
The Vocabulary of Cyber War by U.S. Strategic Command


A restricted document from U.S. Strategic Command provides insight into the underlying philosophy of military efforts to wage cyber warfare.

At the 39th Joint Doctrine Planning Conference, a semiannual meeting on topics related to military doctrine and planning held in May 2007, a contractor for Booz Allen Hamilton named Paul Schuh gave a short presentation discussing doctrinal issues related to “cyberspace” and the military’s increasing effort to define its operations involving computer networks.  Schuh, who would later become chief of the Doctrine Branch at U.S. Cyber Command, argued that military terminology related to cyberspace operations was inadequate and failed to address the expansive nature of cyberspace.  According to Schuh, the existing definition of cyberspace as “the notional environment in which digitized information is communicated over computer networks” was imprecise.  Instead, he proposed that cyberspace be defined as “a domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures.”

Amid the disagreements about “notional environments” and “operational domains,” Schuh informed the conference that “experience gleaned from recent cyberspace operations” had revealed “the necessity for development of a lexicon to accommodate cyberspace operations, cyber warfare and various related terms” such as “weapons consequence” or “target vulnerability.”  The lexicon needed to explain how the “‘four D’s (deny, degrade, disrupt, destroy)” and other core terms in military terminology could be applied to cyber weapons.  The document that would later be produced to fill this void is The Cyber Warfare Lexicon, a relatively short compendium designed to “consolidate the core terminology of cyberspace operations.”  Produced by the U.S. Strategic Command’s Joint Functional Command Component – Network Warfare, a predecessor to the current U.S. Cyber Command, the lexicon documents early attempts by the U.S. military to define its own cyber operations and place them within the larger context of traditional warfighting.  A version of the lexicon from January 2009 obtained by Public Intelligence includes a complete listing of terms related to the process of creating, classifying and analyzing the effects of cyber weapons.  An attachment to the lexicon includes a series of discussions on the evolution of military commanders’ conceptual understanding of cyber warfare and its accompanying terminology, attempting to align the actions of software with the outcomes of traditional weaponry.

Defining Cyber Warfare

One of the primary reasons for creating a lexicon devoted to cyber warfare is that there are “significant underlying differences” between traditional military operations and so-called “non-traditional weapons” such as those employed in cyber warfare.  The lexicon was intended to reduce these differences by integrating and standardizing the “use of these non-traditional weapons” while providing “developers, testers, planners, targeteers, decision-makers, and battlefield operators . . . a comprehensive but flexible cyber lexicon that accounts for the unique aspects of cyber warfare while minimizing the requirement to learn new terms for each new technology of the future.”  Described as a Language to Support the Development, Testing, Planning, and Employment of Cyber Weapons and Other Modern Warfare Capabilities, the lexicon is designed to facilitate the construction and employment of cyber weapons:

The cyber warfare community needs a precise language that both meets their unique requirements and allows them to interoperate in a world historically dominated by kinetic warfare. Mission planners must be able to discuss cyber weapons with their commanders, the intelligence analysts, the targeteers, and the operators, using terms that will be understood not just because they have been defined somewhere in doctrine, but also because they make sense. Giving the weapons planners a well-founded lexicon enables them to have far-reaching discussions about all manner of weapons and make important decisions with a significantly reduced likelihood of misunderstanding and operational error.

To understand what exactly constitutes a cyber weapon and what makes it so different from the kind of weapons employed in traditional warfare, it is important to understand the objectives of cyber warfare.  Cyber warfare is defined in the lexicon as the creation of “effects in and through cyberspace in support of a combatant commander’s military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms.”  This can be accomplished through cyber attacks, cyber defense as well as cyber exploitation, with each option providing its own unique set of associated capabilities and potential outcomes.  Cyber attacks bear the greatest resemblance to popular notions of cyber war, incorporating actions to “deny or manipulate information and/or infrastructure in cyberspace” through methods like a computer network attack (CNA) that are intended to “disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.”  Cyber defense is primarily focused on defending U.S. military networks from similar attacks conducted by other nations or non-state actors and protecting the integrity of the Department of Defense’s Global Information Grid (GIG) which carries military communications worldwide.  Cyber exploitation is focused primarily on the collection of intelligence and other useful data from targeted computer systems to enable improved “threat recognition” that can contribute to future operations in cyberspace.

These components of cyber warfare rely on capabilities that are used to construct cyber weapon systems.  A cyber warfare capability is a “device, computer program or technique” that includes any combination of “software, firmware, and hardware” that is “designed to create an effect in cyberspace, but has not been weaponized.”  Weaponization is a process that takes these capabilities and implements “control methods, test and evaluation, safeguards, security classification guidance, interface/delivery method” and other tactical considerations to ensure that the capability can be properly employed to produce the intended effect.  A completed cyber weapon system is a combination of one or more of these capabilities that have been weaponized and are ready for deployment.  These weapons can then be categorized based upon specific uses and issues related to their employment, such as who is authorized to use them.  One suggested schema in the lexicon provides three categories: the first for weapons that require approval from the combatant commander, a second for weapons that are pre-approved for specific uses and a third that requires the approval of the President or Secretary of Defense before the weapon can be utilized.

[Photo caption: Brig. Gen. Robert Brooks, director of the Massachusetts Air National Guard, gets an eyes-on 3D tutorial of how to analyze data in the Virtual Reality Center at the University of Arkansas at Little Rock, May 2, 2014. Senior leaders from the National Guard toured the University's Emerging Analytics Center and learned about the partnership to allow students at the National Guard Professional Education Center an opportunity to earn their bachelor's, master's or post-doctoral degrees in information technology.]

One of the “Discussions on Cyberspace Operations” contained in the lexicon follows the military’s historical apprehension toward describing software programs and other cyber capabilities as weapons.  Throughout the early 1990s, the term “tool” was widely favored in the initial phases of the military’s cyber warfare mission.  One reason for this reluctance was military commanders’ concerns about the lack of authority under Title 10 for conducting cyber operations.  However, given that there are six “Joint functions” recognized in military doctrine “C2 [command and control], Intel, Fires, Maneuver, Protection and Sustainment,” the use of any offensive cyber capabilities “unquestionably” is a form of fires, making the cyber capability itself a kind of weapon.  The idea that software and computer hardware could be considered a weapon is further complicated by the fact that many offensive cyber capabilities consist of nothing more than “cyber techniques” that involve “keystrokes, but where no hardware or software is introduced into the target system.”  When “last minute changes in the target render the approved weapon inert, an operator might need to use cyber techniques to complete an assigned mission, particularly one that has been approved for effect or objective,” making the certification process and training of the “operator” critical to considering cyber capabilities as a “weapon system.”  There must be control methods, testing and evaluation, safeguards, certified personnel, mission logs, a concept of operations as well as tactics, techniques and procedures on how to employ the weapon system.  This is similar to the situation with conventional weapons as “the very first M-16 rifle ever made, while a ‘weapon’ in the dictionary sense of the word, was not deployed until it was operationally tested, had a training program, spare parts inventory, etc.”  It was only after this process that “each new M-16 was part of a ‘weapon system’ and could be crated and shipped to the front lines directly from the assembly line.”

Cyber Weapons and Their Effects

A fundamental distinction discussed in the lexicon, one which separates cyber weapons from those used in conventional warfare, is the distinction between kinetic and non-kinetic weaponry.  Kinetic weapons are those that “use forces of dynamic motion and/or energy upon material bodies” whereas non-kinetic weapons are those that “create their effects based upon the laws of logic or principles other than the laws of physics.”  Within each of these broad categories, there are further distinctions based upon the lethality of the weapon being described.  For example, a Mark-84 bomb is an example of a lethal kinetic weapon capable of inflicting physical damage to material entities based upon the use of motion and force.  The Active Denial System, a directed-energy weapon which uses millimeter waves to create a sensation of heat on the skin of human targets, is an example of a non-lethal kinetic weapon.  As a non-kinetic weapon creates its effect through the use of logic or other principles, the category necessarily encompasses a much wider array of weapon systems from diverse fields like information warfare and psychological operations.  Biological and chemical weapons are examples of lethal non-kinetic weapons that rely upon biological factors rather than physical force to create their effect.  Computer network attack (CNA) software, on the other hand, is an example of a non-lethal non-kinetic weapon, creating an effect based solely on the logical operations it performs on a targeted computer system.

While cyber weapons are considered to be non-lethal in their effects, this doesn’t mean that non-lethal weapons are “required to have zero probability of causing fatalities, permanent injuries, or destruction.”  To better understand the effects that non-lethal non-kinetic weapons can have, the lexicon attempts to align cyber weapons with the traditional terminology of the “Four D’s” used throughout the information operations community: deny, destroy, degrade and disrupt.  One discussion in the lexicon introduces a construct to understand these effects in terms of a scope, level and time of “denial” in a targeted system, causing “reduction, restriction, or refusal of target operations.”  Using this framework, “degrade, disrupt, and destroy” would all be considered different forms of denial that have varying scopes.  Disrupt introduces a “time aspect of denial” and degrade adds an “amount or level of denial.”  The final term “destroy” is saved for the “special case that includes the maximum time and maximum amount of denial.”  The lexicon even proposes a function for calculating denial:

Quantitatively, denial (D) can be expressed as a function of scope (s), level (l), and time (t), i.e. D(s,l,t). Defining effects in this manner makes it clear to the planning staff that each of the parameters of the function must be considered and specified as necessary as indicated by, or derived from, commander’s objective. As the level (l) or amount approaches 100% and time (t) approaches infinity, destruction is achieved.
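The denial construct above is compact enough to encode directly. The following is an added example (not from the lexicon or the article) that models D(s,l,t) in Python and applies the lexicon's own rules to name the resulting effect: degrade when the level is partial, disrupt when the level is 100% but the time is bounded, destroy when level and time are both maximised. The `Denial` type, the `classify` and `capacity_lost` functions, the unit choices (level as a fraction of capacity, time in seconds with `math.inf` standing for "permanent") and the constant-denial assumption inside `capacity_lost` are all assumptions of this example, not notation from the lexicon.

```python
"""Model of the lexicon's denial function D(s, l, t).

Added example: it encodes the construct described in the article
(denial as scope, level and time, with degrade, disrupt and destroy as
special cases). Units and function names are this example's own choices.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Denial:
    """One specified denial effect, D(s, l, t)."""
    scope: str        # s: what is denied, free text in this model
    level: float      # l: fraction of capacity denied, 0.0 .. 1.0 (the lexicon's "amount")
    duration: float   # t: seconds of denial; math.inf means permanent

    def __post_init__(self):
        if not 0.0 <= self.level <= 1.0:
            raise ValueError("level must be a fraction of capacity between 0 and 1")
        if self.duration < 0:
            raise ValueError("duration cannot be negative")


def classify(d: Denial) -> str:
    """Name the effect the way the lexicon's definitions do.

    destroy : level and time both maximised (100%, permanent)
    disrupt : complete (100%) but temporary denial
    degrade : partial denial at a specified level
    none    : a level of 0, or a duration of 0, denies nothing
    """
    if d.level == 0.0 or d.duration == 0:
        return "none"
    if d.level == 1.0 and math.isinf(d.duration):
        return "destroy"
    if d.level == 1.0:
        return "disrupt"
    return "degrade"


def capacity_lost(d: Denial, horizon: float) -> float:
    """Fraction of the target's capacity lost over a planning horizon (seconds).

    Assumption of this example: denial is constant at `level` for `duration`
    seconds and zero afterwards, so a permanent denial costs `level` for the
    whole horizon and a short disruption costs 100% only while it lasts.
    """
    if horizon <= 0:
        raise ValueError("horizon must be positive")
    effective = min(d.duration, horizon)
    return d.level * effective / horizon


if __name__ == "__main__":
    # Constructed planning cases: one value of D(s, l, t) per row.
    cases = [
        Denial("mail relay", 0.4, 3600),        # 40% for one hour
        Denial("mail relay", 1.0, 1800),        # complete, half an hour
        Denial("mail relay", 1.0, math.inf),    # complete and permanent
    ]
    for c in cases:
        print(f"{c.scope}: {classify(c):8s} "
              f"loss over 1h = {capacity_lost(c, 3600):.2f}")
```

Reading the output against the lexicon's text: the 40% case is a degrade, the bounded 100% case is a disrupt, and only the case where both parameters are at their maximum is a destroy, which is exactly the "special case" the lexicon reserves the term for.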

The true effects of a cyber weapon often differ significantly from simply denying or even destroying an enemy system.  Every weapon “takes an action” when it is triggered and this action is “intended to have an effect.”  For a traditional bomb, that action is a “kinetic explosion and the effect is normally target damage,” whereas a cyber weapon may result in “the execution of some software and the effects, some form of denial or manipulation.”  However, weapons also have “outcomes that are not expected and are not required to achieve the objective.”  The lexicon describes these as indirect effects that can result in consequences for unintended targets.  When these consequences affect unlawful targets or cause “damage to persons or objects that would not be lawful military targets,” they are considered “collateral effects” that are similar to the traditional notion of collateral damage.

Vulnerabilities and Target States

Past worries about collateral damage from cyber weapons have proven to be well founded.  In the summer of 2010, copies of an unknown computer worm began replicating throughout the internet using a vulnerability in Microsoft Windows to find its way into the control systems of major corporations like Chevron.  However, the malicious program was not the work of Chinese hackers or sophisticated cyber criminals, it was a cyber weapon called Stuxnet created as part of a joint U.S. and Israeli intelligence operation targeting Iran’s nuclear program that was codenamed “Olympic Games.”  Stuxnet would later claim other unintended targets, including a Russian nuclear power plant.  Unintended effects associated with cyber weapons are dangerous for a number of reasons, including the risk that an adversary might be able to use the weapon, once discovered, against the originator of the attack.  According to the lexicon, these vulnerabilities of cyber weapons can be separated into six distinct categories:

  • (U//FOUO) Detectability risk – The risk that a weapon will be unable to elude discovery or suspicion of its existence. This includes the adverse illumination risk of hardware weapons.
  • (U//FOUO) Attribution risk – The risk that the discoverer of a weapon or weapon data will be able to identify the source and/or originator of the attack or the source of the weapon used in the attack.
  • (U//FOUO) Co-optability risk – The risk that, once discovered, the weapon or its fires will be able to be recruited, used, or reused without authorization.
  • (U//FOUO) Security Vulnerability risk – The risk that, once discovered, an unauthorized user could uncover a security vulnerability in the weapon that allows access to resources of the weapon or its launch platform. This includes the risk of an adversary establishing covert channels over a weapon’s C2 link.
  • (U//FOUO) Misuse risk – The risk that the weapon can be configured such that an authorized user could unintentionally use it improperly, insecurely, unsafely, etc.
  • (U//FOUO) Policy, Law, & Regulation (PLR) risk – The risk that the weapon can be configured such that an authorized user could intentionally use it in violation of existing policy, laws, and regulations.

These vulnerabilities are “mostly unfamiliar to the kinetic weapons community, and are due to the complexity of the weapons, the dynamic nature of the ‘atmosphere’ of cyberspace, and the difficulty of gathering detailed intelligence about cyber targets.”  A discussion on cyber weapon vulnerabilities in the lexicon argues that “the crowded nature of cyberspace and the proliferation of anonymizing technologies can work to both our advantage and disadvantage, in that attribution can be very difficult for both our adversaries and ourselves.”  Once a network target has been “accessed and subverted,” the implanted cyber weapon should be “considered like a mine or an improvised explosive device (IED) where there are no longer any delivery considerations for the weapon, but only survivability and transferring of commands and updates.”

In several portions of the lexicon, attacking unaffiliated infrastructure that happens to be used by an adversary is discussed as a viable means of creating a “second order” effect on the target.  For example, if “privileged access is not possible, we may still be able to create our desired effect in the first order by using public access to the target” such as “a distributed denial of service (DDOS) that floods a port on the target.”  When the intended target “cannot be directly accessed via either public or privileged means, the desired effect can still be achieved by targeting an intermediating link or node so that the desired effect cascades from the first order effect.”  An example of this is “conducting a DDOS attack on a critical link” leading to the target or “degradation through packet flooding” by assuming the “maximum data bus speed and a maximum input/output processor throughput on the target.”  A ping flood attack can be “directed at a single IP address or broadcast to a whole Class B IP domain with thousands of recipients.”

The effectiveness of a cyber weapon corresponds to its ability to place a target into a particular state of operation.  The target state “corresponds to the condition of the target with respect to a military objective” such as creating a root shell for privileged access.  A cyberspace target can typically be considered to be in one of the following “five states relative to achieving a commander’s primary objective”:

  • Unconfirmed: Unknown if there is an access path to target.
  • Confirmed/Nominal: Access path to target established.
  • Unprivileged access: Unprivileged access to target established.
  • Privileged access/At risk: Privileged access to target established.
  • Goal/Other condition: Target has been placed in the desired or other intermediate condition.

Using a real world example, the lexicon asks us to “consider the use of a ‘buffer overflow’ capability to achieve ‘root’ level (privileged) access on a computer operating system in order to disable an adversary’s computer program.”  The use of a “buffer overflow creates an initial effect (access to unauthorized portion of memory) and, by including in the buffer overflow capability other carefully crafted code, it can also enable another effect (e.g. gaining root access) and place the target in a different state.”  Whereas the previous state of the target was “nominal,” the new state of the target is “compromised.”  If the system administrator has implemented “a mechanism to log and report all creations of a root shell,” the outcome can still create unintended consequences because the cyber weapon could be detected and then be susceptible to attribution or manipulation.  With certain types of cyber weapons this sort of discovery or attribution could present serious problems, though with others it may prove to be of little use to the weapon’s discoverer.  As cyber weapons only “deliver information or some other information-related effect to the target and not high explosive or high energy,” they can be used “as long as we have electrical power.”
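The passage turns on the defender's side of that example: an administrator who logs and reports every creation of a root shell can detect the weapon, and detection is what exposes it to attribution. The following is an added example (not from the article or the lexicon) of that reporting mechanism in Python. The log lines are constructed; they borrow auditd's key=value field names (`auid`, `uid`, `euid`, `exe`, `comm`) for readability, with the syscall given by name rather than number, but they are not real captures. The `SHELLS` list, the `UNSET_AUID` sentinel value and the two detection rules are this example's assumptions.

```python
"""Report root shell creations from audit-style execve records.

Added example: a minimal version of the administrator's countermeasure
described in the article. Every execve of a shell with effective uid 0 is
recorded; the ones that did not come from a root login session, or whose
effective uid differs from the real uid, are reported as suspicious.
"""
import re

# Shell binaries whose execution with effective uid 0 counts as "a root shell"
# (this example's choice of list).
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/dash", "/usr/bin/zsh"}

# auditd records this login uid for processes with no login session (daemons, cron).
UNSET_AUID = "4294967295"

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, auditd-like but not real captures.
SAMPLE_LOG = [
    # root logs in and starts its own shell: expected
    'type=SYSCALL msg=audit(1700000001.000:101): syscall=execve success=yes auid=0 uid=0 euid=0 tty=pts0 comm="bash" exe="/usr/bin/bash"',
    # an ordinary user's shell: not a root shell at all
    'type=SYSCALL msg=audit(1700000002.000:102): syscall=execve success=yes auid=1000 uid=1000 euid=1000 tty=pts1 comm="bash" exe="/usr/bin/bash"',
    # root shell reached from a non-root login session (uid and euid both 0, auid still 1000)
    'type=SYSCALL msg=audit(1700000003.000:103): syscall=execve success=yes auid=1000 uid=0 euid=0 tty=pts1 comm="bash" exe="/bin/bash"',
    # shell with euid 0 but real uid 1000: the trace a setuid root shell leaves
    'type=SYSCALL msg=audit(1700000004.000:104): syscall=execve success=yes auid=1000 uid=1000 euid=0 tty=pts1 comm="sh" exe="/bin/sh"',
    # setuid program that is not a shell: ignored
    'type=SYSCALL msg=audit(1700000005.000:105): syscall=execve success=yes auid=1000 uid=1000 euid=0 tty=pts1 comm="passwd" exe="/usr/bin/passwd"',
    # cron job shell with no login session: recorded, not reported
    'type=SYSCALL msg=audit(1700000006.000:106): syscall=execve success=yes auid=4294967295 uid=0 euid=0 tty=(none) comm="sh" exe="/bin/sh"',
]


def parse_record(line: str) -> dict:
    """Split one key=value audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def is_root_shell(rec: dict) -> bool:
    """True when the record is a successful execve of a shell with effective uid 0."""
    return (rec.get("type") == "SYSCALL"
            and rec.get("syscall") == "execve"
            and rec.get("success") == "yes"
            and rec.get("euid") == "0"
            and rec.get("exe") in SHELLS)


def report_root_shells(lines) -> list:
    """Log every root shell creation and attach the reasons it looks suspicious."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if not is_root_shell(rec):
            continue
        reasons = []
        if rec.get("uid") != rec.get("euid"):
            reasons.append("effective uid 0 differs from real uid")
        if rec.get("auid") not in ("0", UNSET_AUID):
            reasons.append(f"root shell from non-root login session auid={rec.get('auid')}")
        findings.append({"exe": rec.get("exe"), "auid": rec.get("auid"),
                         "comm": rec.get("comm"), "reasons": reasons})
    return findings


def suspicious(lines) -> list:
    """Only the root shells that carry at least one reason to report."""
    return [f for f in report_root_shells(lines) if f["reasons"]]


if __name__ == "__main__":
    for f in report_root_shells(SAMPLE_LOG):
        flag = "REPORT" if f["reasons"] else "ok    "
        print(f"{flag} {f['exe']} auid={f['auid']} {'; '.join(f['reasons'])}")
```

Two design points follow from the article's argument. The report keeps every root shell, not only the suspicious ones, because the lexicon's own wording is "log and report all creations of a root shell"; filtering happens afterwards. And the login uid is the field that survives a privilege change, which is why the rules key on `auid` rather than on `uid` alone: a shell that is root in every other field still reveals which session created it.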


U.S. Strategic Command Cyber Warfare Lexicon

All definitions below are taken from U.S. Strategic Command (USSTRATCOM) Cyber Warfare Lexicon Version 1.7.6.

cyberspace

(U//FOUO) cyberspace: a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. (from 12 May 2008 SECDEF memo)

[(U//FOUO) Previous version – cyberspace: A domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures. (from NMS-CO)]


cyberspace operations (CO)

(U//FOUO) cyberspace operations (CO): All activities conducted in and through cyberspace in support of the military, intelligence, and business operations of the Department. (based on NMS-CO description)

(U//FOUO) cyberspace operations (CO): The employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the global information grid. (from 29 Sep 2008 VJCS Memo, however it is inconsistent with NMS-CO and improperly limited)


cyber warfare (CW)

(U//FOUO) cyber warfare (CW): Creation of effects in and through cyberspace in support of a combatant commander’s military objectives, to ensure friendly forces freedom of action in cyberspace while denying adversaries these same freedoms. Composed of cyber attack (CA), cyber defense (CD), and cyber exploitation (CE).


cyber attack (CA)

(U//FOUO) cyber attack (CA): Cyber warfare actions intended to deny or manipulate information and/or infrastructure in cyberspace. Cyber attack is considered a form of fires.


cyber defense (CD)

(U//FOUO) cyber defense (CD): Cyber warfare actions to protect, monitor, detect, analyze, and respond to any uses of cyberspace that deny friendly combat capability and unauthorized activity within the DOD global information grid (GIG).


cyber exploitation (CE)

(U//FOUO) cyber exploitation (CE): Cyber warfare enabling operations and intelligence collection activities to search for, collect data from, identify, and locate targets in cyberspace for threat recognition, targeting, planning, and conduct of future operations.


cyber warfare capability

(U//FOUO) cyber warfare capability: A capability (e.g. device, computer program, or technique), including any combination of software, firmware, and hardware, designed to create an effect in cyberspace, but that has not been weaponized. Not all cyber capabilities are weapons or potential weapons.


cyber weapon system

(U//FOUO) cyber weapon system: A combination of one or more weaponized offensive cyber capabilities with all related equipment, materials, services, personnel, and means of delivery and deployment (if applicable) required for self-sufficiency. (Note: adapted directly from JP 1-02 of weapon system.)


cyber weaponization

(U//FOUO) cyber weaponization: The process of taking an offensive cyber capability from development to operationally ready by incorporating control methods, test and evaluation, safeguards, security classification guidance, interface/delivery method, certified and trained personnel, employment recorder, CONOP, TIP, life-cycle support, and launch platform.


cyber weapon characterization

(U//FOUO) cyber weapon characterization: The process of determining and documenting the effect producing mechanisms and assurance factors of cyber weapons. Characterization includes aspects of technical assurance evaluation, OT&E, risk/protection assessments, and other screening processes. Answers the question: “What do I need to know about this weapon before I can use it?” [Note: Cyber Weapon Characterization is one step in the Cyber Weaponization process.]


cyber weapon categorization

(U//FOUO) cyber weapon categorization: A binning of cyber weapon capabilities into categories, based on risk assessment and the release authority required for their use. Useful for answering the question: “Who can authorize use of this weapon?” Example categories might be:

• Category I – Combatant commander release

• Category II – Pre-approved for combatant commander use in specific OPLANs

• Category III – President/SECDEF release only


cyber weapon delivery mode

(U//FOUO) cyber weapon delivery mode: The method via which a cyber weapon (or a command to such a weapon) is delivered to the target. Delivery may be via direct implant or remote launch. Hardware cyber weapons often require direct implant. Remote launched cyber weapons and/or commands may be placed via wired and/or wireless paths.


cyber weapon flexibility

(U//FOUO) cyber weapon flexibility: The extent to which the cyber weapon’s design enables operator reconfiguration to account for changes in the target environment.


cyber weapon identification

(U//FOUO) cyber weapon identification: The manner in which a cyber weapon is represented for inventory control purposes, based on the weapon’s forensic attributes (e.g. for software: file name, file size, creation date, hash value, etc., for hardware: serial number, gram weight, stimulus response, x-ray image, unique markings, etc.).


cyber weapon vulnerability

(U//FOUO) cyber weapon vulnerability: An exploitable weakness inherent in the design of a cyber weapon. Weaknesses are often in one of the following risk areas:

  • detectability risk – The risk that a weapon will be unable to elude discovery or suspicion of its existence. This includes the adverse illumination risk of hardware weapons.
  • attribution risk – The risk that the discoverer of a weapon or its effect will be able to identify the source and/or originator of the attack or the source of the weapon used in the attack.
  • co-optability risk – The risk that, once discovered, the weapon or its fires will be able to be recruited, used, or reused without authorization.
  • security vulnerability risk – The risk that, once discovered, an unauthorized user could uncover a security vulnerability in the weapon that allows access to resources of the weapon or its launch platform. This includes the risk of an adversary establishing covert channels over a weapon’s C2 link.
  • misuse risk – The risk that the weapon can be configured such that an authorized user could unintentionally use it improperly, insecurely, unsafely, etc.
  • policy, law, & regulation (PLR) risk – The risk that the weapon could be configured such that an authorized user could intentionally use it in violation of existing policy, laws, and regulations.


access

(U) access: Sufficient level of exposure to or entry into a target to enable the intended effect.


collateral effect

(U) collateral effect: Unintentional or incidental effects, including injury or damage, to persons or objects that would not be lawful military targets in the circumstances ruling at the time.


deny

(U) deny: To attack by degrading, disrupting, or destroying access to or operation of a targeted function by a specified level for a specified time. Denial is concerned with preventing adversary use of resources.

  • (U) degrade: (a function of amount) To deny access to or operation of a targeted function to a level represented as a percentage of capacity. Desired level of degradation is normally specified.
  • (U) disrupt: (a function of time) To completely but temporarily deny access to or operation of a targeted function for a period represented as a function of time. Disruption can be considered a special case of degradation where the degradation level selected is 100%.
  • (U) destroy: To permanently, completely, and irreparably deny access to, or operation of, a target. Destruction is the denial effect where time and level are both maximized.


dud

(U) dud: A munition that has not been armed or activated as intended or that failed to take an expected action after being armed or activated. (Note: adapted directly from JP 1-02 of dud.)


effects assessment (EA)

(U) effects assessment (EA): The timely and accurate evaluation of effects resulting from the application of lethal or non-lethal force against a military objective. Effect assessment can be applied to the employment of all types of weapon systems (air, ground, naval, special forces, and cyber weapon systems) throughout the range of military operations. Effects assessment is primarily an intelligence responsibility with required inputs and coordination from the operators. Effects assessment is composed of physical effect assessment, functional effect assessment, and target system assessment. Note: Battle Damage Assessment (BDA) is a specific type of effects assessment for damage effects. (This is a direct adaptation from the JP 1-02 definition of BDA.)


intended cyber effect

(U//FOUO) intended cyber effect: A sorting of cyber capabilities into broad operational categories based on the outcomes they were designed to create. These categories are used to guide capability selection decisions. Answers the question: “What kind of capability is this?” Specifically:

• denial – degrade, disrupt, or destroy access to, operation, quality of service, or availability of target resources, processes, and/or data.

• manipulation – manipulate, distort, or falsify trusted information on a target.

• command and control – provide operator control of deployed cyber capabilities.

• information/data collection – obtain targeting information about targets or target environments.

• access – establish unauthorized access to a target.

• enabling – provide resources or create conditions that support the use of other capabilities.


kinetic

(U) kinetic: Of or pertaining to a weapon that uses, or effects created by, forces of dynamic motion and/or energy upon material bodies. Includes traditional explosive weapons/effects as well as capabilities that can create kinetic RF effects, such as continuous wave jammers, lasers, directed energy, and pulsed RF weapons.


non-kinetic

(U) non-kinetic: Of or pertaining to a weapon that does not use, or effects not created by, forces of dynamic motion and/or energy upon material bodies.


lethal

(U) lethal: Of or pertaining to a weapon or effect intended to cause death or permanent injuries to personnel.


non-lethal

(U) non-lethal: Of or pertaining to a weapon or effect not intended to cause death or permanent injuries to personnel. Nonlethal effects may be reversible and are not required to have zero probability of causing fatalities, permanent injuries, or destruction of property.

manipulate

(U//FOUO) manipulate: To attack by controlling or changing a target’s functions in a manner that supports the commander’s objectives; includes deception, decoying, conditioning, spoofing, falsification, etc. Manipulation is concerned with using an adversary’s resources for friendly purposes and is distinct from influence operations (e.g. PSYOP, etc.).

misfire

(U) misfire: The failure of a weapon to take its designed action; failure of a primer, propelling charge, transmitter, emitter, computer software, or other munitions component to function properly, wholly or in part. (Note: adapted directly from the JP 1-02 definition of misfire.)

probability of effect (PE)

(U) probability of effect (PE): The chance of a specific functional or behavioral impact on a target given a weapon action.

target state

(U) target state: The condition of a target described with respect to a military objective or set of objectives.

targeted vulnerability

(U) targeted vulnerability: An exploitable weakness in the target required by a specific weapon.

  • objective vulnerability: A vulnerability whose exploitation directly accomplishes part or all of an actual military objective.
  • access vulnerability: A vulnerability whose exploitation allows access to an objective vulnerability.

weapon action

(U) weapon action: The effect-producing mechanisms or functions initiated by a weapon when triggered. The weapon actions of a kinetic weapon are blast, heat, fragmentation, etc. The weapon actions of a cyber attack weapon might be writing to a memory register or transmission of a radio frequency (RF) waveform.

weapon effect

(U) weapon effect: A direct or indirect objective (intended) outcome of a weapon action. In warfare, the actions of a weapon are intended to create effects, typically against the functional capabilities of a material target or to the behavior of individuals. Effect-based tasking is specified by a specific target scope, desired effect level, and start time and duration.

  • direct effect: An outcome that is created directly by the weapon’s action. Also known as a first order effect.
  • indirect effect: An outcome that cascades from one or more direct effects or other indirect effects of the weapon’s action. Also known as second, third, Nth order effects, etc.

Revealed – DHS National Cybersecurity and Communications Integration Center Heartbleed Advisories

The following advisories were issued by the National Cybersecurity and Communications Integration Center on April 10, 2014. Both notices are marked with distribution restrictions based on the US-CERT Traffic Light Protocol (TLP). The advisory marked TLP: GREEN is not intended for public distribution.

“Heartbleed” OpenSSL Vulnerability TLP: GREEN 4 pages Download
“Heartbleed” OpenSSL Vulnerability TLP: WHITE 2 pages Download

Security researchers from Google Security recently discovered a vulnerability in the Heartbeat extension (RFC 6520) to OpenSSL’s Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) implementations. According to open source reports, the vulnerability has existed within the affected OpenSSL releases since at least 2012. The Heartbeat extension is functionally a “keep-alive” between end-users and the secure server: a peer sends a heartbeat request carrying a payload of up to 64KB, and once the server receives it, the server echoes the same payload back at the same size. The out-of-bounds “read” vulnerability exists because the Heartbeat code in OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta through 1.0.2-beta1 does not check that the payload length claimed in the request matches the data the end-user actually sent. As a result, a malicious actor could send a specially-crafted heartbeat request to the vulnerable server and obtain whatever sensitive information happened to be stored in memory adjacent to the request. Furthermore, even though each heartbeat is limited to a 64KB segment, it is possible to send repeated requests to retrieve additional 64KB segments, which could include the private keys for the server’s certificates, passwords, usernames, and other sensitive content resident in memory at the time. An attacker could harvest enough 64KB segments to piece together larger groupings of information, which could help the attacker develop a broader understanding of the information being acquired.

According to a Trusted Third Party, exploit code written in Python has been observed in publicly available online outlets. There have also been a number of underground forums discussing the vulnerability, which indicates interest from nefarious actors. Internal Trusted Third Party assessments reveal that the code is 100% effective against the specific OpenSSL versions noted above. However, at this time it has not been observed to have the capability to compromise other SSL/TLS implementations. It is also important to note that at this time there have been no reported malicious attacks that exploit this vulnerability.
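The missing length check described above, as an added illustration that is not part of the advisory or of OpenSSL’s code. The RFC 6520 heartbeat layout (type, 16-bit payload length, payload, padding) is simulated over a constructed bytearray standing in for the server’s process memory, with the unchecked copy of the vulnerable releases beside the bounds check that OpenSSL 1.0.1g added. The secret placed after the record, the memory layout and the function names are assumptions of this example.

```python
"""Heartbleed in miniature: the RFC 6520 heartbeat record and the missing
length check, simulated over a bytearray.

Added illustration, not code from the advisory or from OpenSSL. The
"process memory" is a constructed bytearray standing in for the heap region
that followed a received record in a real server; SECRET is a constructed
stand-in for whatever sat there (here, the start of a PEM private key).
"""
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding

# Constructed stand-in for adjacent heap contents.
SECRET = b"-----BEGIN RSA PRIVATE KEY-----"


def build_heartbeat_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    An honest peer sets claimed_len == len(payload); the exploit claims a
    payload_length far larger than the bytes it actually sends."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack(">BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def _echo(payload: bytes) -> bytes:
    """Build the HeartbeatResponse that carries payload back to the peer."""
    return struct.pack(">BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


def vulnerable_heartbeat(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: trust the 16-bit payload_length field and copy that
    many bytes from where the payload starts, even past the end of the record.
    record_len is what the TLS record layer actually delivered; it is ignored."""
    msg_type, payload_len = struct.unpack(">BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    # No comparison of payload_len against record_len: the slice runs into
    # whatever followed the record in memory (up to 64KB of it).
    return _echo(bytes(memory[3:3 + payload_len]))


def patched_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: silently discard any record whose claimed payload plus
    header and minimum padding exceeds the length actually received."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    msg_type, payload_len = struct.unpack(">BH", memory[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # the bounds check OpenSSL 1.0.1g added
    return _echo(bytes(memory[3:3 + payload_len]))


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a HeartbeatResponse (what the attacker reads)."""
    _, n = struct.unpack(">BH", response[:3])
    return response[3:3 + n]


def simulate(claimed_len: Optional[int]) -> Tuple[bytes, Optional[bytes]]:
    """Place a request directly in front of SECRET and run both handlers on it."""
    request = build_heartbeat_request(b"ping", claimed_len)
    memory = bytearray(request) + SECRET + b"\x00" * 64
    return vulnerable_heartbeat(memory, len(request)), patched_heartbeat(memory, len(request))


if __name__ == "__main__":
    leaked, dropped = simulate(claimed_len=0x4000)
    print("patched handler dropped the record:", dropped is None)
    print("vulnerable handler leaked:", response_payload(leaked))
```

With an honest request both handlers return the same four-byte echo; with a claimed length of 0x4000 the patched handler drops the record and the vulnerable one returns everything that followed the request in the simulated memory, which is why the advisory warns that repeated requests can walk through keys, passwords and session content.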

The following vendors and products may include vulnerable OpenSSL versions within their product distributions:
• CentOS Project – CentOS 6
• Debian Project – Debian GNU/Linux 7.0
• FreeBSD Project – FreeBSD 10.0 and prior
• Gentoo Foundation – Gentoo releases through 8 April 2014
• Novell, Inc – openSUSE 12.3 and 13.1
• Red Hat Inc – Fedora 19 and 20; Enterprise Linux/Desktop/HPC Node/Server/Workstation v.6; Enterprise Linux Server AUS v.6.5; Enterprise Linux Server EUS v.6.5.z; Enterprise Virtualization 3; and Storage Server 2.1
• Android mobile devices
• Third Party code using Python/Perl/Ruby
• OpenVPN
• Aruba Networks: ArubaOS 6.3.x and 6.4.x; ClearPass 6.1.x, 6.2.x, and 6.3.x
• Check Point Software Technologies: All versions of Security Gateway, Security Management, Multi-Domain Management/Provider-1, Data Center Security appliances, Endpoint Security Server, Endpoint Connect and SSL Network Extender, Gaia, Gaia Embedded, SecurePlatform 2.6, SecurePlatform Embedded, IPSO 4.x, IPSO 5.x, IPSO 6.2
• Cisco Systems: AnyConnect Secure Mobility Client for iOS; Desktop Collaboration Experience DX650; Unified 7900, 8900, 9900 series IP Phones; TelePresence Video Communication Server (VCS)
• Fortinet Inc: FortiGate (FortiOS) 5.0 and higher, FortiAuthenticator 3.0 and higher, FortiMail 5.0 and higher, FortiVoice, and FortiRecorder
• Juniper Networks: JUNOS OS 13.3R1, Odyssey Client 5.6r5 and later, IVEOS 7.4r1 and later as well as 8.0r1 and later, UAC 4.4r1 and later as well as 5.0r1 and later, JUNOS Pulse (Desktop) 4.0r5 and later as well as 5.0r1 and later, Network Connect 7.4r5 through 7.4r9.1 and 8.0r1 through 8.0r3.1, JUNOS Pulse (Mobile) for Android and iOS 4.2r1 and later
• F5 Networks: BIG-IP AAM 11.5.0 – 11.5.1; BIG-IP AFM 11.5.0 – 11.5.1; BIG-IP Analytics 11.5.0 – 11.5.1; BIG-IP APM 11.5.0 – 11.5.1; BIG-IP ASM 11.5.0 – 11.5.1; BIG-IP Edge Clients for Apple iOS 1.0.5, 2.0.0 – 2.0.1; BIG-IP Edge Clients for Linux 7080 – 7101; BIG-IP Edge Clients for MAC OS X 7080 – 7101; BIG-IP Edge Clients for Windows 7080 – 7101; BIG-IP GTM 11.5.0 – 11.5.1; BIG-IP Link Controller 11.5.0 – 11.5.1; BIG-IP LTM 11.5.0 – 11.5.1; BIG-IP PEM 11.5.0 – 11.5.1; BIG-IP PSM 11.5.0 – 11.5.1

Many of the vulnerable vendors noted above have already begun issuing patches and have information posted on their websites and portals addressing the vulnerability and a plan of action.

On a more positive note, the Firefox, Chrome, and Internet Explorer browsers on Windows do not use OpenSSL for their TLS implementations, so the browsers themselves are not affected.

The nature of this vulnerability is such that if encryption keys are captured by a malicious actor, then previously captured transmissions, including usernames, passwords, and other sensitive content, could be decrypted. From an end-user’s perspective, changing passwords before system patches have been implemented could still leave SSL transmissions vulnerable, since the new password would travel over a connection that can still be read. Until patches are fully implemented, closely monitoring email accounts, bank accounts, social media accounts, and other assets is strongly recommended. End-users can set their web browsers to check for revoked certificates automatically; Firefox does this by default.

Can I share this product?

Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

SECRET – U.S. Army Cyber Electromagnetic Activities (CEMA) Manual

The following manual was released by the U.S. Army on February 12, 2014.  The manual was first reported by Steven Aftergood of the Federation of American Scientists.

FM 3-38 Cyber Electromagnetic Activities

  • 96 pages
  • February 12, 2014

Download

FM 3-38, Cyber Electromagnetic Activities, provides overarching doctrinal guidance and direction for conducting cyber electromagnetic activities (CEMA). This manual describes the importance of cyberspace and the electromagnetic spectrum (EMS) to Army forces and provides the tactics and procedures commanders and staffs use in planning, integrating, and synchronizing CEMA.

This manual provides the information necessary for Army forces to conduct CEMA that enable them to shape their operational environment and conduct unified land operations. It provides enough guidance for commanders and their staffs to develop innovative approaches to seize, retain, and exploit advantages throughout an operational environment. CEMA enable the Army to achieve desired effects in support of the commander’s objectives and intent.

The principal audience for FM 3-38 is all members of the profession of arms. Commanders and staffs of Army headquarters serving as joint task force or multinational headquarters should see applicable joint or multinational doctrine concerning cyberspace operations, electronic warfare (EW), and spectrum management operations (SMO). Trainers and educators throughout the Army will also use this manual.

CYBER ELECTROMAGNETIC ACTIVITIES DEFINED
1-1. Cyber electromagnetic activities are activities leveraged to seize, retain, and exploit an advantage over adversaries and enemies in both cyberspace and the electromagnetic spectrum, while simultaneously denying and degrading adversary and enemy use of the same and protecting the mission command system (ADRP 3-0). CEMA consist of cyberspace operations (CO), electronic warfare (EW), and spectrum management operations (SMO) (see figure 1-1 on page 1-2).

1-2. Army forces conduct CEMA as a unified effort. Integration is the arrangement of military forces and their actions to create a force that operates by engaging as a whole (JP 1-02). Synchronization is the arrangement of military actions in time, space, and purpose to produce maximum relative combat power at a decisive place and time (JP 1-02). CEMA integrates and synchronizes the functions and capabilities of CO, EW, and SMO to produce complementary and reinforcing effects. Conducting these activities independently may detract from their efficient employment. If uncoordinated, these activities may result in conflicts and mutual interference between them and with other entities that use the electromagnetic spectrum (EMS). CO, EW, and SMO are synchronized to cause specific effects at decisive points to support the overall operation.

1-3. The CEMA element is responsible for planning, integrating, and synchronizing CO, EW, and SMO to support the commander’s mission and desired end state within cyberspace and the EMS. During execution the CEMA element is responsible for synchronizing CEMA to best facilitate mission accomplishment. (See chapter 2 for more information on the CEMA element.)

1-4. Cyberspace operations, EW, and SMO are essential to the conduct of unified land operations. While these activities differ in their employment and tactics, their functions and capabilities must be integrated and synchronized to maximize their support to unified land operations. The integration of these activities requires an understanding of the functions and capabilities being employed.

CYBERSPACE OPERATIONS

1-5. Cyberspace operations are the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace (JP 3-0). Cyberspace operations consist of three functions: offensive cyberspace operations, defensive cyberspace operations, and Department of Defense information network operations (see chapter 3).

ELECTRONIC WARFARE

1-6. Electronic warfare is any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy (JP 3-13.1). EW consists of three functions: electronic attack, electronic protection, and electronic warfare support. These functions are referred to as divisions in joint doctrine (see chapter 4).

SPECTRUM MANAGEMENT OPERATIONS

1-7. SMO are the interrelated functions of spectrum management, frequency assignment, host-nation coordination, and policy that enable the planning, management, and execution of operations within the electromagnetic operational environment during all phases of military operations. SMO are the management portions of electromagnetic spectrum operations (EMSO). EMSO also include electronic warfare (see chapter 5).

FUNCTIONS OF CYBERSPACE OPERATIONS

3-1. Army forces coordinate and integrate CO through CEMA. They do this to gain and maintain freedom of action in cyberspace and as required to achieve periods of cyberspace superiority.

3-2. Cyberspace superiority is the degree of dominance in cyberspace by one force that permits the secure, reliable conduct of operations by that force, and its related land, air, maritime, and space forces at a given time and place without prohibitive interference by an adversary (JP 1-02). Such interference is possible because large portions of cyberspace are not under the control of friendly forces. Cyberspace superiority establishes conditions describing friendly force freedom of action while denying this same freedom of action to enemy and adversary actors. Ultimately, Army forces conduct CO to create and achieve effects in support of the commander’s objectives and desired end state.

3-3. CO are categorized into three functions including offensive cyberspace operations (OCO), defensive cyberspace operations (DCO), and Department of Defense information network operations. These functions are described in joint doctrine as missions in cyberspace that require specific actions in cyberspace (see joint doctrine for CO). Figure 3-1 on page 3-2 depicts the three interdependent functions of CO.

OFFENSIVE CYBERSPACE OPERATIONS

3-4. Offensive cyberspace operations are cyberspace operations intended to project power by the application of force in or through cyberspace (JP 1-02). Army forces conduct OCO across the range of military operations by targeting enemy and hostile adversary activity and related capabilities in and through cyberspace. OCO are designed to support the commander’s objectives and intent consistent with applicable authorities and legal frameworks. (See paragraph 3-38 for additional information on authorities and other legal considerations.)

3-5. OCO are conducted in and through cyberspace where information technology infrastructures, along with the people and systems that use them, exist in an area of operations and pervade an operational environment. To varying degrees, host-nation populations, governments, security forces, businesses and other actors rely upon these infrastructures and supporting networks or systems. Given these conditions, OCO require deliberate coordination and integration to ensure desired effects (changes in behavior which do not suggest the ways or means those changes were created) are created and focused at the right place and time in support of the commander’s objectives.

3-6. Using OCO, commanders can mass effects through the employment of lethal and nonlethal actions leveraging all capabilities available to gain advantages in cyberspace that support objectives on land. For example, cyberspace capabilities and other information-related capabilities may be directed at an enemy weapons system consisting of the targeted platform and its operators. The cyberspace capability could create degrading effects on the platform while an information-related capability influences, disrupts, corrupts, or usurps the decisionmaking of the operator. (See FM 3-13 for additional information on inform and influence activities (IIA) and information-related capabilities.)

CYBERSPACE ATTACK

3-7. A cyberspace attack consists of actions that create various direct denial effects in cyberspace (for example, degradation, disruption, or destruction) and manipulation that leads to denial that is hidden or that manifests in the physical domains. For the Army, cyberspace attacks are a type of cyberspace operation employed primarily in support of OCO. Cyberspace attacks are primarily employed outside of LandWarNet, but they are coordinated and deconflicted inside of the Department of Defense information networks (DODIN). (See paragraph 3-24 for additional information on the DODIN.)

3-8. Army forces conduct or facilitate cyberspace attacks in support of OCO within designated areas of operation. For example, when employed as part of an offensive cyberspace operation, a cyberspace attack may be directed at information resident in, or in transit between, computers (including mobile phones and personal digital assistants) and computer networks used by an enemy or adversary. Enemy or adversary actors may be denied the ability to use resources or have their information resources used for friendly purposes as a result of a cyberspace attack. In every instance, commanders and staffs follow appropriate authorities and legal guidance. (See paragraph 3-38 for additional information on authorities and other legal considerations.)

3-9. Using specific portions of cyberspace and the electromagnetic spectrum (EMS) as primary pathways or avenues of approach, cyberspace attacks may employ capabilities such as tailored computer code in and through various network nodes such as servers, bridges, firewalls, sensors, protocols, operating systems, and hardware associated with computers or processors. Tailored computer code is only one example of a cyberspace capability (a device, computer program, or technique, including any combination of software, firmware, or hardware) designed to create an effect in or through cyberspace. The development and employment of tailored computer code represents the core and unique technical nature of CO capabilities. Computer code is designed to create specific effects, and when employed this code moves in the form of data packets in and through cyberspace across wired and wireless driven communication technology and systems. Cyberspace attacks must therefore be coordinated and integrated in support of the commander’s objectives and consistent with applicable assessment measures and indicators.

3-10. Cyberspace attack capabilities are employed to support maneuver operations by creating simultaneous and complementary effects. For example, a cyberspace attack capability may be employed in conjunction with electronic attack, offensive space control, fires, and information related capabilities to deceive, degrade, destroy, and disrupt a specific enemy integrated air defense system or enemy safe haven (see table 3-1 on page 3-4).

 

UNVEILED – Cyber Command Suffers Second Defeat, Dump It

First Cyber Command Defeat:

http://cryptome.org/0002/uscybercom/uscybercom-defeat.htm

Cyber Command suffered its second defeat with the win of Edward Snowden. The first defeat was won by Bradley Manning. This suggests Cybercom deserves dissolution and a better command instituted, or, best, nothing like it.

The commander for both losses, General Keith Alexander, has to go. And a new, agile Cybercom, if it is to endure, needs to be separated from the venerable, deeply experienced, albeit sclerotic, National Security Agency. Different missions require different enabling legislation, leadership, funding, policy, staffing, training, operation and security.

An effective Cybercom may not be possible within the military culture of tradition, over-staffing, minutely specified military occupation specialty, hierarchical rank, medieval separation of officers from enlisted members, advancement in rank by longevity and favoritism, special training for combat, and further divided between military and civilian — the latter further fragmented between inside civilians and outside contractors with multiple sub-contractors.

The legislation and implementation of this complex traditional, command-driven organization assures it will not be capable of handling the challenges of cyber swarming, rapid evolution of technology and techniques — much of it grown outside established institutions — youthful contempt for authority, national and international disloyalty and disinterest, and most of all, ingrained insurgency.

For this insurgency, outwitting national security establishments is considered to be sport, a game, a test of prowess, bragging rights, and it is winning in cyber space, only periodically, laughingly infrequently, defeated, captured and imprisoned by use of legacy, lumbering, clumsy, expensive, failure-and-excuse-prone mechanisms, in which legacy leaders like NSA, FBI, CIA, White House and Congress — supported by contractors, lobbyists and donors — can only dissimulate, apologize and promise to do better with more funding and more draconian crack-down on civil liberties.

Cyber Command is a failure — sibling of Department of Homeland Security — a boondoggle, a huge transfer of funds to the cybersecurity (and homeland security) industry from legacy military pork barrels. Thousands of suitably-skilled youngsters — most self-trained by a subversive culture hostile to authority — have been enlisted, hired and contracted to run cyber offensive and defensive operations under the rigidly ranked command of military officers accustomed to obedience and respect of rank.

Cybersecurity contracting — commercial and institutional — is an equally great failure. It too is a boondoggle, spoiled rotten with generous and laxly-overseen funding, often led by ex-military officers and those long accustomed to military grade perquisites, protected by secrecy, back-slapping, insider favoritism, laziness, lack of competition, forgiveness of corruption, shallow and classified IG investigation, all the attributes of its single customer, the national security consortium beloved of governments and autocrats.

No wonder the coddled and well-paid youngsters defy, dance around, ridicule and outrun these balloon-headed officers and liquored-contractors, this is what they have done most of their teenage and adult lives. Their loyalty is to their own culture, open, non-secret, disputatious, daring and fun-filled, most emphatically not venerated-military or rich-contractor grade.

What would a replacement for Cybercom be like? Not military, not commercial, not NGO, then what?

Plenty of cyber initiatives are underway which demonstrate effective alternatives to hierarchical military, commercial and NGO cyber deadwood. They have been created and are run by some of the most brilliant brains and imaginations in the world, agile, cheap, mostly volunteer and leaderless, disputatious, humorous, dismissive of authority of any kind, gov, mil, com, edu, org.

Don’t expect to hire or contract or academicize them. The best of them do not go inside institutions — except to social engineer and disclose the secrets of authoritative corruption.

Examples abound: just read the official demonizations of outsiders spilling insider secrets of gov, mil, com and ngo.

Instead of wasting treasure on dim-witted cybercommands listen to those secret-spilling demons, better understood as angels out-dancing the pinheads.

TOP-SECRET – Defense Security Service Cybersecurity Operations Division Counterintelligence Presentation

Defense Security Service Cybersecurity Operations Division

  • 33 pages
  • For Official Use Only
  • December 2012

Download

DSS supports national security and the warfighter, secures the nation’s technological base, and oversees the protection of U.S. and foreign classified information in the hands of industry.

CI Mission

DSS CI identifies unlawful penetrators of cleared U.S. defense industry and articulates the threat for industry and government leaders

Scope

• 10K+ firms; 13K+ facilities; 1.2M personnel
• 1 CI professional per 261 facilities
• 10.5% of facilities report

Capability

• (U) 11 personnel conducting analysis, liaison, field support, strategic development and program management
• (U) Wide range of skill sets – CI, CT, LE, Cyber, Security, Intel, IA, CNO and more
• (U) Direct access to cleared industry across 25 DSS field offices nationwide
• (U) Large roles at U.S. Cyber Command, National Security Agency, National Cyber Investigative Joint Task Force and the Department of Homeland Security

Challenges

• (U) Secure sharing of threat information with industry partners
• (U) Identifying and reporting suspicious network activity
• (U) Limited resources to execute a quickly expanding mission area

Significant Achievements and Notable Events

• (U) Since September, 2009 – Assessed over 3,000 cyber-related suspicious contact reports from Industry and the Intelligence Community; facilitating action on over 170 federal investigations/operations
• (U) Developed four benchmark product lines for Industry and the Intelligence Community to include the 3rd edition of the DSS Cyber Trends
• (U) Briefed at 24 venues and over 1,000 personnel in FY12 on the cyber threat
• (U) In FY12, delivered over 350 threat notifications to industry, detailing adversary activity occurring on their networks.

(U) FY12 Industry Cyber Reporting

• (U//FOUO) 1,678 suspicious contact reports (SCR) categorized as cyber incidents (+102% from FY11)
• (U//FOUO) 1,322 of these were assessed as having a counterintelligence (CI) nexus or were of some positive intelligence (PI) value (+186% increase from FY11)
• (U//FOUO) 263 were categorized as successful intrusions (+78% increase from FY11)
• (U//FOUO) 82 SCRs resulted in an official investigation or operation by an action agency (+37% increase from FY11)

TOP-SECRET – Identifying IP Addresses, Hostnames Associated With Malicious Cyber Activity

DHS-FBI Bulletins Identifying IP Addresses, Hostnames Associated With Malicious Cyber Activity Against the U.S. Government

May 2, 2013 in Department of Homeland Security, Federal Bureau of Investigation

The following bulletins were released in February 2013 by the U.S. Computer Emergency Readiness Team (US-CERT) on a limited basis to “confirmed members of the cybersecurity community of practice, which may include critical infrastructure owners and operators, systems administrators, and information security practitioners.” Both versions of the bulletin were found to be available on a number of public websites associated with various professional associations and trade groups.

Joint Indicator Bulletin (JIB) – INC260425 27 pages February 18, 2013 Download
Joint Indicator Bulletin (JIB) – INC260425-2 10 pages February 26, 2013 Download

Various cyber actors have engaged in malicious activity against Government and Private Sector entities. The apparent objective of this activity has been the theft of intellectual property, trade secrets, and other sensitive business information. To this end, the malicious actors have employed a variety of techniques in order to infiltrate targeted organizations, establish a foothold, move laterally through the targets’ networks, and exfiltrate confidential or proprietary data. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation and other partners, has created this Joint Indicator Bulletin, containing cyber indicators related to this activity. Organizations are advised to examine current and historical security logs for evidence of malicious activity related to the indicators in this bulletin and deploy additional protections as appropriate. In addition, DHS would welcome any additional information your organization may be able to share regarding this or similar activity, which may be provided to the US Computer Emergency Readiness Team (US-CERT) at soc@us-cert.gov.

Document Overview

This Joint Indicator Bulletin is comprised of several sections covering malware indicators, network traffic, tool indicators, hostnames, and IP addresses known to be associated with the ongoing malicious activity. If suspicious network traffic or malware is identified based on these indicators, affected systems should be investigated for signs of compromise.

To support developing shared situational awareness of cyber threats, DHS welcomes any additional information your organization may be able to share regarding this or similar activity. Such information can be provided to the United States Computer Emergency Readiness Team (US-CERT) at soc@us-cert.gov.

Indicator Descriptions

As a general matter, malicious cyber actors have multiple tools at their disposal and can represent a significant threat to targeted victim organizations. Such actors frequently compromise victim organizations with targeted spear-phishing campaigns, understand how to move laterally within a network to acquire targeted data, and often maintain undetected persistence on victim networks for months or even years. The indicators provided in this Bulletin include malware and compromised IP addresses and domains used by such actors.

Malware

Malicious activity like that described in this Bulletin usually originates via targeted spear phishing email campaigns that compromise victim organizations. These emails can result in the installation of one or more pieces of malware used to enable complete control of those systems. The presence of such malware is a strong indication the computer or network has been compromised.

Client Tools

During the course of a computer intrusion, malicious actors often download additional tools to victim systems for the purpose of evading local security measures and to compromise additional computers on victim networks. These tools might have legitimate uses, but, when combined with other indications of an intrusion, could indicate that the computer has been compromised. The presence of these tools alone is not necessarily a positive indication of malicious activity, but may enable an organization to identify malicious activity.

IP Addresses, Hostnames and Second-Level Domains

Malicious actors routinely compromise hosts on the Internet for the purpose of obscuring their activity, particularly the exfiltration of computer files from end-point victims. The majority of these compromised hosts have been configured to prevent identification of the source of the intrusion activity. The traffic from these hosts is generally legitimate, but, because they have been compromised, activity to and from these IPs should be reviewed for indications of malicious traffic.

Malicious actors also make use of numerous Internet hostnames for the purpose of compromising and controlling victim systems. Actors have been known to register second-level domains for their exclusive use in these activities. In addition, malicious actors have been known to use DNS providers that allow the use of specific hostnames that are part of shared second-level domains.

Many of these hostnames and domains may be legitimate hosts or domains that have been co-opted by malicious actors. Any number of the IP addresses or domains in this Bulletin may have been remediated prior to publication of this list. In some cases, a single IP address from this indicator list may represent hundreds or even thousands of legitimate independent websites, or may represent a small business network. A number of indicators contained in this Bulletin resolve back to large scale service providers whose services are being abused. For these reasons, outright blocking of these indicators is not recommended. Rather, traffic from these IPs or domains should be investigated for signs of compromise.
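The log review the bulletin asks for, as an added example that is not the bulletin’s own tooling: indicators are refanged, split into IP addresses and domains, matched against each record’s destination IP and requested hostname (domain matches are made on label boundaries, so a look-alike suffix does not match), and reported as leads ordered by outbound volume rather than used as a blocklist, in line with the caution above. The two IP indicators are taken from the bulletin’s awareness list; the hostname indicators, the log lines and their key=value format are constructed for this example.

```python
"""Triage of a Joint Indicator Bulletin's IP and hostname indicators against
traffic logs: hits are leads to investigate, not a blocklist.

Added example, not the bulletin's own tooling. The two defanged IPs are from
the bulletin's awareness list; the hostname indicators, the log lines and
their key=value format are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

INDICATORS = """
# IP Address Awareness List (excerpt from the bulletin)
107[.]6[.]38[.]55
12[.]10[.]250[.]105
# Hostname / second-level domain indicators (constructed)
update.bad-example.test
bad-example2.test
"""

# Constructed proxy/firewall records; "host" is the requested hostname or "-".
LOG_LINES = [
    "2013-02-20T10:15:01Z src=10.1.2.3 dst=107.6.38.55 host=www.shared-hosting.test bytes_out=1048576",
    "2013-02-20T10:15:07Z src=10.1.2.3 dst=203.0.113.10 host=www.example.com bytes_out=512",
    "2013-02-20T10:16:44Z src=10.1.2.9 dst=198.51.100.7 host=cdn.bad-example2.test bytes_out=7340032",
    "2013-02-20T10:17:02Z src=10.1.2.9 dst=12.10.250.109 host=- bytes_out=80",
    "2013-02-20T10:18:30Z src=10.1.2.5 dst=198.51.100.8 host=update.bad-example.test.evil.test bytes_out=12",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Undo the defanging used in bulletins ("[.]", "(.)") so values compare equal."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def load_indicators(text: str) -> Tuple[Set[str], Set[str]]:
    """Split a bulletin list into IP addresses and hostnames/domains."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value = refang(line)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def parse_line(line: str) -> Dict[str, str]:
    """Parse the constructed key=value record; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def domain_match(host: str, domains: Set[str]) -> Optional[str]:
    """Exact match or a proper subdomain of an indicator; the label-boundary check
    keeps update.bad-example.test.evil.test from matching update.bad-example.test."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_line(line: str, ips: Set[str], domains: Set[str]) -> Optional[Dict]:
    """Return a triage record if the destination IP or hostname is an indicator."""
    f = parse_line(line)
    hits: List[Tuple[str, str]] = []
    if f.get("dst") in ips:
        hits.append(("ip", f["dst"]))
    d = domain_match(f.get("host", ""), domains)
    if d:
        hits.append(("domain", d))
    if not hits:
        return None
    return {"ts": f["ts"], "src": f.get("src"), "dst": f.get("dst"),
            "host": f.get("host"), "indicators": hits,
            "bytes_out": int(f.get("bytes_out", "0"))}


def scan(lines: List[str], indicator_text: str = INDICATORS) -> List[Dict]:
    """Scan log lines; results are sorted by bytes sent, since large outbound
    transfers to an indicator are the exfiltration the bulletin describes."""
    ips, domains = load_indicators(indicator_text)
    hits = [m for m in (match_line(l, ips, domains) for l in lines) if m]
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

Each hit carries the internal source address and the volume sent, which is what an investigator needs first; the record to a shared-hosting IP is reported the same way as the domain hit, since the bulletin notes that one listed address may front many legitimate sites and a hit there is a reason to look, not to block.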

******************************
IP Address Awareness List
******************************

107[.]6[.]38[.]55
108[.]171[.]207[.]62
108[.]171[.]244[.]138
108[.]171[.]246[.]87
108[.]171[.]248[.]182
108[.]171[.]248[.]83
108[.]171[.]248[.]86
108[.]171[.]252[.]41
108[.]171[.]254[.]76
112[.]121[.]164[.]2
112[.]133[.]203[.]215
112[.]133[.]203[.]250
115[.]119[.]92[.]178
115[.]178[.]60[.]19
116[.]212[.]100[.]94
117[.]121[.]241[.]186
119[.]75[.]5[.]132
119[.]75[.]5[.]134
12[.]10[.]250[.]105
12[.]10[.]250[.]109
12[.]10[.]250[.]110
12[.]10[.]250[.]97
12[.]100[.]63[.]135
12[.]147[.]51[.]99
12[.]162[.]189[.]184
12[.]173[.]220[.]231
12[.]173[.]220[.]233
12[.]182[.]10[.]124
12[.]218[.]86[.]2
12[.]233[.]148[.]145
12[.]233[.]148[.]185
12[.]235[.]72[.]138
12[.]235[.]72[.]140
12[.]36[.]96[.]236
12[.]51[.]6[.]132
12[.]7[.]168[.]121
122[.]126[.]32[.]234
122[.]155[.]3[.]147
122[.]160[.]137[.]76
124[.]122[.]156[.]219
128[.]173[.]95[.]6
128[.]95[.]9[.]2
129[.]25[.]5[.]200
129[.]44[.]254[.]145
134[.]208[.]10[.]195
141[.]151[.]164[.]87
142[.]0[.]143[.]207
146[.]145[.]183[.]100
150[.]176[.]56[.]194
158[.]255[.]208[.]211
161[.]58[.]179[.]230
164[.]106[.]102[.]188
164[.]119[.]10[.]170
164[.]119[.]11[.]2
164[.]119[.]54[.]244
164[.]119[.]54[.]247
165[.]165[.]38[.]19
168[.]215[.]137[.]6
168[.]93[.]98[.]3
173[.]10[.]48[.]243
173[.]224[.]208[.]155
173[.]224[.]211[.]14
173[.]224[.]211[.]16
173[.]224[.]214[.]70
173[.]224[.]215[.]73
173[.]224[.]216[.]217
173[.]252[.]255[.]52
182[.]173[.]77[.]26
184[.]105[.]135[.]166
184[.]22[.]26[.]50
184[.]72[.]82[.]144
184[.]82[.]164[.]104
184[.]82[.]47[.]200
189[.]87[.]87[.]3
190[.]13[.]160[.]114
193[.]219[.]90[.]29
194[.]106[.]162[.]203
195[.]22[.]21[.]72
195[.]29[.]247[.]78
196[.]36[.]199[.]217
198[.]15[.]88[.]37
198[.]15[.]88[.]39
198[.]69[.]219[.]173
199[.]119[.]201[.]162
199[.]119[.]201[.]167
199[.]119[.]201[.]67
199[.]119[.]206[.]11
199[.]119[.]206[.]111
199[.]119[.]206[.]19
199[.]119[.]206[.]99
199[.]119[.]207[.]237
199[.]15[.]113[.]218
199[.]15[.]117[.]98
199[.]67[.]16[.]122
199[.]67[.]23[.]45
199[.]71[.]213[.]17
199[.]71[.]213[.]91
199[.]83[.]88[.]98
199[.]83[.]89[.]45
199[.]83[.]93[.]22
199[.]83[.]93[.]51
199[.]83[.]93[.]88
199[.]83[.]95[.]51
199[.]83[.]95[.]60
200[.]53[.]40[.]219
202[.]176[.]81[.]175
202[.]180[.]175[.]16
202[.]43[.]33[.]5
202[.]95[.]222[.]143
202[.]95[.]222[.]145
202[.]95[.]222[.]158
202[.]95[.]222[.]182
202[.]95[.]222[.]183
203[.]118[.]56[.]213
203[.]123[.]147[.]34
203[.]146[.]102[.]166
203[.]146[.]249[.]189
203[.]150[.]230[.]121
203[.]238[.]57[.]1
203[.]64[.]84[.]226
203[.]81[.]38[.]54
203[.]81[.]53[.]14
203[.]82[.]57[.]109
204[.]111[.]73[.]156
204[.]111[.]75[.]107
204[.]12[.]11[.]212
204[.]12[.]11[.]54
204[.]12[.]116[.]166
204[.]12[.]208[.]122
204[.]12[.]208[.]125
204[.]12[.]21[.]69
204[.]12[.]22[.]114
204[.]12[.]224[.]75
204[.]12[.]236[.]182
204[.]12[.]236[.]183
204[.]12[.]63[.]133
204[.]12[.]9[.]251
204[.]13[.]24[.]14
204[.]15[.]132[.]254
204[.]152[.]198[.]194
204[.]16[.]139[.]5
204[.]17[.]34[.]150
204[.]180[.]235[.]103
204[.]180[.]235[.]106
204[.]45[.]101[.]246
204[.]45[.]108[.]237
204[.]45[.]117[.]174
204[.]45[.]123[.]141
204[.]45[.]124[.]100
204[.]45[.]124[.]162
204[.]45[.]124[.]163
204[.]45[.]137[.]74
204[.]45[.]146[.]250
204[.]45[.]147[.]19
204[.]45[.]153[.]52
204[.]45[.]190[.]89
204[.]45[.]198[.]18
204[.]45[.]201[.]107
204[.]45[.]205[.]44
204[.]45[.]230[.]75
204[.]45[.]39[.]4
204[.]45[.]52[.]20
204[.]45[.]64[.]66
204[.]45[.]75[.]250
204[.]45[.]79[.]180
204[.]45[.]79[.]20
204[.]45[.]79[.]218
205[.]159[.]83[.]11
205[.]159[.]83[.]31
205[.]159[.]83[.]91
205[.]164[.]0[.]34
205[.]172[.]20[.]42
205[.]196[.]178[.]23
205[.]209[.]161[.]195
205[.]209[.]161[.]5
205[.]237[.]192[.]123
205[.]242[.]114[.]4
206[.]125[.]45[.]187
206[.]192[.]55[.]117
206[.]204[.]190[.]237
207[.]150[.]197[.]155
207[.]179[.]111[.]5
207[.]182[.]238[.]195
207[.]210[.]252[.]17
207[.]250[.]229[.]52
207[.]250[.]49[.]172
207[.]250[.]49[.]173
207[.]36[.]0[.]193
207[.]36[.]17[.]15
207[.]46[.]17[.]125
207[.]59[.]239[.]122
207[.]65[.]231[.]21
207[.]75[.]209[.]108
207[.]97[.]226[.]130
208[.]106[.]145[.]153
208[.]106[.]146[.]98
208[.]106[.]82[.]119
208[.]109[.]238[.]15
208[.]109[.]238[.]72
208[.]109[.]238[.]80
208[.]109[.]238[.]96
208[.]109[.]49[.]66
208[.]118[.]188[.]166
208[.]118[.]188[.]179
208[.]118[.]188[.]57
208[.]186[.]112[.]40
208[.]221[.]198[.]12
208[.]43[.]154[.]7
208[.]43[.]175[.]82
208[.]43[.]208[.]14
208[.]43[.]225[.]196
208[.]43[.]255[.]135
208[.]43[.]54[.]164
208[.]43[.]71[.]116
208[.]44[.]238[.]249
208[.]57[.]237[.]141
208[.]67[.]248[.]66
208[.]69[.]32[.]230
208[.]77[.]45[.]61
208[.]77[.]45[.]69
208[.]87[.]242[.]93
209[.]104[.]217[.]69
209[.]104[.]217[.]72
209[.]104[.]217[.]76
209[.]114[.]160[.]115
209[.]114[.]222[.]100
209[.]116[.]102[.]225
209[.]158[.]71[.]20
209[.]175[.]175[.]227
209[.]175[.]175[.]230
209[.]200[.]117[.]198
209[.]208[.]95[.]158
209[.]208[.]95[.]86
209[.]212[.]104[.]171
209[.]234[.]81[.]205
209[.]242[.]13[.]230
209[.]242[.]21[.]134
209[.]34[.]224[.]52
209[.]34[.]231[.]197
209[.]34[.]231[.]59
209[.]34[.]233[.]26
209[.]67[.]56[.]252
209[.]75[.]160[.]176
209[.]75[.]160[.]98
210[.]184[.]116[.]198
210[.]193[.]52[.]160
210[.]202[.]22[.]129
210[.]205[.]6[.]219
210[.]220[.]197[.]2
210[.]245[.]64[.]107
210[.]249[.]80[.]141
211[.]115[.]70[.]114
211[.]232[.]57[.]150
211[.]232[.]57[.]235
211[.]232[.]57[.]249
211[.]233[.]58[.]69
212[.]116[.]151[.]146
212[.]150[.]22[.]228
213[.]79[.]32[.]179
216[.]134[.]222[.]200
216[.]136[.]62[.]143
216[.]174[.]25[.]177
216[.]183[.]190[.]162
216[.]183[.]40[.]56
216[.]185[.]0[.]220
216[.]185[.]0[.]9
216[.]196[.]249[.]210
216[.]213[.]99[.]218
216[.]215[.]112[.]83
216[.]226[.]191[.]103
216[.]24[.]192[.]117
216[.]24[.]192[.]121
216[.]24[.]192[.]206
216[.]24[.]192[.]28
216[.]24[.]192[.]44
216[.]24[.]192[.]7
216[.]24[.]192[.]81
216[.]24[.]192[.]83
216[.]24[.]192[.]95
216[.]24[.]196[.]113
216[.]24[.]198[.]14
216[.]24[.]198[.]20
216[.]24[.]199[.]243
216[.]24[.]199[.]62
216[.]24[.]200[.]180
216[.]24[.]201[.]166
216[.]24[.]201[.]198
216[.]24[.]203[.]58
216[.]24[.]204[.]124
216[.]24[.]205[.]30
216[.]24[.]205[.]36
216[.]24[.]205[.]69
216[.]36[.]123[.]12
216[.]68[.]165[.]14
216[.]83[.]42[.]66
216[.]9[.]65[.]6
216[.]99[.]146[.]18
216[.]99[.]148[.]18
217[.]20[.]138[.]42
217[.]22[.]119[.]13
217[.]23[.]9[.]215
218[.]233[.]206[.]2
218[.]234[.]17[.]30
218[.]234[.]21[.]219
220[.]68[.]224[.]116
222[.]231[.]46[.]51
24[.]120[.]244[.]9
24[.]123[.]91[.]130
24[.]123[.]91[.]198
24[.]123[.]91[.]206
24[.]123[.]91[.]6
24[.]123[.]91[.]70
24[.]123[.]91[.]98
24[.]129[.]188[.]158
24[.]172[.]220[.]130
24[.]173[.]220[.]130
24[.]173[.]34[.]139
24[.]199[.]240[.]74
24[.]227[.]145[.]210
24[.]248[.]197[.]112
24[.]249[.]191[.]150
24[.]39[.]42[.]50
24[.]39[.]5[.]85
24[.]43[.]98[.]12
24[.]73[.]123[.]50
24[.]96[.]236[.]182
24[.]97[.]167[.]250
27[.]254[.]34[.]246
38[.]104[.]203[.]222
38[.]104[.]203[.]242
38[.]107[.]179[.]5
4[.]22[.]103[.]26
59[.]116[.]133[.]122
59[.]12[.]137[.]111
59[.]12[.]137[.]146
59[.]12[.]137[.]148
59[.]12[.]137[.]149
59[.]12[.]137[.]150
59[.]12[.]137[.]181
59[.]12[.]137[.]182
59[.]12[.]137[.]183
59[.]12[.]137[.]194
59[.]120[.]140[.]156
59[.]120[.]199[.]82
60[.]51[.]214[.]129
61[.]19[.]248[.]201
61[.]19[.]248[.]203
61[.]218[.]191[.]55
61[.]218[.]191[.]60
61[.]219[.]136[.]132
61[.]72[.]144[.]248
61[.]78[.]60[.]130
62[.]2[.]205[.]146
62[.]244[.]209[.]98
63[.]102[.]52[.]138
63[.]105[.]34[.]53
63[.]105[.]34[.]59
63[.]126[.]12[.]3
63[.]134[.]215[.]111
63[.]134[.]215[.]34
63[.]139[.]221[.]10
63[.]139[.]45[.]83
63[.]147[.]185[.]60
63[.]147[.]31[.]177
63[.]149[.]11[.]233
63[.]149[.]120[.]135
63[.]150[.]10[.]200
63[.]175[.]119[.]46
63[.]200[.]116[.]50
63[.]202[.]58[.]43
63[.]209[.]10[.]247
63[.]224[.]141[.]199
63[.]64[.]153[.]68
63[.]73[.]10[.]131
63[.]73[.]11[.]12
63[.]73[.]11[.]6
63[.]84[.]30[.]211
63[.]86[.]122[.]121
63[.]93[.]109[.]217
63[.]97[.]151[.]230
64[.]124[.]105[.]75
64[.]14[.]253[.]120
64[.]151[.]127[.]68
64[.]151[.]127[.]70
64[.]198[.]120[.]50
64[.]2[.]115[.]238
64[.]222[.]187[.]237
64[.]233[.]222[.]39
64[.]28[.]82[.]36
64[.]3[.]53[.]146
64[.]3[.]53[.]148
64[.]30[.]223[.]147
64[.]45[.]251[.]11
64[.]5[.]38[.]17
64[.]52[.]255[.]20
64[.]6[.]188[.]250
64[.]6[.]188[.]253
64[.]62[.]136[.]154
64[.]62[.]136[.]157
64[.]73[.]238[.]72
64[.]8[.]114[.]123
64[.]80[.]153[.]108
64[.]85[.]177[.]5
64[.]85[.]19[.]6
64[.]88[.]7[.]113
64[.]9[.]204[.]233
65[.]107[.]54[.]151
65[.]114[.]166[.]37
65[.]14[.]25[.]67
65[.]183[.]217[.]55
65[.]49[.]145[.]3
65[.]66[.]118[.]57
65[.]89[.]156[.]126
65[.]97[.]169[.]210
66[.]0[.]135[.]16
66[.]109[.]21[.]182
66[.]111[.]37[.]26
66[.]116[.]58[.]230
66[.]124[.]120[.]193
66[.]129[.]222[.]10
66[.]139[.]186[.]199
66[.]140[.]144[.]70
66[.]153[.]20[.]170
66[.]159[.]250[.]224
66[.]178[.]7[.]201
66[.]181[.]65[.]4
66[.]197[.]231[.]160
66[.]197[.]242[.]218
66[.]197[.]242[.]221
66[.]197[.]242[.]222
66[.]199[.]231[.]210
66[.]199[.]231[.]243
66[.]202[.]107[.]117
66[.]202[.]29[.]73
66[.]220[.]10[.]72
66[.]220[.]10[.]93
66[.]220[.]242[.]230
66[.]228[.]114[.]54
66[.]235[.]214[.]66
66[.]35[.]32[.]70
66[.]36[.]28[.]222
66[.]39[.]205[.]171
66[.]52[.]140[.]13
66[.]55[.]14[.]77
66[.]59[.]109[.]179
66[.]79[.]165[.]158
66[.]92[.]181[.]123
66[.]92[.]241[.]200
66[.]93[.]151[.]226
66[.]93[.]75[.]206
67[.]102[.]105[.]76
67[.]102[.]7[.]4
67[.]107[.]22[.]67
67[.]112[.]49[.]250
67[.]114[.]87[.]218
67[.]135[.]235[.]198
67[.]159[.]164[.]124
67[.]159[.]49[.]188
67[.]159[.]8[.]36
67[.]210[.]105[.]137
67[.]210[.]105[.]216
67[.]210[.]68[.]122
67[.]215[.]163[.]66
67[.]215[.]181[.]130
67[.]215[.]181[.]150
67[.]222[.]165[.]4
67[.]42[.]55[.]113
67[.]76[.]57[.]77
67[.]77[.]204[.]97
67[.]91[.]212[.]115
67[.]93[.]1[.]197
67[.]93[.]1[.]204
67[.]93[.]1[.]228
67[.]93[.]15[.]229
67[.]93[.]15[.]235
67[.]93[.]15[.]240
67[.]93[.]16[.]219
67[.]93[.]255[.]249
67[.]93[.]3[.]3
67[.]93[.]30[.]146
67[.]93[.]30[.]189
67[.]93[.]4[.]27
67[.]93[.]4[.]71
67[.]93[.]4[.]72
67[.]93[.]4[.]89
67[.]93[.]54[.]130
67[.]93[.]54[.]98
69[.]105[.]31[.]51
69[.]106[.]172[.]188
69[.]175[.]28[.]12
69[.]2[.]43[.]123
69[.]2[.]71[.]205
69[.]20[.]125[.]16
69[.]20[.]20[.]129
69[.]20[.]5[.]213
69[.]20[.]57[.]71
69[.]3[.]160[.]20
69[.]3[.]160[.]30
69[.]3[.]160[.]50
69[.]3[.]160[.]60
69[.]48[.]233[.]181
69[.]48[.]233[.]187
69[.]57[.]60[.]42
69[.]68[.]56[.]35
69[.]69[.]94[.]20
69[.]72[.]146[.]33
69[.]94[.]112[.]253
69[.]94[.]65[.]101
69[.]94[.]69[.]101
70[.]166[.]13[.]132
70[.]166[.]13[.]148
70[.]168[.]88[.]230
70[.]85[.]134[.]234
70[.]86[.]77[.]114
70[.]89[.]213[.]145
70[.]89[.]213[.]181
70[.]89[.]213[.]201
70[.]89[.]213[.]22
70[.]89[.]213[.]227
70[.]89[.]213[.]241
70[.]89[.]213[.]249
70[.]89[.]213[.]66
70[.]90[.]53[.]170
71[.]183[.]201[.]26
71[.]2[.]214[.]46
71[.]4[.]109[.]162
71[.]8[.]243[.]14
71[.]8[.]243[.]16
72[.]148[.]171[.]41
72[.]151[.]101[.]55
72[.]167[.]146[.]235
72[.]167[.]34[.]212
72[.]167[.]37[.]238
72[.]167[.]47[.]217
72[.]22[.]11[.]2
72[.]242[.]187[.]211
72[.]242[.]59[.]164
72[.]248[.]173[.]82
72[.]248[.]239[.]146
72[.]32[.]197[.]150
72[.]35[.]85[.]32
72[.]37[.]215[.]244
72[.]52[.]116[.]106
72[.]52[.]209[.]143
72[.]52[.]209[.]145
72[.]52[.]221[.]158
72[.]93[.]90[.]44
74[.]10[.]186[.]7
74[.]112[.]123[.]171
74[.]117[.]58[.]92
74[.]117[.]60[.]141
74[.]117[.]62[.]210
74[.]117[.]62[.]88
74[.]117[.]63[.]250
74[.]208[.]111[.]135
74[.]208[.]148[.]125
74[.]208[.]65[.]251
74[.]208[.]67[.]95
74[.]213[.]40[.]2
74[.]52[.]63[.]114
74[.]52[.]63[.]138
75[.]146[.]252[.]217
75[.]146[.]252[.]218
75[.]148[.]254[.]115
75[.]149[.]183[.]228
75[.]52[.]111[.]62
75[.]77[.]82[.]225
75[.]77[.]82[.]242
75[.]77[.]82[.]70
76[.]12[.]37[.]97
76[.]164[.]171[.]3
76[.]164[.]171[.]5
76[.]164[.]171[.]6
76[.]76[.]146[.]89
76[.]76[.]54[.]137
8[.]4[.]112[.]2
82[.]165[.]181[.]105
83[.]238[.]134[.]58
87[.]229[.]126[.]60
89[.]175[.]175[.]186
89[.]175[.]175[.]187
89[.]175[.]175[.]188
93[.]152[.]156[.]106
96[.]10[.]19[.]210
96[.]47[.]232[.]16
96[.]47[.]232[.]161
96[.]57[.]145[.]11
98[.]110[.]71[.]108
98[.]126[.]0[.]12
98[.]126[.]0[.]163
98[.]126[.]10[.]124
98[.]126[.]103[.]164
98[.]126[.]106[.]19
98[.]126[.]114[.]4
98[.]126[.]15[.]250
98[.]126[.]18[.]74
98[.]126[.]18[.]82
98[.]126[.]18[.]83
98[.]126[.]19[.]163
98[.]126[.]203[.]45
98[.]126[.]21[.]116
98[.]126[.]25[.]35
98[.]126[.]28[.]245
98[.]126[.]3[.]235
98[.]126[.]3[.]236
98[.]126[.]3[.]237
98[.]126[.]41[.]178
98[.]126[.]5[.]35
98[.]126[.]6[.]104
98[.]126[.]6[.]105
98[.]126[.]66[.]147
98[.]126[.]68[.]186
98[.]126[.]7[.]220
98[.]126[.]7[.]250
98[.]126[.]7[.]251
98[.]126[.]91[.]27
98[.]126[.]97[.]197
99[.]13[.]110[.]214
99[.]4[.]102[.]249

******************************
Domain Name Awareness List
******************************

a-af[.]arrowservice[.]net
able[.]arrowservice[.]net
a-cl[.]arrowservice[.]net
a-dl[.]arrowservice[.]net
admin[.]arrowservice[.]net
adtkl[.]bigish[.]net
adtkl[.]gmailboxes[.]com
a-ep[.]arrowservice[.]net
a-ex[.]arrowservice[.]net
a-f[.]gmailboxes[.]com
afghanistan[.]toutges[.]us
aga[.]toh[.]info
a-gon[.]arrowservice[.]net
a-he[.]arrowservice[.]net
a-if[.]arrowservice[.]net
a-iho[.]arrowservice[.]net
aiic[.]arrowservice[.]net
a-ip[.]arrowservice[.]net
ait[.]busketball[.]com
alarm[.]arrowservice[.]net
amne[.]purpledaily[.]com
ams[.]busketball[.]com
a-ne[.]arrowservice[.]net
anglo[.]arrowservice[.]net
aol[.]arrowservice[.]net
a-ol[.]arrowservice[.]net
apejack[.]bigish[.]net
a-pep[.]arrowservice[.]net
a-rdr[.]arrowservice[.]net
arm[.]armed[.]us
ascn[.]arrowservice[.]net
asp[.]arrowservice[.]net
asp[.]busketball[.]com
a-te[.]arrowservice[.]net
atom[.]busketball[.]com
atomic[.]bigish[.]net
a-uac[.]arrowservice[.]net
auto[.]gmailboxes[.]com
a-za[.]arrowservice[.]net
backsun[.]busketball[.]com
barity[.]gmailboxes[.]com
bass[.]busketball[.]com
bbs[.]busketball[.]com
bbs[.]marsbrother[.]com
bda[.]arrowservice[.]net
blacman[.]busketball[.]com
blog[.]arrowservice[.]net
blog[.]busketball[.]com
bring[.]busketball[.]com
built[.]arrowservice[.]net
busketball[.]com
buycow[.]busketball[.]com
buyer[.]arrowservice[.]net
buywater[.]busketball[.]com
bwbc[.]bigish[.]net
center[.]arrowservice[.]net
chamus[.]gmailboxes[.]com
cirfsun[.]gmailboxes[.]com
city[.]gmailboxes[.]com
class[.]arrowservice[.]net
cleanbeef[.]gmailboxes[.]com
cliffkl[.]gmailboxes[.]com
cmf[.]busketball[.]com
cmf[.]gmailboxes[.]com
cmp[.]gmailboxes[.]com
contact[.]arrowservice[.]net
contact[.]bigish[.]net
corn[.]busketball[.]com
cov[.]arrowservice[.]net
covclient[.]arrowservice[.]net
cow[.]arrowservice[.]net
cowboy[.]bigish[.]net
crab[.]arrowservice[.]net
ctimoon[.]marsbrother[.]com
ctisu[.]bigish[.]net
ctisun[.]gmailboxes[.]com
ctx[.]bigish[.]net
ctx-na[.]purpledaily[.]com
cws[.]gmailboxes[.]com
date[.]gmailboxes[.]com
dec[.]globalsecuriy[.]org
default[.]arrowservice[.]net
demavda[.]arrowservice[.]net
diaup[.]gmailboxes[.]com
diplomatism[.]nsmp[.]ru
documents[.]busketball[.]com
domain[.]arrowservice[.]net
domain[.]busketball[.]com
dowjs[.]busketball[.]com
dowjs[.]gmailboxes[.]com
download[.]gmailboxes[.]com
downupdate[.]bigish[.]net
dowph[.]bigish[.]net
drb[.]arrowservice[.]net
drinkwater[.]gmailboxes[.]com
eatbeef[.]gmailboxes[.]com
eciie[.]marsbrother[.]com
ecliar[.]marsbrother[.]com
eclimx[.]marsbrother[.]com
ecli-mxcdb[.]arrowservice[.]net
ecli-newf[.]marsbrother[.]com
ecli-noa[.]marsbrother[.]com
ecli-tda[.]marsbrother[.]com
ecli-tmp[.]marsbrother[.]com
ecli-un[.]marsbrother[.]com
eshop[.]gmailboxes[.]com
ever[.]arrowservice[.]net
fbtel[.]gmailboxes[.]com
finekl[.]bigish[.]net
fme[.]busketball[.]com
fmp[.]bigish[.]net
fn[.]bigish[.]net
follow[.]purpledaily[.]com
food[.]busketball[.]com
foreignpolicy[.]zonet[.]us
free[.]gmailboxes[.]com
frickl[.]purpledaily[.]com
friends[.]arrowservice[.]net
fsol[.]businessformars[.]com
ftel[.]businessformars[.]com
gao[.]gaokew[.]com
gatu[.]arrowservice[.]net
gg[.]arrowservice[.]net
gl[.]gmailboxes[.]com
glj[.]purpledaily[.]com
gmailboxes[.]com
happy[.]arrowservice[.]net
help[.]gmailboxes[.]com
hill[.]arrowservice[.]net
home[.]arrowservice[.]net
honeywater[.]keren[.]la
host[.]arrowservice[.]net
house[.]gmailboxes[.]com
index[.]arrowservice[.]net
info[.]bigish[.]net
info[.]hj-spa[.]com
information[.]trickip[.]org
int[.]busketball[.]com
intel[.]busketball[.]com
intel[.]gmailboxes[.]com
invest[.]gmailboxes[.]com
itlove[.]bigish[.]net
jackhouse[.]bigish[.]net
junier[.]busketball[.]com
kbwfj[.]arrowservice[.]net
klbis[.]bigish[.]net
kl-hqun[.]gmailboxes[.]com
kllhd[.]bigish[.]net
klwest[.]purpledaily[.]com
klzafin[.]bigish[.]net
loading[.]bigish[.]net
love[.]arrowservice[.]net
love[.]busketball[.]com
lovecow[.]homenet[.]org
lovewater[.]now[.]im
mail[.]bigish[.]net
mail[.]gmailboxes[.]com
mail-na[.]businessformars[.]com
main[.]busketball[.]com
main[.]gmailboxes[.]com
max[.]arrowservice[.]net
mbc[.]busketball[.]com
mc[.]bigish[.]net
me[.]busketball[.]com
micyuisyahooapis[.]com
midstate[.]arrowservice[.]net
milk[.]arrowservice[.]net
mini[.]arrowservice[.]net
miss[.]pwnz[.]org
mko[.]busketball[.]com
mkx[.]arrowservice[.]net
mkx[.]gmailboxes[.]com
monewf[.]bigish[.]net
monlc[.]marsbrother[.]com
mos[.]arrowservice[.]net
moto[.]busketball[.]com
mpe[.]arrowservice[.]net
msdn[.]bigish[.]net
new[.]arrowservice[.]net
newfe[.]purpledaily[.]com
news[.]busketball[.]com
newspappers[.]org
nokkia[.]bigish[.]net
nousage[.]arrowservice[.]net
nrcod[.]arrowservice[.]net
oliver[.]arrowservice[.]net
omin[.]marsbrother[.]com
ope[.]coastmaritime[.]org
opp[.]coastmaritime[.]org
opp[.]globalsecuriy[.]org
orca[.]arrowservice[.]net
paekl[.]gmailboxes[.]com
pdns[.]info[.]tm
phb[.]arrowservice[.]net
pieckl[.]bigish[.]net
point[.]gmailboxes[.]com
ppt[.]arrowservice[.]net
ppt[.]ezua[.]com
purpledaily[.]com
qhun-mons[.]businessformars[.]com
records[.]marsbrother[.]com
release[.]busketball[.]com
repid[.]arrowservice[.]net
rfckl[.]bigish[.]net
rice[.]bigish[.]net
rixiokl[.]bigish[.]net
russiaactions[.]summitnato[.]ro
saltlakenews[.]org
sbasun[.]busketball[.]com
scpkl[.]bigish[.]net
sea[.]arrowservice[.]net
service[.]arrowservice[.]net
service[.]purpledaily[.]com
services[.]busketball[.]com
services[.]gmailboxes[.]com
skill[.]arrowservice[.]net
sksucc[.]arrowservice[.]net
sona[.]arrowservice[.]net
spckl[.]bigish[.]net
spcmon[.]marsbrother[.]com
sremx[.]bigish[.]net
ssun[.]arrowservice[.]net
stock[.]bigish[.]net
stoneal[.]bigish[.]net
stulaw[.]bigish[.]net
stuwal[.]gmailboxes[.]com
suicide[.]suicide-forum[.]com
sun[.]arrowservice[.]net
suncirf[.]bigish[.]net
suntop[.]arrowservice[.]net
sword[.]bigish[.]net
tclient[.]arrowservice[.]net
tia[.]gmailboxes[.]com
topbox[.]gmailboxes[.]com
topbus[.]busketball[.]com
topkl[.]bigish[.]net
topmoney[.]purpledaily[.]com
tour[.]bigish[.]net
trb[.]arrowservice[.]net
trip[.]arrowservice[.]net
ttestt[.]arrowservice[.]net
ug-rj[.]arrowservice[.]net
update[.]busketball[.]com
updating[.]ddns[.]info
usapappers[.]com
ustop[.]bigish[.]net
vipmx[.]businessformars[.]com
vockl[.]bigish[.]net
walk[.]bigish[.]net
walstb[.]gmailboxes[.]com
was[.]arrowservice[.]net
wasa[.]arrowservice[.]net
wcasekl[.]gmailboxes[.]com
web[.]arrowservice[.]net
weblog[.]bigish[.]net
webmail[.]arrowservice[.]net
westjoe[.]purpledaily[.]com
westking[.]bigish[.]net
westnew[.]marsbrother[.]com
what[.]arrowservice[.]net
whl[.]bigish[.]net
wk[.]gmailboxes[.]com
works[.]myddns[.]com
workstation[.]arrowservice[.]net
www[.]arrowservice[.]net
www[.]globalsecuriy[.]org
www-01[.]marsbrother[.]com
www-02[.]marsbrother[.]com
www2[.]dsmtp[.]com
www2[.]wikaba[.]com
www-dell[.]marsbrother[.]com
www-hp[.]marsbrother[.]com
www-ibm[.]busketball[.]com
wwww[.]arrowservice[.]net
zgrshy[.]zyns[.]com
zgrshy10[.]zyns[.]com
zgrshy11[.]zyns[.]com

******************************
Malware Indicator Awareness List
******************************

MD5 Checksum

242946ed32dc3749e5b4f7827b905e5e
b2ddcf194cacc69ee7bcd3f9989f6162
5c58a8d8cab00ad3fac419da03644b59
1cc0ce317edad8521c236c84b74e14f8
9d42ce823fc711eaeb542f4050f17125
8845cb5b4e450cb10a3b6ca41a9b4319
1fe90bd6a1092ec74f78181785e785f8
a6e7504315f5dada56189635cd7a27b1
957b13cffeea1722a2369e2bb5e79287
0e98cffc64a1e822946066f62e1fd02c
1a87d955bc876098f50b8a48d8db4aaf
a207590fdcec8018c5a902483b651302
9087f73602d81be177b568e15f6b033b
a884545277cae36928f36c372f6a18ac
051967e8a92a6e1b02a6c8b2225b01c5
314d5943e55c065e40f3a20ab56de7a3
697b18e734740ad9129ebd241040492a
7f7cc1a8d7a6bbe6a52c94bb7f41f727
b8988e23d4d8427584637d1f9ab78a8e
e6446d52e9f4b5c2c5a9ac850281cae8
bf778439895829ff986207900bfcfe02
1d69504a3d3ac32275fa4df8af25d1f7
cf96139290c09963a32506cd85825ed3
3b266b165468b810cd456cdf88ca8619
88c0e5a4ca408ac12acaaf7a9ef9eb49
08ac41ce00bf436a3dc23c4639d5f5ed
2a8f14ed1cb6fdb49ab946fc54fc8c86
4a54d7878d4170c3d4e3c3606365c42c
659fb07c70034571de7a1b4b5ac86b01
7c6443e646c973ac10a1048d521a70a9
82c598abdf848c6fef03c63f5cf7feaf
888eadff6982de01c60891ce185473b7
9a847c1f54359ffd3c335e97600f6f5d
a19e68e72084d867a39776faaa6f5fce
e27f0975fd3278e7303102783767c508
d36427db95cd055a5a25f445d80c27ee
e3faff9149fed468aa63f10a40b935d6
c7f7d8bf633a1b81088315b93831e82d
7f90942ace185ca1ba5610f6eddf3376
ad95f613fc4b644bd5e3230eb0b5dbcc
4943a255952e107fec41e9c29a5b2724
c7d5845718c7fa5a777bcd801d8e00f4
34062335f95d074272a5487be37ee701
3f82f1cba90d320af90d965a321a1187
45a4141f603c8bfa7950e15a074ef976
4bc894e369f31b7190eaeb99c23eb000
55f41be09de5dcd5aaa0132804506868
6eb99bed5b5fcb3fdb26f37aff2c9adb
87cf89742ef0a1c1f76664caa6c0a1a7
b9f20ff30ce6dbb461ab6d27fe8c4bda
bcc6addece28265390b2d535d65c49b8
fc277785c49d743697adc06a3db77c5d
2de36fa400225c39481283daf4a686d8
324a7d63a178f3ac8dde5b59675ef282
37bd6fceaf412427db8c8a34c5ad9ba7
3a33dbe37292a1cbfa760d1892812e08
c243a7c1cf23b91f73100bb9e947439e
caafdafdd17abe0f0303a456bcd4ab01
e194a6d7f1aa6671d2134047050a4322
e35414a5cb10bccf6424ee51f0cdd6cc
21e35f309f7d6368fd8346ba409fab73
3fa99e50933ce584d010ec194229764a
41b551d30321a5ae1342180d1e73e82e
7cd15bb31ff889e81f370d0535e02493
9428a54a7acd6adc3f9b662ef432edf4
f82d3b270b16780044817978f4f3fe1a
22e10cbe46f406f5f1be0d613db4c2c3
a6cba31fcca49ff9ed6fd9894644de9e
48fc61a8f94c6e7c9c8965817f57af7e
00b61db083b07a64fb6072b42aa83dc1
aea5dc22e706c836d056f4ba1f13dea3
3599a78c7e99b451c00d3490f17f842f
137aad4c7c4e0d8ba0ad74c34cf8434c
14095f921f50cf639bf00b389ea79959
2d2876bd1f263babe9d09e8e950916cc
ac9e0b2af215821f7223b6eaeaea03db
c5851c22c2a2e4bccf015a20e0af6cac
c9645367f032bf12b251e4f30e21b936
cec766518fa5b607157e92e9c24c0d03
da521200a939a9fe85f467d65d419990
6428ac60d1eea0f20073cfb869674266
affc4d42a6a66f6a745c5702608d0442
c296ae9220c44e51cfbeb029b6103d1b
cfdd9241adcda8755c54032fd2b5757d
db22512d361a339cfadaa275c550b385
e2a557b39231ee91724c150e3ec4b493
491db327f479a1a34898229811fa8a5d
6b6a9062e9c74a98a1f1a2fe7c2adcd7
d46d261ec92daf703cd584f10037198c
ce2f4abe8b4f3a57891ca865c4fe6ece
3de1bd0f2107198931177b2b23877df4
a207590fdceb8018b5a902483b651302
0ba71b7dbf0394f509ef6174faa0bbf0
1a8ee0ec99320e213432a26a91df8811
232d1be2d8cbbd1cf57494a934628504
6ae05937bce80b7d16497cb82e6a52d6
73e81b099f9b469a07063555e822dac1
39f1ac84ad939fb72cc6e438ecea9729
3a2cdf3c09c061a5cf6a58069506955a
f3c6c797ef80787e6cbeeaa77496a3cb
217c9dc682018c7055c660dd5dd0f8ca
1cb4b79e338bec06e65ff8d37de53c55
dd2aec3803ce39c4a148325d33f575e3
5474e37159b1a438659e7e5bf1f45389
48437eb28ff1bfff5c0a4661a8c3055d
310cba19e6f7fd07adf203c27e46a0c9
9cb4ee95948292be131f7c4ee3bdcf21
7ce22cb797d2940818154ce0dcc48306
53f1e2e5f0152a3a119e112b6cf5426e
204c13f7ed2d3e5c78f3ef8a44eb561c
ca6fe7a1315af5afeac2961460a80569
53f49c58613669f25921de0b6dae1268
82e0472271500713cd2457921ab1c565
93e33bf0417a857ae894ed294aa0e15a
9e5df2cfd0c8def21c9e114d1d2696dd

******************************
IP Address Awareness List
******************************

100[.]42[.]216[.]230
108[.]166[.]200[.]130
108[.]171[.]211[.]152
108[.]171[.]251[.]102
113[.]196[.]231[.]13
12[.]11[.]239[.]25
12[.]14[.]129[.]91
12[.]15[.]0[.]131
12[.]167[.]251[.]84
12[.]2[.]49[.]115
12[.]232[.]138[.]23
12[.]30[.]41[.]134
12[.]33[.]114[.]160
12[.]33[.]114[.]224
121[.]55[.]220[.]79
122[.]146[.]219[.]130
129[.]44[.]254[.]139
140[.]112[.]19[.]195
140[.]116[.]72[.]95
161[.]58[.]177[.]111
161[.]58[.]93[.]50
163[.]20[.]172[.]230
172[.]254[.]222[.]138
173[.]10[.]39[.]53
173[.]160[.]48[.]149
173[.]163[.]133[.]177
173[.]224[.]213[.]184
173[.]224[.]213[.]247
173[.]224[.]215[.]177
173[.]231[.]45[.]231
173[.]254[.]222[.]138
199[.]119[.]201[.]124
203[.]170[.]198[.]56
204[.]11[.]236[.]81
204[.]111[.]73[.]150
204[.]111[.]73[.]155
204[.]12[.]248[.]2
204[.]13[.]68[.]10
204[.]14[.]142[.]210
204[.]14[.]88[.]45
204[.]215[.]64[.]28
204[.]249[.]169[.]4
204[.]249[.]169[.]5
204[.]45[.]16[.]204
204[.]74[.]218[.]145
204[.]9[.]208[.]14
205[.]159[.]83[.]12
205[.]209[.]161[.]13
205[.]209[.]172[.]204
205[.]234[.]168[.]48
207[.]173[.]155[.]44
207[.]36[.]209[.]221
207[.]40[.]43[.]102
207[.]71[.]209[.]148
208[.]109[.]50[.]151
208[.]185[.]233[.]163
208[.]239[.]156[.]123
208[.]37[.]108[.]211
208[.]53[.]100[.]162
208[.]68[.]171[.]220
208[.]69[.]32[.]231
208[.]77[.]45[.]131
208[.]77[.]45[.]142
208[.]77[.]45[.]82
208[.]77[.]51[.]210
208[.]87[.]241[.]135
209[.]113[.]219[.]6
209[.]18[.]107[.]90
209[.]208[.]114[.]83
209[.]208[.]95[.]7
209[.]247[.]221[.]40
209[.]247[.]221[.]50
209[.]25[.]220[.]42
209[.]74[.]45[.]226
209[.]75[.]160[.]64
210[.]244[.]193[.]249
211[.]21[.]210[.]220
216[.]1[.]59[.]4
216[.]143[.]158[.]107
216[.]145[.]228[.]153
216[.]213[.]199[.]194
216[.]215[.]103[.]2
216[.]36[.]123[.]11
216[.]62[.]168[.]249
216[.]65[.]11[.]111
218[.]32[.]87[.]100
219[.]87[.]141[.]74
24[.]249[.]171[.]231
46[.]105[.]227[.]80
50[.]62[.]130[.]15
58[.]86[.]239[.]103
60[.]251[.]74[.]9
61[.]218[.]144[.]43
61[.]221[.]67[.]184
63[.]102[.]52[.]130
63[.]111[.]125[.]50
63[.]114[.]150[.]17
63[.]120[.]209[.]85
63[.]126[.]244[.]253
63[.]134[.]229[.]137
63[.]134[.]229[.]138
63[.]134[.]233[.]60
63[.]134[.]233[.]62
63[.]138[.]249[.]244
63[.]139[.]221[.]130
63[.]139[.]221[.]26
63[.]147[.]185[.]40
63[.]147[.]31[.]178
63[.]162[.]4[.]2
63[.]162[.]42[.]46
63[.]163[.]61[.]9
63[.]171[.]89[.]5
63[.]195[.]112[.]159
63[.]200[.]159[.]118
63[.]211[.]192[.]150
63[.]211[.]192[.]181
63[.]225[.]225[.]42
63[.]228[.]128[.]19
63[.]245[.]62[.]11
63[.]246[.]147[.]11
63[.]64[.]175[.]136
63[.]73[.]10[.]130
63[.]73[.]11[.]15
63[.]82[.]1[.]226
63[.]84[.]24[.]72
63[.]84[.]24[.]77
63[.]97[.]51[.]121
64[.]122[.]68[.]213
64[.]126[.]12[.]2
64[.]14[.]81[.]30
64[.]184[.]2[.]3
64[.]25[.]15[.]226
64[.]32[.]164[.]43
64[.]34[.]172[.]210
64[.]4[.]217[.]138
64[.]50[.]130[.]74
64[.]65[.]230[.]242
64[.]81[.]194[.]171
64[.]81[.]252[.]163
65[.]107[.]54[.]158
65[.]112[.]75[.]130
65[.]114[.]195[.]226
65[.]116[.]58[.]5
65[.]119[.]5[.]3
65[.]124[.]105[.]76
65[.]17[.]233[.]30
65[.]207[.]215[.]10
66[.]0[.]167[.]105
66[.]153[.]38[.]202
66[.]155[.]114[.]145
66[.]16[.]75[.]201
66[.]167[.]118[.]29
66[.]179[.]156[.]10
66[.]181[.]8[.]162
66[.]23[.]224[.]213
66[.]28[.]12[.]144
66[.]55[.]14[.]78
66[.]85[.]185[.]201
66[.]92[.]12[.]252
66[.]93[.]91[.]235
67[.]102[.]7[.]3
67[.]109[.]132[.]202
67[.]109[.]90[.]99
67[.]132[.]222[.]231
67[.]133[.]107[.]131
67[.]19[.]22[.]82
67[.]88[.]107[.]8
67[.]93[.]14[.]2
68[.]165[.]209[.]227
68[.]72[.]242[.]130
69[.]11[.]244[.]91
69[.]152[.]184[.]182
69[.]20[.]4[.]85
69[.]20[.]5[.]223
69[.]20[.]6[.]142
69[.]20[.]61[.]230
69[.]25[.]176[.]110
69[.]25[.]50[.]10
69[.]28[.]168[.]10
69[.]3[.]32[.]220
69[.]39[.]133[.]114
69[.]39[.]133[.]115
69[.]39[.]133[.]117
69[.]5[.]38[.]37
69[.]53[.]120[.]170
69[.]55[.]180[.]4
69[.]69[.]94[.]3
69[.]74[.]43[.]87
69[.]90[.]123[.]6
69[.]95[.]204[.]2
70[.]62[.]232[.]98
70[.]86[.]21[.]146
71[.]130[.]117[.]49
71[.]16[.]27[.]212
71[.]6[.]141[.]230
71[.]6[.]51[.]180
71[.]6[.]51[.]181
71[.]63[.]28[.]61
72[.]167[.]162[.]96
72[.]167[.]33[.]182
72[.]22[.]11[.]30
72[.]236[.]177[.]171
72[.]242[.]59[.]163
72[.]245[.]176[.]82
72[.]9[.]145[.]216
72[.]91[.]193[.]160
72[.]94[.]51[.]6
74[.]115[.]0[.]29
74[.]115[.]6[.]20
74[.]165[.]93[.]5
74[.]200[.]213[.]110
74[.]206[.]99[.]189
74[.]208[.]227[.]72
74[.]208[.]45[.]82
74[.]211[.]195[.]39
74[.]213[.]52[.]10
74[.]55[.]160[.]98
74[.]55[.]178[.]42
74[.]63[.]87[.]106
74[.]86[.]197[.]56
74[.]86[.]31[.]98
74[.]9[.]137[.]146
74[.]92[.]102[.]227
74[.]94[.]16[.]166
74[.]94[.]52[.]114
75[.]126[.]166[.]204
75[.]145[.]139[.]19
75[.]148[.]254[.]114
75[.]52[.]208[.]225
75[.]77[.]82[.]115
75[.]77[.]82[.]219
76[.]160[.]133[.]60
76[.]161[.]97[.]99
77[.]247[.]180[.]154
94[.]195[.]239[.]81
98[.]126[.]107[.]34

******************************
Domain Name Awareness List
******************************

advanbusiness[.]com
aoldaily[.]com
applesoftupdate[.]com
arrowservice[.]net
articles[.]twilightparadox[.]com
aunewsonline[.]com
bechtel[.]chickenkiller[.]com
bigish[.]net
businessconsults[.]net
businessformars[.]com
canadatvsite[.]com
canoedaily[.]com
chileexe77[.]com
climate[.]undo[.]it
cnndaily[.]com
cnndaily[.]net
comrepair[.]net
defenceonline[.]net
downloadsite[.]me
e-cardsshop[.]com
economic[.]mooo[.]com
firefoxupdata[.]com
freshreaders[.]net
honeycow[.]keren[.]la
hugesoft[.]org
info[.]serveusers[.]com
issnbgkit[.]net
jobsadvanced[.]com
marsbrother[.]com
mcafeepaying[.]com
news[.]trickip[.]org
newsonet[.]net
newsonlinesite[.]com
niemannews[.]com
nytimesnews[.]net
pop-musicsite[.]com
rssadvanced[.]org
satellitebbs[.]com
staycools[.]net
symanteconline[.]net
thehealthmood[.]net
todayusa[.]org
upload[.]ignorelist[.]com
usabbs[.]org
usnewssite[.]com
voiceofman[.]com
work[.]myftp[.]name
yahoodaily[.]com