UNCLASSIFIED//FOR OFFICIAL USE ONLY
Traffic Light Protocol: GREEN

Joint Cyber Bulletin
December 30, 2014, JP2014-0451

(U) Malicious Cyber Actors Attempt to Disrupt Law Enforcement and Government Websites

California State Threat Assessment Center
Multi-State Information Sharing and Analysis Center (MS-ISAC)
Northern California Regional Intelligence Center

Risk: low probability of occurrence – Impact: limited impact event

(U//FOUO) Executive Summary: Since at least December 1st, malicious cyber actor(s) have targeted a variety of police departments and municipalities nationwide. These actors claim to be acting in reaction to Ferguson-related protests and incidents of alleged police brutality, and employ both denial of service (DoS) and doxxing tactics against their targets. We assess that any organization that receives negative mainstream media coverage related to incidents of alleged police brutality is at risk of DoS attacks, and that its senior executives and involved officers are at risk of being doxxed.

(U//FOUO) The Risk: Beginning on December 1st, malicious cyber actor(s) operating the Anonymous-affiliated @DigitaShadow Twitter account claimed to have targeted 25 law enforcement, state, and local government websites in 9 separate states and to have doxxed two government officials. While some of the attacks are substantiated as DoS attacks and attributed to @DigitaShadow, we believe @DigitaShadow is also posting falsified information in an effort to further promote a hacktivist agenda.

(U//FOUO) The Actor: @DigitaShadow claims to be aligned with Anonymous and GhostSec.
In August and November, @DigitaShadow actively participated in #OpFerguson and supported other Anonymous operations targeting alleged incidents of police brutality, primarily claiming participation in successful DoS attacks. [1] (DoS: an explicit attempt to make a machine or network resource unavailable to its intended users. [2]) As of December 7, 2014, @DigitaShadow's Twitter posts indicate a shift toward more opportunistic targeting, including targeting of state and local government and law enforcement websites regardless of recent alleged incidents of police brutality.

(U) The Events: In December, @DigitaShadow shifted focus from #OpFerguson to supporting operations relating to incidents of alleged police brutality, and then to opportunistic attacks against other local governments. December targeting in relation to alleged incidents of police brutality includes numerous California websites, as well as websites for New York, Ohio, and Utah-based government agencies. Targeting of websites not affiliated with known alleged incidents of police brutality included attacks on Florida, New York, Texas, Virginia, and Washington-based government agency websites.

Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

• (U) On December 7, @DigitaShadow claimed via Twitter to have taken four police department websites in California's Bay Area offline, [3,4,5,6] allegedly in support of protests occurring in Berkeley, CA.
(U) States Where @DigitaShadow Claimed Activity Against a State, Local, or Law Enforcement Agency, December 1-29, 2014

State        # of Websites Targeted
California   8
Florida      1
Illinois     1
New York     3
Ohio         4
Texas        5
Utah         1
Virginia     1
Washington   1
TOTAL        25

• (U) On December 8, @DigitaShadow claimed via Twitter successful DoS attacks against the California Highway Patrol [7] and San Diego Police Department [8] websites.

• (U) Between December 7 and 10, @DigitaShadow targeting expanded to include websites for state and local governments and law enforcement agencies based in Florida, [9] Washington, [10] Virginia, [11] New York, [12] Utah, [13] and Texas. [14]

• (U) On December 9, @DigitaShadow posted information regarding the targeting of the City of Oakland and Oakland Police Department websites, [15,16] in conjunction with Anonymous targeting Oakland PD social media accounts in response to a protester who was reportedly hit in the head with a non-lethal round and transported to a hospital. [17]

• (U//FOUO) On December 10, @DigitaShadow posted a link to the doxxing of a state Governor, [18] which is the first time @DigitaShadow was directly linked to a doxx. (Doxxing: collecting and releasing the personal information of targets.) On December 19, the actor doxxed a law enforcement officer for producing police-supporting material in response to a highly publicized incident of alleged police brutality. [19,20] There are only two doxxing incidents, so it is not clear whether @DigitaShadow intends to begin doxxing government and law enforcement officials. We recommend that all government and law enforcement officials be aware of the potential for doxxes.

(U) Possible @DigitaShadow Coordination

(U//FOUO) It is possible that @DigitaShadow is coordinating with other Anonymous-affiliated actors, as the account has referenced the #OpAnonVerdict and #OpXmasPD campaigns. For instance, an affiliated Twitter account, @DigitaWarfare, predominantly posted doxxings of government officials, while @DigitaShadow focused on announcing alleged DoS attacks. At one point, @DigitaShadow claimed that @DigitaWarfare was a bot that reposted @DigitaShadow's Twitter posts. [21] @DigitaWarfare posted the doxx of a Chief of Police, which @DigitaShadow referenced in one instance. [22] Then on December 11, Twitter suspended the @DigitaWarfare account. [23] Almost immediately following the suspension, the @DigitaShadow account posted the doxx of a state Governor. [24] It is likely that the actors behind these accounts are affiliated or know each other; however, there is currently no substantiation of this.

(U) Other California Targeting Attempts

• (U) On December 9, a malicious cyber actor claiming to be affiliated with Anonymous posted a video on #OccupyOakland's Twitter page calling for unspecified action to be taken against a Berkeley Police Officer following the officer's involvement in a recent Bay Area protest. [25]

• (U//FOUO) During the evening of December 9, a municipality experienced a DoS attack that affected email and Internet access for its police department.
A Twitter account using the handle @OpBerkeley took credit for the attack. [26]

• (U//FOUO) On December 9 and 11, two California police departments reported potential DoS activity targeting their networks but were able to mitigate the threat before any damage occurred. [27] No targeting claims were posted on social media, and actor attribution is unknown.

(U//FOUO) Outlook: Due to @DigitaShadow's shift to more opportunistic targeting, we believe the actor(s) are disorganized and lack a concrete agenda. As a result, it is possible that targeting by @DigitaShadow will suddenly cease or shift focus. Despite this assessment, entities should be aware that the actor(s) behind @DigitaShadow have already announced that they are watching a court case in Texas and have indicated the likelihood of increased targeting of government entities in the event of an unfavorable decision. [28]

(U) The Action: We recommend the following protective actions:

(U) Proactive DoS attack protections include:
• (U) Establish connections with multiple Internet Service Providers (ISPs) for redundancy;
• (U) Ensure Service Level Agreements with ISPs contain provisions for DoS mitigation (such as IP address rotation);
• (U) Rate-limit traffic at the network perimeter;
• (U) Deploy an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) on the workplace network;
• (U) Create backup, remote-site network infrastructure utilizing multiple addressing schemes; and,
• (U) Use Content Delivery Network (CDN) providers that host geographically or logically separated services.

(U) Reactive DoS attack protections include:
• (U) Execute ISP address rotation;
• (U) Block source IP addresses generating DoS traffic at the enterprise boundary or within ISP infrastructure; and,
• (U) Acquire increased bandwidth capability from the ISP.
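The reactive measures above end with blocking the source addresses that generate DoS traffic. As an added example, not part of this bulletin, the following Python script shows one way to pick those addresses out of a web server access log: it counts requests per source inside a sliding time window, flags any source that exceeds a threshold, and renders nftables drop rules for the boundary firewall. The sample log lines, the 10-second window, the 30-request threshold, the internal address ranges and the `inet filter` / `input` table and chain names are all constructed assumptions for illustration, not values taken from the bulletin.

```python
"""Pick out DoS sources from a web server access log and emit perimeter block rules.

Added example, not part of the bulletin. Parses Combined Log Format lines, counts
requests per source address in a sliding time window, flags sources above a
threshold, and renders nftables commands to drop them at the enterprise boundary.
The sample log, the window, the threshold and the firewall table/chain names
are constructed assumptions for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache/nginx Combined Log Format; only the source address and timestamp are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Address space that must never be blocked by an auto-generated rule (assumption:
# RFC 1918 and loopback cover the organization's internal networks).
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: one source sending 4 requests/second for 30 seconds,
# two ordinary visitors, and one malformed line.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.45 - - [09/Dec/2014:21:15:{s:02d} -0800] "GET / HTTP/1.1" 200 4521'
     for s in range(30) for _ in range(4)]
    + ['198.51.100.7 - - [09/Dec/2014:21:15:05 -0800] "GET /news HTTP/1.1" 200 3344',
       '198.51.100.7 - - [09/Dec/2014:21:15:20 -0800] "GET /contact HTTP/1.1" 200 1200',
       '192.0.2.88 - - [09/Dec/2014:21:15:12 -0800] "GET /records HTTP/1.1" 200 980',
       'garbage line that does not parse']
)


def parse_log(text):
    """Return [(timestamp, ip)] in time order; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            entries.append((datetime.strptime(m.group("ts"), TS_FMT),
                            ip_address(m.group("ip"))))
        except ValueError:
            continue  # bad timestamp or address: skip rather than abort the run
    entries.sort(key=lambda e: e[0])  # merged or rotated logs may be out of order
    return entries


def find_flooders(entries, window_seconds=10, max_requests=30):
    """Map each source whose request count in some window_seconds-long window
    exceeded max_requests to its peak count in that window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    peak = defaultdict(int)
    for ts, ip in entries:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # evict requests that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def block_rules(flooders, allowlist=()):
    """Render nft commands for the flagged sources, skipping internal space and
    any explicitly allow-listed address (monitoring hosts, ISP probes, ...).
    Assumes an existing `inet filter` table with an `input` chain."""
    allow = {ip_address(a) for a in allowlist}
    rules = []
    for ip in sorted(flooders, key=lambda i: (i.version, int(i))):
        if ip in allow or any(ip in net for net in INTERNAL_NETS):
            continue
        family = "ip" if ip.version == 4 else "ip6"
        rules.append(f"nft add rule inet filter input {family} saddr {ip} drop")
    return rules


def analyze(text, window_seconds=10, max_requests=30, allowlist=()):
    """Run the pipeline; returns ({source: peak_count}, [nft rule strings])."""
    flooders = find_flooders(parse_log(text), window_seconds, max_requests)
    return {str(ip): n for ip, n in flooders.items()}, block_rules(flooders, allowlist)


if __name__ == "__main__":
    flagged, rules = analyze(SAMPLE_LOG)
    for ip, n in flagged.items():
        print(f"{ip}: peak {n} requests in 10 s")
    print("\n".join(rules))
```

Two caveats before wiring anything like this into a firewall. First, blocking by source address only helps against floods that come from a small number of real addresses; spoofed or widely distributed traffic, and any flood that already saturates the upstream link, can only be absorbed by the ISP or a CDN, which is why the proactive list above puts ISP agreements and CDN hosting first. Second, a flagged address can be a NAT gateway or proxy fronting many legitimate users (a school district or a partner agency, for example), so review the flagged list and the allowlist before the rules are applied, and time-limit any rule that is.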
(U) Other best practices to prevent network infiltration include the following:
• (U) Ensure the website is protected against SQL injection attempts;
• (U) Routinely update and patch servers;
• (U) Employ the latest version of tools designed to scan ports and IP addresses to identify vulnerabilities;
• (U) Configure e-mail systems with rules/filters to compartmentalize incoming mail, ensuring that a mass e-mail influx will only affect a single or limited set of addresses;
• (U) Prohibit users from visiting or clicking on suspicious sites or links; and,
• (U) Update content management software, firewalls, and anti-virus software.

(U) To prevent doxxing, consider implementing the following measures:
• (U) Identify what personal information is available online and restrict it where possible. Restrict access to public records containing personal information by contacting the appropriate agency or by requesting that public directory websites withhold your information;
• (U) Turn on all privacy settings on social media sites and refrain from posting pictures identifying you as a LEO or SLTT government official;
• (U) Use two-factor authentication where available on websites that require a login;
• (U) Closely monitor your credit and banking activity and do not use automatic login features; and,
• (U) Advise family members to take the same precautions.

(U) The information in this document is current as of December 30, 2014.
More information regarding potential cyber threats is available by contacting:

California State Threat Assessment Center
916-874-1100
STAC@caloes.ca.gov

Center for Internet Security Integrated Intelligence Center / MS-ISAC
518-266-3460
IIC@cisecurity.org
www.cisecurity.org

Northern California Regional Intelligence Center
866-367-8847
cyber@ncric.ca.gov

(U) Tracked by: HSEC-1.1, HSEC-1.8, HSEC-1.9, HSEC-1.10

(U) Feedback: The CIS/MS-ISAC, NCRIC and STAC encourage your feedback using the survey found at https://www.surveymonkey.com/s/63SMDS7.

(U) Endnotes
1 (U) @DigitaShadow (November 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow
2 (U) Preimesberger, Chris. "DDoS Attack Volume Escalates as New Methods Emerge". eWeek. (May 28, 2014). Accessed online: http://www.eweek.com/security/slideshows/ddos-attack-volume-escalates-as-new-methodsemerge.html
3 (U) @DigitaShadow (December 8, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/541840443923648512
4 (U) @DigitaShadow (December 8, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/541819059936190464
5 (U) @DigitaShadow (December 8, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/541813486037528576
6 (U) @DigitaShadow (December 7, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/541811315468431361
7 (U) @DigitaShadow (December 8, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542124056473243649
8 (U) @DigitaShadow (December 8, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542174365035790336
9 (U) @DigitaShadow (December 7, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542179980609077248
10 (U) @DigitaShadow (December 9, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542167213034446849
11 (U) @DigitaShadow (December 9, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542163653878116352
12 (U) @DigitaShadow (December 9, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542564758449565698
13 (U) @DigitaShadow (December 9, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542569977099079680
14 (U) @DigitaShadow (December 9, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542580210231947264
15 (U) @DigitaShadow (December 9, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542557832026263552
16 (U) @DigitaShadow (December 9, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542801194306269184
17 (U) "Anonymous Takes Down Oakland Police Website, Twitter, After Protester Shot With Non-Lethal Rounds". Inquisitr. (December 10, 2014). Accessed online: http://www.inquisitr.com/1668595/anonymous-takes-downoakland-police-website-twitter-after-protester-shot-with-non-lethal-rounds/#ch6HpFJkH6GLFcQS.99
18 (U) @DigitaShadow (December 10, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542760535302103040
19 (U) @DigitaShadow (December 19, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/546137115550310400
20 (U) "Ind. Company responds to police protests with 'Breathe Easy' shirts". The Indy Channel. (December 15, 2014). Accessed online: http://www.theindychannel.com/news/local-news/ind-company-responds-to-policeprotests-with-breathe-easy-shirts
21 (U) @DigitaShadow (November 19, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/535335266933026816
22 (U) @DigitaShadow (December 7, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/541806875105579008
23 (U) @DigitaWarfare (December 11, 2014). Twitter. Accessed online: https://twitter.com/account/suspended
24 (U) @DigitaShadow (December 10, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/542760535302103040
25 (U) @OccupyOakland (December 9, 2014). Twitter. Accessed online: https://twitter.com/OccupyOakland/status/542444605057167360
26 (U) Information received from the Northern California Regional Intelligence Center (NCRIC).
27 (U) Information received from the NCRIC.
28 (U) @DigitaShadow (December 17, 2014). Twitter. Accessed online: https://twitter.com/DigitaShadow/status/545453734479011840