The FBI has obtained information regarding cyber actors who have compromised and stolen sensitive business information and Personally Identifiable Information (PII). Information obtained from victims indicates that PII was a priority target. The FBI notes that stolen PII has been used in other instances to target or otherwise facilitate various malicious activities such as financial fraud though the FBI is not aware of such activity by these groups. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
This Executive Summary provides a brief overview of the results of the Department of Justice (Department or DOJ) Office of the Inspector General’s (OIG) third review of the Federal Bureau of Investigation’s (FBI) use of the investigative authority granted by Section 215 of the Patriot Act. Section 215 is often referred to as the “business record” provision. The OIG’s first report, A Review of the Federal Bureau of Investigation’s Use of Section 215 Orders for Business Records, was issued in March 2007 and covered calendar years 2002 through 2005. The OIG’s second report, A Review of the FBI’s Use of Section 215 Orders for Business Records in 2006, was issued in March 2008 and covered calendar year 2006. This third review was initiated to examine the progress the Department and the FBI have made in addressing the OIG recommendations which were included in our second report. We also reviewed the FBI’s use of Section 215 authority in calendar years 2007, 2008, and 2009.
The FBI is providing the following information with HIGH confidence: The FBI has obtained information regarding one or more groups of cyber actors who have compromised and stolen sensitive business information from US commercial and government networks through cyber espionage. Analysis indicates a significant amount of the computer network exploitation activities emanated from infrastructure located within China. Any activity related to these groups detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
The FBI and TSA are currently analyzing claims in recent media reports which included statements that critical in-flight networks on commercial aircraft may be vulnerable to remote intrusion. At this time, the FBI and TSA have no information to support these claims but continue to leverage public and private sector partnerships to evaluate potential threats posed by intrusions into a commercial aircraft’s secure networks. The FBI and TSA also continuously monitor and analyze reporting on cyber and technical threats to proactively deter individuals from using remote intrusions to disrupt any portion of the aviation sector, including its business networks, critical navigation and air traffic control signals, and the onboard networks of commercial aircraft.
A joint intelligence bulletin released by the Department of Homeland Security and FBI to coincide with the twentieth anniversary of the Oklahoma City Bombing warns that “domestic extremism will remain a persistent threat through the end of 2015 and beyond” with “high confidence that lone offenders and those who pursue leaderless resistance continue to pose the greatest threat of violence.” The bulletin, which is based on “recent patterns of extremist activity” often “taken by those who plan and act alone or in small cells,” states that domestic extremism “remains a persistent threat, and the United States has experienced violent ideologically-motivated criminal acts, both prior to and after the Oklahoma City attack” including “assaults, arsons, shootings, and use, or attempted use, of improvised incendiary and explosive devices, resulting in death, injury, and property damage.” Moreover, the bulletin states that “many of the same motivations used by domestic extremists to justify their criminal acts in the mid-1990s—anti-government and anti-law enforcement sentiment; racial, ethnic, and religious hatred; and advocacy of violent conspiracy theories—continue to influence domestic extremists and their targeting choices in 2015.”
(U//FOUO) DHS-FBI Bulletin: Twenty Years After Oklahoma City Bombing, Domestic Extremism Remains a Persistent Threat
This Joint Intelligence Bulletin (JIB) prepared by the FBI and DHS is intended to provide law enforcement with a summary of significant domestic extremist incidents occurring during the previous 15 months. This product highlights the breadth and frequency of current domestic extremist threats against Homeland targets, and places them in the context of the 20th anniversary of the1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, Oklahoma. This information is provided to support the activities of the FBI and DHS and to assist other federal, state, local, tribal, and territorial counterterrorism and law enforcement officials and private sector security officials in identifying existing or emerging threats to homeland security.
As of early March 2015, several extremist hacking groups indicated they would participate in a forthcoming operation, #OpIsrael, which will target Israeli and Jewish Web sites. The FBI assesses members of at least two extremist hacking groups are currently recruiting participants for the second anniversary of the operation, which started on 7 April 2013, and coincides with Holocaust Remembrance Day. These groups, typically located in the Middle East and North Africa, routinely conduct pro-extremist, anti-Israeli, and anti-Western cyber operations.
Information Sharing Environment (ISE) Functional Standard for Suspicious Activity Reporting Version 1.5.5
This issuance updates the Functional Standard for ISE-SARs and is one of a series of Common Terrorism Information Sharing Standards (CTISS) issued by the Program Manager for the Information Sharing Environment (PM-ISE). While limited to describing the ISE-SAR process and associated information exchanges, information from this process may support other ISE processes, to include alerts, warnings, and notifications; situational awareness reporting; and terrorist watchlisting.
Sovereign Citizen (SC) activity typically involves criminal behavior that is generally non-violent but has lead to threats and plots against Court Officials by the more extremist adherents. Below are some indicators that you have encountered a SC during your normal duties and be a signal that additional precautions against fraudulent filings and personal harm be used.
The vision of the 2014–2017 National Strategy is to connect the geographic and public safety diversity of over 38,000 states, counties, cities, and towns together in a way that creates a national information sharing asset that is coordinated with and contributes to federal information sharing efforts. Federal efforts to connect the knowledge and capabilities of the Intelligence Community (IC) often involve state and local law enforcement joining federal efforts. The NNFC is the reversal and broadening of this framework, inviting federal partners to join state and local public safety information sharing efforts. In carrying out this strategy, IC professionals have an opportunity and avenue to bring their knowledge and capabilities to state and major urban area fusion centers, designated by governors and staffed by state and local professionals. As a unique national asset, this state and local network must work seamlessly with field-based intelligence and information sharing entities, providing geographic and interdisciplinary knowledge and perspective without interrupting or replicating federal efforts. The 2014–2017 National Strategy integrates with other criminal intelligence sharing efforts supported by the Criminal Intelligence Coordinating Council.
The “innovative use of social media and messaging” by the Islamic State of Iraq and the Levant (ISIL) “has played a key role in motivating young Western males and females to travel to the Syrian conflict to join and support the self-declared Islamic State” according to a join intelligence bulletin released by the Department of Homeland Security and FBI last month. The 5-page bulletin titled “ISIL Social Media Messaging Resonating with Western Youth” was disseminated to law enforcement throughout the country at the end of February to report on the “continuing trend” of Western youth being inspired to travel to Syria and join ISIL forces. According to the bulletin, this trend is aided by the fact that “Western youth are willing to connect over social media with like-minded persons, and have proven adept at obfuscating such social media usage from their parents and guardians.”
This Joint Intelligence Bulletin (JIB) is intended to provide information on a continuing trend of Western youth being inspired by Islamic State of Iraq and the Levant (ISIL) messaging via social media to travel to Syria to participate in the conflict. This JIB is provided to support the activities of FBI and DHS to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks in the United States.
Since the May 2010 publication of the Roll Call Release “Terrorist Use of Propane Cylinders,” terrorists have continued to advocate the use of propane cylinders in building improvised explosive devices (IEDs). Throughout 2014, al-Qa‘ida-inspired violent extremists posted on the Internet English-language instructions for building and using propane IEDs and encouraged attacks in the United States. The posts recommended military, commercial, and financial sector targets, major metropolitan areas, and mass gatherings.
A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. The actors typically utilize common computer intrusion techniques such as the use of TOR, open source reconnaissance, exploitation via SQL injection and web shells, and open source tools for further network penetration and persistence. Internet-facing infrastructures, such as web servers, are typical targets for this group. Once the actors penetrate a victim network, the actors exfiltrate network design information and legitimate user credentials for the victim network. Often times, the actors are able to harvest administrative user credentials and use the credentials to move laterally through a network.
This Private Industry Notification (PIN) highlights the use of Global Positioning Systems (GPS) jammers by criminals to thwart law enforcement response and investigation into cargo thefts in the United States. Since at least February 2012, various law enforcement and private sector partners have reported that GPS tracking devices have been jammed by criminals engaged in nefarious activity including cargo theft and illicit shipping of goods. Although banned by federal law, the jammers are readily available over the Internet and easy to employ.
Destructive malware used by unknown computer network exploitation (CNE) operators has been identified. This malware has the capability to overwrite a victim host’s master boot record (MBR) and all data files. The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods. Analysis of this malware is presented to provide the computer network defense (CND) community with indicators of this malware.
The FBI Cyber Division has issued a notification to private industry and law enforcement to be aware of the potential for retaliatory cyber attacks following recent U.S. military actions in the Middle East. While the FBI has “no information at this time to indicate specific cyber threats to US networks or infrastructure in response to ongoing US military air strikes against the terrorist group known as the Islamic State of Iraq and the Levant (ISIL)” the bulletin states that the FBI believes that “extremist hackers and hacktivist groups, including but not limited to those aligned with the ISIL ideology, will continue to threaten and may attempt offensive cyber actions against the United States in response to perceived or actual US military operations in Iraq or Syria.”
(U//FOUO) FBI Bulletin: Threat of Cyberterrorist and Hacktivist Activity in Response to U.S. Military Actions in the Middle East
The FBI has no information at this time to indicate specific cyber threats to US networks or infrastructure in response to ongoing US military air strikes against the terrorist group known as the Islamic State of Iraq and the Levant (ISIL), also known as the Islamic State of Iraq and al-Shams (ISIS) or the Islamic State (IS). However, the FBI assesses extremist hackers and hacktivist groups, including but not limited to those aligned with the ISIL ideology, will continue to threaten and may attempt offensive cyber actions against the United States in response to perceived or actual US military operations in Iraq or Syria. The FBI bases this assessment on recent, nonspecific, and probably aspirational threats made on social media platforms to carry out cyber as well as physical attacks in response to the US military presence in the Middle East.
The FBI is providing the following information with HIGH confidence. The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII). These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data.
This review is a follow-up to three previous OIG reports concerning the FBI’s use of national security letter authorities. In our first and second NSL reports, issued in March 2007 and March 2008, the OIG found repeated instances of the FBI’s misuse of NSL authorities during 2003 through 2006. During our first NSL review we also discovered the FBI’s practice of issuing exigent letters and using other informal methods to obtain telephone records, instead of using NSLs or other legal process. We addressed these practices in a separate report issued in January 2010.
A bulletin issued by the Department of Homeland Security, the FBI and the National Counterterrorism Center earlier this month warns law enforcement and private security personnel that malicious cyber actors can use “advanced search techniques” to discover sensitive information and other vulnerabilities in websites. The bulletin, titled “Malicious Cyber Actors Use Advanced Search Techniques,” describes a set of techniques collectively referred to as “Google dorking” or “Google hacking” that are used to refine search queries to provide more specific results.
Malicious cyber actors are using advanced search techniques, referred to as “Google dorking,” to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks. “Google dorking” has become the acknowledged term for this malicious activity, but it applies to any search engine with advanced search capabilities. By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities. For example, a simple “operator:keyword” syntax, such as “filetype:xls intext:username,” in the standard search box would retrieve Excel spreadsheets containing usernames. Additionally, freely available online tools can run automated scans using multiple dork queries.