Documents

FBI Cyber Division Bulletin: KeySweeper Wireless Keystroke Logger Disguised as USB Device Charger

FBI-KeySweeper

KeySweeper is a covert device that resembles a functional Universal Serial Bus (USB) enabled device charger which conceals hardware capable of harvesting keystrokes from certain wireless keyboards. If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.
Technical Details

DoD-NORTHCOM Defense Support of Civil Authorities Republican National Convention 2016 Presentation

DoD-OhioRNC16

On order and in response to natural/manmade incidents, the Defense Coordinating Officer / Defense Coordinating Element (DCO/DCE) anticipates and conducts Defense Support of Civil Authorities (DSCA) operations coordinating Title 10 forces and resources in support of the Federal Primary Agency (PA) in order to minimize impacts to the American people, infrastructure and environment.

EU Communication: Restoring Trust in Transatlantic Data Flows

EU-TransatlanticDataFlows

In June 2013, reports concerning large-scale intelligence collection programmes in the U.S. raised serious concerns at both EU and Member State level about the impact on the fundamental rights of Europeans of large-scale processing of personal data by both public authorities and private companies in the United States. In response, on 27 November 2013 the Commission issued a Communication on Rebuilding Trust in EU-U.S. Data Flows setting out an action plan to restore trust in data transfers for the benefit of the digital economy, the protection of European individuals’ rights, and the broader transatlantic relationship.

U.S. Special Operations Command White Paper: The Gray Zone

USSOCOM-GrayZones

Gray zone security challenges, existing short of a formal state of war, present novel complications for U.S. policy and interests in the 21st century. We have well-developed vocabularies, doctrines and mental models to describe war and peace, but the numerous gray zone challenges in between defy easy categorization. For purposes of this paper, gray zone challenges are defined as competitive interactions among and within state and non-state actors that fall between the traditional war and peace duality. They are characterized by ambiguity about the nature of the conflict, opacity of the parties involved, or uncertainty about the relevant policy and legal frameworks.

Joint Staff Strategic Assessment: Maneuver and Engagement in the Narrative Space

SMA-NarrativeSpace

This paper was produced in support of the Strategic Multi-layer Assessment (SMA) of the Islamic State of Iraq and the Levant (ISIL) led by Joint Staff J39 in support of the Special Operations Command Central (SOCCENT). The paper leverages and melds the latest thinking of academic and operational subject matter experts in fields of organizational and social dynamics, network analysis, psychology, information operations and narrative development, social media analysis, and doctrine development related to aspects of maneuver and engagement in the narrative space.

DHS Infrastructure Report: Nuclear Reactors, Materials, and Waste Sector Cyberdependencies

OCIA-NuclearCyberdependency

The Department of Homeland Security Office of Cyber and Infrastructure Analysis (DHS OCIA) produces cyberdependency papers to address emerging risks to critical infrastructure and provide increased awareness of the threats, vulnerabilities, and consequences of those risks to the Homeland. This note informs infrastructure and cybersecurity analysts about the potential consequences of cyber-related incidents in the Nuclear Reactors, Materials, and Waste Sector and its resilience to such incidents. This note also clarifies how computer systems support infrastructure operations, how cybersecurity incidents compromise these operations, and the likely functional outcome of a compromise.

(U//FOUO) New Jersey Fusion Center: Potential Concerns for Transportation Security

NJROIC-TransportationSecurity

The NJ ROIC currently has no specific indication of any credible specific threats to transportation facilities. However, with the rise in “self-radicalized” actor(s), and homegrown violent extremists (HVEs) influenced by ISIL and other terror groups, targeted violent attacks to any of these sectors could occur with little or no notice by an individual(s) who has not yet garnered law enforcement attention. This advisory highlights recent transportation concerns in the wake of the recent attacks in Belgium.

FBI Flash Alerts on MSIL/Samas.A Ransomware and Indicators of Compromise

FBI-SamasRansomware

The FBI previously identified that the actor(s) exploit Java-based Web servers to gain persistent access to a victim network and infect Windows-based hosts. The FBI also indicated that several victims have reported the initial intrusion occurred via JBOSS applications. Further analysis of victim machines indicates that, in at least two cases, the attackers used a Python tool, known as JexBoss, to probe and exploit target systems. Analysis of the JexBoss Exploit Kit identified the specific JBoss services targeted and vulnerabilities exploited. The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future.

U.S. Central Command Report on Medecins Sans Frontieres Kunduz Trauma Centre Airstrike

CENTCOM-KunduzHospitalAttack

On Oct. 3, 2015, members of U.S. Forces-Afghanistan (USFOR-A) supporting a partnered Afghan force, conducted a combat operation that struck Trauma Center in Kunduz operated by Médecins Sans Frontières (MSF), also known as “Doctors without Borders.” U.S. Army Gen. John Campbell, then the Commander of USFOR-A, directed an investigation to determine the cause of this incident. The lead investigating officer was Army Maj. Gen. William Hickman. He was assisted by Air Force Brig. Gen. Robert Armfield and Army Brig. Gen Sean Jenkins. All three generals were brought in from outside Afghanistan in order to provide an objective perspective. The investigation team included over a dozen subject matter experts from several specialty fields.

U.S. Army TRADOC Report: Syria Threat Tactics

USArmy-SyriaThreats

Syria and its ongoing civil war represent an operational environment (OE) that includes many of the characteristics illustrative of the complexities of modern warfare. Now in its fourth year, the civil war in Syria has lured a variety of threat actors from the Middle East and beyond. What began as a protest for improved opportunities and human rights has devolved into a full-scale civil war. As the Syrian military and security forces fought to subdue the civil unrest across the country, these protest groups responded with increasing violence aided by internal and external forces with a long history of terrorist activity. Ill-suited for the scale of combat that was unfolding across the country, Syrian forces turned to their allies for help, including Hezbollah and Iran. The inclusion of these forces has in many ways transformed the military of President Bashar al Assad from a conventional defensive force to a counterinsurgency force.

U.S. Army TRADOC Report: The Battle for Sinjar, Iraq

USArmy-BattleforSinjar

This Tactical Action Report (TAR) provides information on the capture and subsequent recapture of Sinjar, a town at the foot of the Sinjar Mountains. The Nineveh Offensive, of which Sinjar was a key target, led to the capture of a large part of northern Iraq and included the occupation of Mosul. ISIL pushed Peshmerga forces from the area and threatened Erbil, the government seat of the KRG in 2014. A growing humanitarian crisis developed as ISIL began purging villages in the Sinjar area of the minority group known as Yazidis. Thousands were killed, kidnapped, or forced to flee their homes. Many Yazidis retreated to the Sinjar Mountains where they were besieged by ISIL fighters. These circumstances led to President Barack Obama ordering air strikes to protect Erbil, where US military advisors were headquartered, and to relieve the displaced Yazidi civilians. Over a year later Peshmerga fighters, with the help of other Kurdish factions, pushed ISIL forces out of Sinjar and other surrounding areas and severed a key supply route connecting ISIL-held Raqqa, Syria, with Mosul, Iraq.

(U//FOUO) DHS-FBI-NCTC Bulletin: Tactics, Techniques, and Procedures Used in March 2016 Brussels Attacks

DHS-FBI-NCTC-BrusselsAttacks

This Joint Intelligence Bulletin (JIB) is intended to provide a review of the tactics, techniques, and procedures demonstrated by the perpetrators of the 22 March 2016 attacks in Brussels, Belgium. The analysis in this JIB is based on statements by European government and law enforcement officials cited in media reporting and is subject to change with the release of official details from post-incident investigations. This JIB is provided by DHS, FBI, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, first responders and private sector partners in deterring, preventing, preempting, or disrupting terrorist attacks against the United States.

FBI Cyber Bulletin: Smart Farming May Increase Cyber Targeting Against US Food and Agriculture Sector

FBI-SmartFarmHacking

The FBI and the US Department of Agriculture (USDA) assess the Food and Agriculture (FA) Sector is increasingly vulnerable to cyber attacks as farmers become more reliant on digitized data. While precision agriculture technology (a.k.a. smart farming)a reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers and cloud service providers, develop adequate cybersecurity and breach response plans.

(U//FOUO) MS-ISAC Intel Paper: Common Cyber Threats to Universities

MS-ISAC-UniversityCyberThreats

The Multi-­State Information Sharing and Analysis Center (MS-­ISAC) assesses with high confidence that cyber threat actors routinely target universities, for the purposes of financial gain, notoriety, or entertainment, and often to gain access to personally identifiable information (PII) and/or sensitive research. MS-­ISAC believes universities are inherently more vulnerable to cyber targeting than other state, local, tribal, and territorial (SLTT) government entities, due to the non-­restrictive research environment with less compartmentalization and less access restriction, which results in more opportunity for infection, and when infection occurs, easier transmission through a network.

U.S. Army North Commander Testimony: The Role of the Army in the Homeland

ARNORTH-ArmyRoleHomeland

Our history is replete with examples where both Guard and Active forces were employed to respond to our Nation’s disasters. In the recent era, the defining disaster was Hurricane Katrina, a Category 3 hurricane that forced the breach of levies and the subsequent massive flooding of New Orleans. It rapidly overwhelmed the capabilities of Louisiana that saw the C, NGB send upwards of 50,000 Guardsmen from other States and the President send in the 82nd Airborne Division. There have been other similar incidents in our lifetime: Hurricane Andrew (1992) where President Bush sent 2,000 to 5,000 Troops from Ft Bragg, Hurricane Hugo (1989) where over 3,000 Service members were sent in support, and the 1988 Yellowstone Fires where approximately 1,000 active duty Soldiers and Marines provided direct fire line support as part of JTF Yellowstone. These show that there are those potential catastrophic disasters (New Madrid Seismic Zone, Cascadia Subduction Zone, Cyber Attack, or even an Improvised Nuclear Detonation) that can hit the United States where the President will not hesitate to call upon Federal Forces.

(U//FOUO) DHS Intelligence Assessment: Damaging Cyber Attacks Possible but Not Likely Against the US Energy Sector

DHS-CyberAttacksEnergySector

This Assessment establishes a baseline analysis of cyber threats to the US energy sector based on comprehensive FY 2014 incident reporting data compiled by ICS-CERT, as well as reporting by the Intelligence Community (IC), private sector cybersecurity industry, and open source media between early 2011 and January 2016. This Assessment is designed to help close gaps between the private sector’s and the IC’s understanding of current cyber threats facing the US energy sector. Critical infrastructure owners and operators can use this analysis to better understand cyber threats facing the US energy sector and help focus defensive strategies and operations to mitigate these threats. The Assessment does not include an in-depth analysis of foreign cyber doctrines or nation-state red lines for conducting cyber attacks against the United States. The information cutoff date for this Assessment is January 2016.

Boston Fusion Center Bulletin: Terror Attacks on Entertainment Venues

BRIC-EntertainmentVenueAttacks

Several recent incidents underline the possibility that soft targets, including entertainment venues such as bars and restaurants, are increasingly chosen over hard targets that may hold more significance to the victims and the attacking person or group. Using analysis of recent events and data from the START Global Terrorism Database, the BRIC completed the following study to raise awareness regarding the targeting of entertainment venues by violent extremist groups.

FBI Cyber Bulletin: Global Extremists Conducting Cyber Activity in Support of ISIL

FBI-CyberAttackISIL

Over the past 18-24 months, an unknown number of online extremists have conducted “hacktivist” cyber operations – primarily Web site defacements, denial-of-service attacks, and release of personally identifiable information (PII) in an effort to spread pro-Islamic State of Iraq and the Levant (ISIL) propaganda and to incite violence against the United States and the West. Recent open source reporting from the Daily Mail India, indicates ISIL is recruiting Indian hackers and offering upwards of $10,000 USD per job to hack government Web sites, steal data, and to build social media databases for recruiting purposes. Indian officials believe as many as 30,000 hackers in India may have been contacted. The FBI cannot confirm the validity of the media reports, and beyond this single article on Indian hackers and ISIL, does not have information indicating any such relationship exists to date. The FBI assesses this activity is most likely independent of ISIL’s leaders located in Syria and Iraq.

Europol Cooperation with Non-Law Enforcement Partners in Combating Cybercrime

EUROPOL-CybercrimeCooperation

The prevention, investigation and prosecution of cybercrime calls for a close cooperation between partners from various sectors. The European Cybercrime Centre (EC3) at Europol has gained practical experience in such forms of multi-disciplinary cooperation and aims to share some of this experience through this note as input for discussions at the Conference on Jurisdictions in Cyberspace on 7-8 March 2016, organised by the Dutch Presidency of the Council of European Union.