NCTC assesses that the Sunni violent extremist threat in the US has evolved from one defined by complex, large-scale attacks directed by a foreign terrorist organization (FTO) to mostly self-initiated attacks by homegrown violent extremists using relatively simple methods. Of the 28 Sunni violent extremist attacks in the US since 9/11 only three were directed by an FTO. Most attacks were perpetrated by individuals enabled—through encouragement or operational support—or inspired by ISIS, al-Qa‘ida, and al-Qa‘ida affiliates.
(U//FOUO) Northern California Fusion Center: Violent Tactics Showcased at Berkeley Riots Likely to be Used at Future Demonstrations
Tactics used by violent Anti-fascists at events in Berkeley on 1 February, 4 March, and 15 April 2017 highlight their ability to exploit peaceful protests with coordinated violent demonstrations, attack law enforcement personnel, destroy property, and conduct information campaigns to advance their socio-political goals. This Advisory Bulletin is intended to inform law enforcement involved in operational planning and event safety at gatherings that violent anti-fascist elements may target.
In August, ISIS released a seven-minute, English-language video encouraging would-be fighters to travel to the Philippines instead of Syria and Iraq. The video was the latest sign the group has shifted its recruiting tactics as it loses ground to Coalition Forces in the Middle East. Asia has become a new focus for ISIS, according to private sector analysts, such as Flashpoint Intelligence.
As the American Army fought in Iraq and Afghanistan, it became the best tactical level counter insurgency force of the modern era. America’s enemies, however, did not rest. Russia observed the transformation of the American Army and began a transformation of their own. This new military barely resembles its former Soviet self. Wielding a sophisticated blend of Unmanned Aircraft Systems (UAS), electronic warfare (EW) jamming equipment, and long range rocket artillery, it took the Soviet model out of the 1980s and into the 21st Century.
(U//FOUO) DHS Reference Aid: Overview of Recently Successful or Arrested HVEs’ Radicalization to Violence
This Reference Aid is based on I&A’s review of the radicalization to violence of 39 US homegrown violent extremists (HVEs) who either successfully carried out or were arrested before attempting to carry out attacks in the Homeland between 1 January 2015 and 31 December 2016. It is intended to inform federal, state, local, tribal, and territorial counterterrorism, law enforcement, and countering violent extremism (CVE) officials. For additional information about these HVEs, please see the classified I&A Intelligence Assessment “(U//FOUO) Commonalities in HVEs’ Radicalization to Violence Provide Prevention Opportunities,” published 10 February 2017.
This case study is an examination of behaviors that resulted in a disrupted terrorist attack, revealing a cycle of planning and preparation that could provide indicators for preventing similar attempts. The terrorist attack planning cycle is not a static, linear process but rather could begin in any of the several stages with variances in details, sequence, and timing. An individual’s mobilization to violence often provides observable behavioral indicators such as, pre-attack surveillance, training, and rehearsal. The indicators potentially allow third-party observers and law enforcement to identify individuals moving to violence, circumstances that may allow for disruption of planned attacks. This product is intended to cultivate an awareness of the planning cycle among stakeholders for identification, mitigation, and disruption of attack planning.
We assess with moderate confidence that cyber actors, including those who support violent extremism, are likely to continue targeting first responders on the World Wide Web, including by distributing personally identifiable information (PII) for the purpose of soliciting attacks from willing sympathizers in the homeland, hacking government websites, or attacking 911 phone systems to hinder first responders’ ability to respond to crises.
The Delaware State Police (DSP) Intelligence Unit is providing the following information for officer safety and situational awareness. Officers should be mindful, when placing prisoners in custody, of smart watches and similar devices that can connect via Bluetooth to a cellular device. Smart watches have the capability to both make and receive phone calls and text messages, as well as erasing same. This could cause an issue if a cellular device and it’s contents are being used as evidence. Through experimentation at Troop 7, it was determined that if a prisoner is in the detention area and the phone is seized, the watch could still be operational.
Terrorist and violent extremist groups have long expressed interest in poisoning and adulterating food and beverage supplies in the West but rarely use this as a tactic. Nonetheless, recent incidents in Europe and Africa underscore the continued interest by some groups in targeting food products at point-of-sale, distribution, and storage. The mere threat of product adulteration in the Homeland almost certainly would cause psychological and economic harm. While we have not seen any specific, credible terrorist threats against Homeland food production and distribution infrastructure, we cannot rule out the possibility of inspired violent extremists or disgruntled insiders attempting to adulterate or poison food and beverages with commonly available toxic industrial chemicals or crude biological toxins due to the relative ease of product manipulation, especially at the last point of sale, which criminal actors have demonstrated consistently in the past.
OCIA assesses that if specific industrial control systems (ICS) were successfully infected with ransomware, it could affect the ability of certain sectors to provide real-time management and control of large networks of geographically scattered equipment. Although security researchers have demonstrated the possibility of ransomware targeting control systems, OCIA assesses that such an attack is highly unlikely given the higher success rate against consumer and business systems, the likelihood that business and process control networks are segmented, and the ability for operators to take a control system out of service and employ manual overrides.
On May 12, 2017, organizations across the world reported ransomware infections impacting their computer systems. The infections, caused by a ransomware strain referred to as WannaCry, restricts users’ access to a computer and demands a ransom to unlock it. The U.S. Department of Justice defines ransomware as, a type of malicious software cyber actors use to deny access to systems or data until the ransom is paid. After the initial infection, ransomware attempts to spread through systems and networks.
Recent large-scale civil disturbances in two states led the respective governors to mobilize state National Guard (NG) forces. These incidents raised questions and concerns about the appropriate and effective use of NG intelligence capabilities to support domestic civil disturbance operations. Domestic missions are no different from overseas missions in that a key requirement for mission success is situational awareness (SA)—leaders and commanders at all levels must be aware of the situation on the ground and have a deep understanding of the operational environment in which their forces are operating and the inherent threats faced in that environment. Overseas, where the threat is by definition foreign, the intelligence component provides the preponderance of threat data. Domestically, defining threat information may entail the collection of information concerning U.S. persons. By law, the military and civilian intelligence components face constraints in the manner they may lawfully collect, disseminate, and retain such information.
Use of vehicles by violent extremists for ramming attacks has increased steadily, while use of vehicle-borne improvised explosive devices (VBIEDs) remains rare outside the Middle East. Given the ease with which ramming attacks can be accomplished, it is likely use of this tactic will continue to rise. Unlike VBIEDs, ramming attacks require little specialized training or skill, present minimal risk of detection when acquiring the weapon, and offer flexibility with regard to preparation, timing, and target. Foreign terrorist organizations (FTOs) have pointedly encouraged use of vehicle ramming attacks, offering explicit tactical advice on vehicle selection, driving tips to maximize fatalities, and targeting suggestions that include parades, festivals, street fairs, outdoor markets or conventions, political rallies, and other crowded targets of opportunity.
Vehicle-ramming attacks are considered unsophisticated, in that a perpetrator could carry out such an attack with minimal planning and training. It is likely that terrorist groups will continue to encourage aspiring attackers to employ unsophisticated tactics such as vehicle-ramming, since these types of attacks minimize the potential for premature detection and could inflict mass fatalities if successful. Furthermore, events that draw large groups of people—and thus present an attractive vehicle ramming target—are usually scheduled and announced in advance, which greatly facilitates attack planning and training activities.
The Department of Homeland Security (DHS) assesses that given the high value of patient information and proprietary data on the black market, the Healthcare and Public Health Sector will continue to be one of the primary targets for malicious cyber actors. Stolen health data sells on the black market for more than 10 to 20 times the price of stolen credit card data. DHS assesses that growth in the medical device market over the next 4 years will result in more devices connected to the Internet, and an increase in the number of cyber-related incidents that target those devices. This is partly because manufacturers do not place enough emphasis on the security of medical devices.
An unidentified actor or actors between November 2016 and January 2017 targeted a US water and sewage authority’s network, resulting in excessive cellular charges and unusual traffic on ports 10000 and 9600, according to an FBI source with excellent access who spoke in confidence but whose reliability cannot be determined. The FBI source indicated that four of the seven devices on the authority’s cellular data plan were impacted with high data usage, which was likely a result of compromised network devices. The November 2016–December 2016 billing cycle totaled $45,000, and the December 2016–January 2017 billing cycle totaled $53,000.
(U//FOUO) U. S. Marine Corps Forces Europe and Africa Campaign Plan 2016-2020: Theater Crisis and Contingency Response Forces in Readiness
The U.S. Marine Corps Forces Europe and Africa Campaign Plan 2016-2020 defines the organization’s desired baseline operating conditions and capabilities beyond a one-year planning and execution cycle and directs action to achieve desired end states. The Campaign Plan synthesizes strategic guidance provided by U.S. European Command (USEUCOM), U.S. Africa Command (USAFRICOM), and Headquarters Marine Corps (HQMC); accounts for the Commanders’ priorities and vision; establishes a deliberate yet broadly-defined multi-year plan to achieve stated objectives; and provides a framework for implementation, periodic assessment, and refinement.
(U//FOUO) NCTC Homegrown Violent Extremist Mobilization Indicators for Public Safety Personnel 2017 Edition
The indicators of violent extremist mobilization described herein are intended to provide federal, state, local, territorial and tribal law enforcement a roadmap of observable behaviors that could inform whether individuals or groups are preparing to engage in violent extremist activities including potential travel overseas to join a Foreign Terrorist Organization (FTO). The indicators are grouped by their assessed levels of diagnosticity—meaning how clearly we judge the behavior demonstrates an individual’s trajectory towards terrorist activity.
Department of Homeland Security, Federal Bureau of Investigation, Intelligence Fusion Centers, U.S. Secret Service
(U//FOUO) DHS-FBI-USSS Joint Threat Assessment 2017 Presidential Address to a Joint Session of Congress
This Joint Threat Assessment (JTA) addresses threats to the 2017 Presidential Address to a Joint Session of Congress (the Presidential Address) at the US Capitol Building in Washington, DC, on 28 February 2017. This assessment does not consider nonviolent civil disobedience tactics (for example, protests without a permit) that are outside the scope of federal law enforcement jurisdiction; however, civil disobedience tactics designed to cause a hazard to public safety and/or law enforcement fall within the scope of this assessment.
Recent calls over the past year for attacks on hospitals in the West by media outlets sympathetic to the Islamic State of Iraq and ash-Sham (ISIS) highlight terrorists’ perception of hospitals as viable targets for attack. Targeting hospitals and healthcare facilities is consistent with ISIS’s tactics in Iraq and Syria, its previous calls for attacks on hospitals in the West, and the group’s calls for attacks in the West using “all available means.” While we have not seen any specific, credible threat against hospitals and healthcare facilities in the United States, we remain concerned that calls for such attacks may resonate with some violent extremists and lone offenders in the Homeland because of their likely perceived vulnerabilities and value as targets.
CI focuses on negating, mitigating, or degrading the foreign intelligence and security services (FISS) and international terrorist organizations (ITO) collection threat that targets Army interests through the conduct of investigations, operations, collection, analysis, production, and technical services and support.
(U//FOUO) DHS Intelligence Note: Germany Christmas Market Attack Underscores Threat to Mass Gatherings and Open-Access Venues
A 25-ton commercial truck transporting steel beams from Poland to Germany plowed into crowds at a Christmas market in Berlin at about 2000 local time on 19 December, killing at least 12 people and injuring 48 others, several critically, according to media reporting citing public security officials involved in the investigation. The truck was reportedly traveling at approximately 40 miles per hour when it rammed the Christmas market stands. Police estimate the vehicle traveled 80 yards into the Christmas market before coming to a halt.
The Arab World is a vast area which is home to people from diverse cultures. The way in which people behave and interact with you will therefore vary greatly across the region. This guide discusses aspects of Arab culture that you might experience in Algeria, Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Libya, Mauritania, Morocco, Oman, the Palestinian Territories, Qatar, Saudi Arabia, Sudan, Syria, Tunisia, the United Arab Emirates (UAE) and Yemen. Further reading on individual countries is recommended before you deploy.