OFFICIAL USE ONLY

ASSOCIATION OF AMERICAN RAILROADS
RAIL AWARENESS DAILY ANALYTIC REPORT (RADAR)
December 1 - 3, 2018

Worldwide: Weekly Incident Map, November 19 - 23, 2018
[Map graphic with incident headlines; not reproduced.]

Summary of Content

Weekly Incident Map

Special Events
- Special Events: State Funeral and Commemorations, President George H. W. Bush
The Joint Threat Assessment of the state funeral and related events honoring former President George H.W. Bush during December 3 - 5 found "no information to indicate a specific, credible threat." Union Pacific is operating the train for the funeral procession from Spring, Texas, to the burial site at the Presidential Library and Museum at Texas University in College Station.

Activism
- Australia: Activists in Sydney to Protest Adani's Carmichael Coal Mine
On Saturday, December 8, a coalition of environmental activists will stage a march in Sydney, Australia, against the Adani energy firm's Carmichael coal mine project in north Queensland. Activists will meet at Town Hall Square and march through Sydney's town center.
Rail Security Awareness
- Japan: Autonomous Patrol Robot Tested at Shinjuku Train Station
Japan's first autonomous railway patrol robot operated in a trial run on Tuesday, November 29, 2018, at Tokyo's Seibu Shinjuku Station. The "Perseusbot" stands about 5 1/2 feet tall, weighs nearly 375 pounds, and uses self-controlled movements and functions to scan for dangerous individuals and for unattended, suspicious packages present or left in or near the rail station for a long period of time.
- Mexico: Cargo Theft Incidents Significantly Increased in 2018
Throughout 2018, cargo theft incidents across Mexico have increased over 200 percent, according to the president of the National Transport Chamber. This dramatic increase, affecting rail and trucking, has caused major losses for transport companies and insurers.

Terrorism
- Arizona: Iraqi Refugee Accused of Providing Bomb-Making Instructions
A refugee from Iraq living in Tucson, Arizona, is accused of making a bomb and instructing others on how to do so. FBI agents began investigating Ahmad Suhad Ahmad in December 2016 after he allegedly told an informant he knew how to detonate a bomb using a cellphone. Later, he allegedly agreed to build a remote-controlled explosive device for undercover FBI agents.
- Italy: Palestinian Man Arrested on Suspicion of Plotting Chemical Terror Attack
A Palestinian man has been arrested in Sardinia on suspicion that he planned to carry out a chemical attack or to poison drinking water pipes with ricin and anthrax. The state anti-terror prosecutor told reporters the suspect is believed to be affiliated with ISIS.
- Belgium: Report on Threat of Radicalization in Prisons and Homeschool Settings
On Friday, November 29, Belgium's State Security Service released its annual intelligence report, which warned that the country faces a persistent terror threat stemming from radicalization of prisoners and exposure of homeschooled children to Islamist propaganda.
- Florida: Dozens of White Supremacist Gang Members Arrested in Pasco County
On Thursday, November 15, authorities in Pasco County announced arrests of 39 white supremacist gang members from groups called the "Unforgiven" and "United Aryan Brotherhood" and seizure of illegal firearms, narcotics, pipe bombs, and bomb-making materials.

Cyber
- New Industrial Espionage Campaign Targets Companies Using Malware
Researchers reported discovery of a malware distribution campaign that targets companies using AutoCAD-based software. AutoCAD is a commercial computer-aided design and drafting software application. The campaign using this tactic appears to have been active since 2014. The assessment indicates the group behind this campaign is likely very sophisticated and primarily interested in industrial espionage.
- Critical Infrastructure is Dependent on Local and State Government Systems
A recent article focuses on the importance of securing local and state government systems as a means of protecting critical infrastructure from cyber attacks. Highlighted are ransomware attacks that have increasingly targeted public agencies with responsibilities pertaining to critical infrastructure, such as utilities, police and fire departments, school districts, and judicial and administrative services.
- National Cyber Awareness System: Alert on SamSam Ransomware
The National Cybersecurity and Communications Integration Center (NCCIC) and the FBI have issued an Alert on the SamSam ransomware, also known as [...]. SamSam actors targeted multiple industries across critical infrastructure sectors. Victims were located predominantly in the United States.
The Alert highlights attack tactics, indicators, and recommended mitigation measures.

Special Events: State Funeral and Commemorations, President George H. W. Bush

George Herbert Walker Bush, the 41st President of the United States, died on Friday, November 30, 2018. Services honoring the former President began in Houston, Texas, according to the Joint Task Force National Capital Region. On Monday morning, December 3, a departure ceremony took place at Ellington Field in Houston. A flight followed to Joint Base Andrews, Maryland, outside of Washington, DC, and then a procession to the United States Capitol Rotunda, where he will lie in state until Wednesday morning, December 5. A funeral service is scheduled at the National Cathedral in northwest Washington, DC. Following this service, Bush will be taken back to Joint Base Andrews to return to Houston and lie in repose at St. Martin's Episcopal Church until Thursday morning, December 6. A second funeral service is scheduled for 10:00 am Central time that day. Bush will then be transported by motorcade and train to the George Bush Presidential Library and Museum at Texas University in College Station, Texas, where he will be laid to rest. He will be buried next to former First Lady Barbara Bush, who died in April, and their daughter Pauline Robinson "Robin" Bush, who died at the age of 3 in 1953.

The Joint Threat Assessment (JTA) for the 2018 State Funeral for former President George H.W. Bush in Washington, DC, during the period of December 3 - 5, which is co-authored by the Federal Bureau of Investigation (FBI) and the Department of Homeland Security Secret Service, states there is no information to indicate a specific, credible threat to or associated with this event or related activities in the vicinity of the US Capitol Complex and the National Cathedral. The assessment notes, "State funerals are considered no-notice events that significantly reduce planning timelines for potential hostile actors."
The analysis adds that "state funerals still present attractive targets due to the large gathering of senior US government officials, foreign dignitaries, and heads of state, as well as the symbolic nature of the venues and media attention expected." Federal and state government authorities have developed and implemented security plans for these events, integrating private sector organizations into these preparations, including railroads with operations and police and security forces in the National Capital Region.

[UNCLASSIFIED map graphic: Union Pacific Locomotive No. 4141, George H.W. Bush Memorial Route, Spring to College Station; not reproduced.]

Union Pacific (UP) is honored to participate in the funeral procession for President George H.W. Bush. The funeral train will leave Union Pacific's Westfield Auto Facility on Thursday, December 6, at 1:00 pm Eastern time and should arrive at College Station across from Kyle Field at 3:25 pm.

The train will be powered by UP locomotive number 4141. Unveiled on October 18, 2005, during a ceremony near the George Bush Presidential Library and Museum at Texas University in College Station, Texas, this locomotive marked only the sixth time that Union Pacific has used colors other than the traditional UP "Armour Yellow" paint. The custom-painted locomotive incorporates the colors of the Air Force One used during Mr. Bush's presidency and symbolizes national pride and strength. It bears the number 4141 in honor of the 41st president. The locomotive's rear panel features elements from Air Force One's wings and tail, including the American flag and sweeping lines of forward motion representing progress.
Australia: Activists in Sydney to Protest Adani's Carmichael Coal Mine

On Saturday, December 8, 2018, a coalition of environmental activists will stage a march in Sydney, Australia, against the Carmichael coal mine operated by energy company Adani. Organizers and participants will meet at Town Hall Square and march through Sydney's town center. Social media-indicated participation is at 589, with more than 2,700 people interested in attending the march. The march is in response to an announcement by Adani CEO Lucas Dow on November 29, 2018, that construction of the "scaled-back version" of the Carmichael coal mine project will begin before the end of the year following regulatory approval of final management plans. The project will be self-funded, is expected to generate over 1,500 jobs during construction and initial phases, and is forecasted to have capital expenditures of around $2 billion, with full production and coal exports estimated by 2020.

[Social media graphic promoting the march; not reproduced.]

The announcement of the project has been met with criticism as it comes at a time of a highly politicized push for "stronger application of environmental approval laws." Reporting indicates banks and businesses are not investing in the project. Additional disruptions may pertain to access to export/import on Aurizon's regulated rail line, although the rail organization has indicated support for the project by stating it is legally mandated to consider new requests for access. Secondary impacts could emerge if Adani is unable to obtain support from other Aurizon rail customers. The march in Sydney will likely embolden participants to carry out further protests and mobilizations and possibly even direct action tactics against coal mines and distribution facilities in their respective hometowns.
In recent months, the Australian government has continued to advance coal initiatives across the country. Activists have responded to these persistent efforts by continuing to cultivate their "direct action" campaigns and increase their resistance efforts to undermine coal projects. Some activists have been emboldened to unfurl anti-coal banners outside of government buildings, such as the Parliament House in Canberra, and company headquarters linked to coal initiatives. Environmentalists are involving school-age children in highly publicized protests and may integrate their involvement in the solidarity marches expected to take place across Australia on Saturday, December 8.

[Map graphic: Town Hall Square, Sydney; not reproduced.]

Japan: Autonomous Patrol Robot Tested at Shinjuku Train Station

According to published reports, media outlets were offered the opportunity to view Japan's first autonomous railway patrol robot in a trial run on Tuesday, November 29, 2018, at Tokyo's Seibu Shinjuku Station. An experimental robot, officially called the Perseusbot, was jointly developed by Seibu Railway Company, Tokyo Metropolitan Industrial Research Institute, and the Japanese artificial intelligence firms Earth Eyes and Nihon Unisys. Perseusbot stands 1.67 meters tall (about 5 1/2 feet), weighs about 170 kilograms (nearly 375 pounds), and uses self-controlled movements and functions to scan for dangerous individuals and for unattended, suspicious packages present or left in or near the rail station for a long period of time. The robot employs artificial intelligence (AI) and an onboard camera to detect problems autonomously, rather than being remotely controlled. During a demonstration, the robot was reportedly able to identify a person who seemed ill and then send the appropriate alert to a station employee's smartphone. Another built-in capability is Perseusbot's ability to identify aggressive movements indicating a precursor to conflict.
Despite its autonomy, Perseusbot ultimately relies on human security personnel to respond to potential threats. The robot is still reportedly undergoing field testing so that developers can gauge its capabilities and also the effect it has on pedestrian traffic flow. Seibu Railway has publicly indicated its hopes that the introduction of such robots will help enhance safety at stations ahead of the 2020 Tokyo Olympics and Paralympics. A senior Seibu official reportedly expressed the expectation that the robot will also be useful in providing services to passengers, because a limited number of station staff must cover a large amount of space.

Deployment of autonomous robots as a means of monitoring for, and triggering response to, activity, behaviors, or objects presenting a potential threat to the safety and security of passengers and railway employees marks a substantial departure, in level of technological sophistication and expense, from the surveillance cameras installed widely in stations and on board trains in many passenger railroads internationally. At this stage, the robot is a novelty. Testing during the varying conditions that pertain throughout each day, from intensive rush periods in mornings and evenings to comparative lulls late morning to early afternoon and late at night, will evaluate the functionality of electronic configurations, algorithms to decipher behavioral indicators of concern, draining and recharging of batteries, comparative rates of accuracy and inaccuracy in reporting, and susceptibility to cyber hacking and spoofing. The concept is intriguing: applying robotics and technology to expand opportunities for detection and to guide the actions of security staff and supporting police, fire, and emergency medical services.
Mexico: Cargo Theft Incidents Significantly Increased in 2018

Throughout 2018, cargo theft incidents in Mexico have increased over 200 percent, according to the president of the National Transport Chamber (Canacar), Luis Exsome Zapata. This dramatic increase has caused major losses for transport companies and their insurers. The latter are now, in some cases, refusing to provide insurance for trucks that travel on certain highways of Mexico, especially in the states of Mexico, Puebla, Veracruz, Tlaxcala, and Michoacan, which have seen over 93 percent of all nationwide incidents. The Veracruz-Puebla Highway is the most affected by the increase in theft, as it is one of Mexico's major economic corridors, serving both the busiest port in the country in Veracruz and the capital, Mexico City, to which the majority of cargo is bound.

The tactics employed by the cargo thieves have been evolving, with notable use of new technologies such as GPS signal jammers. The assailants are setting up fake police checkpoints, taking advantage of poorly protected highways, and, in some cases, using cars disguised as police cruisers equipped with sirens to fool drivers. These tactics demonstrate the level of sophistication of the criminals involved, clearly indicating they are organized and systematic, rather than opportunistic and sporadic. Violence perpetrated against drivers has seen an uptick as well this year. At least 15 truck drivers have been killed during hijackings and, in many cases, they are taken hostage. This scourge has caused a void in the field. According to Canacar, over 50,000 new truck drivers are needed in Mexico. Recently, Federal Police and forces from the Mexican Army and Navy have been escorting truck drivers throughout the whole state of Tamaulipas. The initiative is intended to mitigate the risk of robberies and hijackings in a state that is under siege by the Cartel del Golfo and the Los Zetas Cartel.
The state of Mexico has seen the most cargo theft incidents in all of Mexico, with 28 percent of overall cargo theft crimes. Puebla is a close second, followed by Michoacan, Tlaxcala, Nuevo Leon, and Jalisco. Out of all reported cases, 93 percent occurred while the truck was in transit, 5 percent while the truck was parked, and 2 percent in which the truck was stolen from a company's premises. Similarly, cargo theft on trains has increased 176 percent over the course of 2018, with reported cases going from 139 in 2017 to 384 this year. The state of Puebla is the most affected, followed by Guanajuato, Jalisco, and Sonora. Individuals who live near railroad tracks often force the trains to stop by placing objects directly on the track. They then proceed to loot whatever merchandise is on board. Statistically, a train theft occurs on average every 17 hours. While it may seem that most of the cases of such looting involve opportunistic locals, substantial evidence indicates that they may be orchestrated directly by organized crime groups.

Arizona: Iraqi Refugee Accused of Providing Bomb-Making Instructions

A refugee from Iraq living in Tucson, Arizona, has been accused of making a bomb and instructing others how to do it themselves. According to the federal criminal complaint, FBI agents began investigating Ahmad Suhad Ahmad in December 2016 after he allegedly told an informant he knew how to detonate a bomb using a cellphone. The 30-year-old said he learned how during the Iraq war, claiming it was easy. He later allegedly agreed to build a remote-controlled explosive device for undercover FBI agents. On April 26, 2017, Ahmad allegedly traveled to Las Vegas with two undercover agents to build the bomb at a condo there. The agents reportedly asked if he could instruct them on how to make a car bomb to kill a ranking member of a drug trafficking organization during his visit to the United States from Mexico.
Ahmad allegedly agreed and constructed one bomb and showed the agents how to build a second. Ahmad reportedly left Iraq more than ten years ago and ran a mechanic shop in Tucson. According to court documents, he was arrested on drug charges in December 2016 and June 2017. Found to have violated the terms of his probation, he was sentenced to time in state prison in early 2018. More recently, prosecutors have presented new details on Ahmad's alleged bomb-making instructions. These include his reported bragging about making bombs. Additionally, Ahmad allegedly threatened to blow up one of the confidential sources and his family should anything ever happen to him. Court filings state that Ahmad had a "religious conversion" while serving his previous prison sentence for conviction of drug offenses. As of late November 2018, authorities determined Ahmad will remain in custody. An order granting the motion to seal Ahmad's case, inclusive of the complaint and arrest warrant, was issued on October 26. A sealed financial affidavit was submitted on October 29. Ahmad's initial appearance in court occurred on that same day. A follow-on detention hearing was reportedly held on November 2.

While there is currently no indication of why Ahmad's case has been sealed, there are multiple news media reports indicating he entered the United States through the Diversity Visa Lottery program "over a decade ago." This program has garnered particular scrutiny in the contentious public debate on immigration laws and rules. An article published by Pew Research in August 2018 reports over 22.4 million people applied for immigration under this program in 2017. This figure nearly matches the record-high number of applicants recorded in 2016. Terrorism charges have been brought against additional individuals who gained entry into the United States under the Lottery program.
Another group has been charged with or convicted of criminal offenses, including murder, manslaughter, and other felonies. However, by far the larger proportion of entrants under the program have not been involved in any significant violations of law.

Italy: Palestinian Man Arrested on Suspicion of Plotting Chemical Terror Attack

According to published reports, a Palestinian man was arrested in Sardinia on suspicion that he planned to carry out a chemical attack or to introduce the poison ricin or anthrax into pipes transporting drinking water. State anti-terror prosecutor Federico Cafiero de Raho told reporters on Wednesday, November 28, that the suspect, identified as 38-year-old Alaji Amin, is believed to be affiliated with the Islamic State of Iraq and Syria (ISIS). Amin reportedly has a residence permit that allows him to reside legally in Italy, but he originally came from Lebanon and holds Palestinian identification documents as well. He was reportedly arrested by an Italian anti-terrorism unit after he left his home and entered his van in the Sardinian town of Macomer. The police investigation has reportedly determined that Amin has lived in the center of Macomer for several years. Throughout this period, he had never been known to have left the residence for work; yet he nevertheless had an income. Authorities believe that he moved to Sardinia to be with his partner, a Moroccan woman he met on social media. Italian law enforcement and security officials have described Amin to news media as a "lone wolf," adding that his online behavior showed he was fascinated by ISIS leader Abu Bakr al-Baghdadi and interested in Islamist extremism. At one point, he had reportedly tried to buy poisonous substances, such as the toxic pesticide methomyl, online.
Police reportedly began monitoring Amin's activities after receiving a tip-off about the alleged plot from the international police organization Interpol, which had learned of it from Lebanese authorities in September 2017 when Amin's cousin and alleged accomplice was arrested. Anti-terror agents reportedly sprang into action and arrested Amin after he withdrew 5,700 euros (approximately $6,500 US) from his bank account and began desperately searching for his passport, which he had lost. Investigators have acknowledged that it was not clear when Amin planned to carry out the attack, but they have expressed the belief that he wanted the poisoning to coincide with a holiday.

Recent disrupted plots have shown sustained interest by ISIS adherents or supporters in the production and use of ricin in attacks. On June 13, 2018, authorities in Cologne, Germany, arrested Sief Allah H. for procuring materials needed to create the toxin ricin and launch a deadly attack. A search of the suspect's apartment revealed over 900 castor bean seeds, the shell of which contains ingredients used to create ricin. Investigators assessed that Sief was working on a "biological weapon" attack in Germany. On the same day, a Wisconsin woman was arrested for providing material support to ISIS. Waheba Issa Dais attempted to recruit individuals to carry out attacks for the terrorist group. The federal criminal complaint alleged Dais maintained a virtual library of instructions on how to make different explosive devices, including biological weapons. These actions came just two months after the foiling of an alleged terror plot in France where, in May 2018, authorities arrested Mohamed M, a 20-year-old college student from Egypt, for allegedly "preparing to commit an attack with [an] explosive or ricin."
Belgium: Report on Threat of Radicalization in Prisons and Homeschool Settings

On Friday, November 29, 2018, Belgium's State Security Service released its annual intelligence report, which warned that the country faces a persistent terror threat stemming from both the radicalization of prisoners and the exposure of homeschooled children to Islamist propaganda. According to the report, Belgium faces a "considerable problem" of extremism in jails and high rates of recidivism among convicted terrorists. The country has already been hit by several attacks claimed by the Islamic State of Iraq and Syria (ISIS), including the bombings at Zaventem International Airport and a downtown metro rail station and train in Brussels in March 2016 that left 32 dead. Attacks across the border in France have been traced to Brussels-based terror cells, including the coordinated assaults targeting multiple sites on Friday night, November 13, 2015, in Paris that killed 130 people and wounded over 350. The Security Service has reported Belgium has "never before seen a population of detainees jailed for terrorism" that poses a greater threat of "contagion." The Service further assessed that the Syrian war continues to serve as a "catalyst" for radicalization, pushing extremists back into violence. Belgium is reportedly one of the primary sources of foreign fighters in Syria, with more than 400 departing since 2012, about a third of whom have returned home. The report additionally notes that up to 20 percent of children who are registered as being homeschooled in Belgium could be exposed to extremist Islamist teachings. While the homeschooling environment is still supervised by education authorities, it allows more opportunity and freedom for extremists to come in contact with children and young people, the report asserts.
Likewise, Flemish education

A 2016 study found that more than half of Europe's foreign fighters had criminal records and 27 percent had been radicalized in prisons and detention facilities. The United Nations has even warned of the heightened threat of prisons serving as "incubators of terrorism and violent extremism." Furthermore, in September of this year, authorities in Great Britain highlighted the growing risk posed by convicted terrorists who go unmonitored following their release from prison. Of note in this regard, Spain's Interior Ministry, in October of this year, announced that police had dismantled a network of jihadists operating in 17 of the country's prisons.

Florida: Dozens of White Supremacist Gang Members Arrested in Pasco County

On Thursday, November 15, 2018, authorities in Pasco County, Florida, reportedly announced they had arrested 39 white supremacist gang members from groups called the "Unforgiven" and "United Aryan Brotherhood" following a three-year police investigation dubbed "Operation Blackjack." Along with the arrests, police reportedly uncovered a stash of illegal firearms (including a rocket launcher), heroin, crack cocaine, methamphetamine, pipe bombs, and a garage full of bomb-making materials. Listed as a hate group and prison gang by the Anti-Defamation League (ADL), the "Unforgiven" gang reportedly favors Nazi-style imagery. The United Aryan Brotherhood is also reportedly listed as a prison gang by the Southern Poverty Law Center (SPLC). The gang members arrested have reportedly been charged with various federal drug and firearms offenses. Depending on the specific charges, they face sentences ranging from two years to life in prison. Last year, also in the Tampa Bay area, an 18-year-old man allegedly shot his roommates because he said he believed they were planning mass killings on behalf of the Atomwaffen neo-Nazi group.
The shooter reportedly told a Tampa police detective that Atomwaffen planned to execute destructive acts targeting infrastructure and religious sites, specifically power lines, nuclear reactors, and synagogues.

[Image: U.S. Department of Justice, U.S. Attorney's Office, Middle District of Florida, press release (Thursday, November 2018), "Thirty-Nine 'Unforgiven' And 'United Aryan Brotherhood' Gang Members And Associates Indicted For Arms And Drug Trafficking In Pasco County"; body text not reproduced.]
Though the shooter was subsequently booked on homicide charges, police reportedly released one of his roommates, who then immediately loaded his car with more than 1,000 rounds of ammunition, assault weapons, and body armor and headed for the Florida Keys with another Atomwaffen member. The two were later apprehended by the Monroe County Sheriff's Department. According to the ADL, activity attributed to Atomwaffen has been reported in multiple states, including Colorado, Florida, Illinois, Texas, Massachusetts, Washington, North Carolina, and Virginia.

[News image: "Deputies bust nearly 40 gang members"; not reproduced.]

New Industrial Espionage Campaign Targets Companies Using Malware

[Image: example of a plan from a lure package; not reproduced.]

Researchers at cyber security firm Forcepoint have reportedly identified a malware distribution campaign that targets companies using AutoCAD-based software. AutoCAD is a commercial computer-aided design and drafting software application often used in the field of architecture. Forcepoint has reported the campaign leveraging the software appears to have been active since 2014. The firm assesses that the group employing this attack tactic is likely very sophisticated and primarily interested in industrial espionage.

According to Forcepoint's recent report detailing the campaign, the threat actors have "successfully targeted multiple companies across multiple geolocations with at least one campaign likely having been focused on the energy sector." Researchers' analyses have determined that the hacker group used spear-phishing emails that contained either archives of malicious files or links to websites from which victims could download the ZIP files themselves, in case the lure files needed to be larger than standard email servers' file attachment limits.

[Image: example of a project rendering from a lure package; not reproduced.]
Forcepoint contends the spear-phishing campaign used "already-stolen documents for major projects such as hotels, factory buildings, and even the Hong Kong-Zhuhai-Macau bridge as 'lures' to propagate further." Victims typically get infected because the ZIP files with (.cad) projects they receive also contain hidden Fast-Load (.fas) modules, the report concludes. Based on the victim's AutoCAD installation settings, the application will automatically execute these .fas scripting modules in two circumstances: when the user opens either the main .cad project or any .cad project. However, versions of the software released after 2014 should reportedly show warnings when executing a .fas module.

[Figure: example of a Fast-Load module]

[Table detailing 2 servers seen to date: not reproduced]

Forcepoint notes that versions of AutoCAD starting with 2014 provide security variables that control what executable files (modules) can be loaded automatically, from what location, and whether to display a pop-up warning. According to Forcepoint, these features are easily controlled from within the application by the SECURITYOPTIONS command, by installing the external CAD Manager Control Utility, or by editing the corresponding registry entries manually. If these capabilities are properly set and locked, the risk of unwanted module execution is greatly mitigated, and so too is susceptibility to this malware attack tactic.

[Figure: heatmap of affected countries based on GeoIP data for unique victim IP addresses]

Critical Infrastructure is Dependent on Local and State Government Systems

A recent article authored by cyber security expert Timur Kovalev for Security Info Watch focuses on the importance of securing local and state government systems as a means of protecting critical infrastructure from potential attacks.
Kovalev highlights the recent wave of ransomware attacks that have increasingly targeted agencies and emergency services, like utilities, police and fire departments, school districts, and judicial and administrative functions. One particularly notable example provided by Kovalev is that of Matanuska-Susitna Borough, located near Anchorage, Alaska, which was hit with an attack that paralyzed its computer systems for weeks, costing an estimated $2 million. He noted that the borough serves a population of 100,000 Alaskan residents and encompasses Port MacKenzie, a "massive new development of facilities and railway links designed for the export of petrochemicals and natural gas." According to Kovalev, this attack demonstrated the hidden risks posed to critical infrastructure by the infiltration of local systems, which he says are "almost always linked to larger networks, databases and resources."

Kovalev asserts that "critical infrastructure" is often defined too narrowly by cyber security professionals, who typically view it in terms of "power plants, water utilities, and urban public transportation." He believes the concept instead needs to be thought of as an interdependency between all major systems, and the "vulnerabilities and criminal opportunities they create." Local and state governments play a range of roles in these systems as encompassed in the definition of "critical infrastructure" used by the Department of Homeland Security. Lastly, Kovalev acknowledges the great cost and difficulty faced by public institutions in defending their systems from the continuously evolving methods used by cyber attackers. He goes on to cite examples of past attacks that have targeted insecure vendors contracted by local governments, such as the billing services Click2Gov and GovPayNow, and asserts the need for governments to work more closely with vendors on secure configurations, incident response plans, breach disclosures, and network monitoring.
To improve the security of their systems, Kovalev suggests that local and state government agencies work together and share information about possible threats, vulnerabilities, and mitigation procedures. He additionally stresses the importance of maintaining basic "cyber hygiene": utilizing firewalls, monitoring networks and system logs for anomalous behavior, and backing up data and systems off-site. "Employee training and policy enforcement is paramount," he concludes. "Many ransomware attacks can be avoided if employees know how to react to suspicious emails and follow protocol for responding to requests for sensitive information."

The State, Local, Tribal and Territorial Government Coordinating Council (SLTT-GCC), established pursuant to the National Infrastructure Protection Plan (NIPP), affords an effective forum for this collaboration among local and state government organizations. Coordination on cyber security priorities with the private sector is readily accomplished by engagement with another link in the NIPP structure, the Critical Infrastructure Cross Sector Council, comprised of representatives of each of the critical infrastructure sectors and sub-sectors.

National Cyber Awareness System: Alert on SamSam Ransomware

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) have issued an Alert to inform computer network defenders about SamSam ransomware, also known as MSIL/Samas.A.

- The SamSam actors targeted multiple industries, including some within critical infrastructure.
- Victims were located predominately in the United States, but also internationally.
- Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems.
- Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.
The actors exploit Windows servers to gain persistent access to a victim's network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims' machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims' networks. Typically, actors either use brute force attacks (repeatedly submitting user names and passwords to find a match and gain access) or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.

After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims' action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Analysis of tools found on victims' networks indicated that successful cyber actors purchased several of the stolen RDP credentials from known darknet marketplaces. FBI analysis of victims' access logs revealed that the SamSam actors can infect a network within hours of purchasing the credentials. While remediating infected systems, several victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible indicator that the victims' credentials were stolen, sold on the darknet, and used for other illegal activity.

SamSam actors leave ransom notes on computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download keys and tools to their network.
National Cyber Awareness System: Alert on SamSam Ransomware (cont'd)

Technical Details: NCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports represent four SamSam malware variants: SamSam1, SamSam2, SamSam3, and SamSam4. This is not an exhaustive list.

[Infographic: Samas/SamSam/MSIL - exploits known vulnerabilities in unpatched servers for remote access; once in, moves laterally to cause the most amount of destruction]

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.

- Audit networks for systems that use RDP for remote communication. Disable unneeded services or install available patches. Users may need to work with technology vendors to confirm that patches will not affect system processes.
- Verify that all cloud-based virtual machine instances with public internet protocol (IP) addresses have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
- Enable strong passwords and account lockout policies to defend against brute force attacks. Where possible, apply two-factor authentication.
- Regularly apply system and software updates and maintain a good back-up strategy.
- Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider's best practices for remote access.
- Ensure third parties requiring RDP access follow internal policies on remote access.
- Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs.
- Restrict users' ability (permissions) to install and run unwanted software applications.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (the extension matches the file header).
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
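The alert's advice to capture RDP logins and review them regularly can be turned into a routine check. The following Python is an added example, not part of the DHS/FBI alert: it walks a constructed export of Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP), flags a source that crosses a failure threshold inside a time window, and escalates the verdict when that source then logs in successfully, the password-guessing pattern the alert describes. The pipe-separated export format and the sample addresses are assumptions.

```python
"""Flag RDP password guessing in a Windows Security log export (added example).
Assumed export format, one event per line: timestamp|EventID|LogonType|TargetUser|SourceIP"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one external source hammers RDP and finally succeeds as jsmith;
# an internal user has a single typo, which must not be flagged.
SAMPLE_LOG = """\
2018-11-30T02:14:01|4625|10|administrator|203.0.113.45
2018-11-30T02:14:03|4625|10|admin|203.0.113.45
2018-11-30T02:14:05|4625|10|backup|203.0.113.45
2018-11-30T02:14:07|4625|10|svc_sql|203.0.113.45
2018-11-30T02:14:09|4625|10|jsmith|203.0.113.45
2018-11-30T02:14:12|4624|10|jsmith|203.0.113.45
2018-11-30T08:03:11|4624|10|mlopez|10.0.5.17
2018-11-30T08:05:40|4625|10|mlopez|10.0.5.17
"""

FAIL, SUCCESS, RDP_LOGON = "4625", "4624", "10"


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: verdict} for sources reaching `threshold` failed RDP logons
    within `window`; a success from that source inside the window upgrades the verdict."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failed RDP logons
    bursts = {}                   # source ip -> time the failure threshold was crossed
    verdicts = {}
    for line in log_text.splitlines():
        ts, event, logon_type, user, ip = line.split("|")
        if logon_type != RDP_LOGON:
            continue              # only remote-interactive (RDP) logons are of interest here
        t = datetime.fromisoformat(ts)
        if event == FAIL:
            recent = [x for x in failures[ip] if t - x <= window] + [t]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in bursts:
                bursts[ip] = t
                verdicts[ip] = f"{len(recent)} failed RDP logons within {window}"
        elif event == SUCCESS and ip in bursts and t - bursts[ip] <= window:
            verdicts[ip] = f"successful RDP logon as {user} after password guessing"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, "->", verdict)
```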