The FBI received information of an additional IP address, 188.8.131.52, which was detected in the July 2016 compromise of a state’s Board of Election Web site. Additionally, in August 2016 attempted intrusion activities into another state’s Board of Election system identified the IP address, 184.108.40.206 used in the aforementioned compromise.
The purpose of this LIR is to inform DSAC and other relevant private sector partners about new methods ATM skimming crews use to target standalone or kiosk-style ATM terminals such as those found at casinos, hotels, airports, shopping malls, gas stations, restaurants, and supermarkets. The skimming crews intercept customers’ account data through the ATMs’ external cables. The activity observed to date in the United States was discovered at convenience store locations in California, Delaware, and Pennsylvania. This LIR provides details on the methods used in these skimming attempts as well as previously reported use of internal wiretap skimming devices.
On July 10, 2015, the Federal Bureau of Investigation (FBI) initiated a full investigation based upon a referral received from the US Intelligence Community Inspector General (ICIG), submitted in accordance with Section 811 (c) of the Intelligence Authorization Act of 1995 and dated July 6, 2015, regarding the potential unauthorized transmission and storage of classified information on the personal e-mail server of former Secretary of State Hillary Clinton (Clinton). The FBI’s investigation focused on determining whether classified information was transmitted or stored on unclassified systems in violation of federal criminal statutes and whether classified information was compromised by unauthorized individuals, to include foreign governments or intelligence services, via cyber intrusion or other means.
The FBI has obtained information regarding a malicious cyber group that has compromised the networks of foreign banks. The actors have exploited vulnerabilities in the internal environments of the banks and initiated unauthorized monetary transfers over an international payment messaging system. In some instances, the actors have been present on victim networks for a significant period of time. Contact law enforcement immediately regarding any activity related to the indicators of compromise (IOCs) in the attached appendix that are associated with this group.
(U//FOUO) DHS-FBI Bulletin: Law Enforcement Vigilance and Caution Urged at Public and Political Events
This Joint Intelligence Bulletin (JIB) is intended to provide situational awareness concerning the domestic extremist threat to national public and political events. This JIB is provided by the FBI and DHS to support law enforcement in their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks against the United States.
The ‘Locky’ malware is a ransomware variant, which has extensively utilized spam campaigns to distribute malicious files that download and execute code capable of encrypting numerous critical file types on both local and networked file stores. Encrypted files are renamed with a unique hexadecimal filename and receive the “.locky” extension. Each directory containing encrypted files contains instructions on how to utilize Bitcoin in order to pay a ransom for file recovery, and the system’s computer background is also changed to contain payment instructions. Recovery of encrypted files is impossible without data backup or acquisition of the private key due to the well-implemented, strong encryption. Historically, while payment of the ransom may result in receipt of the valid private key, enabling decryption of the targeted files, the FBI does not recommended the victim pay the ransom.
While in the United States, some of the September 11 hijackers were in contact with, and received support or assistance from, individuals who may be connected to the Saudi Government. There is information, primarily from FBI sources, that at least two of those individuals were alleged by some to be Saudi intelligence officers. The Joint Inquiry’s review confirmed that the Intelligence Community also has information, much of which has yet to be independently verified, indicating that individuals associated with Saudi Government in the United States may have other ties to al-Qa’ida and other terrorist groups. The FBI and CIA have informed the Joint Inquiry that, since the September 11 attacks, they are treating the Saudi issue seriously, but both still have only a limited understanding of the Saudi Government’s ties to terrorist elements. In their testimony, neither CIA nor FBI witnesses were able to identify definitively the extent of Saudi support for terrorist activity globally or within the United States and the extent to which such support, if it exists, is knowing or inadvertent in nature.
(U//FOUO) FBI New Orleans Alert: Violence Against Law Enforcement and Riots Planned for July 8-10 2016
A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.
KeySweeper is a covert device that resembles a functional Universal Serial Bus (USB) enabled device charger which conceals hardware capable of harvesting keystrokes from certain wireless keyboards. If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.
The FBI previously identified that the actor(s) exploit Java-based Web servers to gain persistent access to a victim network and infect Windows-based hosts. The FBI also indicated that several victims have reported the initial intrusion occurred via JBOSS applications. Further analysis of victim machines indicates that, in at least two cases, the attackers used a Python tool, known as JexBoss, to probe and exploit target systems. Analysis of the JexBoss Exploit Kit identified the specific JBoss services targeted and vulnerabilities exploited. The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future.
(U//FOUO) DHS-FBI-NCTC Bulletin: Tactics, Techniques, and Procedures Used in March 2016 Brussels Attacks
This Joint Intelligence Bulletin (JIB) is intended to provide a review of the tactics, techniques, and procedures demonstrated by the perpetrators of the 22 March 2016 attacks in Brussels, Belgium. The analysis in this JIB is based on statements by European government and law enforcement officials cited in media reporting and is subject to change with the release of official details from post-incident investigations. This JIB is provided by DHS, FBI, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, first responders and private sector partners in deterring, preventing, preempting, or disrupting terrorist attacks against the United States.
FBI Cyber Bulletin: Smart Farming May Increase Cyber Targeting Against US Food and Agriculture Sector
The FBI and the US Department of Agriculture (USDA) assess the Food and Agriculture (FA) Sector is increasingly vulnerable to cyber attacks as farmers become more reliant on digitized data. While precision agriculture technology (a.k.a. smart farming)a reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers and cloud service providers, develop adequate cybersecurity and breach response plans.
Over the past 18-24 months, an unknown number of online extremists have conducted “hacktivist” cyber operations – primarily Web site defacements, denial-of-service attacks, and release of personally identifiable information (PII) in an effort to spread pro-Islamic State of Iraq and the Levant (ISIL) propaganda and to incite violence against the United States and the West. Recent open source reporting from the Daily Mail India, indicates ISIL is recruiting Indian hackers and offering upwards of $10,000 USD per job to hack government Web sites, steal data, and to build social media databases for recruiting purposes. Indian officials believe as many as 30,000 hackers in India may have been contacted. The FBI cannot confirm the validity of the media reports, and beyond this single article on Indian hackers and ISIL, does not have information indicating any such relationship exists to date. The FBI assesses this activity is most likely independent of ISIL’s leaders located in Syria and Iraq.
Despite efforts to counter violent extremism, the threat continues to evolve within our borders. Extremism and acts of targeted violence continue to impact our local communities and online violent propaganda has permeated social media. Countering these prevailing dynamics requires a fresh approach that focuses on education and enhancing public safety—protecting our citizens from becoming radicalized by identifying the catalysts driving extremism.
(U//LES) DHS-FBI Bulletin: Domestic Extremists Arrested for Illegal Occupation of Malheur National Wildlife Refuge
This Joint Intelligence Bulletin (JIB) is intended to provide information on the recent arrest of 11 domestic extremists for conspiracy to impede officers of the United States from discharging their official duties through force, intimidation, or threats, in violation of 18 USC §372. This JIB is provided by the FBI and DHS to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials in deterring, preventing, or disrupting terrorist attacks against the United States. As in any criminal case, defendants are presumed innocent until proven guilty in a court of law.
The FBI has obtained information regarding a group of cyber actors who have compromised and stolen sensitive military information from US cleared defense contractors (CDCs) through cyber intrusions. This group utilizes infrastructure emanating from China to conduct their nefarious computer network exploitation (CNE) activities. Information obtained from victims and subsequent analysis indicates that they were targeted based on their US Navy Seaport Enhanced contracts. The actors did not target information pertaining to a specific contract but instead stole all information that they accessed via their malicious cyber activities. Any activity related to this group detected on a network should be considered an indication of a compromise requiring extensive mitigation and contact with law enforcement.
Disruptive cyber attacks by criminal hackers—primarily distributed-denial-of-service (DDoS) attacks—targeting local law enforcement websites have increased since August 2014. We judge that this is almost certainly a result of the heightened coverage surrounding the alleged use of excessive force by law enforcement and an increased focus on incidents of perceived police brutality. The primary impact from the majority of these attacks has been the temporary disruption of the targeted public-facing websites.
(U//LES) FBI Suicide Vest and Belt Use in Middle East, Africa, and Europe Show Minimal Signs of Tactic Migration
The FBI Terrorism Explosive Device Analytical Center (TEDAC) assesses the tactics used to construct suicide vest and belt improvised explosive devices (IEDs) in the Middle Eastern, African, and European regions likely have minimal correlation. Use of these tactics allows suicide bombers to discretely move to a desired target location and make real-time decisions to maximize lethality. The suicide belt design allows the wearer to conceal the device and blend in with their surrounding environment, as well as to position themselves in potentially crowded environments while not raising suspicion.
(U//FOUO) FBI Counterintelligence Note: Huawei Chinese Government-Subsidized Telecommunications Company
Huawei is a threat to intellectual property and business communications due to its opaque relationship with the Chinese Government. Huawei has legal obligations to work on behalf of the Chinese state, probably through the Chinese Communist Party (CCP) committee residing within Huawei. This relationship likely influences the company’s decision-making through threats of corruption investigations.
(U//FOUO) Two disrupted plots in Europe earlier this year highlight terrorists possible interest in impersonating first responders through the acquisition of authentic or fraudulent uniforms, equipment, vehicles, and other items which may be associated with government, military, law enforcement, fire,…
This Joint Intelligence Bulletin highlights the potential risks for US persons traveling to Syria or Iraq to combat the Islamic State of Iraq and the Levant (ISIL) or expressing online a desire to do so. The FBI, DHS, and NCTC remain concerned that US persons traveling to combat ISIL are at risk of being killed, wounded, or captured. Further, ISIL members or supporters could attempt disingenuously to identify and target US persons so as to harm them before or upon their arrival in Syria or Iraq. The State Department has issued travel warnings for both Iraq and Syria and the US Government does not support US persons traveling overseas to combat ISIL.
The Criminal Justice Information Services (CJIS) Division’s Quick Capture Platform (QCP) is a state-of-the-art biometric system that enables investigators to collect and store fingerprint data during domestic and international investigations. The QCP enables instant access to federal fingerprint databases. This comprehensive access to the main United States (U.S.) Government biometric holdings enables QCP users to quickly establish whether a subject has possible terrorist links (in the U.S. or abroad) or is likely to pose a threat to the U.S.
Following the Office of the Inspector General’s (OIG) April 2011 report on the FBI’s ability to address the national cyber intrusion threat, in October 2012 the FBI launched its Next Generation Cyber (Next Gen Cyber) Initiative to enhance its ability to address cybersecurity threats to the United States. In fiscal year 2014, the FBI initially budgeted $314 million for its Next Gen Cyber Initiative, including a total of 1,333 full-time positions (including 756 agents). In addition, the Department of Justice (Department) requested an $86.6 million increase in funding for fiscal year 2014 to support the Initiative. The objective of this audit was to evaluate the FBI’s implementation of its Next Gen Cyber Initiative.