OFFICIAL USE ONLY

ASSOCIATION OF AMERICAN RAILROADS
RAIL AWARENESS DAILY ANALYTIC REPORT (RADAR)
February 21, 2020

Summary of Content

Direct Action Awareness
- Canada: Update on Rail Blockade Actions. As of Friday morning, February 21, 2020, Canadian National Railway identifies infrastructure track sites that continue to be impeded by blockade actions purportedly intended to support the opposition of some Wet'suwet'en First Nations members to construction of the Coastal GasLink pipeline in British Columbia.
- Canada: Counter Protesters in Alberta Tear Down Anti-Pipeline Barricades. On Wednesday, February 19, counter protesters in Alberta clashed with anti-pipeline demonstrators blocking Canadian National rail tracks near Edmonton.
- Canada: Anarchists Issue Call to Action in Solidarity With First Nations. On Saturday, February 15, an anonymous submission posted to the anarchist website North Shore Counter-Info includes a six-page publication urging supporters of First Nations to rise up and take action against the Canadian government, to include the Royal Canadian Mounted Police.
- Canada: Anarchist Website Publishes Manifesto Justifying CN Rail Blockades. On Saturday, February 15, an anonymous submission was made to the anarchist website North Shore Counter-Info in which anarchists called on those in support of First Nations and against the Canadian government (including the RCMP) to rise up and take action.
- Global: Guide to Destroy Cell Phone Towers Published on Anarchist Website. On Thursday, February 12, 2020, an instruction manual about how to destroy cell phone towers was published on the anarchist website, 325.com.

Terrorism/Extremism
- Switzerland: Worst Potential Terrorist Attack in Country's History Thwarted. According to a recent investigation carried out by a local newspaper, Le Temps, Swiss authorities, with the assistance of the US intelligence community, foiled a plot by Swiss extremists affiliated with the Islamic State of Iraq and Syria (ISIS) to destroy the Vernier cisterns, a large oil storage depot near the Cointrin airport.
- Germany: Police Deployments Due to "Very High" Far-Right Threat. Germany will deploy extra police to protect mosques, railway stations, airports and other sensitive sites because of a "very high" far-right threat following the shooting attacks in Hanau on Wednesday night, February 19, 2020.
- Worldwide: Online Manosphere Communities Becoming More Toxic. A recent study has found that the "Manosphere" online community has become much more toxic in its usage of anti-women rhetoric.

Cyber
- United States: President Trump Issues Order Regarding PNT Services. On Wednesday, February 12, 2020, U.S. President Donald Trump signed an executive order directing federal agencies to strengthen the resilience of critical infrastructure that relies on positioning, navigation, and timing services (PNT).
- Global: Emotet Trojan Evolves to Use Wi-Fi Networks to Spread. On Tuesday, February 10, 2020, researchers at Binary Defense reported that cybercriminals have altered the Emotet trojan so that it can join other Wi-Fi networks and compromise the devices connected to those networks, allowing it to spread malware more efficiently. The success of the malware's ability to compromise Wi-Fi networks is dependent on users using weak passwords.
- Global: Hundreds of Millions of PC Components Still Have Hackable Firmware. On Tuesday, February 18, 2020, the security firm released a report on the security of PC peripherals and components inside of and connected to hundreds of millions of computers around the world.
- Northern Ireland: Bus and Rail Authority Targeted in Ransomware Attack. On Wednesday, February 12, 2020, it was reported that Translink staff in Northern Ireland have outsourced to cybersecurity experts after the transportation authority was targeted in a ransomware attack, leaving their computer systems locked.
- United States: Amex Chase Fraud Emails Being Used to Phish User Credentials. On Tuesday, February 11, 2020, it was reported that a new phishing campaign has been identified which utilizes fake American Express and Chase fraud protection emails to lure victims into disclosing their personal login credentials.

Canada: Update on Rail Blockade Actions

As of Friday morning, February 21, 2020, CN Canadian National, the Class I freight railroad whose infrastructure has been predominantly targeted in track blockade actions purportedly intended to support the opposition of some Wet'suwet'en First Nations members to construction of the Coastal GasLink pipeline in British Columbia, reports blockades in two areas:

- Two blockades on the Kingston Subdivision in the area of mile post (MP) 209 in Tyendinaga, Ontario.
  - Significantly, the hereditary chiefs from Wet'suwet'en, who have led the opposition in their territory to the Coastal GasLink pipeline, are meeting with the Mohawks in Tyendinaga on Friday, February 21. The meeting is expected to last all day.
  - These blockades have been persistently maintained since February 6. CN obtained a court injunction directing local authorities to remove the blockade.
  - Authorities in Ontario have engaged the participants in the blockade in discussions; while these discussions have not led to a dismantling of the blockades, they have prevented an escalation in tensions.
  - Members and supporters of the Mohawk First Nations group are sustaining these blockades. A posting by the group online depicted the burning of the court injunction.
  - The effects of these blockades are the impetus for the announcement by CN on February 13 of a progressive shutdown of operations in the portion of its network in eastern Canada.
  - These blockades caused suspensions in service across most of VIA Rail Canada's network. Metrolinx (commuter railroad in the Toronto area) and EXO (commuter railroad in the Montreal area) remained largely unaffected by the decision.
  - As indicated below, VIA Rail has resumed some of its intercity passenger rail services in eastern Canada as of Thursday, February 20.
- One blockade on the St-Hyacinthe Subdivision in the area of MP 69.5 in St-Lambert, Quebec.
  - This blockade prompted VIA Rail to delay the planned resumption of intercity service between Montreal and Quebec, as well as Montreal to Halifax, Nova Scotia, long haul service. Otherwise, VIA Rail maintained its service resumption plan for eastern Canada as indicated below.

There were no reports or indications of blockades on Thursday, February 20, in areas of the provinces of British Columbia, Alberta, and Manitoba at which they have been established periodically since February 6.

VIA Rail, Canada's national passenger rail carrier, reports resumption of service on multiple routes in eastern Canada:

- Full service: Toronto-London-Windsor in Ontario; Toronto-Sarnia in Ontario; and Toronto-Niagara Falls in Ontario.
- Partial resumption of service between Montreal and Ottawa, Ontario. Full resumption currently projected for Saturday, February 22.

Wet'suwet'en demonstration against the blockades: On Wednesday, February 19, an estimated 200 members of the Wet'suwet'en First Nation in Houston, a town of about 3,000 residents in northwestern British Columbia, an area described as the "heart of the Wet'suwet'en Nation," assembled for some three hours during the afternoon to demonstrate their opposition to the rail blockades and other disruptive actions taken in their name by self-proclaimed supporters.

- The Wet'suwet'en people at this event told news media that they resent the ongoing blockades and other actions because they aren't helping their community, which they say already has fractured governance.
- Further, they assert that these actions have amplified divisions within the community and distracted Wet'suwet'en people from resolving these differences.

Related Activity in the United States: Social media postings on February 15 cited rail blockades in the United States as a way to support the Wet'suwet'en campaign and to oppose colonization. On Sunday, February 16, a group purporting to support the Wet'suwet'en trespassed on and blocked BNSF Railway track in the vicinity of Broad Street in Seattle. This action delayed freight trains, but none were canceled; operations were maintained.

- No other significant related actions against rail operations have been reported by railroads in the United States.
- Amtrak canceled multiple trains due to effects of blockade actions in Ontario, the Vancouver, British Columbia, area, and Seattle, Washington. Notifications posted on Amtrak's public website and via Twitter alerted passengers to these impacts. Impacted trains included Amtrak's Maple Leaf service from Niagara Falls to Toronto and the Cascades route between Seattle and Vancouver. Regular service is resumed on both routes.

Planned Actions Friday, February 21: In postings to its public website and Facebook page, identified as of Tuesday, February 18, the environmental activist group Wild Idaho Rising Tide announced three actions in Idaho and Washington state to demonstrate solidarity with the Wet'suwet'en First Nations group in Canada. Participation in these events is urged under the mantra of an "International Callout for Solidarity Actions." Two of the three announced actions, planned for Friday, February 21, are projected to take place in close proximity to BNSF tracks:

- 12:00 noon local time, Sandpoint, Idaho: Intersection of 3rd Avenue and Oak Street near Farmin Park. This location is within approximately 1/4 mile of BNSF track.
- 3:00 pm local time, Spokane, Washington: Intersection of North Division Street and East Martin Luther King, Way, a site within less than 1/10 of a mile of BNSF track.

Canada: Counter Protesters in Alberta Tear Down Anti-Pipeline Barricades

On Wednesday, February 19, 2020, counter-demonstrators in Alberta clashed with anti-pipeline demonstrators blocking CN rail tracks near Edmonton. CN Canadian National is a Class I freight railroad with an extensive network throughout Canada and operations in the United States as well. Anti-pipeline activists, who purport to act in solidarity with the Wet'suwet'en, had established the blockade earlier that morning, using wooden pallets and signs that read "No Consent" and "No Pipelines on Stolen Land." However, the counter-demonstrators soon arrived at the site of the blockade and began to remove the objects obstructing the railroad tracks. Initially, the anti-pipeline activists linked arms across the tracks in an effort to prevent counter-demonstrators from removing the blockade.
However, progressively the anti-pipeline activists stepped away from the tracks in an apparent effort to prevent escalation between the competing groups.

A smaller counter-protest was also held at a railway crossing in Tyendinaga on Monday, February 17, 2020. The participants in this counter-demonstration expressed frustration with the ongoing actions, arguing that "a lot of people are out of work" due to the blockades. Reportedly, a man driving by the February 19 counter-demonstration near Edmonton, Alberta, voiced similar sentiments at those participating in that blockade. The driver is reported to have yelled at the anti-pipeline activists that there are "a lot of hard-working people out of work" due to the disruptions caused to rail.

One of the February 19 direct action organizers, a man who identified himself as Poundmaker, told local media that those opposed to the blockades generally believe that anti-pipeline activists are blocking trains in opposition to oil and gas. He asserted, however, that these activists are really working on securing "justice for indigenous people right now."

Canadian Premier Jason Kenney has called the blockades "anarchy" and argued that the people losing their jobs are "vulnerable" blue-collar workers. The Confederacy of Treaty Six First Nations, which represents tribes in Alberta, has also recognized the developing hardships experienced by rail workers and has called for a quick and peaceful resolution for both sides.

Canada: Anarchists Issue Call to Action in Solidarity With First Nations

On Saturday, February 15, 2020, an anonymous submission posted to the anarchist website North Shore Counter-Info includes a six-page publication entitled, "Reconciliation is Dead: A Call for Revolt after the Raid." This publication urges supporters of First Nations to rise up and take action against the Canadian government, to include the Royal Canadian Mounted Police.
Significantly, the publication expressly calls for direct action tactics, employing asymmetric methods, against transport modes (rail, highway, and ports) in Canada. Further, the content clearly communicates anger and frustration towards "indigenous nations that signed pipeline agreements and stand by in silence."

[Image: excerpt from the "Reconciliation is Dead" publication]

The product states that "the first thing we need to do is stop stabbing each other in the back" and "the second thing we need to do is act," emphasizing criminal acts of vandalism, sabotage and arson as appropriate means of opposition. Actions urged in solidarity with the First Nations members include blocking construction of proposed pipelines, sabotaging fish farms, tearing down a dam "interrupting the river," and sending an eviction notice and setting up camp in response to cottagers living by a lake.

Specifically castigated is the purported disdain of the territorial rights or privileges of indigenous peoples. Highlighted as one particular example is the Chippewa of the Thames First Nations' lack of consent to construction of the Line 9 pipeline on its territory.
The "Reconciliation is Dead" publication asserts "the Supreme court ruled against them, saying that Indigenous peoples do not have the right to say no to industrial projects in their territories." In contrast, the product notes "the Wet'suwet'en won probably the most significant legal challenge in Canadian they hold title and legal jurisdiction, and yet look at how Canada honors that." As a result, illegal acts, even destructive violence often advocated by anarchists claiming to support First Nations, are justified.

The submission concludes with sections stating that "this is not only about Unist'ot'en anymore", further indicating "it is time to shut everything the fuck down" in an attempt to call on people to "show them [Canada] how clear our vision is" and stating that "there are many dangerous days ahead".

This anonymous submission to North Shore Counter-Info appears to have been made in connection with direct actions across Canada, including rail blockades that have disrupted freight and passenger train operations in multiple provinces, held in support of efforts by the Wet'suwet'en hereditary chiefs and their supporters in British Columbia to halt work on the Coastal GasLink pipeline. The 416-mile pipeline would link interior gas extraction fields with ports for export.

The profile of these actions and the adverse economic impacts they have inflicted (as one example, Class I freight railroad CN has laid off workers and announced a progressive shutdown of its network in eastern Canada) are providing examples to emulate for anarchists and for activists supportive of virtually any cause. The message of the ongoing rail blockades in Canada is clear: if you want attention for your cause, block railroad track.

Canada: Anarchist Website Publishes Manifesto Justifying CN Rail Blockades

A manifesto posted on anarchist websites justifies blockades of tracks and extensive disruptions to train operations as appropriate action to support First Nations groups and oppose "colonization." Entitled "#Canada: 'From Sea to Sea' - Train Blockades, Colonialism and the Canadian Railways History," the manifesto further asserts that, even in the current era, Canadian railroads support the "colonial state" by enabling energy corporations to build pipelines on First Nations lands.

- Intended to encourage expansion of such direct action tactics, the manifesto contends blockades, halts of freight and passenger trains, and resulting economic costs are warranted because Canadian railway companies purportedly played "an integral part in the colonization of Canada in the late 19th century."

Analysis indicates that the manifesto was originally posted on Saturday, February 15, on a site called CONTREPOINTS, which publishes in English and manifesto gained more profile among interested audiences with its posting on the anarchist website, Enough 14, on Sunday, February 16.

The opening segment of the manifesto highlights the disruptive effects that rail blockades have had on the Canadian economy since the start of the ongoing campaign. Specifically cited are actions executed since February 6 by the Mohawk community of Tyendinaga, Ontario; the blockade at New Hazelton, British Columbia, that shut down the Port of Prince Rupert; and several other disruptive incidents. The successes and adverse impacts of these actions are touted as the cause for the decision by CN Canadian National, a Class I freight railroad, to initiate a progressive closure of its network in eastern Canada and for the suspension of VIA Rail's national passenger rail services.

The conclusion of the manifesto serves as its rallying cry, urging actions to bring about the shutting down of Canada.
The product concludes by stating, "The train blockades of the past week highlight not only the colonialist foundations of Canadian territory, but also its weaknesses, its dependence on its transportation infrastructure and the efficiency with which it can be shut down."

A separate posting, also identified on Monday, February 17, presents a video depicting recorded footage of the recent and ongoing rail blockades in Canada. Alongside the video link is an image of the theme increasingly prevalent in communications among sympathizers with the campaign against the Coastal GasLink pipeline: "When All Else Fails, Wet'suwet'en Supporters Block the Rails."

Global: Guide on How to Destroy Cell Phone Towers Published on Anarchist Website

On Thursday, February 12, 2020, the anarchist website, 325.com, posted an instruction manual specifying how to destroy cell phone towers. The manual presents these instructions in four stages: reconnaissance; entry of the site and climbing the mast; exiting; and igniting to inflict destruction through arson or fire.

Initially presented are the lists of necessary "ingredients," presented as a recipe calling for "2-3 comrades" and a range of hardware, tools, and materials.

- "Stage 1" provides detailed instructions on how to visually identify vulnerabilities in the towers, especially from the electrical source, as well as items for planning purposes: "note estimated timings, entry and exit points, security cameras, motion sensors, lighting etc."
- "Stage 2" outlines entry and sabotage for the "weak point you located earlier" and preparations with ingredients listed ("tyre", rags, fuel and, if applicable, a pre-made timed incendiary device) for burning accessible cables and, if possible, the cell phone mast itself.
  Instructions urge individuals to "Take care not to cover yourself with fuel traces, prevent unneeded forensic evidence and do not set yourself on ..
- "Stage 3" then advises expeditious exit from the area. At the time, though, this segment recommends that the perpetrator, if a timing device is not being used, perform a second check of the rigging and possible exit points "to prevent any detection, unnecessary injuries or death due to the extended nature of the action."
- "Stage 4" applies to those not using a timed device and references measures in "Stage telling the reader to light the fuel-soaked rags around the tire. This stage also clarifies that Benzine is the preferred fuel type as it will hold out better in the wind. Adherents to the instruction guide are advised to practice lighting similar setups in different altitudes with different wind levels in order to increase effectiveness when attempting the destruction of a cell phone tower.

The instruction guide concludes by advising that those who attempt to destroy a cell phone tower must get rid of all materials used in the attempt. Further, they should exercise prudence by staying away from the targeted location afterward. Finally, the manual notes that the "recipe" may be adapted to be used on more complex targets.

At the bottom of the "recipe" to guide actions to damage or destroy cell phone towers and supporting equipment is the phrase "against 5G and the world which needs it." 5G technology has become increasingly controversial since its introduction in 2018, with critics arguing that radiation emitted could cause seriously adverse health effects and that the technology could be used by state-actors in illegal surveillance activities.

Switzerland: Worst Potential Terrorist Attack in Country's History Thwarted

According to a recent investigation carried out by the newspaper, Le Temps, in 2019, Swiss authorities, with the assistance of the US intelligence community, foiled a plot by Swiss extremists affiliated with the Islamic State of Iraq and Syria (ISIS) to destroy the Vernier cisterns near the Cointrin Airport. The cisterns store oil at a large depot near Geneva International Airport. The intelligence provided reportedly indicated the planned bombing would be executed in April or May 2019.

The organizers of the plot were a group of extremist Muslims that sympathized with the violent jihad movement in Syria and Iraq and had wanted to leave Switzerland to fight in those countries alongside ISIS. The Swiss Islamist extremists were radicalized domestically at the Petit-Saconnex mosque in Switzerland. The leader of this radicalized group of ISIS is known as Daniel D. In 2014, Daniel took charge of a dozen boys who, like him, had been radicalized in the Petit-Saconnex mosque to Mecca. Thus began Daniel's travels which would later bring him to Syria to join ISIS in 2015.

While in Syria, Daniel received the indoctrination into the ideology of violence, specifically that carrying out attacks abroad, especially in Europe, met the goals of ISIS. To start preparations for such an attack, his handlers required Daniel to contact all of his radicalized friends in Geneva and instruct them to identify potential targets. His training, and further outreach to Geneva, focused on logistical arrangements to create favorable conditions for execution of lethal terrorist acts.

[Image caption: The Petit-Saconnex Mosque in October 2009]

In 2018, the United States intelligence community transferred information to its Swiss government counterparts on the developing threat of an ISIS attack in Geneva.
Around this time, Swiss authorities arrested two Albanian men on their way to Geneva who were suspected of being part of the plot. The investigation of these suspects led Swiss authorities back to Daniel D. and his circle of radicalized Islamist cohorts.

Published reporting notes that a hard drive taken from one of the ISIS headquarters in Syria had revealed other potential targets in Switzerland, including pipelines, fuel depots, and other energy-related targets. An eerily similar ISIS plot, detected and disrupted in 2018, had envisioned an attack targeting oil storage cisterns at Basel Harbor in Switzerland.

Unlike other countries in Europe, most notably neighboring France, Germany, and Italy, Switzerland has been spared terrorist violence. The last terrorist attack in Switzerland occurred in 1976 by Armenian terrorists against Turkish diplomats. [14, 15]

An informant among the circle of radicalized friends reportedly received a voice message from Daniel D. stating that the informant should expect a package to be arriving from him shortly. This message forced authorities to act as it indicated that preparations may have proceeded to a stage where execution of the planned bombing attack could have occurred in April or May 2019. The security threat level was raised at all of the potential targets identified on the hard drives seized from the ISIS headquarters in Syria. In a coordinated multi-national operation, Daniel D. was arrested in Syria in June 2019.

Plots like these have inspired the Swiss authorities to more closely monitor people who have left Switzerland for travel to Syria and Iraq, including their family members, friends, and acquaintances that remain in Switzerland.

Officials assess that a wounded ISIS, under pressure with capabilities diminished, remains committed to trying to conduct attacks internationally.
Europeans who chose to fight with ISIS in Syria and Iraq represent a pool of trained and experienced potential recruits for plotting and executing attacks in their home countries. Another potential source of recruits are those Europeans who sought to travel to fight with ISIS but were blocked from doing so by law enforcement and immigration authorities. [16, 17]

Swiss authorities claim that there are 92 jihadists who have left Switzerland since 2001 to serve as foreign fighters, including 16 who have returned to the country and 31 who have died. As of May 2019, an estimated 66 people in the country were assessed to pose a serious security risk.

[Image caption: Artist depiction of Daniel D.]

According to the Swiss Intelligence Service, around 20 Swiss nationals are currently in the Iraqi-Syrian zone. Three men are incarcerated in prisons held by the Kurds in Syria. Three women, including one who lost her nationality in January, and six children are in camps.

Germany: Police Deployments Due to "Very High" Far-Right Threat

[Map: Hanau, Germany; first shooting at the Midnight shisha bar]

Germany will deploy extra police to protect mosques, railway stations, airports and other sensitive sites because of a "very high" far-right threat following the shooting attacks in Hanau on Wednesday night, February 19, 2020, by a gunman authorities allege had been motivated by xenophobia and racism. Interior Minister Horst Seehofer stated that he had agreed to implementation of the measures with regional leaders in an effort to prevent any copycat attacks.

Prosecutors have described the suspected gunman, now dead, as "deeply racist." Nine people were killed in shisha bars (hookah lounges) in the western German city. "The security threat from right-wing extremism, anti-Semitism and racism is very high," Mr. Seehofer said. He called it "the biggest security threat facing Germany."

Muhammed B, a wounded survivor, described from his hospital bed how the gunman took careful aim at the victims in the Arena Bar Cafe. "Everyone he saw, he just shot them straight in the head. He laid down, then he fired at all of us. I hid behind a wall, and as I was moving to hide he shot me in the arm," he told a Turkish TV interviewer. "It was a We were all lying on top of each other. The guy lying under me had a hole in his neck, he said 'I can't breathe, I can't feel my tongue'," Muhammad recalled through tears. He told the young man to recite a final prayer, which he did.

The shootings began around 10:00 pm local time. The first target was the Midnight shisha bar in Hanau. The suspect then travelled by car to the Kesselstadt neighborhood, some 2.5km (1.5 miles) away, and opened fire at the Arena Bar Cafe. Shisha bars are places where people gather to smoke a pipe known as shisha or hookah. Traditionally found in Middle Eastern and Asian countries, they are also popular in many other parts of the world.

Police identified the gunman through information from witnesses and surveillance cameras. Early on Thursday, February 20, they stormed the suspect's apartment, near the scene of the second shooting. The suspect and his 72-year-old mother were found, both also shot. A gun was found next to the suspect's body. The investigation is now focusing on whether others knew about or helped organize the attack. The suspect may have had far-right contacts in Germany or abroad. [18]

Tobias had posted videos and a kind of manifesto on his website, the federal prosecutor said. In the document he wrote that people from more than 20 countries including Turkey and Israel should be "destroyed."
London-based German counter-terrorism expert Peter Neumann said the text contained "various, but mostly extreme right views, with a do-it-yourself ideology cobbled together out of parts found on the internet."

According to federal prosecutor Peter Frank, Tobias contacted the prosecutors in November, urging them to act against a big secret organization, which he claimed was tapping into people's brains in order to control world events. No action was taken in response. The Bild tabloid reports that Tobias had a firearms license, and that ammunition and gun magazines were found in his car. Gun laws in Germany are among the most stringent in the world, and were tightened further in recent years after other mass shootings.

The Hanau shootings occurred just five days after 12 men were arrested during counter-terrorism raids in Germany for planning attacks on mosques across the country. The suspects arrested are accused of having formed a right-wing terrorist organization, named "Der Harte Kern," and maintaining connections to other far-right groups, such as Soldiers of Odin.

During the week of February 10, 2020, German police announced that they were monitoring 53 persons of interest associated with the far-right, an increase of 31 persons over those being monitored in 2016. Despite increasing initiatives sponsored by German intelligence agencies, incidents involving far-right extremism have continued to demonstrate growth over the last few years.

Recent far-right attacks in Germany include the following:

- October 2019: In Halle, an attacker kills two and tries to storm a synagogue, broadcasting the assault live online. He later admits a far-right, anti-Semitic motive for the attack.
- June 2019: Walter Lübcke, a pro-migrant politician, is shot in the head at close range and found dead in his garden. A suspect with far-right links later confesses to the murder.
- July 2016: An 18-year-old shoots dead nine people at a shopping mall in Munich before killing himself.
  Bavarian authorities later classify the attack as "politically motivated," saying the teen had "radical right-wing and racist views." [19, 21]

Worldwide: Online "Manosphere" Communities Becoming More Toxic

A recent study has found that the "Manosphere" online community has become much more toxic regarding anti-women rhetoric. The "Manosphere" is defined by a collection of male supremacy groups that belong to the involuntary celibate (referred to as incel) community.

The incel community is not limited to individuals that post online. Some have crossed from the rhetoric and influence of the incel belief structure to execute violent attacks. In 2018, a man killed 10 people in Toronto, Ontario, Canada, using the "Incel Rebellion" tagline for his attack. Notably, Elliot Rodger, responsible for the May 2014 killing rampage in Isla Vista, outside Santa Barbara, in California, is considered a hero to the incel community. Rodger killed six college students, including two women he shot to death outside of a sorority.

The incel community is considered to be a place where members can gather anonymously and blame their lack of intimate relationships on women, as well as sometimes advocate for physical and sexual violence as revenge for their situations. Groups formed with these types of grievances are not necessarily new. What is concerning, however, is the large shift indicated of members of more conservative, but generally non-violent, forums to advocacy of extremism and violence.

Researchers have reportedly created a database where they could assemble posted communications that incorporate known incel chatrooms and threads on various websites to build a repository for analysis. This database eventually reached around 7.5 million posts from seven incel forums and over 30 million posts from 57 Reddit pages. The ensuing analysis demonstrated that the newer forums were garnering the most users in comparison to the older ones.
The prevalent themes in these newer, well-followed forums emphasized a stronger, nihilistic, and extreme anti-women ideology. A 2018 investigation by the Southern Poverty Law Center (SPLC) into the "manosphere" found a strong overlap between the members of the alt-right and the members of these "male supremacist" circles. Both groups share the ideology that feminism is the cause of the decline in Western civilization. The SPLC reports that, as there is violence and extremism in the alt-right community, it will likely carry over into the "manosphere" community as well.

The study also determined that much of the current "manosphere" rhetoric falls into the "Very toxic" category based on a scale produced for the report ranging from "Very toxic" to "Very healthy." A "Very toxic" atmosphere creates conditions that can influence and facilitate the pathway to violence.

On Wednesday, February 12, 2020, President Donald Trump signed an executive order directing federal agencies to strengthen the resilience of critical infrastructure that relies on positioning, navigation, and timing services (PNT). The Order's statement of "Purpose" highlights its justifying factors:

UNCLASSIFIED United States: Executive Order on Responsible Use of PNT Services

The national and economic security of the United States depends on the reliable and efficient functioning of critical infrastructure. Since the United States made the Global Positioning System available worldwide, PNT services provided by space-based systems have become a largely invisible utility for technology and infrastructure, including the electrical power grid, communications infrastructure and mobile devices, all modes of transportation, precision agriculture, weather forecasting, and emergency response. Because of the widespread adoption of PNT services, the disruption or manipulation of these services has the potential to adversely affect the national and economic security of the United States.
To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.

For key implementing actions, the Executive Order directs the following:
- By February 12, 2021 (one year), the Department of Commerce, in coordination with the heads of sector specific agencies (SSAs) for the critical infrastructure sectors and in consultation, as appropriate, with the private sector, shall develop and make available, to at least the appropriate agencies and private sector users, PNT profiles. These profiles will enable the public and private sectors to identify systems, networks, and assets dependent on PNT services; determine which PNT services are appropriate; detect the disruption and manipulation of PNT services; and manage the associated risks to the systems, networks, and assets. Once produced, the PNT profiles shall be reviewed every two years and, as necessary, updated.
- Within one year of the date the PNT profiles are issued and every two years thereafter, the heads of SSAs, through the Secretary of Homeland Security, shall submit a report to the Assistant to the President for National Security Affairs and the Director of the Office of Science and Technology Policy (OSTP) on the adoption of the PNT profiles by respective federal agencies and, as practicable, by owners and operators of critical infrastructure.
- Within 180 days of the date of this order (by August 9, 2020), the Secretaries of Transportation, Energy, and Homeland Security shall each develop plans to engage with critical infrastructure owners or operators to evaluate the responsible use of PNT services. Within one year of this engagement, pilot programs to develop, test, and refine capabilities and practices for responsible use of PNT must be completed. Lessons learned will be applied to inform the development of the relevant PNT profile and research and development opportunities.
United States: President Trump Issues Order Regarding PNT Services

- Within one year of the date of the Order (February 12, 2021), the Director of OSTP shall coordinate the development of a national plan, informed by existing initiatives, for the research and development and pilot testing of additional, robust, PNT and secure PNT services not dependent on global navigation satellite systems (GNSS). The plan must address approaches to integrate and use multiple PNT services to enhance the resilience of critical infrastructure. The Director of OSTP shall coordinate updates to the plan every four years, or as appropriate by relevant circumstances.
- Within 180 days of the date of the Order (by August 9, 2020), the Secretary of Commerce shall make available a GNSS-independent source of Coordinated Universal Time, to support the needs of critical infrastructure owners and operators, for the public and private sectors to access.

The Department of Defense in the United States has previously issued warnings regarding the extensive reliance of industries across critical infrastructure sectors on GPS to support essential capabilities, functions, and services. DHS established a joint task group with the private sector through the Critical Infrastructure Cross-Sector Council to assess reliance upon GPS and security risk of exploitation of potential vulnerabilities.

More recently, in June 2019, RTI International, sponsored by the National Institute of Standards and Technology (NIST), published a report on the possible effects of a 30-day GPS outage in the United States. The RTI researchers estimated a potential $45 billion impact to the economy from such an outage, particularly if it occurs during the "critical agricultural planting seasons." While concluding the agricultural sector faced the most substantial adverse impact, the report determined the maritime sector could potentially experience losses of up to $10 billion.
Ports in Los Angeles and Long Beach in California would be affected most. In reviewing industry experience with functioning and performance, the report did stress that GPS outages experienced through June 2019 had lasted for a maximum period of only 1 day.

In a teleconference with representatives of the critical infrastructure sectors, hosted by the Cybersecurity and Infrastructure Security Agency (CISA) on February 18, officials with the departments and agencies charged with responsibilities for actions under the recently issued Executive Order on Strengthening National Resilience through Responsible Use of Positioning, Navigation, and Timing Services addressed implementation. These efforts will be taken in coordination with the National Institute of Standards and Technology (NIST), specifically the component that developed and now maintains and updates the National Cybersecurity Framework. This approach is consistent with an earlier Executive Order by President Trump, EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, issued on May 11, 2017, which established the policy of the United States to manage cybersecurity risk as a Federal enterprise and mandated the use of the NIST Cybersecurity Framework across government, emphasizing that the same high standards recommended for private industry are applied everywhere.

During the CISA teleconference earlier this week, participating government officials highlighted a key outcome: cooperative efforts to develop alternative, non-space-based sources for PNT services as a backup in the event of a disruption or manipulation of satellite signals.
Global: Emotet Trojan Evolves to Use Wi-Fi Networks to Spread

On Monday, February 10, 2020, researchers at Binary Defense reported cybercriminals have altered the Emotet trojan, enabling the malicious software (malware) to use Wi-Fi networks to propagate attacks employing varied forms of malware more efficiently by linking with other Wi-Fi networks and compromising devices connected to those networks. Emotet's success in this altered variant derives primarily from users maintaining weak passwords.

In this case, the new loader type takes advantage of the wlanAPI interface (a module belonging to the WLANAPI Dynamic Link Library) to enumerate all Wi-Fi networks within proximity. The malware then attempts to spread across these networks, eventually infecting all devices it is able to access. This process is done by way of brute-force attempts using two internal lists of easy-to-guess passwords. The enumerated Wi-Fi networks are bombarded with these common and easily guessed passwords, and network and device compromises follow.

After the trojan worm has infiltrated the network, it drops a self-extracting file that contains two files, "services.exe" and "worm.exe" (the main executable), onto a target computer and installs "Windows Defender System Service." This service then begins by executing "service.exe" as "my.exe" on a remote system.

According to the report, worm.exe has likely been operating undetected for the past two years, based on the worm's timestamp of April 16, 2018. The researchers explained, "This may be in part due to how infrequently the binary is dropped. Based on our records, 01/23/2020 was the first time that Binary Defense observed this file being delivered by Emotet, despite having data going back to when Emotet first came back in late August of 2019."
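The service name and file names reported above can be checked against service-installation records (Windows System log, Event ID 7045). The following is an added example, not code from Binary Defense or from this report; the event records are constructed, and the one-JSON-object-per-line export with ServiceName and ImagePath fields and the C:\Windows\System32 location are assumptions.

```python
import json
import ntpath

# Indicators taken from the report text above.
SERVICE_NAME = "windows defender system service"
DROPPED = {"worm.exe", "service.exe", "my.exe"}
# services.exe is also a legitimate Windows binary, so it is only flagged when
# it runs from outside the system directory (assumed default install path).
SYSTEM_DIR = r"c:\windows\system32"

# Constructed sample export: one JSON object per line.
SAMPLE_EVENTS = r'''
{"EventID": 7045, "Computer": "WS-014", "ServiceName": "Windows Defender System Service", "ImagePath": "C:\\my.exe"}
{"EventID": 7045, "Computer": "WS-014", "ServiceName": "WinDefend", "ImagePath": "\"C:\\Program Files\\Windows Defender\\MsMpEng.exe\""}
{"EventID": 7045, "Computer": "WS-020", "ServiceName": "Updater", "ImagePath": "C:\\Users\\Public\\services.exe -k"}
{"EventID": 7045, "Computer": "WS-021", "ServiceName": "Example", "ImagePath": "%SystemRoot%\\System32\\services.exe"}
{"EventID": 7036, "Computer": "WS-020", "ServiceName": "Windows Defender System Service", "ImagePath": ""}
'''


def executable_of(image_path):
    """Return the lower-cased executable path from an ImagePath value,
    dropping surrounding quotes and any command-line arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        end = p.lower().find(".exe")
        if end != -1:
            p = p[:end + 4]
    p = p.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, r"c:\windows")
    return ntpath.normpath(p)


def evaluate(event):
    """Return the reasons a service-install event matches the report."""
    reasons = []
    if event.get("EventID") != 7045:  # only service installations
        return reasons
    if event.get("ServiceName", "").strip().lower() == SERVICE_NAME:
        reasons.append("service name from report")
    exe = executable_of(event.get("ImagePath", ""))
    name = ntpath.basename(exe)
    if name in DROPPED:
        reasons.append("file name from report: " + name)
    elif name == "services.exe" and ntpath.dirname(exe) != SYSTEM_DIR:
        reasons.append("services.exe outside " + SYSTEM_DIR)
    return reasons


def scan(text):
    """Scan exported events and return (computer, service, reasons) hits."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid records
        reasons = evaluate(event)
        if reasons:
            hits.append((event.get("Computer"), event.get("ServiceName"), reasons))
    return hits


if __name__ == "__main__":
    for computer, service, reasons in scan(SAMPLE_EVENTS):
        print(computer, service, "; ".join(reasons))
```

A name match alone is weak evidence, since file names are trivially changed; a hit is a prompt to examine the host, not a verdict.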
Originally developed as a banking Trojan to target organizations in the Financial Services Sector, Emotet is also utilized as a distributor of other malware or malicious campaigns to gain sensitive information or cause financial loss. Emotet uses multiple methods to maintain persistence and employs evasion techniques to avoid detection. The trojan can also spread through phishing and spam emails containing malicious attachments or links. As a representative example, Emotet is currently being spread through emails exploiting the ongoing health and medical concerns driven by the broad international spread of Coronavirus Disease 2019 (COVID-19).

Cybersecurity professionals offer several recommendations for network users and businesses generally to implement as effective means for mitigating the risk posed to networks and devices. These recommendations include employing strong passwords, of electronic communications and files, and continuous monitoring of network traffic to detect anomalies and indicators of compromise or concern. Additional mitigation techniques that should be implemented are malware detection, spam filters, firewalls, sandboxing, and the use of artificial intelligence for spear-phishing protection.

Global: Hundreds of Millions of PC Components Still Have Hackable Firmware

On Tuesday, February 18, 2020, the security firm released a report on the security of peripherals and components inside of and connected to hundreds of millions of personal computers in use around the world. The report focused on five components: Wi-Fi adapters from Dell laptops; a Broadcom network interface card; trackpoints and touchpads in Lenovo laptops; a Via Labs USB hub; and webcams found in HP laptops. The striking conclusion of the report: all of these components had firmware that was vulnerable to hacking.
The components assessed in the report were all potentially vulnerable to firmware hacking, in which a component could potentially be updated with "signed" code lacking verification. This kind of firmware hacking could in turn potentially allow any malware running on a computer to take control of affected components and enable malicious activities, such as spying through a computer's webcam or intercepting the affected computer's network communications.

Researchers assessed that the USB hub or Wi-Fi adapter could intercept a user's communications, the trackpad could take control over a computer's mouse movements, and that the webcam could spy on the affected computer user. While the researchers only showed that they were able to make an arbitrary change to the firmware of concern (notably, they did not write proof-of-concept malware for this analysis), they contended in the report that hijacking the firmware in these components could allow for the hijacking of all of a component's functionality.

"There isn't a single device in the market that's entirely secured."

Rick Altherr, a principal engineer for who worked on the firmware research, stated, "an unprivileged user can actually modify the firmware on these devices, and there are not checks to where that firmware came from or what it does."

Karsten Nohl, a researcher for SRLabs, has pointed out that firmware hacking remains rare outside of research settings. However, Nohl has also argued that it is a failing of the computing industry that the codes for many components do not have any security. Previously, in 2014, SRLabs exposed the lack of verification for the firmware used in USB thumb drives. The report argues that, while computer manufacturers may act to secure their own software, few have been able to persuade the suppliers of components to secure their firmware.
This situation highlights a serious cyber security concern across sectors and industries: design and configuration flaws in hardware and software subject to illicit cyber actors, encompassing nation-states, criminals, and hackers motivated by varying causes and objectives. In an effort to address this persistent problem, some industries have developed effective practices compilations to guide procurements of equipment, capabilities, and services reliant upon information technology. The version developed and used by the railroad industry's Rail Information Security Committee, Cyber Security Effective Practices for Information Technology Procurements, which flowed from cooperative with the Electricity Sector, accompanies this report as an attachment.

Northern Ireland: Bus and Rail Authority Targeted in Ransomware Attack

On Wednesday, February 12, 2020, Northern Ireland public transport operator Translink suffered a network compromise in a ransomware attack, leaving the agency's computer systems locked due to illicitly applied For more than a week, experts from Microsoft and the United Kingdom's Government Communications Headquarters (GCHQ) have been working to regain control of Translink's internal network. Several employees reported not being able to access system files, as well as seeing a ransom note appear demanding the company negotiate "a deal". The cybercriminals said that unless a ransom is paid, all of the Translink's publicly owned data will not be

Below: Ransom note from attackers targeting Translink

Fortunately, the ransomware attack did not affect operations of the public transportation systems that Translink manages: NI Railways, Ulsterbus, or Metro services. Nor, significantly, did Translink's public website experience any adverse effects.
As a result, Translink maintained its usual, and effective, means for communicating relevant information to its riders and facilitating their use of passenger rail and bus services, including ticketing or fare payments. Cyber security professionals and software specialists from Microsoft have worked in coordination with Britain's National Cyber Security Centre, a division of the government's GCHQ intelligence agency, in the response and recovery efforts on this incident.

Translink, which employs 4,200 staff, stated that business has remained as usual for passengers. There are no residual effects from the attack or indications of compromised personal or financial data.

A spokesperson with the National Cyber Security Centre stated, "We are aware of the cyber incident affecting Translink and are working with partners to get a full understanding of the situation." Police have warned that organizations in Northern Ireland are being targeted "daily" with ransomware attacks originating from various parts of the world.

Ransomware continues to be a top cyber threat perpetrated by cyber criminals or nation state actors. Although the latter is not as common, nation state actors such as North Korea use ransomware as a means of generating revenue for the North Korean regime. Additionally, the Zeppelin ransomware is believed to be used by a nation state to obfuscate the intentions and to complicate attribution.
Researchers at Blackberry Cylance note that although the ransomware displays a ransom note, no ransom amount is provided. Furthermore, the ransomware's targets are concentrated in Europe and the United States, and it is destructive in nature, destroying any backup files.

United States: Amex Chase Fraud Emails Being Used to Phish User Credentials

As of Tuesday, February 11, 2020, published reports indicated that a new phishing campaign has been identified which utilizes fake American Express and Chase fraud protection emails to lure victims into disclosing their personal or professional network login credentials.

In this newly detected phishing campaign, discovered by MalwareHunterTeam, cybercriminals send fake email messages, represented as Chase or Amex fraud protection alerts, that purport to warn recipients that their credit card accounts have been misused. The fake email requests verification of several credit card transactions, identified as potential misuse of the credit card account. Charges used in the fake email alerts are purported to be from Best Buy, TOP UP RV, and SQC ASH APP. Although the indicated charges are all fake, the recipient may well believe that credit card information has been stolen precisely because the listed transactions will be unknown or unfamiliar.

In the body of the fraudulent email, the user is prompted with two options, one button reading "I recognize all these transactions" and the other "I don't recognize one or more of these transactions." Targeted victims who click to dispute the charges as unauthorized are transferred to a fake Amex or Chase login portal that appears legitimate, where they are put through a long "verification" process requesting such details as network login information, home address, date of birth, social security number, and banking and credit card information.
If victims submit the requested information, it is delivered to a server controlled by the scammers. The collected information is used to perpetrate identity theft or to make illicit profits through sales of the personal and financial data on the dark web. Researchers emphasize that the threat actors conducting this campaign do a very good job at formatting the fake emails and portals to look legitimate.

Above: Fake Chase Phishing Portal Page

Researchers note that as phishing email campaigns become more sophisticated and harder to detect, it is important for users to carefully read the messages to see if there are any grammatical or spelling errors, and stylistic discrepancies, whether from misaligned text, awkward English, or strange looking URLs. It is advised that if there are any indicators that the email appears to be somewhat suspicious, customers should not click anything and immediately contact their credit card provider and report the issue.
Above: Comparative presentation - fake and legitimate fraud verification email message from Chase.

Above: Comparative presentation - fake and legitimate fraud verification email message from American Express.