Since June, advanced persistent threat (APT) actors have been targeting the aviation industry and attempting to extract confidential information by sending “spear-phishing” emails designed to trick recipients into opening malicious attachments or follow links to infected websites. According to an FBI Cyber Division bulletin from July 8, “individuals associated with the air travel industry” have received an increased number of spear-phishing emails often using spoofed senders “in an attempt to make the e-mail appear more legitimate.”
(U//FOUO) FBI Cyber Division Bulletin: Advanced Persistent Threat (APT) Actors Targeting Aviation Industry
Since June 2013, the FBI has observed advanced persistent threat (APT) actors’ increased interest in the aviation industry. APT actors have sent spear-phishing e-mails targeting individuals associated with the air travel industry. Some of the spear-phishing e-mails originated from a spoofed sender in an attempt to make the e-mail appear more legitimate. E-mail recipients should be aware of suspicious and potentially malicious e-mail attachments or links.
In 2011, the U.S. Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), in coordination with federal and SLTT partners, began conducting an annual assessment of fusion centers to evaluate their progress in achieving the COCs and ECs and to collect additional data to better understand the characteristics of individual fusion centers and the National Network as a whole. DHS/I&A initiated the 2012 Fusion Center Assessment (2012 Assessment) in August 2012 as the second iteration of the annual assessment process and the first assessment to provide data on year-over-year progress in implementing the COCs and ECs. The 2012 Assessment was also the first assessment to collect National Network performance data based on an initial set of five performance measures adopted in 2011. This 2012 National Network of Fusion Centers Final Report (2012 Final Report) summarizes and characterizes the overall capabilities and performance of the National Network based on the results of the 2012 Assessment. This report does not include fusion center-specific capability or performance data. Instead, it uses aggregated data from the 2012 Assessment to describe the capability and performance achievements of the National Network.
Department of Defense, Department of Homeland Security, Department of Justice, Federal Bureau of Investigation
A collection of Network Security Agreements (NSAs) entered into with foreign communications infrastructure providers ensuring U.S. government agencies the ability to access communications data when legally requested. The agreements range in date from 1999 to 2011 and involve a rotating group of government agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Department of Justice (DoJ), Department of Defense (DoD) and sometimes the Department of the Treasury. According to the Washington Post, the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances” ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”
Fireworks are a common component used in Improvised Explosive Devices (IEDs). The US Government is asking consumer fireworks retailers to be aware of this phenomenon and familiarize themselves with some possible indicators of suspicious activity. This list is not inclusive, nor is it intended to limit the lawful conduct of innocent persons. The totality of behavioral indicators and other relevant circumstances should be considered.
Recent incidents in the Homeland demonstrate that consumer fireworks—widely used during the upcoming 4 July 2013 celebrations—can be misused by criminals and violent extremists to construct improvised explosive devices (IEDs). Consumer fireworks are defined as devices that produce audible and visible effects by combustion, containing between 50-130 milligrams of explosive material. They are banned in Delaware, Massachusetts, New Jersey, and New York.
Malicious actors may leverage the Internet to gain information against a potential target to support pre-operational planning efforts for kinetic or cyber attacks. Malicious actors can use Internet search engines for information such as maps, company photographs or blueprints, and gain additional details from social media sites and Web blogs. Some actors may use more sophisticated techniques—such as phishing, spear phishing, or actual penetration of an organization’s network or devices—which can be used to gather personal, sensitive, or proprietary data.
(U//FOUO) DHS-FBI Report: Idaho Man Arrested for Providing Material Support to Islamic Movement of Uzbekistan
This Joint Intelligence Bulletin (JIB) provides information on the 16 May 2013 arrest of Idaho-based Uzbekistan national Fazliddin Kurbanov by the FBI Boise Joint Terrorism Task Force (JTTF). On 16 May, Kurbanov was charged under two indictments alleging terrorism, one each in the United States District Court, District of Idaho and United States District Court, District of Utah. FBI and DHS are providing this information to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and the private sector in deterring, preventing, or disrupting terrorist attacks against the United States. All events described in this JIB are taken from the criminal indictment. The charges contained in the indictment are mere allegations. As in any criminal case, the defendant is presumed innocent until proven guilty in a court of law.
More than a dozen images originally published on the website Кавказская политика Kavkazskaya Politika (Politics of the Caucasus) after being displayed at a press conference held in Moscow by Ibragim Todashev’s father Abdul-Baki Todashev on May 30, 2013. Ibragim Todashev was shot seven times in his Orlando, Florida apartment on May 22, 2013 following eight hours of questioning by an FBI Special Agent from the Boston Field Office and at least one Massachusetts State Police trooper. Law enforcement sources have provided media outlets with several differing versions of the events leading up to Todashev’s death. First, sources described Todashev being shot after he reportedly attacked the FBI agent with a knife. In later accounts, Todashev was described as being unarmed. In the most recent version of events Todashev reportedly overturned a table, knocking the FBI agent to the ground, before lunging at the agent with a pole or broomstick.
State, local, tribal and territorial (SLTT) computer networks have been increasingly targeted by cyber adversaries. At the same time, the expansion of mobile devices integrated into SLTT networks provides new opportunities for cyber adversaries seeking to collect information or disrupt operations by compromising mobile technology and exploiting vulnerabilities in portable operating systems, application software, and hardware. Compromise of a mobile device can have an impact beyond the device itself; malware can propagate across interconnected networks.
Terrorists and violent extremists have used—or considered using—diversionary tactics in terrorist attacks overseas. Diversionary tactics are often used to draw security forces and first responders away from the intended primary target of the attack and may be used as part of a complex or multi-pronged attack. Diverting first responders to a location other than the primary target of an attack delays the response and the provision of medical care to victims, and depletes first responder resources.
Terrorists and violent extremists could use unsuspecting civilians to transport improvised explosive devices (IEDs) artfully concealed in seemingly harmless items for use in attacks in the Homeland. Overseas attacks demonstrate that violent extremists have successfully used unsuspecting individuals to carry items containing IEDs to specific targets where the devices are then detonated remotely. This tactic enables terrorists and violent extremists to place IEDs in secure areas, among large gatherings of people, or at high profile events and detonate them from a standoff distance.
Multiple groups, and individual hacker handles have claimed their intent to attack U.S. websites as part of OpUSA. As seen in many hacktivist operations (Ops), willing participants have posted free tools to assist other like minded individuals in their attack efforts. Often, more coordinated attacks will name a specific tool, target, day and time for the attack. That has not been the case for OpUSA thus far. Individual hacker groups seem to be conducting attacks independently, each claiming responsibility for individual defacements and data breaches that have supposedly recently taken place. Below you will find some of the tools being posted in conversations about OpUSA and links to US-CERT sites which provide background on the vulnerabilities exploited by these tools as well as mitigation advice for computer network defense actions.
DHS-FBI Bulletins Identifying IP Addresses, Hostnames Associated With Malicious Cyber Activity Against the U.S. Government
Various cyber actors have engaged in malicious activity against Government and Private Sector entities. The apparent objective of this activity has been the theft of intellectual property, trade secrets, and other sensitive business information. To this end, the malicious actors have employed a variety of techniques in order to infiltrate targeted organizations, establish a foothold, move laterally through the targets’ networks, and exfiltrate confidential or proprietary data. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation and other partners, has created this Joint Indicator Bulletin, containing cyber indicators related to this activity. Organizations are advised to examine current and historical security logs for evidence of malicious activity related to the indicators in this bulletin and deploy additional protections as appropriate.
This Joint Intelligence Bulletin provides law enforcement and private sector safety officials with protective measures in light of the recent explosions that took place at the 2013 Boston Marathon in Boston, Massachusetts. The information is provided to support the activities of DHS and FBI and to assist federal, state, local, tribal, and territorial government counterterrorism and first responder officials and the private sector to deter, prevent, preempt, or respond to terrorist attacks in the United States.
This Joint Intelligence Bulletin provides information on the devices used in the 15 April 2013 Boston Marathon explosions. The information is intended to provide aid in identifying devices and to support the activities of DHS and FBI and to assist federal, state, local, tribal, and territorial government counterterrorism and first responder officials and the private sector to deter, prevent, preempt, or respond to terrorist attacks in the United States.
This is an update of an RCR published on 1 July 2010. Rudimentary improvised explosive devices (IEDs) using pressure cookers to contain the initiator, switch, and explosive charge frequently have been used in Afghanistan, India, Nepal, and Pakistan. Pressure cookers are common in these countries, and their presence probably would not seem out of place or suspicious to passersby or authorities. Presence in an unusual location—or if noticed in a contanier such as a backpack—should be treated as suspicious.
The FBI assesses with high confidence recreationally used exploding targets (ETs), commonly referred to as tannerite, or reactive targets, can be used as an explosive for illicit purposes by criminals and extremists and explosive precursor chemicals (EPCs) present in ETs can be combined with other materials to manufacture explosives for use in improvised explosive devices (IEDs).
Recent FBI intelligence from multiple FBI HUMINT sources indicates a shift in Los Zetas recruiting methods and reliance on non-traditional associates. Past, accurate FBI reporting indicated Los Zetas previously focused its recruitment on members with prior specialized training, such as ex-military and ex-law enforcement officers, and not on US-based gangs or US persons in order to maintain a highly-disciplined and structured hierarchy. This hierarchy, which resembled a military-style command and control structure, facilitated drug trafficking operations and maintained lines of authority. However, current FBI reporting indicates that Los Zetas is recruiting and relying on non-traditional, non-military trained associates—US-based prison and street gangs and non-Mexican nationals—to perform drug trafficking and support operations in Mexico and in the United States.
Expressed or implied threats by an individual or a group communicating intent to commit acts of terrorism or violence or advocating violence against a person, population, or to damage or destroy a facility can be an indicator of pre-operational attack planning. For example, in 2010 a Virginia-based US person pled guilty to communicating threats after he posted a video to the Internet encouraging violent extremists to attack the creators of a television show, including highlighting their residence and urging online readers to “pay them a visit.” He also admitted to soliciting others to desensitize law enforcement by placing suspicious looking but innocent packages in public places, which could then be followed up by real explosives.
Stolen, cloned, or repurposed commercial or official vehicles—such as police cars, ambulances, and public utility service trucks—have been used in terrorist attacks. These vehicles could facilitate terrorist access to restricted and hardened targets as well as to emergency scenes. The use of these vehicles can provide individuals the ability to approach targets to conduct pre-operational surveillance or carry out primary attacks or secondary attacks against first responders.
GAO Report: Increasing the Effectiveness of Efforts to Share Terrorism-Related Suspicious Activity Reports
The Department of Justice (DOJ) has largely implemented the Nationwide Suspicious Activity Reporting Initiative among fusion centers—entities that serve as the focal point within a state for sharing and analyzing suspicious activity reports and other threat information. The state and local law enforcement officials GAO interviewed generally said the initiative’s processes worked well, but that they could benefit from additional feedback from the Federal Bureau of Investigation (FBI) on how the reports they submit are used. The FBI has a feedback mechanism, but not all stakeholders were aware of it. Implementing formalized feedback mechanisms as part of the initiative could help stakeholders conduct accurate analyses of terrorism-related information, among other things.
Terrorists are attempting to recruit new members in the United States and overseas to support their operations, obtain funding, and conduct terrorist attacks. For example, in May 2012, Maryland-based Mohammad Hassan Khalid pled guilty to attempting to use the Internet to recruit individuals who had the ability to travel to and around Europe to conduct terrorist acts, in addition to providing logistical and financial support to terrorists. In prior cases of recruitment, individuals who were willing to participate in terrorist acts became involved with known and suspected terrorists, participated in paramilitary training abroad, or tried to acquire small arms and build explosives.
Terrorists or cyber criminals might try to discover vulnerabilities in computer systems by engaging in unauthorized testing of cybersecurity in order to exploit those vulnerabilities during an attack. These attempts might include port scanning, phishing, and password cracking. “Social engineering,” another technique, leverages unwitting insider access by eliciting information about operational and security procedures from employees, personnel, and their associates.