OFFICIAL USE ONLY

ASSOCIATION OF AMERICAN RAILROADS
RAIL AWARENESS DAILY ANALYTIC REPORT (RADAR)
July 6 - 16, 2018

Summary of Content

Weekly Incident Map

Direct Action

- Worldwide: Guide to Forming Anarchist Black Cross Groups Posted Online
An anonymous post of "Starting an Anarchist Black Cross Group: A Guide" to an anarchist website instructs followers on how to raise capital and establish their own regional Anarchist Black Cross (ABC) group. ABC is described as "an international network of anarchist groups and individuals engaged in practical solidarity with prisoners and broader anti-repression struggles."

- North America: Blogger Argues that Lac-Mégantic Disaster Could Happen Again
On Wednesday, July 11, 2018, an article posted to the environmentalist website DeSmogBlog addressed "3 Reasons the Deadly Lac-Mégantic Oil Train Disaster Could Happen Again." In this post, the author, Justin Mikulka, delineates purported physical risks and flaws in regulation of the oil-by-rail industry that he contends could lead to another fatal derailment disaster.

Rail Security

- Nebraska: Suspected Neo-Nazi Pleads Guilty in Amtrak Attack Case
On Friday, July 13, 26-year-old Taylor Michael Wilson pled guilty to federal terrorism charges for actions on board an Amtrak train in Nebraska in October 2017. Wilson entered a secured compartment, manipulated controls, cut off on-board lights, and affected operation of the train. Amtrak employees found Wilson, subdued him, and held him for an extended period until his eventual arrest.

- France: "Train Marshals" Deployed on French Trains
As of Monday, July 9, national government officials in France have ordered the deployment of specialized counter-terrorism police officers on board passenger trains throughout the country.
This enhanced security regime goes into effect immediately in order to coincide with the summer season, when the volume of passengers using trains nationally increases due to tourism and vacations.

Terrorism

- United States: Former Spy Details Al Qaeda Plot to Attack New York City Subway
On Thursday, July 12, an article published by CNN provided an excerpt from a book, titled "Nine Lives," written by former jihadist-turned-spy Aimen Dean. The excerpt focuses on preparations by terrorists affiliated with al Qaeda to use a poison gas dispersal weapon, known as the "mubtakkar," to kill commuters on the New York subway shortly after the 9/11 attacks.

- Middle East: Waning ISIS Said to Return to Assassination Tactic
With the collapse of the self-proclaimed "caliphate," loss of territorial control, and overall waning of power and influence, the Islamic State of Iraq and Syria (ISIS) is reportedly returning to a tactic employed early in its existence: targeted assassinations.

- India: Counterintelligence Officials Thwart ISIS Terror Plot
Indian security forces thwarted a terror attack by ISIS in an extensive, multi-national counterintelligence operation. The 20-year-old attacker sought to use an explosive similar to that employed in the Manchester Arena suicide bombing in May 2017.

Cyber

- Ukraine: Officials Claim to Have Thwarted VPNFilter Attack on Chemical Plant
Ukraine's Security Service claims to have stopped a cyber attack against a chlorine plant using VPNFilter malware. The attempted breach, and the malware, are attributed to Russian sources. A recent DHS Intelligence Article assesses that Russia has the capability to conduct disruptive or destructive attacks against US critical infrastructure networks, with attacks in Ukraine among the indicators.
- Israel: Center Set Up to Combat Cyber Attacks Against Rail System
In the face of data showing an expansion in attempted cyber breaches, some 10 million a month, as of Tuesday, July 16, a center has been established to fight potential cyber attacks against the national rail system, passenger and freight. The driving factor is concern that adversaries could seek to compromise operating networks to affect train movements, train control, or related functions.

- Worldwide: Cloud Services Targeted by Hackers for Supply Chain Attacks
According to a special report published in the Financial Times, foreign hackers are attempting to target cloud service providers in order to use their networks to spread spying tools to a wide number of companies.

- Cyber: Technical Analysis on Lokibot Sample Published on GitHub
As of Friday, July 6, technical analysis published via GitHub on a Lokibot malware sample supports assessments of its regular usage in recent malspam campaigns. The analysis supports the assessment that a third party has modified an original Lokibot sample to sell online.

- Cyber: Trend Micro Reports on Unfinished Malware Using Desktop Shortcuts
A blog posted on Trend Micro in early July 2018 details how an unsophisticated malware, seemingly in "unfinished development," is searching for and using unspecific desktop shortcuts to redirect for downloading malware when the user selects the shortcut.

Worldwide: Weekly Incident Map

[RADAR Map, July 2018: world map of incident locations for the items summarized above; map labels not legible in extraction.]

Worldwide: Guide to Forming Anarchist Black Cross Groups Posted Online

On Monday, July 9, 2018, an anonymous contributor posted a PDF document, titled "Starting an Anarchist Black Cross Group: A Guide," to the anarchist website It's Going Down. This guide, or "zine," is meant to instruct anarchist followers on how to raise capital and establish their own regional Anarchist Black Cross (ABC) group. The "zine" opens with an explanation of the mission of the ABC, describing it as "an international network of anarchist groups and individuals engaged in practical solidarity with prisoners and broader anti-repression struggles." In the sections that follow, the guide provides information on topics such as history, organizing techniques, international days of solidarity, and tips for fundraising, among other subjects.

ABC is believed to have been founded in czarist Russia, between 1900 and 1905, as the Anarchist Red Cross. Its original purpose was to aid Russian anarchist prisoners prior to the revolutions that ousted the czar and later the subsequent provisional government and brought the Bolsheviks to power in 1917. However, ABC's ideology progressively spread to other countries, all the while maintaining the theme of defending against oppression, particularly in defense of political prisoners. In 2001, an offshoot organization called the Anarchist Black Cross Network was formed to pursue more general prison issues, with looser requirements for membership.
[Image: cover of the zine "Starting an Anarchist Black Cross Group: A Guide."]

Worldwide anarchist demonstrations in support of prison reform have been on the rise in recent years. On June 19, 2018, the Revolutionary Abolitionist Movement (RAM) called for direct actions to be taken as part of its "Capture the Flag" campaign, meant to protest against forced prisoner labor, Immigration and Customs Enforcement (ICE) detention camps, and other alleged atrocities taking place within the American prison system. Next month, on August 21, 2018, anarchists are calling for a five-day-long prison strike, through which they openly express the hope the action will spark "violent reprisals, media distortions, and extended lockdowns." With the spread of widely popular campaigns, such as the ongoing #OccupyICE movement, anarchists and anti-fascists have shown success in attracting broader support across activist communities, which can have the effect of increasing their numbers and boosting impacts of future actions and demonstrations.

North America: Blogger Argues that Lac-Mégantic Disaster Could Happen Again

On Wednesday, July 11, 2018, an article posted to the environmentalist website DeSmogBlog addressed "3 Reasons the Deadly Lac-Mégantic Oil Train Disaster Could Happen Again." In this post, the author, Justin Mikulka, delineates purported physical risks and flaws in regulation of the oil-by-rail industry that he contends could lead to another fatal derailment disaster. Mikulka starts off by decrying the current "inadequate safety regulations" maintained for rail transport of crude oil by both the U.S. and Canada, pointing to the lack of a requirement for crude oil stabilization, continued use of old tank car models (citing the recent BNSF Railway oil spill in Doon, Iowa), delays in installing positive train control (PTC), and failure to upgrade oil train braking systems to electronically controlled pneumatic (ECP) brakes.
Throughout the article, Mikulka insinuates that greed of rail companies, combined with government inaction, is to blame for the persistent deficiencies. Mikulka goes on to claim that oil trains are derailing more often due to the movement of liquid inside increasingly heavier tank cars (again citing the recent derailment in Iowa). He further maintains that "activist investors" in the rail industry are attempting to push oil trains to unsafe and weights as a means to maximize profits. Lastly, Mikulka assigns blame to the "rail barons," who he says have lobbied for decreased safety regulations and benefited under President Trump's Administration. Highlighted in this vein is the appointment of a former Conrail executive as the "new top regulator at the Federal Railroad Administration."

The significance of Mikulka's article is not in its lacking factual basis, but rather in its potential to influence and inspire anti-fossil fuels activists to direct their attention to actions that disrupt and delay train operations. Direct action tactics, such as encampments and blockades on rights-of-way and shunting of tracks, force stoppages of trains at unplanned sites and cause disruptions to communities over an area that can extend for hundreds of miles. The effect of this criminal activity is to escalate the very risk that Mikulka professes he wishes to avoid, because the potential for derailment escalates dramatically when people and objects are present on tracks. At the same time, in view of his clear agenda, Mikulka wholly disregards extensive efforts dedicated by railroads, at their own initiative and investment, to enhance safety of rail transportation of crude oil.
These actions include: thorough safety and security risk assessments of routes used by oil trains in high threat urban areas; increased inspections of tracks on such routes; shorter defined distance for wayside detectors, which identify defects in wheel quality or performance, on tracks used by oil trains; consolidated inventory of support resources contracted by railroads for emergency response, enabling expanded use in mutual aid for more timely action to address effects of a derailment or other form of accident; extensive training of first responders on incidents involving crude oil trains through the industry's Security and Emergency Response Training Center at the Transportation Technology Center, Inc. (TTCI) at Pueblo, Colorado, and by railroads through their community outreach, training, and exercise initiatives; and development and widespread issuance of a mobile device application, AskRail, that enables first responders to obtain immediate information on the consist of a train in the event of a derailment or other type of accident. That some of these actions subsequently became key elements of regulations in Canada and the United States attests to their assessed impact in elevating safety of transport of high volumes of crude oil and other flammable liquids.

Nebraska: Suspected Neo-Nazi Pleads Guilty in Amtrak Attack Case

On Friday, July 13, 2018, twenty-six-year-old Taylor Michael Wilson pled guilty to federal terrorism charges for his actions on board an Amtrak train traveling in Nebraska on October 23, 2017. According to court documents:

- Wilson got on the train on or about October 19. He brought on board a respiratory mask, a hammer and knife, .380 caliber ammunition, a sleeping bag, and identification related to the National Socialist Movement. Against Amtrak passenger policy, he also had a handgun.
- On October 23, with the gun tucked into the waistband of his pants, Wilson made his way into a secured engine compartment on the train, posted by signs as off-limits to unauthorized personnel. He later told a cellmate that he "dropped acid" before loading the gun and entering the compartment.

- Manipulating controls in the compartment, Wilson affected the operation of the train and disabled lights in the passenger cars. Reports state that passengers and train crew members then activated emergency alerts, with some escaping through open windows.

- A train conductor observed Wilson in the compartment. A group of as many as three conductors acted to subdue him. Wilson reached for his waistband, where he had placed the handgun, during this altercation.

The initiative of the Amtrak employees on board the train in identifying the compartment breach, acting to restrain the offender, holding him for an extended period, and safely evacuating and accounting for passengers reflects the benefits of training, exercises, and experience.

Wilson claimed to be under the influence of LSD at the time of the attack. He stated his goal was to "save" the train from black people. Additionally, Wilson stated that a year prior to the attack, he planned to travel to Syria and fight with the Islamic State of Iraq and Sham (ISIS). When police searched Wilson's residence in St. Charles, Missouri, after his arrest, they discovered that his walls were covered with Nazi posters. Seized items included body armor, ammunition, and materials for the construction of explosive devices. Numerous firearms were also found, some not legally registered, such as a fully automatic machine gun. Police further reported finding emails on Wilson's computer indicating that he had purchased plane tickets to Syria.

France: "Train Marshals" Deployed on French Trains

On Monday, July 9, 2018, news media sources in France reported that national government officials have ordered the deployment of specialized counter-terrorism police officers on board passenger trains throughout the country. This enhanced security regime goes into effect immediately in order to coincide with the summer season, when the volume of passengers using trains nationally increases due to tourism and vacations. Deployed counter-terrorism forces will be armed but wear plain clothes. Their principal responsibility is to focus on identifying any person that appears to be acting suspiciously at or near railway stations or on board passenger trains.

French government officials have emphasized that this expanded deployment of skilled and experienced anti-terrorist officers does not reflect actions on any intelligence indicating a current plot to attack French trains or stations to inflict mass casualties. Rather, the bolstered security presence and activities recognize the high threat of terrorist violence that persists in France, as manifested in the numerous attacks that have occurred since late 2014. Further, the deployments are part of a series of enhanced security measures implemented during the same time period, some of which have been directed in enactments of security laws by the French national legislature. A specific impetus for these deployments derives from the August 2015 attempt by an Islamist extremist, who claimed to be acting on behalf of the Islamic State of Iraq and Syria (ISIS), to execute a mass shooting attack on a Thalys high speed train, bound from Amsterdam through Brussels to Paris, as it traveled in northeastern France. Intervention by passengers, including American military personnel on leave, prevented the terrorist from achieving success.
French authorities remain concerned with the scale of the continuing threat posed by individuals acting on urgings to commit attacks by Islamist extremist terrorist groups and the receptive audiences found in France, Belgium, and Germany.

The attempted attack on board the Thalys high speed train highlighted both the potential vulnerability of passenger trains to an armed assault as well as a means for timely and effective action for prevention. The passengers who acted to approach, tackle, and subdue the shooter demonstrated the kind of initiative the expanded "train marshals" will provide on board passenger trains operating in France, with the vital difference that the assigned counter-terrorism officers will use firearms and apply training and experience specifically geared to the unique factors that pertain in confined spaces on board trains and in rail stations. The new "train marshals" will retain an advantage that the intervening passengers had in dress and appearance: they will "blend in" as travelers, giving no overt indication of law enforcement or security status.

An effective deterrent measure, employed in particular by Amtrak and rail transit and commuter systems in larger metropolitan areas in the United States, entails recurring, unannounced deployments of uniformed police and security officers, randomly and unpredictably in timing, locations, and actions. This approach disrupts the ability of plotters to discern the exploitable patterns on which terrorism thrives. In some cases, undercover officers on trains or in stations bolster these efforts with random patrolling to monitor for suspect activity.

United States: Former Spy Details Al Qaeda Plot to Attack New York City Subway

On Thursday, July 12, 2018, CNN reported on and provided an excerpt from a book entitled "Nine Lives," written by former jihadist-turned-spy Aimen Dean.
The chosen excerpt focuses on an alleged plot by terrorists affiliated with al Qaeda to use a poison gas weapon to kill commuters in the New York subway system shortly after the 9/11 attacks. Though al Qaeda leadership ultimately dismissed the plan in 2003, significant preparations for the attack had proceeded. Dean uses his book to detail his involvement in those preparations: testing of the planned weapon; review of its design and function in dispersing a lethal chemical; and background information on prior plotting that envisioned attempting to use it for terroristic purposes.

[Image: (U) external view with cutaway of the "mubtakkar" device, described as designed by al-Qaida operatives for potential deployment in an attack against the New York City subway system.]

After becoming a spy for the British counterintelligence service, MI6, Dean moved to Bahrain with the hope of infiltrating members of al Qaeda's upper echelons, who had taken refuge there after the post-9/11 American-led invasion of Afghanistan that expelled the terrorist organization and the formerly ruling Taliban. Once in Bahrain, Dean was quickly invited to dinner by a Saudi chemistry teacher named Akhil, who asked if he could verify blueprints for a cyanogen chloride weapon (dubbed "mubtakkar" by Islamist extremists), which he had once assisted in testing while living in Afghanistan. In his review, Dean verified the blueprints. Further, he compared the effects of cyanogen chloride with those inflicted by Zyklon B, the gas used to kill Jews and other "undesirables" in the Nazi death camps during World War II. Cyanogen chloride causes victims' lungs to fill with fluid, eventually leading to an agonizing death. Akhil then inquired on how effective Dean thought the weapon would be if it were used in the New York City subway system.

Describing the 2003 plot to use the "mubtakkar" in the New York City subway system, Dean recounted the discussions of further dinner meetings with Akhil. In the course of these conversations, Akhil revealed that four Saudi terrorists living in Morocco were to be taught how to build the "mubtakkar" weapon and travel to the United States on ten-year visas, which each prospective terrorist had already obtained. Meanwhile, Dean shared the information gathered from the meetings with MI6. The British service then provided intelligence on the developing plot, planned attack tactics, and weapons and chemicals to be used to United States intelligence agencies.

Prior to execution, al Qaeda's deputy leader, Ayman al-Zawahiri, grew concerned that an attack in New York would somehow be used to make a false "claim that Saddam Hussein had given al Qaeda weapons of mass destruction so that the Americans could legitimize the invasion of Iraq, however ridiculous the link." For this reason, he purportedly canceled the operation and instructed all involved to simply "keep knowledge about the mubtakkar under tight control."

The Department of Homeland Security (DHS) subsequently produced both classified and unclassified/For Official Use Only assessments of the "mubtakkar" device (its appearance, components, and intended usage and functioning) for purposes of informing security awareness. Advisories focused on the types of gas that could be dispensed (hydrogen cyanide, cyanogen chloride, and chlorine gases); use of one or more of the devices in enclosed spaces, such as restaurants, theaters, or passenger train cars or stations; and the small size of the device and its components, allowing for carriage and concealment in a bag or box and assembly at or near an intended attack site.

[Image: Roll Call Release on the "mubtakkar" device referenced above; text not legible in extraction.]

Middle East: Waning ISIS Said to Return to Assassination Tactic

On Monday, July 9, 2018, a published report asserted that, with the collapse of the self-proclaimed "caliphate," loss of territorial control, and overall waning of power and influence, the Islamic State of Iraq and Syria (ISIS) is reportedly returning to a tactic employed early in its existence: targeted assassinations.

In 2013, elements of the terrorist group, operating as Al-Qaeda in Iraq (AQI), first started to emerge as a significant threat. However, its operations differed markedly from those pursued by main Al Qaeda and its other affiliates. One of these differing tactics was the targeted assassination of Iraqi security personnel. By 2014, with its reincarnation as ISIS, the group's notoriety began to grow exponentially, due primarily to the aggressiveness, lethality, brutality, and scale of its killings and destruction. With the increasing profile came greater attractiveness to potential recruits, expanding numbers of fighters, and ensuing seizures of territory. Control of land in Iraq and Syria added to the group's allure, especially when it proclaimed a restored Muslim homeland, or "caliphate." Territorial control afforded sanctuary as well to organize, plan, and prepare acts of terrorism, and a springboard for access to Europe for execution of attacks.
However, since 2016, ISIS has lost vast amounts of territory and been degraded as a fighting force by Western coalition actions in Syria and coordinated operations by security forces and coalition airstrikes in Iraq. In an effort to alleviate some of the continuing pressure, ISIS has reportedly renewed the tactic of identifying and targeting members of the Iraqi security forces, as well as local, regional and national government officials, for assassination. Reinstatement of this tactic seems a likely attempt to restore the foundation for ISIS's territorial gains during 2013 through 2016. Despite the group's weakened state, there remains caution that ISIS can still carry out attacks in Europe, mostly due to its effective and ongoing propaganda campaigns targeting young Muslims via the internet. For support, ISIS is increasingly turning to cryptocurrencies such as Bitcoin to fund operations.

[Image: map of territory lost by ISIS; labels not legible in extraction.]

India: Counterintelligence Officials Thwart ISIS Terror Plot

Indian security forces reportedly thwarted a terror attack by the Islamic State of Iraq and Syria (ISIS) through an extensive counterintelligence operation. Authorities have arrested a 20-year-old Afghan national and ISIS operative who lived in Delhi's Lajpat Nagar while studying as an engineering student. He had been befriended by an undercover Indian agent who provided him with triggerless explosives for a planned suicide attack plus accommodations at a hostel in the city. Indian law enforcement agencies executed the arrest of the aspiring terrorist in September 2017. Subsequently, the suspect was transported to a United States military base in Afghanistan. His admissions and related details provided under interrogation there reportedly played a key role in the recent successes of American forces against the Taliban in Afghanistan.
In a significant commonality in planning and preparations, this Afghan suspect plotting a suicide bombing in Delhi, India, sought to prepare an explosive similar in construct and expected impact to that used in the suicide bombing at the concert arena in Manchester, England, in May 2017. That attack killed a reported 23 people and wounded or injured more than 130 others, mostly children.

Indicators and progressively more detailed information on the ISIS plot were uncovered through an 18-month-long surveillance operation in Afghanistan, Dubai, and New Delhi. Intelligence agencies determined that a group of 12 ISIS operatives had been trained in Pakistan for subsequent travel to execute bombing attacks around the world. The Research and Analysis Wing of the Indian intelligence service first discovered a link by tracking a suspicious transfer of a total of $50,000 by multiple individuals from Dubai to a location in Afghanistan. The Afghan ISIS operative reportedly visited the Delhi Airport, Ansal Plaza mall, a mall in Vasant Kunj, and South Extension market, among other places in Delhi, as reconnaissance of potential targets for the attack. All are crowded public areas, consistent with the emphasis by ISIS in target selection since 2014. He regularly sent feedback on his mission to handlers in Afghanistan.

Ukraine: Officials Claim to Have Thwarted VPNFilter Attack on Chemical Plant

According to published reports, Ukraine's SBU Security Service claims to have stopped a cyber attack against a chlorine plant that was launched using VPNFilter malware. The attack reportedly targeted network equipment belonging to the LLC Aulska chlorine plant in Auly, central Ukraine. The apparent intent was to disrupt the stable operation of the plant, which provides sodium hypochlorite (liquid chlorine) for water treatment.
Ukrainian cybersecurity officials have reported that the enterprise's process control system and system for detecting signs of emergencies were deliberately infected by the VPNFilter computer virus. They further assert that the virus originated from Russia.

The VPNFilter malware, first detected in May, is estimated to have hijacked half a million Internet of Things devices, notably including routers and network-attached storage (NAS) devices. The malware is capable of snooping on web traffic, as well as establishing a backdoor on compromised devices for repeated and persistent access and compromise. The code of some versions of VPNFilter overlaps with versions of BlackEnergy malware, which has been previously linked to attacks on Ukrainian power distribution stations. Intelligence and cyber security agencies in multiple nations have attributed these attacks to Russian sources. According to the Cisco Talos security team, the VPNFilter malware has the ability to render infected devices unusable, individually or en masse, with the added potential of cutting off internet access for hundreds of thousands of victims worldwide.

Both Western and Ukrainian intelligence agencies have assessed that a unit of Russian military intelligence, the GRU, both created VPNFilter and used or distributed it for cyber attacks. The designation APT-28 has been assigned to this Russian hacking group. The abbreviation denotes "Advanced Persistent Threat," indicating a level of sophistication and capabilities in tactics and effectiveness normally displayed by well-funded and experienced nation-state actors.
[Image: header of the DHS Intelligence Enterprise article "(U) Cybersecurity: Russia Likely Capable of Disruptive or Destructive Cyber Attacks Against US Critical Infrastructure Networks," June 2018.]

In an analysis dated June 25, 2018, the Department of Homeland Security's (DHS) Intelligence Enterprise issued an article captioned "Russia Likely Capable of Disruptive or Destructive Cyber Attacks Against Critical Infrastructure Networks." The article assesses that "Russian Government cyber actors likely have the capability to conduct disruptive or destructive attacks against US critical infrastructure networks." This conclusion is based on the assessed "ability of Russian Government cyber actors to access critical infrastructure networks, conduct network reconnaissance, extract data pertaining to industrial control systems (ICS), and exploit routers to conduct man-in-the-middle attacks."

Three demonstrated areas of activity are cited in support of the assessed capability.

1) Access and Reconnaissance of US Critical Infrastructure Networks: A March 2018 joint technical alert by the National Cybersecurity and Communications Integration Center (NCCIC) assessed that "Russian Government cyber actors in March 2016 obtained access to US critical infrastructure networks through a multi-stage intrusion campaign, compromising the infrastructure of peripheral organizations, such as trusted third-party suppliers, to reach intended targets." This same alert concluded that, once in the network, these attackers "conducted network reconnaissance, moved laterally through the network, and collected information pertaining to industrial control systems."

2) Compromise of Network Infrastructure Devices: The FBI has assessed with high confidence that "cyber actors supported by the Russian Government since 2015 have exploited routers worldwide"
in a concerted campaign "to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay the foundation for future offensive operations." An April 2018 NCCIC joint technical alert delineated these concerns as a product of the analytical efforts of the FBI, DHS, and the British National Cyber Security Centre.

3) Likely Russian Cyber Activities in Ukraine Applicable to the Homeland: Russian government cyber attackers in late June and early July 2017 used NotPetya ransomware to conduct a disruptive cyber attack, predominately against Ukraine's financial sector. The NotPetya campaign affected US state and local government agencies and multi-national entities in the financial services, transportation, energy, and utilities industries. Russian-affiliated cyber actors have been attributed to be responsible for the December 2015 disruptive cyber attack against the Ukrainian electric grid. The attack compromised ICS and caused a power outage affecting 225,000 customers. Suspected Russian cyber actors in December 2016 directed an attack against Ukrainian electric infrastructure, disrupting power by maliciously operating circuit breakers, deleting ICS-specific configuration files, and wiping human-machine interfaces.

Israel: Center Set Up to Combat Cyber Attacks Against Rail System

As of Tuesday, July 16, 2018, published accounts have reported on the establishment in Israel of a center to fight potential cyber attack campaigns and general hacking against the national rail system, passenger and freight. The reports state that the center has been created through the efforts of Rafael, a defense technology company owned by the Israeli government. The new center, to be located in the central city of Lod, will work in conjunction with Israel Railways. Officials from the railroad's cyber defense unit will operate the center.
The principal impetus for establishing the new center derives from emerging data indicating that Israel Railways is increasingly becoming a popular target of cyber attacks. Available reporting indicates that the railway's computers are targeted 10 million times every month. Some of these attacks are simply attempts to steal personal data; however, others have entailed efforts to plant powerful malicious software (malware) in the business and operating networks of Israel Railways. Concern that a successful breach of the operations networks could allow adversaries to control or adversely affect train movements, train control, or related functions has driven the initiative to establish a cyber threat detection and prevention center for the railroad. While Israel Railways has yet to be successfully breached by hackers, the train system has in the past been targeted with various acts of terrorism by Palestinian groups. As an example, in 2001, a train station in Nahariya was targeted in a suicide bombing that killed three civilians. The establishment of the cyber center recognizes the prospect that Palestinian or other terrorist groups or foreign adversaries could seek to use cyber means to facilitate physical attacks.

Worldwide: Cloud Services Targeted by Hackers for Supply Chain Attacks

According to a special report published in the Financial Times, foreign hackers are attempting to target cloud service providers in order to use their networks to spread spying tools to a wide number of companies. Cited as the most recent example, a Chinese hacking group nicknamed "Red Apollo" launched a cyber espionage campaign dubbed "Operation Cloud Hopper." This campaign targeted information technology (IT) service providers whose networks could potentially be hijacked to spread malware to their client companies'
systems in 15 different countries, including the United States, Canada, Britain, France, Switzerland, Australia and Japan. A report issued by the cyber security firm Symantec shows that these types of supply chain attacks are becoming more common: calendar year 2017 saw a 200 percent increase in supply chain attacks compared to 2016. Cyber security experts say that Cloud Hopper did not cause serious damage to the networks of the IT service providers that were compromised. However, an attack in late June and early July 2017, dubbed "NotPetya," did constitute an example of a supply chain attack that produced damaging and costly effects. Intelligence and security authorities in the United States and Britain attributed NotPetya to the Russian military, which had primarily targeted Ukraine. The hackers in that case breached a Ukrainian software provider and inserted a "back door" into its next update. Once the update had been installed, the attackers downloaded malicious code onto the affected networks, which then spread within about 60 minutes.

This year, the British National Cyber Security Centre (NCSC) published guidance on how to protect against the four most prevalent supply chain attacks. The guidance highlights third-party software providers, website builders and external data stores as the riskiest links in any company's IT supply chain.

Cyber: Technical Analysis on Lokibot Sample Published on GitHub

As of Friday, July 6, 2018, a technical analysis has been published via GitHub on a Lokibot sample that its author claims is being regularly used in recent malspam campaigns. The analysis provided supports the product's assessment that a third party has modified an original Lokibot sample to sell online.
[Figure: diagram of the Lokibot infection chain, from malicious email to the attacker's data control panel, with the stage the analyst marks as suspicious highlighted.]

Prices for Lokibot samples have reportedly dropped from a high of $300 in 2015 to approximately $80 in 2018. The sharp decrease in purchasing cost, coupled with multiple resellers distributing the malware, supports the conclusion that the Lokibot code has been leaked. Indeed, YouTube tutorials on how to establish a Lokibot control panel are now readily accessible online.

The publication's technical analysis states that Lokibot obtains application credentials, to include those of FTP clients, web browsers, and SSH clients, and relays them via HTTP within a customized packet to a command and control server. Lokibot has a defined function for each credential source, calling each in a loop and saving the harvested data in a buffer. For persistence, the malware modifies a registry key and copies itself into a subfolder whose unique name is generated from the MD5 of the MachineGuid (a value also used as a mutex).

A "Deep Analysis" of suspicious behavior exhibited by the malware is provided within the product, in which the author observes that "this behavior [seems as if] someone hooked [a specific] function, as if a third person modified manually the code for patching the control panel URL with its custom control panel" URL. Comparative analyses depict the old Lokibot code and functions alongside the "last version" found, providing visual indications of "Lokibot malware hijacking" and further indication of two bugs within the program.

[Figure: screenshot of the GitHub analysis page, headed "LOKIBOT INFOSTEALER VERSION", in which the author lists the behaviors that triggered his curiosity: the weaker XOR protection of the control panel URL compared with the more strongly protected URLs; the 3DES-protected URLs being identical across all LokiBot samples of this version and never used; and some strings being protected with (text cut off in the source).]

Cyber: Trend Micro Reports on Unfinished Malware Using Desktop Shortcuts

A blog posted on Trend Micro in early July 2018 details how an unsophisticated malware, seemingly in "unfinished development," searches for and uses desktop shortcuts to redirect the user to a malware download when the user selects the shortcut. Once executed, the malware then opens the correct application by recovering the original shortcut file in an attempt to circumvent detection. The malware next assembles "its payloads," a malware installer comprised of "various Windows tools, and Ammyy Admin to gather information and send back via" SMTP.

[Figure: Trend Micro infection-chain diagram: malicious file is received; macros are enabled; shortcut file is replaced; shortcut is clicked; a malicious service is created and started; another malware installer is downloaded; a remote desktop tool is downloaded and installed; a file dump is created and sent back via SMTP.]

While information technology professionals are well aware that Microsoft macros are an extremely common mechanism leveraged by cyber criminals to deliver malicious payloads, the various methods used merit continuing attention for sustained awareness and for proactive implementation of measures to mitigate this well-known, but still regularly and successfully exploited, attack vector.

Excerpt from the Trend Micro post:

The user needs to enable the macro for it to work, since Microsoft disabled macros by default specifically to avoid potential security risks. Enabling macros, as the Microsoft security notification will state, makes the user's computer vulnerable to potentially malicious code.

How the macro helps hijack shortcuts: Once the user enables macros, it then tries to search for shortcut files on the user's desktop and replace them according to their corresponding linked files. It targets mainly five shortcuts, including those of Google Chrome, Mozilla Firefox, Opera, and Internet Explorer. Once it finds a match, it downloads the malware according to its name and environment from Google Drive and GitHub. Upon checking, the malware files seem to have been removed or are no longer present online. Going into more detail: if, for example, it finds the shortcut for Google Chrome on the user's desktop, it will go through the following steps.
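The Lokibot persistence artifact described in the GitHub analysis item above (a folder and mutex whose name is derived from the MD5 of the host's MachineGuid) is something a defender can hunt for directly rather than by hash. The following Python script is an added example written for this report, not code from the GitHub analysis or from the malware: it derives the digest from a constructed MachineGuid, builds a few constructed file, registry and mutex events, and flags those whose names are a slice of that digest. Its assumptions, noted in the code, are that the GUID string is hashed as ASCII, that the copy lands under AppData\Roaming, and that any run of six or more digest characters counts as a match, because the page does not state which slice of the hash Lokibot uses.

```python
import hashlib
import re

# Constructed sample MachineGuid (the value Windows stores under
# HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid); not from a real host.
SAMPLE_MACHINE_GUID = "4c4c4544-0046-4b10-8048-b2c04f4e5231"

# Assumption: the GUID string is hashed as ASCII and the malware names its
# folder and mutex with the hex digest or a slice of it. The page only says
# "MachineGuid MD5", so any run of MIN_SLICE+ digest characters is a match.
MIN_SLICE = 6

# Assumption: the copy is dropped under the roaming profile folder.
_NAME_IN_PATH = re.compile(r"\\AppData\\Roaming\\([0-9A-Fa-f]{6,32})\\", re.IGNORECASE)


def machine_guid_md5(machine_guid):
    """Uppercase hex MD5 of the MachineGuid string."""
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest().upper()


def derived_from_guid(name, digest):
    """True if name is a run of MIN_SLICE or more hex characters taken from digest."""
    name = name.upper()
    if len(name) < MIN_SLICE or re.fullmatch(r"[0-9A-F]+", name) is None:
        return False
    return name in digest


def find_lokibot_artifacts(events, machine_guid):
    """Return the events whose folder or mutex name derives from the MachineGuid MD5.

    events: dicts with 'type' in {'file', 'registry', 'mutex'} and 'value'
    (a file path, the data written to a Run-style registry value, or a mutex name).
    """
    digest = machine_guid_md5(machine_guid)
    hits = []
    for ev in events:
        if ev["type"] in ("file", "registry"):
            m = _NAME_IN_PATH.search(ev["value"])
            if m and derived_from_guid(m.group(1), digest):
                hits.append(ev)
        elif ev["type"] == "mutex" and derived_from_guid(ev["value"], digest):
            hits.append(ev)
    return hits


def build_sample_events(machine_guid):
    """Constructed telemetry: three Lokibot-style artifacts plus benign noise."""
    name = machine_guid_md5(machine_guid)[8:14]  # assumed slice; any run works
    appdata = "C:\\Users\\alice\\AppData\\Roaming"
    return [
        {"type": "file", "value": appdata + "\\Microsoft\\Windows\\Recent\\doc.lnk"},  # benign
        {"type": "file", "value": f"{appdata}\\{name}\\{name}.exe"},                 # dropped copy
        {"type": "registry", "value": f"{appdata}\\{name}\\{name}.exe"},             # Run key data
        {"type": "mutex", "value": name},                                             # mutex
        {"type": "mutex", "value": "Global\\OfficeUpdater"},                          # benign
        {"type": "file", "value": appdata + "\\DEADBEEF\\DEADBEEF.exe"},              # hex-looking, unrelated
    ]


if __name__ == "__main__":
    for hit in find_lokibot_artifacts(build_sample_events(SAMPLE_MACHINE_GUID), SAMPLE_MACHINE_GUID):
        print("suspicious", hit["type"], hit["value"])
```

On a live host the MachineGuid would be read from the registry and the events from Sysmon or EDR telemetry; the matching logic stays the same. Because the name is per-host, a hash-based indicator from another machine would never match, which is exactly why deriving it from the local GUID is the useful check.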
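The shortcut-hijacking chain in the Trend Micro item above (an Office macro rewriting .lnk files on the desktop, then a script host launching when the user clicks the tampered shortcut) can be detected from endpoint telemetry. The following Python function is an added example written for this report, not Trend Micro's code: it walks constructed Sysmon-style file-create and process-create events and raises one alert when an Office process writes a .lnk into a Desktop folder, and a second when explorer.exe later spawns a script host on the same host within a time window. The event field names, the set of script hosts, and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Office binaries that have no business writing shortcut files to the desktop.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters a hijacked .lnk typically points at instead of the real browser.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Assumption: a script host spawned by explorer.exe within this window of a
# .lnk rewrite is treated as the user clicking the tampered shortcut.
CLICK_WINDOW = timedelta(minutes=30)


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_desktop_lnk(path):
    p = path.lower()
    return "\\desktop\\" in p and p.endswith(".lnk")


def detect_shortcut_hijack(events, window=CLICK_WINDOW):
    """Return (rule, event) alerts for the two stages of the shortcut-hijack chain.

    events: time-ordered dicts with keys ts (ISO 8601), host, kind ('file' or
    'process') and image; file events carry target, process events carry parent.
    """
    alerts = []
    tampered = []  # (timestamp, host, shortcut path) of .lnk writes by Office
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "file":
            if _image_name(ev["image"]) in OFFICE_IMAGES and is_desktop_lnk(ev["target"]):
                tampered.append((ts, ev["host"], ev["target"]))
                alerts.append(("office_wrote_desktop_lnk", ev))
        elif ev["kind"] == "process":
            if _image_name(ev["parent"]) != "explorer.exe" or _image_name(ev["image"]) not in SCRIPT_HOSTS:
                continue
            for t_ts, t_host, _lnk in tampered:
                if t_host == ev["host"] and timedelta(0) <= ts - t_ts <= window:
                    alerts.append(("script_host_after_lnk_rewrite", ev))
                    break
    return alerts


def sample_events():
    """Constructed telemetry for two hosts; not real logs."""
    word = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    desktop = "C:\\Users\\alice\\Desktop\\"
    return [
        {"ts": "2018-07-09T09:00:00", "host": "WS01", "kind": "file", "image": word,
         "target": "C:\\Users\\alice\\Documents\\invoice.docx"},               # benign save
        {"ts": "2018-07-09T09:00:05", "host": "WS01", "kind": "file", "image": word,
         "target": desktop + "Google Chrome.lnk"},                             # macro rewrite
        {"ts": "2018-07-09T09:02:00", "host": "WS01", "kind": "process",
         "parent": "C:\\Windows\\explorer.exe",
         "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},  # normal launch
        {"ts": "2018-07-09T09:05:00", "host": "WS01", "kind": "process",
         "parent": "C:\\Windows\\explorer.exe",
         "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},  # clicked .lnk
        {"ts": "2018-07-09T14:00:00", "host": "WS02", "kind": "process",
         "parent": "C:\\Windows\\explorer.exe",
         "image": "C:\\Windows\\System32\\cmd.exe"},                           # unrelated host
    ]


if __name__ == "__main__":
    for rule, ev in detect_shortcut_hijack(sample_events()):
        print(rule, ev["host"], ev["ts"])
```

The first rule alone is already high-signal, since Office saving a .lnk to a Desktop folder is rare outside macro abuse; the second rule ties the later click to it so the alert points at the user session to examine.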