WHAT WE KNOW
As stated by the FBI in an official press release dated on May 14th, 2025, the day before the Bureau’s Joint Terrorism Task Force (JTTF) arrested Ammar Abdulmajid-Mohamed Said, 19 from Melvindale Michigan, a former member of the Michigan Army National Guard, after he attempted to carry out a plan to conduct a mass-shooting at a U.S. military base on behalf of the Islamic State (IS). The defendant is charged in a criminal complaint with attempting to “provide material support to a foreign terrorist organization and distributing information related to a destructive device”. Based on the report, Mr. Said informed two undercover law enforcement officers of a plan he had devised and formulated to conduct a mass-shooting at the U.S. Army’s Tank-Automotive & Armaments Command (TACOM) facility at the Detroit Arsenal in Warren, Michigan. The sting investigation started off in April 2025 when the two undercover officers indicated they intended to carry out Said’s plan at the direction of ISIS. In response, Said offered material assistance to the attack plan, including providing armor-piercing ammunition and magazines for the attack, flying his drone over TACOM to conduct operational reconnaissance, training the undercover employees on firearms and the construction of Molotov cocktails for use during the attack, and planning numerous details of the attack including how to enter TACOM and which building to target.
WHAT WE DO NOT KNOW
Even though the reported accounts are still sketchy, the following unknowns – which are information requirements that need to get collected and analyzed – can be hitherto identified:
Recruitment path. How has the recruitment process developed? What was the venue that got the perp inserted into the ISIS-inspired reseau? Are there any travels to sensitive locations in the past?
Logistical supply chain. Where, when and how the defendant was able to procure the surveillance and the offensive equipment he then employed for preparing the execution of the offensive plan?
Organizational guidance and timing. Is there any organizational guidance? Is the plot a singleton action or is it part of a broader scheme to be carried out in other places in the US? Was it a pre-planned trigger activity to test the response of the concerned authorities? Has the timing of the execution been randomly determined or has it been ordered to the defendant?
Operational knowledge. How did Mr. Said collect the information in order to assemble and subsequently employ the offensive equipment? Was any training session executed? If yes, where and when?
Targeting process. What was the targeting process – the find (target selection), fix (target monitoring) and fortunately not finish (target attack) phases –Mr. Said utilized? Was it a spontaneous action or was it based off an other-directed recommendation?
WHAT WE THINK
The method
The incident highlights one of the main concerns revolving around the organizational internal measures pertaining to the military recruitment system (vetting) and the constant behavioral monitoring measures (counterintelligence) if/when red-flags might be emerging.
In the event under scrutiny, even though the perpetrator, as young as a 19 years old[1], was discharge from active duty in the National Guard in 2024, just after a couple of years of service, he was likely able to get the operational planning started – like the target identification and surveillance and/or a segment of the logistical procurement – during his time in the military.
The insider threat/risk assessment is one of the most sensitive internal protection measures, especially in its preventive and pre-emptive dimension, that the counterintelligence function – in its mainly human-threat counterintelligence (HTCI) sphere of knowledge and understanding – needs to be covering. Either the person of interest (PoI) is proved to be connected to a foreign Hostile Intelligence Service (HIS) or affiliated with a terrorist or violent extremist organization, the activation of the process is the only option at hand. In NATO jargon, the range of threats that HTCI is supposed to be challenging are synthetized by the acronym TESSOC, which stands for terrorism, espionage, sabotage, subversion and organized crime.
With this regard, the chain of events that opposes this human-related type of threat entails:
- an informative approach, meaning that firstly information are to be gleaned against the PoI himself and those indicators pointing towards him for being an asset of HIS or other enemy entities (intelligence-led);
- as a consequence and once the collected leads possess the strength of being sustainable sources of evidence, the activity should be shifting towards an investigative approach (evidence-based) in connection with the judiciary with the further aim of arresting the suspect.
One specific consideration is to be mentioned with regard to the penetration scheme planned and executed by the opposing entity, which might be applied to the case in discussion: by doctrine, a penetration is an enemy asset – already spotted, selected and recruited – that is injected inside the target-organization way ahead of his effective activation. This is the essence of the insider threat given that the asset enters the and thrive within the target system, with the goal of disrupting the internal organizational consistency with the effect of sowing distrust amongst its members. The case of the PoI showcases that the active duty period, despite limited, was used even just retrospectively by IS with the goal of better exploiting the proxy in light of his knowledge and understanding of the internal dynamics of the would-be objective: a back-to-the-future kind of penetration resource.
The target
Regardless of the modalities adopted by the PoI (or the delegating terrorism structure), what is relevant is the selection of the objective of the violent action. The US military has always been a target of opportunity due to the iconic value and the possible disruptive effects of an attack, be it against the human capital, the equipment or the infrastructure.
Even though incidents of this type are rare, the effects against the defense enterprise are quite serious.
Historical kinetic[2] significant activities against this category of targets are just two:
- the 2009 Fort Hood attack, executed by the al-Qaida in the Arabian Peninsula (AQAP)-affiliated US Army Major Nidal Hasan, who fatally shot 13 people, 1 civilian and 12 military personnel, and injured more than 32 others, all of them service members;
- the 2019 Naval Air Station Pensacola shooting, when Mohammed Saeed Alshamrani, an Air Force aviation student from Saudi Arabia, who was participating in a training program sponsored by the Department of Defense as part of a security cooperation agreement with the Kingdom, shot and killed 3 U.S. Navy sailors, and injured 8 others.
Nevertheless and referring to the case of the former Michigan Army National Guardsman, as commented by the Commanding General of Army Counterintelligence Command “the arrest of this former soldier is a sobering reminder of the importance of our counterintelligence efforts to identify and disrupt those who would seek to harm our nation … We urge all soldiers to remain vigilant and report any suspicious activity to their chain of command, as the safety and security of our Army and our nation depends on our collective efforts to prevent insider threats”.
[1] The details of the actor’s age and the period of active duty are quite interesting due to the fact that the minimum required period of service is 4 years. So an alternative explanation for the timeline is still to be grasped: perhaps he had already been spotted as an insider threat and then dismissed by the Army because of this finding.
[2] Despite more frequent in terms of events, no cyber or information attacks – other manifestations of the threat – are being considered in the present article.