This Joint Intelligence Bulletin (JIB) is intended to provide a review of the tactics, techniques, and procedures demonstrated by the perpetrators of the 13 November 2015 attacks in Paris, France. This JIB does not provide analysis of any follow-on operations or operations occurring in Europe in the wake of the attacks. It relies on a variety of open source and media reporting for the analysis, which could change as official details of the post-incident investigations come to light. This JIB is intended to support the activities of DHS, FBI and NCTC to assist federal, state, and local government counterterrorism and law enforcement officials, first responders, and private-sector security partners in effectively deterring, preventing, preempting, or responding to terrorist attacks against the United States.
(U//FOUO) Two disrupted plots in Europe earlier this year highlight terrorists possible interest in impersonating first responders through the acquisition of authentic or fraudulent uniforms, equipment, vehicles, and other items which may be associated with government, military, law enforcement, fire,…
This Joint Intelligence Bulletin highlights the potential risks for US persons traveling to Syria or Iraq to combat the Islamic State of Iraq and the Levant (ISIL) or expressing online a desire to do so. The FBI, DHS, and NCTC remain concerned that US persons traveling to combat ISIL are at risk of being killed, wounded, or captured. Further, ISIL members or supporters could attempt disingenuously to identify and target US persons so as to harm them before or upon their arrival in Syria or Iraq. The State Department has issued travel warnings for both Iraq and Syria and the US Government does not support US persons traveling overseas to combat ISIL.
(U//FOUO) DHS-FBI-NCTC Bulletin: ISIL Supporters Targeting Uniformed Personnel for Weapons and Equipment
In the first half of 2015 there were at least two instances of Islamic State of Iraq and the Levant (ISIL) inspired individuals in the West expressing interest in targeting law enforcement (LE) to obtain weapons and other specialized gear through theft. As ISIL continues to exhort its individuals in the West to carry out attacks, the potential exists that some terrorists may use this tactic and attempt to steal weapons or issued items, such as credentials, badges, uniforms, radios, ballistic vests, vehicles, and other equipment, which could be used in furtherance of an attack. We note that laws governing the purchase of firearms differ widely among Western nations making this tactic more likely to occur in countries where laws are most restrictive and firearms are harder to obtain through legitimate means.
Since the May 2010 publication of the Roll Call Release “Terrorist Use of Propane Cylinders,” terrorists have continued to advocate the use of propane cylinders in building improvised explosive devices (IEDs). Throughout 2014, al-Qa‘ida-inspired violent extremists posted on the Internet English-language instructions for building and using propane IEDs and encouraged attacks in the United States. The posts recommended military, commercial, and financial sector targets, major metropolitan areas, and mass gatherings.
Malicious cyber actors are using advanced search techniques, referred to as “Google dorking,” to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. “Google dorking” has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.
(U//FOUO) DHS-FBI-NCTC Bulletin: Medical Treatment Presents Opportunity for Discovery of Violent Extremist Activities
Efforts to gain expertise with explosive, incendiary, and chemical/biological devices may lead to injuries and emergency treatment, which may provide potential indicators of violent extremist activities to responding emergency medical service (EMS) personnel. Scene size-up and patient assessment provide first responders the opportunity to view both the scene and any patient injuries. EMS personnel and other first responders should consider the totality of information gleaned through direct observation and the statements of patients, witnesses, and bystanders to evaluate whether an injury is a genuine accident or related to violent extremist activity.
National Counterterrorism Center Flyer: College Drone Programs Can Be Targeted by Violent Extremists
College programs in unmanned aircraft systems (UAS) are susceptible to potential penetration or attack plotting by violent extremists. Enhanced information and operational security practices can reduce the likelihood of a violent extremist infiltrating UAS programs or planning an attack against students and faculty. There are potential indicators that a student or faculty member may possess ulterior motives for their interest in unmanned aircraft.
Terrorists in late December 2013 conducted three attacks targeting people using public transportation systems in Russia, emphasizing terrorists’ persistent interest in attacking locations where large congregations of people are confined to small, often enclosed spaces. Russian officials claim North Caucasus-based violent extremists associated with the Imirat Kavkaz (IK) probably conducted these attacks to embarrass the Russian government in the build-up to the 2014 Olympic Games in Sochi. The IK, a violent extremist group based in Russia, has no known capability in the Homeland and is unlikely to directly target Western interests overseas.
The DNI, D/NCTC and the Attorney General approved revised Attorney General Guidelines for NCTC’s handling of US Person (USP) information in March 2012. These revised NCTC Attorney General Guidelines (“NCTC’s AGGs”) govern NCTC’s access, retention, use, and dissemination of datasets identified as including non-terrorism information and information pertaining exclusively to domestic terrorism, and provide NCTC with the authority to retain USP information for up to five years (unless a shorter period is required by law, executive order, regulation, international agreement, etc.). During this temporary retention and assessment period, additional safeguards and protections are applied to this data, to include baseline (and potentially enhanced) safeguards, as well as additional compliance, auditing, reporting and oversight mechanisms.
Law enforcement continues to see reporting of malicious cyber actors using fake help desk scams, also known as technical support scams. These scams, if successful, seek to compromise and take control of computer systems. Malicious cyber actors send users an e-mail or they make cold calls, purportedly representing a help desk from a legitimate software or hardware vendor. The malicious cyber actors try to trick users into believing that their computer is malfunctioning—often by having them look at a system log that typically shows scores of harmless or low-level errors—then convincing them to download software or let the “technician” remotely access the personal computer to “repair” it.
Facility security measures, such as interior control points or exterior barriers, may require first responders to adjust normal protocols and procedures to operate rapidly during emergencies. The timeline below is an overview of attacks and plots against US-based facilities with varying levels of security. The diversity of tactics and targets used underscores the need for interagency exercises and training that incorporates multiple scenarios to account for building security measures likely to be encountered.
Since at least January 2012, criminals are using telephony-based denial-of-service (TDoS) combined with extortion scams to phone an employee’s office and demand the employee repay an alleged loan. If the victim does not comply, the criminals initiate TDoS attacks against the employer’s phone numbers. TDoS uses automated calling programs—similar to those used by telemarketers—to prevent victims from making or receiving calls.
A facilitated brainstorming session was convened to identify and examine the most common misconceptions about conventional Homeland plotting. These misconceptions stemmed from inquiries received from Federal, state, local, tribal, and private-sector consumers and from articles published by outside experts and in the media. Analysts identified the following six misconceptions as the most common and compared them with current analytic lines.
(U//FOUO) National Counterterrorism Center: Urban Exploration Offers Insight on Infrastructure Vulnerabilities
Urban Explorers (UE)—hobbyists who seek illicit access to transportation and industrial facilities in urban areas—frequently post photographs, video footage, and diagrams on line that could be used by terrorists to remotely identify and surveil potential targets. Advanced navigation and mapping technologies, including three dimensional modeling and geo-tagging, could aid terrorists in pinpointing locations in dense urban environments. Any suspicious UE activity should be reported to the nearest State and Major Area Fusion Center and to the local FBI Joint Terrorism Task Force.
(U//FOUO) National Counterterrorism Center Special Report: IED Targeting of First Response Personnel
Although most terrorist IED attacks outside war zones target civilians or symbols of authority and usually involve a single device, some are designed specifically to target emergency response personnel. The most common tactics involve using secondary or tertiary devices in tiered or sequential attacks intended to kill or maim response personnel after they arrive on the scene of an initial IED incident.
(U//FOUO) National Counterterrorism Center Advisory: Homegrown Violent Extremists Targeting Law-Enforcement Officers
Some homegrown violent extremists (HVE) have targeted US law-enforcement entities and have used publicly available information to counter these entities’ CT tactics and security practices. Law-enforcement entities are being identified by these extremists as both strategic targets and targets of opportunity, mainly because a core element of HVE subculture perceives that persecution by US law enforcement reflects the West’s inherent aggression toward Islam, which reinforces the violent opposition by HVEs to law enforcement.
(U//FOUO) National Counterterrorism Center Mobilizing Homegrown Violent Extremists (HVEs) Behavioral Indicators
A US Government interagency study of homegrown violent extremists (HVEs) revealed four major mobilizing patterns shared by a majority of HVE cases between 2008 and 2010, providing officials with an emerging picture of distinct behaviors often associated with an individual mobilizing for violence. These four patterns—links to known extremists, ideological commitment to extremism, international travel, and pursuit of weapons and associated training—repeatedly appeared in the case studies, reinforcing initial assessments of potential trends. Awareness of the patterns can help combat the recent rise in these cases while providing a data-driven tool for assessing potential changes in the HVE threat to the Homeland.
Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center, U.S. Northern Command
This Joint Special Event Threat Assessment (JSETA) addresses potential threats to the National Football League (NFL)USPER Super Bowl XLV, which will be played on 6 February 2011 at Cowboys Stadium in Arlington, Texas. It focuses on potential threats to the game—and to various NFL-sanctioned events scheduled for the Dallas/Ft. Worth Metroplex-area during the 12 days prior to the game—from international and domestic terrorists, cyber actors, criminals, and foreign intelligence services.
The attempted bombing in Times Square on 1 May 2010 highlights the need to identify Homegrown Violent Extremists before they carry out a terrorist act. The ability of the bomber to operate under the radar demonstrates the difficulties associated with identifying terrorist activity and reinforces the need for law enforcement, at all levels, to be vigilant and identify individuals who are planning violence or other illegal activities in support of terrorism.
Elements of the U. S. government hosted an interdisciplinary, unclassified workshop to better understand the potential threat from independently acting terrorists with biological expertise. Such lone-actor terrorists have the potential to carry out high-impact biological attacks while generating few signatures, making detection or disruption of their efforts challenging. The one-day workshop explored the possible motivations, intents, and objectives of lone-actor terrorists who might consider conducting biological attacks; examined scientific infrastructure vulnerabilities that these individuals could exploit; and identified strategies to mitigate this potential threat.