OFFICIAL USE ONLY

ASSOCIATION OF AMERICAN RAILROADS
RAIL AWARENESS DAILY ANALYTIC REPORT (RADAR)
August 26 - September 3, 2019

Summary of Content

Activism

- Washington, DC: Climate Activists Plan to "Shut Down" Key Infrastructure
On Monday, September 23, 2019, climate activists in Washington, DC, associated with various environmental organizations are reportedly planning to stage a "Shut Down DC" climate strike as part of the upcoming global week of action from September 20 - 27.

- Minnesota: Anti-Police Protesters Block State Fair and Disrupt Traffic and Light Rail
On Saturday, August 24, 2019, activists in St. Paul, Minnesota, disrupted street traffic, shut down access to a light rail train, and blocked off the main entrance to the Minnesota State Fair as part of their anti-ICE and anti-police campaign.

- Germany: Open Letter to Extinction Rebellion Expresses Support for Violence
On August 26, 2019, the website of the anarchist group Enough 14! published an open letter by the Hambi bleibt! group, addressed to the Cologne branch of Extinction Rebellion, that expressed support for engaging in violence against law enforcement authorities in order to address the problems caused by climate change. The open letter is framed as a response to replies from the Cologne branch of Extinction Rebellion regarding objections to the ideas and tactics advocated by Hambi bleibt! for climate-related actions.

Rail Security Awareness

- North America: Justin Mikulka Defends New York Times Critique of Oil-by-Rail Industry
On Monday, August 26, 2019, prolific oil-by-rail critic Justin Mikulka published a new commentary on DeSmogBlog, titled "Rail Industry Attacks New York Times Over Lac-Mégantic Oil Train Tragedy." In it, he accuses Railway Age financial editor David Nahass of writing a "flawed critique" of a recent New York Times article that suggested little has been done by the rail industry to ensure the safety of oil trains since the 2013 Lac-Mégantic disaster.

- France: French National Rail Dismisses Employees on Charges of Radicalization
Employees of French bus and rail networks have reportedly been dismissed after being accused of "radicalization" under the country's 2016 anti-terror legislation. According to local media, employees have faced dismissal after investigations conducted by the National Service for Administrative Security Investigations (SNEAS). These measures and procedures are meant to be applied to trades that have been deemed sensitive, such as metro train drivers or bus drivers.

Terrorism

- United States/Europe/Russia: ISIS Media Channel Calls for Attacks
As of Tuesday, August 20, 2019, online researchers identified three images posted to a pro-Islamic State of Iraq and Syria (ISIS) channel on a messaging platform. The first image depicts New York City with what appears to be a New York Police Department (NYPD) officer in the foreground.

- Australia: Government to Block Access to Internet Domains that Contain Terrorist Content
On Sunday, August 25, 2019, several news outlets released articles detailing that Australia is set to block access to internet domains that host terrorist content during crisis events.

Cyber

- China: Hong Kong Protesters Using Pokemon Go and Tinder to Organize Actions
Protesters in Hong Kong are reportedly using gaming and dating apps such as Pokemon Go and Tinder to spread messages in an effort to mobilize for demonstrations. The use of this technology goes hand in hand with more traditional methods of communication in the face of confrontations with law enforcement.

- United States: FBI Report Highlights Insider Threat Risks
An FBI Intelligence Study outlines threats posed by cyber insider threat actors who utilize existing or shared credentials, knowledge of networks, and proprietary data.

- Worldwide: Top Trends and Brands Used in Phishing Campaigns
The email security firm Vade Secure released a report of the top 25 brands that are used in phishing campaigns. Not surprisingly, Microsoft took the #1 spot for the fifth time since the company began publishing the report. PayPal came in second but saw a decrease of 8.4%, and Facebook had a dramatic increase of 176%.

- Worldwide: New Ransomware Discovered with Potential Links to Russia
On Monday, August 26, 2019, it was reported that a new ransomware known as Nemty has been identified and may contain references to the Russian president and to anti-virus software.

- Ukraine: Employees at Nuclear Power Plant Use Network to Mine Cryptocurrency
The Security Service of Ukraine (SBU) is leading an investigation into a potential security breach at the South Ukraine Nuclear Power Plant, located near the city of Yuzhnoukrainsk in southern Ukraine, after employees at the facility allegedly connected part of the plant's internal network to the internet so that they could mine cryptocurrency.

- Worldwide: Cyber Hacking Group Targeting Oil and Gas Companies in the Middle East
On Tuesday, August 27, 2019, it was reported that Middle Eastern cyber-espionage is intensifying, with a new hacking group targeting critical infrastructure in the Middle East and telecoms across Africa and Asia.

- Worldwide: False Flags and the Decline of International Hacktivism
Recorded Future published a report, "Return to Normalcy: False Flags and the Decline of International Hacktivism," that analyzes the rise and fall of hacktivism operations of 81 self-identified hacktivist groups.
Washington, DC: Climate Activists Plan to "Shut Down" Key Infrastructure

On Monday, September 23, 2019, starting at 6:00 am local time (LT), climate activists in Washington, DC, associated with various environmental organizations are planning to stage a "Shut Down DC" climate strike as part of the upcoming global week of action from September 20 - 27. Activists have indicated plans to block key infrastructure, such as busy roads and intersections, in order to "stop business-as-usual," a phrase that has become widely used by protesters when referencing the upcoming week of action. Hundreds of events are planned, with more than 100 of them in the United States. Groups involved in the Shut Down DC event include affiliates of Rising Tide, Extinction Rebellion, and 350.org, as well as other local environmental organizations. Many activists have so far pledged to skip work and/or school in order to participate in the demonstrations.

The event website includes two maps. The first displays open data on traffic volumes, major roads, and the locations of specific oil and gas industry lobbyists, government buildings, energy companies, and other trade associations labeled as "climate criminals." The second details certain tactics participating activists plan to use during the Shut Down DC demonstrations, such as dividing the city into 5-10 zones with separate groups engaging in sit-ins, pickets, and lockdowns.

[Figure: Shut Down DC event maps and graphic]

"We do not take this action [...] We know that this shutdown will cause massive disruption to people who bear no responsibility for the climate catastrophe we are facing," the event page description says.

The upcoming "Global Climate Strike" week of action during September 20 - 27, 2019, will include demonstrations in over a hundred cities across the U.S. and Canada. While no planned direct actions targeting rail infrastructure have yet been identified, there is an increased possibility, particularly in Washington, DC, and the Pacific Northwest region, that activists may engage in some form of blockade or lockdown to intentionally interfere with passenger or freight train operations. The threat against freight rail is assessed to be greater in states like Oregon or Washington, where Extinction Rebellion activists have already blocked tracks to protest oil trains and the Zenith Portland Terminal within the past year. However, in Washington, DC, disruptive activity will likely be more focused on public transit, which, based on past experience in Britain with Extinction Rebellion, could include activists gluing themselves to rail transit or commuter trains. Climate activists also notably used glue in July of this year to attach themselves to the tunnels under the U.S. Capitol Building.

Minnesota: Anti-Police Protesters Block State Fair and Disrupt Traffic and Light Rail

On Saturday, August 24, 2019, activists in St. Paul, Minnesota, disrupted street traffic, shut down access to a light rail train, and blocked off the main entrance to the Minnesota State Fair as part of their anti-ICE and anti-police campaign. Specifically, the direct actionists demanded justice for the victims of alleged police killings and called for an end to ICE raids, detention camps, and the separation of families at the US-Mexico border. Participants in the unlawful and disruptive actions also demanded that the US government halt all military intervention in foreign countries. Local news media accounts indicated that the direct actionists were subject to harassment from counter-protesters, who filmed and allegedly assaulted them. However, no serious injuries were reported.

This campaign of disruptive actions began at the Minnesota State Fair in 2014, in response to the death of Marcus Golden, who was shot by St. Paul Police Department officers. Since then, the actions have grown significantly, with more supporters and organizations participating each year, such as the Twin Cities Coalition for Justice 4 Jamar, Justice for Justine Damond, and the Anti-War Committee. Protesters took to the streets to march, blocking a main intersection and preventing traffic and light rail from flowing. At the light rail station, direct actionists expressed opposition to Metro Transit's new policy of stopping trains from running for two hours during the night. During the action at the fair, supporting organizations and family members affected by police shootings gave speeches. As the action concluded, protesters marched back to their starting location with no significant police interference. Jess Sundin of Twin Cities Coalition for Justice 4 Jamar stated in a speech, "the politicians that we have, the county attorneys that we have in Minneapolis, Saint Paul, and across the state, are unwilling to stand up to police departments in the state, and that's why we have hundreds of people who are killed by police across the state." With this public position as the foundation, the continuation of similar actions is likely, with further impacts to transit and rail operations.

In addition to managing and monitoring the annual protest, St. Paul Police addressed security concerns following the shooting attack at a similar event, the Gilroy Garlic Festival in Gilroy, California, on July 28, 2019, which killed three and terrorized thousands of patrons. The Minnesota State Fair draws over two million visitors and attracts high-profile leaders, including presidential candidates and local government officials, necessitating heightened security measures to assure safety. Intelligence and information sharing among law enforcement components enables monitoring for potential threats.
At this year's event, more than 200 police officers in uniform and plain clothes patrolled the fair, and visitors had to undergo checks of their carried bags at the entry gates, now a common practice at large, widely attended public venues.

Germany: Open Letter to Extinction Rebellion Expresses Support for Violence

On Monday, August 26, 2019, the website of the anarchist group Enough 14! published an open letter by the Hambi bleibt! group, addressed to the Cologne branch of Extinction Rebellion, that expressed support for engaging in violence against law enforcement authorities in order to address the problems caused by climate change. The open letter is framed as a response to comments from members of the Cologne branch on Extinction Rebellion's objections to the ideas and tactics advocated by Hambi bleibt! for climate-related actions. The open letter specifically targets the police and condemns law enforcement for defending the system it holds responsible for the climate crisis: "The police exists to protect and ensure an entirely violent system that's causing the climate crisis." The letter counters calls by XR leaders to gain support through tactics such as mass arrests by arguing that "If there would be no police/military we (those that are organized to struggle for climate justice) could shut down every coal industry in Germany until tomorrow, the next day, entire beyond. We can't because the police/military is stopping us from doing so, until we become uncontrollable." Additionally, the letter draws on what it claims are historical examples proving the effectiveness of violence over the use of peaceful tactics. Hambi bleibt! is a group of activists who have undertaken environmentalist direct action tactics in Hambacher Forest since 2012. According to local media, the police have recorded almost 1,700 politically motivated crimes in the area.

The group's advocacy of using violent tactics in protest actions related to climate change appears to be intended to appeal to members of more "mainstream" environmentalist groups. Extinction Rebellion, founded in Britain in 2018, currently has active branches in several different countries and cities that have engaged in disruptive protest actions targeting government and private organizations. The open letter posted by Hambi bleibt! in response to Extinction Rebellion's Cologne branch may be indicative of the ideas about ideology and tactics under discussion by some local environmentalist activists. It is possible that groups more open to violence may attempt to appeal to members of more mainstream environmentalist groups as protests against climate change continue in different countries around the world. The resort to violent or destructive tactics in direct action campaigns is likely to increase as frustrations mount with the lack of desired dramatic action by government organizations to curtail use of fossil fuels. Indeed, some aggressive activist groups maintain the position that destruction of property to resist climate change is "non-violent" civil disobedience and merits protection against criminal prosecution as a "necessity" to protect society from the far greater ills imposed by use of fossil fuels.

[Image: Hambacher Forest]

North America: Justin Mikulka Defends New York Times Critique of Oil-by-Rail Industry

On Monday, August 26, 2019, prolific oil-by-rail critic Justin Mikulka published commentary on DeSmogBlog, titled "Rail Industry Attacks New York Times Over Lac-Mégantic Oil Train Tragedy." In the piece, Mikulka accuses Railway Age financial editor David Nahass of writing a "flawed critique" of a recent New York Times article that suggested little has been done by the rail industry to ensure the safety of oil trains since the 2013 Lac-Mégantic disaster. According to Mikulka, Nahass omits serious risks of moving flammable cargo by rail while contending that the New York Times had exploited 47 deaths. Mikulka emphasizes that the victims' "memory should always serve as a reminder of the importance of safety and the need for best practices throughout the railroad industry."

Mikulka disputes three points he says Nahass used as evidence of safety improvements made by the rail industry: tank car design, positive train control (PTC), and train speed guidelines. He claims that Nahass failed to cite specific accidents that show new tank cars are still capable of rupturing after a derailment. Moreover, Mikulka maintains that every major oil train accident since the Lac-Mégantic disaster has happened below the speed limits, and that the rail industry intentionally delayed the implementation of PTC safety measures. In Nahass's article, he states that training and technology should be the focus of safety and prevention, and that applying these will improve safety. Although he does not list the efforts made since the tragedy, enhanced safety practices, including implementation of PTC, have been accomplished largely at the industry's voluntary initiative and investment.

Justin Mikulka recently released a new book, titled "Bomb Trains: How Industry Greed and Regulatory Failure Put the Public at Risk," which he mentions in his latest DeSmogBlog submission. He is currently scheduled to appear at two speaking engagements, dubbed "Oil Trains: Are Profits Worth Our Risks?," in the Chicago area on October 10 and 11, 2019. These events are being organized by Railroad Workers United (RWU) and include appearances by prominent oil-by-rail critic Bruce Campbell and former Mosier, Oregon, fire chief Jim Appleton, who served as Incident Commander for the June 2016 oil train derailment and fire in that town.

The railroad industry has made significant progress in implementing Positive Train Control, a safety system that can override human error to prevent collisions.
Reviewing the verified statistics on implementation: 100% of required PTC-related hardware is installed; 100% of PTC-related communications frequency spectrum is in place; and 100% of the required employee training is completed, all accomplished as of the end of 2018. Overall, PTC is in operation on 91% of required Class I routes.

[Figure: freight railroad PTC implementation status]

France: French National Rail Dismisses Employees on Charges of Radicalization

Employees of French bus and rail networks have reportedly been dismissed after being accused of radicalization under the country's 2016 anti-terror legislation. According to local news media accounts in France, employees have faced dismissal after investigations conducted by the National Service for Administrative Security Investigations (SNEAS). These measures and procedures are meant to be applied to trades with duties deemed sensitive, such as metro train drivers or bus drivers. Under legislation in force since March 22, 2016, public transportation companies are able to ask the police to investigate employees whose behavior is of concern. Further, companies are able to request law enforcement investigations of candidates for employment and of employees seeking to change positions within an organization. In order to conduct these investigations, the SNEAS reportedly relies on files related to "the prevention of terrorism or breaches of public security and order." The SNEAS examines listings that include the names of individuals suspected either of involvement in movements identified by the French government as extremist or of having gone through a process of religious radicalization. Based on this information, the SNEAS issues either a positive or negative opinion of the individual in question to the employer. This legislation has already had an effect on the hiring and internal employment policies of some French transportation companies.

According to a report by Deputies Eric Poulliat and Eric Diard of France's main legislative body, the National Assembly, the country's national rail network reported that, out of 2,125 job applications, it had received 20 negative responses, while two negative responses had been received for 300 internal transfers. Additionally, as of the end of 2018, the public transport operator for the capital, Paris, had sent around 5,800 cases for review, which resulted in 124 layoffs. These policies have been met with criticism from some quarters, with concerns that decisions to dismiss an employee or applicant based on the information and opinion provided by SNEAS are arbitrary and lacking in transparency.

The 2016 anti-terror legislation will likely continue to be used as the basis for screening existing and potential employees in transportation companies. The latitude accorded to the French government and transportation companies to screen potentially radicalized employees is part of France's ongoing efforts to respond both to the threat posed by terrorist and violent extremist groups and to the wide-ranging problems posed by radicalization in French society. It is likely the policies behind the SNEAS investigations will continue to be a controversial issue in France for the foreseeable future. To date, this matter has not been among the targets of the continuing "yellow vest" anti-government protest actions. However, that prospect remains.

United States/Europe/Russia: ISIS Media Channel Calls for Attacks

As of Tuesday, August 20, 2019, online researchers identified three images posted to a pro-Islamic State of Iraq and Syria (ISIS) channel on a messaging platform.

- The first image depicts New York City with what appears to be a New York Police Department (NYPD) officer in the foreground.
ISIS fighters can be seen below brandishing pistols, with the following threatening message: "Pigs! You will soon pay for your crimes."
- The second image depicts the aftermath of the August 2017 terror attack in Barcelona and features ISIS fighters as well as the same threatening message.
- The third image includes a message calling on all "mujahidin" in America, Europe, and Russia "to answer the call" and target the "crusader citizens" there. It shows smaller photos of cities in each of the named countries that have been altered to make them appear destroyed at the hands of ISIS militants.

[Image: Greenbirds propaganda]

In late July, open source analysis reported that the "Greenbirds" source of propaganda supportive of ISIS, with threats of violence, had posted two images to social media threatening British above- and underground passenger rail systems. One image depicted the South Kensington station in the London Underground system with the caption, "As if they've been driven toward death while they were looking on." The second image is of an unidentified train station in Britain with the tag "@greenbirds" photoshopped on a sign over the depicted train platform.

Australia: Government to Block Access to Internet Domains with Terrorist Content

On Sunday, August 25, 2019, several news outlets released articles detailing that Australia is set to block access to internet domains that host terrorist content during crisis events. Australian Prime Minister Scott Morrison, while in France to participate in the 45th G7 leaders forum, said the government's goal is to prevent extremist militants from exploiting digital platforms to promote terrorist or criminal content.

In recent years, Australia and New Zealand have created stricter guidelines with regard to freedom of expression on social media, especially in the wake of the Christchurch massacre in March 2019 that killed 51 worshippers in two New Zealand mosques. An element that made this horrific event even more significant is the fact that the shooter, Brenton Tarrant, live-streamed the attack on Facebook. Since the shooting, the Australian government has vowed to establish a new structure to block domains hosting such content. With a new framework in place, Australia's eSafety Commissioner would decide on a case-by-case basis what would be censored. Additionally, a 24/7 Crisis Coordination Centre would be established to monitor globally for any potential extremist material posted online.

In the event that digital platforms do not adhere to the new safety regulations, the government would step in to enact legislation to address this concern. However, at this point, the regulatory action remains pending. It was announced that a number of major technology companies, including Facebook, YouTube, Amazon, Microsoft, and Twitter, as well as Telstra, Vodafone, TPG, and Optus, are expected to present details to the Australian government by the end of September 2019 on how they will address such safety recommendations. Recently, Sky News New Zealand was fined $2,560 by New Zealand's Broadcasting Standards Authority after showing clips from the Christchurch attacker's live-streamed video.

Similar efforts have been proposed by the European Commission (EC) to prevent dissemination of terrorist and extremist content on the internet. Broadcasting of violent videos may influence others to mimic the lethal and destructive acts depicted and glorify the perpetrators. The EC legislation would mandate that social media platforms take down terrorist and violent extremist content within an hour of being notified of its presence. Concerns have been raised by social media and freedom of speech advocates that the one-hour timeframe does not give adequate time to investigate, and that the threat of penalties for non-compliance will incentivize platforms to err on the side of caution by presumptively removing content based on complaints rather than thorough review. Added concerns question how a digital media ban would affect the reporting of critical events and terrorist attacks.

China: Hong Kong Protesters Using Pokemon Go, Uber and Tinder to Organize

Activists in Hong Kong will likely continue to utilize all available means of communication to promote and coordinate protest activity as anti-government civil unrest continues. It is equally likely that, in the near future, the authorities in Hong Kong, with the support of the national government in China, will take additional measures to circumscribe the use of social media applications in the city in order to prevent protest activity.

Protesters in Hong Kong are reportedly using gaming and dating apps, such as Pokemon Go, Uber and Tinder, to spread messages in an effort to communicate and mobilize for demonstrations. The use of this technology goes hand in hand with more traditional methods of communication in the face of increasingly violent and disruptive confrontations with law enforcement. Anti-government protest activity in Hong Kong has centered around opposition to a proposed extradition bill that would allow suspects to be extradited outside of the city, including to mainland China. Some participants have reportedly used the Tinder dating app to post schedules and information about the protests, while Pokemon Go has reportedly been used by some activists to disguise their activities from the authorities.
In July 2019, in response to being denied permission to march in one of Hong Kong's suburbs, demonstrators claimed that they were showing up for a game of Pokemon Go instead. In addition to Tinder and Pokemon Go, activists have used Apple's AirDrop service both to share information with visiting tourists from the mainland (to circumvent Chinese government restrictions on online communications between Hong Kong and mainland China) and to invite people to protests (such as commuters on Hong Kong's subway). Images calling for protests sent to recipients' phones are usually unsolicited.

[Image: protest flyer shared over AirDrop; credit: Gavin Huang]

Although some activists have used these tactics in promoting and organizing protests, most of this work is done through more traditional means, such as LIHKG, a Hong Kong equivalent to Reddit. Demonstrators have primarily communicated through groups on the social messaging platform Telegram and have also streamed actions on the gaming platform Twitch. The use of less conventional forms of communication by activists is reportedly the result of harsh crackdowns by the police.

United States: FBI Report Highlights Insider Threat Risks

A recently published Federal Bureau of Investigation (FBI) Intelligence Study outlines threats posed by cyber insider threat actors who utilize existing or shared credentials, knowledge of networks, and proprietary data. The FBI study addresses the following key intelligence questions:

- How are actors using emerging or existing technologies to conduct cyber network operations?
- What circumstances, events, or actions would trigger a computer network attack?
- How do cyber actors use access to targeted systems or exfiltrated data?
- How are current events driving cyber actors, operations, and policies?

[Figure: cover of the FBI Intelligence Study "Cyber Insider Threat Actors Very Likely Exploit Unique Knowledge and Accesses To Inflict Significant Losses On ...", August 2019]

Drawing upon information gained from law enforcement database searches, the FBI analysis makes the following key judgments as of March 2019:

- In 149 of the 205 cases reviewed, actors had accessed data through existing or shared credentials, including their own; shared administrative credentials; or fictitious credentials created just before termination of employment. Cyber insider threat actors who no longer had access through their own credentials typically preserved it by installing malware or creating back doors.
- Cyber insider threat actors in 116 of the 205 cases claimed their motivations were primarily retaliatory. In 56 cases, the actors claimed a financial motivation, including extortion. Thirty-three cases involved abuse of privileged or unauthorized access with an undetermined motivation.
- The sectors most affected included commercial facilities (82 cases), information technology (42), healthcare and public health (21), and government facilities (17). The case review, however, found victims in all but two sectors: (1) dams and (2) nuclear materials, reactors, and waste.
- Cyber insider threat actors identified in the study most often targeted victims' company data, such as proprietary systems, programs, and employee and customer data, or caused network disruptions or outages. For the 89 companies that quantified losses, the average was more than $3.5 million.
- Cyber threat actor subjects were not prosecuted in approximately 66 percent (84 of 127) of the closed investigations due to a variety of factors, including insufficient evidence, lack of subject cooperation, no identified financial loss, an uncooperative victim, referral of the case to state or local authorities, a determination that the case constituted a low priority relative to other cases in the Assistant U.S. Attorney's district, or for reasons not specifically declared.
Worldwide: Top Trends and Brands Used in Phishing Campaigns

The email security firm Vade Secure has published a report of the top 25 brands exploited or leveraged in phishing campaigns. Not surprisingly, Microsoft took the #1 spot for the fifth time since Vade Secure began publishing the report. PayPal came in second but saw a decrease of 8.4%; Facebook had a dramatic increase of 176%. Vade Secure reports that it detected 20,217 unique Microsoft phishing URLs, that is, 222 a day over the reporting period. Significantly, this figure reflects only the traffic that Vade Secure monitors. Not only does Microsoft have a large market share for Office 365, which increases the likelihood of it being used as bait, but its credentials offer a single entry point to the entire Office 365 platform. The main types of Microsoft phishing lures include suspended-account notices, links to OneDrive/SharePoint documents, voicemail recordings, and even faxes. Also of note is the use of different character sets in the subject line to bypass detection measures. The report also noted that 80% of phishing emails are sent on weekdays, notably Tuesday or Wednesday.

Other trends of interest found by Vade Secure and other security firms analyzing phishing campaigns include:

- Cloud services and financial services represent the most URLs associated with phishing; however, social media platforms had the largest increase.
- Phishing attempts targeting financial and banking customers are more prevalent over the weekend.
- Brand impersonation is the most popular and effective tactic.
- Financial, human resources, and commerce offers or requests were the top lures.
- Phishing attempts are often timed to correspond with an event or announcement from the company, for example Amazon Prime Day. Holidays and tax season see a spike in related phishing attempts, as they take advantage of distracted employees and understaffed IT resources during holiday vacations.
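The subject-line character-set evasion noted above (a brand name spelled with Cyrillic, Greek or fullwidth lookalike letters so that a plain string match for "Microsoft" fails) can be caught mechanically. The Python below is an added example written for this report; it is not code from Vade Secure or from any of the cited reporting. The sample subjects are constructed, the watched-brand list is an assumption, and the script check approximates Unicode scripts from character names because the standard library exposes no script property.

```python
import unicodedata

# Constructed sample subject lines (not taken from the Vade Secure report).
SAMPLE_SUBJECTS = [
    "Your Microsoft account has been suspended",                 # clean ASCII
    "Your Micr\u043esoft account has been suspended",            # Cyrillic 'о' (U+043E) replaces Latin 'o'
    "\uff2d\uff49\uff43\uff52\uff4f\uff53\uff4f\uff46\uff54 voicemail received",  # fullwidth "Microsoft"
    "Neue Nachricht von Ihrer Bank",                              # clean, non-English
]

# Brands to watch for; an assumption for this example, not the report's list.
WATCHED_BRANDS = ("microsoft", "paypal", "facebook", "onedrive", "sharepoint")

# Cyrillic/Greek letters that render identically to Latin ones. NFKC does not
# fold these (they are distinct letters), so they need an explicit table.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a",
})


def letter_scripts(word):
    """Return the set of script families of the letters in `word`.

    Approximation: the first token of the Unicode character name
    ('LATIN', 'CYRILLIC', 'GREEK', 'FULLWIDTH', ...) stands in for the
    script property, which the standard library does not expose.
    """
    scripts = set()
    for ch in word:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixed_script_words(text):
    """Words whose letters come from more than one script family, e.g. 'Micrоsoft'."""
    return [w for w in text.split() if len(letter_scripts(w)) > 1]


def fold(text):
    """Normalise lookalike characters so a disguised brand name becomes comparable.

    NFKC maps compatibility forms (fullwidth letters, ligatures) to plain ASCII;
    the confusables table then handles Cyrillic/Greek homoglyphs.
    """
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).casefold()


def analyze_subject(subject):
    """Return a list of findings for one subject line (empty list means clean)."""
    findings = []
    mixed = mixed_script_words(subject)
    if mixed:
        findings.append("mixed-script word(s): " + ", ".join(mixed))
    folded = fold(subject)
    raw = subject.casefold()
    for brand in WATCHED_BRANDS:
        # Brand visible only after folding => it was spelled with lookalike characters.
        if brand in folded and brand not in raw:
            findings.append(f"brand '{brand}' hidden behind non-ASCII lookalikes")
    return findings


def scan_subjects(subjects):
    """Return (subject, findings) pairs for every subject that triggered a finding."""
    flagged = []
    for s in subjects:
        findings = analyze_subject(s)
        if findings:
            flagged.append((s, findings))
    return flagged


if __name__ == "__main__":
    for subject, findings in scan_subjects(SAMPLE_SUBJECTS):
        print(repr(subject))
        for f in findings:
            print("   ", f)
```

The two checks are complementary: the per-word mixed-script test catches a single swapped Cyrillic letter (an all-fullwidth word is internally consistent and passes it), while the fold-then-compare test catches the fullwidth case and any other spelling that only resolves to the brand after normalisation. Keeping the test per word rather than per subject avoids flagging legitimate bilingual subjects that mix scripts across words.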
Cybercriminals use brevity and a sense of urgency to coax recipients into clicking on a link or downloading a document containing malicious code.

One of the most effective means of mitigating successful phishing campaigns is continued and updated cyber security awareness training for all employees. Annual training should reflect current trends, tactics and techniques used by threat actors as they evolve over time.

[Figure: Vade Secure, "Phishers' Favorites Top 25", 2019 worldwide edition]

Worldwide: New Ransomware Discovered with Potential Links to Russia

On Monday, August 26, 2019, it was reported that a new ransomware known as Nemty has been identified and that it may contain references to the Russian president and to anti-virus software. As reported, Nemty deletes the shadow copies of all files it processes, eliminating the targeted victims' ability to recover any deleted files through the Windows Operating System (OS). Victims see a ransom note from the attacker indicating that, for a set price, the key will be provided and the data released. The payment portal is hosted on the Tor network for anonymity; there, victims must upload their configuration file. The user is then given another website link that contains a chat function with other ransom information. Additionally, this variant of ransomware can make the following changes:
- delete or alter system files;
- modify registry entries;
- steal information from the system;
- disable antivirus programs; and
- install other malware.

[Image: Nemty ransomware shadow copy removal code, 2019-08-24]

Several unusual details have been discovered by researchers. The mutually exclusive (mutex) object is a flag used to coordinate resource sharing, such as access to a system file. In this case, the mutex was named "hate"
(see attached image). Also discovered in the code of Nemty was a link to a picture of Vladimir Putin, with a caption reading "...added you to the list of [insult], but only with pencil for now." Notably, Nemty performs a check to identify computers in Russia, Belarus, Kazakhstan, Tajikistan, and Ukraine. The "isRU" check in the malware code simply marks the system as being in one of the five countries and then sends the attacker the necessary data, which includes the computer name, username, OS, and computer ID.

Currently, it is believed that Nemty is deployed via compromised remote desktop protocol (RDP). Although phishing emails remain the top vector for breaches, malware distribution through RDP is increasing. This type of attack does not require any victim interaction, such as clicking a malicious link or opening an infected file attachment. RDP credentials can be obtained through brute-force attacks or password leaks, or bought online in cybercrime forums. Because many organizations do not properly install security patches, these tactics are more effective. In May and June of this year, Microsoft and NSA issued alerts stressing the importance of patching the BlueKeep vulnerability found in several legacy Windows RDP versions, including Windows 7 and XP.

Ukraine: Employees at Nuclear Power Plant Use Network to Mine Cryptocurrency

The Ukrainian Secret Service (SBU) is leading an investigation into a potential security breach at the South Ukraine Nuclear Power Plant, located near the city of Yuzhnoukrainsk in southern Ukraine, after employees at the facility allegedly connected part of the plant's internal network to the internet so that they could mine cryptocurrency. According to news media reports, the incident occurred in July 2019. On July 10, 2019, the SBU raided the nuclear plant, where the authorities reportedly seized equipment and computers that were specifically related to mining. This equipment was found in the facility's administration offices. Authorities uncovered and confiscated two bespoke mining hardware rigs from the administration offices, as well as network and fiber-optic cables. Also on July 10, mining equipment was uncovered at the nuclear plant by a branch of the National Guard of Ukraine. One ongoing area of investigation is whether the mining rigs could have been used to access the plant's network in order to obtain classified data related to the plant itself. However, it is currently unclear if any classified data was compromised as a result of the alleged activities at the plant. It is also unclear if any military staff were charged as a result of the investigation. Media reports indicate that one possible reason for the suspects attempting this scheme was a recent spike in cryptocurrency trading prices after a long period of decline.

In recent years, there have reportedly been similar incidents at other sensitive sites in other countries. In February 2018, engineers from the Russian Nuclear Center (who were arrested) used the agency's supercomputer for related purposes. Similar unauthorized activity occurred in March 2018 at the Bureau of Meteorology in Australia. An April 2018 incident involved an employee at the Romanian Nuclear Research Institute (Institute for Nuclear Physics and Engineering).

[Map: location of the South Ukraine Nuclear Power Plant, Ukraine]

It is possible that additional information regarding the attempted activities at the South Ukraine Nuclear Power Plant will emerge during the course of the ongoing investigation. The alleged attempts by employees at this facility, coupled with the similar activity reported at other nuclear sites in Russia, Australia, and Romania during 2018, demonstrate the substantial financial incentive that cryptocurrency mining presents. The prospect of a fast gain overrides the risk of placing employment in jeopardy if the unauthorized and illicit activity is detected.
This misguided risk calculation can be made by employees in sensitive positions anywhere.

Worldwide: Hacking Group Targeting Oil and Gas Companies in the Middle East

On Tuesday, August 27, 2019, it was reported that the scope of Middle Eastern cyber-espionage is intensifying, with a new hacking group targeting critical infrastructure, notably telecommunications, in multiple countries in the region and elsewhere in Asia and Africa. The new Lyceum advanced persistent threat (APT) has been identified by several cybersecurity firms under the names Lyceum and Hexane. This illicit cyber actor has primarily been targeting oil and gas companies in the Middle East, in particular Kuwait. Although the majority of the Lyceum attacks were directed at companies in the energy sector, the group has also been carrying out attacks against telecommunication providers in Central Asia and Africa. In a report published today by Secureworks, researchers explained the Lyceum attack method:
- First stage: utilize techniques such as password spraying and brute-force attacks to breach individual email accounts at specific organizations.
- Second stage: utilize the compromised email accounts to send spear-phishing emails with malicious Excel files to executives, human resources (HR) staff, and information technology (IT) personnel in the compromised company.
- Third stage: drop a payload called DanDrop, a Visual Basic for Applications (VBA) macro script, to infect the target with DanBot, a remote access trojan (RAT).

Cybersecurity experts indicate that the modus operandi (MO) of Lyceum is quite similar to that of APT33 and APT34, two groups with ties to Iran. However, at this stage, there has been no confirmation of a direct link between the new Lyceum APT and specific state-sponsored cyber-espionage. Further, thus far, there is no evidence that the group is interested in or has the capability to target the Operational Technology (OT) environment.
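An added example (not part of the report or of the Secureworks analysis) of how a defender can tell the first-stage password spraying described above apart from ordinary brute force in authentication logs: one source failing against many accounts with few tries each, versus many tries against one account, with a later success from a flagged source recorded as a probable compromise. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real product's): timestamp, source, account, outcome.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample: one source tries six accounts then logs in as a seventh; another hammers "admin";
# one legitimate user mistypes twice before succeeding.
SAMPLE_LOG = (
    [f"2019-08-27T09:0{i}:00 src=198.51.100.7 user={u} result=FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["2019-08-27T09:06:00 src=198.51.100.7 user=hr-team result=OK"]
    + [f"2019-08-27T09:{i:02d}:30 src=203.0.113.9 user=admin result=FAIL" for i in range(12)]
    + ["2019-08-27T09:01:05 src=192.0.2.4 user=grace result=FAIL",
       "2019-08-27T09:01:40 src=192.0.2.4 user=grace result=FAIL",
       "2019-08-27T09:02:10 src=192.0.2.4 user=grace result=OK"]
)

def parse(lines):
    """Yield (timestamp, src, user, ok) for well-formed lines; anything else is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4) == "OK"

def classify(lines, window=timedelta(minutes=10), spray_users=5, brute_attempts=10):
    """Per source IP, inspect failures inside a sliding window: many accounts with few tries each is a
    password spray, many tries on one or two accounts is brute force; a later success is a probable compromise."""
    recent = defaultdict(deque)      # src -> (ts, user) failures still inside the window
    report = {}
    for ts, src, user, ok in sorted(parse(lines)):
        if ok:
            if src in report:
                report[src]["success_after"].append(user)
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        if len(per_user) >= spray_users and max(per_user.values()) <= 3:
            verdict = "password-spray"
        elif len(q) >= brute_attempts and len(per_user) <= 2:
            verdict = "brute-force"
        else:
            continue
        entry = report.setdefault(src, {"success_after": []})
        entry.update(verdict=verdict, accounts=len(per_user), failures=len(q))
    return report

if __name__ == "__main__":
    for src, details in classify(SAMPLE_LOG).items():
        print(src, details)
```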
Conversely, they advise that this risk should not be dismissed, since compromising the IT environment can be a prerequisite or preparation for later targeting of the OT environment. Researchers from Dragos note that the group Lyceum/Hexane has likely been operating since 2018. The recent accelerated operations have coincided with the escalation of political, economic, and military tensions in the Middle East region during the past year-plus. Dragos further notes that the targeting by Lyceum and Hexane of the telecommunication sector may be part of a pattern of attempting to leverage third-party organizations along the supply chains of potential targets. The Railway Alert Network (RAN) is closely monitoring the cyber activities in the Middle East, specifically groups directly or potentially linked to the Islamic Republic of Iran.

Worldwide: False Flags and the Decline of International Hacktivism

Recorded Future published a report, "Return to Normalcy: False Flags and the Decline of International Hacktivism," that analyzes the rise and fall of hacktivism operations of 81 self-identified hacktivist groups. The report focuses on answering these questions:
- What is the current state of hacktivism? How does it compare to previous years?
- Who are the current players?
- How has targeting changed?
- What are known links between hacktivism and other types of cyber operations?

Recorded Future assessed that overall there has been a decline in successful hacktivist operations. The trend in use of the tactic is shifting back to smaller and more regional groups instead of broad, large-scale public operations by hacktivist conglomerates such as Anonymous. One observation contributing to this decline is the improvement of network defenses by companies.
Additionally, the steep decline of international hacktivism began in 2016, following significant drops dating to 2013 due to increased arrests of members of the hacking collectives Anonymous and LulzSec. However, regional chapters of Anonymous remain active but have differing missions and targets. Conversely, Recorded Future has seen an increase in nation-state actors conducting false flag operations under the guise of hacktivism. For example, threat actors such as Guccifer 2.0, behind the Democratic National Committee breach, and the Shadow Brokers, who leaked cyber tools believed to belong to the National Security Agency, were revealed to be operating for or connected to nation states. In these two examples, the illicit actors and their hacktivist activities were linked back to the Russian government. Additionally, most of Russia's "grassroots" hacktivist organizations or operations have been associated with Russian intelligence organizations, or have been linked to Russian government support. Regional state-sponsored actors, like Iran's Al Qassam Cyber Fighters and the Syrian Electronic Army, have cooperated with other, more organic hacktivist groups to participate in hacktivist operations that are in line with their interests and mission.

Hacktivism has demonstrated many flavors: political, religious, environmental, animal rights and other social concerns. Recently, news media sources reported that the personal information of 120 Royal Canadian Mounted Police (RCMP) members had been leaked publicly by a hacktivist group, the National Frog Agency, angry with the Canadian government's issuance of licenses to hunt polar bears. In 2016, the Dakota Access Pipeline (DAPL) construction spanning three states was being opposed by US Native American groups and environmental activists.
The demonstrators garnered the support of a hacktivist group calling themselves Anonymous, who launched denial of service attacks and leaked personal information of employees of organizations associated with DAPL.

[Image: Anonymous tweet from the DAPL campaign]

The ongoing direct action campaigns against climate change have, at times, targeted the Transportation Sector. To date, there has not been any indication of illicit cyber operations in support of these actions. However, organizations across transportation modes, including the rail industry, remain vigilant and monitor activity in the expectation that tactics evolve to include potential integration of cyber.

Another example of false flag operations includes the rise of a hacktivist organization claiming to be linked to the Islamic State of Iraq and Syria (ISIS), the United Cyber Caliphate (UCC), but later discovered to be linked to the Russian government's military intelligence organization, the GRU. The Cyber Caliphate was responsible for doxxing thousands of US military personnel in 2015.

[Image: defaced US Central Command social media account]

Terrorist organizations have conducted attacks associated with hacktivism to further their message. ISIS-affiliated hacker Ardit Ferizi was sentenced to 20 years in 2016 for providing material support to the terrorist group and for unlawfully gaining access to a protected computer without authorization. The latter activity was intended to obtain information for use by ISIS in its planning and operations. The assessment further states that terrorist organizations which are involved in military and cyber conflict may be motivated to conduct more destructive operations. As an overall assessment:
- Hacktivism-related attack vectors have remained consistent and somewhat popular, with shifting trends in use. Commonly used, and effective, tactics include: distributed denial of service attacks; defacement of public-facing websites and accounts; compromise and publication of sensitive data; and takeover of key accounts.
- Although in decline, hacktivism will continue to persist, targeting government, military and private organizations as a technique for political and social activism.
- It is also likely that these groups, both regional and international, will attract more skilled and dedicated members capable of utilizing more sophisticated tactics and tools.