Public Intelligence

Terrorists and violent extremists have used—or considered using—diversionary tactics in terrorist attacks overseas. Diversionary tactics are often used to draw security forces and first responders away from the intended primary target of the attack and may be used as part of a complex or multi-pronged attack. Diverting first responders to a location other than the primary target of an attack delays the response and the provision of medical care to victims, and depletes first responder resources.

Terrorists and violent extremists could use unsuspecting civilians to transport improvised explosive devices (IEDs) artfully concealed in seemingly harmless items for use in attacks in the Homeland. Overseas attacks demonstrate that violent extremists have successfully used unsuspecting individuals to carry items containing IEDs to specific targets where the devices are then detonated remotely. This tactic enables terrorists and violent extremists to place IEDs in secure areas, among large gatherings of people, or at high profile events and detonate them from a standoff distance.

Multiple groups, and individual hacker handles have claimed their intent to attack U.S. websites as part of OpUSA. As seen in many hacktivist operations (Ops), willing participants have posted free tools to assist other like minded individuals in their attack efforts. Often, more coordinated attacks will name a specific tool, target, day and time for the attack. That has not been the case for OpUSA thus far. Individual hacker groups seem to be conducting attacks independently, each claiming responsibility for individual defacements and data breaches that have supposedly recently taken place. Below you will find some of the tools being posted in conversations about OpUSA and links to US-CERT sites which provide background on the vulnerabilities exploited by these tools as well as mitigation advice for computer network defense actions.

Websites and emails referencing the Boston Marathon bombing should be viewed with caution, as malicious actors are using the incident to disseminate malware and conduct fraud. While other agencies investigate the frauds, the NJ ROIC provides this information for situational awareness.

An “Active Shooter” is an individual actively engaging in killing or attempting to kill people in a confined and populated area; in most cases, active shooters use firearm(s) and there is no pattern or method to their selection of victims. Active Shooter situations are unpredictable and evolve quickly. Typically, the immediate deployment of Law Enforcement is required to stop the shooting and mitigate harm to victims. Because Active Shooter incidents are often over within 5-15 minutes, before Law Enforcement arrives on the scene, individuals must be prepared both mentally and physically to deal with an active shooter situation.

Approximately fifty million students attend nearly 100,000 public elementary and secondary schools throughout the Nation. Elementary and secondary schools are relatively open-access, limited egress congregation points for children, and have been successfully targeted by terrorists in the past.

Various cyber actors have engaged in malicious activity against Government and Private Sector entities. The apparent objective of this activity has been the theft of intellectual property, trade secrets, and other sensitive business information. To this end, the malicious actors have employed a variety of techniques in order to infiltrate targeted organizations, establish a foothold, move laterally through the targets’ networks, and exfiltrate confidential or proprietary data. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation and other partners, has created this Joint Indicator Bulletin, containing cyber indicators related to this activity. Organizations are advised to examine current and historical security logs for evidence of malicious activity related to the indicators in this bulletin and deploy additional protections as appropriate.

This Joint Intelligence Bulletin provides law enforcement and private sector safety officials with protective measures in light of the recent explosions that took place at the 2013 Boston Marathon in Boston, Massachusetts. The information is provided to support the activities of DHS and FBI and to assist federal, state, local, tribal, and territorial government counterterrorism and first responder officials and the private sector to deter, prevent, preempt, or respond to terrorist attacks in the United States.

This Joint Intelligence Bulletin provides information on the devices used in the 15 April 2013 Boston Marathon explosions. The information is intended to provide aid in identifying devices and to support the activities of DHS and FBI and to assist federal, state, local, tribal, and territorial government counterterrorism and first responder officials and the private sector to deter, prevent, preempt, or respond to terrorist attacks in the United States.

This is an update of an RCR published on 1 July 2010. Rudimentary improvised explosive devices (IEDs) using pressure cookers to contain the initiator, switch, and explosive charge frequently have been used in Afghanistan, India, Nepal, and Pakistan. Pressure cookers are common in these countries, and their presence probably would not seem out of place or suspicious to passersby or authorities. Presence in an unusual location—or if noticed in a contanier such as a backpack—should be treated as suspicious.

Expressed or implied threats by an individual or a group communicating intent to commit acts of terrorism or violence or advocating violence against a person, population, or to damage or destroy a facility can be an indicator of pre-operational attack planning. For example, in 2010 a Virginia-based US person pled guilty to communicating threats after he posted a video to the Internet encouraging violent extremists to attack the creators of a television show, including highlighting their residence and urging online readers to “pay them a visit.” He also admitted to soliciting others to desensitize law enforcement by placing suspicious looking but innocent packages in public places, which could then be followed up by real explosives.

Stolen, cloned, or repurposed commercial or official vehicles—such as police cars, ambulances, and public utility service trucks—have been used in terrorist attacks. These vehicles could facilitate terrorist access to restricted and hardened targets as well as to emergency scenes. The use of these vehicles can provide individuals the ability to approach targets to conduct pre-operational surveillance or carry out primary attacks or secondary attacks against first responders.

A DHS presentation from March 11, 2013 regarding the implementation of Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” authored by the Cyber-Dependent Infrastructure Identification Working Group (CDIIWG).

The Homeland Security Geospatial Concept of Operations (GeoCONOPS) provides an understanding of the current landscape for the coordination of disaster response geospatial activities at the Federal level. The document serves the geospatial communities that support emergency management activities of the Federal government under Presidential Policy Directive 8 (PPD-8). This includes individual Emergency Support Functions (ESFs), the Joint Field Offices, FEMA Regional Coordination Centers (RRCC), and the National Response Coordination Center (NRCC). Stakeholders and actors representing the federal geospatial community have been extensively engaged in providing input for the development of the GeoCONOPS document. The GeoCONOPS serves as a guide to the Federal departments and agencies providing geospatial support under the Stafford Act which defines the programs and processes by which the Federal Government provides disaster and emergency assistance to state and local governments, tribal nations, eligible private nonprofit organizations, and individuals affected by a declared major disaster or emergency.

DHS/I&A is interested in the following SAR topics, which have been updated based on current issues of national interest. Previous topics remain relevant, and law enforcement, first responders, and other homeland security professionals should continue to submit reports on these issues. Per the SAR Functional Standard, only information validated as reasonably indicative of preoperational planning related to terrorism should be reported as a SAR. I&A is reviewing SAR reports on these topics but would welcome any additional context, ideas or local analysis on these topics and opportunities for joint production.

During recent weeks, various sources in law enforcement and media outlets have been reporting phone kidnapping scams occurring in Central and Northern New Jersey and New York. In most incidents, scammers have alleged that a member of the phone scam victim’s family had been involved in a car accident and claimed to have taken the victim’s family member hostage. The scammers then claim they will drop their hostage at a hospital after a certain amount of money (usually $1500‐2000) is wired via Western Union to the scammers, as restitution for damage to the scammer’s vehicle. In addition, the scammers state that they have the hostage’s cell phone and any attempts to call the cell phone or disengage from the conversation will result in the murder or beating of the hostage.

Terrorists are attempting to recruit new members in the United States and overseas to support their operations, obtain funding, and conduct terrorist attacks. For example, in May 2012, Maryland-based Mohammad Hassan Khalid pled guilty to attempting to use the Internet to recruit individuals who had the ability to travel to and around Europe to conduct terrorist acts, in addition to providing logistical and financial support to terrorists. In prior cases of recruitment, individuals who were willing to participate in terrorist acts became involved with known and suspected terrorists, participated in paramilitary training abroad, or tried to acquire small arms and build explosives.

This product analyzes major terror attacks on hotels and provides a strategic-level assessment of the groups, tactics, and frequency of global terror attacks against hotels from 2002 – 2011. Additionally, the product identifies the deadliest types of attacks, comparing casualty counts and attack methods. The product was derived from media reporting and unclassified, for official use only sources.

This report attempts to analyze the indicators and commonalities of recent school shootings in an effort to inform public safety officials and assist in the detection and prevention of potential school shooter plots or attacks. All incidents included in this assessment occurred in the United States while classes were in session. Domestic violence shootings and gang violence were not included in an effort to differentiate between “active shooter” incidents and other acts of violence. DHS defines an “active shooter” as an individual actively engaged in killing or attempting to kill people in a confined and populated area.

This report examines the 29 deadliest mass shootings in the past 13 years, starting with the shootings at Columbine High School in Colorado in 1999, to identify commonalities and trends. These 29 incidents include shooting incidents in which at least five people were killed.

Terrorists or cyber criminals might try to discover vulnerabilities in computer systems by engaging in unauthorized testing of cybersecurity in order to exploit those vulnerabilities during an attack. These attempts might include port scanning, phishing, and password cracking. “Social engineering,” another technique, leverages unwitting insider access by eliciting information about operational and security procedures from employees, personnel, and their associates.

The Central California Intelligence Center (CCIC)/Sacramento Regional Threat Assessment Center (RTAC) has prepared the following Situational Information Report on exploding targets, a commercially available binary explosive agent, to provide law enforcement and public safety officials with a better understanding of the potential public safety risks involving its use. While exploding targets are legally permissible depending on state and local regulations, the CCIC is concerned that the mixture may be more dangerous than what is stated on the manufacturer’s website especially if mishandled by individuals with novice experience in handling explosive components or when used in large quantities to detonate bigger targets and, in essence, creating an explosives or incendiary device.

This Joint Intelligence Bulletin (JIB) is intended to provide information on the recent active shooter incidents that have taken place in the Homeland. This information is provided to support the activities of DHS and FBI and to assist private sector security officials and federal, state, local, tribal, and territorial law enforcement in identifying protective and support measures relating to active shooters.

This Reference Aid was jointly produced by DHS and the FBI to assist in the acquisition of detailed information in the aftermath of a successful or attempted radiological terrorism incident that would be of interest to the national law enforcement and emergency response communities. It is intended to help state, local, tribal, and territorial agencies and private sector entities deter, prevent, preempt, or respond to terrorist attacks against the United States.

Law enforcement and first responders may encounter chemical, biological, or radiological (CBR) related material or equipment at private residences, businesses, or other sites not normally associated with such activities. There are legitimate reasons for possessing such material or equipment, but in some cases their presence can indicate intent or capability to build CBR weapons, particularly when other suspicious circumstances exist.