Various cyber actors have engaged in malicious activity against Government and Private Sector entities. The apparent objective of this activity has been the theft of intellectual property, trade secrets, and other sensitive business information. To this end, the malicious actors have employed a variety of techniques in order to infiltrate targeted organizations, establish a foothold, move laterally through the targets’ networks, and exfiltrate confidential or proprietary data. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation and other partners, has created this Joint Indicator Bulletin, containing cyber indicators related to this activity. Organizations are advised to examine current and historical security logs for evidence of malicious activity related to the indicators in this bulletin and deploy additional protections as appropriate.
This Joint Intelligence Bulletin provides law enforcement and private sector safety officials with protective measures in light of the recent explosions that took place at the 2013 Boston Marathon in Boston, Massachusetts. The information is provided to support the activities of DHS and FBI and to assist federal, state, local, tribal, and territorial government counterterrorism and first responder officials and the private sector to deter, prevent, preempt, or respond to terrorist attacks in the United States.
This Joint Intelligence Bulletin provides information on the devices used in the 15 April 2013 Boston Marathon explosions. The information is intended to provide aid in identifying devices and to support the activities of DHS and FBI and to assist federal, state, local, tribal, and territorial government counterterrorism and first responder officials and the private sector to deter, prevent, preempt, or respond to terrorist attacks in the United States.
This is an update of an RCR published on 1 July 2010. Rudimentary improvised explosive devices (IEDs) using pressure cookers to contain the initiator, switch, and explosive charge frequently have been used in Afghanistan, India, Nepal, and Pakistan. Pressure cookers are common in these countries, and their presence probably would not seem out of place or suspicious to passersby or authorities. Presence in an unusual location—or if noticed in a contanier such as a backpack—should be treated as suspicious.
Expressed or implied threats by an individual or a group communicating intent to commit acts of terrorism or violence or advocating violence against a person, population, or to damage or destroy a facility can be an indicator of pre-operational attack planning. For example, in 2010 a Virginia-based US person pled guilty to communicating threats after he posted a video to the Internet encouraging violent extremists to attack the creators of a television show, including highlighting their residence and urging online readers to “pay them a visit.” He also admitted to soliciting others to desensitize law enforcement by placing suspicious looking but innocent packages in public places, which could then be followed up by real explosives.
Stolen, cloned, or repurposed commercial or official vehicles—such as police cars, ambulances, and public utility service trucks—have been used in terrorist attacks. These vehicles could facilitate terrorist access to restricted and hardened targets as well as to emergency scenes. The use of these vehicles can provide individuals the ability to approach targets to conduct pre-operational surveillance or carry out primary attacks or secondary attacks against first responders.
A DHS presentation from March 11, 2013 regarding the implementation of Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” authored by the Cyber-Dependent Infrastructure Identification Working Group (CDIIWG).
This guide offers recommendations for local outreach campaigns, explains how to effectively develop and disseminate messages in order to help the public better understand their role in reporting suspicious activity, and helps law enforcement agencies and community partners to understand, navigate, and use the many resources available to help build and sustain local efforts. New technologies, resources, and innovative practices highlighted within this document can be used to improve the education, communication, and trust amongst communities and law enforcement agencies who serve them. With the proper tools and knowledge, individuals and entire communities will help law enforcement agencies identify, investigate, and prevent crime and terrorism.
GAO Report: Increasing the Effectiveness of Efforts to Share Terrorism-Related Suspicious Activity Reports
The Department of Justice (DOJ) has largely implemented the Nationwide Suspicious Activity Reporting Initiative among fusion centers—entities that serve as the focal point within a state for sharing and analyzing suspicious activity reports and other threat information. The state and local law enforcement officials GAO interviewed generally said the initiative’s processes worked well, but that they could benefit from additional feedback from the Federal Bureau of Investigation (FBI) on how the reports they submit are used. The FBI has a feedback mechanism, but not all stakeholders were aware of it. Implementing formalized feedback mechanisms as part of the initiative could help stakeholders conduct accurate analyses of terrorism-related information, among other things.
The Homeland Security Geospatial Concept of Operations (GeoCONOPS) provides an understanding of the current landscape for the coordination of disaster response geospatial activities at the Federal level. The document serves the geospatial communities that support emergency management activities of the Federal government under Presidential Policy Directive 8 (PPD-8). This includes individual Emergency Support Functions (ESFs), the Joint Field Offices, FEMA Regional Coordination Centers (RRCC), and the National Response Coordination Center (NRCC). Stakeholders and actors representing the federal geospatial community have been extensively engaged in providing input for the development of the GeoCONOPS document. The GeoCONOPS serves as a guide to the Federal departments and agencies providing geospatial support under the Stafford Act which defines the programs and processes by which the Federal Government provides disaster and emergency assistance to state and local governments, tribal nations, eligible private nonprofit organizations, and individuals affected by a declared major disaster or emergency.
A document issued last month by the Department of Homeland Security identifies priorities for the collection of suspicious activity reports from local communities around the U.S. The document describes”topics of interest” identified by DHS Intelligence and Analysis (DHS/I&A) analysts as priorities for the Winter 2013 period that should be utilized by “law enforcement, first responders, and other homeland security professionals” to improve their reporting of suspicious activity.
(U//FOUO) DHS Intelligence and Analysis Suspicious Activity Reporting (SAR) Topics of Interest Winter 2013
DHS/I&A is interested in the following SAR topics, which have been updated based on current issues of national interest. Previous topics remain relevant, and law enforcement, first responders, and other homeland security professionals should continue to submit reports on these issues. Per the SAR Functional Standard, only information validated as reasonably indicative of preoperational planning related to terrorism should be reported as a SAR. I&A is reviewing SAR reports on these topics but would welcome any additional context, ideas or local analysis on these topics and opportunities for joint production.
Terrorists are attempting to recruit new members in the United States and overseas to support their operations, obtain funding, and conduct terrorist attacks. For example, in May 2012, Maryland-based Mohammad Hassan Khalid pled guilty to attempting to use the Internet to recruit individuals who had the ability to travel to and around Europe to conduct terrorist acts, in addition to providing logistical and financial support to terrorists. In prior cases of recruitment, individuals who were willing to participate in terrorist acts became involved with known and suspected terrorists, participated in paramilitary training abroad, or tried to acquire small arms and build explosives.
Terrorists or cyber criminals might try to discover vulnerabilities in computer systems by engaging in unauthorized testing of cybersecurity in order to exploit those vulnerabilities during an attack. These attempts might include port scanning, phishing, and password cracking. “Social engineering,” another technique, leverages unwitting insider access by eliciting information about operational and security procedures from employees, personnel, and their associates.
This Joint Intelligence Bulletin (JIB) is intended to provide information on the recent active shooter incidents that have taken place in the Homeland. This information is provided to support the activities of DHS and FBI and to assist private sector security officials and federal, state, local, tribal, and territorial law enforcement in identifying protective and support measures relating to active shooters.
Four days after the mass shooting last July in Aurora, Colorado, a project of the Houston Office of Public Safety and Homeland Security called Ready Houston released a training video to help educate members the public about how to survive a mass shooting. The six-minute video, which was produced with $200,000 from the Department of Homeland Security’s Urban Area Security Initiative, includes a dramatic recreation of a man dressed entirely in black walking into an office building and beginning to shoot people at random with a shotgun that he pulls from a small satchel. Variously described as “outlandish”, “surreal” and “over-the-top”, the video has met with mixed responses since it was re-released by several fusion centers and local agencies, including most recently the Alabama Department of Homeland Security.
This Reference Aid was jointly produced by DHS and the FBI to assist in the acquisition of detailed information in the aftermath of a successful or attempted radiological terrorism incident that would be of interest to the national law enforcement and emergency response communities. It is intended to help state, local, tribal, and territorial agencies and private sector entities deter, prevent, preempt, or respond to terrorist attacks against the United States.
(U//FOUO) DHS-FBI Bulletin: Indicators of Suspicious Chemical, Biological, and Radiological Activity
Law enforcement and first responders may encounter chemical, biological, or radiological (CBR) related material or equipment at private residences, businesses, or other sites not normally associated with such activities. There are legitimate reasons for possessing such material or equipment, but in some cases their presence can indicate intent or capability to build CBR weapons, particularly when other suspicious circumstances exist.
Terrorists may attempt to steal or divert precursor materials, uniforms, identification, blueprints, documents, access cards, facility vehicles, or other items–possibly with the help of knowledgeable insiders–for use in pre-operational planning or attacks. Emilio Suarez Trashorras, a Spanish national convicted for his role in the 2004 Madrid train bombings, stole the explosives used in the attack and the vehicles used to transport the explosives from a mining company where he worked.
(U//FOUO) National Counterterrorism Center Special Report: IED Targeting of First Response Personnel
Although most terrorist IED attacks outside war zones target civilians or symbols of authority and usually involve a single device, some are designed specifically to target emergency response personnel. The most common tactics involve using secondary or tertiary devices in tiered or sequential attacks intended to kill or maim response personnel after they arrive on the scene of an initial IED incident.
Terrorists may attempt to gain skills and knowledge necessary to plan and execute by obtaining specialized training, soliciting or stealing technical and proprietary information, or reaching out to academics and experts. In 2007, German police arrested three terrorist suspects for allegedly planning and preparing car bomb attacks against US citizens and interests in Germany. The suspects traveled to Pakistan where they received weapons and explosives training from a Pakistan-based Uzbek jihadist group called the Islamic Jihad Union.
This report examines the UASI grant program, including a detailed review of 15 cities that have received funding through the program. It is intended to assess whether spending on DHS antiterrorism grants like UASI have made us safer, and whether the taxpayer dollars that have been spent on these programs have yielded an adequate return on investment in terms of improved security.
Terrorists often conduct physical surveillance to identify suitable targets, determine vulnerabilities, plan attack methods, or assess the target’s security posture. In March 2010, David Coleman Headley pled guilty for his role in the November 2008 terrorist attacks in Mumbai, India by conducting video and photographic surveillance of potential targets, as well as later surveilling Danish newspaper offices–the target of another attack plot.
Terrorists and criminals may use photos or videos of potential targets to gain insight into security operations and details of facility operations, including traffic flow through and around facilities, opening times, and access requirements. In late 2000 and early 2001, convicted al-Oa’ida operative Dhiren Barot took extensive video footage and numerous photographs of sites in downtown New York City and Washington, DC in preparation for planned attacks. Photographs and video useful in planning an attack may include facility security devices (surveillance cameras, security locks, metal detectors, jersey walls and planters); security personnel; facility entrances and exits; and other features such as lighting, access routes, gates, roads, walkways, and bridges.
Terrorists overseas and in domestic attack plots have used various methods to acquire and store materials necessary to construct explosives. Najibullah Zazi, who pled guilty in 2010 to plotting to attack the New York subway system, made multiple, large-quantity purchases of chemical components needed to assemble the homemade explosive Triacetone Triperoxide (TATP)—6 bottles on one day and 12 bottles on a separate day—at beauty supply stores throughout the summer of 2009. Law enforcement and first responders should be aware that the possession, storage, or attempt to acquire unusual quantities of laboratory equipment, personal protective equipment, chemicals, and flammable accelerants—although legal to purchase and own—could provide indicators of preoperational attack planning.