Minnesota Fusion Statute ?l3.37 MN Security Information Declaration dated 16 January 2019 Minnesota Minnesota Fusion Center Weekly Partner Brief The Minnesota Fusion Center and FBI encourage agencies and partners to submit information regarding suspicious activity to the Minnesota Fusion Center via your local law enforcement. If you have any questions, concerns, or feedback, please I neSOta contact the Minnesota Fusion Center at 651-793-3730 or mn.fc@state.mn.us. Bureau of Apprehension Fusion Center Brief Contents for 21 May 2020 The P8 Spotlight 0 FOUO Environmental Ri Extremist Tele ram User Incited Violence a ainst Lumber and Wood Industr Executives Homeland Security 0 Impact of US Terror Designation of Russian RMVE Organization 0 Terror Fire Season: ISIS Ramps Up Use of Wild?re Arson as Simple Tactic Law Enforcement 0 Widespread Terrorist and Criminal Use of Communications Challenges Law Enforcement Disruption Efforts Due to Lack of Lawful Access 0 Massive Fraud Against State Unemployment Insurance Programs CIKR - Information Technology 0 NXNSAttack Technique can be Abused for Large-Scale Attacks CIKR - Emergency Services 0 Learning to Recognize when Backdraft Conditions Exist can Save your Life 0 Occupant Load Determination Retail/Business 0 EMR-ISAC Significant Dates and Active Alerts EMERGENCY MEDICAL SERVICES WEEK. MAY 17-23, 2020 Ready today. Preparing for tomorrow. Content to support your COVID- I 9 response ant: to keep you and your rnmmimity safe- WARNING: The information contained in this document is classi?ed For Of?cial Use Only (FOUO). No portion of this document should be released to the media or general public. This document may contain data classi?ed as con?dential, nonpublic, and/or private data under Minnesota Government Data Practices Chapter 13 and subject to restriction. Any release ofthis information could adversely affect or jeopardize investigative activities. Furthermore, all classi?ed information is governed by Executive Order 12958 and 13292. Any unauthorized disclosure of classi?ed information may constitute a violation of Title 18, sections 641, 793, 798, 952, and 1924. Minnesota Fusion Statute ?l3.37 MN Security Information Declaration dated 16 January 2019 Environmental Rights Extremist Telegram User Incited Violence against Lumber and Wood Industry Executives On 16 May 2020, in an online forum, an environmental rights extremist discussed [see full statement to the right] rethinking tree spiking and other sabotage methods to stop logging. The individual explained that large corporations could cover costs of this type of sabotage, and even a few spiked trees would not be a setback for these companies. The individual stated, ?Perhaps instead of playing with the indirect game, direct action would be more effective in preventing the destruction of nature in a given country. A hundred spiked trees are nothing compared to an assassination of a CEO of a logging There?s a certain point at which a man must go and earn his Sainthood.? A second individual shared the post, pinning it to their site with the comment, ?Embrace the eco sainthood," along with screenshots and a list of business executives involved in the lumber and wood materials industry, including one executive of a Minnesota-based corporation with a stake in the logging industry. MNFC Analyst Comment: There have been very few tree spiking incidents in the United States and no known incidents in Minnesota; however, the act could be very detrimental to loggers in the field, as sabotaged saw blades revolving at high speeds could emit shrapnel. Environmental extremists utilize this as a tactic to stop the logging process. In a 2016 incident in Oregon, activists publicly stated they had spiked dozens of trees to prevent loggers from taking them down. The group responsible stated, ?This action was taken to stop production and is not intended to harm any worker at the mill.? While there are no known similar incidents in Minnesota, there are environmental extremist groups present in the state. Therefore, any incitement to harm a Minnesota-based executive can be of concern. Should you or your agency have any information or suspicious activity relative to this incitement or tree spiking, please report it to the MNFC at Source: MNFC MNFC Analyst Comment: Tree Spiking is the act of implanting metal rods or nails into trees at active lumber sites, in the attempt to destroy lumber equipment or injure workers. Full Statement of Environmental Extremist ?I've been rethinking tree spiking and other sabotage methods employed in order to stop logging - they are not as game-ending as one might assume. Large corporations can not only cover the costs caused by them - destroyed saw mills and maimed workers - they?re almost always in bed with the government, making sure that they can exploit as much of the country?s wilderness as possible. A few spiked trees is barely a minor setback for them. Perhaps instead of playing the indirect game, direct action would be more effective in preventing the destruction of nature in a given country. A hundred spiked trees are nothing compared to an assassination of a CEO of a logging company (or his political accomplice), after all - endangering the men on the ground, who are by and large working class White men of good character, does little to actually curb the problem at hand. As far as acceleration goes, even sabotage has its limits. There?s a certain point at which a man must go and earn his Sainthood.? tho can't be burned it tho Lore: 1- stand Image associated with the posts referenced Return to Title Page Minnesota Fusion Statute ?13.37 MN Security Information Declaration dated 16 January 2019 Impact of US Terror Designation of Russian RMVE Organization Scope. This Intelligence Note (IN) evaluates the potential implications associated with the Department of State?s 06 April terror- ist designation of the Russian Imperial Movement (RIM). Our analysis focuses on the limitations it will set for the group's ability to recruit, nance, and travel to the United States. This IN will also address the growing capabilities for information sharing between foreign partners and how some of our foreign partners have begun issuing terrorist designations to white supremacist extremist groups. The information is current as of 29 April 2020. MNFC Analyst Comment: Both the ideology and following surrounding the Russian Imperial Movement (RIM) is Russia-based. In terms of local significance, there is currently no known or confirmed nexus to Minnesota. While US-based racially motivated violent extremists with nationalism leanings may view RIM as a group ?ghting a similar racial-nationalist/anti? immigration fight, their ideologies would not necessarily align enough to accrues supporters in the Homeland. Open source articles have indicated interactions and trainings by RIM for European and US-based radicalization, recruitment, and incitement can and do occur in online settings, across both time and geographic space, and are not tied to any specific ideology. We assess the Department of State?s 06 April terrorist designation of the Saint Petersburg-based RIM and three of its leaders will undermine the group?s ability to recruit new members, raise funds, and send representatives to the United States. While US-based individuals have shown only limited interest in RIM, transnational communication between domestic terroristsa and likeminded individuals increases the sharing of grievances, expertise, and other support to drive radicalizationa and incite violence. 0 designation as a specially designated global terrorist authorizes federal law enforcement to open investigations into US-based individuals suspected of providing material support to the group and denies RIM members access to the US ?nancial systems, according to a Department of State press release.1 Following the US designation, US-based social media platforms?including Facebook, Twitter, and Instagram? shut down pages associated with the group and Russia?s national Internet censorship agency blocked the of?cial website, according to media reporting.2 0 The designation also enhances our ability to prevent RIM members from traveling to the United States and classi?es RIM members as known or suspected terrorists (KSTs), including them in the Terrorist Screening Center?s (TSC) Terrorist Screening Database In 2017, a RIM representative traveled to the United States, and at least one US citizen has attended a seminar at a RIM facility associated with paramilitary training near Saint Petersburg, according to Western news reporting.4 0 In late 2016, two Sweden-based racially or ethnically motivated violent extremists conducted a series of terrorist attacks against two refugee centers and a coffee house in Gothenburg, Sweden, according to a Department of State press release.5 Two of the attackers traveled to Saint Petersburg in August 2016 and underwent 11 days of paramilitary-style training. Following their arrests, Swedish prosecutors handling their case blamed RIM for radicalizing them and providing the training that enabled the attacks. This is the ?rst ever US designation of RMVE terrorists and the United States joins a short but growing list of Western countries who over the last year have applied counterterrorism authorities to designate RMVEs and white supremacist extremists. Such designations will enable formalized information sharing on RIM af?liates and other RMVE actors through HSPD-6 and PCSC agreements, dependent upon the foreign partner and their level of sharing. Information sharing between counties on RMVE groups and identities is often dif?cult as this issue is still in its infancy stages, so the designation provides an opportunity to share and collect information on its leaders, thereby giving us previously unknown insights as to its members and their associated networks. 0 On 21 June 2019, Canada added the ?rst white supremacist extremist group to its list of designated terrorist organizations, neo-Nazi group ?Blood and Honour? along with its armed branch, ?Combat 18,? according to Western news reporting.6 The group is primarily based out of Europe, but has chapters throughout the world, with several American white supremacist extremist groups and individuals proclaiming an association with ?Blood 7 Honour?. a (U) Please see De?nitions? box on the next page. Return 1?0 Title Page Minnesota Fusion Statute ?13.37 MN Security Information Declaration dated 16 January 2019 0 In 2016, the United Kingdom used its terror designation authorities against a white supremacist extremist group for the ?rst time and in February 2020, London outlawed membership of a neo-Nazi group following the arrest of several members accused of plotting attacks against the British royal family, according to a US counterterrorism research institution and a British government press release.8?9 0 By formally designating RIM, we have furthered our ability to track this group and its members as these entities may now be placed into designated DHS watchlisting programs. This has also allowed for increased information-sharing with our foreign partners regarding KST identities associated with RIM, thus signi?cantly hindering its members? and associates? ability to travel to the United States, according to a DHS press release and the Terrorist Screening Center?s Watchlisting Guidance.10'11 (U) DHS De?nitions A white supremacist extremist (WSE) is a group or individuals who facilitate or engage in acts of unlawful violence directed at the federal government, ethnic minorities, or Jewish persons in support of their belief that Caucasians are intellectually and morally superior to other races and their perception that the government is controlled by Jewish persons. Domestic terrorism is any act of unlawful violence that is dangerous to human life or potentially destructive of critical infrastructure or key resources committed by a group or individual based and operating entirely within the United States or its territories without direction or inspiration from a foreign terrorist group. This act is a violation of the criminal laws of the United States or of any state or other subdivision of the United States and appears to be intended to intimidate or coerce a civilian population, to in?uence the policy of a government by intimidation or coercion, or to affect the conduct of a government by mass destruction, assassination, or kidnapping. A domestic terrorist differs from a homegrown violent extremist in that the former is not inspired by and does not take direction from a foreign terrorist group or other foreign power. Radicalization is the process through which an individual changes from a nonviolent belief system to a belief system that includes the willingness to actively advocate, facilitate, or use unlawful violence as a method to affect societal or political change. Racially or ethnically motivated violent extremism (RMVE) are threats involving the potentially unlawful use or threat of force or violence, in furtherance of political and/or social agendas, which are deemed to derive from bias?often related to race or ethnicity?held by the actor against others, including a given population group. 1 I 06 APRIL 2020 I Designation of the Russian Imperial Movement I movement/I (UNCLASSIFIED) (UNCLASSIFIED) 2 [Washington Post I 13 APRIL I Inside white supremacist Russian Imperial Movement, designated foreign terrorist organization by US State Department I (UNCLASSIFIED) (UNCLASSIFIED) 3 I FBI TSC WLG 2018 I I 2018 I I Terrorist Screening Center22018 Watchlisting Guidance I I I 4 [Washington Post I 13 APRIL 2020 I Inside white-supremacist Russian Imperial Movement, designated foreign terrorist organization by US State Department I (UNCLASSIFIED) (UNCLASSIFIED) 5 I 06 APRIL 2020 I Designation of the Russian Imperial Movement I movement/I (UNCLASSIFIED) (UNCLASSIFIED) 6 7 I APRIL 2020 I Blood Honour I (UNCLASSIFIED) I (UNCLASSIFIED) 8 [Counterterrorism Center I JANUARY 2019 I The Evolution of Extreme-Right Terrorism and Efforts to Counter It in the United Kingdom I (UNCLASSIFIED) I (UNCLASSIFIED) I 9 Home Of?ce I 24 FEBRUARY I Government takes action to proscribe right-wing terrorist groups I I I (UNCLASSIFIED) I 1? I 07 JANUARY 2019 I I Known and Suspected Terrorists/Special Interest Aliens I I (UNCLASSIFIED) I (UNCLASSIFIED) I 11 I FBI TSC WLG 2018 I I 2018 I I Terrorist Screening Centerz2018 Watchlisting Guidance I I I (U) Source: DHS Return to Title Page Minnesota Fusion Statute ?l3.37 MN Security Information Declaration dated 16 January 2019 Homeland Security (continued) Terror Fire Season: ISIS Ramps Up Use of Wild?re Arson as Simple Tactic In both action and propaganda, ISIS is yet again promoting the use of arson as a terror tactic taking advantage of warming temperatures to ?nd fuel to set alight with the intent of sowing fear, economic pain and potentially casualties. A new video released by the terror group, ?Strike Their Necks,? is 49 minutes long, and centers around ISIS attacks in Iraq, all with the frenetic pace and production quality of videos produced in the Islamic State?s heyday. The video includes structure arson and nighttime footage of a small group of terrorists setting brush fires. ISIS has previously promoted the use of arson, both of occupied structures and of tinder-dry wildlands, as a cheap terror tactic that requires little skill but can in?ict immense fear and harm. In the ISIS newsletter al-Naba article, ?Roll Up Your Sleeves and Begin the Harvest May Allah Bless What You Reap,? ISIS reminded ?soldiers of the caliphate? that they ?have before you millions of their plantations, fields and homes, as well as their economic foundation? to burn. ISIS said the targets were ?apostates" whose ?hearts have long been burned" and vowed the blazes are ?just the beginning." The terror group also emphasized the economic impact of the fires, noting ?many agricultural lands have been destroyed? and ?tons of crops,? including wheat and barley, went up in ?ames in the jihadists? ?harvest of another kind.? (U) Image taken from video MNFC Analyst Comment: Any ?re outbreak or attack, especially during this time, could have a large impact on ?rst responder resources. This promoted tactic is not a new concept to the Islamic State (IS). The recent incitement of this tactic is of concern as ?rst responder resources are already minimized during the 0VID-19 pandemic. Additional/y, any targeting of other critical infrastructure and key resources sectors could detrimental/y impact the US during this time. The MNFC previously produced a product titled, Pro?Islamic State AI?Adiyat Media Foundation Releases Tips for Lone Wolf Arson Attacks,? which is available for download in the ICEFISHX library. This product provided an overview of an infographic included in the Islamic State?s (IS) newsletter ?AI-Naba,? released on 04 October 2018. In their newsletter, the IS incited followers to utilize ?re as a weapon. Specifically, they stated, ?setting ?re is very easy and the damage is huge so all you have to do is trust Allah and set the ?re and at from the target location and ?ames will do the rest so do you your best and dont let your brothers down.? Their attack tips and targets included the following: (U) Arson Attack Tips (U) Arson Attack Targets 0 Using different ways to cause ?res 0 Vehicles, houses, and farms remote/y utilizing timers and other assisting 0 Shopping centers, wherehouses [sic], gas methods stations, and other in?del trading fascilities [sic] Using ?ame grenades that are easy to make and throwing it at the target 0 Setting ?re in close locations to burn forests Forests near residential areas especially in times of drought Tall buildings and empty houses Attackers may utilize secondary attack methods in an attempt to maximize the damage and fatalities their initial attack caused. Not only may secondary attacks be more deadly than the initial attack, they may also be the intended attack. The use of secondary attack methods poses potential fatal threats to ?rst responders. For example, during the 2013 Boston Marathon, two bombs went o?r near the finish line, killing three spectators and wounding more than 260 other people. While the two detonations were only 12 seconds and 210 yards apart, athletes were still participating in the marathon and ?rst responders were running towards the scene as the second bomb detonated. There could have been more fatalities had there been more time between the two detonations. High?rise buildings are appealing targets to both Foreign Terrorist Organizations (FTO) and HVEs, as they pose a variety of challenges unique to the building?s structure, subsequently affecting transportation within, and evacuation from, impacted buildings. Source: HS Today Return to Title Page Minnesota Fusion Center//Unclassified//FOUO//Minnesota Statute §13.37 MN Security Information Declaration dated 16 January 2019 Law Enforcement Widespread Terrorist and Criminal Use of Encrypted Communications Challenges Law Enforcement Disruption Efforts Due to Lack of Lawful Access Many social media platforms (or mobile messaging applications), utilize end-to-end encryption, where the users are the only individuals capable of decrypting the content. As a result of the ongoing COVID-19 pandemic, many states have issued “stay at home” orders, leading to increased use of various technologies which allow individuals to meet online for work, worship, education, recreation and socialization. As stay at home orders continue, criminals and domestic and international terrorists, who routinely utilize encrypted messaging applications in order to evade detection and forward criminal and terrorist activities could be exacerbated. Some Racially Motivated Violent Extremists (RMVEs) who advocate for the superiority of the white race specifically seek to exploit the COVID-19 pandemic to bolster their narratives and encourage attacks and hate crimes against minorities, including Jewish and Asian Americans. Law enforcement agencies face challenges when attempting to access real time or data stored on cell phones or computers due to encryption, even with a warrant based on probable cause. Encryption creates difficulty in uncovering evidence of an individual’s motives or criminal activities. For example, hate crimes cases require proof of the perpetrator’s bias. While building a case against an individual, prosecutors attempt to use the subject’s own words to prove motive and bias. If this type of evidence is not attainable, it becomes more difficult to successfully prosecute hate crime perpetrators. The FBI encourages our partners to be aware of lawful access challenges as well as to collaborate with law enforcement to identify potential violators and victims of hate crime offenses.  Use of cellular devices to threaten individuals across state lines is a violation of 18 USC. Section 875. This statute may also apply to communicating with hate groups via social media platforms. As the trend to encrypt communications metadata is accelerating, accessing data in motion has become substantially more limited. Additionally, data privacy and security laws, which are necessary to increase privacy and security of user data, will likely complicate traditional law enforcement collection and decrease the volume of exploitable digital exhaust.  Encryption is designed into devices, operating systems, communications and storage applications, and network communications. The FBI’s approach to recovering data stored in secured devices is multi-faceted, and there are several challenges in accessing securely stored data. Data recovery capabilities are product specific, and vary with product version, type, model, processor, software, etc. The challenges of defeating security implemented in hardened electronic components are substantial.  Data localization, retention, and transfer laws also complicate access to international data whether or not the relevant company or information resides in the United States. These laws may limit what data the USG may obtain. The FBI encourages individuals and organizations to remain vigilant and report any related suspicious activity to your local security personnel, law enforcement, and the FBI. These suspicious activities include, but are not limited to:  Potential hate crime perpetrators using open forum platforms to discuss transitioning all future communications to encrypted apps.  Uninvited individuals obtaining access to a private encrypted conversation through nefarious methods and using their gained access to send harassing and intimidating messages and/or images. An example of this is ZoomBombing.  Increasing purposeful use of certain applications by offenders based upon their awareness of the strong encryption utilized by specific manufacturers.  Potential criminal perpetrators utilizing Virtual Private Networks (VPNs) to mask their true identities while performing criminal acts Source: FBI Return to Title Page 6 Minnesota Fusion Statute ?l3.37 MN Security Information Declaration dated 16 January 2019 Law Enforcement (continued) Massive Fraud against State Unemployment Insurance Programs The United States Secret Service has received reporting of a well-organized Nigerian fraud ring exploiting the COVID-19 crisis to commit large-scale fraud against state unemployment insurance programs. The primary state targeted so far is Washington, while there is also evidence of attacks in North Carolina, Massachusetts, Rhode Island, Oklahoma, Wyoming, and Florida. It is extremely likely every state is vulnerable to this scheme and will be targeted if they have not been already. In the State of Washington, individuals residing out-of?state are receiving multiple ACH deposits from the State of Washington Unemployment Bene?t Program, all in different individuals? names with no connection to the account holder. A substantial amount of the fraudulent benefits submitted have used PII from ?rst responders, government personnel, and school employees. It is assumed the fraud ring behind this possess a substantial PII database to submit the volume of applications observed thus far. This fraud network is believed to consist of hundreds, if not thousands, of mules with potential losses in the hundreds of millions of dollars. The banks targeted have been at all levels including local banks, credit unions, and large national banks. Please communicate the information regarding this fraud to the appropriate of?ce at your local state level and liaison with local ?nancial institutions to identify mules and potential seizures. If you have reports of similar activity or do so in the future, please send to the following email router for coordination: Source: United States Secret Service CIKR - Information Technology NXNSAttack Technique can be Abused for Large-Scale Attacks NXNSAttack is a vulnerability in DNS servers that can be abused to launch denial of service (0005) attacks of massive proportions. NXNSAttack impacts recursive DNS servers and the process of DNS delegation. As a safety mechanism part of the DNS protocol, authoritative DNS servers can also ?delegate? this operation to alternative DNS servers of their choosing. The NXNSAttack technique has different facets and variations, but the basic steps are detailed below: 0 An attacker sends a DNS query to a recursive DNS server. The request is for a domain like ?attacker.com,? which is managed altacker as DNS clier?l through an attacker-controlled authoritative DNS server. 0 Since the recursive DNS server is not authorized to resolve this domain, it forwards the operation to the attacker?s malicious 1) attacker queries fo' . . rand123.sub.anacmr com A authoritative DNS server. 0 The malicious DNS server replies to the recursive DNS server with a message that equates to ?I?m delegating this DNS resolving 3 operation to this large list of name servers.? The list contains . . . . DNS thousands of subdomalns for a Victim webSIte. a [ego ve' 2) resolver queries 4) resolve! queues 0 The recursive DNS server forwards the DNS query to all the WW5 . I authoritative sewer ?lIlhOlIlmh/P servers subdomalns on the list, creating a surge in traf?c for the Victim 5 fm anackorcom tor Victim com f3) allacker delegates Using NXNSAttack can amplify a simple DNS query from 2 to 1,620 5575 times its initial size. The NXNSAttack packet ampli?cation factor (PAF) 333332-1313: m- depends on the DNS software running on a recursive DNS server; 00'? ?22:33:? however, in most cases, the ampli?cation factor is many times larger than other 0005 ampli?cation (re?ection) attacks, where the PAF is usually between lowly values of 2 and 10. authoritative DNS server. Source: Return to Title Page Minnesota Fusion Center//Unclassified//FOUO//Minnesota Statute §13.37 MN Security Information Declaration dated 16 January 2019 CIKR - Healthcare and Public Health (U) Unethical Health Care Professionals Very Likely Exploit Patient Face Sheets in Exchange for Kickbacks and To Conduct Fraudulent Billing (U) Executive Summary (U//FOUO) The FBI assesses unethical health care professionals very likely collaborate with marketers representing various medical companies to exploit patient face sheets and patient PII in exchange for kickbacks and to conduct fraudulent billing. This assessment is based on covert meetings organized by unethical health care professionals to discuss prescriptions, patient referrals, and patient face sheets, as well as to arrange kickback payments.  (U) On 17 September 2018, a South Texas pharmaceutical marketer offered to pay a sub-marketer 35 percent of the pharmaceutical marketer’s company commission payment as a kickback to the sub-marketer for prescription referrals from doctors the sub-marketer worked closely with, according to a human source with direct access who has reported for over a year. As of 22 January 2019, the sub-marketer submitted prescriptions and patient face sheets from several doctors to the pharmaceutical marketer for compound medications. The prescriptions and patient face sheets were emailed or faxed to the pharmaceutical marketer for processing, according to the same source.  (U) As of 31 July 2018, a South-Central Texas doctor provided 41 patient face sheets with attached pre-filled prescription forms to a home health marketer. The marketer sorted the patient face sheets by insurance type and sent all private pay patients to a pharmaceutical marketer who represented various pharmacies and laboratories. The pharmaceutical marketer previously paid the home health marketer a kickback of $4,000 for 11 prescriptions. The marketer stated the doctor was unconcerned with what the home health marketer did with the prescriptions. In addition, neither the doctor nor the home health marketer spoke with patients about the medications they were unknowingly prescribed, according to a human source with direct access.  (U) On 26 April 2018, a marketer with a national home health company offered three sub-marketers a $250 kickback for every privately insured and Medicare patient referral sent to the national home health company, according to a human source with direct access. On 03 October 2018, the sub-marketers met with another national home health representative, who revealed a doctor provides patient face sheets once a week for them to determine whether the patients qualify for home health services at the national home health company. Personal information for patients not accepted to the national home health company was forwarded to the sub-marketers for placement elsewhere, according to the same source. (U//FOUO) Unethical Health Professionals Very Likely Forward Patient Face Sheets and Patient PII to Pharmaceutical Labs To Fraudulently Bill Patients Health Insurances (U//FOUO) The FBI assesses unethical health care professionals very likely forward patient face sheets and patient PII to pharmaceutical labs, resulting in the fraudulent billing of patients’ health insurances for unnecessary medications. This assessment is based on FBI interviews and complaints from patients who received medications they had not consented to from medical professionals and pharmacies with whom the patients had no prior or current affiliation.  (U) On 15 July 2019, a relative of a patient who had surgery at a Texas hospital reported that after being discharged, the patient received two prescriptions for Lidocaine in the mail from a South-Central Texas pharmacy unknown to the patient. The pharmacy’s prescription sheet included the patient’s hospital face sheet and the prescribing doctor on the prescription sheet was unknown to the patient, according to a human source with direct access.  (U) On 29 April 2019, shortly after a police officer was discharged from a Texas hospital, a pharmacist with an East Texas pharmacy contacted the officer in regard to a compound medicine prescribed to the officer. The officer stated that although the officer had no affiliation with the inquiring pharmacy and refused the prescription, the pharmacist insisted the officer try the medicines at no charge. The officer confirmed four compound prescriptions were charged to the officer’s health insurance, but charges were later reversed. The prescribing doctor obtained the officer’s personal data when the doctor oversaw part of the officer’s hospital care and submitted a prescription for compound medicines without the patient’s consent, according to a human source with direct access. 8 Minnesota Fusion Statute ?l3.37 MN Security Information Declaration dated 16 January 2019 (U) Outlook The FBI judges unethical health care professionals very likely will increase exploitation of patient face sheets in exchange for kickbacks, in the near term, as unethical health care professionals sell the information in exchange for kickbacks, victimizing the patients and defrauding the insurance companies. Additionally, the FBI judges the subsequent use of patient face sheets and patient PM to bill patients? health providers for unnecessary medications very likely will, in the long term, increase as unethical health professionals exploit a lack of effective means to mitigate the selling of patient information, increasing the ?nancial losses to health care providers and their participants. As most medical facilities maintain usage of patient face sheets to manage patients? care, indicators of exploitation of patient face sheets and patient largely include interviews of patients or former patients who received unnecessary medications or other medical services they had not consented to from pharmaceutical labs or other medical companies with whom they have no current or prior af?liation. Because it is dif?cult to determine whether unethical health care professionals, speci?cally marketers, are legally contracted business associates of covered entities as de?ned by HIPAA, additional indicators of exploitation of patient face sheets and patient include an increase in reporting from tripwires within health care industries identifying medical professionals and business associates collaborating on kickback schemes involving sharing of patient information and increased billing of unnecessary medications or medical serVIces. Source: FBI CIKR - Emergency Services Learning to Recognize when Backdraft Conditions Exist can Save your Life A backdraft is an air-driven event, unlike a ?ashover, which is thermally driven. Backdraft is usually de?ned as a de?agration resulting from the sudden introduction of oxygen into a ventilation-limited space containing unburned fuel and gases. When the air combines with the unburned fuel, rapid ignition can occur with devastating force. The normal oxygen level in air is approximately 21 percent. Below 14 percent, visible ?ame is reduced. When these fuels mix with air, they ignite and burn quickly, resulting in overpressure. Indications of a Backdraft Conditions for backdraft might include: 0 Black smoke becoming dense, greyish yellow without visible ?ames. The smoke color is indicating incomplete combustion. Usually the darker the smoke the more incomplete the combustion. 0 A well-sealed building might indicate air con?nement and excessive heat buildup. 0 High concentrations of ?ammable carbon monoxide could be present as a result of incomplete combustion. 0 Little or no visible ?ame. If ?ames are present, they may be blue in color. Another indicator, might be ?ames in smoke exiting the structure, especially in eaves of the structure. 0 Smoke leaving the building in puffs and being drawn back in. Fire is trying to ?nd oxygen, and this is the appearance of smoke pulling in under doors or through cracks. 0 Smoke stained windows, brown in color, with visible cracking and/or rattling. 0 Sudden, rapid movement of air and smoke inward when an opening is made. Situational Awareness and Defensive Steps to Protect Yourself and Your Crew 0 Perform a 360-degree size-up prior to opening-up wearing full personal protective equipment. 0 Create vertical ventilation prior to making entry. 0 Operate from a position of safety. Always plan an escape route. (U) Click image to view video 0 Pencil the ceiling with a straight stream, without disrupting the thermal layer, to cool gases below their ignition temperature. Source: US Fire Administration Return to Title Page Minnesota Fusion Center//Unclassified//FOUO//Minnesota Statute §13.37 MN Security Information Declaration dated 16 January 2019 CIKR - Emergency Services (continued) Occupant Load Determination – Retail/Business Occupant load purposes Occupant load factors have been established through studies showing how much space people take for activities and movement. These occupant load factors are based on how the space is being used. The state fire and building codes use occupant load calculations to establish:  Egress provisions (such as the number of doors needed and the width of doors, stairs, aisles, and corridors)  When fire protection systems are required (sprinklers, fire alarm systems, etc.)  The type of occupancy (in some cases) Common occupant load factors Here are the common occupant load factors used in retail, business, and mercantile settings from Table 1004.5 of the 2020 Minnesota State Fire Code (MSFC):  Mercantile – 60 sq. ft. per person  Storage – 300 sq. ft. per person  Offices & Businesses (typical use) – 150 sq. ft. per person  Offices (high concentration – example: call centers) – 50 sq. ft. person Applying occupant load factors to buildings To determine the occupant load of a space, divide the size of the space by the occupant load factor of Table 1004.5 (see common ones above). In many retail or business settings, there may be more than one use. Please see the following example. Example of occupant load determination The following is an example of a retail building with a sales area and storage room. The occupant load is determined by measuring the two areas, dividing by the occupant load factors for each area, and adding the two numbers together. Since there are two uses here (retail and storage), there are two different calculations:    Storage Room (shown in yellow):  90 ft. by 20 ft. = 1,800 sq. ft.  1,800 sq. ft. divided by 300 sq. ft. per person = 6 persons Retail / Mercantile Sales Area (shown in blue):  90 ft. by 60 ft. = 5,400 sq. ft.  5,400 sq. ft. divided by 60 sq. ft. per person = 90 persons Total occupant load = 96 persons NOTE: If the occupant load calculations are for compliance with the Governor’s Executive Order for COVID-19 (50% reduction), divide the total occupant load determined above by 2 (total would be 48). Source: Minnesota State Fire Marshal Return to Title Page 10 Minnesota Fusion Statute ?13.37 MN Security Information Declaration dated 16 January 2019 Emergency Management and Response - ln'amatbn Sharing and Analyss The InfoGram May is Wild?re Awareness Month May is Wild?re Awareness Month and on top of all the usual wild?re-related threats to life and property, this year we have another facet to the wild?re response problem: a pandemic. Federal and state authorities are already drafting plans to manage spread in ?re camps used by ?re?ghters. See the Department of the Interior webpage on this topic for guidance on hiring ?re?ghters and protecting them from COVID-19 during wild?re response. In addition, if your agency is creating a COVID-19 response plan for managing personnel during this year?s wild?re season, Wild?re Lessons Learned offers several recent postings on this topic from agencies around the country. You can also submit your own lessons learned to the site. The US Fire Administration (USFA) maintains a wealth of information on wild?re response and wildland urban interface concerns. See the USFA website for things property owners can do to minimize the risk to homes and businesses against losses. You and your department can help homeowners with this process through continued outreach. (Source: USFA) FEMA Releases National Response Framework and NIMS Courses The Federal Emergency Management Agency (FEMA) released two independent study course revisions. National Response Framework, An Introduction, is designed to provide guidance for the whole community. Within this broad audience, the National Response Framework (NRF) focuses on those who are involved in delivering and applying the response core capabilities. First responders and emergency managers are part of this audience. This course revision incorporates the October 2019 NRF updates, including Community Lifelines. The Instructor Led Training (ILT) and classroom materials will be available later this year. National Incident Management System (NIMS) Resource Management is designed to introduce federal, state, local, tribal, and territorial emergency managers, ?rst responders, and incident commanders from all emergency management disciplines to NIMS Resource Management, as well as private industry and volunteer agency personnel responsible for coordination activities during a disaster. This revision incorporates the October 2017 NIMS updates. The course is complete with the ILT and classroom materials. See the National Preparedness Course Catalog for more information and additional courses. (Source: FEMA) Friday Webinars: Alternative Care Site Security, Funding Sources As part of the response to the pandemic, a number entities are involved in establishing AC5 to expand capacity to combat COVID-19. These sites are often placed in non-traditional settings such as major convention centers. This presents many security challenges. On Friday, 22 May 2020, from 2:30-3:45 pm Eastern, HHS and FEMA are hosting the webinar Funding Sources for the Establishment and Operationalization of Alternate Care Sites. This webinar will feature an overview of this issue and discuss the ACS Funding Summary Tip Sheet. (Source: Various) Nearly 2,000 Malicious Domains Created Every Day A new report from researchers found that more than 86,600 domains of the 1.2 million newly registered domain (NRDs) names containing keywords related to the COVID-19 pandemic from 09 March 2020 to 26 April 2020 are classi?ed as ?risky? or ?malicious.? A study analyzing all new domain names containing keywords related to the pandemic found that the United States, Germany, Russia, and Italy had the highest number of malicious coronavirus domains. The United States had far and away the most, with more than 29,000. (Source: TechRepub/ic) Return to Title Page Minnesota Fusion Statute ?13.37 MN Security Information Declaration dated 16 January 2019 The InfoGram Executive Order Prohibits Purchase of Foreign Power Grid Equipment Emergency Management and Response - ln'amatbn Sharing and Analyss The United States government appears to be concerned foreign adversaries could be trying to plant malicious or vulnerable equipment in the country?s power grid. That is why the latest executive order prohibits the acquisition of bulk-power system electric equipment that is designed, developed, manufactured or supplied by an entity that is ?controlled by, or subject to the jurisdiction or direction of a foreign adversary.? This applies to transactions that have been determined to pose a risk to the grid itself, to critical infrastructure or the economy, or to national security or the security and safety of people. (Source: Securitzweek) Coronavirus-Related Cyberattacks Surge 192K in One Week Over the past three weeks, a research firm found 192,000 coronavirus-related cyberattacks per week, a 30 percent surge compared with the previous weeks. These cyberattacks encompass malicious websites with the word ?corona? or ?covid? in the domain name, ?les with ?corona? in their name, and ?les attached to coronavirus-related phishing emails. (Source: TechRegub/ic) Cybercriminals Using Walls in Phishing Attacks New research revealed cyber-criminals are increasingly using official walls to disguise malicious content from email security systems and trick unsuspecting users. walls are typically used to verify human users before allowing access to web content, thus sophisticated scammers are beginning to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of phishing pages and to make phishing sites more believable in the eyes of the victim. (Source: lntosec Magazine) Source: US Fire Administration Return to Title Page Minnesota Fusion Center//Unclassified//FOUO//Minnesota Statute §13.37 MN Security Information Declaration dated 16 January 2019 Significant Dates/Events 23 April 2020 17 May 2020 23 May 2020 25 May 2020 25 May 2020 14 June 2020 04 July 2020 15 July 2020 07 September 2020 Ramadan (ends 05/23/2020) National EMS Week (ends 05/23/2020) Eid al-Fitr (ends 05/24/2020) Memorial Day National Missing Children’s Day Flag Day Independence Day (Federal Holiday) Tax Day Extension Labor Day Worldwide Nationwide Worldwide Nationwide Nationwide Nationwide Nationwide Nationwide Nationwide Recently Added to the ICEFISHX Library 20 February 2020 08 January 2020 06 January 2020 18 December 2019 (U//FOUO) Criminal and Violent Extremist Use of Emojis (U//FOUO) JIB - Escalating Tensions between the United States and Iran Pose Potential Threats to the Homeland (U) National Terrorism Advisory System Bulletin (U//FOUO) Situational Awareness for the 2019 Holiday Season Alert Graphics: 21 May 2020 Alert Graphic Descriptions NTAS Two-level terrorism threat advisory system which replaced the old color-coded system. Overseen by Department of Homeland Security. FPCON Terrorist threat system that describes the amount of measures to be taken by security agencies in order to mitigate threats against military facilities. Replaces the old DEFCON levels and is overseen by Department of Defense. INFOCON Threat level system similar to FPCON which is used by the military to defend against a computer network attack. Overseen by Department of Defense. MARSEC Three-tiered US Coast Guard Maritime Security system designed to communicate an assessment of possible terrorist activity directed towards maritime sectors of transportation, to include nautical facilities and vessels within the jurisdiction of the US. DNR SSR Statewide planning levels for the four regions of Minnesota regarding fire danger ratings. SEOC Minnesota’s level of response based upon scope and magnitude of incidents which occur in the state. Overseen by Minnesota Homeland Security and Emergency Management. Current Alerts: No current alerts. NTAS FPCON INFOCON MARSEC DNR SSR SEOC Expired Alerts: NTAS Bulletin – extended to 03/18/2020: “terrorist groups are urging recruits to adopt easy-to-use tools to target public places and events. Specific attack tactics have included the use of vehicle ramming, small arms, straight-edged blades or knives, and homemade explosives, as well as other acts such as taking hostages.” BRAVO 3 - Risk Identified 1 - Low Statewide Planning Fire Danger Rating Planning Level Level Region 1 Moderate IV(E) Region 2 High IV(E) Region 3 Moderate IV(E) Region 4 Moderate IV(E) Level I: Full Activation IV(E) Go to www.icefishx.org to become a member, receive this and other products directly, and access the Minnesota Fusion Center Resource Library. WARNING: The information contained in this document is classified For Official Use Only (FOUO). No portion of this document should be released to the media or general public. This document may contain data classified as confidential, nonpublic, and/or private data under Minnesota Government Data Practices Chapter 13 and subject to restriction. Any release of this information could adversely affect or jeopardize investigative activities. Furthermore, all classified information is governed by Executive Order 12958 and 13292. Any unauthorized disclosure of classified information may constitute a violation of Title 18, sections 641, 793, 798, 952, and 1924. Return to Title Page 13