Screenshot of texasarmytrail.com
1 September 2020
DHS Fusion Center China Problems
1. Over 100 DHS Fusion Center sites were involved in the recent #BlueLeaks database breach. All of the sites were ultimately hosted on a computer server in a Data Foundry data center in Houston. Data Foundry, also called GigaNews, is a central Texas based operator of several data centers.
2. Despite its small size, Data Foundry appears to be one of the larger distributors of child pornography in the world via the Usenet groups it hosts. This claim was already made before in some detail back in 2014 by a former engineer, as well as in 2018 by the OAG of New Mexico.
3. Data Foundry at one time served as one of the world’s largest bulk intel metadata collection points for the NSA program “BOUNDLESS INFORMANT” and was given the codename WAXTITAN. This was revealed as part of the Snowden leaks in 2013.
4. Data Foundry has an unusual history with mainland China. The Yokubaitis family, which runs the company (along with other related firms) have frequently attended Peking University. This school is probably the 2nd most prestigious in all of China (behind Tsinghua), and has developed most of the breakthroughs for China’s nuclear weapons program over the last three decades. During SXSW 2015 it was mentioned that their 2nd largest customer base is in China. This is unusual as no effective marketing seems to take place there, raising the question of how these customers are acquired. The sysadmin who first made claims against Data Foundry in 2014 alleged that their facilities would follow requests made from the datacenter in Hong Kong they colocate with, Powerline HK. Such requests could only come from the government of China, which raises serious questions regarding the independence and what could and could not be accessed.
5. We find the story of Nick Caputo highly credible as all of the technical information can be verified, even years later. Other messages throughout the years on UseNet, Reddit, and elsewhere seem to corroborate the general story / character of the firm as well. Additionally the unregistered FBI office address he provides in his original message (12515 Research Blvd) actually turns up dozens of times in the #BlueLeaks files for FBI agents. We are unsure if these are police impersonators or simply a unit that is operating out of scope and without authority (more likely the latter). We have reached out to law enforcement officials in Australia and Britain in the meanwhile out of an abundance of firstname.lastname@example.org
Date: July 28, 2020
Originating Organization: Cybersecurity and Infrastructure Security Agency, Department of Homeland Security
File Type: pdf
File Size: 577,002 bytes
File Hash (SHA-256): 4018616B3963268F457A9A294BF1A3A04EB90025898BC3C54B4785B048C873BB
All forms of voting – in this case mail-in voting – bring a variety of cyber and infrastructure risks. Risks to mail-in voting can be managed through various policies, procedures, and controls.
The outbound and inbound processing of mail-in ballots introduces additional infrastructure and technology, which increases the potential scalability of cyber attacks. Implementation of mail-in voting infrastructure and processes within a compressed timeline may also introduce new risk. To address this risk, election officials should focus on cyber risk management activities, including access controls and authentication best practices when implementing expanded mail-in voting.
Integrity attacks on voter registration data and systems represent a comparatively higher risk in a mail-in voting environment when compared to an in-person voting environment. This is because the voter is not present at the time of casting the ballot and cannot help to answer questions regarding their eligibility or identity verification.
Operational risk management responsibility differs with mail-in voting and in-person voting processes. For mail-in voting, some of the risk under the control of election officials during in-person voting shifts to outside entities, such as ballot printers, mail processing facilities, and the United States Postal Service (USPS).
Physical access at election offices and warehouses represents a risk in a mail-in voting environment. Completed ballots are returned to the election office and must be securely stored for days or weeks before processing through voter authentication and tabulation processes. Managing risks to these processes requires implementing secure procedures for storage, access controls, and chain of custody, such as ballot accounting.
Inbound mail-in ballot processes and tabulation take longer than in-person processing, causing tabulation of results to occur more slowly and resulting in more ballots to tabulate following election night. Media, candidates, and voters should expect less comprehensive results on election night, which creates additional risk of electoral uncertainty and confidence in results.
Disinformation risk to mail-in voting infrastructure and processes is similar to that of in-person voting while utilizing different content. Threat actors may leverage limited understanding regarding mail-in voting processes to mislead and confuse the public.
Election infrastructure includes a diverse set of systems, networks, and processes. Mail-in voting is a method of administering elections. When voting by mail, authorized voters receive a ballot in the mail, either automatically or after the application process. In most implementations, the voter marks the ballot, puts the ballot in an envelope, signs an affidavit, and returns the package via mail or by dropping off at a ballot drop box or other designated location.
Currently, five states (Colorado, Hawaii, Oregon, Utah, and Washington) automatically send every registered voter a ballot by mail. At least 21 other states have laws that allow at least some elections to be conducted by mail. In addition to the five states that send every voter a ballot, five states (Arizona, California, Montana, Nevada, and New Jersey) and the District of Columbia (D.C.) allow a voter to apply to receive a mail-in ballot permanently, so that voters do not have to apply each election. Currently, 34 states and D.C. allow any registered voter to request a mail-in ballot. There are 16 states that require voters to have an excuse such as temporary absence from the voting district, illness, or disability or require voters to be of a certain age (typically 65+) to be eligible to receive a ballot by mail. Some states are recognizing COVID-19 as a valid excuse.
Although they perform similar functions, mail-in voting processes and infrastructure vary from state to state and often differ even between counties, parishes, towns, or cities within a state or territory. While each state manages and conducts mail-in elections differently based on state and local legal requirements, common risks and mitigations exist across states and implementations.
Voter registration and mail ballot application processing collects data used to determine voter eligibility, the type of ballot a voter receives, the location or address for mailing the ballot to the voter, and whether election officials can accept the ballot. Either an integrity attack or an availability attack on a voter registration system could result in a voter not being able to cast a ballot or a voter’s ballot not being counted. Integrity attacks on voter registration data and systems represent a comparatively higher risk in a mail-in voting environment than an in-person voting environment. This is because the voter is not present at the time of casting the ballot and cannot help to resolve questions regarding eligibility or verification. Mail-in voters whose registration records are altered or deleted in an integrity attack do not have the opportunity to be issued a provisional ballot, which is available to in-person voters.
- An integrity attack that removed a voter from the voter registration, permanent mail, or absentee ballot request list could result in the voter not receiving a ballot, unless the voter proactively followed up to re-register, re-apply, or if the election official received the ballot as undeliverable and contacted the voter. The impact is that a voter may not receive a ballot or receipt of a ballot may be delayed, resulting in a jurisdiction potentially not accepting a voted ballot. The voter would still possess the ability to vote in person provisionally.
- An integrity attack on a voter’s name could result in the voter receiving a ballot package that is not addressed to the proper individual. If there was an integrity attack on a voter’s identifying information (i.e., date of birth [DOB], driver’s license number [DL], last four digits of Social Security number [SSN], etc.), the voter’s proof of ID, where required, would not match the voter’s record. The voter would either need to inform the election official and update his or her voter record (assuming that the voter registration deadline has not passed), or risk having their voted ballot rejected upon receipt.
- An integrity attack on a voter’s ballot mailing address may result in the voter not receiving a ballot, unless the voter proactively updated his or her registration with the correct address, or the election official received the ballot as undeliverable and contacted the voter. This assumes that the voter registration or ballot application deadline has not passed, allowing the voter to update his or her information. The impact is that a voter may not receive a ballot, or receipt of a ballot is delayed.
- An integrity attack on a voter’s signature on file could result in the voter having the ballot package rejected and their ballot uncounted. If the state is one of the 19 that requires a voter to receive notification when there is a discrepancy with their signature or the signature on the return ballot envelope is missing (a.k.a. “cure process”), the voter may have an opportunity to correct the situation by being notified that the ballot was rejected and taking action to resolve the issue. This can be done by an election official notifying the voter or a voter checking a ballot tracking system, if available.
- An availability attack on the voter registration database or specific information, such as a list of mail voters, voter names, or addresses, could result in the delay of voters receiving their ballots, and further impact voters’ ability to return ballots on time to ensure they are counted. In most states, a ballot may be returned in person, in which case the impact of an availability attack may only affect the outbound process, providing a measure of resilience.
Date: September 3, 2020
Restriction: For Official Use Only
Originating Organization: Cyber Mission Center, Office of Intelligence and Analysis, Department of Homeland Security
File Type: pdf
File Size: 167,819 bytes
File Hash (SHA-256): CD0E044E731342D57AB13DCBB9C8B56D2D5A6295D1E51F6409461D1CAB55C61A
(U//FOUO) We assess that Russia is likely to continue amplifying criticisms of vote-by-mail and shifting voting processes amidst the COVID-19 pandemic to undermine public trust in the electoral process. Decisions made by state election officials on expanding vote-by-mail and adjusting in-person voting to accommodate challenges posed by COVID-19 have become topics of public debate. This public discussion represents a target for foreign malign influence operations that seek to undermine faith in the electoral process by spreading disinformation about the accuracy of voter data for expanded vote-by-mail, outbound/inbound mail ballot process, signature verification and cure process, modifying scale of in-person voting, and safety and health concerns at polling places, according to CISA guidance documents provided to state and local election officials. Since at least March 2020, Russian malign influence actors have been amplifying allegations of election integrity issues in new voting processes and vote-by-mail programs.
(U//FOUO) Russian state media and proxy websites in mid-August 2020 criticized the integrity of expanded and universal vote-by-mail, claiming ineligible voters could receive ballots due to out-of-date voter rolls, leaving a vast amount of ballots unaccounted for and vulnerable to tampering. These websites also alleged that vote-by-mail processes would overburden the US Postal Service and local boards of election, delaying vote tabulation and creating more opportunities for fraud and error.
(U//FOUO) Since March 2020, Russian state media and proxy websites have denigrated vote-by-mail processes, alleging they lack transparency and procedural oversight, creating vast opportunities for voter fraud. These outlets also claimed that state election officials and policymakers leveraged the COVID-19 pandemic to justify politically-expedient decisions made on holding primary elections and implementing new voting processes and vote-by-mail programs allegedly designed to benefit specific candidates and influence election outcomes.
(U//FOUO) Throughout the 2020 primary elections, Russian state media and proxy websites amplified public narratives about shortcomings in ballot delivery and processing, such as claims that voters would not receive their mail ballot in time to cast their vote. These websites highlighted reductions in the number of in-person polling places in large cities due to the pandemic and the long lines this caused, claiming this would disproportionately suppress voting among African-Americans and expose them to the spread of COVID-19.
(U//FOUO) We assess that Russian state media, proxies, and Russian-controlled social media trolls are likely to promote allegations of corruption, system failure, and foreign malign interference to sow distrust in democratic institutions and election outcomes. We base this assessment on content analysis of narratives and themes promoted by Russian state media and proxy websites throughout the 2020 election cycle concerning system integrity issues and parallels with observed Russian troll activity leading up to the 2018 and 2016 elections.
(U//FOUO) Russia continues to spread disinformation in the United States designed to undermine American confidence in democratic processes and denigrate a perceived anti-Russia establishment, using efforts such as Russian-controlled internet trolls and other proxies, according to an ODNI press statement. In the Iowa Caucuses in February, Russian state media and proxy websites claimed that the contest was fixed in favor of establishment candidates and that technical difficulties with the caucusing mobile voting application led to ballot manipulation. These outlets continued this narrative into March 2020, claiming that the Democratic Party made a corrupt back-room deal to orchestrate the exit of establishment candidates to consolidate the vote behind former Vice President Biden (USPER) in advance of the Super Tuesday primary elections.
(U) Russian malign influence actors during the 2018 US midterm election claimed they controlled the US voting systems to prompt election integrity concerns, according to press reporting. In the 2016 US presidential election, Russian social media trolls targeted specific communities and claimed the election was rigged by the establishment, encouraging these voters to stay at home or vote for third-party candidates in order to influence the election outcome, according to reports by firms with expertise in social media network analysis.
This Joint Intelligence Bulletin (JIB) is intended to provide information on Australian national and violent extremist Brenton Tarrant’s 15 March 2019 attacks on two mosques in Christchurch, New Zealand. These attacks underscore the enduring nature of violent threats posed to faith-based communities. FBI, DHS, and NCTC advise federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners responsible for securing faith-based communities in the Homeland to remain vigilant in light of the enduring threat to faith-based communities posed by domestic extremists (DEs), as well as by homegrown violent extremists (HVEs) who may seek retaliation. This JIB is provided to assist federal, state, local, tribal, and territorial counterterrorism and law enforcement officials and private sector security partners to effectively deter, prevent, preempt, or respond to incidents and terrorist attacks in the United States.
(U) Attack Details
(U//FOUO) On 15 March 2019, New Zealand police arrested an Australian national who appeared to be inspired by a white supremacist ideology and who allegedly conducted a shooting attack on two mosques in Christchurch, New Zealand. This attack highlights the enduring threat of violence posed to faith-based communities. There are currently 49 victims deceased, and 20 others are listed as being in critical condition following the attack.
» (U//FOUO) On 15 March 2019, at about 1:40 PM local time, Australian national Brenton Tarrant used firearms to attack the Masjid Al Noor Mosque in the city of Christchurch, New Zealand, before conducting a similar shooting attack at the Linwood Masjid Mosque, approximately four miles away. Tarrant drove to the attack sites and livestreamed a video of the attack. Police also discovered improvised explosive devices in a vehicle connected with the attack. Tarrant is currently the only known perpetrator; however, investigation of his movements and associates continues.
» (U//FOUO) Tarrant disseminated a manifesto prior to the shooting which detailed his concerns of perceived “white genocide.” The manifesto contains a wide range of anti-immigrant and anti-Muslim views. One reason listed as to why he carried out the attack was “to create conflict…within the United States on the ownership of firearms in order to further the social, cultural, political, and racial divide within the United states [sic].”
» (U//FOUO) Tarrant claimed to have been planning the attack for two years and recently relocated to New Zealand to live temporarily while he “planned and trained.” He claimed to have chosen to conduct his attack in Christchurch three months prior to show such attacks could happen anywhere.
(U) Mosque Attacks Could Incite Like-Minded and Retaliatory Attacks
(U//FOUO) We are concerned online sharing of Tarrant’s livestreamed footage could amplify viewer reaction to the violent attack and possibly incite similar attacks by those adhering to violent extremist ideologies in the United States and abroad, as well as retaliatory attacks from HVEs and individuals otherwise affiliated with foreign terrorist organizations. Tarrant appeared to have been influenced by prior attacks by violent extremists in the United States and other countries, and we remain concerned that US-based DEs of similar ideologies could become inspired by this attack. Although most HVEs generally do not mobilize to violence in response to specific events and instead are usually influenced by a confluence of sociopolitical, ideological, and personal factors, exceptions may occur and we remain concerned for the potential of retaliatory attacks by some HVEs, as we have already seen calls for attacks by violent extremists online.
» (U//FOUO) Tarrant claimed Norwegian mass attacker Anders Breivik gave his “blessing” for the attack. Tarrant’s ammunition cases also displayed handwritten names of violent extremists in Canada and elsewhere who previously conducted violent attacks on Muslims or in support of violent extremist ideologies.
» (U//FOUO) An examination of online jihadist media following the mosque attacks indicates various al-Qa‘ida and ISIS supporters are posting attack images to express outrage and are calling upon all Muslims to respond to the New Zealand attacks by launching their own near-term attacks in retaliation.