Following the Office of the Inspector General’s (OIG) April 2011 report on the FBI’s ability to address the national cyber intrusion threat, in October 2012 the FBI launched its Next Generation Cyber (Next Gen Cyber) Initiative to enhance its ability to address cybersecurity threats to the United States. In fiscal year 2014, the FBI initially budgeted $314 million for its Next Gen Cyber Initiative, including a total of 1,333 full-time positions (including 756 agents). In addition, the Department of Justice (Department) requested an $86.6 million increase in funding for fiscal year 2014 to support the Initiative. The objective of this audit was to evaluate the FBI’s implementation of its Next Gen Cyber Initiative.
Militia extremists are expanding their target sets to include Muslims and Islamic religious institutions in the United States. This has resulted in increased violent rhetoric and plotting and has the potential to lead, over the long term, to additional harassment of or violence against Muslims by domestic extremists. The FBI makes these assessments with high confidence on the basis of a large body of source reporting generated mainly since 2013. This information augments prior FBI analysis that established militia extremists target government personnel and law enforcement officers, perceived threats from abroad, and individuals or institutions that seek to constrain Second Amendment rights.
In May 2015, the wife of a US military member was approached in front of her home by two Middle-Eastern males. The men stated that she was the wife of a US interrogator. When she denied their claims, the men laughed. The two men left the area in a dark-colored, four-door sedan with two other Middle-Eastern males in the vehicle. The woman had observed the vehicle in the neighborhood on previous occasions.
FBI Cyber Division Bulletin: Hacking Team Exploit Used in Spearphishing Campaign Targeting U.S. Government
A bulletin issued by the FBI Cyber Division discusses a spearphishing campaign targeting U.S. government agencies in June and July of 2015. The campaign utilized an Adobe Flash exploit, CVE-2015-5119, that was discovered in the 400GB data archive from hacked Italian surveillance technology company Hacking Team that was released publicly earlier this month. The exploit was being sold as a product of Hacking Team and was listed in their product knowledge base. The bulletin notes that the Flash exploit was being used in phishing emails in June 2015 despite the fact that the Hacking Team data was only made public on July 5, 2015.
FBI Cyber Division Bulletin: Distributed Denial of Service Attack Bitcoin Extortion Campaigns Expanding
Recent FBI investigations and open source reporting reveal that extortion campaigns conducted via e-mails threatening Distributed Denial of Service (DDoS) attacks continue to expand targets from unregulated activities, such as illegal gaming activity, to now include legitimate business operations. The increase in scope has resulted in additional attacks with Bitcoin ransom amounts trending upwards as well.
(U//FOUO) DHS-FBI-NCTC Bulletin: ISIL Supporters Targeting Uniformed Personnel for Weapons and Equipment
In the first half of 2015 there were at least two instances of Islamic State of Iraq and the Levant (ISIL)-inspired individuals in the West expressing interest in targeting law enforcement (LE) to obtain weapons and other specialized gear through theft. As ISIL continues to exhort its supporters in the West to carry out attacks, the potential exists that some terrorists may use this tactic and attempt to steal weapons or issued items, such as credentials, badges, uniforms, radios, ballistic vests, vehicles, and other equipment, which could be used in furtherance of an attack. We note that laws governing the purchase of firearms differ widely among Western nations, making this tactic more likely to occur in countries where laws are most restrictive and firearms are harder to obtain through legitimate means.
The FBI has obtained information regarding cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII). Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud, though the FBI is not aware of such activity by these groups. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
This Executive Summary provides a brief overview of the results of the Department of Justice (Department or DOJ) Office of the Inspector General’s (OIG) third review of the Federal Bureau of Investigation’s (FBI) use of the investigative authority granted by Section 215 of the Patriot Act. Section 215 is often referred to as the “business record” provision. The OIG’s first report, A Review of the Federal Bureau of Investigation’s Use of Section 215 Orders for Business Records, was issued in March 2007 and covered calendar years 2002 through 2005. The OIG’s second report, A Review of the FBI’s Use of Section 215 Orders for Business Records in 2006, was issued in March 2008 and covered calendar year 2006. This third review was initiated to examine the progress the Department and the FBI have made in addressing the OIG recommendations which were included in our second report. We also reviewed the FBI’s use of Section 215 authority in calendar years 2007, 2008, and 2009.
The FBI is providing the following information with HIGH confidence: The FBI has obtained information regarding one or more groups of cyber actors who have compromised and stolen sensitive business information from US commercial and government networks through cyber espionage. Analysis indicates a significant amount of the computer network exploitation activities emanated from infrastructure located within China. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
The FBI and TSA are currently analyzing claims in recent media reports which included statements that critical in-flight networks on commercial aircraft may be vulnerable to remote intrusion. At this time, the FBI and TSA have no information to support these claims but continue to leverage public and private sector partnerships to evaluate potential threats posed by intrusions into a commercial aircraft’s secure networks. The FBI and TSA also continuously monitor and analyze reporting on cyber and technical threats to proactively deter individuals from using remote intrusions to disrupt any portion of the aviation sector, including its business networks, critical navigation and air traffic control signals, and the onboard networks of commercial aircraft.
(U//FOUO) DHS-FBI Bulletin: Twenty Years After Oklahoma City Bombing, Domestic Extremism Remains a Persistent Threat
This Joint Intelligence Bulletin (JIB) prepared by the FBI and DHS is intended to provide law enforcement with a summary of significant domestic extremist incidents occurring during the previous 15 months. This product highlights the breadth and frequency of current domestic extremist threats against Homeland targets, and places them in the context of the 20th anniversary of the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, Oklahoma. This information is provided to support the activities of the FBI and DHS and to assist other federal, state, local, tribal, and territorial counterterrorism and law enforcement officials and private sector security officials in identifying existing or emerging threats to homeland security.
As of early March 2015, several extremist hacking groups indicated they would participate in a forthcoming operation, #OpIsrael, which will target Israeli and Jewish Web sites. The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day. These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.
Sovereign Citizen (SC) activity typically involves criminal behavior that is generally non-violent but has led to threats and plots against Court Officials by the more extremist adherents. Below are some indicators that you have encountered a SC during your normal duties; they should be taken as a signal that additional precautions against fraudulent filings and personal harm are warranted.
This Joint Intelligence Bulletin (JIB) is intended to provide information on a continuing trend of Western youth being inspired by Islamic State of Iraq and the Levant (ISIL) messaging via social media to travel to Syria to participate in the conflict. This JIB is provided to support the activities of FBI and DHS to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks in the United States.
Since the May 2010 publication of the Roll Call Release “Terrorist Use of Propane Cylinders,” terrorists have continued to advocate the use of propane cylinders in building improvised explosive devices (IEDs). Throughout 2014, al-Qa‘ida-inspired violent extremists posted on the Internet English-language instructions for building and using propane IEDs and encouraged attacks in the United States. The posts recommended military, commercial, and financial sector targets, major metropolitan areas, and mass gatherings.
A group of cyber actors utilizing infrastructure located in Iran has been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. The actors typically utilize common computer intrusion techniques such as the use of TOR, open source reconnaissance, exploitation via SQL injection and web shells, and open source tools for further network penetration and persistence. Internet-facing infrastructure, such as web servers, is a typical target for this group. Once the actors penetrate a victim network, the actors exfiltrate network design information and legitimate user credentials for the victim network. Oftentimes, the actors are able to harvest administrative user credentials and use the credentials to move laterally through a network.
This Private Industry Notification (PIN) highlights the use of Global Positioning Systems (GPS) jammers by criminals to thwart law enforcement response and investigation into cargo thefts in the United States. Since at least February 2012, various law enforcement and private sector partners have reported that GPS tracking devices have been jammed by criminals engaged in nefarious activity including cargo theft and illicit shipping of goods. Although banned by federal law, the jammers are readily available over the Internet and easy to employ.
Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods. Analysis of this malware is presented to provide the computer network defense (CND) community with indicators of this malware.
(U//FOUO) FBI Bulletin: Threat of Cyberterrorist and Hacktivist Activity in Response to U.S. Military Actions in the Middle East
The FBI has no information at this time to indicate specific cyber threats to US networks or infrastructure in response to ongoing US military air strikes against the terrorist group known as the Islamic State of Iraq and the Levant (ISIL), also known as the Islamic State of Iraq and al-Shams (ISIS) or the Islamic State (IS). However, the FBI assesses extremist hackers and hacktivist groups, including but not limited to those aligned with the ISIL ideology, will continue to threaten and may attempt offensive cyber actions against the United States in response to perceived or actual US military operations in Iraq or Syria. The FBI bases this assessment on recent, nonspecific, and probably aspirational threats made on social media platforms to carry out cyber as well as physical attacks in response to the US military presence in the Middle East.
The FBI is providing the following information with HIGH confidence. The FBI has observed malicious actors targeting healthcare-related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII). These actors have also been seen targeting multiple companies in the healthcare and medical device industry, typically targeting valuable intellectual property, such as medical device and equipment development data.
Malicious cyber actors are using advanced search techniques, referred to as “Google dorking,” to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. “Google dorking” has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.