National Counterterrorism Center

(U//FOUO) DHS-FBI-NCTC Bulletin: Tactics, Techniques, and Procedures Used in March 2016 Brussels Attacks

DHS-FBI-NCTC-BrusselsAttacks

This Joint Intelligence Bulletin (JIB) is intended to provide a review of the tactics, techniques, and procedures demonstrated by the perpetrators of the 22 March 2016 attacks in Brussels, Belgium. The analysis in this JIB is based on statements by European government and law enforcement officials cited in media reporting and is subject to change with the release of official details from post-incident investigations. This JIB is provided by DHS, FBI, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, first responders and private sector partners in deterring, preventing, preempting, or disrupting terrorist attacks against the United States.

NCTC Counterterrorism Digest January 26-February 2, 2016

NCTC-CT-Digest-02-03-16

Counterterrorism Digest is a compilation of UNCLASSIFIED open source publicly available press material, to include relevant commentary on issues related to terrorism and counterterrorism over the past seven days. It is produced every Wednesday, excluding holidays. Counterterrorism Digest is produced by the National Counterterrorism Center and contains situational awareness items detailing on-going terrorism-related developments which may be of interest to security personnel.

NCTC Counterterrorism Digest January 20-26, 2016

NCTC-CT-Digest-01-27-16

Counterterrorism Digest is a compilation of UNCLASSIFIED open source publicly available press material, to include relevant commentary on issues related to terrorism and counterterrorism over the past seven days. It is produced every Wednesday, excluding holidays. Counterterrorism Digest is produced by the National Counterterrorism Center and contains situational awareness items detailing on-going terrorism-related developments which may be of interest to security personnel.

(U//FOUO) DHS-FBI-NCTC Bulletin: Tactics, Techniques, and Procedures Used in November 2015 Paris Attacks

DHS-FBI-NCTC-ParisAttacks

This Joint Intelligence Bulletin (JIB) is intended to provide a review of the tactics, techniques, and procedures demonstrated by the perpetrators of the 13 November 2015 attacks in Paris, France. This JIB does not provide analysis of any follow-on operations or operations occurring in Europe in the wake of the attacks. It relies on a variety of open source and media reporting for the analysis, which could change as official details of the post-incident investigations come to light. This JIB is intended to support the activities of DHS, FBI and NCTC to assist federal, state, and local government counterterrorism and law enforcement officials, first responders, and private-sector security partners in effectively deterring, preventing, preempting, or responding to terrorist attacks against the United States.

(U//FOUO) DHS-FBI-NCTC Bulletin: Terrorist Impersonation of First Responders Overseas

DHS-FBI-NCTC-ImpersonatingResponders

(U//FOUO) Two disrupted plots in Europe earlier this year highlight terrorists possible interest in impersonating first responders through the acquisition of authentic or fraudulent uniforms, equipment, vehicles, and other items which may be associated with government, military, law enforcement, fire,…

(U//FOUO) DHS-FBI-NCTC Bulletin: Risks for U.S. Persons Traveling to Fight ISIS

DHS-FBI-NCTC-FightingISIS_Page_1

This Joint Intelligence Bulletin highlights the potential risks for US persons traveling to Syria or Iraq to combat the Islamic State of Iraq and the Levant (ISIL) or expressing online a desire to do so. The FBI, DHS, and NCTC remain concerned that US persons traveling to combat ISIL are at risk of being killed, wounded, or captured. Further, ISIL members or supporters could attempt disingenuously to identify and target US persons so as to harm them before or upon their arrival in Syria or Iraq. The State Department has issued travel warnings for both Iraq and Syria and the US Government does not support US persons traveling overseas to combat ISIL.

(U//FOUO) DHS-FBI-NCTC Bulletin: ISIL Supporters Targeting Uniformed Personnel for Weapons and Equipment

DHS-FBI-NCTC-UniformsEquipmentISIL

In the first half of 2015 there were at least two instances of Islamic State of Iraq and the Levant (ISIL) inspired individuals in the West expressing interest in targeting law enforcement (LE) to obtain weapons and other specialized gear through theft. As ISIL continues to exhort its individuals in the West to carry out attacks, the potential exists that some terrorists may use this tactic and attempt to steal weapons or issued items, such as credentials, badges, uniforms, radios, ballistic vests, vehicles, and other equipment, which could be used in furtherance of an attack. We note that laws governing the purchase of firearms differ widely among Western nations making this tactic more likely to occur in countries where laws are most restrictive and firearms are harder to obtain through legitimate means.

(U//FOUO) DHS-FBI-NCTC Bulletin: Terrorists Encouraging Use of Propane Cylinders as IEDs

DhS-FBI-NCTC-PropaneIEDs

Since the May 2010 publication of the Roll Call Release “Terrorist Use of Propane Cylinders,” terrorists have continued to advocate the use of propane cylinders in building improvised explosive devices (IEDs). Throughout 2014, al-Qa‘ida-inspired violent extremists posted on the Internet English-language instructions for building and using propane IEDs and encouraged attacks in the United States. The posts recommended military, commercial, and financial sector targets, major metropolitan areas, and mass gatherings.

(U//FOUO) DHS-FBI-NCTC Bulletin: Malicious Cyber Actors Use Advanced Search Techniques

DHS-FBI-NCTC-GoogleDorking

Malicious cyber actors are using advanced search techniques, referred to as “Google dorking,” to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. “Google dorking” has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.

(U//FOUO) DHS-FBI-NCTC Bulletin: Medical Treatment Presents Opportunity for Discovery of Violent Extremist Activities

DHS-FBI-NCTC-MedicalTreatmentExtremists

Efforts to gain expertise with explosive, incendiary, and chemical/biological devices may lead to injuries and emergency treatment, which may provide potential indicators of violent extremist activities to responding emergency medical service (EMS) personnel. Scene size-up and patient assessment provide first responders the opportunity to view both the scene and any patient injuries. EMS personnel and other first responders should consider the totality of information gleaned through direct observation and the statements of patients, witnesses, and bystanders to evaluate whether an injury is a genuine accident or related to violent extremist activity.

National Counterterrorism Center Flyer: College Drone Programs Can Be Targeted by Violent Extremists

NCTC-UAS-Extremists

College programs in unmanned aircraft systems (UAS) are susceptible to potential penetration or attack plotting by violent extremists. Enhanced information and operational security practices can reduce the likelihood of a violent extremist infiltrating UAS programs or planning an attack against students and faculty. There are potential indicators that a student or faculty member may possess ulterior motives for their interest in unmanned aircraft.

(U//FOUO) DHS-FBI-NCTC Bulletin: Terrorists Continued Interest in Targeting Mass Transit

DHS-FBI-NCTC-MassTransit

Terrorists in late December 2013 conducted three attacks targeting people using public transportation systems in Russia, emphasizing terrorists’ persistent interest in attacking locations where large congregations of people are confined to small, often enclosed spaces. Russian officials claim North Caucasus-based violent extremists associated with the Imirat Kavkaz (IK) probably conducted these attacks to embarrass the Russian government in the build-up to the 2014 Olympic Games in Sochi. The IK, a violent extremist group based in Russia, has no known capability in the Homeland and is unlikely to directly target Western interests overseas.

National Counterterrorism Center Enhanced Safeguards Decision Matrix

ODNI-Safeguards

The DNI, D/NCTC and the Attorney General approved revised Attorney General Guidelines for NCTC’s handling of US Person (USP) information in March 2012. These revised NCTC Attorney General Guidelines (“NCTC’s AGGs”) govern NCTC’s access, retention, use, and dissemination of datasets identified as including non-terrorism information and information pertaining exclusively to domestic terrorism, and provide NCTC with the authority to retain USP information for up to five years (unless a shorter period is required by law, executive order, regulation, international agreement, etc.). During this temporary retention and assessment period, additional safeguards and protections are applied to this data, to include baseline (and potentially enhanced) safeguards, as well as additional compliance, auditing, reporting and oversight mechanisms.

(U//FOUO) DHS-FBI-NCTC Bulletin: Fake Help Desk Scams an Ongoing Problem

DHS-FBI-NCTC-FakeHelpDesk

Law enforcement continues to see reporting of malicious cyber actors using fake help desk scams, also known as technical support scams. These scams, if successful, seek to compromise and take control of computer systems. Malicious cyber actors send users an e-mail or they make cold calls, purportedly representing a help desk from a legitimate software or hardware vendor. The malicious cyber actors try to trick users into believing that their computer is malfunctioning—often by having them look at a system log that typically shows scores of harmless or low-level errors—then convincing them to download software or let the “technician” remotely access the personal computer to “repair” it.

(U//FOUO) DHS-FBI-NCTC Bulletin: Building Security Measures May Hinder Emergency Response Efforts

DHS-FBI-NCTC-SecurityMeasuresResponse

Facility security measures, such as interior control points or exterior barriers, may require first responders to adjust normal protocols and procedures to operate rapidly during emergencies. The timeline below is an overview of attacks and plots against US-based facilities with varying levels of security. The diversity of tactics and targets used underscores the need for interagency exercises and training that incorporates multiple scenarios to account for building security measures likely to be encountered.

(U//FOUO) DHS-FBI-NCTC Bulletin: Extortion Schemes Use Telephony-Based Denial-of-Service Attacks

DHS-FBI-NCTC-TDoSExtortion

Since at least January 2012, criminals are using telephony-based denial-of-service (TDoS) combined with extortion scams to phone an employee’s office and demand the employee repay an alleged loan. If the victim does not comply, the criminals initiate TDoS attacks against the employer’s phone numbers. TDoS uses automated calling programs—similar to those used by telemarketers—to prevent victims from making or receiving calls.

(U//FOUO) National Counterterrorism Center Report: Common Misconceptions About Homeland Plotting

A facilitated brainstorming session was convened to identify and examine the most common misconceptions about conventional Homeland plotting. These misconceptions stemmed from inquiries received from Federal, state, local, tribal, and private-sector consumers and from articles published by outside experts and in the media. Analysts identified the following six misconceptions as the most common and compared them with current analytic lines.

(U//FOUO) National Counterterrorism Center: Urban Exploration Offers Insight on Infrastructure Vulnerabilities

Urban Explorers (UE)—hobbyists who seek illicit access to transportation and industrial facilities in urban areas—frequently post photographs, video footage, and diagrams on line that could be used by terrorists to remotely identify and surveil potential targets. Advanced navigation and mapping technologies, including three dimensional modeling and geo-tagging, could aid terrorists in pinpointing locations in dense urban environments. Any suspicious UE activity should be reported to the nearest State and Major Area Fusion Center and to the local FBI Joint Terrorism Task Force.

(U//FOUO) National Counterterrorism Center Special Report: IED Targeting of First Response Personnel

Although most terrorist IED attacks outside war zones target civilians or symbols of authority and usually involve a single device, some are designed specifically to target emergency response personnel. The most common tactics involve using secondary or tertiary devices in tiered or sequential attacks intended to kill or maim response personnel after they arrive on the scene of an initial IED incident.

(U//FOUO) National Counterterrorism Center Advisory: Homegrown Violent Extremists Targeting Law-Enforcement Officers

Some homegrown violent extremists (HVE) have targeted US law-enforcement entities and have used publicly available information to counter these entities’ CT tactics and security practices. Law-enforcement entities are being identified by these extremists as both strategic targets and targets of opportunity, mainly because a core element of HVE subculture perceives that persecution by US law enforcement reflects the West’s inherent aggression toward Islam, which reinforces the violent opposition by HVEs to law enforcement.

(U//FOUO) National Counterterrorism Center Mobilizing Homegrown Violent Extremists (HVEs) Behavioral Indicators

A US Government interagency study of homegrown violent extremists (HVEs) revealed four major mobilizing patterns shared by a majority of HVE cases between 2008 and 2010, providing officials with an emerging picture of distinct behaviors often associated with an individual mobilizing for violence. These four patterns—links to known extremists, ideological commitment to extremism, international travel, and pursuit of weapons and associated training—repeatedly appeared in the case studies, reinforcing initial assessments of potential trends. Awareness of the patterns can help combat the recent rise in these cases while providing a data-driven tool for assessing potential changes in the HVE threat to the Homeland.