Minnesota Fusion Center//Unclassified//FOUO//Minnesota Statute §13.37 MN Security Information Declaration dated 16 January 2019

Minnesota Fusion Center Weekly Partner Brief

The Minnesota Fusion Center and FBI encourage agencies and partners to submit information regarding suspicious activity to the Minnesota Fusion Center via your local law enforcement. If you have any questions, concerns, or feedback, please contact the Minnesota Fusion Center at 651-793-3730 or mn.fc@state.mn.us.

Brief Contents for 25 April 2019

The PB Spotlight
- Situational Awareness Message - Update 2: Islamic State of Iraq and Syria (ISIS) Publishes Claim of Responsibility for Coordinated Bombings in Sri Lanka

Homeland Security
- (U) Ideologically Motivated Lone Actors, Small Groups Pose Greatest Terrorist Threat to Homeland

CIKR - Energy
- New Study Examines Current State of Grid Cybersecurity Efforts

CIKR - Communications
- A Risk Analysis of Huawei 5G

CIKR - Healthcare and Public Health
- DEA National Prescription TakeBack Day
- Potential Vape Pen Fire Hazard

CIKR - Information Technology
- Cyber Insider Threat Actors Disrupt Networks and Steal Data, Inflicting Significant Losses to US Businesses
- (U//FOUO) Realistic Phishing Attack Targeting Minnesota County Employees

CIKR - Emergency Services
- Aviation Safety Alert: Agency UAS (Drone) Operations at Wildfire Incidents
- EMR-ISAC Available Training
- Minnesota Fusion Center Basic Threat Liaison Officer Training Course
- Virtual Instructor-Led Training May 2019 Course Schedule

Significant Dates and Active Alerts

WARNING: The information contained in this document is classified For Official Use Only (FOUO). No portion of this document should be released to the media or general public. This document may contain data classified as confidential, nonpublic, and/or private data under Minnesota Government Data Practices Chapter 13 and subject to restriction.
Any release of this information could adversely affect or jeopardize investigative activities. Furthermore, all classified information is governed by Executive Order 12958 and 13292. Any unauthorized disclosure of classified information may constitute a violation of Title 18, sections 641, 793, 798, 952, and 1924.

(U) Situational Awareness Message - Update 2: Islamic State of Iraq and Syria (ISIS) Publishes Claim of Responsibility for Coordinated Bombings in Sri Lanka

Numerous news media accounts have cited a claim of responsibility by the Islamic State of Iraq and Syria (ISIS) for the coordinated suicide bombings that targeted churches and hotels in Sri Lanka on Easter Sunday. The terrorist attacks killed more than 200 people and wounded more than 500 others. The claim, posted in Arabic text by affiliated Amaq News Agency, reads as follows:

A security source for Amaq Agency: The attack that targeted citizens of the [anti-ISIS international] coalition and Christians in Sri Lanka two days ago was carried out by fighters of the Islamic State.

No details on the attackers, their planning and preparations, or the execution of the operation are provided to validate the claim. In recent months, it has become commonplace for Amaq to claim that acts of terrorism or other forms of violence have been perpetrated by “fighters of the Islamic State” without providing validating evidence. Previously, Amaq had regularly included details on an attack or attempt, beyond the simple claim, to establish its veracity.

The Defense Minister of Sri Lanka stated publicly that the attacks may have been an act of vengeance for the mass shootings at two mosques in Christchurch, New Zealand, on 15 March 2019. The gunman struck during a prayer period and killed 50 Muslim worshippers. In the aftermath of the Christchurch mass shootings, ISIS has called on “believers”
to exact retribution by attacks against Christians and Jews at places of worship.

Sri Lankan authorities have reported that, as of Tuesday, 23 April 2019, a total of 40 suspects have been detained for alleged involvement in the bombings. Published reports indicate that among them is a Syrian national undergoing interrogation by investigators.

Source: Association of American Railroads Railway Alert Network (RAN)

MNFC Analyst Comment: While ISIS claimed responsibility for the attacks in Sri Lanka, the Sri Lankan government placed blame on the Islamic group known as National Thowheed Jamath (NTJ). That said, Sri Lankan authorities are still investigating what role, if any, international terrorist organizations, including ISIS, played in the recent attack.

(U) Former DHS Secretaries Michael Chertoff and Jeh Johnson will co-chair a new Community Safety and Security Task Force convened by the Anti-Defamation League (ADL), a leading anti-hate organization, and the Secure Community Network (SCN), the homeland security and safety initiative of The Jewish Federations of North America and the Conference of Presidents of Major American Jewish Organizations. The task force will include faith and community leaders and local, state, and federal law enforcement representatives. The task force will work to enhance the safety, security, and resiliency of religious communities. Given that many threats impact all faith-based institutions regardless of affiliation, and as seen in the tragic attack on the Muslim community in New Zealand, the task force will develop best practices to:

- (U) Enhance the safety, security, and resilience of all faith-based communities;
- (U) Increase coordination and cooperation related to incident tracking, information sharing, reporting and addressing threats; and
- (U) Build partnerships within and across communities.

(U) Building from the experience and expertise developed within the Jewish community, and inclusive of other faith-based communities, the Task Force will make recommendations to more effectively address hate crimes while enhancing safety and security for all faith-based institutions.

Additional resources are hyperlinked below or in the original ICEFISHX email.

- Sri Lankan Bombings Highlight Heightened Threat to Faith-Based Communities and Soft Targets amid Religious Holidays (DHS, FBI, NCTC)
- (U) Security of Soft Targets and Crowded Places - Resource Guide (DHS Cybersecurity and Infrastructure Security Agency)

Homeland Security

(U) Ideologically Motivated Lone Actors, Small Groups Pose Greatest Terrorist Threat to Homeland

(U) Scope. This Intelligence Assessment provides strategic analysis on the terrorist threat to the Homeland, with particular attention paid to threats from lone actors and small groups, the targets they select, and the tactics they use. This product is intended to inform the DHS Counterterrorism Strategy. The information cutoff date for this Assessment is 23 March 2019.

(U) Key Judgments

(U) The Counterterrorism Mission Center (CTMC) assesses ideologically motivated lone actors and small groups—including those inspired by foreign terrorist organizations (FTOs) and those inspired by other extremist ideologies—pose the greatest terrorist threat to the Homeland because of their ability, in many instances, to remain undetected by law enforcement until operational and their general willingness to attack soft targets with simple weapons.

(U) CTMC assesses counterterrorism pressure against FTOs has diminished—although not eliminated—the threat to the Homeland from FTO-directed attacks.
Since the September 11, 2001 attacks, the violent extremist threat emanating from FTO-linked individuals in the United States has evolved from one defined by complex, large-scale attacks directed by an FTO to mostly self-initiated attacks by violent extremists inspired by an FTO and using relatively simple methods.

(U) CTMC assesses the specific ideological grievances of lone actors and small groups likely inform their target selections. Lone actors and small groups inspired by FTOs, such as the Islamic State of Iraq and ash-Sham (ISIS), often select from a broad range of civilian and government-related targets that are often highlighted in English language violent extremist messaging and in weapons and explosives tutorials. Other ideologically driven lone actors and small groups—such as white supremacist extremists, black supremacist extremists, and other domestic terrorists not inspired by an FTO—typically select from a more narrow set of targets specific to their grievances.

(U) CTMC assesses lone actors and small groups’ preference for relatively simple weapons—small arms, edged weapons, vehicles, and rudimentary IEDs—is driven primarily by the ease of obtaining and using them. The effectiveness of these tactics varies, but in some cases has resulted in significant casualties.

(U) CTMC assesses that some lone actors and small groups will consider adapting tactics and embracing new technology to circumvent security measures, although we have no information indicating that lone actors and small groups will broadly abandon the use of simple tactics. We cannot preclude the possibility that some attackers will attempt more complex or technologically sophisticated attacks against high-profile targets.

(U) Lone Actors, Small Group Threat Persists

(U) CTMC assesses ideologically motivated lone actors and small groups—including those inspired by FTOs and those inspired by other extremist ideologies—pose the greatest terrorist threat to the Homeland because of their ability to, in many instances, remain undetected by law enforcement until operational and their general willingness to attack soft targets with simple weapons.

- (U) CTMC has seen at least 35 lone actor and small group attacks in the Homeland since 2014, resulting in at least 140 fatalities.
- (U) On 27 October 2018, a lone actor inspired by white supremacist extremist ideology who had been espousing anti-immigrant sentiment attacked a Pittsburgh synagogue with handguns and an AR-15 rifle, allegedly killing 11 people and injuring six others, according to an indictment. Law enforcement did not have prior knowledge of the suspect’s plans to engage in ideologically motivated violence. The attacker was charged with several federal offenses, including hate crimes.
- (U) An ISIS-inspired individual on 31 October 2017 allegedly drove a truck into a crowded pedestrian walkway and bicycle path in New York City, killing eight people and injuring 12 others, according to the indictment filed in the case. Law enforcement did not have prior knowledge of the suspect’s plans to engage in ideologically motivated violence. The attacker was charged with several federal offenses, including providing material support to ISIS.

(U) FTO-Directed Attack Threat Diminished

(U) CTMC assesses counterterrorism pressure against FTOs has diminished—although not eliminated—the threat to the Homeland from FTO-directed attacks.
Since the September 11, 2001 attacks, the violent extremist threat emanating from FTO-linked individuals in the United States has evolved from one defined by complex, large-scale attacks directed by an FTO to mostly self-initiated attacks by violent extremists inspired by an FTO and using relatively simple methods.

- (U) There have been no FTO-directed attacks inside the United States since the attempted Times Square bombing in 2010.
- (U) The US-led anti-ISIS coalition and local forces have recaptured the territory in Syria and Iraq previously held by ISIS, according to media reporting.
- (U) No returned US foreign fighters from Syria or Iraq have conducted a terrorist attack in the Homeland and only one was arrested for plotting an attack after returning to the United States, according to a February 2018 academic study of American foreign fighters who joined groups in Syria and Iraq and the indictment filed in the case of the plotter.
- (U) Since the September 11, 2001 attacks, DHS and the US Government have implemented changes in aviation security, visa-free travel, and information sharing, among other areas, that have made it increasingly difficult for FTOs or other organized groups to attack the Homeland, according to congressional testimony from a former DHS Secretary.

(U) Ideological Grievances Inform Lone Actor and Small Group Target Selection

(U) CTMC assesses the specific ideological grievances of lone actors and small groups likely inform their target selections. Lone actors and small groups inspired by FTOs, such as ISIS, often select from a broad range of civilian and government-related targets that are often highlighted in English-language violent extremist messaging and in weapons and explosives tutorials.
Other ideologically driven lone actors and small groups—such as white supremacist extremists, black supremacist extremists, and other domestic terrorists not inspired by an FTO—typically select from a more narrow set of targets specific to their grievances.

- (U) FTO-inspired lone actors and small groups typically attack soft targets, including crowded public spaces. These targeting decisions are probably influenced by English-language calls for wide-ranging attacks against Westerners by FTOs—particularly ISIS and al-Qa’ida in the Arabian Peninsula (AQAP)—since at least 2010. For instance, in September 2014, ISIS’s then-spokesman began calling for supporters to conduct independent attacks in the West and granted permission for followers to kill anyone perceived to be a disbeliever, civilian and military personnel alike.
- (U) The Pennsylvania-based individual who allegedly shot several worshipers at the Pittsburgh synagogue made statements indicating his desire to “kill Jews,” during the attack, according to the indictment filed in his case. This attacker was charged with several federal offenses, including hate crimes. A Texas-based individual espousing anti-Muslim sentiment set fire to a Victoria, Texas mosque on 28 January 2017 in order to send a message to the local Muslim community, according to press reporting. The attacker was sentenced to 24 years in prison. In September 2016, an Indiana-based individual adhering to black supremacist extremist ideology shot and killed a Caucasian male near Indianapolis and, the following month, fired shots at two Indianapolis police headquarters, according to press reporting. The attacker, who made statements such as “white must die,” was sentenced to 37 years in prison for the police headquarters shootings.

(U) Weapons Access, Capability Drives Tactic Selection

(U) CTMC assesses lone actors and small groups’ preference for relatively simple weapons—small arms, edged weapons, vehicles, and rudimentary IEDs—is primarily driven by the ease of obtaining and using them. The effectiveness of these tactics varies, but in some cases has resulted in a significant number of casualties.

- (U) A lone actor inspired by white supremacist extremist ideology and expressing anti-Muslim sentiment allegedly stabbed three individuals with a knife on a Portland, Oregon light rail car on 26 May 2017, killing two and injuring one, according to press reporting. The attacker is awaiting trial on state charges related to this attack.
- (U) An ISIS-inspired individual armed with an AR-15 and a handgun shot patrons at a crowded Orlando nightclub, killing 49 and injuring 53 on 12 June 2016, according to press reporting citing the Chief of the Orlando Police Department. The attacker purchased both weapons legally, according to press reporting citing law enforcement.
- (U) An individual inspired by ISIS and al-Qa’ida planted several IEDs in New York and New Jersey in September 2016, according to a Department of Justice press release. One of the IEDs injured over 30 when it detonated in the Chelsea neighborhood of Manhattan. Another device detonated along the route of a US Marine Corps charity race near Seaside Park, New Jersey before the start of the event, which had been delayed due to other law enforcement activity. Had the race started on time, the IED would have detonated as runners were passing by it. The attacker had also planted additional devices and purchased several IED components online, according to press reporting. He was sentenced to life in prison in February 2018.

(U) Potential for New Tactics

(U) CTMC assesses that some lone actors and small groups will consider adapting tactics and embracing new technology to circumvent security measures, although we have no information indicating that lone actors and small groups will broadly abandon the use of simple tactics. We cannot preclude the possibility that some attackers will attempt more complex or technologically sophisticated attacks against high-profile targets.

- (U) 3D-printed firearms still require a metal part, but technological advances have provided potential opportunities to defeat metal detectors. 3D-printed firearms and other types of “ghost guns”—weapons that are not commercially manufactured and do not have serial numbers—continue to pose a challenge to law enforcement, particularly when used by violent extremists or criminal actors to avoid firearms regulations and security measures.
- (U) Technological advances enable small unmanned aircraft systems (sUAS) to carry heavier payloads and fly longer distances, and advances in “swarm” technology offer opportunities to link multiple sUAS systems. Attackers may consider using this technology against a wide variety of critical infrastructure targets.
- (U) Some simple toxic chemicals with legitimate commercial uses—such as chlorine—are relatively easy to acquire and could potentially be used in an attack.

Source: DHS

CIKR - Energy

New Study Examines Current State of Grid Cybersecurity Efforts

(U//FOUO) MNFC Analyst Comment: A new study by the Vermont Law School’s Institute for Energy and the Environment lays out the challenges of protecting the electric grid from cyberattacks and provides some methods that may hold the keys to future success.
The “Improving the Cybersecurity of the Electric Distribution Grid” study, funded by Florida-based nonprofit Protect Our Power, includes case studies of several states that detail ongoing challenges while also examining best practices for how state electric utility commissions and their regulated utilities can increase investments to enhance grid security. Below are key points related to identified vulnerabilities and threats to the US electrical grid. To read the full 64-page study, click the source link below.

Overview

This report breaks down a complicated problem, how to secure the distribution grid against a cyberattack, into actions and questions. It provides examples of where action is being taken and who is taking that action. The report captures when there were questions about how to act and who can act. Acting on each of the identified areas and resolving the identified questions will require cooperation and commitment from many stakeholders. Improving the cybersecurity of the distribution grid will take time; the time to act is now.

Vulnerability

The US electrical grid is the most complicated machine ever assembled: 3,300 utilities using 200,000 miles of high-voltage transmission lines and 55,000 substations send electricity over 5.5 million miles of distribution lines to customers. There are hundreds of millions of moving, interconnected pieces working in concert to make sure that the lights stay on. However, the sheer size of the system makes it difficult to defend against all attacks.

The vulnerability of our electric system increases as the potential attack surface of our electric system grows. Increases in automation, growth in the number and type of distributed energy resources, and the convergence of enterprise information technology (IT) and operations technology (OT) are producing a larger attack surface that must be protected against intrusion and attack.
The distribution system constitutes 80-90% of all grid infrastructure and is the focal point for many parts of the evolving nature of electricity generation and distribution. The National Academy of Sciences report highlighted the rigidity of the electricity system and its inability to withstand or quickly recover from attacks on multiple components. Adding millions of internet-connected home appliances to the grid management operations is creating new and unexpected points of access to a grid that was designed for a unidirectional utility-customer relationship. The pace of connections is accelerating, which adds impetus to resolving obstacles now.

Adding to the complexity, distribution utilities come in multiple sizes and business models. A distribution utility can serve a thousand customers or a million customers; it can be investor-owned, a membership cooperative, or a public power utility; it might be part of a larger FERC-regulated entity, subject to state commission jurisdiction, or responsive only to its members or elected officials; it might have dedicated cybersecurity staff or it might be reliant on external expertise. The diversity is a strength, but it raises difficulty in crafting a unified response. This report addresses some of the fundamental concepts that can be deployed across a variety of utilities.

Threat

Each day brings more reports on new, emerging threats to the electricity system. Recent attacks in Ukraine demonstrated that distribution systems are ripe for targeting. The targeting of distribution systems is not a problem that exists only outside the US. The ICS-CERT report noted that there were more than 270 cyber emergencies within the US energy sector from 2013 to 2015. In fact, the energy sector was targeted more than any other sector. The sophistication of threat actors continues to grow as well.
The capability and capacity of cybercrime groups and nation-states increases every day and their focus on critical infrastructure systems is becoming more acute. The Director of National Intelligence’s Worldwide Threat Assessment recently stated that China and Russia have the capability to cause localized, temporary disruptions to US gas and electricity distribution systems. More concerning is that the assessment reports that Russia is actively mapping American critical infrastructure systems “with the long term goal of being able to cause substantial damage.”

Source: Vermont Law

CIKR - Communications

A Risk Analysis of Huawei 5G

Telecommunications networks are special—they are designed to enable wiretapping. Mandates such as the Communications Assistance for Law Enforcement Act (CALEA) in the US and similar requirements elsewhere effectively require that the network operator use equipment that contains surveillance hooks to answer government requests. Because of this, telecommunications companies and countries that upgrade their networks must consider the risk of wiretapping when deploying new cellular equipment.

Right now, this calculation is playing out in the debate around whether the US and others should use Huawei 5G equipment. There are effectively three options: use Huawei equipment, ban Huawei equipment, or simply not upgrade to 5G.

Recently, the UK’s Huawei Cyber Security Evaluation Centre Oversight Board released a new report—its fifth—which makes clear that it is impossible to mitigate these risks technically. According to the board, the code that Huawei uses, like so much of the rest of the code running the world, is simply a nightmare: It is complex, written in an “unsafe” manner, using “unsafe” languages.
The scale and complexity make it impossible to analyze the code to look for new bugs, let alone efforts at sabotage. Sabotage can be particularly sneaky and very hard to detect even when one does have source code, and even if discovered it can also be almost indistinguishable from a “mistake.”

This leaves three options for countries considering what to do about 5G.

- A country can decide to buy Huawei equipment and save a considerable amount of money in doing so. The risk is simply that every high-level political figure and executive may have their calls monitored by Chinese intelligence.
- Purchase equipment from Huawei’s European competitors, Ericsson or Nokia. These manufacturers are more expensive than Huawei but provide the greatest political assurance: None of the major spying nations can exert the same pressure on Nokia (Finnish) or Ericsson (Swedish) that they can on domestic companies.
- Simply avoid the hype. The claims about 5G being “20x faster” than preexisting 4G are effectively disingenuous marketing as real-world performance rarely reaches the theoretical peak bandwidth. 4G systems are already effectively at the “Shannon limit” - that is, the limitation on the ability to transmit information within a given amount of radio spectrum at a given power. 5G cannot break fundamental laws of nature.

Source: LawFare
Author: Nicholas Weaver

(U//FOUO) MNFC Analyst Comment: The full report, “Huawei Cyber Security Evaluation Centre Oversight Board: Annual Report 2019”, presented to the British Government, can be viewed here.

CIKR - Healthcare and Public Health

National Drug Take Back Day

The National Prescription Drug Take Back Day is Saturday, 27 April 2019, and addresses a crucial public safety and public health issue. According to the 2017 National Survey on Drug Use and Health, six million Americans misused controlled prescription drugs.
The study shows that a majority of abused prescription drugs were obtained from family and friends, often from the home medicine cabinet. The DEA’s Take Back Day events provide an opportunity for Americans to prevent drug addiction and overdose deaths. Collection sites can be found by visiting the DEA Drug Take Back Day website.

Source: DEA

Potential Vape Pen Fire Hazard

Key Findings: Vape pens and e-cigarettes can pose a risk of fire and/or explosion, which can cause injury and/or property damage, when stored incorrectly.

Details: Vape pens and e-cigarettes pose a risk of fire and/or explosion when stored incorrectly. The potential hazards increase when the device contains faulty batteries, or if the unit is inadvertently activated. The risks associated with these hazards include injury to personnel and/or property damage, including other evidence that is stored in close proximity. The Union County Prosecutor’s Office Forensic Laboratory and Office of Forensic Sciences have reported an increase in submissions of vape pens and e-cigarettes for CDS analysis.

Two recent incidents to note:

- October 2018, a vape pen stored in the evidence room was found switched “on” and began emitting smoke. The vape’s “on” button was inadvertently being depressed by compression against other evidence.
- April 2018, a vape pen battery was removed; however, the pen remained operational due to an internal power supply. The pen’s on/off button was pressed five times to turn the device “off.”

Recommendations for Law Enforcement and Evidence Handlers:

To avoid a potential fire hazard, only submit the cartridge, containing the liquid, for forensic laboratory analysis. (See Image Below).

If the entire device needs to be submitted:

- Shut off the unit. (Press button 5 times.
  If the button is pressed once, the pen should not illuminate. If it still illuminates, the pen is not shut off. Repeat the process.)
- Remove battery if possible. Ensure the battery located within the battery compartment is removed (some have removable batteries, while others are not removable).

If the battery cannot be shut off, it should be packaged in a quart paint can for storage. If the battery cannot be separated from the vape cartridge, it should be placed in a quart paint can.

Source: Office of the New Jersey Regional Operations and Intelligence Center

CIKR - Information Technology

Cyber Insider Threat Actors Disrupt Networks and Steal Data, Inflicting Significant Losses to US Businesses

Summary

The FBI continues to observe US businesses’ reporting significant losses caused by cyber insider threat actors.[a] These cases often involve former or disgruntled employees exploiting their enhanced privileges—such as unfettered access to company networks and software, remote login credentials, and administrative permissions—to harm companies. Cyber insider threat actors most often are motivated by revenge, but they also conduct attacks to profit financially from stolen information, gain a competitive edge at a new company, engage in extortion, or commit fraud through unauthorized sales and purchases.

The FBI identified the following trends after reviewing cyber insider threat cases over the past three years:

- In most cases, actors held an Information Technology role (system administrators, technical support, network engineers, IT contractors, etc.).
- The actors’ length of employment varied, but most worked for the victim company for between one and 10 years.
- The damage actors caused most often led to network and operation disruption, data deletion, theft of proprietary information, or the compromise of personally identifiable information of customers and employees.
- The average reported loss due to a cyber insider threat incident was $3.5 million.
- Actors typically had a history of discipline for poor conduct or misusing company assets.

Cyber insider threat actors’ methods often involved:

- Using existing or shared administrative credentials and knowledge of company networks and culture to steal data and disrupt operations. Some also used their inside knowledge to conceal their activities, with varying success.
- Establishing fake administrative accounts before leaving victim companies.
- Using their unique knowledge to maintain persistent access to networks and leveraging open source coding sites to troubleshoot access issues.
- Social engineering other employees, like the Help Desk or other third-party contractors, to share/reset passwords.
- Creating backdoors into company networks and using remote access software or tools to log into those networks.
- Installing malware and keyloggers on company computers and devices.
- Stealing employee and customer data or exploiting their privileged access to profit from unauthorized sales.
- Contacting and bribing former coworkers to provide client lists, company data, or network access.
- Using their privileges as IT employees to activate accounts of other former employees, elevating the privileges of those accounts prior to their departure, and using those credentials to engage in criminal activities.
- Taking active steps to conceal their crimes, such as disabling relevant network or application logging functions.

Protection and Defense

- Ensure employee access to company network systems and databases is revoked when employees leave. Coordinate employee terminations with the Human Resources and IT departments, including the Help Desk.
- Maintain an audit of administrative accounts before and after a major hiring or contracting event, and following the departure of key IT personnel.
- Monitor unusual employee network activity, especially in the weeks leading up to an employee’s leaving the company.
- Monitor suspicious physical security habits of employees, especially the abnormal use of personal devices such as concealing devices in the workspace or using personal devices to photograph sensitive information.
- Change passwords to shared administrator network or remote login credentials regularly. Ensure passwords are changed when an employee with administrative access leaves the company.
- Maintain a robust and tiered backup strategy for computer networks and servers.
- Monitor data uploads to all media, email, or cloud storage outside of the company network.
- Regularly monitor online postings for proprietary products.
- Establish alerts for unusual activities on administrative accounts, and after all network-level access changes.
- Regularly review remote login sessions and unusual activity conducted outside of normal working hours.
- Establish and raise awareness of a reporting mechanism for violations of ethics, brand, or intellectual property rights.

[a] (U) Cyber insider threat actors include former and current employees or contractors who use their unique accesses and knowledge of company networks or policies to disrupt network operations or steal proprietary or sensitive information for financial gain. Cyber insider threat actors are often investigated and/or charged for violations of the Computer Fraud and Abuse Act.
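
One way to carry out the administrative-account audit and the remote-login review recommended in the list above, as an added example that is not part of the FBI product or of this brief. The account names, dates, working hours, snapshot format and approved-change list are constructed assumptions.

```python
from datetime import datetime, time

# Constructed directory snapshots: account -> (enabled, is_admin).
# BEFORE is taken ahead of the departure of key IT personnel, AFTER follows it.
BEFORE = {
    "a.ng": (True, True),
    "j.doe": (True, True),        # IT administrator who later leaves
    "m.ross": (False, False),     # former employee, already disabled
    "svc-backup": (True, True),
}
AFTER = {
    "a.ng": (True, True),
    "j.doe": (False, False),      # revoked at departure, as recommended
    "m.ross": (True, True),       # re-enabled and elevated
    "svc-backup": (True, True),
    "svc-maint2": (True, True),   # admin account nobody requested
}
# Constructed HR feed: account -> date from which access must be gone (assumed).
DEPARTED = {"j.doe": datetime(2019, 4, 12), "m.ross": datetime(2018, 11, 30)}
# Admin accounts created through an approved change (hypothetical allow-list).
APPROVED_NEW_ADMINS = set()
# Constructed remote-access log: (timestamp, account, access method).
REMOTE_LOGINS = [
    (datetime(2019, 4, 10, 10, 15), "j.doe", "vpn"),
    (datetime(2019, 4, 14, 2, 40), "m.ross", "vpn"),
    (datetime(2019, 4, 15, 23, 5), "svc-maint2", "rdp"),
    (datetime(2019, 4, 16, 9, 30), "a.ng", "vpn"),
]
WORK_START, WORK_END = time(7, 0), time(19, 0)   # assumed working hours


def admin_set(snapshot):
    """Accounts that are enabled and hold administrative rights."""
    return {a for a, (enabled, is_admin) in snapshot.items() if enabled and is_admin}


def audit_admin_accounts(before, after, departed, approved_new):
    """Compare two snapshots and report changes that match insider methods."""
    findings = []
    for acct, (enabled, is_admin) in sorted(after.items()):
        was_enabled, was_admin = before.get(acct, (False, False))
        if acct not in before and is_admin and acct not in approved_new:
            findings.append((acct, "admin account with no approved change"))
        if acct in departed and enabled:
            reason = ("access not revoked after departure" if was_enabled
                      else "former employee account re-enabled")
            findings.append((acct, reason))
        if acct in before and is_admin and not was_admin:
            findings.append((acct, "privileges elevated to admin"))
    return findings


def review_remote_logins(logins, departed, admins):
    """Flag remote sessions by departed staff and off-hours admin sessions."""
    findings = []
    for ts, acct, method in logins:
        left = departed.get(acct)
        if left is not None and ts > left:
            findings.append((acct, ts, f"{method} login after departure"))
        weekend = ts.weekday() >= 5
        off_hours = weekend or not (WORK_START <= ts.time() < WORK_END)
        if acct in admins and off_hours:
            findings.append((acct, ts, f"{method} admin login outside working hours"))
    return findings


if __name__ == "__main__":
    for acct, reason in audit_admin_accounts(BEFORE, AFTER, DEPARTED,
                                             APPROVED_NEW_ADMINS):
        print(f"ACCOUNT  {acct:<11} {reason}")
    for acct, ts, reason in review_remote_logins(REMOTE_LOGINS, DEPARTED,
                                                 admin_set(AFTER)):
        print(f"SESSION  {acct:<11} {ts:%Y-%m-%d %H:%M}  {reason}")
```

The same comparison applies to snapshots exported from whatever directory service is in use; each finding is a prompt for review against HR and change records rather than proof of misuse.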
Additional Resources

For additional information on the methodologies and impact of cyber insider threats, please refer to “Increase in Insider Threat Cases Highlight Significant Risks to Business Networks and Proprietary Information,” available at https://www.ic3.gov/media/2014/140923.aspx.

Victim Reporting

The FBI encourages recipients to report suspicious activity to their local FBI field office, which can be located at https://www.fbi.gov/contact-us/field-offices, or to file a complaint online at https://www.ic3.gov/complaint/splash.aspx.

Administrative Note

This product is marked TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For comments or questions related to the content or dissemination of this product, contact CyWatch.

Source: FBI

(U//FOUO) Realistic Phishing Attack Targeting Minnesota County Employees

(U//FOUO) The Minnesota Information Technology (MNIT) Security Operations Center (SOC) recently became aware of a realistic phishing site that is designed to mimic an official county site and trick employees into revealing credentials. The SOC has not yet determined if this site has been used in an attack. If it has not already been used, the SOC believes it will very likely be used in an active attack in the near future.

(U//FOUO) The site is hosted at: [county name]countymn.employeesurveyhub[.]com (modified with [] brackets to prevent accidental clicking)

(U//FOUO) This site is hosted on a third-party web host – likely a site that has been registered with stolen credit cards or other information. Other government entities are likely being targeted from this same set of servers/hosts/domains.

(U//FOUO) The site (similar to the image below) is designed to trick employees into thinking that they are responding to a real survey. Victims who visit the survey site are immediately prompted to enter their network/email credentials to access the survey.
If they enter the credentials, the survey will appear to work, but the credentials will be compromised and likely misused.

(U//FOUO) This attack is very similar to a phishing incident that targeted State of Minnesota employees in January (image right). If the tactics remain the same, the victims (both county employees and external citizens/partners) will likely receive an email spoofed to appear to come from a real county employee. The message will not likely come from a county email address, but will contain a display name that matches an employee name and will contain a signature block that is similar to a real employee’s email signature (but with different phone numbers to prevent verification calls to the employee).

(U//FOUO) It is strongly recommended that government personnel and agencies implement blocks where possible to limit access to the “employeesurveyhub.com” domain, and consider options to block emails containing those links or to communicate with employees for awareness if this attack occurs as expected.

(U//FOUO) Please reach out to the Security Operations Center at SOC@state.mn.us or 651-201-1281 if you have questions or need assistance.

Source: MNIT SOC

CIKR - Emergency Services

Aviation Safety Alert
Date: 18 April 2019
Subject: Agency UAS (drone) Operations at Wildfire Incidents
Distribution: All Agencies Supporting Fire Incidents in MN

Discussion: On Tuesday, 16 April, Minnesota Department of Natural Resources’ (DNR) aircraft, including a helicopter, fixed-wing aerial supervision platform, and two single-engine air tankers, responded to a wildfire in East-Central Minnesota. Aerial footage of the helicopter with its water bucket was obtained by an Unmanned Aerial System (UAS), and this footage was included in a video posted to social media.
UAS operation on wildfire incidents creates extreme danger for flight crews of manned aircraft. This Safety Alert is to explain these dangers and provide information about coordinating the use of drones on wildfire incidents.

1. Wildfire suppression aircraft are directed to land or leave the scene of a wildfire if a UAS is being operated in the airspace of a wildfire incident. To prevent damage and injury to flight crews, manned aircraft including helicopters, aerial supervision platforms, and tankers cannot operate in the same airspace as a UAS. Agencies that support wildfire operations, including fire departments, emergency management agencies, and law enforcement, are asked to de-conflict the airspace by notifying the Incident Commander that a UAS is operating over a wildfire. If/when manned aircraft are requested, all UAS operated by Fire Departments (FD), Emergency Management (EM), and law enforcement (LE) agencies must be grounded or suppression aircraft will be grounded and/or released. UAS incursions result in disruptions to wildfire suppression operations and have occurred in many areas of the United States, as well as in 2018 near Little Falls, MN.

2. Fire department, emergency management, and law enforcement agency UAS can be valuable to management of wildfire incidents. Like other suppression resources, UAS can provide value to Incident Commanders by obtaining information about wildfire incidents. UAS resources provided by FD, EM, or LE agencies could be asked to perform reconnaissance. The availability of this resource must be communicated to the Incident Commander to authorize and coordinate any use.

Airspace Coordination: Firefighting aircraft follow a communications standard known as the Fire Traffic Area (FTA), which is typically a 5-mile radius from the center point of an incident. UAS must follow this standard. The airspace surrounding an incident is managed by the aerial supervisor who must implement FTA procedures.
All wildland fire incidents, regardless of aircraft on scene, have an FTA. The FTA is not a Temporary Flight Restriction (TFR) and does not pertain to other aircraft that have legal access within a TFR (Medevac, Law Enforcement, Media, Visual Flight Rules (VFR) airport traffic, Instrument Flight Rules (IFR) traffic cleared by the Federal Aviation Administration (FAA)). However, fire suppression aircraft will be grounded and/or released from a wildfire if a UAS is in the FTA. For additional information on the FTA visit: https://www.nwcg.gov/sites/default/files/publications/pms505d FTA-card2015.pdf

Recommendations: Review this Aviation Safety Alert, share with your agency’s remote pilots, and help MN DNR wildfire aviation resources work in the safest work environment possible.

Questions may be directed to Darren Neuman, MN DNR Forestry Wildfire Aviation Supervisor at or Matt Woodwick, MN DNR Forestry Assistant Wildfire Aviation Supervisor at

Source: MN Department of Natural Resources

Fires and Cultural Heritage: Protecting Our National Treasures

The recent devastating fire at Notre Dame Cathedral in Paris and last year’s fire at the National Museum of Brazil underscore how valuable and vulnerable a nation’s cultural heritage can be. Cultural heritage is not a renewable commodity; when it is gone, communities lose resources for economic development, tourism, and commerce, as well as their shared identity, history, and knowledge.

A new curriculum is available to help cultural institutions – museums, libraries, archives, historical societies, government records agencies, and more – work with their first responders to build that all-important relationship at the local level and to write a disaster plan to protect the resources that these cultural institutions hold in the public trust.
“Finding Common Ground: Collaborative Training for the Cultural Heritage and Emergency Response Communities” was developed by the Massachusetts Board of Library Commissioners (MBLC) in conjunction with the Massachusetts Department of Fire Services with grant support from the National Endowment for the Humanities. The course package includes:

• Five pre-program preservation webinars to ensure all participants arrive with the same foundational knowledge.
• Training materials for the program’s five workshops.
• Checklists to help develop your own live burn and salvage exercise.
• Handouts for each workshop.

The pilot program was very successful in Massachusetts, with 198 out of a maximum possible 200 registrants. Nearly all participating institutions completed a risk assessment, at least 30 institutions completed disaster plans during the training, and cultural stewards expressed a dramatic increase in their comfort level responding to disasters. Most important, nearly every first responder felt more comfortable working with their local cultural stewards – and vice versa.

(Source: MBLC)

DHS Announces 2019 Preparedness Grants Totaling Over $1.7 Billion

The Department of Homeland Security (DHS) announced the release of Fiscal Year (FY) 2019 Notices of Funding Opportunity for eight DHS preparedness grant programs totaling more than $1.7 billion. The grant programs provide funding to state, local, tribal, and territorial governments, as well as transportation authorities, nonprofit organizations, and the private sector, to improve the nation’s readiness in preventing, protecting against, responding to, recovering from and mitigating terrorist attacks, major disasters, and other emergencies.
• Emergency Management Performance Grant - divided into 10 grants by FEMA region
• Homeland Security Grant Program
• Tribal Homeland Security Grant Program
• Nonprofit Security Grant Program
• Intercity Passenger Rail - Amtrak Program
• Port, Transit, and Intercity Bus Security Grant Programs

FY2019 grant guidance focuses on the nation’s highest risk areas, including urban areas that face the most significant threats. For FY2019, the Urban Area Security Initiative (UASI) will enhance regional preparedness and capabilities by funding 31 high-threat, high-density urban areas. Consistent with previous grant guidance, dedicated funding is provided for law enforcement and terrorism prevention throughout the country to prepare for, prevent, and respond to pre-operational activity and other crimes that are precursors or indicators of terrorist activity.

(Source: Grants.gov)

Healthcare and Public Health Sector Highlights Newsletters

The Department of Health and Human Services (HHS) Office of the Assistant Secretary for Preparedness and Response (ASPR) works to ensure the resiliency of healthcare and public health facilities through effective planning and risk management through ASPR’s Division of Critical Infrastructure Protection (CIP). ASPR CIP provides many resources for the sector, including four topical editions of the weekly e-mail newsletter Healthcare and Public Health Sector Highlights bulletin. Topics include:

• Preparedness, Resilience, and Response (sent every Thursday).
• Cybersecurity (sent every Friday).
• Healthcare Supply Chain (sent the second Wednesday of every month).
• Infectious Diseases (sent the third Wednesday of every month).

To subscribe to any (or all) of these bulletins visit the subscription page on the ASPR website.
(Source: ASPR)

Source: US Fire Administration

Available Training

Minnesota Fusion Center Basic Threat Liaison Officer Training Course

(U//FOUO) The Minnesota Fusion Center (MNFC) is offering its Basic Threat Liaison Officer (TLO) Training Course on Thursday, 09 May 2019, at the Minnesota Bureau of Criminal Apprehension, 1430 Maryland Avenue East, St. Paul, MN 55106. The course will be conducted from 0800 - 1200.

(U//FOUO) The course will train students on becoming a TLO with the MNFC. This POST-certified course (Post Credits: 4) is being presented throughout the State of Minnesota.

(U) WHAT ARE THE TYPICAL DUTIES OF A TLO?

• (U//FOUO) Serve as their agency’s point of contact in matters related to terrorism and terrorism-related tips and leads.
• (U//FOUO) Maintain a relationship with the Minnesota Fusion Center; receive and disseminate terrorism-related information and intelligence to others in their agency in a timely and lawful manner. Information and intelligence received must only be shared with those that have a valid need and right to know the information.
• (U//FOUO) Help others within their agency identify potential terrorism-related situations and share intelligence related to terrorist activity.
• (U//FOUO) Receive leads that originate from within their agency regarding suspicious activity that may be related to terrorism and forward the information to the local fusion center for follow-up. The TLO may also refer the reporting party to the fusion center for suspicious activity reporting.
• (U//FOUO) Conduct, coordinate, and/or assist with department training in topics related to terrorism.
• (U//FOUO) Conduct, coordinate, and/or facilitate community meetings, conferences, and other terrorism information-sharing activities.
(U) AUDIENCE

(U//FOUO) Any peace officer, firefighter, emergency manager, EMS provider, federal agent, military investigative/intelligence personnel, law enforcement analyst, or anyone in the public/private sector working closely with the public safety/homeland security community.

(U) HOW TO REGISTER

(U//FOUO) Register on the BCA Training website. Upon successful registration, you will receive a “BCA Pending Registration” e-mail for final submission. This course is free to all participants, but you must click on the “Credit Card Payment” link in order to be confirmed for course attendance.

(U//FOUO) Space is limited, and early registration is recommended. For questions regarding this course, please contact the Minnesota Fusion Center at 651-793-3730 or mn.fc@state.mn.us.

VIRTUAL INSTRUCTOR-LED TRAINING (VILT)
May 2019 Course Schedule

DESCRIPTION
Virtual Instructor-Led Training (VILT) courses provide general awareness level counter-improvised explosive device (C-IED) information to a broad audience through an on-line virtual training experience with a live instructor. Perfect for participants with time availability constraints, they can be taken as stand-alone courses or serve as prerequisites for many of the instructor-led courses provided by the Office for Bombing Prevention (OBP).

REGISTRATION INFORMATION
Register on the Schedule & Registration Page at: Chsqov-?obp
Note: FEMA SID 1101111191 311:1 113590.1911'1 .1119 1911011911 10 app 1}
To obtain a FEMA SID, go to: chi.

VIRTUAL CLASSROOM
Approximately 2 business days prior to the course start date, you will receive login instructions. All times are Eastern Standard Time.

EQUIPMENT REQUIREMENTS
Laptop/desktop/mobile device with internet connection capable of running Adobe Connect. Landline or mobile phone to call into Phone Bridge.
AWR-333 - Improvised Explosive Device Construction and Classification (IED-CC): Provides foundational knowledge on the construction and classification of IEDs. [75 Min]

Date and Times:
• 5/22/2019: 11:00 AM -
• 5/29/2019: 2:00 PM - 3:15 PM
• 5/15/2019: 9:00 AM

Introduction to the Terrorist Attack Cycle (ITAC): Introduces a model of the terrorist attack cycle that describes the nature of terrorist surveillance, target selection, planning, and other activities that occur before and immediately after an attack. [105 Min]

Date and Times:
• 5/8/2019: 2:00 PM - 3:45 PM
• 5/22/2019: 2:00 PM - 3:45 PM
• 5/9/2019: 2:00 PM - 3:45 PM
• 5/23/2019: 2:00 PM - 3:45 PM
• 5/14/2019: 2:00 PM - 3:45 PM
• 5/28/2019: 6:00 PM - 7:45 PM

AWR-335 - Response to Suspicious Behaviors and Items (RSBI): Provides participants with an awareness of the indicators of suspicious behavior and the basic responses to suspicious behaviors and/or items. [75 Min]

Date and Times:
• 5/2/2019: 9:00 - 10:15
• 5/21/2019: 9:00 AM - 10:15 AM
• 5/7/2019: 9:00 AM - 10:15 AM
• 5/23/2019: 11:00 AM - 12:15 PM
• 5/9/2019: 11:00 AM - 12:15 PM
• 5/28/2019: 4:00 PM - 5:15 PM
• 5/14/2019: 11:00 AM - 12:15 PM
• 5/30/2019: 2:00 PM - 3:15 PM
• 5/16/2019: 9:00 AM -

AWR-337 - Improvised Explosive Device Explosive Effects Mitigation: Provides an introduction to the fundamentals of explosives effects. Details the difference between blast, thermal/incendiary, and fragmentation effects. [75 Min]

Date and Times:
• 5/1/2019: 2:00 PM - 3:15 PM
• 5/16/2019: 11:00 AM - 12:15 PM
• 5/2/2019: 11:00 AM - 12:15 PM
• 5/21/2019: 2:00 PM - 3:15 PM
• 5/7/2019: 2:00 PM - 3:15 PM
• 5/29/2019: 6:00 PM - 7:15 PM
• 5/15/2019: 2:00 PM - 3:15 PM
• 5/30/2019: 4:00 PM - 5:15 PM

AWR-338 - Homemade Explosives and Precursor Awareness (HME-P): Provides foundational knowledge on HMEs and common precursor materials that are used to manufacture HME. [75 Min]

Date and Times:
• 5/2/2019
• 5/23/2019: 9:00 AM - 10:15 AM
• 5/9/2019: 9:00 AM - 10:15 AM
• 5/28/2019: 2:00 PM - 3:15 PM
• 5/14/2019: 9:00 AM - 10:15 AM
• 5/30/2019: 6:00 PM - 7:15
• 5/16/2019: 2:00 PM - 3:15 PM

AWR-340 - Protective Measures Awareness (PMA): Provides an overview of risk management, surveillance detection, and the development of appropriate protective measures based on facility characteristics. [75 Min]

Date and Times:
• 5/21/2019: 11:00 AM - 12:15 PM
• 5/7/2019: 11:00 AM - 12:15 PM
• 5/22/2019: 9:00 AM - 10:15 AM
• 5/3/2019: 9:00 AM - 10:15 AM
• 5/15/2019: 11:00 AM - 12:15 PM

Courses are provided by DHS with no charge to attend.

Significant Dates/Events

• 01 May: May Day (Worldwide)
• 02 - 05 May: Festival of Nations 2019 (St. Paul, MN)
• 04 May: West Side Cinco de Mayo Festival (St. Paul, MN)
• 04 May: National Firefighters’ Day (Nationwide)
• 05 May: 45th Annual May Day Parade, Ceremony, and Festival (Minneapolis)
• 05 May: Cinco de Mayo (Worldwide)
• 05 May - 04 June: Ramadan (Worldwide)
• 05 - 11 May: National Correctional Officers Week (Nationwide)
• 09 - 12 May: 72nd Annual Minnesota Governor’s Fishing Opener (Albert Lea, MN)

Recently Added to the ICEFISHX Library

• 28 March 2019: (U//FOUO) CBRN Incidents and Related FTO Propaganda - A Recent Timeline
• 18 March 2019: (U//FOUO) Protecting Places of Worship
• 04 February 2019: (U//FOUO) Situational Awareness for the First Anniversary of the Marjory Stoneman Douglas High School Mass Shooting
• 09 January 2019: (U//FOUO) Environmental Extremist Group Publishes a Call for Action in Opposition of Pipeline Construction

Alert Graphics: 25 April 2019 (NTAS, FPCON, INFOCON, MARSEC)

Current Alerts: NTAS Bulletin – extended to 07/18/2019: “…terrorist groups are urging recruits to adopt easy-to-use tools to target public places and events.
Specific attack tactics have included the use of vehicle ramming, small arms, straight-edged blades or knives, and homemade explosives, as well as other acts such as taking hostages.”

Expired Alerts: No expired alerts.

Alert graphic levels: BRAVO; 3 - Risk Identified; 1 - Low

DNR SSR and SEOC

• Region 1: Fire Danger Rating Extreme, Planning Level III
• Region 2: Fire Danger Rating High, Planning Level III
• Region 3: Fire Danger Rating Very High, Planning Level III
• Region 4: Fire Danger Rating Moderate, Planning Level III
• Level III+: Enhanced Monitoring
• Statewide Planning Level III

Alert Graphic Descriptions

NTAS: Two-level terrorism threat advisory system which replaced the old color-coded system. Overseen by Department of Homeland Security.

FPCON: Terrorist threat system that describes the amount of measures to be taken by security agencies in order to mitigate threats against military facilities. Replaces the old DEFCON levels and is overseen by Department of Defense.

INFOCON: Threat level system similar to FPCON which is used by the military to defend against a computer network attack. Overseen by Department of Defense.

MARSEC: Three-tiered US Coast Guard Maritime Security system designed to communicate an assessment of possible terrorist activity directed towards maritime sectors of transportation, to include nautical facilities and vessels within the jurisdiction of the US.

DNR SSR: Statewide planning levels for the four regions of Minnesota regarding fire danger ratings.

SEOC: Minnesota’s level of response based upon scope and magnitude of incidents which occur in the state. Overseen by Minnesota Homeland Security and Emergency Management.

Go to www.icefishx.org to become a member, receive this and other products directly, and access the Minnesota Fusion Center Resource Library.