to use a light aircraft to spray agent Yellow into a large public event, one
preferably televised in the United States.

UA Execution Timeline

D-Day Minus 450 (D-450)


EZ members Azzem Houlam and Omar al Makh’un, based in Karachi, express their
desire to further participate in the jihad by attacking the far enemy at its core. Contacting
a known EZ Central Command liaison, Mahmud bin Jihad, Houlam and Makh’un seek
blessing for an “unconventional” operation on American soil.

Approval is given for a chemical attack against a large gathering. EZ Central Command
contacts an HJT chemical weapons expert to aid the operational cell in acquiring and
transporting the material. Operatives within the HJT have been involved in the research
and production of chemical weapons in EZ training camps in Afghanistan. Through their

Scenario 5: Chemical Attack – Blister Agent 5-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

network of contacts, the operatives will seek the precursor chemicals required to produce
a blister agent.

A chemical attack within the Continental United States (CONUS) is in-line with EZ and
HJT’s strategy, ideology, and philosophy of action. The EZ commander’s fatwa in 1996
underscores the fact that apostate regimes exist as a result of American support, and any
chance of toppling the “near-enemy” begins with the destruction of the “far-enemy.” The
selection of chemical weapons for the attack mode is indicative of a desire for a trend of
tactical progression, the dissemination of abject fear within American society, and pursuit
of high casualty figures.

D-440
Houlam and Makh’un travel to Central Sulawesi, via Jakarta, to meet with Husin. The
two EZ operatives discuss the operation. Husin suggests the use of agent Yellow due to
its lethality and his ability to acquire and ship the agent with minimal risk. The EZ cell
posits that Husin ship the chemical to a destination in America’s northwest, because the
two plan on entering CONUS via Canada with the assistance of a Canadian-based EZ
cell.

D-435
Makh’un and Houlam travel back to Pakistan to arrange travel to Canada.

Husin procures lewisite and mustard agents through contacts in the Philippines. He
locates a little more than 25-gallons of each and has the agents transferred via small boat
from Mindanao, through the Sulu Archipelago, to a HJT safe house in Sulawesi.

D-420
Husin fully develops and tests the 55-gallon batch of agent Yellow. He arranges for trans-
shipment across Kalimantan to Jakarta, where an HJT operative will transfer the chemical
into a legitimate shipment bound for the United States.
1
Using false Pakistani documentation and aliases, Makh’un and Houlam procure
legitimate visas to travel to Canada as tourists.

D-365
HJT arranges to ship the agent Yellow to the United States using a legitimate carrier and
a legitimate business source. Husin plans on including the agent Yellow in a larger
chemical shipment sent to a Philippine diaspora business with ties and sympathies to
HJT. The EZ operations cell in the United States will meet the shipment at the company’s
holding facility and remove the one barrel. The remainder of the legitimate shipment will
be distributed to actual clients to avoid suspicion.

D-320

1
This symbol denotes an I&W opportunity.

Scenario 5: Chemical Attack – Blister Agent 5-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

*
The Jakarta-based HJT operative, using shipping-industry contacts in Singapore,
includes a large shipment of chemicals—one drum of which includes the agent Yellow—
inside a crate en route to the United States and the HJT-linked distribution company.

Makh’un and Houlam leave Pakistan en route to Canada via London. Prior to their
departure, the two arrange the Operational Security (OPSEC) procedures for further
communication with EZ Central Command via bin Jihad in Karachi.

D-310
Two EZ operatives, Houlam and Makh’un, provide operation control for the attack. They
possess counterfeit passports, driver’s licenses (along with international driver’s permits),
and tourist visas. Houlam possesses a counterfeit Canadian passport, a driver’s license,
and a legitimate international driver’s permit, all of which use his alias and were obtained
through a Canadian-based EZ logistics cell. Makh’un possesses a counterfeit foreign
passport with a counterfeit temporary visa for pleasure (B-2, non-machine readable) and
a counterfeit Canadian driver’s license, all of which use his alias and were provided by a
Canadian-based EZ logistics cell.
*
Houlam and Makh’un enter the United States across the Canadian border in Port
Angeles, Washington, in a used sedan they purchased with cash in Canada. Houlam is the
intelligence and security agent for EZ in the United States, and Makh’un is the
operational planner and communications controller. They move from hotel to hotel,
paying with cash provided by the Canada-based logistics cell and smuggled into the
United States. They report via surreptitious communication channels to EZ Central
Command members in Pakistan.
*
Muhammed Al Fash, an EZ operative who is part of the tactical cell, is smuggled into
the United States. Once in the United States, a U.S.-based EZ logistics cell provides him
with a counterfeit foreign passport, academic student visa (F-1, non-machine readable,
for use in obtaining flight training), foreign driver’s license, and international driver’s
permit, all of which use his alias.
*
The EZ operative Mustafa Qawi comes into the United States legitimately on an
academic student visa (F-1, non-machine readable) to study chemistry at a local college.
He attends a few weeks of class. Shortly after his arrival, Qawi is provided with a
counterfeit passport and academic student visa (F-1, machine readable) from the U.S.-
based EZ logistics cell. He then obtains a State driver’s license from a State Department
of Motor Vehicles clerk who is sympathetic to EZ. Qawi is directed by Makh’un to
depart the college, and he joins the tactical cell.
*
With logistics cell help, tactical cell members rendezvous with Salim Al Hakam, an EZ
facilitator who has entered the United States on a legitimate immigrant visa. Al Hakam
holds a legitimate foreign passport and foreign driver’s license with an international
driver’s permit. He also possesses a counterfeit passport under an alias. He has rented a
house 40 miles from a municipal airpark, opened several checking accounts with funds
provided by a U.S.-based EZ logistics cell, obtained a State driver’s license, and

Scenario 5: Chemical Attack – Blister Agent 5-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

purchased a used minivan. The tactical cell bases its operations out of Al Hakam’s rented
house.

D-308
Operational control provides direction through the “draft messages” folder in a shared
commercial e-mail account. Houlam and Makh’un compose e-mail messages and save it
to the draft folder without sending the message. The team members sign into the account
and open the draft message, thereby avoiding actually sending the message and possibly
having it intercepted.

Using this dedicated e-mail account, Houlam directs Qawi to use his alias, Alif al Khan,
and go to a city 40 miles from the rental house to purchase a used sedan with cash
obtained from Al Hakam. In preparation for the operation, Al Hakam has been
withdrawing $300 from each of his accounts each week for the past 2 months. As al
Khan, Qawi registers the automobile using his counterfeit documents. Al Hakam deposits
$3,000 into his bank accounts once or twice each month with funds provided by the U.S.-
based logistics cell.

D-300
The tactical cell, under a directive from operational control, begins surveillance of
potential-target football stadiums in the region. Houlam provides a Global Positioning
System (GPS) device and targeting criteria to be followed during this phase. Tactical cell
members visit the home games of local-area university football teams over a period of 1
month, assessing security operations at each stadium.

D-270
Houlam selects specific targets for focused surveillance based on information from the
tactical cell on the size and number of home game fans for these facilities.
*
Canadian authorities place Houlam and Makh’un’s original aliases on a watch-list after
the expiration of their tourist visas. The Canadians notify the Americans.

D-265
*
University campus police become suspicious and stop Qawi and Al Fash after they
observe Al Fash taking digital photos of the empty football stadium. Both men have
counterfeit documents, and the car is registered to match Qawi’s alias. After questioning
the men, the police allow them to depart the campus.

D-260
*
The drum containing agent Yellow arrives at Port Angeles. The container, which was
shipped from a legitimate source and is one of more than 6,000 drums arriving in the
United States daily, passes easily through customs. Houlam contacts tactical cell
members to retrieve the container.

Houlam requests that Al Hakam, using his alias, purchase some basic safety equipment
for the tactical cell members to use during their handling of agent Yellow. The equipment
is purchased from a Hazardous Materials (HAZMAT) safety product wholesaler.

Scenario 5: Chemical Attack – Blister Agent 5-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-259
Qawi and Al Fash obtain the drum from the storage facility at the HJT-associated
business and transport the drum to Al Hakam’s house using Al Hakam’s van.

D-255
Qawi and Al Fash decide upon a target roughly 300 miles from the airpark—a large
college football stadium that seats up to 100,000 fans.

D-250
Houlam instructs Al Fash to identify an airstrip 300 miles northwest of their target
stadium for possible use after the attack. They plan to land at this airstrip after the attack.

D-200
Al Fash visits several mosques to recruit a pilot for the mission. He takes several
sightseeing tours in an attempt to recruit these pilots. Several candidates are identified
and placed under surveillance. Al Fash schedules regular sessions to determine a mission
pilot.

D-120
Al Fash successfully recruits a pilot, Mohammed Abdul Nasser, to fly the mission. The
pilot will not be provided all of the attack details until the flight takes off on the day of
the attack. However, from the time of recruitment onwards, Al Fash will handle Nasser,
further indoctrinating him to the Salafist philosophy of action necessary to carry out the
attack.

D-100
*
The local community college registrar reports to the Immigration and Naturalization
Service (INS) that Qawi has failed to remain on active status and is no longer enrolled in
classes. Qawi has been absent from coursework for 2 months. This triggers INS to put
Qawi on its watch list.

D-90
Dr. Husin has provided detailed weapon specifications and dispersal directions to
Makh’un. Makh’un provides Qawi with the necessary information he needs to carry out
his part of the attack.

D-80
*
Al Hakam purchases a Cessna 182S Skywagon and leases a hanger at an airpark.

D-60
*
Al Fash and Qawi search for an adequate aerosol spraying system at a local crop-dusting
operation 60 miles from their safe house. The business proprietor becomes very
inquisitive, and Al Fash and Qawi abruptly end the conversation and leave the business.
The proprietor contacts his county sheriff to report the contact, but does not have names
to provide to the sheriff officer.

Scenario 5: Chemical Attack – Blister Agent 5-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-56
As an alternative, Qawi identifies and purchases with cash an electrical, high-pressure
water sprayer, a mesh-covered hose, and quick connections for the hoses.

D-40
Al Fash conducts another reconnaissance operation at the target stadium. Once again, a
university campus police officer pulls him over after stadium maintenance workers report
a suspicious person walking around the empty stadium with what looked like a camera
and GPS device. Although this is not the same officer who stopped the EZ operative
months before, this officer also questions his interest in the stadium area. As before, Al
Fash provides counterfeit documents, and the car is registered to match Qawi’s alias.

D-30
Qawi conducts a midnight test of agent Yellow on two hairless rats he picked up at a pet
shop the previous day. He tests 25 milliliters on the rats with a handheld spray bottle.

D-29
*
Despite the use of some basic safety equipment, Qawi discovers blisters and intense
burning irritation on both forearms. The rats had died earlier in the morning, showing
obvious blistering and skin necrosis. Qawi, using his alias, looks for over-the-counter
burn ointment at a local pharmacy. The pharmacist notices the burns and blisters on
Qawi’s forearms and inquires as to what caused the burns. Qawi’s answer is inconsistent
with the injury type and location. The pharmacist gives Qawi a tube of over-the-counter
aloe lotion.

D-21
*
Nasser, at Al Fash’s request, flies the Cessna near the target stadium. Stadium
maintenance workers notify the campus police that a plane flew very close to the
stadium. Campus police contact the Federal Aviation Administration (FAA) and report
that a small plane seemed to make two passes close to the empty stadium—once over the
east section and once over the west section at 1300. EDT The stadium maintenance staff
did not see the aircraft’s identification number.

D-14
Al Fash and Qawi attend the season’s first home game and conduct a final reconnaissance
operation to assess updated security procedures, personnel, and equipment.

D-13
Makh’un, via Al Fash, directs Nasser to file a flight plan that will bring him within 10
miles of the stadium during the first half of the next home game (D-Day).

D-11
Al Hakam begins emptying his bank accounts and prepares to leave the country.

Scenario 5: Chemical Attack – Blister Agent 5-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-5
Al Fash prepositions a car at the landing airstrip that was chosen for the escape.

D-4
*
Local police check an abandoned car at the airpark (300 miles northwest of the target
stadium). The tags and registration are not wanted or stolen, and the car has a current,
valid listing in the State of its origin and is registered to al Khan, Qawi’s alias.

D-3
Makh’un provides the group with encrypted phones.

D-2
*
Al Hakam’s employer reports his unexplained absence from work to the INS. The INS
begins the process of investigating Al Hakam, which will likely lead to his placement on
its watch list.

D-1
Houlam provides the final mission plan, and briefs are conducted that detail everyone’s
roles.

D-Day 0430 Eastern Daylight Time (EDT)


With the help of Al Fash, Qawi installs the aerosol sprayer and loads the agent Yellow
onto the plane. Nasser is fully briefed as to the attack mode being used and is told that
Qawi will accompany him on the flight plan to release the agent Yellow over the target.

D-Day 1100
Qawi and Nasser take off from the airstrip. Al Fash begins his exfiltration in-line with the
cell’s plans.

D-Day 1300
Qawi releases the agent Yellow over the target.

D-Day 1500
Qawi and Nasser land at the pre-determined airstrip and get into the car to leave the
country.

Scenario 5: Chemical Attack – Blister Agent 5-8


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 6:

Chemical Attack ―
Toxic Industrial Chemicals
Casualties 350 fatalities; 1,000 hospitalizations
Infrastructure Damage 50% of structures in area of explosion
Evacuations/Displaced Persons 10,000 evacuated
1,000 seek shelter in safe areas
25,000 instructed to temporarily shelter-in-place as
plume moves across region
100,000 self-evacuate out of region
Contamination Yes
Economic Impact Billions of dollars
Potential for Multiple Events Yes
Recovery Timeline Months

Scenario General Description


In this scenario, terrorists from the UA represented by Fariqallah, a radical Shi’ite
Muslim group, conduct a standoff weapon attack on a POL refinery. At the same time,
multiple Vehicle-Borne Improvised Explosive Devices (VBIEDs) are detonated in a local
port, targeting the Coast Guard station, and two merchant vessels unloading at pier side.
Two of the ships contain flammable liquids or solids. Cobalt, nickel, molybdenum,
cadmium, mercury, vanadium, platinum, and other metals will be released in plumes
from their burning cargoes. One of the burning ships contains industrial chemicals
including isocyanides, nitrides, and epoxy resins. Casualties occur onsite due to explosive
blast and fragmentation, fire, and vapor/liquid exposure to Toxic Industrial Chemicals
(TICs). Downwind casualties occur due to vapor exposure.

UA Operatives and Group Profile

UA Group Profiles

For detailed profile of Fariqallah, please see the Global Salafist Jihad (GSJ) group
profiles section in the UA Threat Category package (pages 1-22, 181-186).

UA Operatives
Hassan Im Saheed: Fariqallah coordinator
Aziz Rahim: Operational Commander, VBIED driver #1
Sami Al Jijani: VBIED driver #2
Latif Mahdi: VBIED driver #3
Bilal Diya Khalil: VBIED, IED weaponeer; VBIED target spotter

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Mahmud Nusrah: leader, rocket launch team


Rafiq Sumrah: driver, rocket launch team
Abdul Id Sabur: explosives technician, rocket team forward observer
Nur Al Hasan: Logistics Support Cell, rocket team forward observer

UA Group Profile

Fariqallah—please see Group Profiles Annex.

Detailed Attack Scenario

Fariqallah has indicated that they are interested in attacking the United States, given the
political environment in the Middle East. Fariqallah does not see itself as an enemy of the
United States proper, but rather of U.S. policy in the Middle East. The group intends to
advance the Islamic Revolution and to destabilize the West through the promotion and
coordination of terrorist activities around the world. Fariqallah’s rhetoric suggests that
unconventional weapons might be used, even though the group’s tactical successes
continue to be achieved by conventional weapons.

Traveling undercover as a legitimate businessman, Hassan Im Saheed, a senior member


of Fariqallah’s Jihad Council, makes contact with several Fariqallah cells in Mexico and
the United States. Saheed visits cells in four cities, meets with each of their leaders,
provides funding, and establishes a communication plans with Fariqallah. In each city,
Saheed establishes a front company (Levant Imports, LLC); he puts the cell leaders on
payroll to launder operational funds and import weapons and IED components.

For nearly two years, these operational cells conduct surveillance of security in and
around ports and refineries. Target folders are updated and posted to covert Fariqallah
websites.

UA Execution Timeline

D-Day Minus 365 (D-365)


A 122-mm BM-21 multiple rocket launcher abandoned by the Iraqi Army is retrieved by
Fariqallah operatives. Working in a safe house in Syria, Abdul Id Sabur, a Fariqallah
explosives technician, separates the rockets and launching tubes from the ZIL truck on
which they were mounted. The multiple launch components are cut in half, making two
“pods” of 20 rockets and launch tubes. The resulting components, each weighing 3,850
pounds, are then placed in specially designed crates and labeled as an antique automobile
and a consignment of carved fireplace mantles.

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

*
The crates are forwarded to Fariqallah front companies in Tunisia and Morocco. From
Tunis and Morocco, the rocket pods are concealed within standard shipping containers
and forwarded to the Levant Import, LLC offices in City One and City Two.

D-330
The logistics support cell in City One leases a secluded ranch property that is a 1-hour
drive from the port of City One and its refinery facilities.

D-300
Fariqallah leadership identifies four operatives with clean records and legitimate traveling
documents. These four men then undergo artillery training in the Bekaa Valley. Working
on Fariqallah-controlled BM-21 Katyusha Rocket Launchers, the group practices welding
the rocket launch tubes onto the bed of a commercially purchased 1995 Ford F700 dump
truck. Live fire practice is undertaken to make sure the team can acquire and engage area
targets at the maximum range of the weapon, approximately 15,000 meters (9 statute
miles). Their practice includes the deployment of a forward observer and communication
between spotters and shooters so that fire may be adjusted on target.

D-270
The logistics support cell in City One leases a suitable safe house for the rocket launch
crew and the forward spotters.

D-270 to D-265
Launch crew and spotters arrive separately in the United States and travel to the safe
house.

D-260 to D-240
Fariqallah’s Jihad Council identifies four tactical teams, each consisting of three men, all
of whom have had extensive weapons training in overseas camps. Team members travel
separately to City One. The logistics support cell leases four separate houses, one for
each three-man team.

D-230 to D-200
*
The tactical teams arrange for firearms training in the United States following guidance
from a terrorist pamphlet titled Train Yourself for Jihad. The teams identify gun clubs,
paintball camps, and shooting ranges for training exercises. All weapons are purchased
legitimately at gun shows.
*
They also begin constructing IEDs for use in the attack. The explosives for the IEDs are
bought legitimately and shipped from South America via the Levant Imports, LLC,
warehouse in City Two. Levant Imports, LLC, uses cash to purchase a 1999 Toyota
Corolla, a 2000 Chevy Impala, and a 1996 Chevy Tahoe.

D-225

*
This symbol denotes and I&W opportunity.

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

The logistics support cell in City One identifies a truck dealership that will lease a used
1998 Ford F-700 dump truck. The truck is leased by Levant Imports, LLC. Also
purchased with cash are a 1992 International dump truck and a 1999 Peterbilt dump
truck. These vehicles are driven to the ranch adjacent to City One.

The logistics support cell in City Two leases a warehouse for receiving and storage of
weapons. It will hold weapons until delivery to the tactical team in City One. Cell
members also purchase the welding supplies needed to reassemble the rocket launchers.

D-223
*
The cargo containers concealing the rocket components arrive in City One. They are
transported by truck to the ranch/safe house outside City One.

D-200
*
The tactical teams train for the attack. They also travel to sites in Connecticut and
Pennsylvania for training. Members of the rocket launch teams enroll in driving courses
that will allow them to attain the Class Two driver’s licenses needed to drive the dump
trucks on public roads.

D-210
*
Tactical Teams in City One and City Two post their target reconnaissance packages on
the Fariqallah covert website.

D-190
Fariqallah Jihad Council approves attack plans against an oil refinery in City One, with a
nearly simultaneous VBIED attack against ships docked at City One’s port. D-Day is
established, and the tactical cells are authorized to proceed with the construction of three
large VBIEDs and the assembly and attachment of the Katyusha launchers to the F-700
dump truck.

D-180
*
The City Two warehouse receives a 1,000-pound shipment of military grade C-4,
blasting caps, and detonation cord from South America. As one of more than 6,000 cargo
containers arriving in the United States daily, the container passes easily through
customs.

D-90
*
Making small purchases of less than 200 pounds, tactical team members begin to
purchase high nitrate fertilizer and diesel fuel to formulate 1,000 pounds of Ammonium
Nitrate with Fuel Oil (ANFO). The ANFO is concocted and stored at the ranch in 55-
gallon plastic drums.

D-60
Working at the ranch, team members construct three dump truck VBIEDs, each
containing a 1,500-pound ANFO+C-4 shaped charge. The VBIEDs will be detonated pier

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

side against the hulls of merchant ships in City One’s port. Fabrication also continues on
the installation of the rocket launch tubes in the third dump truck. This completed
weapon will be able to fire 440 122-mm artillery rockets at a range of almost 9 statute
miles.

D-59
*
Aziz Rahim, the tactical leader, engages a sightseeing helicopter. He flies over an area
near the POL refinery in City One and takes numerous photos. He also photographs
parking lots, vacant lots, and building sites from which the rockets might be fired.

D-45 to D-39
The tactical teams begin arriving at the ranch near City One. The team members travel
alone or in pairs via roundtrip tickets purchased through an internet-based travel agency.
On arrival, they are met by Nur Al Hasan, a member of the logistics support cell in City
One, and driven directly to the ranch.
*
Rocket spotter teams identify two locations within sight of the POL refinery. They also
photograph the refinery from these spotting positions and assign code names to various
targets within the plant. Special attention is given to gasoline storage tanks and hydro
cracking towers.

D-35
Using the civilian vehicles, the rocket launch team members and VBIED drivers conduct
practice driving runs between the ranch and their operational areas.

D-27
The City Two logistics cell ships the weapons to the ranch outside City One via a
commercial rented truck.

D-20
Rahim makes final operational assignments:

Port attack:
VBIED driver #1: Aziz Rahim
VBIED driver #2: Sami Al Jijani
VBIED driver #3: Latif Mahdi
VBIED attack spotter: Bilal Diya Khalil

Rocket attack on POL Refinery:


Leader, rocket launch team: Mahmud Nusrah
Rocket launch vehicle driver: Rafiq Sumrah
Rocket team forward observer: Abdul Id Sabur
Rocket team forward observer: Nur Al Hasan

Rahim posts an operational update on a covert website, reporting that all is ready.

D-10

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Experts from the four assault teams test the initiation systems and timers for the VBIEDs.
Each vehicle bomb will be initiated by a command switch in the cab. An additional
detonator will be fixed to a cell phone and can be initiated by a spotter assigned to
witness the attack.

D-8
Using civilian vehicles, VBIED drivers and target spotters assigned to the port operation
practice driving routes and communication during dry runs. Practice runs are made
against two ship berths and the Port One City Coast Guard Station.

Using civilian vehicles, rocket launch team members and forward observers practice
deployment and test communications.

D-6
*
The support cell rents four SUVs, each from a different franchise, using fraudulent
identification and credit cards obtained from an out-of-State logistics support cell.

D-5
By encrypted e-mail, Saheed communicates to Rahim that Fariqallah Jihad Council has
approved attack plans. The operation is set to commence at 0800 EDT on D-Day. Saheed
provides target updates on port operation. Two merchant vessels, M/V Richard B Taylor
and M/V Pacific Conveyor, are identified for attack.

VBIEDs are checked, and a canvas tarp is fitted over the rocket launchers.

D-1
Al Hasan, along with the other spotters and observers, loads the rented SUVs with the
baggage and some supplies for the exfiltration of rocket launch teams, observers, and
spotters. Keys are distributed. The SUVs are parked adjacent to forward observer
positions and the position to be taken by the pier attack spotter.

D-Day 0800 EDT


The rocket launch team, forward observers, and VBIED drivers and spotters meet at the
ranch for final briefing.

D-Day 0900 EDT


The logistics support cell sanitizes the ranch, removing all information regarding the
attack.

D-Day 0910 EDT


Rahim drives VBIED #1, Al Jijani drives VBIED #2, and Mahdi drives VBIED #3.
Spotter Kalil follows in the Chevy Tahoe. The four vehicles drive toward the port of City
One.

D-Day 0950 EDT

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Sumrah and Nusrah drive the rocket launcher vehicle (camouflaged dump truck) toward a
firing position, a vacant lot 8 miles north of the City One POL refinery.

Sabur drives the Chevy Impala to a forward observer position a half mile east of the POL
facility. Al Hassan drives the Toyota Corolla to a second forward observer position half a
mile south of the POL refinery.

D-Day 1045 EDT


*
Sumrah and Nusrah arrive at the vacant lot and align the vehicle toward the refinery, 8
miles distant. Using binoculars, a compass, and a surveyor’s level, they take aim and
establish communication with the forward observers. Concealing the launch tubes under
the canvass tarp, they elevate them using the dump bed of the truck.

D-Day 1056 EDT


Using a cell phone walkie-talkie, Khalil, the VBIED spotter announces that he is in
position.

The rocket team forward observers, Sabur and Al Hasan, announce that they are in
position.

VBIED drivers #1, #2, and #3 announce their position one block away from the main
entrance to the port.

D-Day 1100 EDT


Rahim instructs all operatives to initiate the attack.

D-Day 1102 EDT


VBIED drivers #1, #2, and #3 break through the main gate of the port and head for their
specific targets. All reach their destinations with 3 minutes.

D-Day 1103 EDT


VBIED #1 detonates pier side of the M/V Richard B Taylor. The explosion smashes the
superstructure of the ship and sets its cargo afire.

D-Day 1104 EDT


VBIED #2 detonates pier side of the M/V Pacific Conveyor. The explosion creates a 10
by 20-foot hole in the ship’s hull and starts a major fire.

D-Day 1105 EDT


VBIED #3 is driven into the Coast Guard Station and detonated, destroying the building
and killing the 35 people inside.

The VBIEDs cause severe damage. Secondary explosions and fires occur onboard vessels
docked nearby and in containers stacked along the piers. The resulting plumes contain
HAZMAT, including cobalt, nickel, molybdenum, cadmium, mercury, vanadium, and
platinum.

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-Day 1106 EDT


Nusrah and Sumrah remove the tarp from the rocket tubes and fire two rockets toward the
POL refinery. The rockets’ impact at the north end of the refinery complex causes no
damage.

Forward observers Sabur and Hasan report the fall of the rounds. Sumrah adjusts the
elevation and fires two more rockets.

D-Day 1110 EDT


Two rockets strike near the center of the refinery, damaging a hydro cracking tower and
setting a gasoline storage tank on fire.

The forward observers report the fall of shot and order Nusrah to fire for effect. Nusrah
fires the truck’s remaining 36 rockets. They straddle the refinery, starting numerous fires
and damaging acres worth of equipment. The effect is cataclysmic. Refinery hydro
cracking and catalytic systems also catch fire.

Nusrah and Sumraah then depart from the vacant lot, head through a wooded area, and
climb into one of the prepositioned SUVs. They drive away from the city.

D-Day 1145 EDT


The spotters remain in position to observe the damage. At 1059 EDT, they abandon their
vehicles and meet at a prepositioned SUV. Sabur and Hasan drive from the city.

D-Day 1150 EDT


Kahlil watches the ships burning in port and then drives his car to the last prepositioned
SUV. He trades vehicles and drives from the city.

D-Day 1155 EDT to 1107 EDT


There is a large, heavy plume of smoke over most of the port area, including the
convention center and downtown business area. Casualties occur onsite due to explosive
blast and fragmentation, fire, and vapor/liquid exposure to the TICs. Downwind
casualties occur due to vapor exposure.

D-Day 1200 EDT


All operatives leave the city—Nusrah and Sumraah in SUV #1, Sabur and Hasan in SUV
#2, and Kahlil in SUV #3.

Scenario 6: Chemical Attack – Toxic Industrial Chemicals 6-8


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 7:

Chemical Attack ―
Nerve Agent
Casualties 5,700 fatalities (95% of building
occupants); 300 injuries
Infrastructure Damage Minimal, other than contamination
Evacuations/Displaced Persons Temporary shelter in place instructions
are given for 50,000 people in adjacent
buildings
Contamination Extensive
Economic Impact $300 million
Potential for Multiple Events Extensive
Recovery Timeline 3 to 4 months

Scenario General Description

Sarin is a human-made chemical warfare agent that is classified as a nerve agent. Nerve
agents are the most toxic and rapidly acting of the known chemical warfare agents. They
are similar to the pesticides called organophosphates (insect killers) in terms of how they
work and what kind of harmful effects they cause. However, nerve agents are much more
potent than organophosphate pesticides. Sarin is a clear, colorless, odorless, and tasteless
liquid in its pure form. However, it can evaporate into a vapor and spread into the
environment. Sarin is also known as GB.

In this scenario, the UA—represented primarily by HJT, as well as EZ and FSLTE—


releases sarin vapor into the ventilation systems of a large commercial office building in a
metropolitan area. The agent kills 95% of the people in the building and kills or sickens
many of the first responders. In addition, some of the agent exits through rooftop
ventilation stacks, creating a downwind hazard.

For a detailed profile of the relevant groups operating in this profile, please see the GSJ
Group Profiles in the UA Threat Category package.

UA Operatives and Group Profiles

UA Group Profiles

For detailed profiles of HJT, FSLTE and EZ, please see the Global Salafist Jihad (GSJ)
group profiles section in the UA Threat Category package (pages 1-22, 38-51, 52-59, 23-
37).

Scenario 7: Chemical Attack – Nerve Agent 7-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

HJT
FSLTE
EZ

UA Operatives
Dr. Nik Wal Husin: HJT, Indonesian cell weapons expert
Bucat Dunglao: HJT, Indonesian cell operations commander
Abidin Ujeng: HJT operative
Zubil Rahmat Sobari: HJT operative
Omar Musa Lee: HJT operative
Muhktar Kudama: HJT operative (Central Sulawesi commander)
Tariq Abu Raheem: FSLTE, chemical weapons expert (Libyan)
Azeem al-Mahdi: EZ operative
Azzam al-Husseini: FSLTE operative, U.S. cell operations commander/handler
Abdul al-Khataoui: imam, New York City mosque, HJT contact at the
Technical Institute of Malaysia (TIM)
Omar Sheikh Mohammed al-Mohammud: ideological leader, FSLTE

Detailed Attack Scenario

Increased military activity in the Near East and Southwest Asia, coupled with a perceived
cultural penetration into Muslim lands, has heightened Salafist Jihadi animosity toward
the United States. Concurrently, the unique regional grievances of the different
networks/organizations that comprise GSJ are driving suspicions that symbolic targets
will be attacked in the near future. Significant evidence indicates that EZ and several
affiliated groups may be planning attacks within or against the United States and its
interests. Operatives from EZ and affiliated groups have been involved in multiple,
worldwide terrorist attacks in response to the U.S.-led “War on Terrorism,” Middle East
policies, and perceived persecution of Muslims.

U.S. intelligence sources, in conjunction with friendly foreign governments, have noticed
increased communications between suspected HJT, FSLTE, and EZ operatives operating
in their respective regions. Additionally, the FBI New York office has been monitoring a
local mosque whose imam, Abdul al-Khataoui, is known for his radical preaching. The
FBI office was aware that al-Khataoui spent time in Europe prior to coming to the United
States and released a red flag through the Europol system. The French authorities
responded with information that al-Khataoui was a member of the student group La
Liberation de Chechnya (LLC) at the University of Louvain. The LLC was the same
group that FSLTE ideological leader Omar Sheikh Mohammed al-Mohammud led. This
group is known to the authorities for its vehement anti-American/Western outlook and
strong ties to EZ.

Recently, Indonesian authorities detained members of an HJT cell suspected of


committing the bombing of a Western embassy in Jakarta less than 1 year ago. The cell
leaders—Dr. Nik Wal Husin and Bucat Dunglao—remain at large, but intense
interrogation of captured cell members indicates HJT’s interest in WMD tactics and Dr.

Scenario 7: Chemical Attack – Nerve Agent 7-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Husin’s involvement in former EZ advanced weapons development in Afghanistan. Prior


to the arrests in Indonesia, Sudanese authorities detained five FSLTE operatives after
local authorities discovered they had produced a mustard agent derivative in a local
chemical manufacturing facility. The entire chemical agent was recovered and destroyed;
however, several operatives associated with the cell escaped. These individuals have
since been identified and are currently being monitored.

In this scenario, the UA as represented by HJT (with EZ and FSLTE operatives in


support) use sarin gas to attack a large metropolitan office building in the United States.
The chosen building is the global Headquarters (HQ) of MNC, a corporation with
extensive oversees operations in Muslim countries, particularly two industrial
mining/manufacturing complexes in the Southern Philippines and Indonesia. HJT
coordinates financing and tactical expertise via EZ intermediaries and FSLTE weapons
experts, respectively. HJT recruits three tactical operatives, two from a Malaysian
university and the third from a religious college in Indonesia. HJT, with assistance from
FSLTE, assembles dissemination devices; synthesizes the precursor chemicals in
Indonesia; tests the sarin gas; and transports the dispersion devices and the sarin
separately to EZ, HJT, and FSLTE operatives in the United States. The recruited HJT
operatives will infiltrate the United States. With operational Command and Control (C2)
from an EZ operative linked to the New York mosque, they execute the operation.

UA Execution Timeline

D-Day Minus 365 (D-365)


Since the re-eruption of inter-communal violence in Eastern Indonesia, HJT’s continuity
of operations has been disrupted. HJT members who view the targeting of Western
interests and non-combatants as detrimental to the creation of an Indonesian Islamic state
have focused their attention on local jihads and the Islamization of civil society.
Meanwhile, the established cells that targeted Western interests with large-scale terrorist
bombings (based predominantly in Malaysia, Singapore, and the Philippines) have been
degenerated due to arrests and a restrictive security environment in Malaysia and
Singapore. Husin and Dunglao, who fall in the latter category of HJT terrorists, decide to
form an ad-hoc network—drawing upon HJT contacts within EZ and the recruitment of
ideologically sympathetic operatives—to carry out a chemical attack against the United
States. They believe that HJT must reassert its commitment to the EZ targeting strategy
during this period of organizational chaos, re-constituting its support base within the
region by demonstrating that internal strategic divisions are not undermining the HJT’s
overall lethality and capability.

At this time, Husin and Dunglao contact Azeem al-Mahdi, an EZ operative of Yemeni
descent who is operating out of Peshawar and who Husin had met while working on EZ’s
weapons program in Afghanistan. Using a public telephone and an encoded language, the
HJT operatives indicate that they want al-Mahdi to travel to Central Sulawesi (Indonesia)
to meet with Husin and Dunglao to discuss a future operation.

Scenario 7: Chemical Attack – Nerve Agent 7-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Husin and Dunglao travel from Java to Central Sulawesi. The two remain relatively
inconspicuous considering the numerous jihadis traveling to the region to defend
Muslims during the recent spate of inter-communal violence.

D-360
Al-Mahdi arrives in Central Sulawesi and travels to the HJT safe house, where Husin and
Dunglao reside. Husin and Dunglao inform al-Mahdi of their desire to attack a Western
target in CONUS that is also a symbol of Western penetration into Southeast Asia. Husin
and Dunglao explain how HJT has not truly “internationalized” its struggle due to its
focus on Western targets of close geographic proximity in Indonesia, Malaysia, and
Singapore. The two HJT operatives desire an attack against the “far enemy” upon its own
soil. Toward this end, Husin and Dunglao wish to elicit the support of EZ via al-Mahdi.
The HJT leaders express their desire to execute a “spectacular” attack that will “strike
fear into the core of the American jahili (ignorant ones) society.”

It is decided that al-Mahdi will return to Pakistan to make arrangements with his EZ
commanders to channel funds to Indonesia and begin the planning phase of the operation.
He instructs Husin and Dunglao to locate a suitable facility within 100 miles of a major
metropolitan area (e.g., Jakarta) for the production and testing of chemical weapons and
the training of operatives in the use of the dissemination devices.

D-355
Husin and Dunglao travel via boat from Central Sulawesi to Tuban (Javanese coastal
town). They take a public bus to Jakarta, where they begin reconnaissance to find
possible safe house/warehouse facilities in the surrounding areas.

D-350
Using coded language decided upon during their last meeting, Dunglao contacts al-Mahdi
via public phone and transmits the coordinates of their warehouse, which is on the
outskirts of Bogor. Al-Mahdi indicates that his commanders have approved the transfer
of $50,000 to Husin and Dunglao. The money will be transferred via two channels so as
to hedge against the risk of interception. A total of $25,000 will be transferred from
Peshawar to Jakarta via the hawala (Islamic financial exchange) system, and the other
$25,000 will be couriered by a young Javanese student who has been on a 6-month
exchange at a madrassas in Peshawar. The student had been radicalized by EZ elements
while studying and is eager to assist in jihadi activities. He is instructed to leave the
money at a HJT-affiliated pesantren near Bogor and is kept in the dark regarding the
operation.

D-345
The first $25,000 arrives at the Jakarta hawala institution. Dunglao, using falsified
Indonesian identity documents, rents a warehouse outside Bogor and a safe house
(apartment) in Bogor. Al-Mahdi contacts FSLTE weapons expert Tariq Abu Raheem, an
EZ contact of Libyan descent and former scientist linked to Libyan military weapons
development. Al-Mahdi requests Raheem’s expertise regarding a large-scale operation

Scenario 7: Chemical Attack – Nerve Agent 7-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

involving chemical weapons and asks that he make immediate arrangements to travel to
Bogor and contact Husin and Dunglao.

D-335
1
After encoding the necessary research documents relating to the chemical synthesis and
dispersion devices, Raheem mails the documents to Jakarta so as not to risk their
interception during travel. He exists Libya across the Sudanese border and uses false
documentation to fly on a commercial airline to Ethiopia and then to Jakarta via
Bangkok.

D-331
Raheem arrives in Jakarta and collects his airmail documents from the person to whom he
mailed them.
*
Egyptian intelligence services contact Western intelligence services regarding the
disappearance of a Libyan chemical weapons expert who they were tracking and who
they believed was involved in jihadi activity.

Using virtual reconnaissance (e.g., the internet), Dunglao selects the MNC’s New York
HQ as a suitable target, because it serves as a symbol of American corporate power and
resides in an urban location. Attacking a building in this location will result in the high
death toll that HJT seeks. Furthermore, MNC has extensive operations in Southeast Asia
and is viewed with disdain by the Muslim communities in which MNC operates. In this
regard, a successful attack will serve the HJT’s local and global aims.

D-330
Raheem makes contact with Husin and Dunglao.

Dunglao briefs Raheem on the target, desired tactic, and justification for the attack.

Raheem indicates that he possesses a contact, al-Khataoui, who is a radical imam in New
York with ties to the FSLTE and who has sympathies to the wider Salafist Jihadi
ideology. Considering the difficulty the three will have entering the United States, they
decide that al-Khataoui should be able to provide the cell with an operative already based
in the New York area who can aid with logistics and oversee planning/operations once
the HJT operatives, who have yet to be recruited, infiltrate the United States.

Husin and Raheem begin to share ideas regarding the type of chemical agent and
dispersal method to be used. Raheem decodes his documents and shares his expertise
with Husin.

D-325

1
This symbol denotes an I&W opportunity.

Scenario 7: Chemical Attack – Nerve Agent 7-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

*
Husin makes contact with an HJT front company to begin procuring the precursor
chemicals for sarin gas.

Dunglao begins the process of recruiting three operatives to execute the mission.
Working in conjunction with the FSLTE contact already in the United States, these three
men will be responsible for the weapons’ dispersal. As such, Husin and Raheem instruct
Dunglao to concentrate his recruiting efforts at the region’s technical schools to ensure
that at least two of the operatives can reassemble the dispersal device from its component
parts. Furthermore, it is decided that the three operatives should not be members of HJT
or any other jihadi organizations, as they must have clean records to ensure their entry
into the United States.

D-320
Dunglao attends the usroh (informal Islamic teaching) session of an HJT-affiliated kyai
(religious teacher) outside of Solo.

D-318
Dunglao re-attends that same usroh group and, in consultation with the HJT-affiliated
kyai, selects Abidin Ujeng as a potential operative for the New York attack. The kyai
suggests that Ujeng meet privately with Dunglao to pursue more advanced Islamic
studies.
*
Husin and Raheem are informed that five of the six pre-cursor chemicals (alcohol,
isopropyl amine, thionyl chloride, hydrogen fluoride, and pyridine) can be procured
through an HJT front company, but the remaining chemical (dimethyl
methylphosphonate) cannot. Husin instructs the HJT operative to purchase the available
chemicals and additional laboratory hardware, including an air-tight testing hood and
chemical safety equipment.
*
Raheem decides to use his remaining contacts in the Libyan military to procure the
dimethyl methylphosphonate, shipping it in a secure container via maritime freight from
Libya to Jakarta.

D-300
After a few weeks of regular meetings, Dunglao decides that Ujeng is an ideal candidate
for incorporation into the operation and is in no doubt of his devotion to Islam. Dunglao
invites Ujeng to study at a pesantren in Central Sulawesi with an HJT member and local
inter-communal insurgent leader Muhktar Kudama. Kudama is instructed to slowly
expose Ujeng to more radical teachings and train Ujeng alongside the insurgent factions
already engaged in the anti-Christian violence in Sulawesi.
*
The first five pre-cursor chemicals arrive at the HJT front company. Husin transports
them back to the cell’s warehouse/laboratory.

D-290
By boat, Dunglao crosses into Malaysia and contacts Husin’s former colleague who is a
professor at TIM. He articulates his need for two graduate students who have expressed

Scenario 7: Chemical Attack – Nerve Agent 7-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

interest in the jihad and who exhibit ideological sympathies to organizations such as HJT
and EZ. The professor names Zubil Rahmat Sobari and Omar Musa Lee as potential
candidates. Lee is pursuing his master’s degree in chemical engineering. Both Lee and
Sobari are members of the local Malaysian Islamic Youth Party (ISM) organization and
attend daily prayers at an ISM-affiliated mosque in Kuala Lumpur.

D-285
After an ISM meeting, Dunglao approaches Lee and Sobari portraying himself as a
recruiter for one of the many Islamic charity organizations engaged in Jihadist support
activities in Ambon and Poso (Sulawesi, Indonesia). He arranges for them to travel to
Central Sulawesi to the same pesantren where Dunglao had sent Ujeng to partake in
advanced Islamic study courses and aid the Muslim communities engaged in the
violence.

D-270
The remaining pre-cursor chemical arrives from Raheem’s military contact in Libya. The
six chemicals are divided, secured, and stored. Husin and Raheem begin the synthesis
process by first creating the dichloromethylphosphonate to later be added with hydrogen
fluoride to create DF.

D-250
A month after the arrival of Lee and Sobari, Dunglao instructs Kudama to expose the
three HJT operatives to low-level conflict situations and task them to carry out courier
and reconnaissance missions. These tests will assess their ability to cope with stress and
teach them to better understand the focus necessary to operate in a hostile environment.
*
Dunglao begins to make preparations for the operatives’ infiltration into the United
States by inquiring about student visas for the two TIM students and an Islamic education
exchange for Ujeng. With assistance from Husin’s former colleague, Dunglao arranges
for Lee and Sobari to further their graduate research at a university in the target city.
Dunglao makes sure that Ujeng applies for temporary worker status so that he can
financially support his Islamic exchange; however, Dunglao’s true motivation is to ensure
that one cell member can gain employment legally in the United States if the operational
need arises.

D-235
Husin and Raheem successfully test a very small amount of the nerve agent with the
dispersion device created by Raheem.

D-230
The three HJT operatives are brought to the safe house in Indonesia. They are fully
briefed on the identity of Dunglao and Husin, and the two are asked to swear bayat
(allegiance) to HJT, its principles, and its imprisoned leader Agus Kasan.

Raheem, via his imam contact al-Khataoui, contacts Azzam al-Husseini (FSLTE U.S.
operative) and briefs him regarding the operational necessities for the housing, securing,
and storing of the sarin once it has been transported into the United States. Al-Husseini is

Scenario 7: Chemical Attack – Nerve Agent 7-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

instructed to obtain false identification, rent a safe house, secure transportation, and
procure any additional materials that may be needed. Al-Husseini uses his real identity to
rent the safe house but uses his false identity to procure a vehicle.
*
Using the network of ideologically sympathetic members of al-Khataoui’s mosque, al-
Husseini makes contact with an employee of the Department of Motor Vehicles who
provides al-Husseini with an in-State driver’s license using falsified information.

D-170
Sobari and Lee are taught how to assemble and disassemble the dispersion devices.

D-165
Sobari and Lee are instructed how to secure, transport, and load the sarin into the
dispersion devices.

D-150
Considering that sarin is of a comparable weight to textile dye, the cell opts to ship the
sarin on a cargo vessel packed inside a container that is supposedly comprised of 40
airtight 10-gallon canisters of dye, one of which will be substituted with a drum of sarin.
This methodology will defend against weight discrepancy interdiction methods.
*
Dunglao travels via boat to Malaysia with the sarin in tow. Through the use of an HJT-
affiliated company near the Malaysian/Singaporean border, he includes the sarin in a
textile dye container (drum) within a larger, legitimate cargo shipment bound for New
York via a Singaporean shipping company. The container’s destination is “Global
Petrochemicals Incorporated (GPI),” a chemical distribution company which is in fact a
nascent EZ front company based in New Jersey. Dunglao arranges for the container to be
met by al-Husseini at its destination point in New York after it has cleared customs but
prior to distribution. Once the sarin canister is removed, the remaining dye will be
distributed to commercial vendors so as not to arouse any suspicions.

D-145
Sobari and Lee return home to Malaysia and make final arrangements with their
professor (Husin’s former colleague) to travel to the United States on student visas under
the auspices of continuing their graduate research at a U.S. institution.

D-135
The dispersion device is disassembled into three, seemingly innocuous component parts
that are shipped via private-sector airmail to a P.O. box established by al-Husseini using
false documentation. The dispersion device will be attached to an 8-gallon container yet
to be procured in the United States by the HJT cell.

D-125
Sobari and Lee arrive in the United States using their student visas. They use their real
identities to secure a 1-year lease on an apartment that is outside the city in northern New
Jersey and has access to public transportation to the city and the MNC corporate HQ.

Scenario 7: Chemical Attack – Nerve Agent 7-8


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-123
Two of the three airmail packages arrive at the P.O. box. The third package is apparently
lost—potentially intercepted—making it impossible to assemble the dispersion device.
As a precaution, al-Husseini cancels his P.O. box account and destroys his fake driver’s
license used to establish the account. He ditches his vehicle and purchases another using
his real identity.

Al-Husseini begins to search for alternative dispersion options.

Al-Husseini purchases four pay-as-you-go cell phones to allow for intra-cell


communication.

D-122
Sobari and Lee register with their host academic institution. They provide their accurate
names and address. The two “students” register for the minimum number of credits and
make no attempt to socialize with people in their exchange program.

D-120
*
The sarin gas arrives at New York’s main port, inside one of thousands of containers
entering the port each day. Not showing any discrepancy when weighed, the container
and its contents bypass customs without a problem. Al-Husseini retrieves the canister of
sarin from the EZ front company’s storage facility in New Jersey in a van purchased by
al-Husseini. Al-Husseini drives the sarin to the safe house that he has rented in a
moderately remote section of southern New Jersey.

D-115
*
Al-Husseini picks up Ujeng, who has arrived in New York under the auspices of an
Islamic education exchange with a New York mosque. He has obtained a 6-month visa
with temporary worker status, thus allowing him to pursue part-time employment. Ujeng
rents an apartment (using his real name) in downtown New York with money provided
by the HJT cell in Indonesia.

D-110 to D -100
*
Sobari and Lee travel into the city to engage in initial Reconnaissance and Surveillance
(R&S) of the MNC HQ. The cell members record basic perimeter guard information,
exterior access points with security protocols, the names of companies that provide
various services the building (e.g., cleaning or catering services), etc.
*
Al-Husseini, dressed in business casual attire, further probes the security procedures and
layout of the building. After walking into the lobby as if he were an employee, al-
Husseini uses a stairwell access door (visible from the lobby) to walk to the building’s
basement level (one flight above the underground parking garage) where he notices a
large, locked maintenance room. Al-Husseini is approached by a building security guard.
In response to questioning, he tells the guard that he is lost and is looking for a public
bathroom.

Scenario 7: Chemical Attack – Nerve Agent 7-9


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-105
After the R&S is conducted, al-Husseini determines that access to the building’s central
ventilation system, believed to be in the locked maintenance room, will not be possible
without placing an operative on the inside. Ujeng, using his temporary worker status,
applies for a part-time job with the cleaning company used by the MNC HQ. He uses his
valid documentation and provides his recently rented apartment as his address.

D-80
Ujeng gains employment with the cleaning company. He requests two graveyard shifts
per week, each of which ends roughly around the same time that most MNC employees
enter the building. His job provides him with access to almost all areas of the building,
including all exterior entrances, exits, and maintenance rooms (which include the
ventilation system).

D-60
*
Lee, using his educational exchange with the New York institution, orders eight 1-gallon
commercially available dispersion devices (e.g., “Sure Shot” aerosol canisters) under the
auspices of the institution’s chemistry department. The cell plans to use these devices as
an alternative to the dispersion device developed by Raheem.

D-50
*
Records of Lee’s procurement raise flags within the university. Because of Lee’s
procurement, combined with fact that he has attended so few classes, the university sends
a letter to Lee and Sobari’s apartment indicating that the administration has contacted the
students’ host institution due to Lee’s attendance record and lack of demonstrated
research.

D-40
*
The dispersion devices arrive at the university chemistry lab. Lee transfers the dispersion
devices to the southern New Jersey safe house. Lee and Sobari test the dispersion devices
under the chemical hood.

In the wake of increased questioning on the part of the university, Lee and Sobari
abandon their apartment and reside with al-Husseini in southern New Jersey.

D-30
In accordance with Raheem’s training in Indonesia, Lee and Sobari develop time-delay
mechanisms for the commercial dispersion devices.

D-7
*
The cell attempts a rehearsal of the attack. Without loading the sarin into the dispersion
devices, al-Husseini drives Sobari and Lee from the southern New Jersey safe house at
0500 EDT (to account for traffic) and drops them off at the back entrance of the MNC
HQ. Ujeng will meet them that at this location at the end of his shift (0800 EDT). Ujeng
ensures that he will be able to pass Sobari and Lee through a backdoor entrance without
being noticed.

Scenario 7: Chemical Attack – Nerve Agent 7-10


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-1
Sobari and Lee undergo a final test of the sarin dispersion devices and the timers. They
transfer the sarin into the eight dispersion devices. The cell uses an excessive number of
devices in case one or many of the dispersion devices are not effective.

Hour Minus 4 (H-4)


The morning of the attack, al-Husseini, Sobari, and Lee load the dispersion devices into
three large backpacks and drive from the New Jersey safe house to the MNC HQ.

H-1
Sobari and Lee arrive at the back entrance of the building, where Ujeng meets them and
walks them to the maintenance room where the ventilation system is housed. The three
carry the dispersion devices into the building’s maintenance room. Sobari and Lee set the
timer delays for one-half hour later. They then leave the building, meet al-Husseini
around the block, and head back to the safe house.

Attack
The time-delay devices work effectively, and the sarin gas is dispersed into the building’s
ventilation system over a 15-minute period.

Scenario 7: Chemical Attack – Nerve Agent 7-11


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 8:

Chemical Attack ―
Chlorine Tank Explosion
Casualties 17,500 fatalities; 10,000 severe injuries; 100,000
hospitalizations
Infrastructure Damage In immediate explosions areas and metal corrosion
in areas of heavy exposure
Evacuations/Displaced Persons 100,000 instructed to temporarily shelter-in-place
as plume moves across region
50,000 evacuated to shelters in safe areas
500,000 self-evacuate out of region
Contamination Primarily at explosion site and if waterways are
impacted
Economic Impact Millions of dollars
Potential for Multiple Events Yes
Recovery Timeline Weeks

Scenario General Description


Chlorine gas is poisonous and can be pressurized and cooled to change it into a liquid
form so that it can be shipped and stored. When released, it quickly turns into a gas and
stays close to the ground and spreads rapidly. Chlorine gas is yellow-green in color and
although not flammable alone, it can react explosively or form explosive compounds with
other chemicals such as turpentine or ammonia.

In this scenario, the UA―represented by the Texas Independence Movement (TIM), a


white supremacy organization―infiltrates an industrial facility that stores a large quantity
of chlorine gas (liquefied under pressure). Using a homemade high explosive, UA
ruptures a storage tank manway, releasing a large quantity of chlorine gas downwind of
the site. Secondary devices are set to impact first responders.

UA Operatives and Group Profile

UA Group Profile

For a detailed profile of TIM, please see the group profiles section in the UA Threat
Category package (pages 120-129).

TIM

Scenario 8: Chemical Attack – Chlorine Tank Explosion 8-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

UA Operatives
Thomas Jameson: commander, local TIM unit
Kevin Wilkins: intelligence officer, local TIM unit
John Simpson: pilot, logistics, local TIM unit
Jim Miller: weapons, IEDs, TIM
Jeff Crichton: tactics, TIM
Scott Anderson: tactics, TIM
Rob Harrison: tactics, TIM
Steve Rodgers: tactics, TIM

Detailed Attack Scenario

TIM leadership, incensed by what it perceives as the increasing political influence of


non-white minorities in the United States, has increased its rhetoric and encouraged its
units to undertake direct action. DHS and Department of Justice (DOJ) officials are
presently focused on Muslim terrorists, allowing domestic right-wing radicals to
consolidate their activity free from focused counterterrorism efforts. Over the past 3
years, there has been a noticeable increase in membership in such groups nationwide.

Under the charismatic leadership of former attorney Bruce Nellville, the TIM has
emerged as the most dynamic organization on the radical right. Preaching a combination
of “citizens’ rights” and white supremacy, Neville advocates “phantom cells” as the best
organizational structure for domestic right-wing groups. The phantom cells, with 1 to 12
members, are encouraged to act alone, with no communication with the movement
leadership or other cells. The phantom cells operate independently of each other and
never report to a central leadership for direction or instruction.

Inspired by Neville’s rhetoric, Thomas Jameson, the leader of a local TIM unit, begins to
plan a “spectacular operation,” intended to spark a “Race War” and an apocalyptic
confrontation with the U.S. Government.

UA Execution Timeline

D-Day Minus 365 (D-365)


Jameson, the leader of a local TIM unit, and Kevin Wilkins, the TIM unit’s intelligence
officer, begin to research the companies in their city that use chlorine in their
manufacturing. They focus on locations near residential areas heavily populated with
minorities and narrow the search to two companies that use chlorine to produce their
products. Both production facilities are near minority residential areas.

D-360
1
Jameson and Wilkins conduct preliminary surveillance on the potential target
companies. They determine that Powell Industries, a manufacturing plant, would be the
optimal target because Powell stores chlorine in a 60,000-gallon tank next to the plant.

1
This symbol denotes an I&W opportunity.

Scenario 8: Chemical Attack – Chlorine Tank Explosion 8-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

The tank has very little security, and, although it is located in an industrial area, it is very
near a number of large, low-income, minority neighborhoods.

D-330
*
Jameson opens a bank account with deposited money orders received from TIM national
leadership.

D-300
*
Wilkins, through TIM connections, acquires stolen identity documents, including a
social security number and a counterfeit driver’s license. Using his alias, Wilkins buys a
used car, paying in cash. He rents an apartment near the target company in his assumed
name.

D-270
Wilkins gains employment under his alias as an unskilled laborer at Powell Industries.
For the next several months, he becomes familiar with the company’s facilities and its
operating procedures. He learns the security guards’ routines and observes the relaxed
security procedures.

D-210
Jameson enlists the help of John Simpson, a fellow TIM member and pilot. They rent a
small aircraft to fly Jameson over the target location and the adjacent neighborhoods. He
takes numerous aerial photos during the flight.

Simpson also handles logistics for the attack planning. He buys a van and rents an old
house with a large, two-car garage in a rundown neighborhood near the target for use as a
safe house.

D-180
*
While working after normal business hours at the company, Wilkins enters the
administration office’s file room and removes facility and chlorine tank drawings. That
night, he takes the drawings to a business copy store and has copies made. The next
evening, he returns the original drawings to the file room.

D-150
Jim Miller, an TIM member trained in demolitions and the construction of IEDs, arrives
from out of State. Jameson meets him at the airport and delivers him to the safe house.
Miller provides Simpson with a list of supplies necessary for the construction of several
IEDs. Simpson directs Jeff Crichton, Scott Anderson, Rob Harrison, and Steve Rodgers
to identify places to acquire explosives and related items.

D-145 to D-110
*
Crichton, Anderson, Harrison, and Rodgers attempt to purchase explosives from various
vendors.

Scenario 8: Chemical Attack – Chlorine Tank Explosion 8-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-100
*
Unsuccessful in acquiring explosives through legitimate vendors, Jameson arranges for a
drilling company employee and TIM sympathizer to facilitate a burglary of the
company’s explosives storage magazine.
*
Crichton, Anderson, Harrison, and Rodgers steal approximately 100 feet of detonating
cord, electric and non-electric blasting caps, and approximately 100 pounds of
Pentaerythritol Tetranitrate (PETN). Miller meets the burglars at Jameson’s farm and
transfers the stolen explosives to his van. He then drives to the rented safe house and
stores the explosives in the garage. He purchases timers, wiring, and other supplies from
a local electronics store and also buys nails and bolts for fragmentation.

Over the next 3 weeks, Miller constructs two 30-pound, shaped-charge IEDs from the
purloined high explosive. He also produces three anti-personnel IEDs. All of the devices
would be initiated by electronic timers.

D-90
Jameson makes his first false alarm call to 911, telling the operator that he heard an
explosion at Powell Industries. He waits nearby and times the fire department’s arrival,
observing how the firefighters approach the facility.

D-90 to D-30
*
Jameson makes similar calls in order to learn the fire department’s response pattern to
the target location. Jameson makes all his calls in the late evening between 2000 and
2300 EDT, the targeted attack time.

D-60
In an effort to test his explosive charge calculations, Miller finds an empty tank car on a
railway spur track in a remote area near another industrial area. He intends to test the rail
tank car, because the target chlorine tank has a similar shape and the same size manway.
*
After dark, Miller parks his van a distance from the spur and walks over to the tank car.
He attaches the shaped charge and sets the timer for 30 minutes, giving him time to clear
the area before the explosion. The next day, he returns to the vicinity and observes that
the charge successfully opened the manway.

D-45
Crichton, Anderson, Harrison, and Rodgers meet with Jameson and Wilkins and are
briefed on the operation plan. The members study the photos and sketches of the Powell
Industries manufacturing plant.

D-30
*
Wilkins begins working late some nights to establish a pattern, noticeable to second shift
workers, supervisors, and security. He intends this pattern to explain his late presence at
work on the day of the upcoming attack.

Scenario 8: Chemical Attack – Chlorine Tank Explosion 8-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-12
Miller takes the tactical team to Jameson’s farm so they can practice setting the explosive
charges and conduct target practice in the event that firearms need to be used in the
operation.

D-10
*
Miller accompanies the tactical team to another remote railway spur where he had
previously located another empty tank car. He waits in his van some distance away while
two of the team members approach the tank car on foot. They practice attaching the
shaped charge on the tank car’s manway and setting the timer.

D-10 to D-3
*
The tactical team members make several surveillance runs to the target location over the
next 2 days to rehearse driving routes

D-7
In his garage, Miller works to perfect the shaped charge and secondary IEDs.

D-5
Jameson checks the weather forecast via the internet to verify suitable weather conditions
for D-Day before finalizing the plans.

D-2
TIM members meet at Jameson’s farm for final planning and rehearsal. They arrange to
meet at Miller’s safe house the night of the attack.

D-Day, 0200 EDT


All of the subjects meet to go over the attack and escape plans.

D-Day, 0700 EDT


Wilkins goes to work as usual at the target company.

D-Day, 1200 EDT


Jameson advises the tactical team via cell phone that the weather will be suitable and that
they should proceed as planned.

D-Day, 1700 EDT


Miller and the tactical team load the explosives and necessary tools into the stolen van
and drive to a lot adjacent to the facility.

D-Day, 1915 EDT


*
Wilkins, working late, engages the security guard in conversation on his way out of the
facility gate. Rogers remains in the van, and three others approach the back of the facility
along the railway spur. They cut the bottom of the fence and crawl into the facility.
Crichton and Anderson proceed to the chlorine tank and attach the shaped charge to the
manway and set the timer for 30 minutes. Meanwhile, Harrison places the three IEDs in

Scenario 8: Chemical Attack – Chlorine Tank Explosion 8-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

different inconspicuous spots some distance away from the tank and sets the timers to go
off in sequences of 20, 30, and 40 minutes after the tank explodes.

D-Day, 1945 EDT


Wilkins finishes his conversation with the gate guard and leaves the premises.

D-Day, 2000 EDT


The three tactical members rendezvous at the stolen van and leave the vicinity just as the
initial explosion occurs.

The initial blast opens a 16-inch hole in the chlorine tank manway. The liquefied chlorine
surges from the tank, freezing everything it touches and quickly generating a large vapor
cloud of greenish-yellow gas. The security guard immediately notifies the control room;
fumes overcome him and he dies.

Control room personnel immediately report the situation to 911, initiate the plant’s
emergency response procedures, and direct the on-duty outside operator to investigate.
Control room monitors indicate the sudden loss of pressure in the chlorine tank. In quick
succession, the plant’s air monitoring systems begin to alarm, and a perimeter guard
reports a strong odor of chlorine in the air. There is no further word from either the guard
or the outside operator. Plant personnel evacuate upwind of the leak, and the control
room buttons up.

D-Day, 2010 EDT


The city HAZMAT team arrives and begins to investigate.

D-Day, 2015 EDT


The tactical team abandons the van in a parking lot several miles upwind from the target
location. They return to Miller’s rented house and flee in their respective vehicles. They
leave town using different routes.

D-Day, 2020 EDT


A battalion fire chief begins to set up incident command at the site, and the first fire
department units arrive. Just as the HAZMAT team is reporting back to incident
command, an IED explodes 15 feet from it. Casualties occur onsite from the explosive
blast and fragmentation. The battalion fire chief decides to withdraw the team and await
assistance from the bomb squad.

While this is occurring, the city/county 911 system begins to light up with numerous
reports—first a strong smell of chlorine and then reports of burning skin, eyes, and
difficulty breathing. Many people begin to self-evacuate from the area. The combination
of the outward flow of workers and residents, and the possible presence of secondary
devices, slows the response.

D-Day, 2030 EDT

Scenario 8: Chemical Attack – Chlorine Tank Explosion 8-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

The next device explodes. Downwind casualties occur due to vapor exposure over a large
area. However, due to the time of day, most people are indoors and effectively sheltered-
in-place.

D-Day, 2040 EDT


The final device explodes. Meanwhile, the entire contents of the tank vaporize.

D-Day, 2100 EDT


Miller and Wilkins meet at Jameson’s farm and watch the evening news reports of the
explosion. Miller makes reservations for a flight out of town the next day.

D-Day, 2300 EDT


The terrorist attack leads the late evening newscasts, along with instructions from the
city/county officials to shelter-in-place. Most people heed the instructions, but 1/10th
(70,000 people in all) of the downwind population ignores the advice and self-evacuates.

Scenario 8: Chemical Attack – Chlorine Tank Explosion 8-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 9:

Natural Disaster —
Major Earthquake
Due to the fact that this scenario is a naturally occurring disaster rather than a terrorist
attack, there is no additional detailed UA material. Refer to the National Planning
Scenarios core document for scenario detail.

Scenario 9: Natural Disaster – Major Earthquake 9-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 10:

Natural Disaster —
Major Hurricane
Due to the fact that this scenario is a naturally occurring disaster rather than a terrorist
attack, there is no additional detailed UA material. Refer to the National Planning
Scenarios core document for scenario detail.

Scenario 10: Natural Disaster – Major Hurricane 10-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 11:

Radiological Attack ―
Radiological Dispersal Devices
Casualties 180 fatalities; 270 injuries; 20,000 detectible
contaminations (at each site)
Infrastructure Damage Near the explosion
Evacuations/Displaced Persons 10,000 evacuated to shelters in safe areas
(decontamination required prior to entering
shelters)
25,000 in each city are given shelter-in-place
instructions
Hundreds of thousands self-evacuate from major
urban areas in anticipation of future attacks
Contamination 36 city blocks (at each site)
Economic Impact Up to billions of dollars
Potential for Multiple Events Yes
Recovery Timeline Months to years

Scenario General Description

In this scenario, the UA purchases stolen Cesium Chloride (CsCl) to make a Radiological
Dispersal Device (RDD), or “dirty bomb.” The explosive and the shielded Cesium-137
(137Cs) sources are smuggled into the country. Detonator cord is stolen from a mining
operation, and all other materials are obtained legally in the United States. Devices are
detonated in three separate, but regionally close, moderate-to-large cities.
137
Cs is mostly used in the form of CsCl because it is easy to precipitate. CsCl is a fairly
fine, light powder with a typical median particle size of about 300 microns. Fractions
below 10 microns are typically less than 1%. In an RDD, most will fall out within
approximately 1,000 to 2,000 feet (although many variables exist), but a small amount
may be carried great distances, even hundreds of miles.

UA Operatives and Group Profiles

UA Group Profiles

For detailed profiles of EZ and Independent Chechnya Forces, please see the Global
Salafist Jihad (GSJ) group profiles section in the UA Threat Category package (pages 1-
22, 23-57, 87-99).

EZ

Scenario 11: Radiological Attack – Radiological Dispersal Devices 11-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Independent Chechnya Forces

UA Operatives
Abdul Fattah Sutri: EZ operational commander
Ahmed Rafi Nimr: EZ weapons technician
Tariq Shawqi: leader, EZ Tactical Team One
Wahab El Ziyad: leader, EZ Tactical Team Two
Youssef Al Muhammud: leader, EZ Tactical Team Three

Detailed Attack Scenario

EZ wants to strike the United States to force the withdrawal of U.S. troops from
Afghanistan, Iraq, and the Arabian Peninsula. The group aims to establish Islamist states
throughout the world, overthrow “un-Islamic regimes,” and expel U.S. soldiers and
Western influences in regions from the Gulf to Southeast Asia. With the aid of a
prominent Islamist scholar, EZ was recently able to ideologically justify an attack with a
“dirty bomb” on U.S. soil.

The structure of the EZ network is similar to a series of concentric rings. At the center are
approximately 300 members who comprise the EZ organization. The second ring consists
of EZ-trained individuals who have returned to their respective regions and started their
own militant Islamist organizations or joined in others’ organizations. The final ring is
comprised of individuals who are inspired by EZ’s ideology, but have few, if any, links to
the organization.

Qatal aims to secure permanent independence for Chechnya by inflicting unacceptable


losses on Russia. Qatalists fall within the second ring of EZ. Qatalists want to strike the
United States to limit its “War on Terrorism,” which not only labels Qatal as a terrorist
organization, but also helps drive Russian intervention in Chechnya.

Qatalist strategy has evolved in response to changing Russian counterterrorism tactics.


Since 9-11, militants have increasingly relied on carefully planned hit-and-run tactics and
suicide operations against both civilian and military targets. Qatalist operatives are well
versed in sabotage and other insurgent activity. Factions within the group have become
more criminal in nature and are increasingly involved in smuggling.

Qatal is currently supplying EZ with black market contacts, one of which provided EZ
with Soviet radiological materials. Given the ideological background of the Qatal, it is
apparent that the group is simultaneously involved in promoting an ideological struggle,
as well as securing access to criminal activities such as smuggling. Increasingly, leaders
of Chechen militant groups espousing radical Islamic principles have noted their support
for attacks against U.S. targets.

EZ has arranged to purchase approximately 6,900 curies of CsCl, which came from three
Soviet seed irradiators obtained by Qatal. EZ plans to use the 137Cs to manufacture and
detonate dirty bombs in three U.S. cities. EZ already has a sleeper cell in the United

Scenario 11: Radiological Attack – Radiological Dispersal Devices 11-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

States to facilitate the attack. The group’s goal is a highly visible attack that will create
fatalities, fear, and social and economic disruption.

Scenario 11: Radiological Attack – Radiological Dispersal Devices 11-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

UA Execution Timeline

D-Day Minus 365 (D-365)


EZ acquires radiological material and several kilograms of PETN high explosives from
Qatal.

D-310
Abdul Fattah Sutri, a member of the sleeper cell in the United States, is named overall
commander of the operation. Also in the cell is Ahmed Rafi Nimr, a weapons technician.
All members of the cell are Western-educated Arabs who are legal residents in the United
States.

D-305
1
The operational cell discusses dirty bomb design and delivery. They agree on using a
truck bomb of radioactive material surrounded by a fuel oil/ammonium nitrate bomb,
primed with a timing device, fuse wire, and high explosive, and enhanced by
oxyacetylene. Sutri conveys this design decision to EZ weapons experts and asks about
the availability of the ingredients.

The cell begins acquiring large amounts of prilled ammonium nitrate (NH4NO3) in small
increments.

D-280
*
Cell members obtain fake identification to establish bank accounts and credit cards.

D-270
*
The cell establishes a bank account under Sutri’s assumed name with a deposit of
$8,000. Sutri continues to receive regular, relatively small transfers of funds into this
account from an account overseas.

D-250
The cell conducts online target analyses and identifies three, medium-sized U.S. cities in
close proximity. Factors used in identifying the cities include press coverage of terrorism
preparedness measures, size of police force in relation to population, ease of entry into
and exit out of the city, and availability of parking facilities near local downtown high-
profile targets. The targets chosen are the HQ of the principal business employer located
in the financial district of City One, the State courthouse in City Two, and the major
regional hospital in City Three.

D-220
*
Sutri rents a farmhouse with five acres in the outskirts of a city that is equidistant to each
of the three target cities.

1
This symbol denotes an I&W opportunity.

Scenario 11: Radiological Attack – Radiological Dispersal Devices 11-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Sutri visits an internet café to e-mail his EZ contact outside of the United States about
sending 137Cs in lead-shielded containers to the safe house. All e-mail traffic is coded.
Sutri also arranges for smuggling of the PETN high explosive into the United States.

D-210
*
Sutri visits the same internet café to receive an e-mail from EZ with the arrival details of
the shipment of 137Cs and PETN high explosive.

D-190
*
Nine men, members of the three tactical teams, arrive in the United States on separate
flights using counterfeit passports. They have sufficient cash to get them to the farm
house, where the sleeper cell is based. Each team congregates in its predesignated hotel.

D-186
*
The leader of each team visits the internet café closest to his residence to contact Sutri
about the teams’ safe arrivals and to receive details about the first meeting. Everyone
uses the same internet café for all subsequent communications.

D-184
Sutri meets the team leaders, Tariq Shawqi, Wahab El Ziyad, and Youssef Al
Muhammud, at a local amusement park to give them their fake identification, driver’s
licenses, and fraudulent credit cards.

Sutri meets with each team leader separately to provide details of their respective targets.
He also commissions each leader with developing intelligence and a tactical plan for his
target.

D-180
*
Shawqi, El Ziyad, and Al Muhammud buy used cars for transport before the attack,
using their fake identification and cash. The three tactical teams depart for their
respective target cities.

D-165
*
Shawqi, El Ziyad, and Al Muhammud each set up a bank account using their false
identification. They then e-mail the account details to Sutri from the internet café.

Sutri transfers less than $5,000 into their accounts.

D-150
*
The tactical teams develop target intelligence and a tactical plan of attack through
passive observation of the site from public spaces, such as coffee shops and restaurants.
They conduct surveillance separately to ensure that no single member spends too much
time in the vicinity of the target. They note parking availability near the buildings for the
truck bomb and scout locations to combine optimal structural damage with a vast spread
of radioactive materials. Sutri has advised them that setting off the truck bomb in a
congested area might restrict the radioactive plume and minimize the spread of

Scenario 11: Radiological Attack – Radiological Dispersal Devices 11-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

radioactive materials, but parking it too far from the target building will result in too little
structural damage to the building. This could reduce the psychological impact, as well as
reduce the radioactive contamination of the interior of the target building.

D-135
*
Nimr builds a test bomb that consists of a timer, detonator cord, and PETN high
explosive primer. In an abandoned rural mine in a neighboring State, Nimr tests the timer
and bomb without 137Cs, fuel oil explosive, or oxyacetylene. He experiences no problems
with the design or the test. Given the proven nature of ammonium nitrate/fuel oil-bomb
technology and the use of oxyacetylene as an enhancer, Nimr decides that there is no
need to test those technologies.

D-120
*
Several coded e-mails from Shawqi, El Ziyad, and Al Muhammud sent to Sutri express
concerns over the availability of parking spaces near the target buildings. Sutri suggests
that each team develop a plan for abandoning the truck bomb directly in front of the
target with suitable camouflage to delay attention to the vehicle. Sutri suggests delivery
trucks.

The shipment of 137Cs arrives at the port. The lead shielding used for shipping is
successful because port employees wearing radiation-detecting pagers pick up no
radiation.

D-100
*
The 137Cs in lead shielding is delivered to the three cities.

D-100 to D-80
*
Shawqi, El Ziyad, and Al Muhammud plan to use a delivery truck for the truck bomb.
Over the next 3 weeks, each team steals a car and abandons it outside of its respective
target building to observe the responses of the police, security force, and the public. The
cars are removed from all three locations in less than 15 minutes. Shawqi, El Ziyad, and
Al Muhammud conclude that this approach will work if the detonator is set on a short
time delay.

D-90
*
The courier with the smuggled PETN high explosive arrives in the United States and
uses yet another internet café to inform Sutri. Sutri arranges to receive the package at a
local interstate rest area.

D-75 to D-15
*
Nimr travels to each cell’s safe house to manufacture the bombs and train the teams in
detonation and handling.

Scenario 11: Radiological Attack – Radiological Dispersal Devices 11-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-3
*
The tactical teams each rent a white van with false identification and fraudulent credit
cards. The vans are repainted at the safe houses as delivery vehicles. The tactical team in
City Three steals an EMS vehicle several miles from the target.

D-2
The tactical teams install the bombs in the vehicles.

D-1
*
Shawqi, El Ziyad, and Al Muhammud rent escape cars using false identification and
fraudulent credit cards.

D-Day 1115 EDT


Tactical Team One drives the 3,000-pound truck bomb containing the 2,300 curies of
137
Cs to the downtown business district of City One.

D-Day 1230 EDT


Tactical Team Two and Tactical Team Three are en route to City Two and City Three.

Scenario 11: Radiological Attack – Radiological Dispersal Devices 11-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 12:

Explosives Attack ―
Bombing Using Improvised
Explosive Devices
Casualties 100 fatalities; 450 hospitalizations
Infrastructure Damage Structures affected by blast and fire
Evacuations/Displaced Persons Evacuation of immediate area around each
explosion results in approximately 5,000 people
seeking shelter in safe areas
Contamination None
Economic Impact Millions of dollars
Potential for Multiple Events Yes
Recovery Timeline Weeks to months

Scenario General Description

In this scenario, agents of the UA—represented by Al-Muhajiroun As-Salafiyya


Jihadiyya of the United States (MSJ-US) and Mutaki’oun—detonate suicide bombs
inside a sports arena and create a VBIED to be detonated in the parking lot outside the
arena. They also detonate an IED in an underground transportation concourse close to the
arena and detonate another VBIED at a local hospital.

UA Operatives and Group Profile

UA Group Profiles

For detailed profiles of MSJ-US and Mutaki’oun, please see the Global Salafist Jihad
(GSJ) group profiles section in the UA Threat Category package (pages 1-22, 75-86, 67-
74).

UA Operatives
Masun El Salman: local imam, strategic leader, MSJ-US
Awad Ghassan: mission commander, MSJ-US
Mustafa Wakil: targeting, reconnaissance, finance, leader, MSJ-US
Amin Al Farhad: logistics and supply, intelligence officer, MSJ-US
Omar Taymullah: weapons expert, MSJ-US
Abu Miyaz: suicide bomber (arena), MSJ-US
Ali Khan Utbah: suicide bomber (arena), MSJ-US
Sulaiman Muhdi: suicide bomber (arena), MSJ-US

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-1
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Abdul Fatih: tactical cell member (parking lot), MSJ-US


Basit Isa Mahir: tactical cell member (public transportation concourse), MSJ-US
Ghaffar al-Tijani: tactical cell member (ambulance), MSJ-US
Muhammed Alvarez: logistics assistance, Mutaki’oun

Detailed Attack Scenario

Al-Muhajiroun As-Salafiyya Jihadiyya (Salafi-Jihadi immigrants, abbreviated MSJ) is a


heterogeneous element of the GSJ comprised of Salafi Muslims who: (1) have relocated
to the West and advocate violent jihad against America and its Western allies, or Arab
regimes; and (2) sometimes seek to travel from the West to participate in combat against
“oppressors” of Muslims worldwide (e.g., countries such as India, Israel, Russia, etc.). In
so doing, they align themselves with Salafi-Jihadi networks that concomitantly purse
jihad against the United States and its allies. The MSJ-US cell is made up of Salafi
Muslims who have re-located to America and/or are the children of those immigrants.

The nature of the MSJ is concurrently domestic and international. This duality provides
synergy—whether logistical, operational, or ideological—for the multifaceted scope of
its ambitions and operations. MSJ operatives can make use of all of the advantages of
residency in the United States: knowledge of English and the American culture to create
operational space and protect against surveillance; the freedom of movement to travel and
train for jihad domestically; the ability to generate wealth (legally or illegally) to finance
operations; the freedom to travel overseas to liaise with international jihadi conspirators,
participate in combat, or receive religious instruction, often without obtaining visas; the
cover of the American legal system to protect against illegal searches; the ability to
recruit other American Muslims (immigrants or converts) for jihad inside and out of
CONUS; etc.

In this scenario, a tight-knit cell of 10 radical Muslim immigrants has coalesced around a
radical immigrant imam in a suburban community near a large urban center. Inspired by
his teachings and further radicalized by cell members with foreign jihad experience, the
MSJ-US cell embarks on an ambitious attack plan targeting a large sports complex in
addition to three other “secondary” targets designed to magnify the overall psychological
and physical impact. The attack is in-line with the cell’s philosophy of action, which
seeks high American casualty figures in accordance with the concept of strategic parity
and a desire to economically/psychically damage the United States to force its withdrawal
from the Muslim world, which would subsequently result in the toppling of apostate
Muslim regimes around the globe.

In addition to a complex logistical operation that includes the procurement of an


ambulance, safe house, storage facility, and large amounts of ammonium nitrate fertilizer,
the MSJ-US cell relies on a Mutaki’oun operative to procure the plastic explosives used
in the suicide vests and remotely detonated package bomb placed at the underground
public transportation concourse near the stadium. Mutaki’oun, as opposed to MSJ-US
operatives, are generally African or Hispanic Americans who convert to Islam and
become radicalized. Generally, Mutaki’oun operatives do not pursue jihad within the

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-2
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

United States to the same extent; however, they are a subsection of the GSJ and can be
conceptualized as being motivated in a similar fashion to the MSJ-US. Mutaki’oun are
often converted in jail, and as such maintain a strong network of criminal contacts who
can be relied on to procure logistical needs (e.g., weapons).

Inspired by the teachings of the imam and the ongoing operations in places such as
Afghanistan and Iraq, the MSJ-US cell leader Awad Ghassan tells two close associates—
Mustafa Wakil and Amin Al Farhad—about the idea of engaging in a large, coordinated
IED attack. The three seek tacit religious approval from Masun el Salman and begin the
process of target selection, recruitment, and logistical preparation.

UA Execution Timeline

D-Day Minus 365 (D-365)


Under the direction of Ghassan, Wakil (a naturalized American citizen) opens a bank
account at the central, downtown branch of a regional bank. Wakil uses his real name and
information. With some small contributions from cell leadership, startup funds are placed
into the account.

Ghassan approaches an immigrant contact from Pakistan—Omar Taymullah—who had


gained significant weapons expertise in Afghanistan and the early campaigns in Kashmir.
Ghassan briefs Taymullah on the desire to execute a coordinated IED attack against a soft
target in the downtown area.

D-350
Ghassan, in coordination with Wakil, Al Farhad, and Taymullah, begin to evaluate
targeting options that meet their two primary strategic goals: a high death toll and a target
of symbolic value. Among the targets discussed is the downtown sports stadium in
coordination with “secondary” targets such as first responders and stadium exits.

D-345
1
Wakil travels to the stadium to engage in some preliminary R&S. Having received
additional seed money from a small business owned by Al Farhad, Wakil purchases a
digital video camera, laptop computer, photo printer, and basic photo editing software.
Wakil observes the basic routine of the security personnel and takes footage of potential
“secondary” targets near the stadium. On the second day of his R&S, Wakil is
approached by a stadium security guard who questions why Wakil is videotaping outside
the stadium. Wakil explains that he is a tourist and a fan of the team that plays at the
stadium.

D-340
Wakil, Ghassan, Taymullah, and Al Farhad review Wakil’s R&S intelligence and
determine the initial set of targets, which are the interior of the stadium during an event,
the main parking lot of the stadium (designed to target individuals fleeing the stadium),

1
This symbol denotes an I&W opportunity.

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-3
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

and the EMS responder entrance/ambulance parking facility of the closest hospital. It is
decided that the attack mode will include two VBIEDs located at the hospital and the
parking lot in conjunction with three suicide attacks inside the stadium among the
crowds.

D-335
Al Farhad and Ghassan begin the process of recruiting the additional tactical cell
members among the MSJ-US network associated/connected to their mosque. Al Farhad
and Ghassan, after speaking with other radical mosque members and contacts, target
individuals who are known to have ideological sympathies with the GSJ.

D-300
Al Farhad approaches Muhammed Alvarez in an attempt to appeal to his radicalized
ideology in the procurement of between 40 and 50 pounds of plastic explosive (e.g., C4)
that will be used in the production of the suicide vests to be worn by the martyrdom
operatives. Al Farhad does not indicate what the explosives will be used for, saying only
that “with the grace of Allah, he [Al Farhad] will be able to resurrect the global ummah
[Muslim community] with his actions that are supported by Alvarez.” Al Farhad
convinces Alvarez to use his criminal contacts gained during his time in prison to procure
the necessary material.

D-270
Al Farhad and Ghassan finish recruiting of all of the cell members. However, the four
cell members aware of the entire plan do not mention the martyrdom component of the
operation until later. They will assess which tactical cell members would be most
willing/able to serve as martyrs; meanwhile, Ghassan further emboldens the new cell
members with tales of worldwide jihadist campaigns and the ongoing injustices
perpetrated by the United States and apostate regimes throughout the Muslim world.
Ghassan and the strategic-level cell members emphasize the honor and necessity of
martyrdom, emphasizing the teachings of traditional ideologues and their firebrand
imam’s statements.

D-250
*
Wakil and tactical cell member Basit Isa Mahir engage in further R&S of the target. The
two attend a sporting event at the stadium to gain intelligence on crowd patterns, areas of
congregation, visibility, internal security, etc. Virtual R&S on the stadium’s internet site
ensures that the pair needn’t take pictures inside the stadium. After leaving the game, the
pair notices the large number of fans who travel toward the underground Metro stop a
block and a half away. Following the crowd, the two take note of the train’s concourse
area and a series of locations where an IED might be placed and remotely detonated.

D-248
After discussing the matter with Ghassan, Wakil and Ghassan decide to add a target to
the coordinated attack. They plan on using a section of the plastic explosive (with added
shrapnel) acquired by Alvarez to place a backpack IED behind a ticket machine on the

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-4
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Metro concourse, which will be detonated by Mahir when a large segment of the crowd
flees the stadium and heads toward the Metro.

D-200
Using his real identity, Al Farhad rents a small house roughly 1 hour outside the city,
close to a former textile industry town that has lost its economic dynamism and has
become socio-economically underdeveloped.

D-180
*
Al Farhad and Taymullah meet Alvarez, who has acquired roughly 50 pounds of C4. At
the meeting, they ask Alvarez to use his criminal contacts to procure a fake driver’s
license and supporting documentation for Al Farhad.

Al Farhad and Taymullah store the C4 in the basement of the rented house.

D-150
*
Alvarez provides Al Farhad with his false documentation and driver’s license. Using
these items, Al Farhad rents a small warehouse space in the impoverished former
industrial community near the house that is being rented under Al Farhad’s real identity.
The warehouses to either side of the MSJ-US’s warehouse are unoccupied.

D-148
Taymullah transfers the C4 from the safe house basement to the warehouse.

D-145
Ghaffar al-Tijani, using money provided by Al Farhad, is instructed to purchase an
unmarked utility van and register the vehicle under his name. Al-Tijani is instructed to
keep the vehicle at his home until the ammonium nitrate is procured and the VBIEDs are
ready to be constructed.

Taymullah procures the other requisite materials (caps, “dead-man” switches, etc.) for the
production of three suicide vests and one IED “backpack” bomb to be used at the Metro
concourse. He begins designing the four devices that will include the plastic explosive.

D-140
Ghassan describes full operational details to the tactical-level members of the MSJ-US
cell, particularly his desired use of a fidayeen squad. At this point, through the use of
consistent ideological indoctrination on the part of strategy-level cell leadership, stories
of former jihadis recounting the honor of their fallen colleagues, etc., Ghassan et al have
selected three willing suicide operatives (Ali Khan Utbah, Sulaiman Muhdi, and Abdul
Fatih).

D-135
Wakil instructs the three suicide operatives to apply for credit cards using their real
identities. These cards are used to purchase further equipment. Cash advances are taken
out on the cards.

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-5
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-120
*
Wakil purchases a surplus ambulance at a vehicle auction in a city 10 miles away. He
stores it in the warehouse that has been rented by Al Farhad. He acquires markings and
decals to make the ambulance blend in with the other EMS vehicles at the hospital.

D-100
*
Ghassan instructs Al Farhad to test the three suicide operatives by having them transport
small illicit items (e.g., drugs, weapons) into the city and/or into semi-secure public
facilities.

D-85
*
Wakil surveys the parking arena outside the stadium to determine parking facility
security and optimal positioning to ensure high casualty figures among fleeing spectators.
Wakil, using the digital camera, approaches a delivery van that has an authentic stadium
parking pass and photographs it. Returning to the apartment, he uses commercially
available software, photo-quality printing paper, and adhesive to create a seemingly
identical parking pass to the ones used at the stadium. Using this pass on D-Day will
allow the operatives to place the parking-lot VBIED closer to the stadium without
garnering unnecessary attention.

D-75
*
Wakil and Al Farhad purchase 14 pay-as-you-go cell phones (seven each) to facilitate
intra-cellular communication, provide a remote detonation capability for the VBIEDs,
and allow for a detonation override capability for the strategic cell leaders in case any or
all of the martyrdom operatives decide not to detonate their vests inside the stadium.

D-50
Wakil purchases three tickets to a major sporting event in the arena for D-Day.

D-40
*
Al-Tijani is instructed to transfer the unmarked van from his apartment to the rented
warehouse in the industrial town. En route, al-Tijani is pulled over for making an illegal
turn. He shows the officer his driver’s license and receives a traffic citation.
*
He pays the fine at the courthouse the next day. He vacates his apartment and sells his
van. He mistakenly leaves behind some diagrams of the city sports arena and a list of
names. Al-Tijani moves into the safe house rented by Al Farhad outside the industrial
town.
*
Using the money from the sale of the first van and his false documentation, Al Farhad
purchases a second van and immediately transports it to the warehouse.

D-35
*
Using Alvarez’s contacts, Al Farhad pays two Mutaki’oun to hijack a truck filled with
ammonium nitrate fertilizer. Alvarez facilitates contact between Al Farhad and the two
operatives; he is not privy to their discussion or subsequent actions.

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-6
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

*
Taymullah and Fatih, using Fatih’s valid driver’s license, rent a large U-Haul truck.
They arrange to meet the two Mutaki’oun near the rural agricultural supply company
from which they stole the truckload of fertilizer. After the Mutaki’oun leave, Taymullah
and Fatih transfer the fertilizer into the U-Haul truck and then burn the stolen truck to
minimize the amount of potential forensic evidence.

They drive the U-Haul truck back to the warehouse, clean it out, and return it to the rental
store the same evening, paying in cash.

D-30
Al Tijani uses cash to purchase an Emergency Medical Technician (EMT) uniform from
a uniform company.
*
Cell members who were members of el Salman’s mosque stop attending regular prayers.
Cell members are instructed to “Westernize” their appearance by changing their clothes,
shaving their beards, etc.

D-25
Taymullah begins to construct the ammonium nitrate fertilizer bombs.

D-23
Ghassan gathers the operational team at the warehouse to rehearse the D-Day operation.

The two vehicles are substituted for normal cars owned by the cell members. Meanwhile,
the three suicide bombers attend a basketball game and ensure that they are comfortable
with the placement and timing of their suicide-vest detonation.

At the time of the fidayeen’s insertion into the stadium, the three other operatives
commence their segment of the rehearsed attack. They park or drop their respective IEDs
and locate a safe location with a clear line of sight from which to remotely detonate their
devices without resulting in personal injury. Ghassan, Al Farhad, and Wakil oversee the
various phases of the attack from a distance. Each will be outfitted with a cell phone that
can remotely detonate the suicide vests if any of the fidayeen operatives do not follow
through with the execution by the agreed upon time.

Insertion, parking, walking past the drop point of the backpack bomb, etc., are all carried
out successfully.

D-8
Taymullah begins to transfer the ammonium nitrate bombs into the two vehicles.
*
Taymullah and Wakil test the various plastic explosive devices on a smaller scale in a
remote, rural area.

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-7
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-Day 1300 EDT


The cell, excluding Ghassan, meets at the warehouse. The fidayeen are prepped with their
suicide devices, and final technical adjustments are made by Taymullah.

D-Day 1700
The suicide bombers (driven by Wakil and Al Farhad in two personal vehicles), the
explosive-laden ambulance, and the explosive-laden van all depart for the target.

D-Day 1900
*
The two vehicles park at their targets.
*
The fidayeen insert into the target.
*
The backpack explosive is dropped behind a ticket machine at the Metro concourse.

D-Day 1915
Operatives detonate the bombs at all four targets.

Scenario 12: Explosives Attack – Bombing Using Improvised Explosive Devices 12-8
National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 13:

Biological Attack ―
Food Contamination
Casualties 500 fatalities; 650 hospitalizations
Infrastructure Damage None
Evacuations/Displaced Persons None
Contamination Sites where contamination was dispersed
Economic Impact Millions of dollars
Potential for Multiple Events Yes
Recovery Timeline Weeks

Scenario General Description


The U.S. food industry has significantly increased its physical and personnel security
since 2001. A successful attack could still occur, however, if the UA was familiar with a
specific production site. In this scenario the UA—represented as a disgruntled
employee—uses his knowledge of the facility and careful planning to avoid apprehension
and conduct a serious attack on American citizens.

UA Profile

For a detailed profile of the lone actor operating in this scenario, please see the group
profiles section in the UA Threat Category package (pages148-151).

UA Operative

Name: Kevin Johnson


Alias: Kevin Kavanaugh
Date of Birth: May 27, 1974
Place of Birth: Sacramento, California
Nationality: American
Height: 5’ 8”
Weight: 160 pounds
Build: Thin
Hair: Black
Eyes: Blue
Complexion: Fair
Sex: Male

Scenario 13: Biological Attack – Food Contamination 13-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Occupation: Sanitation inspector at meat processing plant


Formal Education: High School Diploma
Military Training: U.S. Army, Bradley gunner
Background: Johnson was born in Sacramento, California, to native-born American
parents. He had two older sisters. His family was solid working class, living better
than paycheck to paycheck, but with little money for extras. His father often worked
double shifts, and his oldest sister often cared for Johnson until their mother got home
around dinnertime. His mother and father often argued about money.

Johnson performed adequately in school, although his teachers and neighbors thought
he was fairly bright. His maternal grandfather was an avid hunter and taught Johnson
how to shoot when he was 10. Johnson and several other boys started a rocket club
while in middle school, and would test launch their rockets in the California desert.
His resulting familiarity with chemicals and explosives proved useful in warning off
some of the bigger boys who picked on him by threatening to blow them up. Johnson
graduated from high school without distinction and enlisted in the Army right after
graduation, in 1992. By the time Johnson was 20, he had licenses for several firearms.

After he obtained his driver’s license, Johnson was often stopped for speeding. Other
than these citations, he had no record with law enforcement authorities in the several
States in which he is known to have lived.

Johnson took his basic training at Fort Jackson. He then moved on to Fort Riley for
specialized training as a Bradley gunner. He was an outstanding marksman, winning
national and international competitions. He was diligent in the care not only of his
Army weapons, but also his personnel armory, which continued to grow. While at
Fort Riley, he began frequenting gun shows during his time off and ultimately began
dealing in weapons under the alias Kevin Kavanaugh.

He also began to bring literature back from the gun shows to share with other
soldiers. Although much of it was about weaponry, Johnson was increasingly
enthralled with survivalism and fears that the Federal government was conspiring to
take away his right to own guns. Despite these views, Johnson desperately wanted to
join the Army’s Special Forces. After 36 months in the Army, he was invited to Fort
Bragg to try out.

His physical performance was impressive—he had spent weeks preparing himself—
but he fell short on the psychological tests and was rejected. Returning to Fort Riley,
Johnson’s attitude toward the Army became increasingly negative. He never
socialized much with other soldiers, but, as time went on, he became more sensitive
to slights and tended to isolate himself from personal contact. He was still an
outstanding gunner, but, at the end of his fourth year of service, he abruptly decided
to resign.

Returning to Sacramento, Johnson moved back in with his family and spent several
months focusing on his weapons collection and survival skills. Under pressure from

Scenario 13: Biological Attack – Food Contamination 13-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

his parents to contribute financially, he began looking for a job. Johnson believed that
his 4 years in the Army were the equivalent of a college degree, but potential
employers did not agree. From September 1996 to September 1997, he held a series
of intermittent menial jobs, and his discouragement and cynicism grew. In September
1997, he enrolled in a junior college, but dropped out after only a few weeks.

Throughout this period, Johnson was engrossed by the trial of John Kasich, the
Luddbomber. He was intrigued by Kasich’s expertise with explosives and his ability
to survive in rural Montana on only a few hundred dollars a year. Johnson also
incorporated elements of Kasich’s anti-industry views. Combined with his own
disappointments, these views fed Johnson’s growing sense that he was being treated
unfairly by the U.S. government and his fellow citizens.

Disillusioned with where his life was going, Johnson hit the road in 1998 for several
years as an itinerant low-level weapons dealer. There are a number of gaps in his
history during this period; he was traveling the gun show route and also engaging in
mail order sales, as both Kevin Johnson and Kevin Kavanaugh. He did not earn
much, and frequently relied on friends and acquaintances to provide living quarters or
meals.

In 2003, not long after he turned 30, Johnson returned to his family’s home, now
outside of Los Angeles. His parents were willing to put him up for a while, but made
it clear that they expected him first to contribute to the household’s upkeep, and
ultimately to move out. He took a job at Tucker Meat and appeared to be settling
down. After 6 months there, he applied for a job as a supervisor and was rejected in
favor of a Hispanic woman. Johnson decided to take action by threatening his own
supervisor and seeking radical ways to show his discontent with the way he was being
treated.

Scenario 13: Biological Attack – Food Contamination 13-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Detailed Attack Scenario

Johnson, increasingly frustrated with his circumstances and his inability to advance as he
believes he deserves, wants to conduct a strike against the society he holds responsible
for his alienation and mistreatment. Johnson believes American society has lost its
founding values of equality and freedom. He also believes that his actions need to have
more far-reaching impact than just against his company and co-workers.

Johnson is a slow-burning fuse based on a lifetime of disappointments. His parents came


to California from the Midwest to raise their family in a community with greater
opportunities. Both blue collar workers, they hoped their children would go to college
and become professionals. While his sisters followed this path, Johnson proved to be a
disinterested student with little ambition to continue beyond high school. He preferred his
car, his guns, and living by his wits to years of education. The Army enhanced many of
the skills he thought served him best. That belief was not borne out in his post-military
job hunt; few employers found his Army experience applicable to their needs.

Johnson was already involved with the gun and survivalist communities in the United
States; that involvement became more intense in the late 1990s and early 2000s. At the
same time, he incorporated elements of Kasich’s resentment of technology, industry, and
government to justify his own developing views. Although he depended on others at
various times for housing or food, he appears to have established no real continuous
interpersonal relationships.

He returned to California and took a sanitation job at a meat processing plant. Johnson
has been employed at the Tucker Meat Corporation in Los Angeles, California for the
past 18 months and is responsible for daily inspection of the main floor to ensure that the
sanitation process is maintained. He applied for a promotion after 6 months, but was
turned down. A Hispanic woman was given the job. He has tried to distribute anti-gun
control literature and other material from the gun circuit, but his co-workers have not
been receptive, so his relationship with them has been steadily deteriorating. Johnson met
inquiries into his proselytizing with angry mistrust. Johnson felt that he was being singled
out because of his commitment to freedom and because he was male and white. He now
finds himself increasingly alienated.

Johnson has been observing the facility to see where he could contaminate the meat to
have the greatest impact. He plans to contaminate the meat in order to infect as many
people as possible throughout the region.

UA Execution Timeline
D-Day Minus 365 (D-365)
Johnson and several of his co-workers at Tucker Meat Corporation become engaged in an
extremely disruptive and loud shouting match. When supervisors intervene, Johnson
states that he was defending himself against unprovoked harassment. He explains to his
supervisor the problem that he is faced with concerning his co-workers. Aware that there

Scenario 13: Biological Attack – Food Contamination 13-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

is tension resulting from their seemingly incompatible views, Johnson said that he tried to
explain what he believed and instead was faced with verbal abuse. He threatens to file an
official harassment complaint if such animosity continues.

Johnson becomes convinced that the people around him do not understand the threat to
their freedom and will not act by their own initiative; it will take an act of revolution to
inspire any changes within the current state of society. He believes that action needs to be
taken to alert the public to their danger and get American society back on course.

D-360
Johnson continues to bear the brunt of harassment from his co-workers. He is accused of
avoiding his duties, and he loudly complains that, as an American, he is entitled to free
speech and the right to bear arms. He becomes more convinced that only an act of revolt
can change the current social circles around him.

D-330
1
Johnson subscribes to a white supremacist newsletter that advocates direct action to
reestablish what it describes as the basic values of the original American patriots of 1775.

D-250
*
At work, Johnson is reprimanded again for arguing with co-workers, and he is
threatened with suspension. He files an official complaint against his co-workers and his
supervisor for their harassment, claiming his first amendment rights are being violated.
The supervisor notes that the complaint letter is emotional and angry, as well as vaguely
threatening.

D-245
Johnson writes to his oldest sister complaining of his treatment at work. Although more
successful than he, his sister shares many of his views about the government’s
suppression of freedom and the lack of opportunity for white men. Johnson tells her his
co-workers are becoming intolerable, and he asks for advice. She has little to offer
besides commiserating with him.

D-235
Johnson reads an article in the white supremacist newsletter about the 2001 anthrax
attacks and how many of the victims were African American.

D-215
*
Johnson contacts the author of the newsletter’s anthrax story, Ronald Butler, in search of
more information about how the attacks were carried out. In addition to information he
gleans from the conversation, Johnson is directed by Butler to a website that contains
every article written about the anthrax attacks, how they were perpetrated, and who might
have done it. He accesses the site at a local public library. Johnson is angry, but not yet
ready to act.

1
This symbol denotes an I&W opportunity.

Scenario 13: Biological Attack – Food Contamination 13-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-135
Johnson continues his contact with Butler and has also been reading about anthrax and
other potential biological weapons. Gradually, he is moving toward carrying out a pre-
planned act, rather than a hasty angry reaction. Johnson writes his sister that it will take a
crisis to force changes in the current state of society.

D-90
Johnson learns from a television report that a local university is participating in Bacillus
anthracis research.

D-80
As a result of his research, Johnson learns that there are three main routes of infection:
cutaneous, inhalation, and gastrointestinal, and that humans can become infected by
contact with contaminated animal products. He discovers that anthrax spores occur
naturally, but can also be grown in a laboratory. After spores were distributed through the
U.S. mail in 2001, people are afraid that the organism can be used as a bioterrorism
weapon. Johnson reads that it is even suspected that people are selling the substance on
the black market.

D-60
Johnson continues his research on the Internet. He finds the following on the CDC
website:

The intestinal disease form of anthrax may follow the consumption of


contaminated meat and is characterized by an acute inflammation of the intestinal
tract. Initial signs of nausea, loss of appetite, vomiting, and fever are followed by
abdominal pain, vomiting of blood, and severe diarrhea. Intestinal anthrax results
in death in 25% to 60% of cases.

Johnson decides that, if he is forced into a revolutionary act, meat infected with anthrax
would have the impact he wants. He finds articles about virulent strains that have been
produced by universities or nation-states; these substances are being studied as a
preventative measure against acts of bioterrorism.

D-45
Johnson begins to make observations about the plant’s security. The only requirement for
admission to the plant is a positive check of the photo identification card by a security
guard who knows every employee by face and does not seem to pay much attention to the
identification. Johnson believes that there is very inadequate surveillance of the “process
room” where ground meat is “chubbed” for retail packaging, as well as other areas of the
facility. He notes the lack of serious security personnel or adequate Closed Circuit
Television (CCTV) inside the plant’s processing areas. He knows that all of the other
workers have their meals together in the large break room. He is not invited or expected
in this room.

Scenario 13: Biological Attack – Food Contamination 13-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-30
Through a string of contacts provided by Butler, Johnson speaks with Charles Mathison,
a lab technician at the local university who shares Johnson’s views about the diminution
of freedom in the United States. The technician describes the labs and how he and his
colleagues handle the biological material they work with, including anthrax. He describes
the necessity of Personal Protective Equipment (PPE), such as a mask, goggles, butyl
gloves, and long clothing covered by a plastic rain suit, especially when the spores are
dry and readily aerosolized. He also describes the care necessary for handling the
substance when in liquid culture, and makes fun of other lab technicians who often prop
open lab doors in the winter when the heat is turned on too high.

D-25
Johnson walks around the university and tours the building where Mathison works. He
also notes the location of the lab and the lab’s security.

D-20
*
Johnson begins walking past the lab in the afternoons after work. He visits the university
bookstore and purchases items used by the lab technicians as described by Mathison. He
also purchases a spray mister.

D-10
*
Johnson and co-workers fight at work for the third time in a year. The supervisor
intervenes and tells Johnson to wait in his office while he talks to his co-workers. While
Johnson is waiting in the supervisor’s office, he grabs papers from the desk and shoves
them inside his shirt. When the supervisor returns and tells Johnson that he is to blame
for the disruption, Johnson pushes other papers from the desk so the supervisor won’t get
suspicious if he notices the missing documents. The supervisor feels threatened by
Johnson’s response and issues a 2-day suspension without pay. Johnson is furious. He
storms out of the plant and walks directly to the university to try to meet with Mathison.

Johnson tells him he is convinced that society is morally corrupt, and nothing will change
unless a revolutionary act forces people to pay attention to the damage that they are doing
to each other. He says he is going to find a way to make a difference. Mathison tells
Johnson to be patient and calm down.

D-9
*
Johnson’s regular visits near the lab concern one of the lab technicians. He confronts
Johnson, who explains that he walks the halls while waiting for his friend Mathison. He
then politely asks the technician about his classes and work. The technician, who is a
graduate student, explains that finals week is coming up, and people are frantically trying
to finish their work. The technician apologizes for stopping Johnson and tells him that he
and his colleagues are feeling stressed-out about finals.

D-8

Scenario 13: Biological Attack – Food Contamination 13-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Johnson continues his walks through the university and is becoming a familiar face in the
halls. He notices that the doors are propped open to the lab, but that there are several
technicians working in the room.

Johnson examines the papers he stole from the supervisor’s office. He finds among them
an order to have CCTV cameras installed throughout the facility and an upgrade to the
security monitoring system. The work is to begin in 10 days. Johnson believes that they
are installing the cameras to monitor his activities and decides to carry out his plan as
soon as possible.

D-7
Johnson returns to work and decides that he will conduct the attack as soon as he is able
to steal liquid anthrax from the university. He continues his daily walks through the
university, hoping for the lab door to be propped open so he will have an opportunity to
swipe the anthrax.

D-1
Johnson walks through the lab building and sees that the doors are propped open again.
He notes that most of the technicians, including Mathison and the technician who stopped
him a week ago, are down the hall in a classroom and seem to be in a group study
session. Taking advantage of the opportunity, Johnson enters the lab and steals
approximately 200 mL of liquid culture anthrax.

Johnson returns home and stashes the anthrax in the back of the family refrigerator.

D-Day 0600 Eastern Standard Time (EST)


Johnson arrives at work and shows his photo identification to the security guard. He is
carrying the tube with the liquid culture in his pocket. He goes to his locker and puts on
his work clothes, including his gloves and places the tube inside his work clothes

D-Day 1040 EST


As break time begins, Johnson is watching the floor preparing to determine the best time
to add the anthrax culture to his pre-determined sensitive point in the meat processing
facility.

D-Day 1045 EST


At the end of his shift most of the employees are out of the processing room for their
dinner break. When nobody is watching his actions, Johnson makes sure that his hands
are well covered by his hands and removes the tube and dumps the anthrax into the meat
being processed. From the point at which he adds the anthrax, the meat will be mixed,
packaged and boxed in master cartons for palletizing. That process is fully automated so
there is no human contact with the meat beyond this point. He is careful to make sure
that the liquid does not spill onto his person, closes the tube and carefully removes his
gloves turning them inside-out and putting the tube inside them. He puts on a clean pair
of gloves and leaves the floor to go to his locker.

D-Day 1046 EST

Scenario 13: Biological Attack – Food Contamination 13-8


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Johnson places the used gloves and the tube in a small, sealable plastic bag he brought
and throws it away in a dumpster outside. Johnson leaves the plant, hoping the effects
will be fully realized just prior to the upcoming holiday season.

Scenario 13: Biological Attack – Food Contamination 13-9


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 14:

Biological Attack ―
Foreign Animal Disease
(Foot-and-Mouth Disease)
Casualties None
Infrastructure Damage Huge loss of livestock
Evacuations/Displaced Persons None
Contamination None
Economic Impact Hundreds of millions of dollars
Potential for Multiple Events Yes
Recovery Timeline Months

Although this scenario depicts an intentional attack on the U.S. livestock industry, the
accidental importation of certain diseases is also a hazard.

Scenario General Description

Foot-and-Mouth Disease (FMD) is an acute infectious viral disease that causes blisters,
fever, and lameness in cloven-hoofed animals such as cattle and swine. Pregnant animals
often abort and dairy cattle may dry up. FMD spreads rapidly among such animals and
can be fatal in young animals. The disease is not considered a human threat.

In this scenario, European members of the UA—represented by Organization for Animal


Liberation (OAL), an extreme animal rights group—enter the United States and join
American members to survey large operations in the livestock industries. The UA targets
several locations for a coordinated bioterrorism attack on the agricultural industry.
Approximately 2 months later, UA teams enter the United States and infect farm animals
at specific locations.

UA Operatives and Group Profile

UA Group Profiles

For a detailed profile of OAL, please see the group profiles section in the UA Threat
Category package (pages 100-111).

UA Operatives
Chris Burke: operational coordinator, OAL
Michael Hudson: State laboratory worker, OAL Logistics Cell

Scenario 14: Biological Attack – Foreign Animal Disease 14-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Kate Wilson: leader, OAL Recon/Tactical Cell


Sam Thomkinson: veterinarian, OAL Recon/Tactical Cell
Christine Howard: State Department of Motor Vehicles employee, OAL Logistics Cell
Jim Thorton: OAL Recon/Tactical Cell

Detailed Attack Scenario

OAL is an extreme animal rights group with anarchist elements that advocates the
importance of nature regaining control of the economic and political order; therefore, it
concentrates on the importance of agricultural resources. The group has no specific
religious affiliation.

OAL has multiple stated objectives, which are as follows:

• Defend nature against the activities of the human race.


• Bring together all those fighting against the destruction of nature.
• Provide a united front against people’s efforts to control nature and its resources.
• Fight the new role of science in altering the natural process.

The group’s aim is to destroy various Genetically Modified (GM) crop fields and
livestock that are not allowed to breed naturally, but are enhanced artificially. OAL
considers weaponizing biological pathogens to destroy agricultural livestock a far easier
and more acceptable process than creating munitions to kill people.

Leading OAL figures in the United States have decided that it is the right time to
formulate plans to strike against the U.S. agricultural industry. After much internal debate
about the type of attack to conduct, they have decided on a biological attack against
livestock, in the form of FMD. Their rationale for selecting FMD stems from the very
clear economic and agricultural impact that the naturally occurring outbreak had in
Western Europe in 2002, along with the fact that FMD is not fatal to humans. The leaders
hope such an attack will have a multibillion dollar impact on the agricultural industry, as
well as negative economic effects on related industries, including transportation, food
preparation and packaging, restaurants, and grocery enterprises. FMD is extremely
contagious, so OAL leaders believe that an FMD attack against U.S. livestock will be
very easy to perpetrate. Having reached a consensus on conducting this type of attack,
U.S.-based OAL leaders have begun to plan the actual operation.

OAL is founded on a support and coordination network of largely autonomous cells,


using a variety of electronic communications. Its operations rely on local and regional
members’ initiatives. A core OAL group, led by Chris Burke, is always ready to provide
guidance and suggest potential targets, but all operations are conceived, planned,
organized, and conducted at the local level. This autonomy allows local cells to
potentially attract and retain large numbers of followers without other local cells knowing
about those operations or the relative cell size. Additionally, a centrally led operations

Scenario 14: Biological Attack – Foreign Animal Disease 14-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

unit is available to provide information, training, and methods of attack for local and
regional units.

For the planned attack, two U.S.-based OAL cells—one for reconnaissance and tactics
(Recon/Tactical Cell) and one for logistics (Log Cell)—have agreed to participate in this
action, under the direction and guidance of the central operations unit (Command Cell)
led by Burke. The Recon/Tactical Cell will initially conduct reconnaissance to determine
the best targets, and then it will convert into the Tactical Cell in order to conduct the
operation. One of the Log Cell members works at a State public health laboratory, and he
can easily get access to FMD virus samples. A Recon/Tactical Cell member is a certified
veterinarian who has become dissatisfied with the role that professionals in his field play
in perpetuating the imbalance between humans and nature. He has committed himself to
using his technical knowledge to help OAL restore a more natural order.

UA Execution Timeline

D-Day Minus 365 (D-365)


Michael Hudson, the Log Cell lab worker, harvests FMD from an infected sample and
stores it using refrigeration. Kate Wilson, the Recon/Tactical Cell leader, handpicks her
team (including the veterinarian), who will determine the greatest vulnerabilities within
the U.S. agricultural industry. The veterinarian, Sam Thomkinson, begins cultivating the
virus in a controlled lab setting with the intent of creating enough of the viral FMD to
aerosolize it in droplet form for the upcoming operations.

D-160
The Recon/Tactical Cell operatives are trained in reconnaissance techniques by the
Command Cell and are provided detailed information on the livestock industry by OAL
subject-matter experts.

D-80
The Recon/Tactical Cell’s mission is to survey large livestock operations and determine
vulnerabilities for a coordinated bioterrorism attack on the agricultural industry. Burke
guides the cell, and his operatives are based out of the United Kingdom. Communications
occur via shared access to the same e-mail address using a popular internet provider.

D-79
The Recon/Tactical Cell establishes joint checking accounts with two operatives sharing
signature authority on one account with an initial deposit of $3,000. Two other operatives
share signature authority on another account with an initial deposit of $5,000. The
Recon/Tactical Cell uses cash to pay for hotel rooms during its initial weeks of the
operation. They periodically change hotels.

D-72

Scenario 14: Biological Attack – Foreign Animal Disease 14-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

1
The Log Cell provides the Recon/Tactical Cell operatives with fraudulently obtained
U.S. driver’s licenses obtained through a Department of Motor Vehicles employee,
Christine Howard, who is also an OAL member.

D-71
The Recon/Tactical Cell begins to survey various components of the U.S. agricultural
(livestock) industry and monitors county and State fairs’ marshalling yards, sales barns,
and livestock chutes.

D-69
The Recon/Tactical Cell continues its survey of various livestock sales barns,
confinement barns, slaughterhouse facilities, feedlots, open ranches, and pastures. Cell
members look at both large and small establishments. They survey livestock
transportation options and follow a trailer carrying yearling heifers and steers from the
sale barn to the feedlot.

D-64
The Recon/Tactical Cell provides its initial report of findings to its Command Cell using
internet access at the local library. The Recon/Tactical Cell found the U.S. livestock
industry particularly vulnerable during the transportation of livestock in various stages of
the industry (e.g., sale barns to feedlots). During various stages, there are opportunities
for unobserved access to many animals. The Command Cell reports the Recon/Tactical
Cell’s findings to Burke.

D-58
The Command Cell provides guidance to the Recon/Tactical Cell to select specific target
locations.

D-44
Detailed surveys reveal three specific vulnerabilities identified within three separate
States. The first location is a truck stop called Happy Sam’s in State One, where truckers
hauling livestock routinely stop for their 8-hour, mandatory rest halt between a popular
livestock auction barn and a large, private cattle ranch. The second location is the chute
of a large, swine confinement barn in State Two that is downwind and downhill from a
concealed position that could act as a bio-aerosol release point. The third location is
another truck stop called Boswell’s Corner in State Three, where livestock transport
drivers rest and shower between a large, cattle sales barn and a feedlot-and-slaughter-
house operation complex. The Recon/Tactical Cell transmits information about these
locations to the Command Cell.

D-28
The Command Cell instructs the Recon/Tactical Cell to blend in near one of the targets
and prepare for tactical operations while waiting for further instructions.

D-20
1
This symbol denotes an I&W opportunity.

Scenario 14: Biological Attack – Foreign Animal Disease 14-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Thomkinson harvests the grown FMD and assembles three plastic tubes containing it. He
packs the tubes in airtight and watertight ice packs that contains dry ice. The cooler is
marked “Veterinary Samples” and is stored in Thomkinson’s hotel room until the time of
the operation.

D-10
The Recon/Tactical Cell receives instructions from the Command Cell to go to an OAL
safe house in the adjoining State in 5 days in order to conduct dry runs and to receive
detailed final instructions for their operation.

The Log Cell links up with the Recon/Tactical Cell, providing any necessary additional
operational funds. Thomkinson provides Wilson and Jim Thorton with FMD packets with
detailed instructions on how to disseminate the agent via garden aerosol misters. The
three of them transport their respective FMD packets in small drink coolers.

D-8
Thorton, Thomkinson, and Wilson travel to their respective target sites and await
execution orders for the operation. Each operative uses similar practices, staying in
different hotels periodically, paying cash for hotels and essentials, and rotating aliases
used on hotel contracts.

D-3
Thorton, Thomkinson, and Wilson receive their operation execution order from the
Command Cell through their shared e-mail account. They visit internet cafés to access e-
mail stored in the “draft messages” folder of their shared e-mail account. The team
members sign into the account and open the draft messages, thereby avoiding actually
sending the message and possibly having it intercepted. They are advised by the
Command Cell to conduct a final reconnaissance of their respective target and execute
the attack at a time deemed most effective based on their target’s activities (e.g., livestock
transport truck).

• Thorton will attack Happy Sam’s, the truck stop in State One.
• Thomkinson will attack the second location—the large, swine confinement barn
facility in State Two.
• Wilson will attack Boswell’s Corner, the truck stop in State Three.

The three operatives determine the most appropriate attack times to be between 1 a.m.
and 4 a.m. for the truck stops, and dusk for the pig farm.

Thomkinson conducts his final reconnaissance and rehearsal operation, including filming
the entrance to the large pork corporation’s operations center and swine barn.

D-2

Scenario 14: Biological Attack – Foreign Animal Disease 14-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

*
Wilson locates a loaded cattle truck at the targeted truck stop. She approaches the truck
in her minivan and, when alongside the truck, separated by only a few feet, she dons her
gloves and masks and approaches. She rolls down her window and activates the mister
upwind of the livestock trailer. The mister provides a fine spray that quickly reaches the
cattle in the trailer. After it is emptied, she quickly bags the mister and departs for her
hotel room. She packs her belongings and returns to her home base using a previously
determined Escape and Evasion (E&E) plan.

D-1
*
Thorton spots a cattle truck at the targeted truck stop. He approaches the truck in his car
and dons his gloves and mask once he is alongside the truck, separated by only a few
feet. He rolls down his window and activates the mister upwind of the livestock trailer.
The mister provides a fine spray that quickly reaches the cattle in the trailer. After it is
emptied, he quickly bags the mister and PPE and departs for his hotel room. He secures
his belongings from the hotel and executes his E&E plan.

Hour Minus 1 (H-1)


Thomkinson enters his concealed position uphill and upwind of the targeted swine barn,
approximately 50 meters from a large pen holding hundreds of pigs. He monitors the
wind direction and finds it to be ideal.

Attack
At dusk, he dons his gloves and mask and activates the mister. A fine spray of FMD is
released downwind across the fence and into the pigpen. Once the mister is emptied, he
places the mister container and his PPE back into a portable cooler and returns to his
vehicle, driving back to the hotel to secure his belongings before executing his E&E plan.

Scenario 14: Biological Attack – Foreign Animal Disease 14-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Scenario 15:

Cyber Attack
Casualties None directly
Infrastructure Damage Cyber
Evacuations/Displaced Persons None
Contamination None
Economic Impact Hundreds of millions of dollars
Potential for Multiple Events Yes
Recovery Timeline Months

Scenario General Description

In this scenario, the UA—represented by The Legion of Futurity, a left-wing Marxist


group with anarchist elements and a strong anti-capitalist stand—conducts cyber attacks
that affect several parts of the internet and the nation’s financial infrastructure over the
course of several weeks. Specifically, credit-card processing facilities are hacked and
numbers are released to the internet, causing 20 million cards to be cancelled; Automated
Teller Machines (ATMs) fail nearly simultaneously across the nation; major companies
report that payroll checks are not being received by workers; and several large pension
and mutual fund companies have computer malfunctions so severe that they are unable to
operate for more than a week. Individually, these attacks are not dangerous—but
combined, they shatter faith in the stability of the system. Underneath these more visible
attacks, a stream of direct attacks against Internet Service Providers (ISPs), Domain
Name Servers (DNSs), and trusted information providers plays out to further undermine
user confidence.

UA Operatives and Group Profile

UA Group Profiles

For a detailed profile of The Legion of Futurity, please see the group profiles section in
the UA Threat Category package (pages 135-147).

UA Operatives
Gerhardt “Annullierter” Steinmetz: A German representative of Future Perfect, black hat
hacker, and mastermind of U$ Phinance.

Yuri “The Penguin” Tarachenko: A Ukrainian hacker who feeds The Legion of Futurity
credit card numbers and personal identification information from phishing and database
hacking endeavors. Although U.S. authorities have identified him as the creator of
numerous phishing pop-up and spam messages, lack of cooperation from the international
authorities has stymied efforts to stop him. His efforts fund U$ Phinance. He sends

Scenario 15: Cyber Attack 15-1


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

money directly to The Legion of Futurity, and he sponsors a “Hack the Card” contest that
pays for legitimate credit card numbers.

Pandemonium Programmers: A group of Romanian hackers famous for a 1997 hack that
allowed the group to access Personal Computers (PCs) with Total Books personal
banking software and to view user bank account information. The group’s “malware”
used Total Books to transfer funds from one bank account to another the next time the
legitimate user logged into his or her bank account. They create a similar attack against
personal access to mutual funds, pension accounts, and corporate payroll services. They
also assist Hnik in the development of covert attacks against ISPs and DNSs.

Juao “Jigabyte” Barone: A Brazilian black hat hacker and worm writer. He and his
group steal and max out many credit cards. He creates a worm to steal login names and
passwords by recording keystrokes and posts them to the internet.

Kolya “SkalaVY” Hnik: A Czech malware writer who coordinates an attack against ATM
software using insiders and logic bombs to disrupt proper service. He also is the lead
developer for the final stealth attacks against ISPs and DNSs.

Jammar “JAM-Rx” Singh: An Indian hactivist and part of Hnik’s team suspected of
contributing to the 2003 worm that attacked Pakistani government sites, stock exchange,
and ISPs. He was hired at MaCBindi to help develop TekKar’s check imaging and
exchange software “Draft21.”

Sanjeev “Charming” Sharma: An Indian hactivist and part of Hnik’s team suspected of
contributing to the 2003 worm that attacked Pakistani government sites, stock exchange,
and ISPs. He obtains employment with Peerless Application Systems.

Greg Brandenhaus: A U.S. anti-globalization activist who worked for TekKar for several
years as a software engineer. He is the suspected webmaster for the Animal Liberation
Front and Environmental Liberation Front websites. He has been arrested for
involvement in anti-globalization rallies, but his company does not know about the
arrests. He creates the backdoor that allows Singh to execute the attack against the ATM
machines.

Detailed Attack Scenario

Desire for open access and easy use has left some aspects of the information and financial
infrastructures vulnerable to cyber attacks. Software programs are freely distributed and
easily installed, often including auto-update features that run largely invisibly to the user.
Trillions of financial transactions move through a complex infrastructure that is difficult
to consistently protect. Cyber attacks have been growing in sophistication and volume
over the past few years, and there are many known extremist and criminal groups with
demonstrated technological proficiency and cyber attack capabilities.

Scenario 15: Cyber Attack 15-2


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Over the past few years, anti-globalization activists have taken credit for several cyber
attacks targeting critical infrastructures, including an attack on a prominent telephone
company that allowed the attackers to tap phone lines, reroute calls, and pose as company
technicians to callers. Anti-globalization activists have also defaced several financial
services websites with their propaganda. Law enforcement agencies have tracked several
of the suspected perpetrators through their aliases and through lists of known hackers
associated with certain “hacktivist” groups and protest movements; however, no arrests
have been made. Several defaced sites refer to Future Perfect, which law enforcement
officers believe refers to a group and not to a hacker’s identity. This view was bolstered
by a magazine article in which known activist Greg Brandenhaus refers to Future Perfect
and The Legion of Futurity as key to the anti-globalization movement’s future.

Law enforcement organizations have determined that The Legion of Futurity is capable
and driven to commit cyber attacks. The Legion’s leadership is unidentified, and its
membership and depth of financial base is unknown; however, merchandise sales and
anonymous donations appear to finance the group. It is widely suspected that the group
also garners funds via hacking and regulated credit card fraud, specifically targeting
wealthy individuals or corporations. Decentralized cells seem to be located in cities with
large student populations. The Legion recruits and communicates with each other
primarily through the internet, but meetings are often held in coordination with
demonstrations.

One of the Legion’s main objectives is to create a network that will combat capitalism
and provide an alternative economic and political order. The group condemns the loss of
life but actively seeks to maximize economic damage to representative bodies of the
existing capitalist society. Its organized events have historically been loud and raucous
demonstrations, during which the participants have vandalized and destroyed
representative economic targets, such as merchandise, shops, and vehicles. The Legion
takes direct action to disrupt summits by causing economic damage through arson and
vandalism. Members have coordinated large demonstrations at World Bank, International
Monetary Fund (IMF), and World Trade Organization (WTO) meetings, as well as G-8
Summits. The group seems to have funds that enable the movement of numerous activists
from location to location to organize and participate in demonstrations.

Cyber attacks were not part of past Legion of Futurity’s mission operations, but the
possibility of a coordinated, complex cyber attack has not been discarded. The group’s
summit demonstrations have not been very successful in impacting the capitalist societies
it seeks to negatively influence. Legion regional representatives (reps) are beginning to
feel that a cyber attack, or series of attacks, could greatly damage the economic
infrastructure of a selected city, region, or country. The Legion wants to maximize
financial damage to capitalist societies, and the backbone of a capitalist society is the
steady flow of goods and capital. Most members believe that in the name of economic
globalization, the capitalists are deploying a new strategy to assert their power and
neutralize peoples’ resistance. The Legion seeks to prove that dependence on money is
evil.

Scenario 15: Cyber Attack 15-3


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Coordinated protests and recruitment are still extremely important to its mission;
membership has increased 150% since 2002. A large membership provides credibility to
the cause. Protests and active demonstrations, rather than covert operations, are the main
focus. However, the group seeks to complement these activities with active targeting of
the financial sector, as long as there is not a blatant connection made publicly between
the two activities.

UA Execution Timeline

D-Day Minus 730 (D-730)


The Legion of Futurity international and regional reps from the main cells in the United
Kingdom, France, Brazil, Germany, and the United States met after a G-8 Summit to
discuss channeling the movement’s technological abilities for their purposes. The turnout
for the G-8 Summit was much lower than expected. Regional reps believe poor weather
and logistical separation from G-8 participants by law enforcement was difficult to
overcome and limited the effectiveness and attention given to the group’s protestors.
Frustrated and disappointed by the lack of turnout and action at the summit, the group
focused on a new means to restructure existing economic order.

The German contingent pointed out that a set of skillful cyber attacks can be anonymous
and undetectable. A synchronized attack does not require that all participants be in the
same city or even the same country, and a large number of participants is not necessary.
The whole structure of the group is based on a support and coordination network that can
easily be tapped for a cyber attack. Largely autonomous cells can execute various aspects
of the coordinated attack. The Legion’s very loose organization provides protection
against infiltration, because one traitor or spy could not necessarily disclose the locations
or actions of any other groups.

Discussions range from hacking into corporate databases, web defacements, phishing for
corporate officers’ credit card information, and outright damage to the U.S. electronic
information system as a whole. Many members of the group believe that blind trust in the
information system of the rich and powerful needs to be exposed and that capitalist
domination needs to be extinguished. These members believe that any attacks against
U.S. systems would help eliminate the existing economic order.

Other members of the group believe that U.S. consumerist culture has been so ingrained
in individuals that only through a shattering of personal misconceptions will anyone be
prepared to loosen themselves from capitalism and governmental control. These members
believe that any cyber activity should focus on bringing this message home to every
individual. The main goal is “an international campaign to isolate, resist, and ultimately
overcome the U.S. position of dominance in the world.”

German Future Perfect leader and black hat hacker Gerhardt “Annullierter” Steinmetz
explains to the group that a range of cyber attacks against the internet sector could take
many forms, but severe disruptions could shatter the average citizen’s faith and trust in
the stability of the system and rock the confidence of the American people.

Scenario 15: Cyber Attack 15-4


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Annullierter recommends that he coordinate overall activities, handle funds distribution,


and allow activists from their cells or affiliated groups to conduct the cyber attack. Other
regional reps agree and suggest that a clear division between groups involved in the
public mission and those involved in coordinating attacks against the financial
infrastructure is also necessary.

Annullierter suggests that, regardless of the type of attack, an internal, untraceable


disruption to various institutions would significantly shake consumers’ trust in the
internet, and, indirectly, in the U.S. financial system. The representatives agree to find
out what kind of capabilities their groups and affiliated cells can offer and to begin
recruiting computer security professionals and/or computer programmers. It is agreed that
Annullierter will lead the effort.

D-675
Annullierter makes contact with former members of the Romanian hacker group
Pandemonium Programmers, which is famous for a 1997 hack that allowed the group to
access PCs with Total Books personal banking software and to see user bank account
information. The group’s “malware” used Total Books to transfer funds from one bank
account to another the next time the legitimate user logged into his or her bank account.
Annullierter asked the group to look into the possibility of using a similar attack against
personal access to mutual funds, pension accounts, or corporate payroll services.

Annullierter contacts Yuri “The Penguin” Tarachenko, a hacker from the Ukraine who is
sympathetic to the cause. Tarachenko has been feeding the Legion credit card numbers
and personal identification information from its phishing and database hacking
endeavors. Although U.S. authorities have identified Tarachenko as the creator of
numerous phishing pop-up and spam messages, lack of cooperation from the international
authorities has stymied efforts to stop him. Annullierter convinces Tarachenko to use his
efforts to fund the operation, dubbed U$ Phinance. Tarachenko will send money directly
to the Legion and sponsor a “Hack the Card” contest that would offer to pay for
legitimate credit card numbers.

D-640
Legion of Futurity reps meet in Las Vegas the same week at the DEFCON Conference.
This conference is held every year in Las Vegas and offers seminars on technological
innovations, malware, exploits, security breakthroughs, privacy issues, identify theft,
identity creation, fraud, credit card and financial instrument technologies, and many other
issues. It also is home to large-scale gaming and hacking contests.

The regional reps meet again to discuss the movement’s abilities and progress. Several
members caution others against creating or using “hackers for hire” with no ties to the
group’s ideas. The group agrees to come up with a plan of action, coordinate resources,
and recruit support throughout the worldwide anti-globalization movement.

Scenario 15: Cyber Attack 15-5


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Astonished regional reps find that Tarachenko’s phishing efforts have brought in
thousands of dollars. Tarachenko used pop-up ads to steal more than 100 legitimate credit
card numbers. It is agreed that this money will be used to fund the cyber attacks.

Annullierter believes that the most damaging cyber attack will be difficult to detect and to
recognize as more than a mechanical failure. To accomplish such an attack, he believes
that stealth and overt attacks need to be conducted concurrently. Annullierter
recommends that Tarachenko’s “Hack the Card” and phishing efforts can be used to
distract law enforcement and create fear among the public while the other cyber attacks
are conducted. Annullierter convinces the group that they can use the press to help panic
the public into flooding credit bureaus and credit card service centers. He recommends
posting as much legitimate credit card information as possible and informing the press
that hackers have the personal information of everyone subscribing to the New York
Inquirer. He hopes that people will panic and that, regardless of whether their
information was stolen, they will cancel their credit cards or check to make sure that no
one is trying to steal their identities, which will tie up processing centers for days.
Additionally, by spoofing trusted websites, such as news sites and government press
release sites, people will not know who to trust for accurate information, which will help
sow disorder and even chaos.

D-639
Legion of Futurity regional reps attend several DEFCON seminars and discuss activities
for examining potential targets. The group’s regional reps note the successful crack by
group members into a bank system that is used to secure customer’s personal
identification numbers and is also used by the U.S. Treasury Department to sell bonds
and treasury bills over the internet. Regional reps discussed successes of Eastern
European hacker groups in stealing credit card information from major e-commerce
websites and several extortion attempts of major Chief Executive Officers (CEOs).
Annullierter reveals the planned aspects of the multi-pronged cyber attack in operation
U$ Phinance to the other regional reps present. Communications are drafted to request
comments, ideas, and volunteers from the various groups and their cells and contacts.

Annullierter invites the hacker community to contribute to Legion of Futurity discussions


on acts against the current political order. Discussions center on the notion that
individuals are so inundated with Western consumerist culture that many cannot even
understand how deeply they are rooted in capitalism and governmental control. The
outspoken Brazilian Juao “Jigabyte” Barone, a known black hat hacker and worm writer,
states that people will need to be shown firsthand that they are under the control of an
unjust system. Barone proposes that the group steal and max-out as many credit cards as
it can access.

Barone describes a worm that steals login names and passwords by recording keystrokes
and convinces the group that he can create this worm. Plans are established to retrieve
information stolen by the worm and to forward the information to an anonymous e-mail
account for later use in the penetration of financial computer systems. Annullierter agrees

Scenario 15: Cyber Attack 15-6


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

to help fund Barone’s effort, but tells him that the timing and release of the malware will
be a part of a larger campaign and must be timed perfectly on his command.

Annullierter also meets with Czech malware-writer Kolya “SkalaVY” Hnik at the
conference. The two discuss the financial sector’s increased use of offshore software
subcontractors and the relative interdependency of the global banking network. Hnik
believes that if they can get people inside some of these companies, these insiders can get
source code for ATM software for him to examine for vulnerabilities. Annullierter will
fund Hnik and a small team to create a logic bomb that can be put into place and remain
undetected until the Legion wants to take ATM machines offline. Hnik agrees to put
together a team to find vulnerabilities in ATM software and develop the logic bomb. He
also offers to head development of additional attack means to create further chaos,
including creating a personal firewall program that hides the nodes of an enormous
botnet. His idea, which he details to Annullierter, is to work through sympathizers who
are employed by computer security providers to include the firewall in security programs
distributed by those providers. Thus, the security firms themselves will have
unknowingly contributed to the disruption of the very service they exist to protect. This
will take at least 6 months to develop, but the payoff should be high. Annullierter loves
this concept and approves the development of the clandestine attack network.

D-638
1
Flyers posted at rallies, mass e-mails, and bulletin board postings, along with
advertisements and articles on anti-globalization websites, rally technologically savvy
anti-globalists to probe the vulnerabilities of U.S. financial systems. The points of contact
are listed as Jammar “JAM-Rx” Singh, Sanjeev “Charming” Sharma, and Hnik.
Annullierter assumes that this level of activity and openness will draw attention away
from the real operations to disrupt the U.S. information and financial system.

Singh and Sharma are known Indian “hacktivists.” They are also suspected of being part
of the “Visha Kanya,” the group responsible for a version of the Yaha worm that attacked
Pakistani government sites, stock exchange, and ISPs in early 2003. Hnik is suspected of
involvement with several Eastern European hacker groups known for their malware
capabilities and for targeting financial institutions. Some of these groups are thought to
have ties to organized crime. Hnik was detained in the summer of 2003 due to his
relationship with a Ukrainian arrested in Asia for selling pirated software and his
relationship with a Romanian hacker arrested in September 2003 for distributing a
version of the Blaster virus.

D-620
Legion of Futurity websites and bulletin boards post papers promoting a new movement.
Secure chat rooms are filled with members offering to obtain jobs with U.S. banks or
companies with close ties and partnerships with banks, such as payroll service bureaus or
pension fund managers. The posted goal is to “grind the U.S. financial system to a halt.”
The members are asked to look for others in these sectors who are sympathetic to the
movement’s goals.
1
This symbol denotes an I&W opportunity.

Scenario 15: Cyber Attack 15-7


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

U.S. activist Brandenhaus offers his inside knowledge of the financial system.
Brandenhaus works for TekKar, a Dallas, Texas, company whose clients include the top
20 banks in the United States. Brandenhaus has been a software engineer at TekKar for
several years. He is also the suspected webmaster for the Organization for Eco-Liberation
(OEL) and OAL websites. He was arrested or detained in the Seattle and Washington,
DC, anti-globalization rallies. He was denied admittance to the Czech Republic for the
Prague rally. He is an active anti-globalization voice in the Dallas-Ft. Worth area and is
an avid gamer. His company knows nothing of the arrests, and he has had administrative
privileges in secure portions of the system for years. Colleagues believe him to be
extremely excitable on certain topics, but most think that he is a harmless computer
engineer.

D-600
Singh posts his resume online, attempting to gain employment with MaCBindi, a
Mumbai, India, Information Technology (IT) outsourcing company that has a partnership
with TekKar. He lists his desired occupation as “programmer” or “systems administrator”
and his experience with several finance companies in Mumbai. He also expresses his
desire to work in the United States.

Pandemonium Programmers report to Annullierter that they can use a very similar
method to the 1997 attack to access certain mutual-fund and pension-fund company
computers. Annullierter instructs the group to devise a denial-of-service attack that will
affect the networks of these companies. He also asks them to include corporate payroll
services, ISPs, and DNSs in the attack.

D-580
Sharma and Hnik post similar resumes. Hnik lists his experience in financial network
security and anti-virus programming. Sharma also targets Logic Application Systems, a
North Carolina company that manufactures and sells ATM software.

Brandenhaus, who has been following Visha Kanya exploits for years, suggests to
Annullierter that MaCBindi and Peerless are ATM software regional reps with pending
updates and explains that TekKar’s “Draft 21” software may also be exploitable.
Brandenhaus knows that software updates are scheduled to be released every few months.
Annullierter establishes contact between Brandenhaus, Singh, Sharma, and Hnik.

D-560
Under Barone’s direction, and with a good deal of funding from the Legion, worm coders
from several different countries begin working together to adapt and combine aspects of
several existing worms, including a modified variant of the encrypted BuffBabe worm,
W32.BuffBabe, and Horse.PSW.Hooker, making them virtually undetectable and
efficient. Barone convinces the group that it needs to write new code to slip the worm
past anti-virus software and that the worm needs to be able to spread more quickly than
efforts to stem its activity.

Scenario 15: Cyber Attack 15-8


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Barone directed his team to examine features of successful worms and attempt to create a
worm with the speed of Code Red and CodeRed2 and the multiple means of proliferation
Nimda used. He also told the team that the worm should incorporate other virus code to
be transported with the worm (as seen in variations of the Klez worm), have the ability to
access and send files from a hard drive (as seen with SirCam), and have the destructive
payload of Magistr.

The W32.BuffBabe worm will be used to send infected e-mail to addresses collected
from webpages and Windows-based e-mail address books. It will also drop
Horse.PSW.Hooker.b in PCs, allowing the malware author to steal usernames and
password details. Original infiltration will be gained through e-mail correspondence
between a call center representative and a member of The Legion of Futurity. The
W32.BuffBabe worm will use a double extension ruse to take advantage of
vulnerabilities in the default settings of Windows, a program used by the targeted facility.

D-520
*
Legion of Futurity members, working from within the United States and operating as the
PhreakerCell employ social engineering techniques to establish dialogues with prominent
credit card banking systems. Annullierter informs the cell that its primary target is
CityOne Bank, with a call center headquartered in San Antonio, Texas. Its secondary
target is Corporate Bank headquartered in Richmond, Virginia. The group’s goal is to
establish relationships with call center personnel at both credit card processing facilities
using e-mail to gain access into the systems.

D-500
Singh is hired at MaCBindi to work on the development and production of TekKar’s
check imaging and exchange software “Draft21.” This software allows bank account
holders to access images of cancelled checks over the web.

D-475
Anti-globalization websites and bulletin boards issue a request for prototype viruses,
worms, bots, and other malware that Annullierter plans to use in Operation U$ Phinance.
The point of contact is Hnik. Followers are also encouraged to send information on any
known vulnerabilities.

Annullierter also puts Hnik in contact with Pandemonium Programmers for access to
their malware, which they begin developing and modifying, as needed.

Brandenhaus supplies Hnik with a copy of the TekKar Draft21 software for reverse
engineering and vulnerability testing.

Sharma receives a H1-B visa as a result of employment with Peerless Application


Systems and moves to North Carolina. Peerless has two primary business lines: one is
software for ATMs, and the other is a development group focusing on personal firewall
solutions.

Scenario 15: Cyber Attack 15-9


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-425
Sharma supplies a piece of Peerless ATM software source code to Hnik. He also reports
that his company is in the final stages of its current update, but has experienced some
glitches in testing the software and has identified several issues with the code. Peerless
forms a task group to develop a patch for the faulty code, and Sharma is included in this
group. Sharma has also been engaged by the firewall development group at Peerless,
based on security programming expertise he has already demonstrated on the job.

Hnik and the Pandemonium Programmers finalize a logic bomb for insertion into the
targeted ATM software. When the bomb triggers on D-Day, all infected ATMs will be
disabled. He assumes that the bomb will also corrupt bank computer networks as the final
transmissions of the machines are conducted.

Hnik begins working on identifying a vulnerability in Draft21 that can be exploited and
used to deliver the logic bomb into the software. He notes that the planned upgrade could
create a security vulnerability that could be exploited to disable bank systems.

Finally, Hnik and a select group from the Pandemonium Programmers have been
developing the personal firewall software that masks the botnet. The botnet will be
deployed a few days prior to D-Day to maximize the chaos created by the credit card and
ATM attacks. The botnet will be used to launch DDoS attacks against ISPs and to poison
the DNS system. Attacks will also attempt to poison Address Resolution Protocol (ARP)
caches. The plan is to introduce the personal firewall software to the computer security
community, so that it will become incorporated into auto-update packages. At the time of
attack execution, the cell members will remotely disable the firewall capabilities through
a synchronized update, leaving behind forged logs and other indicators to make it appear
as if the firewall is still functioning.

D-425 to D-130
The various teams and developers spend nearly 10 months developing their programs,
malware, networks, and attacks, moving slowly and cautiously to avoid attracting
attention. They use the time to develop trusted relationships with the right people,
companies, and organizations. During this time, they also test their concepts and stay
current with the newest vulnerabilities and attack methods. They keep very low profiles
in the hacker community and maintain strict OPSEC procedures enforced by Annulierter,
who has studied military tactics. Annulierter finds particular irony in using the tactics of
his enemy to defeat his enemy.

D-115
Brandenhaus, Singh, and Sharma discuss a way to insert their logic bomb code into the
upgrades that are being developed for their respective companies. Sharma will insert the
malware into the patch being created for Peerless after initial code review. Brandenhaus
and Singh are working with Hnik to find a vulnerability that can be exploited to release
the logic bomb through Draft21. Hnik has determined that a vulnerability will be created
if MaCBindi’s current upgrade to the Draft21 software is deployed. Through this

Scenario 15: Cyber Attack 15-10


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

vulnerability, they will be able to deploy the malicious code into the system using
Brandenhaus’ privileges.

They agree that most of the work can be accomplished after-hours at their respective
offices.

D-80
Pandemonium Programmers report to Annullierter that they have identified
vulnerabilities in several networks for companies managing mutual and pension funds, as
well as a network for an offshore payroll service. Annullierter funds the development of
an internal denial-of-service mechanism and informs the group that the timing of the
release will be very specific and will correlate with several other efforts aimed at rocking
confidence in the financial sector and the internet.

Brandenhaus is administratively sanctioned for using his office and computer after-hours
and for making long-distance phone calls. He installs a “backdoor” to his account on the
TekKar network so that he can access his account and files remotely and continue his
activist work.

D-78
Singh and Sharma receive the logic bomb code from Hnik, are notified of the potential
target date, and begin final preparations. Annullierter instructs the group to set the clock
on the bomb for 7 days beyond the deadline for receipt of credit card numbers from the
“Hack the Card Contest.” Annullierter believes that the public’s panic over posting credit
card information will create a backlog of work in the financial sector and keep law
enforcement busy trying to find the perpetrators. Hnik finalized the exploit for Draft21,
but Brandenhaus will have to use his administrative privileges to upload the logic bomb
code.

D-75
*
Brandenhaus’s supervisor confronts him about his after-hours use of the office. A
security report noted that Brandenhaus has been coming into the office at odd times of
the night to work, even though he has received several previous warnings about this. The
supervisor demands an explanation for long-distance phone calls made from
Brandenhaus’s office, as well as for Brandenhaus’s prior request for a full copy of the
Draft21 software.

Brandenhaus is written up, and the supervisor schedules a review board meeting to
address Brandenhaus’s obvious disregard for company policy, accusing him of misuse of
company resources and possible software piracy or economic espionage. The supervisor
informs TekKar’s IT division of the suspension, and Brandenhaus’s account is
terminated. IT also makes arrangements to access Brandenhaus’s computer to prepare for
the review board meeting.

Scenario 15: Cyber Attack 15-11


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-65
*
A TekKar review board suspends Brandenhaus after an investigation finds that he has
obtained a copy of the software by false means and has been working on his activist
interests after-hours in the office, apparently coordinating a large, multi-city “action”
against financial institutions, due to take place in approximately 2 months. Although few
of Brandenhaus’ colleagues believe that he is capable of this action, the review board
notifies law enforcement of his activities. TekKar informs the FBI of the possibility that
Brandenhaus is committing copyright piracy, economic espionage, or some other theft of
proprietary software. The company continues examining his hard drive.

Singh reports that MaCBindi has finished testing the software patch and will begin the
upgrade at 2200 EDT.

D-64
Initial MaCBindi and TekKar reports find no glitches in the upgrade process.
Pandemonium Programmers reports completion of a network-specific denial-of-service
mechanism that they have designed to overwhelm network resources to the point of
failure.

D-60
Sharma has completed his portion of the malware for the financial attack and is working
with Singh to finalize plans to exploit the vulnerability in Draft21. They are concerned
about Brandenhaus’s suspension, and Singh fears that he will not be able to complete the
TekKar part of the operation from his position with MaCBindi in Mumbai due to the
level of his administrative privileges.

Brandenhaus sends Singh the information needs for Brandenhaus’ backdoor into the
TekKar service network. The backdoor will allow Singh to “talk” to all the ATMs using
TekKar software and allow him to exploit an existing vulnerability in Draft21. Singh will
use the backdoor to put his logic bomb into place now that the company’s upgrade has
taken place.

Sharma has lesser, but similar, access to Peerless’ service network because of his job
functions, but believes that he can place the code into the company’s upgrade prior to the
rollout on D-55. The plan is to deploy the logic bomb; leave their respective jobs to avoid
detection or detention; and rendezvous in Frankfurt, Germany, for debriefing and mission
funds reconciliation.

D-55
Peerless is set to rollout its ATM software upgrade at 2200 EST. Sharma notifies Singh
of the timing and begins to deploy his Trojan code. Sharma uploads at 2147 EST, and
Singh uploads at approximately the same time in Mumbai, 1854 Greenwich Mean Time
(GMT).

Peerless personnel are carefully monitoring the upgrade process and note Sharma’s
activity. Sharma is confronted and explains that he made a last-minute, minor adjustment

Scenario 15: Cyber Attack 15-12


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

to his patch prior to deployment. After the questioning, he walks off the job. Sharma goes
to his apartment, packs, closes his bank account, and drives to Charlotte/Douglas
International Airport. He gets a hotel room near the airport and purchases a one-way
ticket to Frankfurt.

Singh is unable to use his own privileges at MaCBindi and is unable to find a work-
around to gain access to TekKar’s network. He is forced to try Brandenhaus’ backdoor.
Singh gains access and uploads the logic bomb through the vulnerability in Draft21.
Singh leaves work at MaCBindi and moves out of his Mumbai apartment the next
morning. He gets a hotel room near the airport, closes his bank account, and purchases a
one-way ticket to Frankfurt.

D-54
TekKar logs show that someone accessed its network at approximately 2200 EST the
night before. Security officials read system logs to determine what activities occurred.

Peerless determines that Sharma, an Indian programmer who has been with the company
for a short time, made last-minute code changes prior to the rollout. Although there have
been no reported glitches in the upgrade, Peerless has programmers working through the
code to determine what changes were made. Company officials are unable to find
Sharma. Peerless is concerned because Sharma abruptly quit, but his direct supervisor
feels that the quiet Indian programmer was simply offended by the perceived accusation
from the previous day.

Sharma and Singh stay overnight at their respective hotels and fly to Frankfurt in the
morning.

Barone and his team complete the BuffBabe malware.

D-7
*
PhreakerCell members make contact with various financial services’ call center
personnel and request account application forms via e-mail. Annullierter is updated and
gives permission to release the worm. He also directs the Pandemonium Programmers to
activate the botnet by issuing an auto-update that disables the firewall capabilities.

D-6
*
PhreakerCell members send completed forms to Barone to attach the malware and send
back to the call centers. The BuffBabe malware spreads rapidly and without notice,
sending usable data to the anonymous e-mail account. Information gained includes
multiple user names and passwords to call center representative accounts. Barone’s team
begins penetration of call center computers and easily obtains approximately 700,000
account numbers.

The team holds these account numbers so that they can be released simultaneously with
the purchased and extorted accounts.

Scenario 15: Cyber Attack 15-13


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

Pandemonium releases the firewall update, which initiates the activation of the botnet.
Over the next few days, the botnet will unleash code that conducts DDoS attacks against
major ISPs, poisons DNS and ARP caches, and spoofs e-mails containing false
information coming from and going to key members of the computer security
community.

D-1
*
Tarachenko’s “Hack the Card” contest has come to an end, and he has purchased
hundreds of credit card numbers over the past few months. Although many of the cards
have been cancelled, politicians, corporate leaders, and banking officials put law
enforcement officials under a great deal of pressure to stop the heavily press-covered
contest dubbed the “most ruthless theft of credit card numbers ever seen.” Tarachenko
combines the remaining valid card numbers with those recently farmed from phishing
and database cracking efforts and sends the list to Annullierter. He also sends a list of
subscribers to the New York Inquirer.

Barone sends the nearly 1 million card numbers, as well as username and password
information, to Annullierter.

Peerless and TekKar have long since stopped any internal computer investigation and did
not report the odd network activity to the authorities, in part because their internal
computer forensic efforts could derail any law enforcement efforts, but mostly because
they feared negative publicity. Any network outage or downtime due to a law
enforcement investigation would be unacceptable. If word of the investigations were
revealed in the press, trust in the U.S. financial system could be severely damaged.

D-Day 0700 EDT


Annullierter takes the list of credit card numbers and personal information from Barone
and from Tarachenko’s “Hack the Card” contest and combines the list. He uses the stolen
information from the New York Inquirer database and prepares a mock Associated Press
(AP) article saying that the personal information of thousands of subscribers was stolen
and posted to hacker chat rooms.

D-Day 0900 EDT


The press releases word of the credit card numbers being posted to the web and the rumor
that the personal information of New York Inquirer subscribers has also been posted.

D-Day 1000 EDT


Many credit card holders call their credit card issuers to determine if they are among
those compromised and to see if they can be reissued a new card.

Fraudsters capture information and begin direct charging and manipulation of vendor
sites.

Scenario 15: Cyber Attack 15-14


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

D-Day 1200 EDT


Word of the crisis has spread to far more people than most bank and credit card centers
can handle. A backlog of requests for new cards forms.

D-Day 1400 EDT


Many cards are being used by multiple fraudsters and quickly reach their credit limits.
The press reports on the posting and advises cardholders to call their credit card issuers,
as well as the EgaliUnion, Traverse, and Extra credit bureaus.

D-Day 1800 EDT


Members of Pandemonium Programmers launch semantic hacks and spoofs against well-
known internet news and information providers, just in time for the evening news. They
place forged public bulletins about the credit card attack, which misdirect consumers
regarding what numbers to call for information, resulting in angry, frustrated citizens.
This confusion adds to the overwhelming of the processing centers.

D+7 0948 EDT


The logic bomb begins to work, taking down every ATM running on TekKar or Peerless
software. Complaints trickle in to banks on the East Coast throughout the morning.

D+14 0800 EDT


Pandemonium Programmers release their malware, dubbed Mola$sasNet, into the
networks of two large mutual fund and pension fund companies. They also gain
unauthorized access to the offshore payroll company and another such company based in
the United States servicing more than 10 million businesses with 100 or less employees.
The group releases Mola$sasNet into the networks.

D+14 0945 EDT


As more users log on to the affected networks, Mola$sasNet begins to overwhelm the
resources of the network, causing crashes and failures. Separately, the companies begin
to scramble to maintain the network and, thus, their service. None of the companies alert
the authorities, fearing the effect that recent bad publicity has had on banks and credit
companies. Instead, they tell their customers that they are experiencing a glitch and will
be online soon.

Scenario 15: Cyber Attack 15-15


National Planning Scenarios: FOR OFFICIAL USE ONLY/ Version 4DRAFT
Attack Timelines LAW ENFORCEMENT SENSITIVE

APPENDIX:
UA Development Members
The UA and associated scenario prequels were developed by Applied Marine
Technologies, Inc. (AMTI), principal contractor to OPIA, DHS. The AMTI team is
comprised of personnel from diverse backgrounds, including: special operations planning
and execution, intelligence collection and analysis, terrorism and insurgency studies,
information technology, Arabic language and culture, screenwriting, research, and
journalism.

APPENDIX: UA Development Members A-1