On January 27, 2018 at approximately 12:15pm local time, a vehicle resembling an ambulance and laden with explosives detonated after it passed through a police checkpoint in Kabul, Afghanistan. The explosion killed more than 100 people and wounded approximately 235 others. According to the deputy spokesperson for the Afghanistan Interior Ministry, the vehicle was painted to resemble an ambulance and had successfully passed through a checkpoint after the attacker allegedly told police he was transporting a patient to a nearby hospital. While stopped at a second checkpoint farther inside the city limits, the attacker detonated the explosives concealed in the vehicle.
Over the past few years, there has been a definitive rise in school shooting incidents – specifically ‘Active Shooter’ or ‘Rampage Shooting’ events – but while the motives may have evolved, school violence is anything but new. With captive targets, a predictable attack environment, and little to no security hurdles, schools have long been a lucrative environment for violence. Recently though, the violent trend seems to be more popular amongst those with erroneous notions of vengeance, mental instability, and those seeking copycat infamy more than the staunch ideologist typically seen in other types of violent extremism. With that in mind, this joint Washington State Fusion Center (WSFC) and Oregon TITAN Fusion Center (TITAN) assessment intends to aid law enforcement and private and public sector security in understanding the various intricacies of the new-aged active or rampage shooter, how to recognize the signs, and what current measures are being taken to help mitigate the threat.
(U//FOUO) DHS Bulletin: Chemical Splash and Spray Attacks Potential Tactic for Violent Extremists in Homeland
We assess that terrorists likely view tactics involving throwing or spraying acids and a variety of chemical liquids, hereafter referred to as a chemical spray and splash attack (CSSA), as a viable tactic to cause injury and disrupt critical infrastructure, judging from open source reporting describing terrorist social media posts and terrorist and violent extremist use of this tactic overseas. An analysis of a small number of incidents described in media reporting revealed that CSSAs are commonly used by criminal actors to further criminal activities and by violent extremist groups overseas to create fear, intimidate, punish, and disfigure individuals and groups that resist their control or ideology in their area of operations; the tactic, however, has rarely been operationalized by actors in the Homeland. We note, however, that homegrown violent extremists (HVEs) and lone offenders likely would find this tactic appealing and could easily adapt it to the Homeland, as it requires no specific technical expertise and the materials most often associated with criminal attack are usually unregulated and widely available.
(U//FOUO) California Cybersecurity Integration Center Advisory: Security Concerns with Kaspersky Labs Products
On 11 July, the United States Government removed Moscow-based Kaspersky Lab from two lists of approved vendors used by government agencies to purchase technology equipment, amid concerns the cyber security firm’s products could be used by the Kremlin to gain entry into U.S. networks. Last month the Senate Armed Services Committee passed a defense spending policy bill that would ban Kaspersky products from use in the military. The move came a day after the FBI interviewed several of the company’s U.S. employees at their private homes as part of a counterintelligence investigation into its operations.
(U//FOUO) Northern California Fusion Center: Violent Tactics Showcased at Berkeley Riots Likely to be Used at Future Demonstrations
Tactics used by violent Anti-fascists at events in Berkeley on 1 February, 4 March, and 15 April 2017 highlight their ability to exploit peaceful protests with coordinated violent demonstrations, attack law enforcement personnel, destroy property, and conduct information campaigns to advance their socio-political goals. This Advisory Bulletin is intended to inform law enforcement involved in operational planning and event safety at gatherings that violent anti-fascist elements may target.
Use of vehicles by violent extremists for ramming attacks has increased steadily, while use of vehicle-borne improvised explosive devices (VBIEDs) remains rare outside the Middle East. Given the ease with which ramming attacks can be accomplished, it is likely use of this tactic will continue to rise. Unlike VBIEDs, ramming attacks require little specialized training or skill, present minimal risk of detection when acquiring the weapon, and offer flexibility with regard to preparation, timing, and target. Foreign terrorist organizations (FTOs) have pointedly encouraged use of vehicle ramming attacks, offering explicit tactical advice on vehicle selection, driving tips to maximize fatalities, and targeting suggestions that include parades, festivals, street fairs, outdoor markets or conventions, political rallies, and other crowded targets of opportunity.
Department of Homeland Security, Federal Bureau of Investigation, Intelligence Fusion Centers, U.S. Secret Service
(U//FOUO) DHS-FBI-USSS Joint Threat Assessment 2017 Presidential Address to a Joint Session of Congress
This Joint Threat Assessment (JTA) addresses threats to the 2017 Presidential Address to a Joint Session of Congress (the Presidential Address) at the US Capitol Building in Washington, DC, on 28 February 2017. This assessment does not consider nonviolent civil disobedience tactics (for example, protests without a permit) that are outside the scope of federal law enforcement jurisdiction; however, civil disobedience tactics designed to cause a hazard to public safety and/or law enforcement fall within the scope of this assessment.
(U//FOUO) DHS, Fusion Centers Reference Aid: Malicious Terrorism Hoaxes Likely to Endure, Strain State and Local First Responder Resources
This Reference Aid is intended to provide information on malicious terrorism hoaxes that will continue to challenge first responder resources throughout the Homeland and territories. This Reference Aid is provided by I&A, DIAC, NCRIC, NVRIC, and NJ-ROIC to support their respective activities, to provide situational awareness, and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and first responders with recognizing the indicators and implications of malicious terrorism hoaxes. The use of hoax calls may also be used as a technique to lure authorities to a particular location for the purpose of conducting a potential attack, but is not discussed in this article, as luring is viewed as its own distinct tactic.
(U//FOUO) New Jersey Regional Operations Intelligence Center Bulletin: Improvised Explosive Device Awareness
The healthcare sector has been a desirable target for hackers due to the sensitive nature of patient information contained in their systems. The stakes are very high in the healthcare industry because any disruption in operations and care can have significant repercussions for patients. As such, this industry offers an ideal victim for ransomware, and these attacks are likely to continue—disrupting employee access to important documents and patient data and hampering the ability to provide critical services—creating a public safety concern.
(U//FOUO) Wisconsin Fusion Centers Bulletin: Threats Against Law Enforcement and Public Sector Personnel
The NJ ROIC currently has no specific indication of any credible specific threats to transportation facilities. However, with the rise in “self-radicalized” actor(s), and homegrown violent extremists (HVEs) influenced by ISIL and other terror groups, targeted violent attacks to any of these sectors could occur with little or no notice by an individual(s) who has not yet garnered law enforcement attention. This advisory highlights recent transportation concerns in the wake of the recent attacks in Belgium.
(U//FOUO) Boston Regional Intelligence Center Suspicious Activity Behavior & Indicators For Public Sector Partners
This document is intended to highlight several suspicious activity behaviors and indicators that may be indicative of preoperational terrorist activity for business owners and private sector security personnel. This product focuses on behaviors and indicators that would be of interest prior to any major event. This proactive public safety strategy is an ongoing attempt to provide our private sector partners with some information on suspicious activity.
Recent events surrounding the occupation of the Malheur Wildlife Refuge in Harney County Oregon, have culminated in the fatal confrontation of Northern Arizona rancher, LaVoy Finicum. His funeral services will be held on 05 FEB 2016, in Kanab, UT. Finicum will be buried on 06 FEB 2016, close to his Arizona ranch in Cane Beds, AZ. While no credible threats to law enforcement are present at this time, armed extremists are expected to travel through UT; some of which may see this event as a tipping point, and potentially shift toward more violent action. A number of individuals, several of whom were present at the Burns, OR occupation, are planning caravans from UT and NV to travel to the funeral in show of support.
In September 2014, The Islamic State of Iraq and Syria (ISIS) released a propaganda video encouraging its followers to murder “intelligence officers, police officers, soldiers and civilians.” The video was re-released in January 2015 and specifically named the United States, France, Australia and Canada as targets. Now, first responders have an additional threat: Impersonation and misrepresentation by terrorists as first responders. The impersonators main goals are to further their attack plan and do harm to unsuspecting citizens as well as members of the emergency services community.
The New Jersey Office of Homeland Security and Preparedness (OHSP) compiles a statewide list of special events that provides situational awareness to law enforcement, as well as to assist in local planning requirements. Special events include any events that attracts large numbers of participants. Examples include concerts, marathons, parades, sporting events, holiday gatherings, etc.
SWATTING is the act of sending a SWAT team or some type of law enforcement response to a location by convincing law enforcement that an incident has occurred or is about to occur that requires immediate law enforcement response. Characteristics of swatting include, but are not limited to: Callers using internet-based phones such as Skype USBUS and Magic Jack USBUS, or callers using a legal Caller Identification (ID) masking service. Caller ID spoofing/masking services permit cell phones and landline phones to spoof the call’s origins through a service fee based software. Reports of bomb-threats and SWATTING incidents are coming from area elementary, middle, and high schools, along with universities as well. Federal, state, and local partners are working to identify where the calls are originating from.
This Field Analysis Report (FAR) is designed to support awareness and inform enforcement and collection operations of federal, state, and local partners involved in homeland security and counterterrorism efforts. Some of the activities described in the FAR may be constitutionally protected activities and should be supported by additional facts to justify increased suspicion. The totality of relevant circumstances should be evaluated when considering any law enforcement response or action. Our assessment of the level of the Islamic State of Iraq and the Levant’s (ISIL) name recognition since its declaration of a caliphate in June 2014 is based on a review of suspicious activity reporting (SAR) across the United States between 1 January and 30 December 2014, criminal complaints of US persons charged with supporting or seeking to support ISIL, Bureau of Prisons (BOP) intelligence reporting, and DHS I&A open source reporting to assess the influence of ISIL’s messaging campaign within the United States and ISIL’s perceived legitimacy among homegrown violent extremists (HVEs).
(U//FOUO) Northern California Fusion Center Bulletin: Sabotage Against Electricity and Telecommunications Targets
This document identifies recommended actions and guidance for state and major urban area fusion centers (fusion centers) to integrate information technology, cybersecurity, and cybercrime1 prevention (cyber) intelligence and analytic capabilities. Development of these capabilities will inform local, state, and national detection, mitigation, response, recovery, investigation, and criminal prosecution activities that support and maintain the United States’ cybersecurity.
The vision of the 2014–2017 National Strategy is to connect the geographic and public safety diversity of over 38,000 states, counties, cities, and towns together in a way that creates a national information sharing asset that is coordinated with and contributes to federal information sharing efforts. Federal efforts to connect the knowledge and capabilities of the Intelligence Community (IC) often involve state and local law enforcement joining federal efforts. The NNFC is the reversal and broadening of this framework, inviting federal partners to join state and local public safety information sharing efforts. In carrying out this strategy, IC professionals have an opportunity and avenue to bring their knowledge and capabilities to state and major urban area fusion centers, designated by governors and staffed by state and local professionals. As a unique national asset, this state and local network must work seamlessly with field-based intelligence and information sharing entities, providing geographic and interdisciplinary knowledge and perspective without interrupting or replicating federal efforts. The 2014–2017 National Strategy integrates with other criminal intelligence sharing efforts supported by the Criminal Intelligence Coordinating Council.
(U//FOUO) Virginia Fusion Center Bulletin: Malicious Activists May Promote Harm to Emergency Vehicles
The Virginia Fusion Center (VFC) has observed via open sources that actors affiliated with the Anonymous hacktivist movement released a video which purportedly identifies a Chicago Office of Emergency Management and Communications (OEMC) vehicle as a tool for law enforcement wiretapping efforts by police and fusion center personnel in Chicago, Illinois. The VFC is sharing this information for situational awareness, as emergency management vehicles operating near protest areas may be targeted by precipitating violent or malicious activity.