FBI Counterintelligence Note Warns About Chinese Talent Programs

FBI Counterintelligence Note Warns About Chinese Talent Programs

 

Chinese Talent Programs are a vital part of Chinese industry. Talent programs recruit experts to fill technical jobs that drive innovation and growth in China’s economy. National, provincial, and municipal talent recruitment programs provide opportunities for experts to work in industry and academic organizations supporting key areas deemed critical to China’s development. The talent programs recruit experts globally from businesses, industry, and universities with multiple incentives to work in China. Associating with these talent programs is legal and breaks no laws; however, individuals who agree to the Chinese terms must understand what is and is not legal under US law when sharing information. A simple download of intellectual property (IP) or proprietary information has the potential to become criminal activity.

(U//FOUO) The large number of foreign students, researchers, scientists, and professionals in the United States, combined with current technological capabilities, allows foreign governments to contact and recruit individuals with the hopes to acquire advanced technology without research costs. While the majority of the population are law abiding individuals, anyone has the capability to acquire information. The theft of information can come from current or former employees, business partners, consultants, contractors, temporary hires, foreign agents, suppliers, or even vendors who have access to proprietary information.

(U) Recruiting these individuals allows China to:

  • (U//FOUO) Gain access to research and expertise for cutting edge technology
  • (U//FOUO) Benefit from years of scientific research conducted in the United States supported by US Government grants and private funding
  • (U//FOUO) Severely impact the US economy.

(U) The goal of this SPIN is to provide an overview of the potential threats posed by the Chinese Talent Programs.

(U) THOUSAND TALENTS PROGRAM

(U//FOUO) China’s most prominent national talent recruitment program is the “Recruitment Program of Global Experts,” which is commonly known as the Thousand Talents Program. It focuses on identifying key national-level organizations and associ-ated personnel involved in implementation and management.

(U) Its goal is to recruit ethnic Chinese experts from Western universities, research cen-ters, and private companies to boost China’s national capabilities in the science and technology (S&T) fields and to move China forward as an innovative nation. The pro-gram also implemented sub-programs for both young and foreign (non-ethnic Chinese) experts.

(U//FOUO) Originally, this program had a five-to-ten year goal of recruiting 2,000 profes-sionals worldwide who could lead innovation and pioneering work in key technologies, and promote the development of emerging industries. However, this program expanded its scope — recruiting far more than the initial goal of 2,000 individuals — and extended its life through at least 2020.

(U) In order to be eligible as a candidate for the Thousand Talents Program, an individual must be in a field of study the Chi-nese Academy of Science (CAS) deems critical or meet the following criteria:

  • (U) Expert or scholar with full professorship in a prestigious foreign university or research and development (R&D) insti-tute
  • (U) Technical managerial professional in a senior position at an internationally known company or financial institution
  • (U) Entrepreneur holding IP rights or key technologies and possesses overseas experience

(U) THREAT TO US BUSINESS AND UNIVERSITIES

(U//FOUO) Chinese Talent Programs pose a serious threat to US businesses and universities through economic espionage and theft of IP. The different programs focus on specific fields deemed critical to China, to boost China’s national capability in S&T fields. These subject mat-ter experts often are not required to sign non-disclosure agreements with US entities, which could result in lost of unprotected information that jeopardizes contracts or research funding. One of the greatest threats toward these experts is transferring or transporting proprietary, classified, or export-controlled information, or IP, which can lead to criminal charges.

(U//FOUO) The threat not only targets businesses or universities but potentially targets the researchers or scientists themselves. The technology researched or developed not only costs millions of dollars but costs years, if not decades to develop. Additionally, the theft of informa-tion or IP creates a risk that someone else could take credit for the researcher’s efforts. The information stolen can be recreated, resold or claimed by others, which in turn will cost the originator creditability and potential funding for future endeavors.

(U) Theft of intellectual property is an increasing threat to organizations and can go unnoticed for months or even years. In today’s society, technology affords easier access to every aspect of academia and business. Some of these tools have become effective for recruiting, such as social media. Social media websites often display large amounts of personal data, such as who an individual works for, phone numbers, known associates, previous jobs, and locations. Additionally, websites like LinkedIn have full resumes, detailing the history of an individual’s achievements and accomplishments.

(U) The FBI assesses each year the United States loses billions of dollars due to technology transfer. While it is important to conduct collaborative research, it is vital for the survival of US businesses and universities that they protect their information and mitigate lost or stolen in-formation.

Escalating Tensions Between the United States and Iran Pose Potential Threats to the United States

Escalating Tensions Between the United States and Iran Pose Potential Threats to the United States

 

 

The Joint Intelligence Bulletin (JIB) is planned to help bureaucratic, state, nearby, innate, and regional counterterrorism, digital, and law implementation authorities, and private segment accomplices, to viably stop, forestall, appropriate, or react to episodes, deadly tasks, or fear based oppressor assaults in the United States that could be led by or for the benefit of the Government of Iran (GOI) if the GOI were to see activities of the United States Government (USG) as demonstrations of war or existential dangers to the Iranian system. The GOI could act straightforwardly or enroll the participation of intermediaries and accomplices, for example, Lebanese Hizballah. The FBI, DHS, and NCTC had evaluated any active retaliatory assault would initially happen abroad. In the occasion the GOI were to decide to direct a Homeland assault, potential targets and strategies for assault in the Homeland could run from digital activities, to focused deaths of people considered dangers to the Iranian system, to damage of open or private foundation, including US army installations, oil and gas offices, and open tourist spots. USG activities may likewise incite vicious radical supporters of the GOI to submit assaults in retaliation, with next to zero notice, against US-based Iranian protesters, Jewish, Israeli, and Saudi people and interests, and USG faculty.

(U//FOUO) Immediate Response in Homeland Could Take Form of Cyber Operations

(U//FOUO) The FBI, DHS, and NCTC survey a prompt GOI reaction in the Homeland could appear as endeavored digital activities against USG offices and systems, including US military frameworks, and basic private part works, given that such tasks could be endeavored by Iran-based digital entertainers without the need of building up a US nearness. The US Intelligence Community has evaluated that Iran keeps on getting ready for digital assaults against the United States and partners. It is fit for causing confined, impermanent problematic impacts during a digital assault on unfortunate casualty systems. Verifiably, Iran has demonstrated the capacity to complete troublesome and ruinous digital assaults against open and private business systems, for example, expanded dispersed forswearing of-administration (DDoS) battles and information erasure assaults.

(U//FOUO) Iran speaks to a digital secret activities and assault risk, utilizing progressively refined digital methods and endeavoring to convey digital abilities that would empower assaults against basic foundation in the United States. Tehran’s general hazard math for a digital reaction likely will change dependent on the US strike, which Iranian pioneers have vocally depicted as escalatory, and hostile digital activities are probably going to be considered as retaliatory alternatives. Malignant action and observation may not really happen from Iranian Internet Protocol (IP) space, as on-screen characters may utilize midpoint framework in different nations. All things considered, traffic from Iranian IP locations may not be demonstrative of malignant movement. The FBI, DHS, and NCTC stress great digital cleanliness, for example, fixing frameworks and instructing work force to make preparations for generally utilized digital entertainer procedures, for example, social building and lance phishing.

(U//FOUO) Potential for GOI-Directed Lethal Attacks in the Homeland

(U//FOUO) as of late, the USG has captured a few people following up in the interest of either the GOI or Lebanese Hizballah who have directed reconnaissance demonstrative of possibility making arrangements for deadly assaults in the United States against offices and people.

» (U//FOUO) A specialist of the GOI captured in 2018 had led observation of Hillel CenterUSPER and Rohr Chabad CenterUSPER, Jewish establishments situated in Chicago, including shooting the security highlights encompassing the Chabad Center.

» (U//FOUO) Three Lebanese Hizballah External Security Organization (ESO) agents captured somewhere in the range of 2017 and 2019 had directed reconnaissance of US military and law implementation offices, basic foundation, private segment scenes, and open tourist spots in New York City, Boston, and Washington, DC.

(U//FOUO) The GOI likewise has a background marked by directing deaths and death endeavors against people in the United States it regards a danger to the Iranian system. The GOI killed the US-based previous representative for the Shah of the Iran in 1980 and plotted to kill the Saudi Arabian envoy to the United States in 2011. In August 2018, the USG captured two people for going about as operators of the GOI by directing incognito reconnaissance of Iranian protesters in New York City and Washington, DC, and the previously mentioned security highlights of Jewish offices in Chicago.

 

Website Defacement Activity Indicators of Compromise and Techniques Used to Disseminate Pro-Iranian Messages

Website Defacement Activity Indicators of Compromise and Techniques Used to Disseminate Pro-Iranian Messages

Following a week ago’s US airstrikes against Iranian military initiative, the FBI watched expanded revealing of site ruination movement spreading Pro-Iranian messages. The FBI accepts a few of the site disfigurement were the consequence of digital on-screen characters misusing realized vulnerabilities in content administration frameworks (CMSs) to transfer ruination documents. The FBI exhorts associations and individuals worried about Iranian digital focusing on be acquainted with the markers, strategies, and procedures gave in this FLASH, just as strategies and methods gave in as of late spread Private Industry Notification “Notice on Iranian Cyber Tactics and Techniques” (20200109-001, 9 January 2020).

Specialized Details:

The FBI recognized malevolent on-screen characters utilizing known vulnerabilities in CMSs to transfer ruination pictures onto injured individual sites. The FBI trusts one on-screen character utilized realized vulnerabilities permitting remote execution by means of treat and remote establishment. The FBI likewise distinguished that one of the records utilized in a destruction was presented on a site where the server facilitating the undermined site was designed so outer clients could direct HTTP POSTs. The FBI watched the utilization of a HTTP PUT direction to transfer a destruction document to an injured individual server.

The FBI notes various on-screen characters directed site mutilation movement with genius Iranian messages. Accordingly, the IP locations and procedures utilized will change. The FBI distinguished the underneath groupings of destruction movement.

One lot of mutilation action utilized the beneath record:

Filename MD5

Default.aspx

87b3b80bb214c0f5cfa20771dd6625f2

The accompanying connections, contact data, and strings were remembered for a disfigurement record:

http://yon%5B.%5Dir/6YL2X

https://t%5B.%5Dme/ZetaTech_iR2

https://instagram%5B.%5Dcom/Mrb3hz4d

hackedbymrb3hz4d(at)gmail[.]com

The accompanying IP addresses are related with the on-screen character connected to the disfigurement action with the above referenced connections, contact data, and strings:

IP Address

83.123.83[.]61

196.64.50[.]13

A second arrangement of destruction movement was distinguished utilizing the underneath record:

Filename

hardrevenge11.html

The FBI takes note of the above mutilation picture was transferred by means of a HTTP PUT order. The accompanying IP address is related with the on-screen character connected to this arrangement of ruination action:

IP Address

2.182.188[.]39

A third arrangement of mutilation action was distinguished utilizing the underneath IP address:

IP Address

212.92.114[.]228

The FBI notes for this mutilation action, the on-screen character had the option to direct a HTTP POST of a document utilized in a destruction.

Best Practices for Network Security and Defense:

Utilize customary updates to applications and the host working framework to guarantee insurance against known vulnerabilities.

Set up, and reinforcement disconnected, a “known decent” adaptation of the pertinent server and an ordinary change-the board arrangement to empower checking for modifications to servable substance with a document honesty framework.

Utilize client input approval to confine nearby and remote record incorporation vulnerabilities.

Execute a least-benefits approach on the Webserver to:

o Reduce foes’ capacity to raise benefits or turn horizontally to different hosts.

o Control creation and execution of records specifically catalogs.

If not effectively present, consider sending a peaceful area (DMZ) between the Web-confronting frameworks and corporate system. Constraining the communication and logging traffic between the two gives a technique to recognize conceivable noxious movement.

Guarantee a protected arrangement of Webservers. Every single pointless assistance and ports ought to be incapacitated or blocked. Every essential assistance and ports ought to be confined where plausible. This can incorporate whitelisting or blocking outside access to organization boards and not utilizing default login qualifications.

Utilize a switch intermediary or elective support of limit available URL ways to known authentic ones.

Direct customary framework and application weakness sweeps to build up regions of hazard. While this strategy doesn’t secure against multi day assaults, it will feature potential zones of concern.

Convey a Web application firewall, and direct ordinary infection signature checks, application fluffing, code audits, and server arrange examination.

Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication

The FBI has watched digital entertainers bypassing multifaceted verification through normal social building and specialized assaults. This Stick clarifies these techniques and offers relief procedures for associations and elements utilizing multifaceted confirmation in their security endeavors. Multifaceted validation keeps on being a solid and compelling safety effort to secure online records, as long as clients play it safe to guarantee they don’t succumb to these assaults.

Multifaceted validation is the utilization of an assortment of strategies to affirm a client’s personality rather than just utilizing a username and secret phrase. Regularly this sort of verification utilizes an optional token which changes after some time to give a one-time password, yet numerous organizations currently utilize biometrics or social data, for example, time of day, geolocation, or IP address—as a type of validation.

Danger Diagram

FBI detailing distinguished a few strategies digital on-screen characters use to go around prevalent multifaceted verification systems so as to acquire the one-time password and access ensured accounts. The essential techniques are social building assaults which assault the clients and specialized assaults which target web code.

In 2019 a US banking establishment was focused by a digital assailant who had the option to exploit a blemish in the bank’s site to evade the two-factor confirmation actualized to ensure accounts. The digital assailant signed in with taken injured individual accreditations and, when arriving at the optional page where the client would typically need to enter a Stick and answer a security question, the aggressor entered a controlled string into the Internet URL setting the PC as one perceived on the record. This enabled him to sidestep the Stick and security question pages and start wire moves

from the exploited people’s records.

In 2016 clients of a US banking establishment were focused by a digital assailant who ported their telephone numbers to a telephone he possessed—an assault called SIM swapping. The aggressor considered the telephone organizations’ client care delegates, discovering some who were all the more ready to give him data to finish the SIM swap. When the aggressor had command over the clients’ telephone numbers, he called the bank to demand a wire move from the unfortunate casualties’ records to another record he possessed. The bank,

perceiving the telephone number as having a place with the client, didn’t request full security questions yet mentioned a one-time code sent to the telephone number from which he was calling. He additionally mentioned to change PINs and passwords and had the option to connect unfortunate casualties’ charge card numbers to a versatile installment application.

Through the span of 2018 and 2019, the FBI’s Web Wrongdoing Grievance Center and FBI unfortunate casualty grumblings watched the above assault—SIM swapping—as a typical strategy from digital culprits trying to go around two-factor validation. Casualties of these assaults have had their telephone numbers taken, their financial balances depleted, and their passwords and PINs changed. A large number of these assaults depend on socially building client care agents for significant telephone organizations, who offer data to the assailants.

In February 2019 a digital security master at the RSA Gathering in San Francisco, exhibited a huge assortment of plans and assaults digital on-screen characters could use to dodge multifaceted validation. The security master exhibited ongoing instances of how digital entertainers could utilize man-in-the-center assaults and session capturing to block the traffic between a client and a site to lead these assaults and keep up access for whatever length of time that conceivable. He likewise showed social building assaults, including phishing plans or fake instant messages implying to be a bank or other help to make a client sign into a phony site and surrender their private data.

At the June 2019 Hack-in-the-Crate gathering in Amsterdam, digital security specialists exhibited a couple of devices—Muraena and NecroBrowser—which worked pair to robotize a phishing plan against clients of multifaceted confirmation. The Muraena instrument captures traffic between a client and an objective site where they are mentioned to enter login qualifications and a token code not surprisingly. When validated, NecroBrowser stores the information for the casualties of this assault and seizes the session treat, permitting digital on-screen characters to sign into these private records, take them over, and change client passwords and recuperation email addresses while keeping up access as far as might be feasible.

Moderation Systems

Guarding against multifaceted confirmation assaults requires consciousness of the assaults which evade the security and consistent watchfulness for social designing assaults.

Instruct clients and heads to distinguish social building deceit—how to perceive counterfeit sites, not tap on maverick connections in email, or square those connections altogether—and show them how to deal with basic social designing strategies.

Consider utilizing extra or progressively complex types of multifaceted validation for clients and overseers, for example, biometrics or conduct verification strategies, however this may add burden to these clients.

FBI Cyber Research revealed

The FBI identified incidents over the past few months in which cyber actors scanned for and sought to exploit audio and visual communication devices on networks to identify vulnerabilities which could later be used to gain access and unlawfully acquire information about the organization. In addition to targeting corporate information, vulnerable devices may be targeted for compromise for use in botnets or other criminal activities. The types of devices targeted include: Voice over Internet Protocol (VoIP) phones, video conferencing equipment, conference phones, VoIP routers, and cloud-based communication systems. While cyber actors have targeted VoIP and other communication devices in the past, the FBI continues to see these devices scanned by cyber actors for vulnerabilities.

Threat

Specifically, the FBI observed cyber actors identifying and probing communication devices by issuing HTTP GET requestsa to a business server or network to retrieve device configuration files. Information contained in configuration files often reveals IP addresses, usernames, passwords, system management URLs, and assigned phone numbers – all of which could be used by cyber actors for malicious purposes. Many of the requests are specific to particular brands of devices. Victims will often receive several GET requests in succession with the actors scanning for multiple brands of devices.

In addition, cyber actors retrieve IP addresses for further exploitation by using businesses’ customer service VoIP hyperlinks, which are traditionally made available for customers to use in contacting the business. Once those hyperlinked calls are answered, the actor retrieves the IP address belonging to the phone which answered the call. Once the IP address is retrieved, an actor could send a large volume of packets to the IP address, overloading it and taking the service offline for the targeted business and its legitimate customers.

In addition to the above techniques, cyber actors target devices with brute-force attacks, attempting unauthorized access through the use of common usernames and passwords. Open source scanning tools can also be used to identify vulnerable communication devices and any associated ports.

All of the information obtained through scans and other methods are likely used for specific targeting efforts by cyber actors. This includes leveraging access to compromised audio and video devices to eavesdrop on meetings or conference calls, placing fraudulent international phone calls, leveraging the compromised device for use in botnets, and conducting man-in-the-middle attacks to redirect corporate network traffic.

Recommendations

The following recommendations may limit the success of these types of attacks:

Conduct daily server log reviews to identify unusual activity, including GET and POST requests from external IP addresses.

Work with the communication device/system providers to ensure servers are patched and updated regularly.

Consider restricting access to configuration files or configuring firewalls to block traffic from unauthorized IP addresses.

Restrict communication devices/systems to only non-sensitive business networks.

Conduct regular penetration testing exercises on communication devices to identify and address vulnerabilities in a timely matter.

Enable encryption on teleconference programs and applications and consider disabling auto-answer capabilities.

Password protect configuration files, if possible.

Regularly review and update users with access to administrative accounts.

Segment configuration files on the network. Be sure to protect configuration and other device-related files after getting the device out of the box. Don’t just plug and play.

 

Christchurch May Inspire Other Terrorists – DHS-FBI

Christchurch May Inspire Other Terrorists – DHS-FBI

This Joint Intelligence Bulletin (JIB) is intended to provide information on Australian national and violent extremist Brenton Tarrant’s 15 March 2019 attacks on two mosques in Christchurch, New Zealand. These attacks underscore the enduring nature of violent threats posed to faith-based communities. FBI, DHS, and NCTC advise federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners responsible for securing faith-based communities in the Homeland to remain vigilant in light of the enduring threat to faith-based communities posed by domestic extremists (DEs), as well as by homegrown violent extremists (HVEs) who may seek retaliation. This JIB is provided to assist federal, state, local, tribal, and territorial counterterrorism and law enforcement officials and private sector security partners to effectively deter, prevent, preempt, or respond to incidents and terrorist attacks in the United States.

(U) Attack Details

(U//FOUO) On 15 March 2019, New Zealand police arrested an Australian national who appeared to be inspired by a white supremacist ideology and who allegedly conducted a shooting attack on two mosques in Christchurch, New Zealand. This attack highlights the enduring threat of violence posed to faith-based communities. There are currently 49 victims deceased, and 20 others are listed as being in critical condition following the attack.

» (U//FOUO) On 15 March 2019, at about 1:40 PM local time, Australian national Brenton Tarrant used firearms to attack the Masjid Al Noor Mosque in the city of Christchurch, New Zealand, before conducting a similar shooting attack at the Linwood Masjid Mosque, approximately four miles away. Tarrant drove to the attack sites and livestreamed a video of the attack. Police also discovered improvised explosive devices in a vehicle connected with the attack. Tarrant is currently the only known perpetrator; however, investigation of his movements and associates continues.

» (U//FOUO) Tarrant disseminated a manifesto prior to the shooting which detailed his concerns of perceived “white genocide.” The manifesto contains a wide range of anti-immigrant and anti-Muslim views. One reason listed as to why he carried out the attack was “to create conflict…within the United States on the ownership of firearms in order to further the social, cultural, political, and racial divide within the United states [sic].”

» (U//FOUO) Tarrant claimed to have been planning the attack for two years and recently relocated to New Zealand to live temporarily while he “planned and trained.” He claimed to have chosen to conduct his attack in Christchurch three months prior to show such attacks could happen anywhere.

(U) Mosque Attacks Could Incite Like-Minded and Retaliatory Attacks

(U//FOUO) We are concerned online sharing of Tarrant’s livestreamed footage could amplify viewer reaction to the violent attack and possibly incite similar attacks by those adhering to violent extremist ideologies in the United States and abroad, as well as retaliatory attacks from HVEs and individuals otherwise affiliated with foreign terrorist organizations. Tarrant appeared to have been influenced by prior attacks by violent extremists in the United States and other countries, and we remain concerned that US-based DEs of similar ideologies could become inspired by this attack. Although most HVEs generally do not mobilize to violence in response to specific events and instead are usually influenced by a confluence of sociopolitical, ideological, and personal factors, exceptions may occur and we remain concerned for the potential of retaliatory attacks by some HVEs, as we have already seen calls for attacks by violent extremists online.

» (U//FOUO) Tarrant claimed Norwegian mass attacker Anders Brevik gave his “blessing” for the attack. Tarrant’s ammunition cases also displayed handwritten names of violent extremists in Canada and elsewhere who previously conducted violent attacks on Muslims or in support of violent extremist ideologies.

» (U//FOUO) An examination of online jihadist media following the mosque attacks indicates various al-Qa‘ida and ISIS supporters are posting attack images to express outrage and are calling upon all Muslims to respond to the New Zealand attacks by launching their own near-term attacks in retaliation.

FBI Cyber Unit Identifies Campaigns Against Students

Image result for fbi cyber crimes

The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. In general, the spearphishing emails request students’ login credentials for the University’s internal intranet. The cyber criminals then capture students’ login credentials, and after gaining access, change the students’ direct deposit destination to bank accounts within the threat actor’s control.

Threat

In February 2018, the FBI received notification of a spearphishing campaign targeting students at an identified University in the south eastern United States. The campaign occurred in January 2018 when an unidentified number of students attending the University received an email requesting their login credentials for the University’s internal intranet. Using the University’s intranet portal, the cyber criminals accessed a third-party vendor that manages the disbursement of financial aid to students and changed the direct deposit information for 21 identified students to bank accounts under the cyber criminal’s control. The threat actor stole approximately $75,000 from the 21 students. The student accounts were accessed by at least 13 identified US Internet Protocol (IP) addresses.

On 31 August 2018, the Department of Education identified a similar spearphishing campaign targeting multiple institutions of higher education. In this campaign, the cyber criminals sent students an email inviting them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, the cyber criminals changed the students’ direct deposit destinations to bank accounts under the threat actor’s control.

The nature of the spearphishing emails indicates the cyber criminals conducted reconnaissance of the target institutions and understand the schools’ use of student portals and third-party vendors for processing student loan payment information. In addition, the timing of the campaigns indicates the cyber criminals almost certainly launched these campaigns to coincide with periods when financial aid funds are disseminated in large volumes.

Recommendations

The FBI recommends providers implement the preventative measures listed below to help secure their systems from attacks:

Notify all students of the phishing attempts and encourage them to be extra vigilant
Implement two-factor authentication for access to sensitive systems and information
Monitor student login attempts from unusual IP addresses and other anomalous activity
Educate students on appropriate preventative and reactive actions to known criminal schemes and social engineering threats
Apply extra scrutiny to e-mail messages with links or attachments directed toward students
Apply extra scrutiny to bank information initiated by the students seeking to update or change direct deposit credentials
Direct students to forward any suspicious requests for personal information to the information technology or security department