Department of Homeland Security

(U//FOUO) DHS Report: Ransomware Goals of Malicious Actors and Current System Vulnerabilities

OCIA assesses that if specific industrial control systems (ICS) were successfully infected with ransomware, it could affect the ability of certain sectors to provide real-time management and control of large networks of geographically scattered equipment. Although security researchers have demonstrated the possibility of ransomware targeting control systems, OCIA assesses that such an attack is highly unlikely given the higher success rate against consumer and business systems, the likelihood that business and process control networks are segmented, and the ability for operators to take a control system out of service and employ manual overrides.

(U//FOUO) DHS Report: Potential Impacts of WannaCry Ransomware on Critical Infrastructure

On May 12, 2017, organizations across the world reported ransomware infections impacting their computer systems. The infections, caused by a ransomware strain referred to as WannaCry, restricts users’ access to a computer and demands a ransom to unlock it. The U.S. Department of Justice defines ransomware as, a type of malicious software cyber actors use to deny access to systems or data until the ransom is paid. After the initial infection, ransomware attempts to spread through systems and networks.

(U//FOUO) Los Angeles Joint Regional Intelligence Center: Vehicle Ramming Attacks Increasing

Use of vehicles by violent extremists for ramming attacks has increased steadily, while use of vehicle-borne improvised explosive devices (VBIEDs) remains rare outside the Middle East. Given the ease with which ramming attacks can be accomplished, it is likely use of this tactic will continue to rise. Unlike VBIEDs, ramming attacks require little specialized training or skill, present minimal risk of detection when acquiring the weapon, and offer flexibility with regard to preparation, timing, and target. Foreign terrorist organizations (FTOs) have pointedly encouraged use of vehicle ramming attacks, offering explicit tactical advice on vehicle selection, driving tips to maximize fatalities, and targeting suggestions that include parades, festivals, street fairs, outdoor markets or conventions, political rallies, and other crowded targets of opportunity.

(U//FOUO) TSA Report: Vehicle Ramming Attacks Threat Landscape, Indicators, Countermeasures

Vehicle-ramming attacks are considered unsophisticated, in that a perpetrator could carry out such an attack with minimal planning and training. It is likely that terrorist groups will continue to encourage aspiring attackers to employ unsophisticated tactics such as vehicle-ramming, since these types of attacks minimize the potential for premature detection and could inflict mass fatalities if successful. Furthermore, events that draw large groups of people—and thus present an attractive vehicle ramming target—are usually scheduled and announced in advance, which greatly facilitates attack planning and training activities.

DHS Guide: Risks to Critical Infrastructure Using Cloud Services

Cloud services offer a number of benefits such as scalability, high availability, and decreased ownership cost. As a result, owners and operators in several critical infrastructure sectors such as Communications, Energy, Financial Services, Information Technology, and Transportation Services have migrated in-house computing resources to cloud infrastructures. However, cloud service environments still possess many of the same potential vulnerabilities associated with internally hosted environments, as well as additional exploits to virtual systems or networks. Owners and operators of critical infrastructure need to fully understand the risk environment as they address current cloud services and consider additional migration.

(U//FOUO) DHS Critical Infrastructure Note: Healthcare and Public Health Sector Cyberdependencies

The Department of Homeland Security (DHS) assesses that given the high value of patient information and proprietary data on the black market, the Healthcare and Public Health Sector will continue to be one of the primary targets for malicious cyber actors. Stolen health data sells on the black market for more than 10 to 20 times the price of stolen credit card data. DHS assesses that growth in the medical device market over the next 4 years will result in more devices connected to the Internet, and an increase in the number of cyber-related incidents that target those devices. This is partly because manufacturers do not place enough emphasis on the security of medical devices.

Regional Organized Crime Information Center Research Report: War on Cops

It seemed as if war had been declared on cops. First a sniper in Dallas and then an active shooter in Baton Rouge. “It has been a tough week physically and emotionally,” said Senior Corporal Trevor Perez, one of a couple dozen Dallas police officers and honor guard members to make the seven-hour trip to Baton Rouge to attend the funerals of Baton Rouge police officers, in this case that of Matthew Gerald. All the more tough because the corporal and his colleagues had just recently paid their respects at nearly a dozen similar funerals back in Texas.

(U//FOUO) DHS Intelligence Note: Unknown Cyber Actors Target US Water and Sewage Authority Network

An unidentified actor or actors between November 2016 and January 2017 targeted a US water and sewage authority’s network, resulting in excessive cellular charges and unusual traffic on ports 10000 and 9600, according to an FBI source with excellent access who spoke in confidence but whose reliability cannot be determined. The FBI source indicated that four of the seven devices on the authority’s cellular data plan were impacted with high data usage, which was likely a result of compromised network devices. The November 2016–December 2016 billing cycle totaled $45,000, and the December 2016–January 2017 billing cycle totaled $53,000.

(U//FOUO) DHS-FBI-USSS Joint Threat Assessment 2017 Presidential Address to a Joint Session of Congress

This Joint Threat Assessment (JTA) addresses threats to the 2017 Presidential Address to a Joint Session of Congress (the Presidential Address) at the US Capitol Building in Washington, DC, on 28 February 2017. This assessment does not consider nonviolent civil disobedience tactics (for example, protests without a permit) that are outside the scope of federal law enforcement jurisdiction; however, civil disobedience tactics designed to cause a hazard to public safety and/or law enforcement fall within the scope of this assessment.

(U//FOUO) DHS-FBI-NCTC Bulletin: Terrorists Call for Attacks on Hospitals, Healthcare Facilities

Recent calls over the past year for attacks on hospitals in the West by media outlets sympathetic to the Islamic State of Iraq and ash-Sham (ISIS) highlight terrorists’ perception of hospitals as viable targets for attack. Targeting hospitals and healthcare facilities is consistent with ISIS’s tactics in Iraq and Syria, its previous calls for attacks on hospitals in the West, and the group’s calls for attacks in the West using “all available means.” While we have not seen any specific, credible threat against hospitals and healthcare facilities in the United States, we remain concerned that calls for such attacks may resonate with some violent extremists and lone offenders in the Homeland because of their likely perceived vulnerabilities and value as targets.

(U//FOUO) DHS-FBI Intelligence Assessment: Baseline Comparison of US and Foreign Anarchist Extremist Movements

This joint DHS and FBI Assessment examines the possible reasons why anarchist extremist attacks in certain countries abroad and in the United States differ in the frequency of incidents and degree of lethality employed in order to determine ways US anarchist extremists actions might become more lethal in the future. This Assessment is intended to establish a baseline comparison of the US and foreign anarchist extremist movements and create new lines of research; follow-on assessments will update the findings identified in the paper, to include the breadth of data after the end of the reporting period (as warranted by new information), and identify new areas for DHS and FBI collaboration on the topic. This Assessment is also produced in anticipation of a heightened threat of anarchist extremist violence in 2016 related to the upcoming Democratic and Republican National Conventions—events historically associated with violence from the movement.

(U//FOUO) DHS Intelligence Note: Germany Christmas Market Attack Underscores Threat to Mass Gatherings and Open-Access Venues

A 25-ton commercial truck transporting steel beams from Poland to Germany plowed into crowds at a Christmas market in Berlin at about 2000 local time on 19 December, killing at least 12 people and injuring 48 others, several critically, according to media reporting citing public security officials involved in the investigation. The truck was reportedly traveling at approximately 40 miles per hour when it rammed the Christmas market stands. Police estimate the vehicle traveled 80 yards into the Christmas market before coming to a halt.

DHS-FBI Joint Analysis Report on GRIZZLY STEPPE Russian Malicious Cyber Activity

This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.

(U//FOUO) DHS, Fusion Centers Reference Aid: Malicious Terrorism Hoaxes Likely to Endure, Strain State and Local First Responder Resources

This Reference Aid is intended to provide information on malicious terrorism hoaxes that will continue to challenge first responder resources throughout the Homeland and territories. This Reference Aid is provided by I&A, DIAC, NCRIC, NVRIC, and NJ-ROIC to support their respective activities, to provide situational awareness, and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and first responders with recognizing the indicators and implications of malicious terrorism hoaxes. The use of hoax calls may also be used as a technique to lure authorities to a particular location for the purpose of conducting a potential attack, but is not discussed in this article, as luring is viewed as its own distinct tactic.

(U//FOUO) DHS Assessment: Cyber Threats and Vulnerabilities to US Election Infrastructure

DHS has no indication that adversaries or criminals are planning cyber operations against US election infrastructure that would change the outcome of the coming US election. Multiple checks and redundancies in US election infrastructure—including diversity of systems, non-Internet connected voting machines, pre-election testing, and processes for media, campaign, and election officials to check, audit, and validate results—make it likely that cyber manipulation of US election systems intended to change the outcome of a national election would be detected.

DHS US-CERT Understanding Distributed-Denial-of-Service Attacks

One of the most significant cyber threats to businesses, local and federal government agencies is the Distributed-Denial-of-Service attack (DDoS). A Distributed Denial of Service attack (DDoS) occurs when an attacker commands a number of computers to send numerous requests to a target computer. The overwhelming flood of requests to the website or computer network can cause it to shut down or fail to handle the requests of legitimate users, much like a rush hour traffic jam on the freeway. This type of attack can completely disrupt an organization’s operations until the network is able to be restored. Understanding the basic concept and methods of a DDoS attack can help operators of both large and small networks mitigate the severity of the attack.

DHS San Francisco Earthquake Study Hayward Fault Magnitude 7.0 Scenario

The results of this analysis show a strong earthquake will likely cause significant damage to critical infrastructure in the area affecting 547 dams or water control structures, render approximately 300 roadway segments unusable, and cause damage to 172 water and wastewater treatment systems. The scenario earthquake will likely cause damage to 154 dams in the area. Seven of the dams will likely experience Extensive or Complete damage. The Ward Creek Dam, which is used for flood control, is likely to incur Complete damage. Extensive damage to the James H. Turner Dam poses the greatest risk to downstream population. The earthquake will cause damages to many road segments, bridges, and tunnels in the area. As a result, travel times on these roadways and others will increase significantly. Multiple areas on freeways such as I–680, I–880, and I–580 will have the highest above normal traffic volumes. Several bridges on these freeways will also likely incur Extensive damage. Tunnels in the area will likely have less damage with bores in the Caldecott Tunnel on State Route 24 experiencing only Moderate damage.

(U//FOUO) DHS-FBI-NCTC Bulletin: Homegrown Violent Extremists Focusing More on Civilian Targets

This Joint Intelligence Bulletin (JIB) is intended to provide new insight into the targeting preferences of some homegrown violent extremists (HVEs) and to examine detection challenges and opportunities. This JIB is provided by FBI, DHS, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks within the United States.

Joint Staff Strategic Assessment: Counter-Da’esh Influence Operations Cognitive Space Narrative Simulation Insights

When planning to deal with any adversary or potential adversaries, it is essential to understand who they are, how they function, their strengths and vulnerabilities, and why they oppose us. Events over the course of the last year and a half highlight the importance of those factors as they relate to the Islamic State of Iraq and the Levant (ISIL or Da’esh). One of Da’esh’s obvious strengths is its ability to propagate tailored messages that resonate with its audiences. If the US Government and our allies are to counter Da’esh effectively, we must attack this center of gravity.

(U//FOUO) DHS Field Analysis Report: Growing Trend of Ransomware Attacks Targeting Hospitals

The healthcare sector has been a desirable target for hackers due to the sensitive nature of patient information contained in their systems. The stakes are very high in the healthcare industry because any disruption in operations and care can have significant repercussions for patients. As such, this industry offers an ideal victim for ransomware, and these attacks are likely to continue—disrupting employee access to important documents and patient data and hampering the ability to provide critical services—creating a public safety concern.