This Joint Analysis Report (JAR) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). This document provides technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, and private sector entities. The U.S. Government is referring to this malicious cyber activity by RIS as GRIZZLY STEPPE.
FBI Cyber Bulletin: APT Targeting U.S. Private Sector, Government Networks Using Presidential Election Lures
Likely Advanced Persistent Threat (APT) cyber actors have targeted US private sector and government networks since August 2016 with spear phishing campaigns, using newly identified exploits contained within lures related to foreign affairs and the recent US presidential election. The FBI analyzed malicious Microsoft Office documents, a zip archive, a first-stage downloader, a second-stage in-memory-only PNG wrapped malware, and a BAT-initiated PowerShell script associated with the campaigns. This FLASH provides rules and signatures to assist in network defense efforts.
FBI Cyber Bulletin: Denial of Service Attack Against DNS Host Highlights Vulnerability of Internet of Things Devices
This Joint Intelligence Bulletin (JIB) is intended to provide new insight into the targeting preferences of some homegrown violent extremists (HVEs) and to examine detection challenges and opportunities. This JIB is provided by FBI, DHS, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks within the United States.
FBI Interview Notes from Hillary Clinton E-Mail Investigation for Mishandling of Classified Information
The FBI received information of an additional IP address, 184.108.40.206, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 220.127.116.11 used in the aforementioned compromise.
The purpose of this LIR is to inform DSAC and other relevant private sector partners about new methods ATM skimming crews use to target standalone or kiosk-style ATM terminals such as those found at casinos, hotels, airports, shopping malls, gas stations, restaurants, and supermarkets. The skimming crews intercept customers’ account data through the ATMs’ external cables. The activity observed to date in the United States was discovered at convenience store locations in California, Delaware, and Pennsylvania. This LIR provides details on the methods used in these skimming attempts as well as previously reported use of internal wiretap skimming devices.
On July 10, 2015, the Federal Bureau of Investigation (FBI) initiated a full investigation based upon a referral received from the US Intelligence Community Inspector General (ICIG), submitted in accordance with Section 811 (c) of the Intelligence Authorization Act of 1995 and dated July 6, 2015, regarding the potential unauthorized transmission and storage of classified information on the personal e-mail server of former Secretary of State Hillary Clinton (Clinton). The FBI’s investigation focused on determining whether classified information was transmitted or stored on unclassified systems in violation of federal criminal statutes and whether classified information was compromised by unauthorized individuals, to include foreign governments or intelligence services, via cyber intrusion or other means.
Chinese Talent Programs are a vital part of Chinese industry. Talent programs recruit experts to fill technical jobs that drive innovation and growth in China’s economy. National, provincial, and municipal talent recruitment programs provide opportunities for experts to work in industry and academic organizations supporting key areas deemed critical to China’s development. The talent programs recruit experts globally from businesses, industry, and universities with multiple incentives to work in China. Associating with these talent programs is legal and breaks no laws; however, individuals who agree to the Chinese terms must understand what is and is not legal under US law when sharing information. A simple download of intellectual property (IP) or proprietary information has the potential to become criminal activity.
The FBI has obtained information regarding a malicious cyber group that has compromised the networks of foreign banks. The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system. In some instances, the actors have been present on victim networks for a significant period of time. Contact law enforcement immediately regarding any activity related to the indicators of compromise (IOCs) in the attached appendix that are associated with this group.
(U//FOUO) DHS-FBI Bulletin: Law Enforcement Vigilance and Caution Urged at Public and Political Events
This Joint Intelligence Bulletin (JIB) is intended to provide situational awareness concerning the domestic extremist threat to national public and political events. This JIB is provided by the FBI and DHS to support law enforcement in their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks against the United States.
The ‘Locky’ malware is a ransomware variant, which has extensively utilized spam campaigns to distribute malicious files that download and execute code capable of encrypting numerous critical file types on both local and networked file stores. Encrypted files are renamed with a unique hexadecimal filename and receive the “.locky” extension. Each directory containing encrypted files contains instructions on how to utilize Bitcoin in order to pay a ransom for file recovery, and the system’s computer background is also changed to contain payment instructions. Recovery of encrypted files is impossible without data backup or acquisition of the private key due to the well-implemented, strong encryption. Historically, while payment of the ransom may result in receipt of the valid private key, enabling decryption of the targeted files, the FBI does not recommended the victim pay the ransom.
As of 5 May 2016, the Islamic State of Iraq and the Levant (ISIL) Sympathizer hacking group United Cyber Caliphate (UCC) defaced a Nigerian-hosted Web site, posting an html file containing the heading “USA Online Company Data Dumped by United Cyber Caliphate,” there was no other message or threat associated with the file. The file contained approximately 1,137 entries, many of which appeared to be US-based individuals with corresponding personally identifiable information (PII) fields such as name, company, e-mail, phone, city, state, and zip code. The PII was doxed from the personnel directory of a US business, according to FBI and open source reporting.
(U//FOUO) FBI New Orleans Alert: Violence Against Law Enforcement and Riots Planned for July 8-10 2016
The FBI has identified two Android malware families, SlemBunk and Marcher, actively phishing for specified US financial institutions’ customer credentials. The malware monitors the infected phone for the launch of a targeted mobile banking application to inject a phishing overlay over the legitimate application’s user interface. The malware then displays an indistinguishable fake login interface to steal the victim’s banking credentials. According to cyber threat industry reports, both malware families have targeted foreign financial institutions since 2014, gradually broadening the list to include Western banks, and offered the malware for lease or purchase, respectively, in underground forums. At least as of December 2015, the malware expanded its configuration to include the Android package names of US financial institutions.
A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.
KeySweeper is a covert device that resembles a functional Universal Serial Bus (USB) enabled device charger which conceals hardware capable of harvesting keystrokes from certain wireless keyboards. If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.
The FBI previously identified that the actor(s) exploit Java-based Web servers to gain persistent access to a victim network and infect Windows-based hosts. The FBI also indicated that several victims have reported the initial intrusion occurred via JBOSS applications. Further analysis of victim machines indicates that, in at least two cases, the attackers used a Python tool, known as JexBoss, to probe and exploit target systems. Analysis of the JexBoss Exploit Kit identified the specific JBoss services targeted and vulnerabilities exploited. The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future.
(U//FOUO) DHS-FBI-NCTC Bulletin: Tactics, Techniques, and Procedures Used in March 2016 Brussels Attacks
This Joint Intelligence Bulletin (JIB) is intended to provide a review of the tactics, techniques, and procedures demonstrated by the perpetrators of the 22 March 2016 attacks in Brussels, Belgium. The analysis in this JIB is based on statements by European government and law enforcement officials cited in media reporting and is subject to change with the release of official details from post-incident investigations. This JIB is provided by DHS, FBI, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, first responders and private sector partners in deterring, preventing, preempting, or disrupting terrorist attacks against the United States.
FBI Cyber Bulletin: Smart Farming May Increase Cyber Targeting Against US Food and Agriculture Sector
The FBI and the US Department of Agriculture (USDA) assess the Food and Agriculture (FA) Sector is increasingly vulnerable to cyber attacks as farmers become more reliant on digitized data. While precision agriculture technology (a.k.a. smart farming)a reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers and cloud service providers, develop adequate cybersecurity and breach response plans.
Over the past 18-24 months, an unknown number of online extremists have conducted “hacktivist” cyber operations – primarily Web site defacements, denial-of-service attacks, and release of personally identifiable information (PII) in an effort to spread pro-Islamic State of Iraq and the Levant (ISIL) propaganda and to incite violence against the United States and the West. Recent open source reporting from the Daily Mail India, indicates ISIL is recruiting Indian hackers and offering upwards of $10,000 USD per job to hack government Web sites, steal data, and to build social media databases for recruiting purposes. Indian officials believe as many as 30,000 hackers in India may have been contacted. The FBI cannot confirm the validity of the media reports, and beyond this single article on Indian hackers and ISIL, does not have information indicating any such relationship exists to date. The FBI assesses this activity is most likely independent of ISIL’s leaders located in Syria and Iraq.
Despite efforts to counter violent extremism, the threat continues to evolve within our borders. Extremism and acts of targeted violence continue to impact our local communities and online violent propaganda has permeated social media. Countering these prevailing dynamics requires a fresh approach that focuses on education and enhancing public safety—protecting our citizens from becoming radicalized by identifying the catalysts driving extremism.
(U//LES) DHS-FBI Bulletin: Domestic Extremists Arrested for Illegal Occupation of Malheur National Wildlife Refuge
This Joint Intelligence Bulletin (JIB) is intended to provide information on the recent arrest of 11 domestic extremists for conspiracy to impede officers of the United States from discharging their official duties through force, intimidation, or threats, in violation of 18 USC §372. This JIB is provided by the FBI and DHS to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials in deterring, preventing, or disrupting terrorist attacks against the United States. As in any criminal case, defendants are presumed innocent until proven guilty in a court of law.
The FBI has obtained information regarding a group of cyber actors who have compromised and stolen sensitive military information from US cleared defense contractors (CDCs) through cyber intrusions. This group utilizes infrastructure emanating from China to conduct their nefarious computer network exploitation (CNE) activities. Information obtained from victims and subsequent analysis indicates that they were targeted based on their US Navy Seaport Enhanced contracts. The actors did not target information pertaining to a specific contract but instead stole all information that they accessed via their malicious cyber activities. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.