Department of Homeland Security

(U//FOUO) Kansas Intelligence Fusion Center Bulletin: pH1N1 Emerging Infectious Disease

From November through December 2013, CDC has received a number of reports of severe respiratory illness among young and middle-aged adults, many of whom were infected with influenza A (H1N1) pdm09 (pH1N1) virus. Multiple pH1N1-associated hospitalizations, including many requiring intensive care unit (ICU) admission, and some fatalities have been reported. The pH1N1 virus that emerged in 2009 caused more illness in children and young adults, compared to older adults, although severe illness was seen in all age groups. While it is not possible to predict which influenza viruses will predominate during the entire 2013- 14 influenza season, pH1N1 has been the predominant circulating virus so far. For the 2013-14 season, if pH1N1 virus continues to circulate widely, illness that disproportionately affects young and middle-aged adults may occur.

(U//FOUO) DHS Bulletin: Self-identified Anarchist Extremists Target Urban Gentrification Sites with Arson

This Note analyzes the recent use of arson by anarchist extremists targeting urban development sites they describe as negatively impacting lower income residents through “gentrification.” This information is provided to enable federal, state, local, tribal, and territorial law enforcement; first responders; and private sector security officials to identify, preempt, prevent, or respond to intentional acts targeting urban development sites by anarchist extremist campaigns.

(U//FOUO) New Jersey Fusion Center: School Attacks and Plots Since Sandy Hook

In the year since Sandy Hook, there have been a combined total of 22 actual school attacks and disrupted plots nationwide with some of the attacks resulting in the deaths of students and school personnel. The New Jersey Regional Operations Intelligence Center (ROIC) has examined recent reporting on the Sandy Hook attack and the incidents over the last year and provides the following analysis to law enforcement, school resource officers (SROs), and administrators to assist in school security planning efforts.

City of Oakland Domain Awareness Center Emails

Hundreds of emails from the City of Oakland relating to the construction of the City/Port of Oakland Joint Domain Awareness Center. The files were scanned from printouts held in a series of folders by the City of Oakland and were obtained via a public records request made by members of Occupy Oakland. The emails were the source material for a recent story in the East Bay Express by Darwin BondGraham stating that the City of Oakland had allowed the Domain Awareness Center’s prime contractor Science Applications International Corporation (SAIC) to perjure themselves by signing a disclosure form claiming that the company was in compliance with the city’s Nuclear Weapons Free Zone Ordinance which prohibits the city from doing business with contractors that are connected to the production or use of nuclear weapons. According to the article, SAIC has had a number of contracts relating to nuclear weapons for more than a decade, including a May 2013 U.S. Navy contact for “engineering services, testing, and integration for nuclear command control and communication (NC3) messaging systems.”

(U//FOUO) New Jersey Fusion Center Active Shooter Awareness for the 2013 Holiday Season

One of the most serious threats facing New Jersey and the entire U.S. Homeland continues to be that of the active shooter, regardless of motivation, who by the very nature of their associated tactics, techniques, and procedures, pose a serious challenge to security personnel based on their ability to operate independently, making them extremely difficult to detect and disrupt before conducting an attack.

(U//FOUO) New Jersey Fusion Center Mass Shootings Commonalities December 2012-October 2013

The New Jersey Regional Operations Intelligence Center (NJ ROIC) provides the following updated analysis of mass shootings in the last year (December 2012 to October 2013) in order to provide law enforcement personnel, security managers and emergency personnel with identified commonalities and trends, as well as indicators of potential violence.

DHS National Incident Management System: Intelligence/Investigations Function Guidance and Field Operations Guide

This document includes guidance on how various disciplines can use and integrate the I/I Function while adhering to NIMS concepts and principles. It includes information intended for the NIMS practitioner (including the Incident Commander/Unified Command [IC/UC]) that assists in the placement of the I/I Function within the command structure; provides guidance that may be used while implementing the I/I Function; and has an accompanying Intelligence/ Investigations Function Field Operations Guide (I/I FFOG). While this document provides an example of the I/I Function at the Section level, the IC/UC has the final determination of the scope and placement of the I/I Function within the command structure. The guidance provided in this document is applicable for both domestic incidents that use conventional unclassified information (e.g., open source information, criminal histories, medical records, or educational records) and terrorism incidents where information is often classified and requires the use of national intelligence capabilities.

(U//FOUO) DHS National Cybersecurity and Communications Integration Center (NCCIC) Capabilities Guide

The National Cybersecurity and Communications Integration Center (NCCIC) Resource and Capabilities Guide is intended to enhance cross-sector cyber security efforts and collaboration by better informing our cybersecurity and communications partners of the NCCIC’s tools, assets, and collaboration mechanisms offered. This guide also identifies the Center’s resources and capabilities as well as describes the processes for accessing NCCIC information portals and products, incident reporting systems, and relevant point of contact information for our community of partners.

DHS National Cybersecurity and Communications Integration Center Bulletin: Destructive Malware

As related to malware which may exhibit a potentially destructive capability, organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. In addition, the response required for such an event can be extremely resource intensive.

DHS National Cybersecurity and Communications Integration Center Bulletin: Cryptolocker Ransomware

The following product is a coordinated effort between NCCIC, U.S. Secret Service and The Cyber Intelligence Network (CIN), provided to assist in prevention, detection and mitigation of a new ransomeware campaign. Ransomware is malware that restricts access to infected computers and requires victims to pay a ransom in order to regain full access. Cryptolocker is particularly interesting in that it functions by encrypting victims computer files with a combination of RSA-2048 and AES-256 encryption. Once encrypted, victims are provided a window of time in which they can pay the actors to receive the key needed to decrypt their files.

Oakland Domain Awareness Center Purchasing Invoices March-July 2013

Scans of all invoices related to the City of Oakland’s contract with Science Applications International Corporation for the construction of the City/Port of Oakland Joint Domain Awareness Center. The documents were collected in a binder held by the City of Oakland and obtained via a public records request made by members of Occupy Oakland. The invoices are organized by month and range in date from March to July 2013.

(U//FOUO) Central Florida Intelligence Exchange Bulletin: Smoking Alcohol

This Brief was produced to alert emergency medical responders and healthcare providers to the dangerous levels of toxicity that can be presented by patients who have smoked alcohol. Although this practice is dangerous, it is not illegal. It is being practiced by young adults all over the country and causing serious medical emergencies and deaths as a result. Because this is a returning trend, unfamiliar to health care providers, there is no statistical data available concerning hospitalizations and deaths. The below information was assembled from open source research and can be duplicated and shared for the purposes of awareness and education.

(U//FOUO) DHS-FBI Bulletin: Compromises of Official Social Media Accounts Spread Disinformation

Malicious cyber actors have used compromised social media accounts to spread disinformation about alleged emergencies and attacks, most prominently through Twitter. Because it is difficult to determine the authenticity of a tweet, we anticipate malicious cyber actors will continue to seek to exploit Twitter and other social media platforms used by news organizations and public safety agencies to propagate disinformation.

(U//FOUO) Los Angeles Fusion Center: School Shootings Five-Year Analysis 2008-2013

From January 2008 to August 2013, 85 school shootings took place across the United States involving 97 attackers. Incidents analyzed met the definition of targeted school violence, including gang‐related shootings. “Targeted violence” is any incident of violence where an attacker selects a particular target prior to the violent attack. The number of incidents peaked at 29 in 2009 and have decreased to an average of 14 per year; two incidents have occurred this year to date.

(U//FOUO) DHS-FBI Suspicious Activity Reporting (SAR) Bulletin: Weapons Discovery

Possession of large amounts of weapons, ammunition, explosives, accelerants, or explosive precursor chemicals could indicate pre-operational terrorist attack planning or criminal activity. For example, in preparation for conducting the July 2011 attacks in Norway, Anders Behring Breivik stockpiled approximately 12,000 pounds of precursors, weapons, and armor and hid them underground in remote, wooded locations.

Nationwide Suspicious Activity Reporting (SAR) Initiative Annual Report 2012

Over the past year, the NSI PMO has continued its implementation efforts and outreach to NSI stakeholders to help ensure that law enforcement and homeland security partners are afforded another tool to help identify and prevent terrorism and other related criminal activity. The ongoing collaboration among DOJ, DHS, the FBI, SLTT partners, and the National Network of Fusion Centers has strengthened, allowing the NSI to expand its nationwide information sharing capability. As of March 2013, 73 fusion centers have met the requirements outlined by the NSI PMO to be fully NSI-Operational—an increase of 5 centers from the same time last year—and all 78 fusion centers now maintain the capability to contribute and share suspicious activity reports through the Shared Space or eGuardian. This expansion of the NSI has allowed the Federated Search Tool to be accessed by more trained users—increasing the number of searches to more than 76,400—and more than 25,900 Information Sharing Environment (ISE)-SARs had been submitted and shared by the end of March 2013. Further, with the support of the National Network of Fusion Centers, 46 states and the District of Columbia are participating in statewide implementation of the NSI; implementation efforts are currently under way in Guam, Puerto Rico, and the U.S. Virgin Islands to ensure a strengthened nationwide capacity for sharing ISE-SAR information.

(U//FOUO) DHS-FBI Joint Intelligence Bulletin: Nairobi Mall Attack and Al-Shabaab Threat

This Joint Intelligence Bulletin (JIB) provides information on the 21 September 2013 attack in Nairobi, Kenya likely conducted by al-Shabaab—an al-Qai‘da linked militant group based in Somalia. This JIB examines the ongoing incident and provides background on the threat from al-Shabaab. This JIB also highlights protective measures that can assist in mitigating threats in the United States using similar tactics and is provided to support the activities of FBI and DHS and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, as well as first responders and private sector security officials to deter, prevent, preempt, or respond to terrorist attacks in the United States or overseas targeting US interests.

(U//FOUO) Massachusetts Fusion Center School Shootings Analysis 1992-2012

The Commonwealth Critical Infrastructure Program (CCIP) analyzed school shooting incidents from 1992-2012 to identify patterns in attacker backgrounds or tactics which could assist officials. Observations are presented in summary format to allow officials to draw their own conclusions. Mitigation steps included in this document are presented to facilitate discussion and are not comprehensive or prescriptive.

(U//FOUO) DHS-FBI Suspicious Activity Reporting Bulletin: Sabotage/Tampering/Vandalism

Terrorists may engage in sabotage, tampering, or vandalism as part of an attack or to gain access to restricted areas, steal materials, or provoke and observe security responses. For example, the 1Oth edition of al-Qa’ida in the Arabian Peninsula’s Inspire magazine suggests torching parked vehicles and causing automobile accidents by using lubricating oil or nails driven through wooden boards as simple tactics to cause both casualties and economic damage.