Featured Analysis

16 Jun 2016

DHS Issues National Terrorism Advisory System Bulletin

The Department of Homeland Security has updated the NTAS Bulletin from December 2015, further highlighting the risk of homeland terrorism threats.

“In December, we described a new phase in the global threat environment, which has implications on the homeland. This basic assessment has not changed. In this environment, we are particularly concerned about homegrown violent extremists who could strike with little or no notice. The tragic events of Orlando several days ago reinforce this. Accordingly, increased public vigilance and awareness continue to be of utmost importance. This bulletin has a five-month duration and will expire just before the holiday season. We will reassess the threats of terrorism at that time.

Since issuing the first Bulletin in December, our concerns that violent extremists could be inspired to conduct attacks inside the U.S. have not diminished. Though we know of no intelligence that is both specific and credible at this time of a plot by terrorist organizations to attack the homeland, the reality is terrorist-inspired individuals have conducted, or attempted to conduct, attacks in the United States. DHS is especially concerned that terrorist-inspired individuals and homegrown violent extremists may be encouraged or inspired to target public events or places. As we saw in the attacks in San Bernardino, Paris, Brussels, and, most recently, Orlando, terrorists will consider a diverse and wide selection of targets for attacks. Terrorist use of the Internet to inspire individuals to violence or join their ranks remains a major source of concern. In the current environment, DHS is also concerned about threats and violence directed at particular communities and individuals across the country, based on perceived religion, ethnicity, nationality or sexual orientation.

Counterterrorism Efforts

DHS and the FBI continue to provide guidance to state and local partners on increased security measures. The public may observe an increased law enforcement and security presence across communities, in public places and at events in the months ahead. This may include additional restrictions and searches on bags, more K-9 teams, and the use of screening technologies. The FBI is investigating potential terrorism-related activities associated with this broad threat throughout the United States. Federal, state, and local authorities are coordinating numerous law enforcement actions and conducting community outreach to address this evolving threat.”

03 Jun 2016

Detailed summary of the 2016 Worldwide Threat Assessment of the U.S. Intelligence Community

Each year in a series of Congressional hearings, the Director of National Intelligence testifies on the US Intelligence Community’s assessment of worldwide threats. On February 9, 2016, Director of National Intelligence James Clapper provided this year’s first unclassified testimony to the Senate Armed Services Committee, where he described the current state of intelligence and national security issues facing the United States. Director Clapper began his opening statement with a characterization of global trends in which “unpredictable instability” has become the “new normal.” He went on to highlight the geographic dispersal of violent extremism, regional political instability and the growing refugee crisis, particularly in Europe. In addition, the IC’s assessment points to environmental challenges such as climate change, technological innovation resulting in growing cyber threats, and increasingly assertive adversaries as contributing factors to the erosion of global stability. Taken together with the DNI’s oral and written statements, this resource—organized by both regional and subject area insights—provides an overview of the IC’s Worldwide Threat Assessment for 2016.

Detailed summary of the 2016 Worldwide Threat Assessment of the U.S. Intelligence Community (PDF Report)

31 May 2016

Why Lifting Nuclear Sanctions Will Increase Challenges for the Targets of Iran’s Cyber Capabilities

Executive Summary

The lifting of nuclear sanctions placed on the Islamic Republic of Iran based on the Joint Comprehensive Plan of Action (JCPOA) has ensured the unfreezing of approximately $150 billion in ready assets, the opening of long-term trade partnerships (already extended by several nations), and the lifting of technology transfer sanctions. Given the Islamic Republic’s continued emphasis on cyber-enabled operations, it is likely that significant portions of the freed assets will be directed toward expanding these programs. Over time, that expansion will grant regime-sponsored actors the ability to conduct more sophisticated offensive computer network operations. Such operations include those traditionally understood as offensive, namely cyber espionage and computer network attack (disruptive/destructive operations), as well as those conducted under the guise of internal security and defense, such as domestic information influence operations in line with the regime’s all-encompassing “soft war” cultural doctrine. Historically, Iran has leveraged these capabilities against U.S. interests, and the motivating factors for continuing to do so will persist well beyond the nuclear agreement. Over time, these factors will likely translate to additional challenges for U.S. computer network defense, intelligence, and diplomatic efforts.

The JCPOA has granted Iran access to capital in the short term due to the unfreezing of assets, and in the long term due to trade agreements

On January 16, nuclear sanctions placed on the Islamic Republic of Iran were lifted based on the Joint Comprehensive Plan of Action (JCPOA) created between it and the P5+1, the five permanent members of the United Nations Security Council plus Germany: the United States, the United Kingdom, China, Russia, France, and Germany. The plan of action, agreed to on July 14, 2015 and adopted on October 18, was designed to ensure Iran’s nuclear program was “exclusively peaceful.” In return, the Iranian regime was granted legitimate access to the world’s markets. From 2011 to 2015, under stalwart restrictions on market access and bans on technology transfer, industrial development progressed extremely slowly and the economy was stifled. Economists have estimated that $150 billion worth of ready assets was made available to the Islamic Republic immediately, with the newly acquired ability to legitimately gain more via subsequently proposed economic partnerships with a number of nations. Within two weeks of the JCPOA implementation, heads of state and high-ranking diplomats from several nations, including both Italy and China, had secured long-term trade agreements, the latter of which will amount to roughly $600 billion in bilateral trade over the next decade.

The two-way opening of Iran’s economy will almost certainly raise Iran’s GDP in the years to come, even in the face of a tumbling oil market

The short- and long-term increases in available capital via JCPOA-enabled trade deals are expected to increase overall GDP over the next several years. This opening will be enhanced by the Rouhani administration’s recent economic reforms designed to open up Iran’s markets to the world and promote private businesses within Iran. Some estimates suggest that within 18 months’ time, these new conditions may easily allow economic growth of around 8%, even with a crumbling oil market. Iran has stated that it doesn’t plan to cut production — like other nations such as Russia and Saudi Arabia — to curb plummeting oil prices.

The lifting of sanctions on transfers of dual-use technologies to Iran will make it easier to grow its cyber programs

In 2010, under the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (CISADA), the regime was subjected to “asset freezes on Iranians determined to have violated human rights” and forbidden from the “sale of dual-use technologies which can be used to monitor or control the internet.” However, state-sponsored Iranian actors were able to circumvent this

23 May 2016

FBI Warns of Wireless Keystroke Logger Disguised as USB Device Charger

“KeySweeper is a covert device that resembles a functional Universal Serial Bus (USB) enabled device charger which conceals hardware capable of harvesting keystrokes from certain wireless keyboards. If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information. Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen.

KeySweeper is an Arduino-based device which is contained within the shell of a USB phone charger. It is capable of detecting and decrypting radio frequency (RF) signals from certain Microsoft wireless keyboards manufactured before 2011 (many of which are still available for purchase). The wireless keyboard transmits these RF signals so the associated dongle plugged into a computer can identify which keys the user types. KeySweeper, which measures two to three inches, contains a Subscriber Identity Module (SIM) card that uses a cellular connection to send the data to an associated Web server. This SIM card also enables the device to send text messages to an associated mobile device when it picks up certain keywords such as Web site addresses. A small flash memory module can also store data if the SMS capability is somehow impeded. KeySweeper is hidden within a USB device charger and can be powered directly from an electrical outlet to harvest, decrypt, transmit, and store stolen data. A rechargeable battery serves as optional backup power should the device be removed from the wall.

According to a Microsoft spokesperson, customers using Microsoft Bluetooth-enabled keyboards are protected against KeySweeper attacks. In addition, users of their 2.4GHz wireless keyboard designs produced after 2011 are also protected because those keyboards use Advanced Encryption Standard (AES) encryption technology.

Since Arduino devices are modular and programmable, an actor could harvest data by capturing and decrypting communications protocols from various other wireless devices, depending on the weakness or exploitability of that protocol’s encryption. The device is easy to overlook as it harvests and sends sensitive data to a collector. Although KeySweeper was designed to harvest from a particular brand of wireless keyboard, a cyber actor could program the device to conduct reconnaissance against a variety of devices. Given that RF ranges for all wireless devices registered with the FCC are located on the FCC’s Web site, discovering the frequency for any registered device is relatively simple. An actor could swap out the RF board for one that matches the frequency of the other device. A KeySweeper-like device could be used to harvest data from wireless devices other than wireless keyboards, to potentially include data from Bluetooth, Wi-Fi, or SMS traffic, depending on the difficulty of cracking a protocol’s chosen encryption method. Though the data could be collected, decryption depends on the configuration and protocol.

The primary method of defense is for corporations to restrict the use of wireless keyboards. Since the KeySweeper requires over-the-air transmission, a wired keyboard will be safe from this type of attack. However, if the use of a wireless keyboard cannot be prevented, then ensuring a strong encryption on the keyboard is vital. A keyboard using AES encryption makes it more difficult to read keystrokes as there are currently no known practical attacks to read AES encrypted data. Keyboards using Bluetooth are also safe from KeySweeper as it listens on a different channel than that which Bluetooth transmits. However, Bluetooth keyboards must have encryption turned on and a strong pairing PIN to protect it from a similar type of data-harvesting attack. Additional best practices to

10 May 2016

Business email hack almost costs Washington casino $1,000,000.00 – other casinos at risk

The Federal Bureau of Investigation has issued an alert to law enforcement regarding a business email hack that nearly resulted in the theft of $1m USD from an Indian casino in the state of Washington. The FBI warns that other casinos are potentially at risk given that the spearphishing attack appears to have originated from a vendor servicing multiple casinos.

According to the FBI:

“FBI Seattle Field Office is releasing this report to alert law enforcement of a Business Email Compromise (BEC) scheme targeting an Indian casino located in the State of Washington, as of March 2016. FBI Seattle was in receipt of information indicating an unidentified actor sent phishing emails to the identified Indian casino, likely hacked an associated project management company and generated fraudulent emails impersonating the former Controller of the Indian casino in order to send a request for the wire transfer of nearly $1 million to two bank accounts in Hong Kong. The bank that housed the Indian casino’s accounts stopped the wire transfer after it called to confirm the wire request with the casino’s Director of Finance. A review of the wire transfer request indicated it was sent using the former casino Controller’s email account and altered wire transfer request forms.

The casino’s Information Security Officer believed two separate phishing emails were used to gain access to the casino’s computer network. The first phishing email appeared to be sent internally from the casino’s scanner to the casino’s Director of Finance’s email account. The casino’s Director of Information Technology believed the email contained a malicious attachment which was opened and allowed unauthorized access to the computer which housed prior wire transfer requests. Several employees of the tribe’s Office of Legal Counsel received a second phishing email with a malicious attachment on 30 March 2016 from what appeared to be the president of the project management company who worked on the casino’s expansion project. The subject line of the email was “IMPORTANT AND CONFIDENTIAL,” the body of the email stated, “I’ve shared an item with you. Please find the shared document checklist for your reference.” The attached file was titled “List.pdf.”

The casino’s Information Security Officer believed legitimate forms previously sent to the project management company were altered to add the casino’s logo and the intended recipients of the fraudulent transfer. The casino’s Information Security Officer assessed the project management company’s computer network likely also was hacked by the unidentified actor. The project management company was known to work with several Indian-owned casinos throughout the United States, potentially putting other Indian-owned casinos at risk to be targeted by the same BEC scheme. According to the project management company’s website, the company worked on Indian casino projects in Idaho, Washington, New York, and New Mexico but also claimed to be active in other regions.”

09 May 2016

Smart Farming May Increase Cyber Targeting Against US Food and Agriculture Sector

The FBI and the US Department of Agriculture (USDA) assess that the Food and Agriculture (FA) Sector is increasingly vulnerable to cyber attacks as farmers become more reliant on digitized data. While precision agriculture technology (a.k.a. smart farming) reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers and cloud service providers, develop adequate cybersecurity and breach response plans.

Threat

The FBI and USDA assess that the farming industry’s growing adoption of precision agriculture technology may increase cyber targeting activity against the FA Sector with the intent to steal farm-level data in bulk. A recent example of government-authorized big data analytics demonstrates the value of aggregating farm-level data to track and even anticipate crop availability and pricing. Similarly, criminals could aggregate stolen data or steal analyzed data to exploit US agriculture resources and market trends. The Wall Street Journal in March 2014 reported concerns that the FA Sector will face increased cyber targeting with the growing adoption of equipment and services that collect and analyze farm-level data, including information about soil content and past crop yields as well as planting recommendations (i.e., precision agriculture). On 27 January 2016, the USDA announced the winners of a contest in which Microsoft hosted a century of public climate and crop data for competitors worldwide to design data visualization tools for farmers. For example, the winning tool allows users to follow trends in local crop availability and prices. The intent of the contest was to explore how to render big data in agriculture into a tool that allows farmers to make sustainable decisions that have an impact on food supply.

Other Potential Cyber Risks to Farm-Level Data

In addition to theft, farm-level data may also be vulnerable to ransomware and data destruction. Ransomware has become a significant threat to US businesses and individuals. Perpetrators use ransomware to encrypt a user’s important files, rendering them unreadable until a ransom is paid. Hacktivists may also destroy data to protest, for example, the use of genetically-modified organisms (GMOs) or pesticides. The single most important protection measure against these threats is to implement a robust data back-up and recovery plan. Back-ups should be maintained in a separate and secure location so that malicious actors cannot readily access them from local networks.

Lessons from the Healthcare and Public Health (HPH) Sector

In October 2014, the US Food and Drug Administration (FDA) sponsored a public workshop to discuss the cybersecurity challenges facing the HPH Sector. With regard to medical device manufacturing, expert panelists discussed how hospitals’ financial constraints and focus on patient safety and convenience have resulted in the improper use of legacy devices and a high demand for user-friendly, interoperable devices. This industry pressure has resulted in manufacturers prioritizing usability over security, thereby rendering connected hospital networks vulnerable to cyber attacks. Panelists discussed how industry leaders’ procurement demands—or “market pressures”—for manufacturers to prioritize device cybersecurity very likely are the key to ensuring cybersecurity standards are raised for medical devices overall.

Smart Farming May Increase Cyber Targeting Against US Food and Agriculture Sector (PDF Report)

09 May 2016

Nuclear Reactors, Materials, and Waste Sector Cyberdependencies

The Department of Homeland Security Office of Cyber and Infrastructure Analysis (DHS OCIA) produces cyberdependency papers to address emerging risks to critical infrastructure and provide increased awareness of the threats, vulnerabilities, and consequences of those risks to the Homeland. This note informs infrastructure and cybersecurity analysts about the potential consequences of cyber-related incidents in the Nuclear Reactors, Materials, and Waste Sector and its resilience to such incidents. This note also clarifies how computer systems support infrastructure operations, how cybersecurity incidents compromise these operations, and the likely functional outcome of a compromise. For this note, infrastructure cybersecurity incidents are defined as actual and potential events that exploit cybersecurity vulnerabilities. Cyber attacks can disrupt or corrupt normal operating conditions in computer systems; networks; industrial control systems (ICS); or electronic devices that control, monitor, or support the function of infrastructure. Infrastructure is cyberdependent when it relies on computers or information technology to support its physical operations and essential functions. This note focuses on the potential impacts of incidents on various types of Nuclear Reactors, Materials, and Waste Sector cyberdependent systems and functions. A cybersecurity incident at a Nuclear Reactors, Materials, and Waste Sector asset may have no effect on the infrastructure itself, yet still affect the Sector by the addition of new protective requirements. So many safeguards exist that cyber attacks against a nuclear power plant are not likely to succeed without the aid of authorized personnel within the restricted access areas. Analysis of complex, sophisticated, and distributed cyber attacks against multiple Nuclear Reactors, Materials, and Waste Sector assets is beyond the scope of and resources available for this note.

DHS OCIA developed this note with input from the Idaho National Laboratory and in coordination with the DHS National Protection and Programs Directorate (NPPD) Office of Infrastructure Protection and the DHS NPPD Office of Cybersecurity and Communications Industrial Control Systems Computer Emergency Response Team (ICS–CERT); National Infrastructure Simulation and Analysis Center (NISAC); the Nuclear Regulatory Commission (NRC); and representatives of the Nuclear Reactors, Materials, and Waste Sector Coordinating Council.

KEY FINDINGS

Nothing suggests that a cyber attack executed through the Internet could cause a nuclear reactor to malfunction and breach containment. Nuclear power reactors have comprehensive safeguards that protect control system safety and security and prevent the misuse of portable media (e.g., Universal Serial Bus [USB] devices) and portable equipment (e.g., maintenance laptops) from circumventing these protections. The layered defenses protecting critical digital assets in nuclear power plants are designed to prevent the possibility of anyone without unescorted access from initiating a cybersecurity incident affecting these systems. If preexisting undetected vulnerabilities or compromises in the digital equipment or software create a problem, alternative means are available for accomplishing safety and security functions. U.S. nuclear power reactor safety systems must have at least two independent systems to (1) keep the reactor coolant pressure boundary intact, (2) shut down and maintain the plant in a safe shutdown condition, and (3) ensure no radioactive release occurs in excess of federal limits. Multiple ways exist to read critical plant operational parameters. All operators are trained to rely on more than one indicator to make decisions in operating a plant. Even if authorized and knowledgeable individuals attempted to do harm, they would have to compromise several systems to sabotage the plant.

If a single nuclear power reactor goes offline, the electric grid could manage the loss of supply in most circumstances. Under peak loads, the worst cascading effect might be rolling blackouts until the supply and demand balance.

POTENTIAL CONSEQUENCES OF CYBERSECURITY INCIDENTS

The protections achieved through compliance with regulations are expected to preclude any consequence from cybersecurity

09 May 2016

FBI Report on Significant Events in Domestic Extremism for 2015

The following 19 incidents and disrupted plots are derived from data collected by the FBI. These events, conducted by individuals inspired by a political or social agenda without foreign direction, are criminal in nature and caused, or could have reasonably led to, death, grievous harm, or financial losses of at least $1 million. The targets, tactics, and number of significant events occurring in 2015 are consistent with the 15 events identified for 2014, 19 events for 2013 and 12 events for 2012. The information presented here occurred between 1 January 2015 and 31 December 2015.

22 January 2015, Atlanta, Georgia

A sovereign citizen extremist allegedly engaged in extensive ideologically-motivated mortgage, bank, and tax fraud, debt elimination schemes, and identity theft with cumulative estimated losses totaling $1.5 million. Federal charges are pending.

6 February 2015, Chicago, Illinois

Animal rights extremist(s) are suspected of allegedly setting fire to an occupied building containing horse carriages and of spray painting “FREE,” “SAVE THE HORSES,” and “FREEDOM” at the scene. The arson destroyed 13 carriages and significantly damaged the building, leading to $130,000 in estimated damages. Two people and four horses occupied the building at the time of the arson. This case remains under federal investigation.

9 February 2015, Orange County, Florida

A sovereign citizen extremist shot and wounded two Sheriff’s deputies in an ambush as they responded to a domestic incident. Sheriff’s deputies subsequently shot and killed the individual.

19 February 2015, Elkins, West Virginia

An anarchist extremist was arrested for unlawful possession of explosives. According to reporting, the individual expressed anti-government sentiment and planned to bomb the federal courthouse in Elkins, West Virginia, to shoot first responders, and to target a concert area and bank during a festival in October 2015. Searches recovered numerous weapons, explosives, boosters, electric blasting caps and ammunition. The subject pled guilty and was sentenced in July 2015 to eight months in federal prison for possession of stolen explosives.

12 March 2015, Stover, Missouri

A white supremacy extremist was arrested and charged in federal court for allegedly making threats against President Obama. The individual solicited to obtain a firearm from a confidential informant and sought assistance in the plan from an undercover law enforcement officer. The subject is being held in federal custody pending trial.

25 March 2015, St. Louis, Missouri

An anarchist extremist was arrested for multiple firearms violations. The subject, who expressed anti-government and anti-law enforcement sentiments and does not pay taxes, stated he wanted to kill multiple police officers and his ex-wife. He pled guilty to a federal charge of possession of a machine gun in November 2015 and was sentenced in February 2016.

25 March 2015, Livingston, Montana

A militia extremist who was convicted of illegal possession of a machine gun and possession of an unregistered firearm planned to shoot politicians, judges, and law enforcement officers. The individual is awaiting sentencing in federal court.

2 April 2015, Tallahassee, Florida

Three white supremacy extremists associated with the Traditional American Knights of the Ku Klux Klan allegedly engaged in a conspiracy to murder an African American man. The individuals were arrested on state charges and currently are awaiting trial.

10 April 2015, Signal Mountain, Tennessee

The FBI disrupted a plot by a militia extremist allegedly to set fire to a mosque, school, and cafeteria at an Islamic community in upstate New York. The case is currently being adjudicated in federal court.

17 June 2015, Charleston, South Carolina

A white supremacy extremist allegedly shot and killed nine people at the Emmanuel AME Church. All of the victims were African American. The individual, who has been charged by

