(U//FOUO) We assess with moderate confidence that cyber actors, including those who support violent extremism, are likely to continue targeting first responders on the World Wide Web, including by distributing personally identifiable information (PII) for the purpose of soliciting attacks from willing sympathizers in the homeland, hacking government websites, or attacking 911 phone systems to hinder first responders’ ability to respond to crises.
• (U//FOUO) In January 2017, police in Washington, DC discovered multiple disruptions to their surveillance cameras as a result of ransomware infections. Hackers compromised 70% of the cameras across the city, eight days before the Presidential Inauguration, which prevented officials from accessing the command and control center of the surveillance system. The infected cameras were configured with default remote access passwords, according to FBI reporting.
• (U) In October 2016, a telephony denial of service attack to the 911 network impacted emergency call centers in at least 12 states. Several centers reported they were inundated with fake phone calls. As a result, authorities were in danger of losing service to their switches and operators had difficulty in distinguishing fake incoming calls from legitimate calls for service. Authorities arrested a US person for the cyber attack, and charged him with three counts of felony computer tampering.
• (U//FOUO) In March 2016 there were two doxing attacks in the US. In early March, the pro-ISIS Caliphate Cyber Army (CCA) posted PII of 50 police officers from New Jersey. The PII included the officers’ names, home and work addresses, and phone numbers. In mid-March, prior to merging with other hacking groups to form the United Cyber Caliphate (UCC), the CCA hacking group posted a “kill list” containing the PII of 36 Minnesota police officers. According to the FBI, it is investigating threatening phone calls to law enforcement officials, possibly resulting from CCA postings.
(U) POTENTIAL CYBER-ATTACK TACTICS AGAINST FIRST RESPONDERS: With the expanding use of Internet-connected technology, first responders should be aware of existing and emerging tactics and technologies used by cyber actors with malicious intent.
• (U) DOXING: The act of gathering information about a person or business from online public sources, including social media profiles, reverse phone lookup, and search engines, and then publicly posting it (for example, a home address, personal phone number, or family details) so that others can locate or harass the target.
• (U) RANSOMWARE: Malicious software that is typically delivered in one of two ways: through a user action, such as clicking a malicious link in a spam e-mail or on a website, or through malvertising and drive-by downloads, which require no user interaction. Once it runs, the program locks the computer or encrypts its files and demands a fee to restore access. Clicking links, especially in e-mails from unknown senders, is a common trigger.
• (U) PHISHING: The act of deceiving a user, typically through e-mail, into surrendering private information such as account credentials, bank account numbers, or Social Security numbers, which is then used for fraud or identity theft.
• (U) SPEAR-PHISHING: A type of phishing attack that focuses on a single user or department within an organization to obtain sensitive information such as login IDs and passwords. Spear phishing targets a department by creating an email that appears to come from the organization (for example, human resources) asking the subject to reset his or her user name and password.
• (U) WHALING: A type of phishing attack directed at high-level individuals or executives within a company.
• (U) SOCIAL ENGINEERING: The act of manipulating an individual into revealing information or taking an action (for example, disclosing a password or opening a file) that the individual does not realize will be used to attack a computer network.
• (U) TROJAN: A malicious program that masquerades as a benign application. Trojans are typically delivered as an e-mail attachment or as a link that the sender tries to convince the recipient to open.
• (U) DENIAL OF SERVICE (DoS): A malicious attack on a network designed to disable the network by flooding it with useless traffic, making it unable to process legitimate traffic. Malicious actors may direct computer traffic to the subject’s website to slow down or disrupt the site’s ability to function.
• (U) TELEPHONY DENIAL OF SERVICE (TDoS): Occurs when malicious actors seek to overwhelm an agency’s phone system by flooding its telephone switches with repeated, usually automated, calls from spoofed numbers, clogging lines and inhibiting real callers from connecting. Because the displayed caller ID is spoofed, blocking individual numbers does little to stop the flood.
• (U) DISTRIBUTED DENIAL OF SERVICE (DDoS): A type of DoS attack in which many compromised systems, often infected with a Trojan, are directed at a single target. Because the traffic comes from many sources at once, it cannot be stopped by filtering a single address.
• (U) PORT SCANNING: The act of systematically probing a computer’s network ports to learn which services are listening and reachable from the Internet. Malicious actors use this technique to find exposed or poorly configured services, such as remote administration interfaces. Once found, the actor attempts to exploit or log in to that service to gain access to the computer and the network behind it.
• (U) ZOMBIE: A computer that is under the control of a malicious hacker without the knowledge of the computer owner.
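(U) The TDoS and port scanning tactics above both show up in logs as a burst of events against one target inside a short time window, so the same detection approach serves both. The following Python is an added example, not part of the bulletin or of any vendor product: it parses a constructed call detail record (CDR) format and a constructed firewall log format, buckets events into fixed time windows, and flags a window in which a called number receives an abnormal volume of calls (raising severity when most caller IDs are not valid North American numbers, a cheap spoofing indicator) or in which one source touches many distinct ports on one host. Field names, thresholds, and the sample data are assumptions for illustration.

```python
"""Bucketed flood detectors for TDoS and port scanning (added example).
The CDR and firewall log formats below are constructed for illustration."""
import re
from collections import defaultdict

# North American Numbering Plan shape: NXX-NXX-XXXX with N in 2-9. A caller ID
# that cannot exist on the plan is a cheap indicator of spoofing. A plausible
# number can still be spoofed, so this is a heuristic, not proof.
NANP_RE = re.compile(r"^[2-9]\d{2}[2-9]\d{6}$")


def is_plausible_nanp(number):
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):  # strip country code
        digits = digits[1:]
    return bool(NANP_RE.match(digits))


def parse_cdrs(text):
    """Constructed CDR format: epoch_seconds,calling_number,called_number,duration."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, caller, called, duration = line.split(",")
            records.append({"ts": int(ts), "caller": caller, "called": called,
                            "duration": int(duration)})
    return records


def parse_firewall_log(text):
    """Constructed firewall format: '<epoch> SRC=<ip> DST=<ip> DPT=<port> ACTION=<x>'."""
    pattern = re.compile(r"^(\d+) SRC=(\S+) DST=(\S+) DPT=(\d+)")
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            events.append({"ts": int(m.group(1)), "src": m.group(2),
                           "dst": m.group(3), "dpt": int(m.group(4))})
    return events


def bucketed(events, window, key_fn):
    """Group events into fixed time buckets; key is key_fn(event) + (bucket start,)."""
    groups = defaultdict(list)
    for ev in events:
        start = (ev["ts"] // window) * window
        groups[key_fn(ev) + (start,)].append(ev)
    return groups


def detect_tdos(records, window=60, call_threshold=20, invalid_ratio=0.5):
    """Flag a called number that receives call_threshold or more calls in one window.
    Severity is 'high' when at least invalid_ratio of caller IDs are implausible."""
    alerts = []
    groups = bucketed(records, window, lambda r: (r["called"],))
    for (called, start), calls in sorted(groups.items()):
        if len(calls) < call_threshold:
            continue
        invalid = sum(1 for c in calls if not is_plausible_nanp(c["caller"]))
        alerts.append({"called": called, "start": start, "calls": len(calls),
                       "invalid_calls": invalid,
                       "severity": "high" if invalid / len(calls) >= invalid_ratio else "medium"})
    return alerts


def detect_port_scan(events, window=10, port_threshold=15):
    """Flag a source that touches port_threshold or more distinct ports on one host in a window."""
    alerts = []
    groups = bucketed(events, window, lambda e: (e["src"], e["dst"]))
    for (src, dst, start), hits in sorted(groups.items()):
        ports = {h["dpt"] for h in hits}
        if len(ports) >= port_threshold:
            alerts.append({"src": src, "dst": dst, "start": start, "distinct_ports": len(ports)})
    return alerts


def build_sample_cdrs():
    """Constructed data: a quiet minute, then a minute flooded with short spoofed calls."""
    rows = ["1476300000,6025550123,911,40", "1476300015,4805550187,911,95",
            "1476300045,6235550110,911,60"]
    for i in range(30):  # 30 two-second calls from caller IDs that cannot exist on the NANP
        rows.append(f"{1476300060 + 2 * i},{'0000000000' if i % 2 else '1234567890'},911,2")
    rows.append("1476300070,6025550199,911,30")  # one real caller buried in the flood
    return "\n".join(rows)


def build_sample_firewall_log():
    """Constructed data: normal HTTPS traffic, then one source probing 25 ports in 9 seconds."""
    lines = ["1476300200 SRC=198.51.100.20 DST=192.0.2.10 DPT=443 ACTION=ACCEPT",
             "1476300201 SRC=198.51.100.21 DST=192.0.2.10 DPT=443 ACTION=ACCEPT"]
    for i in range(25):
        lines.append(f"{1476300300 + i // 3} SRC=203.0.113.5 DST=192.0.2.10 DPT={20 + i} ACTION=DROP")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_tdos(parse_cdrs(build_sample_cdrs())):
        print("TDoS:", alert)
    for alert in detect_port_scan(parse_firewall_log(build_sample_firewall_log())):
        print("Port scan:", alert)
```

(U) On the constructed data the TDoS detector reports one flooded minute (31 calls to 911, 30 of them from implausible caller IDs, severity high) and the scan detector reports one source touching 25 distinct ports on one host. Thresholds must be tuned to the agency's normal call and connection volume; a mass-casualty event also produces a spike in legitimate 911 calls, which is why the caller-ID plausibility ratio is reported alongside the raw count rather than used alone.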