(TLP GREEN) Cyber Threat to Law Enforcement and State Government Computer Systems Amid Civil Unrest
Aug. 17, 2020
PIN Number: 20200601-001
1 June 2020
Cyber Threat to Law Enforcement and State Government Computer Systems Amid Civil Unrest
The following information is being provided by the FBI, with no
guarantees or warranties, for potential use at the sole discretion
of recipients to protect against cyber threats. This data is
provided to help cyber security professionals and system
administrators guard against the persistent malicious actions of
cyber actors. This PIN was coordinated with DHS-CISA.
This PIN has been released TLP: GREEN: Recipients may share
TLP:GREEN information with peers and partner organizations
within their sector or community, but not via publicly accessible
channels.
Please contact the FBI with any questions related to this Private Industry
Notification at either your local Cyber Task Force or FBI CyWatch.
Local Field Offices: www.fbi.gov/contact-us/field
E-mail: cywatch@fbi.gov
Phone: 1-855-292-3937
Summary
Due to ongoing civil unrest, hacktivist groups are actively
threatening and endorsing cyber attacks against law
enforcement and state government networks. The FBI is
providing this Private Industry Notification to law enforcement
partners to increase cyber vigilance and recommend mitigation
to protect computer networks, outward facing webpages, and
social media accounts against a cyber attack.
Threat
Hacktivist groups have historically conducted and advocated for
cyber attacks following high-profile and controversial political or
socioeconomic events. Groups such as “Anonymous” are actively
leveraging societal and political unrest to encourage global cyber
action against law enforcement and government computer networks, outward facing
web pages, and social media accounts. The FBI has identified active target lists
published by individuals affiliating themselves with hacktivist groups, to include police
departments and local and state government computer networks.
Historically, hacktivists have provided tools and guidance on cyber attack methodology
and techniques to anyone willing to conduct an attack on behalf of their cause.
Distributed denial of service attacks along with web page and social media profile
defacement are a preferred tactic for hacktivist operations, but attackers have also
conducted data exfiltration of emails and sensitive files for public release. Following the
shooting of Michael Brown in 2014, individuals claiming affiliation with Anonymous
attacked Ferguson City Hall’s website and released personally identifiable information
(PII) and personal family information for the St. Louis County police chief. Criminals used
the PII to open fraudulent credit card accounts in the chief’s name.
Hacktivist operations are conducted by sophisticated and non-sophisticated cyber actors
globally, with followers receiving targets from individuals conducting extensive
reconnaissance. Reconnaissance can include the use of web scanning tools to identify
open network ports or unpatched vulnerabilities. This phase of activity can also target
social media accounts of officers, government officials, and employees to create
targeted phishing emails aimed at infecting networks through malicious attachments
and links, creating an initial intrusion vector for follow-on cyber operations.
Recommended Mitigations
General Cyber Recommendations
• Update and patch all systems, to include operating systems, software, and any
  third-party code running as part of your website.
• Keep anti-virus and anti-malware up to date and firewalls properly configured.
• Create a disaster recovery plan to ensure successful and efficient communication,
  mitigation, and recovery in the event of an attack.
• Implement a password policy that requires passwords to be at least 14 characters
  or longer, preferably using a passphrase to increase complexity while assisting
  user recall.
Email Phishing Recommendations
• Be wary of unsolicited attachments, even from people you know. Cyber actors
  can "spoof" the return address, making it look like the message came from a
  trusted associate.
• Keep software up to date. Install software patches so that attackers can't take
  advantage of known problems or vulnerabilities.
• If an email or email attachment seems suspicious, don't open it, even if your
  antivirus software indicates that the message is clean. Attackers are constantly
  releasing new viruses, and the antivirus software might not have the signature.
• Save and scan any attachments before opening them.
• Turn off the option to automatically download attachments. To simplify the
  process of reading email, many email programs offer the feature to automatically
  download attachments. Check your settings to see if your software offers the
  option, and disable it.
Distributed Denial of Service Identification and Recommendations
• Identification
  o Unusually slow network performance (opening files or accessing websites)
  o Unavailability of a particular website or the inability to access any website.
• Mitigation
  o Enroll in a Denial of Service protection service that detects abnormal
    traffic flows and redirects traffic away from your network.
  o Create a partnership with your local internet service provider (ISP) prior to
    an event and work with your ISP to control network traffic attacking your
    network during an event.
Reporting Notice
The FBI encourages recipients of this document to report information concerning
suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch
(CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field.
CyWatch can be contacted by phone at (855) 292-3937 or by email at CyWatch@fbi.gov.
When available, each report submitted should include the date, time, location, type of
activity, number of people, and type of equipment used for the activity, the name of the
submitting company or organization, and a designated point of contact. Press inquiries
should be directed to the FBI’s National Press Office at npo@fbi.gov or (202) 324-3691.
Administrative Note
This product is marked TLP:GREEN. Recipients may share TLP:GREEN information with
peers and partner organizations within their sector or community, but not via publicly
accessible channels. Information in this category can be circulated widely within a
particular community. TLP: GREEN information may not be released outside of the
community.
Your Feedback Regarding this Product is Critical
Please take a few minutes to send us your feedback. Your feedback
submission may be anonymous. We read each submission carefully, and your
feedback will be extremely valuable to the FBI. Feedback should be specific to
your experience with our written products to enable the FBI to make quick
and continuous improvements to these products. Feedback may be
submitted online here: https://www.ic3.gov/PIFSurvey
TLP: GREEN