Originating Organization: United States/Department of Homeland Security/Office of Intelligence and Analysis

(U//FOUO) DHS Report: Chinese Municipal Government Publishing Anti-US Social Media Content With Limited Reach

A People’s Republic of China (PRC) municipal government-controlled media outlet is very likely directing a cluster of English-language, coordinated inauthentic Twitter accounts that posted content denigrating the United States (see graphics). The cluster of accounts, which we have dubbed SPICYPANDA, has been active from at least January 2021 and has published sophisticated content, but it failed to grow a follower base thus far. DHS attributed SPICYPANDA to the municipal media entity Chongqing International Communications Center (CICC) based on its leadership’s creation of SPICYPANDA’s anti-US messaging campaign, its overt ties to a website promoted by the accounts, and its Western social media messaging accolades and capabilities.

(U//FOUO) DHS Bulletin: Online Foreign Influence Snapshot August 2022

We judge that narratives driven by Chinese, Iranian, and Russian state media, and proxy websites linked to these governments, often involve fact-based articles as well as editorials; these publications may include misinformation, disinformation, or factual but misrepresented information. This monthly “Snapshot” compiles English-language narratives, which we assess are intended for US and Western audiences, and highlights both consistent trends and emergent messaging, which we assess to reveal foreign actors’ changing influence priorities. We judge that, typically, China uses state and proxy media—including US-based outlets—to try to shape diaspora conduct and US public and leadership views; Iran state media manipulates emerging stories and emphasizes Tehran’s strength while denigrating US society and policy; and Russia uses both state and proxy media to amplify narratives seeking to weaken Washington’s global position relative to Moscow’s.

(U//FOUO) DHS Bulletin: Russia Cyber Threat Overview Substantive Revision

This Intelligence In View provides federal, state, local, and private sector stakeholders an overview of Russian Government-affiliated cyber activity targeting the United States and Russian regional adversaries, including disruptive or destructive cyber activity, cyber espionage in support of intelligence collection, and malign foreign influence in service of Russian political agendas. This In View also provides examples of malware and tools used by Russian Government-affiliated cyber actors.

(U//FOUO) DHS Bulletin: Domestic Violent Extremist Activity Likely in Response to US Supreme Court Decision on Abortion

Some domestic violent extremists (DVEs) will likely exploit the recent US Supreme Court decision to overturn Roe v. Wade to intensify violence against a wide range of targets. We expect violence could occur for weeks following the release, particularly as DVEs may be mobilized to respond to changes in state laws and ballot measures on abortion stemming from the decision. We base this assessment on an observed increase in violent incidents across the United States following the unauthorized disclosure in May of a draft majority opinion on the case.

(U//FOUO) DHS Reference Aid: 3-D Printed Plastic Weapons, Equipment, and Materials

Domestic violent extremists (DVEs) continue to exploit 3-D printing to produce weapons and firearm accessories that are unregulated and easy to acquire, according to recent federal and local arrests. This jointly authored Reference Aid is intended to highlight recent incidents of DVE misuse of 3-D printing and demonstrative examples of how the tactic could be exploited by DVEs in the United States.

(U//FOUO) DHS Bulletin: Moscow’s Invasion of Ukraine Impeding Reach of Russian State Media in the West

Russia’s invasion of Ukraine has spurred Western governments, social media companies, and individuals to limit or disengage from Russian state media outlets, likely degrading many outlets’ ability to directly message to Western audiences through 2022. This Western response impedes the ability of critical elements of Russia’s influence ecosystem to recruit and retain culturally adept media talent, shape in-country reporting, maintain a perception of media independence, and generate revenue. These setbacks affect multiple facets of RT’s and Sputnik’s operations, hampering the prospects for a speedy reconstitution of their Western-facing efforts. These actions, and others being considered by Western countries, go well beyond previous efforts to counter Moscow’s use of its state media outlets to spread mis-, dis-, and malinformation (MDM), such as deplatforming, foreign agent registration, and social media labeling of content.

(U//FOUO) DHS Bulletin: Warning of Potential for Cyber Attacks Targeting the United States in the Event of a Russian Invasion of Ukraine

We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security. Russia maintains a range of offensive cyber tools that it could employ against US networks—from low-level denials-of-service to destructive attacks targeting critical infrastructure. However, we assess that Russia’s threshold for conducting disruptive or destructive cyber attacks in the Homeland probably remains very high and we have not observed Moscow directly employ these types of cyber attacks against US critical infrastructure—notwithstanding cyber espionage and potential prepositioning operations in the past.

(U//FOUO) DHS Bulletin: Iranian Influence Efforts Primarily Use Online Tools to Target US Audiences, Remain Easily Detectable for Now

We assess that Iran likely will continue to rely primarily on proxy news websites and affiliated social media accounts to attempt sustained influence against US audiences, while we expect intermittent, issue-specific influence attempts via other means (e.g., e-mails). We base this assessment on Iran’s actions since at least 2008 to build and maintain vast malign influence networks anchored by proxy websites, as well as Iran’s attempts to find new avenues to re-launch established malign influence networks after suspension. Tehran employs a network of proxy social media accounts and news websites that typically launder Iranian state media stories (stripped of attribution), plagiarize articles from Western wire services, and occasionally pay US persons to write articles to appear more legitimate to US audiences.

(U//FOUO) DHS Bulletin: Russia Likely to Continue Seeking to Undermine Faith in US Electoral Process

We assess that Russia is likely to continue amplifying criticisms of vote-by-mail and shifting voting processes amidst the COVID-19 pandemic to undermine public trust in the electoral process. Decisions made by state election officials on expanding vote-by-mail and adjusting in-person voting to accommodate challenges posed by COVID-19 have become topics of public debate. This public discussion represents a target for foreign malign influence operations that seek to undermine faith in the electoral process by spreading disinformation about the accuracy of voter data for expanded vote-by-mail, outbound/inbound mail ballot process, signature verification and cure process, modifying scale of in-person voting, and safety and health concerns at polling places, according to CISA guidance documents provided to state and local election officials.

(U//FOUO) DHS Intelligence Bulletin: Worldwide Terrorist Operations Linked to Lebanese Hizballah or Iran

This Reference Aid examines tactics and targets garnered from a review of attacks or disrupted terrorist operations from 2012-2018 linked to either Lebanese Hizballah (LH) or Iran. It identifies behaviors and indicators that may rise to the level for suspicious activity reporting in areas such as recruitment, acquisition of expertise, materiel and weapons storage, target type, and operational security measures, which could assist federal, state, local, tribal, and territorial government counterterrorism agencies, law enforcement officials, and private sector partners in detecting, preventing, preempting, and disrupting potential terrorist activity in the Homeland. This Reference Aid does not imply these indicators would necessarily be observed or detected in every situation or that LH and Iran necessarily use the same tactics or demonstrate the same indicators. Some of these detection opportunities may come during the course of normal investigations into illegal activities in the United States such as illicit travel or smuggling of drugs, weapons, or cash, and lead to the discovery of pre-operational activity.

(U//FOUO) DHS-FBI-NCTC Bulletin: Attacks on Mosques in Christchurch, New Zealand May Inspire Supporters of Violent Ideologies

This Joint Intelligence Bulletin (JIB) is intended to provide information on Australian national and violent extremist Brenton Tarrant’s 15 March 2019 attacks on two mosques in Christchurch, New Zealand. These attacks underscore the enduring nature of violent threats posed to faith-based communities. FBI, DHS, and NCTC advise federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners responsible for securing faith-based communities in the Homeland to remain vigilant in light of the enduring threat to faith-based communities posed by domestic extremists (DEs), as well as by homegrown violent extremists (HVEs) who may seek retaliation.

(U//FOUO) DHS Guide: Cross-Border Gangs and their Mexican Drug Cartel Affiliations

Cross-border gangs play a unique role in the illicit transfer of people and goods across the southwest border. According to law enforcement reporting, Mexican cartels utilize US gangs to smuggle drugs and illegal aliens northbound, and smuggle cash, stolen automobiles, and weapons southbound. US gangs often freelance their work and seek profit-making opportunities with multiple cartels.

(U//FOUO) DHS Intelligence Note: Unidentified Cyber Actor Attacks State and Local Government Networks with GrandCrab Ransomware

An unidentified cyber actor in mid-March 2018 used GrandCrab Version 2 ransomware to attack a State of Connecticut municipality network and a state judicial branch network, according to DHS reporting derived from a state law enforcement official with direct and indirect access. The municipality did not pay the ransom, resulting in the encryption of multiple servers that affected some data backups and the loss of tax payment information and assessor data. The attack against the state judicial branch resulted in the infection of numerous computers, but minimal content encryption, according to the same DHS report.

(U//FOUO) DHS-FBI-NCTC Bulletin: Online Information May Provide Potential Roadmap for Crude Chemical-Biological Attacks

The late 2016 arrest of two California teenagers for allegedly planning a “mass casualty event” by carrying out a chemical attack at a local high school pep rally highlights how individuals can use online resources to plan crude chemical or biological attacks. Violent extremists continue to circulate often ineffective or misleading how-to instructions for producing and disseminating poisons, crude biological toxins, and toxic industrial chemicals that in many cases are commercially available and easy to obtain. While we have no indication the suspects in this case subscribed to or consumed material related to violent extremist ideologies, their activity highlights one path to conducting a potential chemical or biological attack.

(U//FOUO) DHS Bulletin: Chemical Splash and Spray Attacks Potential Tactic for Violent Extremists in Homeland

We assess that terrorists likely view tactics involving throwing or spraying acids and a variety of chemical liquids, hereafter referred to as a chemical spray and splash attack (CSSA), as a viable tactic to cause injury and disrupt critical infrastructure, judging from open source reporting describing terrorist social media posts and terrorist and violent extremist use of this tactic overseas. An analysis of a small number of incidents described in media reporting revealed that CSSAs are commonly used by criminal actors to further criminal activities and by violent extremist groups overseas to create fear, intimidate, punish, and disfigure individuals and groups that resist their control or ideology in their area of operations; the tactic, however, has rarely been operationalized by actors in the Homeland. We note, however, that homegrown violent extremists (HVEs) and lone offenders likely would find this tactic appealing and could easily adapt it to the Homeland, as it requires no specific technical expertise and the materials most often associated with criminal attack are usually unregulated and widely available.

(U//FOUO) DHS Reference Aid: Overview of Recently Successful or Arrested HVEs’ Radicalization to Violence

This Reference Aid is based on I&A’s review of the radicalization to violence of 39 US homegrown violent extremists (HVEs) who either successfully carried out or were arrested before attempting to carry out attacks in the Homeland between 1 January 2015 and 31 December 2016. It is intended to inform federal, state, local, tribal, and territorial counterterrorism, law enforcement, and countering violent extremism (CVE) officials. For additional information about these HVEs, please see the classified I&A Intelligence Assessment “(U//FOUO) Commonalities in HVEs’ Radicalization to Violence Provide Prevention Opportunities,” published 10 February 2017.