Following the Office of the Inspector General’s (OIG) April 2011 report on the FBI’s ability to address the national cyber intrusion threat, in October 2012 the FBI launched its Next Generation Cyber (Next Gen Cyber) Initiative to enhance its ability to address cybersecurity threats to the United States. In fiscal year 2014, the FBI initially budgeted $314 million for its Next Gen Cyber Initiative, including a total of 1,333 full-time positions (including 756 agents). In addition, the Department of Justice (Department) requested an $86.6 million increase in funding for fiscal year 2014 to support the Initiative. The objective of this audit was to evaluate the FBI’s implementation of its Next Gen Cyber Initiative.
Militia extremists are expanding their target sets to include Muslims and Islamic religious institutions in the United States. This has resulted in increased violent rhetoric and plotting and has the potential to lead, over the long term, to additional harassment of or violence against Muslims by domestic extremists. The FBI makes these assessments with high confidence on the basis of a large body of source reporting generated mainly since 2013. This information augments prior FBI analysis that established militia extremists target government personnel and law enforcement officers, perceived threats from abroad, and individuals or institutions that seek to constrain Second Amendment rights.
In May 2015, the wife of a US military member was approached in front of her home by two Middle-Eastern males. The men stated that she was the wife of a US interrogator. When she denied their claims, the men laughed. The two men left the area in a dark-colored, four-door sedan with two other Middle-Eastern males in the vehicle. The woman had observed the vehicle in the neighborhood on previous occasions.
FBI Cyber Division Bulletin: Hacking Team Exploit Used in Spearphishing Campaign Targeting U.S. Government
A bulletin issued by the FBI Cyber Division discusses a spearphishing campaign targeting U.S. government agencies in June and July of 2015. The campaign utilized a Adobe Flash exploit CVE-2015-5119 that was discovered in the 400GB data archive from hacked Italian surveillance technology company Hacking Team that was released publicly earlier this month. The exploit was being sold as a product of Hacking Team and was listed in their product knowledge base. The bulletin notes that the Flash exploit was being used in phishing emails in June 2015 despite the fact that the Hacking Team data was only made public on July 5, 2015.
FBI Cyber Division Bulletin: Distributed Denial of Service Attack Bitcoin Extortion Campaigns Expanding
Recent FBI investigations and open source reporting reveal that extortion campaigns conducted via e-mails threatening Distributed Denial of Service (DDoS) attacks continue to expand targets from unregulated activities, such as illegal gaming activity, to now include legitimate business operations. The increase in scope has resulted in additional attacks with Bitcoin ransom amounts trending upwards as well.
(U//FOUO) DHS-FBI-NCTC Bulletin: ISIL Supporters Targeting Uniformed Personnel for Weapons and Equipment
In the first half of 2015 there were at least two instances of Islamic State of Iraq and the Levant (ISIL) inspired individuals in the West expressing interest in targeting law enforcement (LE) to obtain weapons and other specialized gear through theft. As ISIL continues to exhort its individuals in the West to carry out attacks, the potential exists that some terrorists may use this tactic and attempt to steal weapons or issued items, such as credentials, badges, uniforms, radios, ballistic vests, vehicles, and other equipment, which could be used in furtherance of an attack. We note that laws governing the purchase of firearms differ widely among Western nations making this tactic more likely to occur in countries where laws are most restrictive and firearms are harder to obtain through legitimate means.
The FBI has obtained information regarding cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII). Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by these groups. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
This Executive Summary provides a brief overview of the results of the Department of Justice (Department or DOJ) Office of the Inspector General’s (OIG) third review of the Federal Bureau of Investigation’s (FBI) use of the investigative authority granted by Section 215 of the Patriot Act. Section 215 is often referred to as the “business record” provision. The OIG’s first report, A Review of the Federal Bureau of Investigation’s Use of Section 215 Orders for Business Records, was issued in March 2007 and covered calendar years 2002 through 2005. The OIG’s second report, A Review of the FBI’s Use of Section 215 Orders for Business Records in 2006, was issued in March 2008 and covered calendar year 2006. This third review was initiated to examine the progress the Department and the FBI have made in addressing the OIG recommendations which were included in our second report. We also reviewed the FBI’s use of Section 215 authority in calendar years 2007, 2008, and 2009.
The FBI is providing the following information with HIGH confidence: The FBI has obtained information regarding one or more groups of cyber actors who have compromised and stolen sensitive business information from US commercial and government networks through cyber espionage. Analysis indicates a significant amount of the computer network exploitation activities emanated from infrastructure located within China. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
The FBI and TSA are currently analyzing claims in recent media reports which included statements that critical in-flight networks on commercial aircraft may be vulnerable to remote intrusion. At this time, the FBI and TSA have no information to support these claims but continue to leverage public and private sector partnerships to evaluate potential threats posed by intrusions into a commercial aircraft’s secure networks. The FBI and TSA also continuously monitor and analyze reporting on cyber and technical threats to proactively deter individuals from using remote intrusions to disrupt any portion of the aviation sector, including its business networks, critical navigation and air traffic control signals, and the onboard networks of commercial aircraft.
A joint intelligence bulletin released by the Department of Homeland Security and FBI to coincide with the twentieth anniversary of the Oklahoma City Bombing warns that “domestic extremism will remain a persistent threat through the end of 2015 and beyond” with “high confidence that lone offenders and those who pursue leaderless resistance continue to pose the greatest threat of violence.” The bulletin, which is based on “recent patterns of extremist activity” often “taken by those who plan and act alone or in small cells,” states that domestic extremism “remains a persistent threat, and the United States has experienced violent ideologically-motivated criminal acts, both prior to and after the Oklahoma City attack” including “assaults, arsons, shootings, and use, or attempted use, of improvised incendiary and explosive devices, resulting in death, injury, and property damage.” Moreover, the bulletin states that “many of the same motivations used by domestic extremists to justify their criminal acts in the mid-1990s—anti-government and anti-law enforcement sentiment; racial, ethnic, and religious hatred; and advocacy of violent conspiracy theories—continue to influence domestic extremists and their targeting choices in 2015.”
(U//FOUO) DHS-FBI Bulletin: Twenty Years After Oklahoma City Bombing, Domestic Extremism Remains a Persistent Threat
This Joint Intelligence Bulletin (JIB) prepared by the FBI and DHS is intended to provide law enforcement with a summary of significant domestic extremist incidents occurring during the previous 15 months. This product highlights the breadth and frequency of current domestic extremist threats against Homeland targets, and places them in the context of the 20th anniversary of the1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, Oklahoma. This information is provided to support the activities of the FBI and DHS and to assist other federal, state, local, tribal, and territorial counterterrorism and law enforcement officials and private sector security officials in identifying existing or emerging threats to homeland security.
As of early March 2015, several extremist hacking groups indicated they would participate in a forthcoming operation, #OpIsrael, which will target Israeli and Jewish Web sites. The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day. These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.
Information Sharing Environment (ISE) Functional Standard for Suspicious Activity Reporting Version 1.5.5
This issuance updates the Functional Standard for ISE-SARs and is one of a series of Common Terrorism Information Sharing Standards (CTISS) issued by the Program Manager for the Information Sharing Environment (PM-ISE). While limited to describing the ISE-SAR process and associated information exchanges, information from this process may support other ISE processes, to include alerts, warnings, and notifications; situational awareness reporting; and terrorist watchlisting.
Sovereign Citizen (SC) activity typically involves criminal behavior that is generally non-violent but has lead to threats and plots against Court Officials by the more extremist adherents. Below are some indicators that you have encountered a SC during your normal duties and be a signal that additional precautions against fraudulent filings and personal harm be used.
The vision of the 2014–2017 National Strategy is to connect the geographic and public safety diversity of over 38,000 states, counties, cities, and towns together in a way that creates a national information sharing asset that is coordinated with and contributes to federal information sharing efforts. Federal efforts to connect the knowledge and capabilities of the Intelligence Community (IC) often involve state and local law enforcement joining federal efforts. The NNFC is the reversal and broadening of this framework, inviting federal partners to join state and local public safety information sharing efforts. In carrying out this strategy, IC professionals have an opportunity and avenue to bring their knowledge and capabilities to state and major urban area fusion centers, designated by governors and staffed by state and local professionals. As a unique national asset, this state and local network must work seamlessly with field-based intelligence and information sharing entities, providing geographic and interdisciplinary knowledge and perspective without interrupting or replicating federal efforts. The 2014–2017 National Strategy integrates with other criminal intelligence sharing efforts supported by the Criminal Intelligence Coordinating Council.
The “innovative use of social media and messaging” by the Islamic State of Iraq and the Levant (ISIL) “has played a key role in motivating young Western males and females to travel to the Syrian conflict to join and support the self-declared Islamic State” according to a join intelligence bulletin released by the Department of Homeland Security and FBI last month. The 5-page bulletin titled “ISIL Social Media Messaging Resonating with Western Youth” was disseminated to law enforcement throughout the country at the end of February to report on the “continuing trend” of Western youth being inspired to travel to Syria and join ISIL forces. According to the bulletin, this trend is aided by the fact that “Western youth are willing to connect over social media with like-minded persons, and have proven adept at obfuscating such social media usage from their parents and guardians.”
This Joint Intelligence Bulletin (JIB) is intended to provide information on a continuing trend of Western youth being inspired by Islamic State of Iraq and the Levant (ISIL) messaging via social media to travel to Syria to participate in the conflict. This JIB is provided to support the activities of FBI and DHS to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks in the United States.
Since the May 2010 publication of the Roll Call Release “Terrorist Use of Propane Cylinders,” terrorists have continued to advocate the use of propane cylinders in building improvised explosive devices (IEDs). Throughout 2014, al-Qa‘ida-inspired violent extremists posted on the Internet English-language instructions for building and using propane IEDs and encouraged attacks in the United States. The posts recommended military, commercial, and financial sector targets, major metropolitan areas, and mass gatherings.
A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. The actors typically utilize common computer intrusion techniques such as the use of TOR, open source reconnaissance, exploitation via SQL injection and web shells, and open source tools for further network penetration and persistence. Internet-facing infrastructures, such as web servers, are typical targets for this group. Once the actors penetrate a victim network, the actors exfiltrate network design information and legitimate user credentials for the victim network. Often times, the actors are able to harvest administrative user credentials and use the credentials to move laterally through a network.
This Private Industry Notification (PIN) highlights the use of Global Positioning Systems (GPS) jammers by criminals to thwart law enforcement response and investigation into cargo thefts in the United States. Since at least February 2012, various law enforcement and private sector partners have reported that GPS tracking devices have been jammed by criminals engaged in nefarious activity including cargo theft and illicit shipping of goods. Although banned by federal law, the jammers are readily available over the Internet and easy to employ.
Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods. Analysis of this malware is presented to provide the computer network defense (CND) community with indicators of this malware.