on security

Protective Intelligence Lessons From a White Supremacist Attack in Germany

Scott Stewart
VP of Tactical Analysis, Stratfor
9 MINS READOct 15, 2019 | 09:30 GMT
Mourners place flowers at a makeshift memorial on Oct. 10, 2019, at the market square in Halle, Germany, one day after a deadly anti-Semitic shooting.

Mourners place flowers at a makeshift memorial on Oct. 10, 2019, at the market square in Halle, Germany, one day after a deadly anti-Semitic shooting.

  • Like many jihadists, the white supremacist who attacked a German synagogue on Yom Kippur was radicalized online and had no known connection to far-right extremist groups. 
  • Even so, several points existed during his attack cycle where he would have been vulnerable to detection had someone been paying attention.
  • Locked doors and the congregation's alertness prevented an even larger tragedy in this case, but it would have been better to detect and prevent the attack during the planning phase.

Far more people are alive in Halle, Germany, thanks to a locked door and a shooter's amateurishness. On Oct. 9, a heavily armed white supremacist (whom we decline to identify) attacked a synagogue in the eastern German city, first opening fire with a homemade Luty submachine gun in an attempt to breach a door in a wall that led to a small cemetery behind the synagogue. Failing that, he appears to have tossed an improvised grenade over the wall into the cemetery, where it detonated without causing much damage.
Frustrated at his inability to get inside the synagogue, he turned his attention elsewhere. He shot a pedestrian dead on the street, but his gun jammed before he could kill a second. He next drove to a nearby kebab shop, where he tried to throw an improvised grenade inside, but the grenade bounced back and exploded outside. He then entered the shop and opened fire, killing one person and wounding several others. One of the two homemade Luty submachine guns jammed while he was inside the restaurant, and the killer abandoned it there, turning to his backup gun, a homemade 12-gauge slamfire shotgun. He then drove to Wiedersdorf, where he entered a vehicle repair garage and demanded a vehicle. When the garage owner and an electrician defied him, he shot and seriously wounded the electrician and left the dealership in a stolen taxi. After a high-speed chase over around 80 kilometers (50 miles), the attacker finally crashed the taxi, allowing pursuing police to arrest him.

The Big Picture

Terrorism remains a persistent and deadly threat, but it is not something that people have to just fatalistically accept. Studying attacks and understanding the attack cycle can help people and organizations adopt measures to mitigate the impact of an attack — or better yet, to recognize attack planning as it's occurring and prevent attacks altogether.

Like several other recent white supremacist attackers, the Halle killer left a written document outlining his preparation and motivation. He also used a camera mounted to his helmet to livestream his attack on a streaming platform called Twitch frequently used by gamers. While this documentation of the attack was intended to serve as a propaganda vehicle to promote the killer's ideology and inspire more attacks, it also provides an excellent view into his attack cycle. This incident offers several important lessons for preventing similar attacks — at a far earlier stage.

Lone Attackers Provide No Warning?

One of the narratives that has emerged from this case is that the attacker was a lone attacker who came from nowhere and because of this, there was no way to detect or prevent his attack. This is utter bunk.
The suspect was radicalized and mobilized via online propaganda. He also obtained the instructions to manufacture his firearms and explosives from online sources. He also did not have any known association with German far-right groups or any previous criminal record. 

To deal with such suspects, focusing on the attack cycle is critical, something I wrote a decade ago during an era of simple attacks using readily available weapons conducted by people with little to no known association with militant groups. Attacks conducted by a lone assailant do not simply appear out of the ether, and even lone attackers are bound by the constraints of the attack cycle. I'd even argue that a lone attacker is at a disadvantage because he must conduct all the phases of the attack cycle alone, increasing the chances of detection. In truth, numerous opportunities to detect the Halle killer existed as he progressed through the stages of his attack cycle. Let's look at some examples.

This graphic shows the stages of the attack cycle.

First, it undoubtedly took him many weeks, if not months, to research and then manufacture the homemade guns and explosive devices he used in this attack. In his writings, he noted that the Luty submachine guns tended to jam and that he had been forced to manufacture a tool to extract jammed empty shell casings from the gun. This clearly indicates that he test-fired the guns to discover this problem. Automatic weapons fire, even if only 9 mm ammunition is used, should draw attention. Furthermore, the suspect also tested his improvised grenades and pipe bombs — again, someone likely heard those explosions. The suspect also reportedly lived with his mother, and it is hard to believe that he could have manufactured such a large arsenal of firearms, ammunition and explosives without arousing her suspicions.
In his written statement, the killer stated that at least a portion of the funding for his operation came from someone he met online who gave him some bitcoin. The killer mockingly stated that he misled the donor, whom he purports was a former board owner on a chan site called Vichan, in that he stated he wanted to attack Muslims. Despite saying he would not identify the donor, who was Jewish, he proceeded to do so in his screed. If the investigation into this attack proves that such a fund transfer did indeed occur, it was yet another point in the arms acquisition phase of the killer's attack cycle in which he was vulnerable to detection. It also demonstrates that while the killer was operating alone in the physical world, he was part of an online community and that others were aware of his intent to conduct an attack.
The attacker was also vulnerable to detection while conducting pre-operational surveillance of potential targets. He noted that in addition to casing the synagogue prior to the attack, he also conducted surveillance on at least one mosque and an antifa cultural center. He noted that the mosque and the antifa center had less security than the synagogue, but that he decided to attack the synagogue anyway because he viewed Jews as the primary enemy. In his written document, the attacker stated that he felt very uncomfortable while surveilling the synagogue because he felt out of place, while he also noted it had CCTV cameras covering the street. The attacker wrote: "Intel is the most important aspect of an operation, and my capabilities are rather limited." He clearly had very little experience in conducting surveillance and had little to no concept of using cover for action and cover for status to facilitate his surveillance efforts. This is in keeping with past lone attackers, who have typically possessed terrible surveillance tradecraft.

I believe we will see future white supremacist attackers attempt to obtain more reliable weapons, something that will make them more vulnerable to detection during the weapons acquisition phases of their attack cycles.

I am certain that someone somewhere saw or heard the Halle attacker as he was making and testing his guns and explosives or conducting surveillance on his prospective targets, but for some reason did not report what they saw. I expect that German police will uncover several such witnesses as they complete their investigation of this case.
The attacker noted that he had hoped that his attack would prove that homemade weapons could be effective in helping other white supremacists conduct similar terrorist attacks. The actual performance of his weapons, however, seems to prove the opposite, something he acknowledged in his video. "Sorry guys," he told his audience as he drove away from the synagogue, "one time a loser, always a loser." He clearly failed to generate the "high kill score" he had aspired to, in stark contrast to other recent white supremacist shooters such as those in Pittsburgh and Christchurch who used commercially manufactured firearms. 

Because of this, I believe we will see future white supremacist attackers attempt to obtain more reliable weapons, something that will make them more vulnerable to detection during the weapons acquisition phases of their attack cycles. For example, the Norway bomber and shooter — considered something of a saint by the white supremacist community — traveled to Prague before his attack and unsuccessfully attempted to buy a fully automatic AK-47 and hand grenades to smuggle back to Norway. In the end, however, he settled on a semi-automatic rifle and pistol he could legally purchase in Norway. Even though he was not detected, this effort to buy military-grade weaponry made him very vulnerable to detection during the weapons acquisition phase of his attack cycle.

Prior Proper Planning Prevents Painfully Poor Performance

The truth of this military adage was proved by this attacker's failed attempt to get into the synagogue. He recognized that the synagogue was a harder target than some of the others he had contemplated attacking, but decided to wing it without a clearly articulated plan on how he was going to get inside. This haphazard tactical planning stands in stark contrast to the extensive time and excruciating detail he paid to manufacturing his weapons during the weapons-acquisition phase of his attack cycle.
Once he committed to attacking the synagogue, he recognized it would be packed on Yom Kippur, a day when even nonregular members attend. Indeed, a synagogue leader later noted that 51 people were inside the building at the time of the attack. In his written statement, the attacker went through options for getting inside the synagogue in a stream-of-consciousness style narrative, discussing possible options, dismissing them before finally concluding, "I prepare for all of the above and decide onsite." His snap decision to attempt to shoot his way through the cemetery gate door was obviously flawed. Not only did he not manage to shoot his way through the door, but the shots provided a warning to the congregants, who quickly used furniture to barricade the exterior synagogue door leading to the cemetery. The external CCTV cameras also allowed them to monitor the gunman's activities as they sheltered inside the building. As an aside, this move by the congregation to deny the gunman access to their location, the first D in the ADD — avoid, deny, defend — reaction to an active shooter, was well executed.
Also I've noted before, adequate access controls are not a total solution in and of themselves, but they have been very effective at stopping or mitigating the impact of active shooter events in the past — and they certainly saved lives in this case. From photos of the cemetery gate door, the lock appears to have been robust, and upgraded in the not-too-distant past. Unfortunately, terrorist attacks targeting houses of worship are a continuing threat, even in countries considered relatively safe like Germany. Because of this, houses of worship should review their security policies and procedures and prepare their congregations to take action in case of an attack on their facility. 
However, while locks, cameras and reactive measures are good, proactive, preventative measures are even better and I encourage those responsible for security at houses of worship to consider developing and deploying programs to identify, investigate and analyze threats against their people and facilities. Detecting and interdicting the attack cycle to prevent an incident is always better than reacting to an attack in progress.

Connected Content

Regions & Countries

Article Search

Copyright © Stratfor Enterprises, LLC. All rights reserved.

Stratfor Worldview


To empower members to confidently understand and navigate a continuously changing and complex global environment.