Chinese Talent Programs are a vital part of Chinese industry. Talent programs recruit experts to fill technical jobs that drive innovation and growth in China’s economy. National, provincial, and municipal talent recruitment programs provide opportunities for experts to work in industry and academic organizations supporting key areas deemed critical to China’s development. The talent programs recruit experts globally from businesses, industry, and universities with multiple incentives to work in China. Associating with these talent programs is legal and breaks no laws; however, individuals who agree to the Chinese terms must understand what is and is not legal under US law when sharing information. A simple download of intellectual property (IP) or proprietary information has the potential to become criminal activity.
(U//FOUO) The large number of foreign students, researchers, scientists, and professionals in the United States, combined with current technological capabilities, allows foreign governments to contact and recruit individuals with the hopes to acquire advanced technology without research costs. While the majority of the population are law abiding individuals, anyone has the capability to acquire information. The theft of information can come from current or former employees, business partners, consultants, contractors, temporary hires, foreign agents, suppliers, or even vendors who have access to proprietary information.
(U) Recruiting these individuals allows China to:
- (U//FOUO) Gain access to research and expertise for cutting edge technology
- (U//FOUO) Benefit from years of scientific research conducted in the United States supported by US Government grants and private funding
- (U//FOUO) Severely impact the US economy.
(U) The goal of this SPIN is to provide an overview of the potential threats posed by the Chinese Talent Programs.
(U) THOUSAND TALENTS PROGRAM
(U//FOUO) China’s most prominent national talent recruitment program is the “Recruitment Program of Global Experts,” which is commonly known as the Thousand Talents Program. It focuses on identifying key national-level organizations and associated personnel involved in implementation and management.
(U) Its goal is to recruit ethnic Chinese experts from Western universities, research centers, and private companies to boost China’s national capabilities in the science and technology (S&T) fields and to move China forward as an innovative nation. The program also implemented sub-programs for both young and foreign (non-ethnic Chinese) experts.
(U//FOUO) Originally, this program had a five-to-ten year goal of recruiting 2,000 professionals worldwide who could lead innovation and pioneering work in key technologies, and promote the development of emerging industries. However, this program expanded its scope — recruiting far more than the initial goal of 2,000 individuals — and extended its life through at least 2020.
(U) In order to be eligible as a candidate for the Thousand Talents Program, an individual must be in a field of study the Chinese Academy of Science (CAS) deems critical or meet the following criteria:
- (U) Expert or scholar with full professorship in a prestigious foreign university or research and development (R&D) institute
- (U) Technical managerial professional in a senior position at an internationally known company or financial institution
- (U) Entrepreneur holding IP rights or key technologies and possesses overseas experience
(U) THREAT TO US BUSINESS AND UNIVERSITIES
(U//FOUO) Chinese Talent Programs pose a serious threat to US businesses and universities through economic espionage and theft of IP. The different programs focus on specific fields deemed critical to China, to boost China’s national capability in S&T fields. These subject matter experts often are not required to sign non-disclosure agreements with US entities, which could result in the loss of unprotected information that jeopardizes contracts or research funding. One of the greatest threats toward these experts is transferring or transporting proprietary, classified, or export-controlled information, or IP, which can lead to criminal charges.
(U//FOUO) The threat not only targets businesses or universities but potentially targets the researchers or scientists themselves. The technology researched or developed not only costs millions of dollars but costs years, if not decades, to develop. Additionally, the theft of information or IP creates a risk that someone else could take credit for the researcher’s efforts. The information stolen can be recreated, resold, or claimed by others, which in turn will cost the originator credibility and potential funding for future endeavors.
(U) Theft of intellectual property is an increasing threat to organizations and can go unnoticed for months or even years. In today’s society, technology affords easier access to every aspect of academia and business. Some of these tools have become effective for recruiting, such as social media. Social media websites often display large amounts of personal data, such as who an individual works for, phone numbers, known associates, previous jobs, and locations. Additionally, websites like LinkedIn have full resumes, detailing the history of an individual’s achievements and accomplishments.
(U) The FBI assesses each year the United States loses billions of dollars due to technology transfer. While it is important to conduct collaborative research, it is vital for the survival of US businesses and universities that they protect their information and mitigate lost or stolen information.
This Joint Intelligence Bulletin (JIB) is intended to assist federal, state, local, tribal, and territorial counterterrorism, cyber, and law enforcement officials, and private sector partners, to effectively deter, prevent, preempt, or respond to incidents, lethal operations, or terrorist attacks in the United States that could be conducted by or on behalf of the Government of Iran (GOI) if the GOI were to perceive actions of the United States Government (USG) as acts of war or existential threats to the Iranian regime. The GOI could act directly or enlist the cooperation of proxies and partners, such as Lebanese Hizballah. The FBI, DHS, and NCTC assess any kinetic retaliatory attack would first occur overseas. In the event the GOI were to decide to conduct a Homeland attack, potential targets and methods of attack in the Homeland could range from cyber operations, to targeted assassinations of individuals deemed threats to the Iranian regime, to sabotage of public or private infrastructure, including US military bases, oil and gas facilities, and public landmarks. USG actions may also provoke violent extremist supporters of the GOI to commit attacks in retaliation, with little to no warning, against US-based Iranian dissidents, Jewish, Israeli, and Saudi individuals and interests, and USG personnel.
(U//FOUO) Immediate Response in Homeland Could Take Form of Cyber Operations
(U//FOUO) The FBI, DHS, and NCTC assess an immediate GOI response in the Homeland could take the form of attempted cyber operations against USG facilities and networks, including US military systems, and critical private sector functions, given that such operations could be attempted by Iran-based cyber actors without the need to establish a US presence. The US Intelligence Community has assessed that Iran continues to prepare for cyber attacks against the United States and allies. It is capable of causing localized, temporary disruptive effects during a cyber attack on victim networks. Historically, Iran has demonstrated the ability to carry out disruptive and destructive cyber attacks against public and private business networks, such as extended distributed denial-of-service (DDoS) campaigns and data deletion attacks.
(U//FOUO) Iran represents a cyber espionage and attack threat, using increasingly sophisticated cyber techniques and attempting to deploy cyber capabilities that would enable attacks against critical infrastructure in the United States. Tehran’s overall risk calculus for a cyber response likely will change based on the US strike, which Iranian leaders have vocally described as escalatory, and offensive cyber operations are likely to be considered as retaliatory options. Malicious activity and reconnaissance may not necessarily originate from Iranian Internet Protocol (IP) space, as actors may use midpoint infrastructure in other countries. As such, traffic from Iranian IP addresses may not be indicative of malicious activity. The FBI, DHS, and NCTC emphasize good cyber hygiene, such as patching systems and educating personnel to guard against commonly used cyber actor techniques, such as social engineering and spear phishing.
(U//FOUO) Potential for GOI-Directed Lethal Attacks in the Homeland
(U//FOUO) Recently, the USG has arrested several individuals acting on behalf of either the GOI or Lebanese Hizballah who have conducted surveillance indicative of contingency planning for lethal attacks in the United States against facilities and individuals.
» (U//FOUO) An agent of the GOI arrested in 2018 had conducted surveillance of Hillel CenterUSPER and Rohr Chabad CenterUSPER, Jewish institutions located in Chicago, including filming the security features surrounding the Chabad Center.
» (U//FOUO) Three Lebanese Hizballah External Security Organization (ESO) operatives arrested between 2017 and 2019 had conducted surveillance of US military and law enforcement facilities, critical infrastructure, private sector venues, and public landmarks in New York City, Boston, and Washington, DC.
(U//FOUO) The GOI also has a history of conducting assassinations and assassination attempts against individuals in the United States it deems a threat to the Iranian regime. The GOI assassinated the US-based former spokesman for the Shah of Iran in 1980 and plotted to assassinate the Saudi Arabian ambassador to the United States in 2011. In August 2018, the USG arrested two individuals for acting as agents of the GOI by conducting covert surveillance of Iranian dissidents in New York City and Washington, DC, and the aforementioned security features of Jewish facilities in Chicago.
Following last week’s US airstrikes against Iranian military leadership, the FBI observed increased reporting of website defacement activity disseminating pro-Iranian messages. The FBI believes several of the website defacements were the result of cyber actors exploiting known vulnerabilities in content management systems (CMSs) to upload defacement files. The FBI advises organizations and individuals concerned about Iranian cyber targeting to be familiar with the indicators, tactics, and techniques provided in this FLASH, as well as the tactics and techniques provided in the recently disseminated Private Industry Notification “Notice on Iranian Cyber Tactics and Techniques” (20200109-001, 9 January 2020).
The FBI identified malicious actors using known vulnerabilities in CMSs to upload defacement images onto victim websites. The FBI believes one actor used known vulnerabilities allowing remote execution via cookie and remote installation. The FBI also identified that one of the files used in a defacement was posted on a website where the server hosting the compromised site was configured so that external users could conduct HTTP POSTs. The FBI observed the use of an HTTP PUT command to upload a defacement file to a victim server.
The FBI notes multiple actors conducted website defacement activity with pro-Iranian messages. Accordingly, the IP addresses and techniques used will vary. The FBI identified the below groupings of defacement activity.
One set of defacement activity used the below file:
The following links, contact information, and strings were included in a defacement file:
The following IP addresses are associated with the actor linked to the defacement activity with the above-referenced links, contact information, and strings:
A second set of defacement activity was identified using the below file:
The FBI notes the above defacement image was uploaded via an HTTP PUT command. The following IP address is associated with the actor linked to this set of defacement activity:
A third set of defacement activity was identified using the below IP address:
The FBI notes that for this defacement activity, the actor was able to conduct an HTTP POST of a file used in a defacement.
Best Practices for Network Security and Defense:
Employ regular updates to applications and the host operating system to ensure protection against known vulnerabilities.
Establish, and back up offline, a “known good” version of the relevant server and a regular change-management policy to enable monitoring for alterations to servable content with a file integrity system.
Employ user input validation to restrict local and remote file inclusion vulnerabilities.
Implement a least-privilege policy on the web server to:
o Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts.
o Control creation and execution of files in particular directories.
If not already present, consider deploying a demilitarized zone (DMZ) between the web-facing systems and the corporate network. Limiting the interaction and logging the traffic between the two provides a method to identify possible malicious activity.
Ensure a secure configuration of web servers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.
Use a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.
Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero-day attacks, it will highlight potential areas of concern.
Deploy a web application firewall, and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
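The "known good" baseline with a file integrity system recommended above is the control that would surface the uploads described in this FLASH (a defacement image dropped into the web root via HTTP PUT or POST, or a landing page overwritten). The following is an added example, not code from the FBI or from any of the organizations named, of the minimal version of that control: hash every servable file, keep the hash list offline, and diff the live web root against it on a schedule. The web root, file names, and byte contents in the demo are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: the web root is a directory of static, servable files and the
# baseline JSON produced by build_baseline() is copied to offline storage.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files stay out of memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> dict:
    """Map every servable file (relative POSIX path) to its hash."""
    return {
        p.relative_to(web_root).as_posix(): hash_file(p)
        for p in sorted(web_root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict, web_root: Path) -> dict:
    """Report files that appeared, vanished, or changed since the baseline.

    An uploaded defacement file shows up under 'added'; an overwritten
    landing page shows up under 'modified'.
    """
    current = build_baseline(web_root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name, digest in baseline.items()
            if name in current and current[name] != digest
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate a defacement, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "images").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Example Co.</h1>\n")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG constructed sample")

        # The serialized baseline is what would be copied offline.
        offline_copy = json.dumps(build_baseline(root))

        # Simulate what the FLASH describes: a new image written into the
        # web root and the landing page overwritten.
        (root / "images" / "defaced.jpg").write_bytes(b"\xff\xd8 constructed sample")
        (root / "index.html").write_text("<h1>site defaced</h1>\n")

        return compare_to_baseline(json.loads(offline_copy), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison from a host other than the web server (or at least with the baseline mounted read-only), since an actor who can write to the web root can also rewrite a baseline stored beside it; the point of keeping the copy offline is that the diff stays trustworthy after a compromise.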
The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks. This PIN explains these methods and offers mitigation strategies for organizations and entities using multi-factor authentication in their security efforts. Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.
Multi-factor authentication is the use of a variety of methods to confirm a user’s identity instead of simply using a username and password. Often this type of authentication uses a secondary token which changes over time to provide a one-time passcode, but many companies now use biometrics or behavioral information, such as time of day, geolocation, or IP address, as a form of authentication.
FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts. The primary methods are social engineering attacks, which target the users, and technical attacks, which target web code.
In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.
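The 2019 case above is a web-code defect: whether the step-up page appears is decided by something the client sends. The following is an added example, not code from the PIN or from the bank involved, of that weak pattern next to a server-side replacement. The hardened version only skips the PIN and security-question step for a device token the server itself minted (after the user completed the full step on that device), bound to the account and signed with a server-only key, so no URL string the client types can flip the decision. All names, the token format, and the key are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumption: this key exists only on the server (generated fresh for the demo).
SERVER_SECRET = secrets.token_bytes(32)


def step_up_required_vulnerable(request_url: str) -> bool:
    """Weak pattern (constructed to mirror the case described above):
    the decision to show the PIN/security-question page depends on a
    parameter the client controls, so anyone holding stolen credentials
    can append trusted_device=1 to the URL and skip it."""
    params = parse_qs(urlparse(request_url).query)
    return params.get("trusted_device", ["0"])[0] != "1"


def issue_device_token(account_id: str, device_id: str, ttl_seconds: int = 30 * 24 * 3600) -> str:
    """Called by the server only after the user completed the full PIN and
    security-question step on this device. Format: account|device|expiry|mac."""
    expires = int(time.time()) + ttl_seconds
    payload = f"{account_id}|{device_id}|{expires}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def step_up_required_hardened(account_id: str, device_token: Optional[str],
                              now: Optional[int] = None) -> bool:
    """Skip step-up only for a token the server signed, for this account,
    that has not expired. Anything else falls through to the PIN page."""
    if not device_token:
        return True
    parts = device_token.split("|")
    if len(parts) != 4:
        return True
    token_account, device_id, expires, mac = parts
    payload = f"{token_account}|{device_id}|{expires}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return True  # forged or tampered token
    if token_account != account_id:
        return True  # token was issued to a different account
    current = now if now is not None else int(time.time())
    if int(expires) < current:
        return True  # expired; user must complete step-up again
    return False
```

The token would normally travel in an HttpOnly, Secure cookie set at the end of a successful step-up. The MAC check comes first so that a tampered expiry or account field is rejected before it is parsed; `hmac.compare_digest` keeps the comparison constant-time.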
In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned, an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to provide him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask the full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.
Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack, SIM swapping, as a common tactic from cyber criminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.
In February 2019 a cyber security expert at the RSA Conference in San Francisco demonstrated a large variety of schemes and attacks cyber actors could use to circumvent multi-factor authentication. The security expert presented real-time examples of how cyber actors could use man-in-the-middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible. He also demonstrated social engineering attacks, including phishing schemes or fraudulent text messages purporting to be a bank or other service to cause a user to log into a fake website and give up their private information.
At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools, Muraena and NecroBrowser, which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are asked to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery email addresses while maintaining access as long as possible.
Defending against multi-factor authentication attacks requires awareness of the attacks which circumvent the security and constant vigilance for social engineering attacks.
Educate users and administrators to identify social engineering trickery (how to recognize fake websites, not click on rogue links in email, or block those links entirely) and teach them how to handle common social engineering tactics.
Consider using additional or more complex forms of multi-factor authentication for users and administrators, such as biometrics or behavioral authentication methods, though this may add inconvenience to these users.
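The Muraena and NecroBrowser relay described above works because a one-time passcode is the same string no matter which site the user typed it into. Among the "more complex forms" of MFA the PIN recommends, the property that defeats a relay is origin binding: the browser, not the page, records which origin the user was on, the relying party compares it with its own, and the authenticator signs that record so a relay cannot rewrite it. The following is an added example, not code from the PIN or from any vendor, of the relying-party checks on the client data of a WebAuthn-style assertion; the origin, challenge handling, and the relay domain are constructed, and the signature verification that a full implementation also performs is left out to keep the focus on the origin check.

```python
import base64
import hmac
import json
import secrets

# Assumption: the relying party serves its login page from exactly this origin.
RP_ORIGIN = "https://bank.example"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> str:
    """Server side: a fresh random challenge for each login attempt."""
    return b64url_encode(secrets.token_bytes(32))


def build_client_data(origin_seen_by_browser: str, challenge: str) -> str:
    """Constructed stand-in for the clientDataJSON a browser assembles.
    The browser fills in the origin the user is actually on; a page
    (or a relay in front of it) cannot choose this value."""
    doc = {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser}
    return b64url_encode(json.dumps(doc).encode("utf-8"))


def verify_client_data(client_data_b64: str, expected_challenge: str,
                       expected_origin: str = RP_ORIGIN) -> str:
    """Relying-party checks on clientDataJSON. Returns 'ok' or the rejection reason."""
    try:
        doc = json.loads(b64url_decode(client_data_b64))
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    if doc.get("type") != "webauthn.get":
        return "wrong_type"
    if not hmac.compare_digest(str(doc.get("challenge", "")), expected_challenge):
        return "challenge_mismatch"  # replayed or stale response
    if doc.get("origin") != expected_origin:
        return "origin_mismatch"     # user was on a relay or look-alike domain
    return "ok"


def demo() -> dict:
    """Constructed scenario: a genuine login, the same user behind a relay,
    and a captured response replayed against a later challenge."""
    challenge = new_challenge()
    genuine = build_client_data(RP_ORIGIN, challenge)
    relayed = build_client_data("https://bank-example-login.invalid", challenge)
    return {
        "genuine": verify_client_data(genuine, challenge),
        "relayed": verify_client_data(relayed, challenge),
        "replayed": verify_client_data(genuine, new_challenge()),
    }
```

In a full implementation the authenticator's signature covers authenticatorData together with the SHA-256 of clientDataJSON, which is what stops a relay from simply editing the origin field before forwarding the response; the server also checks the rpIdHash in authenticatorData against its own RP ID. A session cookie issued after this check can still be stolen from the user's browser, so the recommendation to watch for session hijacking stands regardless of the authenticator used.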
The FBI identified incidents over the past few months in which cyber actors scanned for and sought to exploit audio and visual communication devices on networks to identify vulnerabilities which could later be used to gain access and unlawfully acquire information about the organization. In addition to targeting corporate information, vulnerable devices may be targeted for compromise for use in botnets or other criminal activities. The types of devices targeted include: Voice over Internet Protocol (VoIP) phones, video conferencing equipment, conference phones, VoIP routers, and cloud-based communication systems. While cyber actors have targeted VoIP and other communication devices in the past, the FBI continues to see these devices scanned by cyber actors for vulnerabilities.
Specifically, the FBI observed cyber actors identifying and probing communication devices by issuing HTTP GET requests to a business server or network to retrieve device configuration files. Information contained in configuration files often reveals IP addresses, usernames, passwords, system management URLs, and assigned phone numbers – all of which could be used by cyber actors for malicious purposes. Many of the requests are specific to particular brands of devices. Victims will often receive several GET requests in succession, with the actors scanning for multiple brands of devices.
In addition, cyber actors retrieve IP addresses for further exploitation by using businesses’ customer service VoIP hyperlinks, which are traditionally made available for customers to use in contacting the business. Once those hyperlinked calls are answered, the actor retrieves the IP address belonging to the phone which answered the call. Once the IP address is retrieved, an actor could send a large volume of packets to the IP address, overloading it and taking the service offline for the targeted business and its legitimate customers.
In addition to the above techniques, cyber actors target devices with brute-force attacks, attempting unauthorized access through the use of common usernames and passwords. Open source scanning tools can also be used to identify vulnerable communication devices and any associated ports.
All of the information obtained through scans and other methods is likely used for specific targeting efforts by cyber actors. This includes leveraging access to compromised audio and video devices to eavesdrop on meetings or conference calls, placing fraudulent international phone calls, leveraging the compromised device for use in botnets, and conducting man-in-the-middle attacks to redirect corporate network traffic.
The following recommendations may limit the success of these types of attacks:
Conduct daily server log reviews to identify unusual activity, including GET and POST requests from external IP addresses.
Work with the communication device/system providers to ensure servers are patched and updated regularly.
Consider restricting access to configuration files or configuring firewalls to block traffic from unauthorized IP addresses.
Restrict communication devices/systems to only non-sensitive business networks.
Conduct regular penetration testing exercises on communication devices to identify and address vulnerabilities in a timely manner.
Enable encryption on teleconference programs and applications and consider disabling auto-answer capabilities.
Password protect configuration files, if possible.
Regularly review and update users with access to administrative accounts.
Segment configuration files on the network. Be sure to protect configuration and other device-related files after getting the device out of the box. Don’t just plug and play.
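The first recommendation above, a daily log review for unusual GET and POST requests from external addresses, is concrete enough to script. The following is an added example, not code from the FBI notification, that parses combined-format web server log lines and raises two findings matching the activity described: an external source fetching several configuration-looking paths in succession (the brand-by-brand probing) and any write-method request from outside the internal ranges. The log lines, addresses, paths, and the "looks like a config file" heuristic are all constructed and would be tuned to the actual device fleet.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Apache/nginx combined log format; none of these
# addresses, paths, or user agents come from the original notification.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:08:01:02 +0000] "GET /config/phone.cfg HTTP/1.1" 404 162 "-" "curl/7.64.0"
203.0.113.7 - - [10/Jan/2020:08:01:03 +0000] "GET /provision/device.xml HTTP/1.1" 404 162 "-" "curl/7.64.0"
203.0.113.7 - - [10/Jan/2020:08:01:04 +0000] "GET /admin/settings.ini HTTP/1.1" 403 199 "-" "curl/7.64.0"
192.168.1.20 - - [10/Jan/2020:08:05:00 +0000] "GET /provision/device.xml HTTP/1.1" 200 2048 "-" "ConstructedPhoneAgent/1.0"
198.51.100.9 - - [10/Jan/2020:08:07:10 +0000] "POST /admin/upload HTTP/1.1" 200 51 "-" "python-requests/2.22.0"
198.51.100.22 - - [10/Jan/2020:08:09:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Assumed heuristic for "this path looks like a device configuration file".
CONFIG_PATH_RE = re.compile(r"(?i)(config|provision|\.cfg$|\.ini$|\.xml$)")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WRITE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip_text: str) -> bool:
    """True unless the address falls inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparseable source: treat as external so it is reviewed
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(lines, probe_threshold: int = 3) -> dict:
    """Two findings: external sources fetching several distinct config-looking
    paths (regardless of status code, since 404s are the scan's fingerprint),
    and any write request from an external source."""
    config_hits = defaultdict(list)
    external_writes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_external(rec["ip"]):
            continue
        if rec["method"] == "GET" and CONFIG_PATH_RE.search(rec["path"]):
            if rec["path"] not in config_hits[rec["ip"]]:
                config_hits[rec["ip"]].append(rec["path"])
        elif rec["method"] in WRITE_METHODS:
            external_writes.append((rec["ip"], rec["method"], rec["path"]))
    probers = {ip: paths for ip, paths in config_hits.items() if len(paths) >= probe_threshold}
    return {"config_probers": probers, "external_writes": external_writes}


if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_LOG.splitlines()).items():
        print(finding, detail)
```

The internal phone fetching its provisioning file (the 192.168.1.20 line) is not reported, which is the point of the internal-range check: the same request is routine from the phone network and suspicious from the Internet. If the device web interfaces are reachable from outside at all, the third recommendation above (block unauthorized addresses at the firewall) removes the problem the script only detects.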
This Joint Intelligence Bulletin (JIB) is intended to provide information on Australian national and violent extremist Brenton Tarrant’s 15 March 2019 attacks on two mosques in Christchurch, New Zealand. These attacks underscore the enduring nature of violent threats posed to faith-based communities. FBI, DHS, and NCTC advise federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners responsible for securing faith-based communities in the Homeland to remain vigilant in light of the enduring threat to faith-based communities posed by domestic extremists (DEs), as well as by homegrown violent extremists (HVEs) who may seek retaliation. This JIB is provided to assist federal, state, local, tribal, and territorial counterterrorism and law enforcement officials and private sector security partners to effectively deter, prevent, preempt, or respond to incidents and terrorist attacks in the United States.
(U) Attack Details
(U//FOUO) On 15 March 2019, New Zealand police arrested an Australian national who appeared to be inspired by a white supremacist ideology and who allegedly conducted a shooting attack on two mosques in Christchurch, New Zealand. This attack highlights the enduring threat of violence posed to faith-based communities. There are currently 49 victims deceased, and 20 others are listed as being in critical condition following the attack.
» (U//FOUO) On 15 March 2019, at about 1:40 PM local time, Australian national Brenton Tarrant used firearms to attack the Masjid Al Noor Mosque in the city of Christchurch, New Zealand, before conducting a similar shooting attack at the Linwood Masjid Mosque, approximately four miles away. Tarrant drove to the attack sites and livestreamed a video of the attack. Police also discovered improvised explosive devices in a vehicle connected with the attack. Tarrant is currently the only known perpetrator; however, investigation of his movements and associates continues.
» (U//FOUO) Tarrant disseminated a manifesto prior to the shooting which detailed his concerns of perceived “white genocide.” The manifesto contains a wide range of anti-immigrant and anti-Muslim views. One reason listed as to why he carried out the attack was “to create conflict…within the United States on the ownership of firearms in order to further the social, cultural, political, and racial divide within the United states [sic].”
» (U//FOUO) Tarrant claimed to have been planning the attack for two years and recently relocated to New Zealand to live temporarily while he “planned and trained.” He claimed to have chosen to conduct his attack in Christchurch three months prior to show such attacks could happen anywhere.
(U) Mosque Attacks Could Incite Like-Minded and Retaliatory Attacks
(U//FOUO) We are concerned online sharing of Tarrant’s livestreamed footage could amplify viewer reaction to the violent attack and possibly incite similar attacks by those adhering to violent extremist ideologies in the United States and abroad, as well as retaliatory attacks from HVEs and individuals otherwise affiliated with foreign terrorist organizations. Tarrant appeared to have been influenced by prior attacks by violent extremists in the United States and other countries, and we remain concerned that US-based DEs of similar ideologies could become inspired by this attack. Although most HVEs generally do not mobilize to violence in response to specific events and instead are usually influenced by a confluence of sociopolitical, ideological, and personal factors, exceptions may occur and we remain concerned for the potential of retaliatory attacks by some HVEs, as we have already seen calls for attacks by violent extremists online.
» (U//FOUO) Tarrant claimed Norwegian mass attacker Anders Breivik gave his “blessing” for the attack. Tarrant’s ammunition cases also displayed handwritten names of violent extremists in Canada and elsewhere who previously conducted violent attacks on Muslims or in support of violent extremist ideologies.
» (U//FOUO) An examination of online jihadist media following the mosque attacks indicates various al-Qa‘ida and ISIS supporters are posting attack images to express outrage and are calling upon all Muslims to respond to the New Zealand attacks by launching their own near-term attacks in retaliation.
The FBI has identified successful spearphishing campaigns directed at college and university students, especially during periods when financial aid funds are disbursed in large volumes. In general, the spearphishing emails request students’ login credentials for the University’s internal intranet. The cyber criminals then capture students’ login credentials, and after gaining access, change the students’ direct deposit destination to bank accounts within the threat actor’s control.
In February 2018, the FBI received notification of a spearphishing campaign targeting students at an identified University in the south eastern United States. The campaign occurred in January 2018 when an unidentified number of students attending the University received an email requesting their login credentials for the University’s internal intranet. Using the University’s intranet portal, the cyber criminals accessed a third-party vendor that manages the disbursement of financial aid to students and changed the direct deposit information for 21 identified students to bank accounts under the cyber criminal’s control. The threat actor stole approximately $75,000 from the 21 students. The student accounts were accessed by at least 13 identified US Internet Protocol (IP) addresses.
On 31 August 2018, the Department of Education identified a similar spearphishing campaign targeting multiple institutions of higher education. In this campaign, the cyber criminals sent students an email inviting them to view and confirm their updated billing statement by logging into the school’s student portal. After gaining access, the cyber criminals changed the students’ direct deposit destinations to bank accounts under the threat actor’s control.
The nature of the spearphishing emails indicates the cyber criminals conducted reconnaissance of the target institutions and understand the schools’ use of student portals and third-party vendors for processing student loan payment information. In addition, the timing of the campaigns indicates the cyber criminals almost certainly launched these campaigns to coincide with periods when financial aid funds are disseminated in large volumes.
The FBI recommends providers implement the preventative measures listed below to help secure their systems from attacks:
Notify all students of the phishing attempts and encourage them to be extra vigilant
Implement two-factor authentication for access to sensitive systems and information
Monitor student login attempts from unusual IP addresses and other anomalous activity
Educate students on appropriate preventative and reactive actions to known criminal schemes and social engineering threats
Apply extra scrutiny to e-mail messages with links or attachments directed toward students
Apply extra scrutiny to bank information initiated by the students seeking to update or change direct deposit credentials
Direct students to forward any suspicious requests for personal information to the information technology or security department
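Two of the measures above, monitoring logins from unusual addresses and applying extra scrutiny to direct-deposit changes, can be combined into one review of the aid portal's change events. The following is an added example, not code from the FBI or from any university or vendor, that flags a deposit change made from an address the student has never logged in from, and a destination account that several different students switch to within a short window, which is the shape of the January 2018 campaign (21 students redirected to accounts under one actor's control). Student identifiers, addresses, account strings, and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed data: addresses each student has previously logged in from,
# and a stream of direct-deposit change events from the aid portal.
KNOWN_IPS = {
    "s1001": {"10.20.0.5"},
    "s1002": {"10.20.0.9"},
    "s1003": {"10.20.0.11"},
    "s1004": {"10.20.0.12"},
}
EVENTS = [
    {"id": "e1", "ts": "2020-01-14T09:00:00", "student": "s1001", "ip": "10.20.0.5",    "new_account": "RT000111-222"},
    {"id": "e2", "ts": "2020-01-15T02:10:00", "student": "s1002", "ip": "203.0.113.44", "new_account": "RT000999-555"},
    {"id": "e3", "ts": "2020-01-15T02:14:00", "student": "s1003", "ip": "203.0.113.44", "new_account": "RT000999-555"},
    {"id": "e4", "ts": "2020-01-20T11:00:00", "student": "s1004", "ip": "203.0.113.45", "new_account": "RT000999-555"},
]


def flag_deposit_changes(events, known_ips, shared_threshold: int = 2,
                         window: timedelta = timedelta(hours=24)) -> dict:
    """Return event ids made from a never-before-seen address for that student,
    and destination accounts that at least `shared_threshold` distinct students
    switched to within `window` of each other."""
    new_ip = []
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ip"] not in known_ips.get(ev["student"], set()):
            new_ip.append(ev["id"])
        by_account[ev["new_account"]].append((datetime.fromisoformat(ev["ts"]), ev["student"]))

    shared = {}
    for account, entries in by_account.items():
        for ts_i, _ in entries:
            # Distinct students who chose this account in the window ending at ts_i.
            students = {s for ts, s in entries if ts_i - window <= ts <= ts_i}
            if len(students) >= shared_threshold:
                shared.setdefault(account, set()).update(students)

    return {
        "new_ip": new_ip,
        "shared_destination": {acct: sorted(s) for acct, s in shared.items()},
    }


if __name__ == "__main__":
    print(flag_deposit_changes(EVENTS, KNOWN_IPS))
```

Event e1 (a routine change from the student's usual address to an account nobody else uses) raises nothing; e2 and e3 trip both rules; e4 trips only the new-address rule because it falls outside the 24-hour window. Either finding is a reason to hold the change and confirm it with the student out of band before the next disbursement, which is the "extra scrutiny" the notification asks for.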
The FBI is the lead federal agency for investigating cyber attacks by criminals, overseas adversaries, and terrorists. The threat is incredibly serious—and growing. Cyber intrusions are becoming more commonplace, more dangerous, and more sophisticated. Our nation’s critical infrastructure, including both private and public sector networks, are targeted by adversaries. American companies are targeted for trade secrets and other sensitive corporate data, and universities for their cutting-edge research and development. Citizens are targeted by fraudsters and identity thieves, and children are targeted by online predators. Just as the FBI transformed itself to better address the terrorist threat after the 9/11 attacks, it is undertaking a similar transformation to address the pervasive and evolving cyber threat. This means enhancing the Cyber Division’s investigative capacity to sharpen its focus on intrusions into government and private computer networks.
For more information on the FBI’s cyber security efforts, read our “Addressing Threats to the Nation’s Cybersecurity” brochure.
Computer and Network Intrusions
The collective impact is staggering. Billions of dollars are lost every year repairing systems hit by such attacks. Some take down vital systems, disrupting and sometimes disabling the work of hospitals, banks, and 9-1-1 services around the country.
Who is behind such attacks? It runs the gamut—from computer geeks looking for bragging rights…to businesses trying to gain an upper hand in the marketplace by hacking competitor websites, from rings of criminals wanting to steal your personal information and sell it on black markets…to spies and terrorists looking to rob our nation of vital information or launch cyber strikes.
Today, these computer intrusion cases—counterterrorism, counterintelligence, and criminal—are the paramount priorities of our cyber program because of their potential relationship to national security.
Combating the threat. In recent years, we’ve built a whole new set of technological and investigative capabilities and partnerships—so we’re as comfortable chasing outlaws in cyberspace as we are down back alleys and across continents. That includes:
- A Cyber Division at FBI Headquarters “to address cyber crime in a coordinated and cohesive manner”;
- Specially trained cyber squads at FBI headquarters and in each of our 56 field offices, staffed with “agents and analysts who protect against and investigate computer intrusions, theft of intellectual property and personal information, child pornography and exploitation, and online fraud”;
- New Cyber Action Teams that “travel around the world on a moment’s notice to assist in computer intrusion cases” and that “gather vital intelligence that helps us identify the cyber crimes that are most dangerous to our national security and to our economy;”
- Our Computer Crimes Task Forces nationwide that combine state-of-the-art technology and the resources of our federal, state, and local counterparts;
- A growing partnership with other federal agencies—including the Department of Defense, the Department of Homeland Security, and others—which share similar concerns and resolve in combating cyber crime.
Law enforcement at all levels has the legal authority to intercept and access communications and information pursuant to court orders, but often lacks the technical ability to carry out those orders because of a fundamental shift in communications services and technologies. This scenario is often called “Going Dark” and can hinder access to valuable information that may help identify and save victims, reveal evidence to convict perpetrators, or exonerate the innocent.
Read more about the FBI’s response to the Going Dark problem.
Identity theft—increasingly being facilitated by the Internet—occurs when someone unlawfully obtains another’s personal information and uses it to commit theft or fraud. The FBI uses both its cyber and criminal resources—along with its intelligence capabilities—to identify and stop crime groups in their early stages and to root out the many types of perpetrators, which span the Bureau’s investigative priorities.
More on the FBI’s efforts to combat identity theft.
The FBI’s online predators and child sexual exploitation investigations are managed under our Violent Crimes Against Children Program, Criminal Investigative Division. These investigations involve all areas of the Internet and online services, including social networking venues, websites that post child pornography, Internet news groups, Internet Relay Chat channels, online groups and organizations, peer-to-peer file-sharing programs, bulletin board systems, and other online forums.
Read more about our Violent Crimes Against Children Program.
The Internet Crime Complaint Center
The mission of the Internet Crime Complaint Center (IC3) is to provide the public with a reliable and convenient reporting mechanism to submit information to the FBI concerning suspected Internet-facilitated fraud schemes and to develop effective alliances with law enforcement and industry partners. Information is analyzed and disseminated for investigative and intelligence purposes to law enforcement and for public awareness.
Cyber Action Team
It can be a company’s worst nightmare—the discovery that hackers have infiltrated their computer networks and made off with trade secrets, customers’ personal information, and other critical data. Today’s hackers have become so sophisticated that they can overcome even the best network security measures. When such intrusions happen—and unfortunately, they occur frequently—the FBI can respond with a range of investigative assets, including the little-known Cyber Action Team (CAT). This rapid deployment group of cyber experts can be on the scene just about anywhere in the world within 48 hours, providing investigative support and helping to answer critical questions that can quickly move a case forward.
Established by the FBI’s Cyber Division in 2006 to provide rapid incident response on major computer intrusions and cyber-related emergencies, the team has approximately 50 members located in field offices around the country. They are either special agents or computer scientists, and all possess advanced training in computer languages, forensic investigations, and malware analysis. And since the team’s inception, the Bureau has investigated hundreds of cyber crimes, and a number of those cases were deemed of such significance that the rapid response and specialized skills of the Cyber Action Team were required. Some of those cases affected U.S. interests abroad, and the team deployed overseas, working through our legal attaché offices and with our international partners.
Members of the team make an initial assessment, and then call in additional experts as needed. Using cutting-edge tools, the team looks for a hacker’s signature. In the cyber world, such signatures are called TTPs—tools, techniques, and procedures. The TTPs usually point to a specific group or person. The hackers may represent a criminal enterprise looking for financial gain or state-sponsored entities seeking a strategic advantage over the U.S.
National Cyber Forensics & Training Alliance
Long before cyber crime was acknowledged to be a significant criminal and national security threat, the FBI supported the establishment of a forward-looking organization to proactively address the issue. Called the National Cyber-Forensics & Training Alliance (NCFTA), this organization—created in 1997 and based in Pittsburgh—has become an international model for bringing together law enforcement, private industry, and academia to build and share resources, strategic information, and threat intelligence to identify and stop emerging cyber threats and mitigate existing ones.
Since its establishment, the NCFTA has evolved to keep up with the ever-changing cyber crime landscape. Today, the organization deals with threats from transnational criminal groups including spam, botnets, stock manipulation schemes, intellectual property theft, pharmaceutical fraud, telecommunications scams, and other financial fraud schemes that result in billions of dollars in losses to companies and consumers.
The FBI Cyber Division’s Cyber Initiative and Resource Fusion Unit (CIRFU) works with the NCFTA, which draws its intelligence from the hundreds of private sector NCFTA members, NCFTA intelligence analysts, Carnegie Mellon University’s Computer Emergency Response Team (CERT), and the FBI’s Internet Crime Complaint Center. This extensive knowledge base has helped CIRFU play a key strategic role in some of the FBI’s most significant cyber cases in the past several years.
Because of the global reach of cyber crime, no single organization, agency, or country can defend against it. Vital partnerships like the NCFTA are key to protecting cyberspace and ensuring a safer cyber future for our citizens and countries around the world.
With cyber threats continuing to emerge at the forefront of the FBI’s criminal and national security challenges, engaging public-private partners in information exchange alongside law enforcement and intelligence communities…
Each Cyber Task Force synchronizes domestic cyber threat investigations in the local community through information sharing, incident response…
In 2007, eGuardian was developed to help meet the challenges of collecting and sharing terrorism-related activities amongst law enforcement agencies across various jurisdictions. The eGuardian system is a sensitive but…
Below are some key steps to protecting your computer from intrusion:
Keep Your Firewall Turned On: A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.
Install or Update Your Antivirus Software: Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.
Install or Update Your Antispyware Technology: Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.
Keep Your Operating System Up to Date: Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.
Be Careful What You Download: Carelessly downloading e-mail attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.
Turn Off Your Computer: With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.
Safe Online Surfing
The FBI Safe Online Surfing (FBI-SOS) program is a nationwide initiative designed to educate children in grades 3 to 8 about the dangers they face on the Internet and to help prevent crimes against children.
It promotes cyber citizenship among students by engaging them in a fun, age-appropriate, competitive online program where they learn how to safely and responsibly use the Internet.
The program emphasizes the importance of cyber safety topics such as password security, smart surfing habits, and the safeguarding of personal information.
In 2017 there were 30 separate active shootings in the United States, the largest number ever recorded by the FBI during a one-year period.1 With so many attacks occurring, it can become easy to believe that nothing can stop an active shooter determined to commit violence. “The offender just snapped” and “There’s no way that anyone could have seen this coming” are common reactions that can fuel a collective sense of a “new normal,” one punctuated by a sense of hopelessness and helplessness. Faced with so many tragedies, society routinely wrestles with a fundamental question: can anything be done to prevent attacks on our loved ones, our children, our schools, our churches, concerts, and communities?
There is cause for hope because there is something that can be done. In the weeks and months before an attack, many active shooters engage in behaviors that may signal impending violence. While some of these behaviors are intentionally concealed, others are observable and — if recognized and reported — may lead to a disruption prior to an attack. Unfortunately, well-meaning bystanders (often friends and family members of the active shooter) may struggle to appropriately categorize the observed behavior as malevolent. They may even resist taking action to report for fear of erroneously labeling a friend or family member as a potential killer. Once reported to law enforcement, those in authority may also struggle to decide how best to assess and intervene, particularly if no crime has yet been committed.
By articulating the concrete, observable pre-attack behaviors of many active shooters, the FBI hopes to make these warning signs more visible and easily identifiable. This information is intended to be used not only by law enforcement officials, mental health care practitioners, and threat assessment professionals, but also by parents, friends, teachers, employers and anyone who suspects that a person is moving towards violence.
Key Findings of the Phase II Study
- The 63 active shooters examined in this study did not appear to be uniform in any way such that they could be readily identified prior to attacking based on demographics alone.
- Active shooters take time to plan and prepare for the attack, with 77% of the subjects spending a week or longer planning their attack and 46% spending a week or longer actually preparing (procuring the means) for the attack.
- A majority of active shooters obtained their firearms legally, with only very small percentages obtaining a firearm illegally.
- The FBI could only verify that 25% of active shooters in the study had ever been diagnosed with a mental illness. Of those diagnosed, only three had been diagnosed with a psychotic disorder.
- Active shooters were typically experiencing multiple stressors (an average of 3.6 separate stressors) in the year before they attacked.
- On average, each active shooter displayed 4 to 5 concerning behaviors over time that were observable to others around the shooter. The most frequently occurring concerning behaviors were related to the active shooter’s mental health, problematic interpersonal interactions, and leakage of violent intent.
- For active shooters under age 18, school peers and teachers were more likely to observe concerning behaviors than family members. For active shooters 18 years old and over, spouses/domestic partners were the most likely to observe concerning behaviors.
- When concerning behavior was observed by others, the most common response was to communicate directly to the active shooter (83%) or do nothing (54%). In 41% of the cases the concerning behavior was reported to law enforcement. Therefore, just because concerning behavior was recognized does not necessarily mean that it was reported to law enforcement.
- In those cases where the active shooter’s primary grievance could be identified, the most common grievances were related to an adverse interpersonal or employment action against the shooter (49%).
- In the majority of cases (64%) at least one of the victims was specifically targeted by the active shooter.