Federal Bureau of Investigation

FBI Cyber Division
Counterterrorism Division
Office of Private Sector
National Domestic Communications Assistance Center
Behavioral Analysis Unit
Counterintelligence Division
Phoenix Field Office
Criminal Justice Information Systems Division

The number of active shooter incidents in schools (ASIS) has remained steady over the past 18 years, with an average of 2.8 shootings per year. ASIS are most likely to happen at the high school level or higher (37 out of 52). The average deaths from ASIS was 7.4; however, this includes the 2007 Virginia Tech shooting and the 2012 Sandy Hook Elementary School shooting, where 32 and 26 people died, respectively. Most of the deaths from ASIS resulted during incidents that met the threshold for a mass killing (81 percent).

FBI Behavioral Analysis Unit’s Key Findings in October 2017 Las Vegas Mass Shooting

January 30, 2019

On October 1, 2017, over 22,000 people gathered for a music festival at a 15-acre, open-air concert venue in Las Vegas, Nevada. On the final night of the festival, Stephen Craig Paddock opened fire into the crowd from the 32nd floor of the Mandalay Bay Resort and Casino. The gunfire started around 10:05 p.m. and continued for approximately eleven minutes, with Paddock firing over 1,000 rounds. Fifty-eight persons were killed and several hundred more were injured. As responding law enforcement officers assembled in the hallway outside of his hotel room, Paddock committed suicide.

FBI Study: Pre-Attack Behaviors of Active Shooters in the U.S. 2000-2013

September 17, 2018

In 2017 there were 30 separate active shootings in the United States, the largest number ever recorded by the FBI during a one-year period.1 With so many attacks occurring, it can become easy to believe that nothing can stop an active shooter determined to commit violence. “The offender just snapped” and “There’s no way that anyone could have seen this coming” are common reactions that can fuel a collective sense of a “new normal,” one punctuated by a sense of hopelessness and helplessness. Faced with so many tragedies, society routinely wrestles with a fundamental question: can anything be done to prevent attacks on our loved ones, our children, our schools, our churches, concerts, and communities?

FBI Cyber Bulletin: Identified Qakbot Malware Variant Found on Thumb Drive Manufactured in China

August 5, 2018

In March 2018, an identified financial services corporation received a thumb drive infected with the bank credential-stealing Qakbot malware variant, targeting information from networked computers and financial institution web sites. The financial services corporation purchased bulk thumb drives from a US online retailer of computer hardware. The thumb drives were originally manufactured in China. According to FBI forensic analysis, the Qakbot malware was on the infected thumb drive before the drive arrived in the United States. Qakbot is extremely persistent and requires removal of all malware from every device. Failure to remove even one node of malware may result in re-infecting previously sanitized systems possibly costing the victim hundreds of thousands of dollars in malware removal and system downtime.

FBI Report: Active Shooter Incidents in the United States in 2016 and 2017

July 29, 2018

As with past FBI active shooter-related publications, this report does not encompass all gun-related situations. Rather, it focuses on a specific type of shooting situation. The FBI defines an active shooter as one or more individuals actively engaged in killing or attempting to kill people in a populated area. Implicit in this definition is the shooter’s use of one or more firearms. The active aspect of the definition inherently implies that both law enforcement personnel and citizens have the potential to affect the outcome of the event based upon their responses to the situation.

FBI Report: E-mail Account Compromise Techniques Used to Steal Millions in Real Estate Settlement Funds

July 4, 2018

The Office of Private Sector, in coordination with the Criminal Investigative Division, is providing this LIR to inform private sector partners about the increasing use of e-mail account compromise (EAC) techniques in the US real estate settlement industry. Consumer borrowers, settlement/title companies, real estate agents, real estate attorneys, builders, and others are being targeted by criminal actors netting millions in illicit proceeds. These proceeds are often directed initially to US banks then re-directed via money service businesses and international accounts to Mexico, Nigeria, South Africa, China, Ghana, Turkey, and India. The increased use of EAC techniques, as well as, the evolving expansion into previously unidentified countries indicates this fraud scheme is not slowing and puts additional strain on industry participants to be vigilant with their e-mail communications and identity verification processes.

FBI Cyber Bulletin: APT Actors Likely to Target US Cleared Defense Contractors

June 23, 2018

APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.

(U//FOUO) DHS-FBI-NCTC Bulletin: Online Information May Provide Potential Roadmap for Crude Chemical-Biological Attacks

March 18, 2018

The late 2016 arrest of two California teenagers for allegedly planning a “mass casualty event” by carrying out a chemical attack at a local high school pep rally highlights how individuals can use online resources to plan crude chemical or biological attacks. Violent extremists continue to circulate often ineffective or misleading how-to instructions for producing and disseminating poisons, crude biological toxins, and toxic industrial chemicals that in many cases are commercially available and easy to obtain. While we have no indication the suspects in this case subscribed to or consumed material related to violent extremist ideologies, their activity highlights one path to conducting a potential chemical or biological attack.

FBI Cyber Division Bulletin: Cyber Criminal Group Threatens Schools and Students

February 5, 2018

Since April 2016, a loosely affiliated group of highly trained hackers calling themselves TheDarkOverlord (TDO) have conducted various extortion schemes with a recent focus on the public school system. TDO used remote access tools to breach school district networks and then proceeded to steal sensitive data. To extort money from its victims, including students, TDO threatened violence or the release of stolen sensitive data.

(U//FOUO) DHS-FBI-NCTC Bulletin: Rail-Safety for First Responders

December 10, 2017

There is continued terrorist interest in attacking the rail system either as the primary target or as an attack mechanism. The US railroad system includes 800 railroads, 144,000 miles of track, and 212,000 railroad crossings. First responders should work closely with railroad police departments and other security partners to better protect rail assets—including freight rail (railcars loaded with commodities or hazardous materials), passenger rail (Amtrak, regional, or commuter rail), heavy rail (metro, and subway), and light rail (street cars, tramways, or trolleys)—from terrorist attacks and criminal activities. This product was developed to provide general rail safety tips and resources to help increase first responder awareness of the rail environment.

DHS-FBI-NCTC Bulletin: Complex Operating Environment Food and Agriculture

November 12, 2017

Food and agriculture infrastructure is a $1 trillion industry, almost entirely under private ownership and comprises an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities. Intentional contamination of the food supply could have significant public health and economic consequences depending on the commodity, the agent used, and where in the supply chain the contaminant was added. This product provides first responders and private-sector stakeholders an awareness of the complex operating environment that may result from intentional contamination of the food supply and identifies key collaborative partners and indicators to minimize the risk of an intentional attack on the food supply.

DHS-FBI Guide: Handling Threats to Private Citizens and Locations Named Online by Violent Extremists

October 22, 2017

The fusion center has no information to indicate specific or credible threats to people whose names have been published online by violent extremists. You are being provided this advisory to assist your agency in responding to queries from members of the public or other concerned parties. This information, which often includes personally identifiable information (PII) obtained maliciously via the Internet, most likely represents aspirational threats. Its primary purpose is likely to heighten anxiety and a sense of vulnerability. It is unlikely that violent extremist-inspired individuals in the United States will target people identified online, but this cannot be ruled out entirely.

DHS-FBI-NCTC Bulletin: Acid Attacks Potential Opportunistic Threat and Treatment Awareness

October 8, 2017

The number of criminal and gang-related assaults involving acid or other corrosive substances has risen sharply in some Western countries. As of July 2017, police statistics in England indicate assaults and threats involving corrosives have risen from 183 in 2012 to more than 500 this year, according to open source reporting. Although there has been minimal specific interest by terrorists in acid attacks to date, we judge the increase in criminal incidents coupled with recent English-language terrorist messaging encouraging attacks using acid may spur opportunistic terrorist use of the tactic, underscoring the potential threat and importance of an immediate on-scene emergency response.

(U//LES) FBI Intelligence Assessment: Black Identity Extremists Likely Motivated to Target Law Enforcement Officers

October 7, 2017

The FBI assesses it is very likely Black Identity Extremist (BIE) perceptions of police brutality against African Americans spurred an increase in premeditated, retaliatory lethal violence against law enforcement and will very likely serve as justification for such violence. The FBI assess it is very likely this increase began following the 9 August 2014 shooting of Michael Brown in Ferguson, Missouri, and the subsequent Grand Jury November 2014 declination to indict the police officers involved. The FBI assesses it is very likely incidents of alleged police abuse against African Americans since then have continued to feed the resurgence in ideologically motivated, violent criminal activity within the BIE movement. The FBI assesses it is very likely some BIEs are influenced by a mix of anti-authoritarian, Moorish sovereign citizen ideology, and BIE ideology. The FBI has high confidence in these assessments, based on a history of violent incidents attributed to individuals who acted on behalf of their ideological beliefs, documented in FBI investigations and other law enforcement and open source reporting. The FBI makes this judgment with the key assumption the recent incidents are ideologically motivated.

(U//FOUO) DHS Reference Aid: Overview of Recently Successful or Arrested HVEs’ Radicalization to Violence

September 4, 2017

This Reference Aid is based on I&A’s review of the radicalization to violence of 39 US homegrown violent extremists (HVEs) who either successfully carried out or were arrested before attempting to carry out attacks in the Homeland between 1 January 2015 and 31 December 2016. It is intended to inform federal, state, local, tribal, and territorial counterterrorism, law enforcement, and countering violent extremism (CVE) officials. For additional information about these HVEs, please see the classified I&A Intelligence Assessment “(U//FOUO) Commonalities in HVEs’ Radicalization to Violence Provide Prevention Opportunities,” published 10 February 2017.

(U//FOUO) DHS-FBI-NCTC Guide: Terrorist Attack Planning Cycle – A Homeland Case Study

September 4, 2017

This case study is an examination of behaviors that resulted in a disrupted terrorist attack, revealing a cycle of planning and preparation that could provide indicators for preventing similar attempts. The terrorist attack planning cycle is not a static, linear process but rather could begin in any of the several stages with variances in details, sequence, and timing. An individual’s mobilization to violence often provides observable behavioral indicators such as, pre-attack surveillance, training, and rehearsal. The indicators potentially allow third-party observers and law enforcement to identify individuals moving to violence, circumstances that may allow for disruption of planned attacks. This product is intended to cultivate an awareness of the planning cycle among stakeholders for identification, mitigation, and disruption of attack planning.

DHS-FBI-NCTC Guide: International Partnerships Necessary To Mitigate ISIS’s Organ Harvesting for Terrorist Funding

September 3, 2017

The Islamic State of Iraq and ash-Sham (ISIS) is attempting to obtain money from organ harvesting, including from its own injured members, captives, and deceased individuals. Identification, prevention, and interdiction of organ harvesting and trafficking is a highly complex issue which may be effectively addressed through international partnerships among governmental, health, law enforcement, legal, and private-sector entities.

(U//FOUO) DHS-FBI-NCTC Guide: Cyber Threats to First Responders are a Persistent Concern

August 28, 2017

We assess with moderate confidence that cyber actors, including those who support violent extremism, are likely to continue targeting first responders on the World Wide Web, including by distributing personally identifiable information (PII) for the purpose of soliciting attacks from willing sympathizers in the homeland, hacking government websites, or attacking 911 phone systems to hinder first responders’ ability to respond to crises.

FBI Cyber Bulletin: IP Addresses and Domains Used by Iran-Based Cyber Actors to Attack Victims Worldwide

July 31, 2017

The FBI assesses a group of malicious cyber actors—likely located in Iran—use Virtual Private Server infrastructure hosted in the United States to compromise government, corporate, and academic computer networks based in the Middle East, Europe and the United States. This infrastructure is used in conjunction with identified malicious domains to support a broad cyber campaign which likely includes the use of e-mail spear phishing, social engineering, and malicious Web sites (“watering hole attack”). These cyber actors almost certainly have been involved in this activity since at least early-2015.

Page 2 of 2

« 1 2

China, Federal Bureau of Investigation

Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center

Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center

Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center

Department of Homeland Security, Federal Bureau of Investigation, Intelligence Fusion Centers

Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center

Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center

Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center

Department of Homeland Security, Federal Bureau of Investigation, National Counterterrorism Center