FBI Counterintelligence Note Warns About Chinese Talent Programs


Chinese Talent Programs are a vital part of Chinese industry. Talent programs recruit experts to fill technical jobs that drive innovation and growth in China’s economy. National, provincial, and municipal talent recruitment programs provide opportunities for experts to work in industry and academic organizations supporting key areas deemed critical to China’s development. The talent programs recruit experts globally from businesses, industry, and universities with multiple incentives to work in China. Associating with these talent programs is legal and breaks no laws; however, individuals who agree to the Chinese terms must understand what is and is not legal under US law when sharing information. A simple download of intellectual property (IP) or proprietary information has the potential to become criminal activity.

(U//FOUO) The large number of foreign students, researchers, scientists, and professionals in the United States, combined with current technological capabilities, allows foreign governments to contact and recruit individuals in the hope of acquiring advanced technology without research costs. While the majority of the population are law-abiding individuals, anyone has the capability to acquire information. The theft of information can come from current or former employees, business partners, consultants, contractors, temporary hires, foreign agents, suppliers, or even vendors who have access to proprietary information.

(U) Recruiting these individuals allows China to:

  • (U//FOUO) Gain access to research and expertise for cutting edge technology
  • (U//FOUO) Benefit from years of scientific research conducted in the United States supported by US Government grants and private funding
  • (U//FOUO) Severely impact the US economy.

(U) The goal of this SPIN is to provide an overview of the potential threats posed by the Chinese Talent Programs.

(U) THOUSAND TALENTS PROGRAM

(U//FOUO) China’s most prominent national talent recruitment program is the “Recruitment Program of Global Experts,” which is commonly known as the Thousand Talents Program. It focuses on identifying key national-level organizations and associated personnel involved in implementation and management.

(U) Its goal is to recruit ethnic Chinese experts from Western universities, research centers, and private companies to boost China’s national capabilities in the science and technology (S&T) fields and to move China forward as an innovative nation. The program also implemented sub-programs for both young and foreign (non-ethnic Chinese) experts.

(U//FOUO) Originally, this program had a five-to-ten year goal of recruiting 2,000 professionals worldwide who could lead innovation and pioneering work in key technologies, and promote the development of emerging industries. However, this program expanded its scope — recruiting far more than the initial goal of 2,000 individuals — and extended its life through at least 2020.

(U) In order to be eligible as a candidate for the Thousand Talents Program, an individual must be in a field of study the Chinese Academy of Science (CAS) deems critical or meet the following criteria:

  • (U) Expert or scholar with full professorship in a prestigious foreign university or research and development (R&D) institute
  • (U) Technical managerial professional in a senior position at an internationally known company or financial institution
  • (U) Entrepreneur who holds IP rights or key technologies and possesses overseas experience

(U) THREAT TO US BUSINESS AND UNIVERSITIES

(U//FOUO) Chinese Talent Programs pose a serious threat to US businesses and universities through economic espionage and theft of IP. The different programs focus on specific fields deemed critical to China, to boost China’s national capability in S&T fields. These subject matter experts often are not required to sign non-disclosure agreements with US entities, which could result in loss of unprotected information that jeopardizes contracts or research funding. One of the greatest threats toward these experts is transferring or transporting proprietary, classified, or export-controlled information, or IP, which can lead to criminal charges.

(U//FOUO) The threat not only targets businesses or universities but potentially targets the researchers or scientists themselves. The technology researched or developed not only costs millions of dollars but also takes years, if not decades, to develop. Additionally, the theft of information or IP creates a risk that someone else could take credit for the researcher’s efforts. The information stolen can be recreated, resold or claimed by others, which in turn will cost the originator credibility and potential funding for future endeavors.

(U) Theft of intellectual property is an increasing threat to organizations and can go unnoticed for months or even years. In today’s society, technology affords easier access to every aspect of academia and business. Some of these tools have become effective for recruiting, such as social media. Social media websites often display large amounts of personal data, such as who an individual works for, phone numbers, known associates, previous jobs, and locations. Additionally, websites like LinkedIn have full resumes, detailing the history of an individual’s achievements and accomplishments.

(U) The FBI assesses each year the United States loses billions of dollars due to technology transfer. While it is important to conduct collaborative research, it is vital for the survival of US businesses and universities that they protect their information and mitigate lost or stolen information.

Escalating Tensions Between the United States and Iran Pose Potential Threats to the United States


This Joint Intelligence Bulletin (JIB) is intended to assist federal, state, local, tribal, and territorial counterterrorism, cyber, and law enforcement officials, and private sector partners, to effectively deter, prevent, preempt, or respond to incidents, lethal operations, or terrorist attacks in the United States that could be conducted by or on behalf of the Government of Iran (GOI) if the GOI were to perceive actions of the United States Government (USG) as acts of war or existential threats to the Iranian regime. The GOI could act directly or enlist the cooperation of proxies and partners, such as Lebanese Hizballah. The FBI, DHS, and NCTC had assessed any active retaliatory attack would first occur overseas. In the event the GOI were to decide to conduct a Homeland attack, potential targets and methods of attack in the Homeland could range from cyber operations, to targeted assassinations of individuals deemed threats to the Iranian regime, to sabotage of public or private infrastructure, including US military bases, oil and gas facilities, and public landmarks. USG actions may also provoke violent extremist supporters of the GOI to commit attacks in retribution, with little to no warning, against US-based Iranian dissidents, Jewish, Israeli, and Saudi individuals and interests, and USG personnel.

(U//FOUO) Immediate Response in Homeland Could Take Form of Cyber Operations

(U//FOUO) The FBI, DHS, and NCTC assess an immediate GOI response in the Homeland could take the form of attempted cyber operations against USG facilities and networks, including US military systems, and critical private sector functions, given that such operations could be attempted by Iran-based cyber actors without the need to establish a US presence. The US Intelligence Community has assessed that Iran continues to prepare for cyber attacks against the United States and its allies. It is capable of causing localized, temporary disruptive effects during a cyber attack on victim networks. Historically, Iran has shown the ability to carry out disruptive and destructive cyber attacks against public and private business networks, such as extended distributed denial-of-service (DDoS) campaigns and data deletion attacks.

(U//FOUO) Iran represents a cyber espionage and attack threat, using increasingly sophisticated cyber techniques and attempting to deploy cyber capabilities that would enable attacks against critical infrastructure in the United States. Tehran’s overall risk calculus for a cyber response likely will change based on the US strike, which Iranian leaders have vocally portrayed as escalatory, and offensive cyber operations are likely to be considered as retaliatory options. Malicious activity and reconnaissance may not necessarily occur from Iranian Internet Protocol (IP) space, as actors may use midpoint infrastructure in other countries. Likewise, traffic from Iranian IP addresses may not be indicative of malicious activity. The FBI, DHS, and NCTC emphasize good cyber hygiene, such as patching systems and educating personnel to guard against commonly used cyber actor techniques, such as social engineering and spear phishing.

(U//FOUO) Potential for GOI-Directed Lethal Attacks in the Homeland

(U//FOUO) In recent years, the USG has arrested several individuals acting on behalf of either the GOI or Lebanese Hizballah who have conducted surveillance indicative of contingency planning for lethal attacks in the United States against facilities and individuals.

» (U//FOUO) An agent of the GOI arrested in 2018 had conducted surveillance of Hillel Center (USPER) and Rohr Chabad Center (USPER), Jewish institutions located in Chicago, including photographing the security features surrounding the Chabad Center.

» (U//FOUO) Three Lebanese Hizballah External Security Organization (ESO) operatives arrested between 2017 and 2019 had conducted surveillance of US military and law enforcement facilities, critical infrastructure, private sector venues, and public landmarks in New York City, Boston, and Washington, DC.

(U//FOUO) The GOI also has a history of conducting assassinations and assassination attempts against individuals in the United States it deems a threat to the Iranian regime. The GOI assassinated the US-based former representative for the Shah of Iran in 1980 and plotted to assassinate the Saudi Arabian ambassador to the United States in 2011. In August 2018, the USG arrested two individuals for acting as agents of the GOI by conducting covert surveillance of Iranian dissidents in New York City and Washington, DC, and the aforementioned security features of Jewish facilities in Chicago.

 

Website Defacement Activity Indicators of Compromise and Techniques Used to Disseminate Pro-Iranian Messages


Following last week’s US airstrikes against Iranian military leadership, the FBI observed increased reporting of website defacement activity disseminating pro-Iranian messages. The FBI believes several of the website defacements were the result of cyber actors exploiting known vulnerabilities in content management systems (CMSs) to upload defacement files. The FBI advises organizations and people concerned with Iranian cyber targeting to be familiar with the indicators, tactics, and techniques provided in this FLASH, as well as tactics and techniques provided in the recently disseminated Private Industry Notification “Notice on Iranian Cyber Tactics and Techniques” (20200109-001, 9 January 2020).

Technical Details:

The FBI identified malicious actors using known vulnerabilities in CMSs to upload defacement images onto victim websites. The FBI believes one actor used known vulnerabilities allowing remote execution via cookie and remote installation. The FBI also identified that one of the files used in a defacement was posted on a website where the server hosting the compromised website was configured so external users could conduct HTTP POSTs. The FBI observed the use of an HTTP PUT command to upload a defacement file to a victim server.

The FBI notes different actors conducted website defacement activity with pro-Iranian messages. As such, the IP addresses and techniques used will vary. The FBI identified the below groupings of defacement activity.

One set of defacement activity used the below file:

Filename: Default.aspx

MD5: 87b3b80bb214c0f5cfa20771dd6625f2

The following links, contact information, and strings were included in a defacement file:

http://yon[.]ir/6YL2X

https://t[.]me/ZetaTech_iR2

https://instagram[.]com/Mrb3hz4d

hackedbymrb3hz4d(at)gmail[.]com

The following IP addresses are associated with the actor linked to the defacement activity with the above-referenced links, contact information, and strings:

IP Address

83.123.83[.]61

196.64.50[.]13

A second set of defacement activity was identified using the below file:

Filename

hardrevenge11.html

The FBI notes the above defacement image was uploaded via an HTTP PUT command. The following IP address is associated with the actor linked to this set of defacement activity:

IP Address

2.182.188[.]39

A third set of defacement activity was identified using the below IP address:

IP Address

212.92.114[.]228

The FBI notes for this defacement activity, the actor was able to conduct an HTTP POST of a file used in a defacement.

Best Practices for Network Security and Defense:

Employ regular updates to applications and the host operating system to ensure protection against known vulnerabilities.

Establish, and back up offline, a “known good” version of the relevant server and a regular change-management policy to enable monitoring for alterations to servable content with a file integrity system.

Employ user input validation to restrict local and remote file inclusion vulnerabilities.

Implement a least-privileges policy on the Webserver to:

o Reduce adversaries’ ability to escalate privileges or pivot laterally to other hosts.

o Control creation and execution of files in particular directories.

If not already present, consider deploying a demilitarized zone (DMZ) between the Web-facing systems and corporate network. Limiting the interaction and logging traffic between the two provides a method to identify possible malicious activity.

Ensure a secure configuration of Webservers. All unnecessary services and ports should be disabled or blocked. All necessary services and ports should be restricted where feasible. This can include whitelisting or blocking external access to administration panels and not using default login credentials.

Utilize a reverse proxy or alternative service to restrict accessible URL paths to known legitimate ones.

Conduct regular system and application vulnerability scans to establish areas of risk. While this method does not protect against zero day attacks, it will highlight possible areas of concern.

Deploy a Web application firewall, and conduct regular virus signature checks, application fuzzing, code reviews, and server network analysis.
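The file-integrity recommendation above, sketched as an added example (not code from the FBI notice): it fingerprints a web root, seals the baseline with an HMAC so the offline copy can be trusted, and reports files added, removed or changed since. The demo key, directory layout and file contents are constructed; the two filenames are the ones named in this notice.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot):
    """Map every servable path (relative to webroot) to a content fingerprint."""
    root = Path(webroot)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            # Record the link target so a swapped symlink is also reported.
            manifest[rel] = "symlink:" + os.readlink(path)
        elif path.is_file():
            manifest[rel] = "sha256:" + hash_file(path)
    return manifest


def seal_manifest(manifest, key):
    """Serialize the baseline with an HMAC so tampering with it is detectable."""
    body = json.dumps(manifest, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"manifest": body, "hmac": tag})


def open_manifest(sealed, key):
    """Return the baseline dict, or raise ValueError if the seal does not verify."""
    record = json.loads(sealed)
    expected = hmac.new(key, record["manifest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(record["hmac"]).encode()):
        raise ValueError("baseline manifest failed integrity check")
    return json.loads(record["manifest"])


def compare_to_baseline(baseline, webroot):
    """Report paths added, removed or modified since the baseline was taken."""
    current = build_manifest(webroot)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: one page overwritten and one new file uploaded."""
    key = b"constructed-demo-key"  # assumption: the real key is kept off the web server
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "Default.aspx").write_text("original landing page")
        sealed = seal_manifest(build_manifest(root), key)  # store this copy offline

        # Simulated change after the baseline (constructed file contents).
        (root / "Default.aspx").write_text("constructed replacement content")
        (root / "hardrevenge11.html").write_text("constructed uploaded file")

        return compare_to_baseline(open_manifest(sealed, key), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the comparison from a host other than the web server where possible, so that an actor who can write to the web root cannot also rewrite the baseline or the checker.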

Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication

The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks. This PIN explains these methods and offers mitigation strategies for organizations and entities using multi-factor authentication in their security efforts. Multi-factor authentication continues to be a strong and effective security measure to protect online accounts, as long as users take precautions to ensure they do not fall victim to these attacks.

Multi-factor authentication is the use of a variety of methods to confirm a user’s identity instead of only using a username and password. Often this type of authentication uses a secondary token which changes over time to provide a one-time passcode, but many companies now use biometrics or behavioral information (such as time of day, geolocation, or IP address) as a form of authentication.

Threat Overview

FBI reporting identified several methods cyber actors use to circumvent popular multi-factor authentication techniques in order to obtain the one-time passcode and access protected accounts. The primary methods are social engineering attacks which attack the users and technical attacks which target web code.

In 2019 a US banking institution was targeted by a cyber attacker who was able to take advantage of a flaw in the bank’s website to circumvent the two-factor authentication implemented to protect accounts. The cyber attacker logged in with stolen victim credentials and, when reaching the secondary page where the customer would normally need to enter a PIN and answer a security question, the attacker entered a manipulated string into the Web URL setting the computer as one recognized on the account. This allowed him to bypass the PIN and security question pages and initiate wire transfers from the victims’ accounts.

In 2016 customers of a US banking institution were targeted by a cyber attacker who ported their phone numbers to a phone he owned, an attack called SIM swapping. The attacker called the phone companies’ customer service representatives, finding some who were more willing to give him information to complete the SIM swap. Once the attacker had control over the customers’ phone numbers, he called the bank to request a wire transfer from the victims’ accounts to another account he owned. The bank, recognizing the phone number as belonging to the customer, did not ask for full security questions but requested a one-time code sent to the phone number from which he was calling. He also requested to change PINs and passwords and was able to attach victims’ credit card numbers to a mobile payment application.

Over the course of 2018 and 2019, the FBI’s Internet Crime Complaint Center and FBI victim complaints observed the above attack, SIM swapping, as a common tactic from cyber criminals seeking to circumvent two-factor authentication. Victims of these attacks have had their phone numbers stolen, their bank accounts drained, and their passwords and PINs changed. Many of these attacks rely on socially engineering customer service representatives for major phone companies, who give information to the attackers.

In February 2019 a cyber security expert at the RSA Conference in San Francisco demonstrated a large variety of schemes and attacks cyber actors could use to circumvent multi-factor authentication. The security expert presented real-time examples of how cyber actors could use man-in-the-middle attacks and session hijacking to intercept the traffic between a user and a website to conduct these attacks and maintain access for as long as possible. He also demonstrated social engineering attacks, including phishing schemes or fraudulent text messages purporting to be a bank or other service to cause a user to log into a fake website and give up their private information.

At the June 2019 Hack-in-the-Box conference in Amsterdam, cyber security experts demonstrated a pair of tools, Muraena and NecroBrowser, which worked in tandem to automate a phishing scheme against users of multi-factor authentication. The Muraena tool intercepts traffic between a user and a target website where they are requested to enter login credentials and a token code as usual. Once authenticated, NecroBrowser stores the data for the victims of this attack and hijacks the session cookie, allowing cyber actors to log into these private accounts, take them over, and change user passwords and recovery e-mail addresses while maintaining access as long as possible.

Mitigation Techniques

Defending against multi-factor authentication attacks requires awareness of the attacks which circumvent the security and constant vigilance for social engineering attacks.

Educate users and administrators to identify social engineering trickery (how to recognize fake websites, not click on rogue links in e-mail, or block those links entirely) and teach them how to handle common social engineering tactics.

Consider using additional or more complex forms of multi-factor authentication for users and administrators such as biometrics or behavioral authentication methods, though this may add inconvenience to these users.
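For the 2019 incident above, where a string in the URL marked the computer as recognized, the following added example (not code from the FBI notice or from any bank) contrasts a check that trusts a client-supplied flag with one that only accepts a server-signed, account-bound, expiring device token. The parameter name `device_recognized`, the example URL and the 30-day policy are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlparse

SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to the browser
MAX_AGE = 30 * 24 * 3600               # assumed policy: re-verify a device after 30 days


def needs_second_factor_vulnerable(url):
    """Before: the 'recognized device' decision is read from the URL itself."""
    params = parse_qs(urlparse(url).query)
    # 'device_recognized' is a hypothetical parameter name. Whoever types the
    # URL chooses its value, so the client can switch the check off.
    return params.get("device_recognized", ["0"])[0] != "1"


def _tag(account_id, device_id, issued):
    """HMAC over an unambiguous encoding of account, device and issue time."""
    msg = json.dumps([account_id, device_id, issued]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_token(account_id, now=None):
    """Call only after the PIN and security question were checked server-side."""
    issued = int(time.time() if now is None else now)
    device_id = secrets.token_hex(16)
    return f"{device_id}.{issued}.{_tag(account_id, device_id, issued)}"


def needs_second_factor_hardened(account_id, device_cookie, now=None):
    """After: skip step-up only for a valid, unexpired token bound to this account."""
    now = int(time.time() if now is None else now)
    try:
        device_id, issued_text, tag = (device_cookie or "").split(".")
        issued = int(issued_text)
        valid = hmac.compare_digest(
            tag.encode(), _tag(account_id, device_id, issued).encode())
    except ValueError:  # wrong shape, non-numeric time, or unencodable text
        return True
    if not valid:
        return True
    return not (0 <= now - issued <= MAX_AGE)


def demo():
    """Constructed requests showing each decision (True = second factor required)."""
    token = issue_device_token("alice", now=1_000)
    return {
        "url_flag_skips_step_up": not needs_second_factor_vulnerable(
            "https://bank.example/login/verify?device_recognized=1"),
        "no_cookie": needs_second_factor_hardened("alice", None, now=2_000),
        "valid_token": needs_second_factor_hardened("alice", token, now=2_000),
        "other_account": needs_second_factor_hardened("bob", token, now=2_000),
        "tampered": needs_second_factor_hardened("alice", token[:-1] + "x", now=2_000),
        "expired": needs_second_factor_hardened("alice", token, now=1_000 + MAX_AGE + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same rule applies to any step in a multi-page login flow: which steps have been completed is state the server keeps, not something the next request is allowed to assert.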

FBI Cyber Research revealed

The FBI identified incidents over the past few months in which cyber actors scanned for and sought to exploit audio and visual communication devices on networks to identify vulnerabilities which could later be used to gain access and unlawfully acquire information about the organization. In addition to targeting corporate information, vulnerable devices may be targeted for compromise for use in botnets or other criminal activities. The types of devices targeted include: Voice over Internet Protocol (VoIP) phones, video conferencing equipment, conference phones, VoIP routers, and cloud-based communication systems. While cyber actors have targeted VoIP and other communication devices in the past, the FBI continues to see these devices scanned by cyber actors for vulnerabilities.

Threat

Specifically, the FBI observed cyber actors identifying and probing communication devices by issuing HTTP GET requests to a business server or network to retrieve device configuration files. Information contained in configuration files often reveals IP addresses, usernames, passwords, system management URLs, and assigned phone numbers – all of which could be used by cyber actors for malicious purposes. Many of the requests are specific to particular brands of devices. Victims will often receive several GET requests in succession with the actors scanning for multiple brands of devices.

In addition, cyber actors retrieve IP addresses for further exploitation by using businesses’ customer service VoIP hyperlinks, which are traditionally made available for customers to use in contacting the business. Once those hyperlinked calls are answered, the actor retrieves the IP address belonging to the phone which answered the call. Once the IP address is retrieved, an actor could send a large volume of packets to the IP address, overloading it and taking the service offline for the targeted business and its legitimate customers.

In addition to the above techniques, cyber actors target devices with brute-force attacks, attempting unauthorized access through the use of common usernames and passwords. Open source scanning tools can also be used to identify vulnerable communication devices and any associated ports.

All of the information obtained through scans and other methods is likely used for specific targeting efforts by cyber actors. This includes leveraging access to compromised audio and video devices to eavesdrop on meetings or conference calls, placing fraudulent international phone calls, leveraging the compromised device for use in botnets, and conducting man-in-the-middle attacks to redirect corporate network traffic.

Recommendations

The following recommendations may limit the success of these types of attacks:

Conduct daily server log reviews to identify unusual activity, including GET and POST requests from external IP addresses.

Work with the communication device/system providers to ensure servers are patched and updated regularly.

Consider restricting access to configuration files or configuring firewalls to block traffic from unauthorized IP addresses.

Restrict communication devices/systems to only non-sensitive business networks.

Conduct regular penetration testing exercises on communication devices to identify and address vulnerabilities in a timely manner.

Enable encryption on teleconference programs and applications and consider disabling auto-answer capabilities.

Password protect configuration files, if possible.

Regularly review and update users with access to administrative accounts.

Segment configuration files on the network. Be sure to protect configuration and other device-related files after getting the device out of the box. Don’t just plug and play.
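One way to automate the daily log review recommended above, as an added example (not code from the FBI notice): it reads web-server access-log lines and flags external clients that request several different configuration-style files in quick succession, the pattern described under "Threat", plus successful PUT or POST requests from external addresses. The internal network ranges, the extension list, the thresholds and every log line are assumptions or constructed samples.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: these ranges are "internal"; replace with the site's own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Common/combined access-log prefix: client, timestamp, method, target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')
# Assumption: configuration files are recognised by extension; tune this to
# the file names your own devices actually fetch.
CONFIG_RE = re.compile(r"\.(?:cfg|cnf|conf|ini)(?:\.xml)?$", re.IGNORECASE)

# Constructed sample log (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
10.0.0.15 - - [10/Jan/2020:09:00:01 +0000] "GET /provision/desk-phone.cfg HTTP/1.1" 200 812
203.0.113.50 - - [10/Jan/2020:09:14:02 +0000] "GET /vendor-a/000000.cfg HTTP/1.1" 404 153
203.0.113.50 - - [10/Jan/2020:09:14:03 +0000] "GET /vendor-b/device.cnf.xml HTTP/1.1" 404 153
203.0.113.50 - - [10/Jan/2020:09:14:05 +0000] "GET /vendor-c/phone.conf?x=1 HTTP/1.1" 404 153
198.51.100.7 - - [10/Jan/2020:09:20:00 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [10/Jan/2020:09:30:00 +0000] "GET /vendor-a/000000.cfg HTTP/1.1" 404 153
198.51.100.9 - - [10/Jan/2020:11:45:00 +0000] "GET /vendor-b/device.cnf.xml HTTP/1.1" 404 153
198.51.100.9 - - [10/Jan/2020:14:10:00 +0000] "GET /vendor-c/phone.conf HTTP/1.1" 404 153
198.51.100.23 - - [10/Jan/2020:10:02:11 +0000] "PUT /constructed-upload.html HTTP/1.1" 201 0
""".splitlines()


def is_external(ip_text):
    """True unless the client address falls inside a listed internal network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable client field: treat as untrusted
    return not any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return (ip, time, method, path, status) or None for unparsable lines."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, stamp, method, target, status = match.groups()
    try:
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return ip, when, method, target.split("?", 1)[0], int(status)


def review(lines, min_paths=3, window=timedelta(seconds=60)):
    """Flag config-file probing bursts and successful writes from external IPs."""
    probes = defaultdict(list)
    findings = []
    for line in lines:
        record = parse_line(line)
        if record is None or not is_external(record[0]):
            continue
        ip, when, method, path, status = record
        if method == "GET" and CONFIG_RE.search(path):
            probes[ip].append((when, path))  # count probes even when they 404
        elif method in ("PUT", "POST") and 200 <= status < 300:
            findings.append({"type": "external-write", "ip": ip,
                             "method": method, "path": path})
    for ip, events in probes.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            # Distinct config paths requested within `window` of this request.
            in_window = {p for t, p in events[i:] if t - start <= window}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_paths:
            findings.append({"type": "config-probe", "ip": ip, "paths": sorted(best)})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On a site that legitimately accepts form POSTs from the Internet, narrow the write rule to PUT or to paths where uploads are never expected, otherwise it will flag normal traffic.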

 

DHS & FBI about ISIS Leader Baghdadi’s current Situation


Executive Summary:
(U//FOUO) This Joint Intelligence Bulletin (JIB) is intended to provide information on the recent video appearance by the Islamic State of Iraq and ash-Sham (ISIS) leader Abu Bakr al-Baghdadi. The video addresses the group’s territorial defeat in Syria, discusses the acceptance of pledges of allegiance from ISIS supporters, and praises recent attacks in Sri Lanka and Saudi Arabia. This JIB is provided by the FBI, DHS, and NCTC to support their respective activities and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners in deterring, preventing, or disrupting terrorist attacks against the United States. All video details described in this JIB are taken from the translated transcript of Baghdadi’s speech. The information cutoff date is 1 May 2019.

(U) Details of ISIS Leader Abu Bakr al-Baghdadi’s Video Message

(U//FOUO) On 29 April 2019, ISIS’s al-Furqan Media Establishment publicly released an 18-minute video message in Arabic titled “In the Company of the Amir of the Believers”, which shows ISIS leader Abu Bakr al-Baghdadi sitting on a carpet in an undisclosed location with an assault rifle at his side. This is Baghdadi’s first public statement since his August 2018 audio message, and his first video appearance since July 2014, when Baghdadi was filmed introducing himself as “caliph” of the newly-declared caliphate at the Grand Mosque in Mosul, Iraq.

(U) Baghdadi Vows a “Long Battle Ahead” Despite Defeat in Syria

• (U//FOUO) Baghdadi emphasizes that ISIS’s fight is not over, stating, “In truth, the battle between Islam and its people with the Cross and its people is long.” He further explains that ISIS is engaged in a multigenerational struggle and they plan to wear down their enemies with attrition, emphasizing that “jihad will continue until Judgement Day” and that “God Almighty ordered us to wage jihad and did not order us to achieve victory.”

• (U//FOUO) Baghdadi acknowledges that ISIS lost the war in Baghuz, Syria, but emphasizes that the “bravery, steadfastness, and endurance of the Ummah of Islam was evident.” He states that ISIS’s soldiers did not abandon their faith during the battle, and sacrificed their lives rather than giving away land to ISIS’s enemies.

• (U//FOUO) Baghdadi praises the members in all of ISIS’s provinces for their “unified raid to avenge their brothers in Syria, which amounted to 92 operations in eight countries.” He states these attacks indicate the cohesion and steadfastness of the “mujahedeen.” Baghdadi praises and thanks the now-deceased emirs, provincial governors, military personnel, and media members from various countries for their support to ISIS.

(U) Baghdadi Praised the Attacks in Sri Lanka and Saudi Arabia and Calls for Additional Operations

• (U//FOUO) Video footage displays the Sri Lanka attackers—who conducted a series of suicide bombings against luxury hotels and Christian churches in Sri Lanka on 21 April, killing approximately 250 people—pledging allegiance to Baghdadi, while audio of purportedly Baghdadi’s voice is heard stating, “You brothers in Sri Lanka have pleased the monotheists by their commando operations that unsettled the Crusaders in their Easter celebrate to avenge their brothers in Baghuz.” Baghdadi continues with “praise be to God, for among those killed were some Americans and Europeans.” Baghdadi congratulates the Sri Lanka attackers on their pledge of allegiance to join the “caliphate,” and asked God to accept them as martyrs.

• (U//FOUO) Baghdadi acknowledges the attack in Saudi Arabia—where ISIS fighters attacked a Saudi security building in Az Zulfi on 21 April—and asked God that it be “followed by another one.” He calls on members in Saudi Arabia “to continue down the path of jihad” against the Saudi regime.

• (U//FOUO) While Baghdadi appears in discussion with unidentified men, text on the screen indicates he was giving directives to “double the effort and intensify the blows against the Crusaders, apostates, and their supporters.”

(U) Baghdadi Accepts Pledges of Allegiance and Praises Global Network

• (U//FOUO) The video shows Baghdadi being handed booklets by one of the unidentified men which are labeled with the names of ISIS provinces, including Libya, Khorasan, Somalia, Yemen, Caucasus, West Africa, Central Africa, and Turkey, as well as Tunisia, which is not publicly identified as a province. This is the first time ISIS has referred to Turkey as an official province, or “wilayah,” in its media releases.

• (U//FOUO) Additionally, Baghdadi accepts pledges of allegiance from ISIS members in Burkina Faso and Mali, and congratulates them for joining the “caliphate.” He recommends they intensify their attacks against France and its allies and to avenge their brothers in Iraq and Syria.

• (U//FOUO) Baghdadi congratulates ISIS members in Libya for their resoluteness and their raid on the town of Al Fugaha, Libya. He states that despite their withdrawal from it, they have shown their enemies that they are capable of taking the initiative, knowing their battle today is a battle of attrition.

(U) Baghdadi’s Image Starkly Contrasts with Last Appearance in 2014

(U//FOUO) The video’s presentation of Baghdadi as an insurgent leader—similar to the images of now-deceased al-Qa‘ida (AQ) leader Usama Bin Laden and now-deceased AQ in Iraq leader Abu Musab al-Zarqawi from prior videos—contrasts with Baghdadi’s July 2014 appearance at the Grand Mosque in Mosul, Iraq, where he delivered a formal address from the mosque’s pulpit wearing a black turban and robe probably to evoke images of the last caliphs who ruled from Baghdad.

(U) Outlook

(U//FOUO) The FBI, DHS, and NCTC assess Baghdadi’s appearance almost certainly will bolster the morale for ISIS’s existing supporters around the world, including those in the United States, by indicating Baghdadi is alive and in control of the group as of late April 2019. Most homegrown violent extremists (HVEs) generally do not mobilize to violence in response to specific events and instead are usually influenced by a confluence of sociopolitical, ideological, and personal factors. However, those wavering in their commitment to ISIS might feel a sense of renewed devotion to the group as Baghdadi is alive and apparently still managing ISIS.

Christchurch May Inspire Other Terrorists – DHS-FBI


This Joint Intelligence Bulletin (JIB) is intended to provide information on Australian national and violent extremist Brenton Tarrant’s 15 March 2019 attacks on two mosques in Christchurch, New Zealand. These attacks underscore the enduring nature of violent threats posed to faith-based communities. FBI, DHS, and NCTC advise federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials and private sector security partners responsible for securing faith-based communities in the Homeland to remain vigilant in light of the enduring threat to faith-based communities posed by domestic extremists (DEs), as well as by homegrown violent extremists (HVEs) who may seek retaliation. This JIB is provided to assist federal, state, local, tribal, and territorial counterterrorism and law enforcement officials and private sector security partners to effectively deter, prevent, preempt, or respond to incidents and terrorist attacks in the United States.

(U) Attack Details

(U//FOUO) On 15 March 2019, New Zealand police arrested an Australian national who appeared to be inspired by a white supremacist ideology and who allegedly conducted a shooting attack on two mosques in Christchurch, New Zealand. This attack highlights the enduring threat of violence posed to faith-based communities. There are currently 49 victims deceased, and 20 others are listed as being in critical condition following the attack.

» (U//FOUO) On 15 March 2019, at about 1:40 PM local time, Australian national Brenton Tarrant used firearms to attack the Masjid Al Noor Mosque in the city of Christchurch, New Zealand, before conducting a similar shooting attack at the Linwood Masjid Mosque, approximately four miles away. Tarrant drove to the attack sites and livestreamed a video of the attack. Police also discovered improvised explosive devices in a vehicle connected with the attack. Tarrant is currently the only known perpetrator; however, investigation of his movements and associates continues.

» (U//FOUO) Tarrant disseminated a manifesto prior to the shooting which detailed his concerns of perceived “white genocide.” The manifesto contains a wide range of anti-immigrant and anti-Muslim views. One reason listed as to why he carried out the attack was “to create conflict…within the United States on the ownership of firearms in order to further the social, cultural, political, and racial divide within the United states [sic].”

» (U//FOUO) Tarrant claimed to have been planning the attack for two years and recently relocated to New Zealand to live temporarily while he “planned and trained.” He claimed to have chosen to conduct his attack in Christchurch three months prior to show such attacks could happen anywhere.

(U) Mosque Attacks Could Incite Like-Minded and Retaliatory Attacks

(U//FOUO) We are concerned online sharing of Tarrant’s livestreamed footage could amplify viewer reaction to the violent attack and possibly incite similar attacks by those adhering to violent extremist ideologies in the United States and abroad, as well as retaliatory attacks from HVEs and individuals otherwise affiliated with foreign terrorist organizations. Tarrant appeared to have been influenced by prior attacks by violent extremists in the United States and other countries, and we remain concerned that US-based DEs of similar ideologies could become inspired by this attack. Although most HVEs generally do not mobilize to violence in response to specific events and instead are usually influenced by a confluence of sociopolitical, ideological, and personal factors, exceptions may occur and we remain concerned for the potential of retaliatory attacks by some HVEs, as we have already seen calls for attacks by violent extremists online.

» (U//FOUO) Tarrant claimed Norwegian mass attacker Anders Breivik gave his “blessing” for the attack. Tarrant’s ammunition cases also displayed handwritten names of violent extremists in Canada and elsewhere who previously conducted violent attacks on Muslims or in support of violent extremist ideologies.

» (U//FOUO) An examination of online jihadist media following the mosque attacks indicates various al-Qa‘ida and ISIS supporters are posting attack images to express outrage and are calling upon all Muslims to respond to the New Zealand attacks by launching their own near-term attacks in retaliation.