FBI Cyber Research revealed

The FBI identified incidents over the past few months in which cyber actors scanned for and sought to exploit audio and visual communication devices on networks to identify vulnerabilities which could later be used to gain access and unlawfully acquire information about the organization. In addition to targeting corporate information, vulnerable devices may be targeted for compromise for use in botnets or other criminal activities. The types of devices targeted include: Voice over Internet Protocol (VoIP) phones, video conferencing equipment, conference phones, VoIP routers, and cloud-based communication systems. While cyber actors have targeted VoIP and other communication devices in the past, the FBI continues to see these devices scanned by cyber actors for vulnerabilities.


Specifically, the FBI observed cyber actors identifying and probing communication devices by issuing HTTP GET requests to a business server or network to retrieve device configuration files. Information contained in configuration files often reveals IP addresses, usernames, passwords, system management URLs, and assigned phone numbers – all of which could be used by cyber actors for malicious purposes. Many of the requests are specific to particular brands of devices. Victims will often receive several GET requests in succession as the actors scan for multiple brands of devices.

In addition, cyber actors retrieve IP addresses for further exploitation by using businesses’ customer service VoIP hyperlinks, which are traditionally made available for customers to use in contacting the business. Once those hyperlinked calls are answered, the actor retrieves the IP address belonging to the phone which answered the call. Once the IP address is retrieved, an actor could send a large volume of packets to the IP address, overloading it and taking the service offline for the targeted business and its legitimate customers.

In addition to the above techniques, cyber actors target devices with brute-force attacks, attempting unauthorized access through the use of common usernames and passwords. Open source scanning tools can also be used to identify vulnerable communication devices and any associated ports.

All of the information obtained through scans and other methods is likely used for specific targeting efforts by cyber actors. This includes leveraging access to compromised audio and video devices to eavesdrop on meetings or conference calls, placing fraudulent international phone calls, leveraging the compromised device for use in botnets, and conducting man-in-the-middle attacks to redirect corporate network traffic.


The following recommendations may limit the success of these types of attacks:

Conduct daily server log reviews to identify unusual activity, including GET and POST requests from external IP addresses.

Work with the communication device/system providers to ensure servers are patched and updated regularly.

Consider restricting access to configuration files or configuring firewalls to block traffic from unauthorized IP addresses.

Restrict communication devices/systems to only non-sensitive business networks.

Conduct regular penetration testing exercises on communication devices to identify and address vulnerabilities in a timely manner.

Enable encryption on teleconference programs and applications and consider disabling auto-answer capabilities.

Password protect configuration files, if possible.

Regularly review and update users with access to administrative accounts.

Segment configuration files on the network. Be sure to protect configuration and other device-related files after getting the device out of the box. Don’t just plug and play.
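The first recommendation above, daily review of server logs for unusual GET and POST requests from external addresses, can be turned into a simple check. The script below is an added example, not code from the FBI notice: it parses access-log lines in the Apache/nginx combined format, flags external addresses that request configuration-looking paths (the technique described earlier in the notice), and flags bursts of failed POST logins that look like the brute-force attempts the notice mentions. The sample log lines are constructed, the `CONFIG_PATTERNS` regular expression is an assumption about what such requests tend to look like rather than a list of real device URLs, and `INTERNAL_NETS` stands in for an organization's own address ranges.

```python
"""Flag config-file probing and failed-login bursts in web server access logs.

Added example, not part of the FBI notice. Sample log lines are constructed;
CONFIG_PATTERNS and INTERNAL_NETS are assumptions a deployment would tune.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format, without referrer/user-agent fields.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed: path fragments typical of requests for provisioning/configuration files.
CONFIG_PATTERNS = re.compile(r'(config|cfg|provision|\.xml$|\.cfg$)', re.IGNORECASE)

# Assumed internal ranges (RFC 1918 plus loopback); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: one external scanner, one internal admin fetch,
# one external burst of failed logins, one benign request.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Aug/2019:10:12:01 +0000] "GET /config.xml HTTP/1.1" 404 196
203.0.113.7 - - [03/Aug/2019:10:12:01 +0000] "GET /provisioning/phone.cfg HTTP/1.1" 404 196
203.0.113.7 - - [03/Aug/2019:10:12:02 +0000] "GET /admin/cfg.xml HTTP/1.1" 403 153
10.0.0.5 - - [03/Aug/2019:10:13:10 +0000] "GET /config.xml HTTP/1.1" 200 1182
198.51.100.23 - - [03/Aug/2019:10:15:40 +0000] "POST /login HTTP/1.1" 401 84
198.51.100.23 - - [03/Aug/2019:10:15:41 +0000] "POST /login HTTP/1.1" 401 84
198.51.100.23 - - [03/Aug/2019:10:15:41 +0000] "POST /login HTTP/1.1" 401 84
198.51.100.23 - - [03/Aug/2019:10:15:42 +0000] "POST /login HTTP/1.1" 401 84
198.51.100.23 - - [03/Aug/2019:10:15:43 +0000] "POST /login HTTP/1.1" 401 84
192.0.2.9 - - [03/Aug/2019:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""


def parse(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_external(ip):
    """True unless the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_config_probes(log_text):
    """External IPs that issued GETs for config-looking paths -> {ip: [paths]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if (rec and rec["method"] == "GET" and is_external(rec["ip"])
                and CONFIG_PATTERNS.search(rec["path"])):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def find_auth_bursts(log_text, threshold=5, window_s=60):
    """External IPs with >= threshold failed POSTs (401/403) within window_s seconds.

    Returns {ip: total_failed_posts} for every address that meets the threshold.
    """
    fails = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if (rec and rec["method"] == "POST" and rec["status"] in (401, 403)
                and is_external(rec["ip"])):
            fails[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures inside `window_s`.
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_config_probes(SAMPLE_LOG).items():
        print(f"config probe from {ip}: {', '.join(paths)}")
    for ip, count in find_auth_bursts(SAMPLE_LOG).items():
        print(f"failed-login burst from {ip}: {count} attempts")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the internal fetch from `10.0.0.5` is deliberately not reported, which is why `INTERNAL_NETS` must match the organization's actual ranges, and a 200 response to a config path from outside those ranges is the case most worth escalating.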


Joint Chiefs of Staff Briefing about China’s “System Attack”

This paper explores the PLA’s theory of victory in modern warfare and its implications for how China plans to fight the United States. It is a primer on the theory’s foundational concepts, and on what the theory reveals about China’s strategic intent and ambitions.

(U) Executive Summary

(U//FOUO/RELIDO) China plans to defeat powerful adversaries by systematically targeting the linkages and nodes that hold an advanced network-centric force together as a cohesive whole. The PLA calls this theory of victory “systems attack and destruction warfare,” hereafter, “system attack.” Authoritative PLA doctrine emphasizes the importance of system attack as China’s “basic operational method” of warfare. System attack is perhaps best remembered as “the American way of war with Chinese characteristics,” since the PLA developed the concept based on observing U.S. military victories in the 1990s. Some of the PLA’s writings on systems attack are clearly aspirational, but this does not preclude the effectiveness of the approach, and the doctrine shows that the PLA is thinking seriously and realistically about how to defeat an advanced adversary. The requirements of system attack are actively driving PLA reform, acquisitions, operations and training, and the doctrine telegraphs how China intends to fight.

(U) China’s Theory of War: “Systems Confrontation”

• (U//FOUO/RELIDO) 1 + 1 > 2. Operational Systems are Greater Than the Sum of their Parts. Fundamental to China’s theory of victory is the PLA’s concept that modern military forces are “systems of systems” which are stronger and more efficient than their components would be in isolation because they are linked and networked together through communications and information systems architecture.

• (U//FOUO/RELIDO) Systems Confrontation: The PLA’s theory of modern warfare, therefore, is “systems confrontation,” or competition between these rival “systems of systems,” rather than as a linear contest between discrete units or services of competing armies.

(U) China’s Theory of Victory: System Attack – Win by Fragmenting the Enemy’s Force

(U//FOUO/RELIDO) Create the Conditions for Winning the War: Make 1 + 1 < 2. The PLA plans to defeat an advanced adversary by thoroughly fragmenting the adversary’s system into isolated component parts. The first step of systems attack, therefore, is to break the essential links and nodes that promote system cohesion in order to sow confusion, degrade communications and disorient adversary leadership. System attack’s ultimate goal is to paralyze the adversary force, degrading its ability to resist, eroding leadership will to fight and slowing adversary decision-making. China believes that whichever side has a more networked, integrated and cohesive force will have a shorter OODA loop, be able to act more efficiently, and have a better likelihood of victory. Attacks will take place across all domains to degrade the system as a whole rather than focusing on attrition.

• (U//FOUO/RELIDO) Fragment the Force: Degrade Data-Flow and C2. The PLA prioritizes degrading or denying an adversary’s use of information early in a crisis and with greater intensity through a conflict. The PLA envisions using kinetic and non-kinetic operations to target an opponent’s data links, communications, military networks, and information systems architecture early in the conflict. Degrading adversary communications amplifies the effects of missile and air strikes against command and control (C2) nodes, including command centers, flagships, and military and civilian leadership.

• (U//FOUO/RELIDO) Blind the Enemy: Deny ISR and Early Warning. China will try to degrade adversary decision-making and awareness by targeting its intelligence, surveillance and reconnaissance (ISR) and early warning capabilities, including key space-based collection systems, theater ISR platforms, intelligence centers and satellites.

• (U//FOUO/RELIDO) Own the Initiative: Getting Inside the Adversary OODA Loop. China plans to seize first mover advantage by initiating conflict when the adversary is not prepared. The PLA will try to maintain battlefield initiative by forcing adversaries into a reactive cycle driven by a rapid tempo of unexpected long-range strikes, asymmetric attacks, and harassing attacks.

• (U//FOUO/RELIDO) More Return on Investment Precision Strikes Enable Outsized Effects. The PLA will rely on highly targeted precision strikes against key links and nodes to achieve an outsized effect on the enemy force’s overall stability and effectiveness. Kinetic precision strikes will be complemented by non-kinetic attacks, especially against adversary networks, datalinks, and information systems.

(U//FOUO/RELIDO) Using the Full Against the Fragmentary, Defeating the Slow with the Rapid. System attacks are designed to enable following operations. Once system attacks have fragmented the adversary military so that it cannot operate as a cohesive force, the PLA will commit its broader intact and networked force to combat. Having tilted the battlefield in its own favor, the PLA will carry out supplemental attacks that ensure the adversary’s system does not recover while gradually attriting the adversary’s aircraft, ships, submarines, and other long-range-strike platforms. Sequencing system attacks first enables the PLA to achieve greater effect with lower risk to its force or mission.

• (U//FOUO/RELIDO) China Expects to Have Its System Targeted Too. China expects that the U.S. will try to degrade the PLA’s ability to operate as a coherent force, having developed the systems attack doctrine described above by watching how the United States fights. The PLA therefore is training and equipping the force to operate independently, autonomously, and resiliently, with a notable emphasis on operating in a complex electromagnetic environment.

(U//FOUO/RELIDO) Aspiration Does Not Equal Capability, but It Signals Intent. In PLA doctrine, the rough sequence of operations enabled by systems attacks would be familiar to U.S. military operators: achieve air superiority, then use air superiority to seize maritime superiority and enable ground operations, then use maritime superiority to execute attacks from the sea to the land. The last part of this sequence is aspirational, since China does not currently field ship-launched land attack cruise missiles and its nascent aircraft carrier program is unable to carry out strike warfare. It is, however, how the PLA says it wants to be able to fight, and its acquisitions and training reflect this ambition. China’s doctrine is reflected in its acquisitions and training patterns today. Tomorrow it will be reflected in its operations. The PLA is progressing rapidly. This is how they will fight.

(U) A Note on Sources:

(U//FOUO) The findings of this paper are derived from China’s most authoritative government and military doctrinal writings. The importance of system of systems confrontation is evident in its inclusion in the 2015 Defense White Paper on Military Strategy. All other details are derived from the 2015 and 2013 editions of the Science of Military Strategy, and from an unclassified 2018 RAND Corporation study, Systems Confrontation and System Destruction Warfare: How the Chinese People’s Liberation Army Seeks to Wage Modern Warfare. General assessments on PLA acquisitions, training and operations are reflected in a wide body of unclassified open source materials from 2000 through the present. For ease of sourcing, we cited the 2017 Department of Defense Annual Report to Congress on Military and Security Developments Involving the People’s Republic of China.

TOP SECRET – U.S. Joint Chiefs of Staff new Doc about Operations Security

Executive Summary:

Commanders ensure operational security (OPSEC) is practiced during all phases of operations. OPSEC is a capability that identifies and controls critical information, indicators of friendly force actions attendant to military operations, and incorporates countermeasures to reduce the risk of an adversary exploiting vulnerabilities. As adversary analysts apply more information to an analytical model, the likelihood increases that the analytical model will replicate the observed force. Thus, current and future capabilities and courses of action can be revealed and compromised.

2. Operational Context

a. Joint forces often display personnel, organizations, assets, and actions to public view and to a variety of adversary intelligence collection activities, including sensors and systems. Joint forces can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed conducting actual operations. The actions or behavior of military family members and businesses associated with or supporting military operations are also subject to observation by adversaries, which could equally be associated with activities or operations of the joint force. Frequently, when a force performs a particular activity or operation a number of times, it establishes a pattern of behavior. Within this pattern, certain unique, particular, or special types of information might be associated with an activity or operation. Even though this information may be unclassified, it can expose US military operations to observation and/or attack. Commanders ensure OPSEC is practiced during all phases of operations. OPSEC is a capability that identifies and controls critical information, indicators of friendly force actions attendant to military operations, and incorporates countermeasures to reduce the risk of an adversary exploiting vulnerabilities. In addition, the adversary could compile and correlate enough information to predict and counter US operations.

b. Commanders cannot limit their protection efforts to a particular operational area or threat. With continuing rapid advancement and global use of communications systems and information technology, easily obtainable technical collection tools, and the growing use of the Internet and various social and mass media outlets, the ability to collect critical information virtually from anywhere in the world and threaten US military operations continues to expand. To prevent or reduce successful adversary collection and exploitation of US critical information, the commander must establish, resource, and maintain a formal OPSEC program, and should formulate that program to be prudent, practical, timely, and effective.

c. In OPSEC usage, an indicator is data derived from friendly detectable actions and open-source information that adversaries can interpret and piece together to reach conclusions or estimates of friendly intentions, capabilities, or activities. Selected indicators can be developed into an analytical model or profile of how a force prepares and how it operates. An indication is an observed specific occurrence or instance of an indicator. OPSEC indicators are friendly detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information.

d. Adversary intelligence personnel continuously analyze and interpret collected information to validate and/or refine the model. As adversary analysts apply more information to the analytical model, the likelihood increases that the analytical model will replicate the observed force. Thus, current and future capabilities and courses of action (COAs) can be revealed and compromised. Critical information consists of specific facts about friendly intentions, capabilities, and activities needed by adversaries to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment. Critical information can be either classified or unclassified.

e. OPSEC considerations must also be observed while working with interagency partners.

DHS & FBI about ISIS Leader Baghdadi’s current Situation

Executive Summary:
(U//FOUO) This Joint Intelligence Bulletin (JIB) is intended to provide information on the recent video appearance by the Islamic State of Iraq and ash-Sham (ISIS) leader Abu Bakr al-Baghdadi. The video addresses the group’s territorial defeat in Syria, discusses the acceptance of pledges of allegiance from ISIS supporters, and praises recent attacks in Sri Lanka and Saudi Arabia. This JIB is provided by the FBI, DHS, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks against the United States. All video details described in this JIB are taken from the translated transcript of Baghdadi’s speech. The information cutoff date is 1 May 2019.

(U) Details of ISIS Leader Abu Bakr al-Baghdadi’s Video Message

(U//FOUO) On 29 April 2019, ISIS’s al-Furqan Media Establishment publicly released an 18-minute video message in Arabic titled “In the Company of the Amir of the Believers”, which shows ISIS leader Abu Bakr al-Baghdadi sitting on a carpet in an undisclosed location with an assault rifle at his side. This is Baghdadi’s first public statement since his August 2018 audio message, and his first video appearance since July 2014, when Baghdadi was filmed introducing himself as “caliph” of the newly-declared caliphate at the Grand Mosque in Mosul, Iraq.

(U) Baghdadi Vows a “Long Battle Ahead” Despite Defeat in Syria

• (U//FOUO) Baghdadi emphasizes that ISIS’s fight is not over, stating, “In truth, the battle between Islam and its people with the Cross and its people is long.” He further explains that ISIS is engaged in a multigenerational struggle and they plan to wear down their enemies with attrition, emphasizing that “jihad will continue until Judgement Day” and that “God Almighty ordered us to wage jihad and did not order us to achieve victory.”

• (U//FOUO) Baghdadi acknowledges that ISIS lost the war in Baghuz, Syria, but emphasizes that the “bravery, steadfastness, and endurance of the Ummah of Islam was evident.” He states that ISIS’s soldiers did not abandon their faith during the battle, and sacrificed their lives rather than giving away land to ISIS’s enemies.

• (U//FOUO) Baghdadi praises the members in all of ISIS’s provinces for their “unified raid to avenge their brothers in Syria, which amounted to 92 operations in eight countries.” He states these attacks indicate the cohesion and steadfastness of the “mujahedeen.” Baghdadi praises and thanks the now-deceased emirs, provincial governors, military personnel, and media members from various countries for their support to ISIS.

(U) Baghdadi Praised the Attacks in Sri Lanka and Saudi Arabia and Calls for Additional Operations

• (U//FOUO) Video footage displays the Sri Lanka attackers—who conducted a series of suicide bombings against luxury hotels and Christian churches in Sri Lanka on 21 April, killing approximately 250 people—pledging allegiance to Baghdadi, while audio of purportedly Baghdadi’s voice is heard stating, “You brothers in Sri Lanka have pleased the monotheists by their commando operations that unsettled the Crusaders in their Easter celebrate to avenge their brothers in Baghuz.” Baghdadi continues with “praise be to God, for among those killed were some Americans and Europeans.” Baghdadi congratulates the Sri Lanka attackers on their pledge of allegiance to join the “caliphate,” and asked God to accept them as martyrs.

• (U//FOUO) Baghdadi acknowledges the attack in Saudi Arabia—where ISIS fighters attacked a Saudi security building in Az Zulfi on 21 April—and asked God that it be “followed by another one.” He calls on members in Saudi Arabia “to continue down the path of jihad” against the Saudi regime.

• (U//FOUO) While Baghdadi appears in discussion with unidentified men, text on the screen indicates he was giving directives to “double the effort and intensify the blows against the Crusaders, apostates, and their supporters.”

(U) Baghdadi Accepts Pledges of Allegiance and Praises Global Network

• (U//FOUO) The video shows Baghdadi being handed booklets by one of the unidentified men which are labeled with the names of ISIS provinces, including Libya, Khorasan, Somalia, Yemen, Caucasus, West Africa, Central Africa, and Turkey, as well as Tunisia, which is not publicly identified as a province. This is the first time ISIS has referred to Turkey as an official province, or “wilayah,” in its media releases.

• (U//FOUO) Additionally, Baghdadi accepts pledges of allegiance from ISIS members in Burkina Faso and Mali, and congratulates them for joining the “caliphate.” He recommends they intensify their attacks against France and its allies and to avenge their brothers in Iraq and Syria.

• (U//FOUO) Baghdadi congratulates ISIS members in Libya for their resoluteness and their raid on the town of Al Fugaha, Libya. He states that despite their withdrawal from it, they have shown their enemies that they are capable of taking the initiative, knowing their battle today is a battle of attrition.

(U) Baghdadi’s Image Starkly Contrasts with Last Appearance in 2014

(U//FOUO) The video’s presentation of Baghdadi as an insurgent leader—similar to the images of now-deceased al-Qa‘ida (AQ) leader Usama Bin Laden and now-deceased AQ in Iraq leader Abu Musab al-Zarqawi from prior videos—contrasts with Baghdadi’s July 2014 appearance at the Grand Mosque in Mosul, Iraq, where he delivered a formal address from the mosque’s pulpit wearing a black turban and robe probably to evoke images of the last caliphs who ruled from Baghdad.

(U) Outlook

(U//FOUO) The FBI, DHS, and NCTC assess Baghdadi’s appearance almost certainly will bolster the morale of ISIS’s existing supporters around the world, including those in the United States, by indicating Baghdadi is alive and in control of the group as of late April 2019. Most homegrown violent extremists (HVEs) generally do not mobilize to violence in response to specific events and instead are usually influenced by a confluence of sociopolitical, ideological, and personal factors. However, those wavering in their commitment to ISIS might feel a sense of renewed devotion to the group as Baghdadi is alive and apparently still managing ISIS.

NCTC – Sunni Extremist Attacks in the USA before 9/11

(U//FOUO) NCTC (National Counterterrorism Center) assesses that the Sunni extremist threat to the US before 9/11 was characterized by diverse extremist organizations and lone actors motivated by multiple ideological narratives and other factors, including Salafi jihadism, Palestinian nationalism, theological disputes within Islam, anti-Semitism, and anti-Hindu sentiments. We have identified a dozen successful attacks, four disrupted plots, and one attempt to set up an extremist training camp in the US between 1973 and 2001, underscoring the persistent threat from al-Qa‘ida–associated extremists, Palestinian terrorist groups, and Sunni extremist lone actors in the decades leading up to 9/11.

These extremists chose a wide array of targets, with the majority of their attacks before 1993 focused on Hindu, Jewish, or Muslim individuals or institutions. Most attacks after that date were against civilian or US Government targets, because of al-Qa‘ida–associated extremists’ focus on indiscriminate mass casualty attacks. In some cases, we lack clear insight into the attackers’ motivations because of information gaps, and FBI disagrees about the motivations underlying two of these attacks.