Expressed or implied threats by an individual or a group communicating intent to commit acts of terrorism or violence or advocating violence against a person, population, or to damage or destroy a facility can be an indicator of pre-operational attack planning. For example, in 2010 a Virginia-based US person pled guilty to communicating threats after he posted a video to the Internet encouraging violent extremists to attack the creators of a television show, including highlighting their residence and urging online readers to “pay them a visit.” He also admitted to soliciting others to desensitize law enforcement by placing suspicious looking but innocent packages in public places, which could then be followed up by real explosives.
Stolen, cloned, or repurposed commercial or official vehicles—such as police cars, ambulances, and public utility service trucks—have been used in terrorist attacks. These vehicles could facilitate terrorist access to restricted and hardened targets as well as to emergency scenes. The use of these vehicles can provide individuals the ability to approach targets to conduct pre-operational surveillance or carry out primary attacks or secondary attacks against first responders.
GAO Report: Increasing the Effectiveness of Efforts to Share Terrorism-Related Suspicious Activity Reports
The Department of Justice (DOJ) has largely implemented the Nationwide Suspicious Activity Reporting Initiative among fusion centers—entities that serve as the focal point within a state for sharing and analyzing suspicious activity reports and other threat information. The state and local law enforcement officials GAO interviewed generally said the initiative’s processes worked well, but that they could benefit from additional feedback from the Federal Bureau of Investigation (FBI) on how the reports they submit are used. The FBI has a feedback mechanism, but not all stakeholders were aware of it. Implementing formalized feedback mechanisms as part of the initiative could help stakeholders conduct accurate analyses of terrorism-related information, among other things.
Terrorists are attempting to recruit new members in the United States and overseas to support their operations, obtain funding, and conduct terrorist attacks. For example, in May 2012, Maryland-based Mohammad Hassan Khalid pled guilty to attempting to use the Internet to recruit individuals who had the ability to travel to and around Europe to conduct terrorist acts, in addition to providing logistical and financial support to terrorists. In prior cases of recruitment, individuals who were willing to participate in terrorist acts became involved with known and suspected terrorists, participated in paramilitary training abroad, or tried to acquire small arms and build explosives.
Terrorists or cyber criminals might try to discover vulnerabilities in computer systems by engaging in unauthorized testing of cybersecurity in order to exploit those vulnerabilities during an attack. These attempts might include port scanning, phishing, and password cracking. “Social engineering,” another technique, leverages unwitting insider access by eliciting information about operational and security procedures from employees, personnel, and their associates.
An FBI analysis of active shooter incidents since 2002 found that 96% of the attacks were perpetrated by males, most of which acted alone. The statistic is found in a joint intelligence bulletin released at the end of December by the Department of Homeland Security and FBI. The bulletin provides brief advice on crisis response and long-term protective measures as well as statistics related to past active shooter incidents, which are defined as situations where one or more individuals participates in a “random or systematic killing spree demonstrating their intent to harm others with a firearm.” Active shooters are distinguished from other “traditional criminal acts, such as robbery or hostage-taking” by their intention to commit “mass murder”. The FBI analyzed 154 active shooter events in the United States between 2002 and 2012 that included three or more individuals being shot.
This Joint Intelligence Bulletin (JIB) is intended to provide information on the recent active shooter incidents that have taken place in the Homeland. This information is provided to support the activities of DHS and FBI and to assist private sector security officials and federal, state, local, tribal, and territorial law enforcement in identifying protective and support measures relating to active shooters.
As we enter an era in which the administration of law enforcement becomes more complicated, greater challenges are thrust not only upon police officials, but also upon the community at large. The bomb threat is one such challenge. The bomber has a distinct advantage over other criminals because he can pick his time and place from afar, and use the bomb threat as a weapon to achieve his criminal objectives. This bulletin has been prepared in order to provide law enforcement and public safety agencies with a working base from which to establish their own bomb threat response capability; and to enable these same agencies, when called upon by potential bomb or bomb threat targets in the business community, to offer assistance in developing guidelines for a bomb threat response plan.
This Reference Aid was jointly produced by DHS and the FBI to assist in the acquisition of detailed information in the aftermath of a successful or attempted radiological terrorism incident that would be of interest to the national law enforcement and emergency response communities. It is intended to help state, local, tribal, and territorial agencies and private sector entities deter, prevent, preempt, or respond to terrorist attacks against the United States.
(U//FOUO) DHS-FBI Bulletin: Indicators of Suspicious Chemical, Biological, and Radiological Activity
Law enforcement and first responders may encounter chemical, biological, or radiological (CBR) related material or equipment at private residences, businesses, or other sites not normally associated with such activities. There are legitimate reasons for possessing such material or equipment, but in some cases their presence can indicate intent or capability to build CBR weapons, particularly when other suspicious circumstances exist.
Terrorists may attempt to steal or divert precursor materials, uniforms, identification, blueprints, documents, access cards, facility vehicles, or other items–possibly with the help of knowledgeable insiders–for use in pre-operational planning or attacks. Emilio Suarez Trashorras, a Spanish national convicted for his role in the 2004 Madrid train bombings, stole the explosives used in the attack and the vehicles used to transport the explosives from a mining company where he worked.
Terrorists may attempt to gain skills and knowledge necessary to plan and execute by obtaining specialized training, soliciting or stealing technical and proprietary information, or reaching out to academics and experts. In 2007, German police arrested three terrorist suspects for allegedly planning and preparing car bomb attacks against US citizens and interests in Germany. The suspects traveled to Pakistan where they received weapons and explosives training from a Pakistan-based Uzbek jihadist group called the Islamic Jihad Union.
In February and March 2012, unauthorized IP addresses accessed the Industrial Control System (ICS) network of a New Jersey air conditioning company, US Business 1. The intruders were able to access a backdoor into the ICS system that allowed access to the main control mechanism for the company’s internal heating, ventilation, and air conditioning (HVAC) units. US Business 1 was using the Tridium Niagara ICS system, which has been widely reported in the media to contain multiple vulnerabilities that could allow an attacker to remotely control the system.
Terrorists often conduct physical surveillance to identify suitable targets, determine vulnerabilities, plan attack methods, or assess the target’s security posture. In March 2010, David Coleman Headley pled guilty for his role in the November 2008 terrorist attacks in Mumbai, India by conducting video and photographic surveillance of potential targets, as well as later surveilling Danish newspaper offices–the target of another attack plot.
Terrorists and criminals may use photos or videos of potential targets to gain insight into security operations and details of facility operations, including traffic flow through and around facilities, opening times, and access requirements. In late 2000 and early 2001, convicted al-Oa’ida operative Dhiren Barot took extensive video footage and numerous photographs of sites in downtown New York City and Washington, DC in preparation for planned attacks. Photographs and video useful in planning an attack may include facility security devices (surveillance cameras, security locks, metal detectors, jersey walls and planters); security personnel; facility entrances and exits; and other features such as lighting, access routes, gates, roads, walkways, and bridges.
Terrorists overseas and in domestic attack plots have used various methods to acquire and store materials necessary to construct explosives. Najibullah Zazi, who pled guilty in 2010 to plotting to attack the New York subway system, made multiple, large-quantity purchases of chemical components needed to assemble the homemade explosive Triacetone Triperoxide (TATP)—6 bottles on one day and 12 bottles on a separate day—at beauty supply stores throughout the summer of 2009. Law enforcement and first responders should be aware that the possession, storage, or attempt to acquire unusual quantities of laboratory equipment, personal protective equipment, chemicals, and flammable accelerants—although legal to purchase and own—could provide indicators of preoperational attack planning.
(U//LES) FBI Sovereign Citizen Extremists Targeting Law Enforcement Creates Potential for Violent Traffic Stops
The FBI assesses with medium confidence, based on reliable source reporting and reports from other law enforcement agencies, some sovereign citizen extremistsb are making more specific plans to interfere with state and local law enforcement officers during traffic stops and, in some cases, intentionally initiating contact with law enforcement. The FBI assesses with medium confidence that a shift from reacting to law enforcement scrutiny1,2 to targeting police officers indicates an increased interest in harassing and intimidating police and may lead to potentially hostile confrontations.
DHS and FBI Call for Increased Vigilance in Jewish Communities Following Israel’s Recent Military Actions
Last Friday, officials from the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) hosted a teleconference with the directors of fusion centers around the country as well as the Major City Intelligence Commanders across to discuss the “heightened tensions in the Middle East due to the on-going military actions between Israel and Hamas.” A bulletin from the New York State Intelligence Center (NYSIC) described the conference call, stating that the DHS and FBI representatives emphasized that there is “currently no credible or specific information suggesting any violent actions in the United States as a result of these tensions” but requested increased vigilance from “law enforcement in regions where Jewish consulates or large Jewish populations exist was encouraged, and law enforcement officials on the teleconference from those areas discussed measures being taken to ensure the safety and security of their local communities, which included increased law enforcement presence, community outreach and encouraging reporting of suspicious activities.”
(U//FOUO) DHS-FBI Bulletin: No Specific Threats to American Jewish Community, Despite Recent World Events
This Joint Intelligence Bulletin (JIB) provides law enforcement and private sector safety officials with an evaluation of potential terrorist threats to Jewish organizations, facilities, and personnel in the United states. The information is provided to support the activities of DHS and FBI and to assist federal. state, local, tribal, and territorial government counterterrorism and first responder officials to deter, prevent, preempt, or respond to terrorist attacks in the United States.
A presentation on recent cyber attacks on the U.S. financial industry included in a collection of documents provided to banks and financial institutions by a local branch of the FBI Cyber Division office and distributed by the Oklahoma Bankers Association.
Terrorist groups, including al-Qa‘ida, and violent extremists have considered using or have possessed cyanide compounds. Cyanides probably appeal to terrorists because of their toxicity, availability, and ease of dissemination. Some of the cyanide tactics that have been considered by terrorists include mixing it with oils and lotions for use as a contact poison, contaminating food or water supplies, or by using it in an improvised chemical dispersal device.
Tens of thousands of dams, levees, navigation locks, industrial waste impoundments, and other water retention and control structures are located throughout the United States. Due to their iconic nature and potential impact on public safety, these structures present attractive targets for terrorist activity. Explosive attacks pose a significant threat, as evidenced by past plots against foreign infrastructure targets. Cyber intrusions present another concern and could be used to sabotage or control site operations. The FBI is interested in any information that could help mitigate threats to the security of dams or other water retention and control infrastructure.
Maritime transportation infrastructure—to include watercraft, seaports, harbors, and waterways—is vital to the United States’ economy and national security. Maritime shipping accounts for ninety-nine percent of all US overseas trade. Additionally, passenger ships transport more than 140 million people to and from US ports each year. Countless vacationers enjoy maritime recreation on US lakes and beaches. All of these activities depend upon safe and open waterways, which the FBI defends from a variety of criminal and national security threats. A top concern is that past attacks on foreign passenger ferries and cargo liners could inspire similar action against US commercial vessels. Additional threats to maritime security include: contraband smuggling, human trafficking, piracy and crimes at sea, and cyber attacks against maritime information systems.
Terrorists might use disguises, fraudulent or stolen credentials, and cloned or repurposed vehicles to gain access to restricted areas, to blend in with their surroundings when conducting surveillance, or to conceal other activities while planning or executing an attack. Anders Breivik, the gunman who was sentenced to 21 years in prison for the July 2011 attack on the Workers’ Youth League summer camp in Norway, wore a police uniform and displayed false identification to gain unauthorized access to the camp. Depending on the target, disguises might be aimed at impersonating law enforcement, emergency services, or officials of an institution who have legitimate access to secured/restricted sites.
Known or possible terrorists have displayed suspicious behaviors while staying at hotels overseas—including avoiding questions typically asked of hotel registrants; showing unusual interest in hotel security; attempting access to restricted areas; and evading hotel staff. These behaviors also could be observed in U.S. hotels, and security and law enforcement personnel should be aware of the potential indicators of terrorist activity.