The greater Boston area is shut down with bus and subway service suspended and local businesses and universities closed, as federal and local authorities chase down two men believed to have carried out the Boston Marathon bombings.
One suspect, pictured in photos and video released by the FBI the evening of April 18, is dead, apparently after a shootout and car chase with police. The other suspect, who was also in the released pictures and video, remains at large prompting early morning warnings from police for residents in the Boston suburb of Watertown and adjacent suburban towns to remain indoors.
Reportedly, the men shot and killed a campus police officer at the Massachusetts Institute of Technology (MIT) in Cambridge, MA, and wounded a transit authority officer the night of April 18, about five hours after the FBI publicly released the suspects’ photos. The two men also reportedly carjacked a vehicle and led police on a chase in which the suspects reportedly hurled explosives at their pursuers.
One suspect was pronounced dead at a local hospital after the shootout.
Police and federal authorities have called both suspects extremely dangerous and “terrorists,” with reports saying the remaining man could have explosives with him, or on him.
The Associated Press reported early on April 19 that the men are brothers from Chechnya who have lived in the U.S. for one year, and identified the living suspect as Dzhokhar A. Tsarnaev, 19, of Cambridge, MA.
The unprecedented, dramatic events began to unfold just after 5 p.m. on April 18 after the FBI at a press conference unveiled video capture and photos of the two men captured by private security cameras at a downtown department store near the finish line of the April 15 marathon.
At around 10 p.m., reports came in of a shooting near the MIT campus at a 7-11 store in Middlesex County, MA, followed by a carjacking. A statement from the Middlesex County district attorney the evening of April 18 said an MIT campus police officer responding to a report of a disturbance in the area of Vassar and Main streets was reportedly shot. According to authorities, the officer was found with multiple gunshot wounds. He was transported to the hospital and pronounced dead.
“During the exchange of the gunfire, we believe that one of the suspects was struck and ultimately taken into custody. A second suspect was able to flee from that car and there is an active search going on at this point in time,” Colonel Timothy Alben, superintendent of the Massachusetts State Police, told a news conference later that night.
Federal, state and local investigators are in the initial stages of tracking down the person or persons responsible for two bombs detonated near the finish line of the Boston Marathon on April 15 that killed three people and wounded over 100, but said no one has claimed responsibility for the attack.
The latest details to emerge from the afternoon of chaos in the city included news that the bombs -- which were stuffed in trashcans near the race route -- contained ball bearings or BBs meant to cause even more substantial injuries to bystanders.
A third device, which didn’t detonate, was found near the race grandstand at the finish line. Federal authorities have also told news organizations that the explosive devices were small and didn’t contain high explosives like C-4.
The New York Times reported two additional explosive devices were found in downtown Boston. Security measures in other U.S. cities, including Washington, D.C. and New York City, have been stepped up in response to potential future attacks, as have security measures in cities across the world, including London, where another marathon event is scheduled in the coming weeks.
Three people, including an eight-year-old boy, were killed in the blasts, which occurred within 100 yards of one another near Boston’s Copley Square. More than 140 were injured, some grievously, with shrapnel injuries that first responders likened to battlefield wounds.
Many of the wounded included children and a two-year-old child was being treated at Boston’s Children’s Hospital for critical head injuries.
A motive for the attacks has yet to be determined. No person or organization, foreign or domestic, has claimed responsibility.
The Pakistan Taliban, which has threatened to carry out domestic attacks on the U.S., denied responsibility for the attack the evening of April 15.
“The situation remains fluid, and it remains too early to establish the cause and motivation,” said an FBI statement issued at 9 p.m. on April 15.
Hours before, in a televised statement, President Obama said it was unclear who was behind it, but whoever it was would “feel the full weight of justice.” White House officials have called the incident an act of terrorism.
Department of Homeland Security Secretary Janet Napolitano, like other federal agency officials in Washington, sent her condolences to the families of the dead and injured and added that her agency is providing “any support necessary” for the investigation. She also encouraged vigilance in the aftermath of the attack.
House Homeland Security Committee chairman Michael McCaul (R-TX) and other members of the committee, including ranking member Bennie Thompson (D-MS), said much the same in an April 15 statement, offering thoughts and prayers for the victims and thanks to first responders and the public for their actions in the minutes after the bombs went off and as the investigation moved forward.
The chairman of the Senate Homeland Security and Governmental Affairs Committee Sen. Tom Carper (D-DE) vowed to “get to the bottom of this” and use the information gathered along the way to bolster future defenses.
GSN 2012 Awards announced: White House deputy of homeland security recognized for leadership at annual gala
GSN Awards 2012
Hundreds of the best of the homeland security community’s federal, state and municipal government officials, government contractors, systems integrators, IT vendors and physical security product and solutions providers all came together the night of November 29 in a ballroom of the Washington, D.C. convention center to receive accolades.
The GSN awards dinner, which has become a Washington tradition over the last four years, offered a chance for the excellence and civic-minded spirit of homeland security efforts nationwide to be recognized.
Not only were the best tools and technologies acknowledged, but the people and groups who use them, from local police departments in Florida and Washington state to the White House, were honored at the event.
During the awards ceremonies, Richard Reed, Deputy Assistant to President Obama for Homeland Security, received the second annual Government Security News/Raytheon Award for Distinguished Leadership and Innovation in Public Safety and Security. Reed was chosen for tireless work in his key role in leading the development of national policy related to resilience, transborder security and community partnerships. He has been described as the president’s eyes and ears during disasters. In crises, such as the Gulf oil spill, H1N1 pandemic, and Haiti earthquake, Reed has sprung into action at the White House, coordinating information and gathering people to cope with these catastrophes.
Reed told Government Security News in an interview after the dinner that gatherings like GSN’s awards ceremony were invaluable in demonstrating that the hard work of creating a resilient, strong response to crises is performed by thousands of individuals, like those in attendance. Gatherings that bring the diverse emergency response and homeland security communities together can broaden perspectives and spur new ideas, he said.
Reed has been a determined, mostly behind-the-scenes captain of federal emergency response efforts during the Bush and Obama administrations, helping prepare for, and respond to, some of the worst natural disasters the nation has known, from one of the deadliest tornado seasons in history in the Midwest, to historic wildfires in the West, and massive storms in the eastern U.S.
Reed said the key to capable response to such staggering events lies not only in federal hands, but in enabling state, local and even personal responses. Getting resources and training in place before disasters happen goes a long way in an effective response and recovery, he said. “The true first responders are friends, neighbors and co-workers” in the immediate aftermath of a disaster, said Reed. Local police, firefighters and other agencies arrive second, he said. Enabling people with information concerning what resources are available or where they can go for help or supplies empowers them, said Reed.
Government Security News managing partner Adrian Courtenay has made the GSN/Raytheon award an annual tradition. The prize is sponsored by the Raytheon Company, a technology and innovation leader specializing in defense, homeland security and other government markets throughout the world, which is headquartered in Waltham, MA.
Notable 2012 government excellence award winners included the local police departments in Tampa and St. Petersburg, FL, for their ground-breaking work in preparing for the Republican National Convention in Tampa this past summer. The departments put together comprehensive plans to gently defuse potentially volatile political demonstrations at the event. Both departments were also praised for implementing an innovative interoperable communications network during the GOP convention.
The Lawrence Livermore National Laboratory was recognized for its groundbreaking work on a small radiation detector. The Naval Air Systems Command won an award for its work on the Kestrel Wide Area Persistent Surveillance program, which developed an aerostat for long-term surveillance capabilities to protect ground soldiers in Afghanistan.
The complete list of GSN’s 2012 Award winners appears below:
CATEGORY 1 – VENDORS OF IT SECURITY PRODUCTS AND SOLUTIONS
Best Anti-Malware Solution
Best Identity Management Platform
Best Certificate Management Solution
Best Compliance /Vulnerability Assessment Solution
Best Data Security/Loss Management Solution
Best Endpoint Security Solution
Best Forensic Software
Best Intelligence Data Fusion and Collaborative Analysis Solution
Lookingglass Cyber Solutions
Best Intrusion Detection/Prevention Solution
Vanguard Integrity Professionals
Best Network Security/Enterprise Firewall
Best Privileged Access Management Solution
Best Real-Time Dynamic Network Analysis
Best Continuous Monitoring Solution
Best Security Incident/Event Management Solution (SIEM)
CATEGORY 2 – VENDORS OF PHYSICAL SECURITY PRODUCTS & SOLUTIONS
PHYSICAL SECURITY ACCESS CONTROL & IDENTIFICATION
Best Biometric Identification Solution
Best Integrated System for HSPD 12/FIPS 201 Compliance
Best Platform for Physical and Logical Access
Best Interoperable First Responder Communications
Best Mass Notification Systems
Best Regional or National Public Safety Communications Deployment
Best Explosives Detection Solution
Best Long Range Detection Systems
Best Nuclear/Radiation Detection
Lawrence Livermore National Laboratory
Best Intelligent Video Surveillance Solution
Best Thermal/Night Vision/Infrared Cameras
HGH Infrared Systems
Best Network IP Cameras
Best Video Storage/Digital Transmission Systems
Best Perimeter Protection Solution
Best Crash Barriers
Best Physical Security Information Management (PSIM) Solution
Best Disaster Preparedness or Disaster Recovery & Clean-up Service
High-Rise Escape Systems
Best Facility Security/Force Protection Service
Best Homeland Security Training/Higher Education Solutions
CATEGORY 3 – GOVERNMENT SECURITY NEWS 2012 GOVERNMENT EXCELLENCE AWARDS
Most Notable Airport Security Award
Defense Manpower Agency
Most Notable Maritime/Port Security Program
Ohio Department of Public Safety/Northern Border Initiative
Most Notable Railroad/Mass Transit Security Program
Denver Regional Transportation Authority
Most Notable Critical Infrastructure Program, Project or Initiative
U.S. Veterans Administration Hospital, Tucson, AZ
Most Notable Cyber Security Program, Project or Initiative
U.S. Department of Energy
Most Notable Emergency Response Implementation
U.S. National Guard
Federal Emergency Management Agency (FEMA)
Most Notable Law Enforcement Interdiction, Arrest or Counter-Terrorism Program
Orange County Intelligence Assessment Fusion Center
Most Notable Municipal/County Programs, Projects or Initiatives
Seattle, Washington Police Department
Tampa and St. Petersburg, Florida Police Departments
Naval Air Systems Command (Kestrel Wide Area Persistent Surveillance)
The Government Security News 2012 Homeland Security Awards Program officially opened for entries on May 1, once again featuring 45 Awards in three broad Categories: Best Vendors of IT Security Products and Solutions, Best Vendors of Physical Security Products and Solutions and the 2011 Government Excellence Awards.
Returning as corporate Sponsors of the 2012 Program are BRS Laboratories of Houston, TX -- a leading software development company for video behavioral recognition software that deploys easily and rapidly on large-scale video networks and provides actionable information without inundating end users with false alarms -- and Entrust, Inc., of Dallas, TX, which offers physical/logical access, mobile security, certificate management and other identity-based solutions to governments and large enterprises. Additional sponsors will be announced, and profiles of all 2012 sponsors will be published in coming weeks. Companies interested in joining the ranks of sponsors of the 2012 Awards Program should contact GSN Publisher and World Business Media President, Edward Tyler, at 212-344-0759, ext. 2001.
The cost to submit an entry in the 2012 program is $295 for vendors of IT security and physical security products and solutions. As in previous years, there is no cost for entries in the 10 categories of awards for federal, state and local government agencies. Vendors of IT and physical security products and solutions may nominate themselves or be nominated by colleagues or government clients, while government agencies or departments may similarly nominate themselves or be nominated by other agencies, colleagues or vendors.
According to Adrian Courtenay, managing partner of World Business Media, several new categories created in 2011 to acknowledge successful initiatives of federal, state or local agencies in responding to emergencies, countering terrorism and preventing crime will again be included in 2012. These categories are “Most Notable Emergency Response Implementation – Federal, State or Local”; “Most Notable Law Enforcement Interdiction, Arrest or Counter Terrorism Program – Federal, State or Local”; and “Most Notable Counter Terrorism or Crime Prevention Program”.
In the 2011 contest, the Bastrop County, TX, Unified Command (including county, state and federal government agencies) was awarded the trophy for “Most Notable Emergency Response Implementation” in battling the 2011 Texas wildfires in Bastrop County. The United States Customs and Border Protection, Detroit Sector, was winner in the “Most Notable Law Enforcement Interdiction or Arrest” category for a dramatic arrest on the St. Clair River in Detroit, and the Los Angeles Police Department was recognized for having the “Most Notable Law Enforcement Counter Terrorism or Crime Prevention Program.”
Another category that was new in 2011, “Most Notable Cyber Security Program or Technology – Government or Military”, will also be continued, in recognition of the emergence of Cyber Security as a vitally important component of overall security for any nation. The winner of this award in 2011 was the National Oceanic and Atmospheric Administration.
The 2012 Awards Program will once again culminate with a gala awards dinner in the fall, at a venue to be announced shortly. In the 2011 program, the “GSN/Raytheon Award for Distinguished Leadership and Innovation” was introduced and presented to Admiral Thad Allen (US Coast Guard-ret.), who came out of retirement twice in recent years to serve his country, first in heading up the federal response to Hurricanes Katrina and Rita, and later in managing the response to the Deepwater Horizon oil spill in the Gulf of Mexico.
In remarks for the 2011 Awards Dinner audience, Admiral Allen said the continuing work of technology companies and first responders was key in any disaster. He urged everyone to become a “lifelong rapid learner” to better cope with disasters, both man-made and natural. He also said “reconciling opportunity and competency” when disaster strikes is essential to any effective recovery, and being on top of the latest, most effective technology is a product of being a lifelong rapid learner. He added that clear communications is also a key to effective response, and amplified his call for a nationwide interoperable first responder radio network.
Photos of the 2010 awards reception and dinner are available at www.flickr.com/photos/[email protected]/, and video interviews with Admiral Allen, as well as sponsors and winners in the 2011 Awards program, are available at the GSN Video Center at www.gsnmagazine.com/videocenter.
Entry forms and other information about the 2012 Awards Program are available at www.gsnmagazine.com/hsa2012/welcome.
Government Security News has announced that its 2011 Homeland Security Awards Program will officially open for business and start accepting entries in the program’s 45 awards categories on Tuesday, April 26.
The 2011 program contains a number of exciting new categories, reflecting the dynamically changing threat environment, in all three of the overall awards groupings: Best Vendors of IT Security Products and Solutions, Best Vendors of Physical Security Products and Solutions, and the 2011 Government Excellence Awards.
The cost for each entry in the 2011 program is $295 for vendors of IT security and physical security products and solutions. As in previous years, there is no cost for entries in the 10 categories of awards for federal, state and local government agencies.
Vendors of IT and physical security products and solutions may nominate themselves or be nominated by colleagues or government clients, while government agencies or departments may similarly nominate themselves or be nominated by other agencies, colleagues or vendors.
Adrian Courtenay, Managing Partner of GSN’s parent company, World Business Media, LLC, cited two intriguing new categories in the government sector that have been selected to acknowledge solid “boots on the ground” achievements of federal, state or local agencies in responding to emergencies, countering terrorism and stopping crime. These categories are “Most Notable Emergency Response Implementation – Federal, State or Local” and “Most Notable Law Enforcement Interdiction, Arrest or Counter Terrorism Program – Federal, State or Local.”
Acknowledging the increasing importance of cyber security and the threat of cyber war among nation-states, Courtenay also pointed out that the government awards in 2010 have been expanded to include a category titled, “Most Notable Cyber Security Program or Technology – Government or Military.”
Returning for its third year as a sponsor of the GSN Awards Program is founding sponsor ArcSight, now a business unit of Hewlett Packard Software and Solutions, whose enterprise threat and risk platform is an integrated product for collecting, analyzing and assessing security and risk information. ArcSight is also a repeat winner in the GSN awards program for its Security Incident Event Management (SIEM) products for collecting, analyzing and assessing security incident event information.
Also returning as event sponsors are General Dynamics C4, located in Phoenix, AZ, a major developer and integrator of secure communications and information systems and technology; and Mutualink, another GSN award winner, which creates networks of interoperable communities that can instantly share radio, voice, text, video and data files, and telephone communications in a secure environment.
The fourth and final sponsor to date in the 2011 Awards Program is Behavioral Recognition Systems, Inc., of Houston, TX, also known as BRS Labs, whose software uses the fascinating, scientifically developed cognitive reasoning and artificial intelligence of behavioral analytics to leverage a stream of intelligence from millions of surveillance cameras worldwide, in order to provide alerts regarding abnormal or suspicious behavior.
Profiles of each of the 2011 sponsors will be posted on the GSN Web site in the coming weeks.
Additional companies or organizations interested in joining the ranks of 2011 sponsors of the GSN 2011 Homeland Security Awards Program should contact GSN Publisher and World Business Media President, Edward Tyler, at 212-344-0759, ext. 2001.
According to Courtenay, the 2011 Awards Program will culminate with the annual awards dinner in early November at a venue to be announced shortly. “It’s going to be hard to top last year’s elegant dinner and spectacular after-dinner keynote presentation by four-star General Barry McCaffrey (USA-Ret.). But we’re going to try!”
In 2010, the GSN awards were presented to a sold-out ballroom at the JW Marriott Hotel in Washington, DC, that included many distinguished government and military officials, academics, law enforcement and public safety professionals from across the country, along with the systems integrators, defense contractors and vendors of products and solutions used in homeland security.
Photos of the 2010 awards reception and dinner are available at:
Further information and entry forms for the 2011 Awards Program are available at:
Despite official murmurings a few months ago that the fiscal year 2011 budget request for DHS might decline slightly, the budget package unveiled on February 1 actually shows a three percent increase in “discretionary spending” by DHS in 2011, versus the prior year, and modest growth, at approximately the predicted rate of inflation, in the outer years.
“The total fiscal year 2011 budget request for DHS, including fee funded and mandatory spending, is $56.3 billion, a two percent increase over the fiscal year 2010 enacted level,” said Peggy Sherry, the acting chief financial officer at DHS, in a telephone conference call with journalists on February 1. “The department’s fiscal year 2011 net discretionary or appropriated funding request is $43.6 billion, an increase of three percent over the fiscal year 2010 enacted level.”
In releasing his overall budget request, President Obama proposed a freeze in government spending for a portion of the discretionary domestic spending plan for three years, but he specifically exempted homeland security expenditures from that freeze. “It won’t apply to our national security – including benefits for veterans,” said Obama in remarks he made in the White House on February 1.
Some observers speculated that the slight bump up in DHS spending may have resulted from the nationwide trauma caused by the failed Christmas Day underwear bombing attempt, and the urgent call for stronger screening measures at the country’s airports. However, a DHS official who participated on the conference call with journalists, but requested anonymity, would not attribute the budget increase to that terrorist attack.
“As part of the budget process, we examined different scenarios and options,” explained the official. “Those are discussions that are internal to the Administration and what you see in the budget release today is the end product of all those budget deliberations.”
Among the thousands of individual line-items for specific programs and planned procurements are the following highlights:
Advanced imaging systems – The 2011 budget requests an additional $214.1 million to install about 500 extra advance imaging technology machines at airport checkpoints, above and beyond the 500 systems that had already been planned. These funds will place such whole body scanners in 75 percent of the country’s largest airports, said Sherry.
Explosive detection – Beyond body scanners, DHS will seek an additional $85 million to bolster international flight coverage by federal air marshals, an increase in $60 million for an additional 800 explosive trace detection machines and a $71 million bump up to pay for an additional 275 K-9 teams at airport check points.
Border Patrol – The new budget envisions a decrease of 180 personnel in the ranks of the Border Patrol, which will be achieved largely through attrition. A DHS official suggested that the overall operating effectiveness of the Border Patrol will not be affected by this decline in personnel slots because the Border Patrol has almost doubled in size during the past five years. “A lot of the agent workforce, the substantial portion of it, has only a couple of years experience,” said this DHS official. “As they become more seasoned and more mature in their jobs, their effectiveness will increase, and because we are not doing the extensive hiring of 2,000 to 3,000 new agents a year, we can afford to put less into training improvement.”
Cyber-security – By contrast, DHS is planning a substantial beef-up in its cyber-security efforts. The new budget seeks $379 million to develop the National Cyber Security Division, which will attempt to safeguard the dot.gov and dot.com domains, and limit the nation’s vulnerability to computer attacks. DHS wants to add another $5 million to the $5 million that was in last year’s budget for the National Cyber Security Center, which one DHS official characterized as “still in its infancy.” The budget envisions an increase in the Center’s staffing to 40 people and the enhancement of its expertise, so it can integrate with other cyber-centers throughout the federal government.
Terror trials – Contrary to media reports that a terror trial in Manhattan might require a billion dollars in security measures, the 2011 budget request for DHS includes only $200 million for such security measures, which would be available through the traditional urban area grant programs. “The department took a look at it and we think $200 million is really our best estimate of the costs,” said the DHS official.
Federal contracting – In what it calls “re-balancing the workforce,” DHS is planning to rely less on outside vendors and more on internally recruited and trained personnel, particularly in the areas of cyber-security -- where DHS is authorized to hire as many as 1,000 new cyber-specialists – and the intelligence work often referred to as “connecting the dots.” “In our analysis and operations activity, we have a major increase in the number of feds doing intelligence type work,” said Sherry.
Coast Guard – A DHS fact sheet issued by the Office of Management and Budget points out that the budget request includes $538 million for a fifth National Security Cutter and $240 million to produce four new Fast Response Cutters. Even so, the new budget seeks funds for 1,100 fewer active duty Coast Guard personnel. “We are looking to reorganize and restructure certain elements of the Coast Guard to create greater efficiency,” explained a DHS official, “and there are obviously tradeoffs made as part of that to ensure we could continue to recapitalize the Coast Guard.”
President Obama’s budget request was delivered to Capitol Hill and will now undergo months of scrutiny by lawmakers. Fiscal year 2011 begins officially on October 1, 2010.
Global ransomware damage costs predicted to exceed $11.5 billion annually by 2019: Ransomware will attack a business every 14 seconds by end of 2019
MENLO PARK, Calif., Nov. 15, 2017 -- Ransomware — a malware that infects computers (and mobile devices) and restricts their access to files, often threatening permanent data destruction unless a ransom is paid — has reached epidemic proportions globally.
Cybersecurity Ventures predicts there will be a ransomware attack on businesses every 14 seconds by the end of 2019. This does not include attacks on individuals, which occur even more frequently than attacks on businesses.
"Since September 2013 when CryptoLocker, the first weapons-grade ransomware strain appeared, this type of malware has metastasized into a multi-billion dollar criminal business model that is only in its early phases and will continue to increase in sophistication," says Stu Sjouwerman, founder and CEO at KnowBe4, a company that specializes in training employees on how to detect and respond to ransomware attacks.
The big myth around ransomware damages is that the costs are limited to ransom payouts. However, the percentage of businesses and individuals who are paying bitcoin to reclaim access to their data and systems in response to ransom demands is declining (even if the total payout figures are rising due to the sheer volume of new attacks).
"Ransomware costs include damage and destruction (or loss) of data, downtime, lost productivity, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hostage data and systems, reputational harm, and employee training in direct response to the ransomware attacks," says Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures.
CIOs, CISOs (Chief Information Security Officers), and IT security teams need to heighten their awareness and response plans around the ransomware threat. Cyber defense needs to cross boundaries so that every IT worker understands exactly what ransomware is, how it infects organizations, and how to combat it.
Cybersecurity Ventures predicts cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015. Ransomware is expected to worsen and make up a proportionately larger share of total cybercrime by 2021.
Cybersecurity Ventures is the world's leading researcher and publisher covering the global cyber economy, and a trusted source for cybersecurity facts, figures, and statistics.
SOURCE Cybersecurity Ventures
HIDDEN COBRA – North Korean Trojan: Volgmer
Original release date: November 14, 2017 | Last revised: November 15, 2017
This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:
MAR IOCs (.stix)
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.
The U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
India (772 IPs) 25.4 percent
Iran (373 IPs) 12.3 percent
Pakistan (343 IPs) 11.3 percent
Saudi Arabia (182 IPs) 6 percent
Taiwan (169 IPs) 5.6 percent
Thailand (140 IPs) 4.6 percent
Sri Lanka (121 IPs) 4 percent
China (82 IPs, including Hong Kong (12)) 2.7 percent
Vietnam (80 IPs) 2.6 percent
Indonesia (68 IPs) 2.2 percent
Russia (68 IPs) 2.2 percent
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.
Malicious actors commonly maintain persistence on a victim’s system by installing the malware as a service. Volgmer queries the system and randomly selects an existing service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry, so that the service host loads the malicious DLL whenever the service starts. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.
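The ServiceDll overwrite described above is the kind of change a host baseline catches. The following Python script is an added example, not code from the alert or from NCCIC: it parses a constructed, simplified fragment of a `reg export` of the Services hive and reports any ServiceDll that points outside System32 or differs from a baseline captured from a known-good build. The service names, DLL paths, the tampered entries and the baseline dictionary are all constructed for the demo, and the SystemRoot value is assumed.

```python
"""Audit ServiceDll values from an exported Services registry hive.

Added example (not from the alert). Volgmer overwrites the ServiceDll of an
existing service, so two checks are useful: is the DLL outside System32, and
does it differ from what a known-good baseline says the service should load?
"""
import re
from typing import Dict, List

SYSTEM_ROOT = r"C:\Windows"  # assumed for %SystemRoot% expansion in this demo

# Constructed, simplified fragment of `reg export HKLM\SYSTEM\CurrentControlSet\Services`.
# A real export writes REG_EXPAND_SZ values as hex(2):... byte lists; plain quoted
# strings are used here so the sample stays readable. Two entries were altered:
# SSDPSRV still points into System32 but at a different DLL name, and wuauserv
# points outside System32 entirely.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"DisplayName"="Task Scheduler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\ssdpsrvx.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="C:\\ProgramData\\example_dir\\wuaueng.dll"
'''

# Constructed baseline; in practice captured from a golden image of the same build.
BASELINE: Dict[str, str] = {
    "Schedule": r"%SystemRoot%\System32\schedsvc.dll",
    "Dnscache": r"%SystemRoot%\System32\dnsrslvr.dll",
    "SSDPSRV": r"%SystemRoot%\System32\ssdpsrv.dll",
    "wuauserv": r"%SystemRoot%\System32\wuaueng.dll",
}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Parameters\]$",
    re.IGNORECASE,
)
VAL_RE = re.compile(r'^"ServiceDll"="(.*)"$', re.IGNORECASE)


def parse_service_dlls(reg_text: str) -> Dict[str, str]:
    """Map service name -> ServiceDll path for every <service>\\Parameters key."""
    dlls: Dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith("["):          # some other key: stop attributing values
            current = None
            continue
        val = VAL_RE.match(line)
        if val and current:
            dlls[current] = val.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return dlls


def normalize(path: str) -> str:
    """Expand %SystemRoot% and lower-case so paths compare reliably."""
    return path.lower().replace("%systemroot%", SYSTEM_ROOT.lower())


def audit(reg_text: str, baseline: Dict[str, str]) -> List[str]:
    """Return one finding per suspicious ServiceDll (may be two for one service)."""
    findings: List[str] = []
    sys32 = (SYSTEM_ROOT + r"\System32").lower()
    for svc, dll in sorted(parse_service_dlls(reg_text).items()):
        path = normalize(dll)
        if not path.startswith(sys32 + "\\"):
            findings.append(f"{svc}: ServiceDll outside System32 -> {dll}")
        expected = baseline.get(svc)
        if expected is not None and normalize(expected) != path:
            findings.append(f"{svc}: ServiceDll differs from baseline (expected {expected}) -> {dll}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG, BASELINE):
        print(finding)
```

The baseline comparison matters because a replacement DLL dropped into System32 under a plausible name passes the path check alone; any hit should be followed by verifying the DLL's signature and hash on the host.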
Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
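One way to carry out the perimeter-log review described here, while also picking out the beacon pattern from the protocol description above (outbound TCP 8080/8088). This Python script is an added example, not code from the alert: the log lines are constructed, and the IOC addresses are TEST-NET placeholders standing in for the alert's .csv/.stix lists. It separates inbound attempts from an IOC address (which may be legitimate traffic from a dynamic IP) from allowed outbound connections to one (an internal host that should be inspected).

```python
"""Match perimeter firewall logs against an IOC address list.

Added example (not from the alert). Outbound connections from an internal
host to an IOC address are the strongest signal; an inbound attempt only
says the address touched the perimeter.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

VOLGMER_PORTS = {8080, 8088}          # C2 ports named in the alert

# Placeholder IOC addresses (TEST-NET ranges); load the alert's files in practice.
IOC_IPS = {"203.0.113.5", "198.51.100.77"}

# Constructed log format: "<ts> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2017-11-14T10:01:02Z ALLOW TCP 10.0.0.12:51234 -> 203.0.113.5:8080
2017-11-14T10:01:09Z ALLOW TCP 10.0.0.12:51235 -> 192.0.2.10:443
2017-11-14T10:02:41Z DENY TCP 198.51.100.77:44010 -> 10.0.0.3:445
2017-11-14T10:03:15Z ALLOW TCP 10.0.0.20:49155 -> 198.51.100.77:8088
2017-11-14T10:04:00Z ALLOW TCP 10.0.0.31:50001 -> 203.0.113.5:443
"""


@dataclass
class Finding:
    ts: str
    internal_host: str
    ioc_ip: str
    direction: str      # "outbound" (internal -> IOC) or "inbound" (IOC -> internal)
    port: int           # destination port of the connection
    action: str         # firewall verdict as logged
    note: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line involves an IOC address, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    if dst in IOC_IPS and ipaddress.ip_address(src).is_private:
        note = ("outbound to IOC on Volgmer C2 port" if dport in VOLGMER_PORTS
                else "outbound to IOC")
        return Finding(m["ts"], src, dst, "outbound", dport, m["action"], note)
    if src in IOC_IPS and ipaddress.ip_address(dst).is_private:
        return Finding(m["ts"], dst, src, "inbound", dport, m["action"],
                       "inbound attempt from IOC")
    return None


def review(log_text: str) -> List[Finding]:
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


def hosts_to_triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Internal hosts with ALLOWED outbound connections to an IOC address."""
    out: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.direction == "outbound" and f.action == "ALLOW":
            out[f.internal_host].append(f"{f.ts} {f.ioc_ip}:{f.port} {f.note}")
    return dict(out)


if __name__ == "__main__":
    for host, reasons in hosts_to_triage(review(SAMPLE_LOG)).items():
        print(host, reasons)
```

As the alert notes, some traffic to or from these addresses will be legitimate, so the output is a triage list, not an infection list; the hosts it names are the ones to check for the ServiceDll persistence and the MAR's file indicators.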
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
Network signature (Snort):

alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)

Host-based rule (YARA):

rule volgmer
{
meta:
    description = "Malformed User Agent"
strings:
    $s = "Mozillar/"
condition:
    // "MZ" at offset 0 and "PE" at e_lfanew (offset 0x3c): restrict to PE files
    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}
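What the two rules actually test, restated as plain Python so an analyst can reason about matches, misses and false positives. This is an added example, not code from the alert: the HTTP request and the minimal MZ/PE stub are constructed, and the stub is not a real executable. It also shows the depth boundary of the Snort rule, which the alert does not spell out.

```python
"""Plain-Python mirrors of the alert's Snort content match and YARA condition.

Added example (not from the alert); constructed inputs only.
"""
import struct

UA_MARKER = b"User-Agent: Mozillar/"   # the misspelled token the rules key on
SNORT_DEPTH = 500                      # content must lie within the first 500 payload bytes


def snort_malformed_ua(payload: bytes) -> bool:
    """Mirror of: content:"User-Agent: Mozillar/"; depth:500;"""
    return UA_MARKER in payload[:SNORT_DEPTH]


def yara_volgmer(data: bytes) -> bool:
    """Mirror of: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s

    YARA's uintN() reads little-endian, so 0x5A4D is the bytes "MZ" and 0x4550
    is "PE"; uint32(0x3c) is e_lfanew, the offset of the PE signature.
    """
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    if struct.unpack_from("<H", data, e_lfanew)[0] != 0x4550:
        return False
    return b"Mozillar/" in data


def build_fake_pe(embedded: bytes) -> bytes:
    """Construct a minimal MZ/PE stub carrying `embedded` (demo data, not runnable code)."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\0\0"
    return bytes(header) + embedded


# Constructed HTTP requests: one with the malformed token, one with a normal UA.
REQ_MALFORMED = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozillar/5.0\r\n\r\n"
REQ_NORMAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    print("snort malformed:", snort_malformed_ua(REQ_MALFORMED))
    print("snort normal:", snort_malformed_ua(REQ_NORMAL))
    print("yara on PE with token:", yara_volgmer(build_fake_pe(b"Mozillar/5.0")))
    print("yara on PE without token:", yara_volgmer(build_fake_pe(b"Mozilla/5.0")))
```

The PE-header guard in the YARA condition is why the string alone is not enough to fire the rule: a text file or a packet capture containing "Mozillar/" is ignored, which keeps the host rule from matching its own alert documentation. The Snort rule has no such guard beyond the depth, so it fires on any TCP payload carrying the token early on; the alert's caveat about false positives applies to both.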
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include
temporary or permanent loss of sensitive or proprietary information,
disruption to regular operations,
financial losses incurred to restore systems and files, and
potential harm to an organization’s reputation.
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams. Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC ([email protected] or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division ([email protected] or 855-292-3937).
November 14, 2017: Initial version
HIDDEN COBRA - North Korean Malicious Cyber Activity
The information contained on this page is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) to provide technical details on the tools and infrastructure used by cyber actors of the North Korean government. The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity. The U.S. Government refers to the malicious cyber activity by the North Korean government as HIDDEN COBRA.
For more information, see:
November 14, 2017: Alert (TA17-318A) HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
November 14, 2017: Alert (TA17-318B) HIDDEN COBRA – North Korean Trojan: Volgmer
August 23, 2017: Malware Analysis Report (MAR-10132963) – Analysis of Delta Charlie Attack Malware
June 13, 2017: Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
WASHINGTON—U.S. Customs and Border Protection announced today the expansion of Global Entry Enrollment on Arrival to 11 additional international airports. Enrollment on Arrival enables conditionally-approved Global Entry applicants to complete their interview, the final step of the Global Entry enrollment process, while clearing CBP processing. The program is currently available at nine new locations including Dallas/Fort Worth International Airport (DFW), Detroit Metropolitan Airport (DTW), Minneapolis-Saint Paul International Airport (MSP), Phoenix Sky Harbor International Airport (PHX), Salt Lake City International Airport (SLC), San Diego International Airport (SAN), Norman Y. Mineta San Jose International Airport (SJC), Seattle-Tacoma International Airport (SEA), and Toronto Pearson International Airport (YYZ), and will launch later this week at Denver International Airport (DEN) and Philadelphia International Airport (PHL).
“Global Entry continues to be one of CBP’s most successful and popular programs and we have made it a priority to improve the enrollment process for those looking to join the ranks of Trusted Traveler,” said Acting Commissioner Kevin McAleenan. “Last month, we launched a modernized, mobile-friendly application website making the initial step of the process more user friendly and now with these additional Enrollment on Arrival locations we have added greater flexibility for those looking to complete the enrollment process.”
Since the program’s launch in July, more than 5,200 conditionally-approved Global Entry applicants have completed the final step of the enrollment process at an Enrollment on Arrival location. Enrollment on Arrival is also available at George Bush Intercontinental Airport (IAH), William P. Hobby Airport (HOU), Austin-Bergstrom International Airport (AUS), San Francisco International Airport (SFO) and Vancouver International Airport (YVR).
Conditionally-approved applicants looking to utilize Enrollment on Arrival do not need to schedule an interview appointment ahead of time.
Once a traveler is conditionally-approved, instead of scheduling an interview at a Global Entry Enrollment Center, the traveler can complete the enrollment interview during CBP primary inspection at a participating airport. Upon arrival, travelers will be directed to a primary booth designated specifically for Enrollment on Arrival. A CBP officer will conduct both the primary processing and Global Entry interview and collect the traveler’s biometrics to complete the enrollment. The traveler will then be cleared for entry into the United States and, if approved, will be a Global Entry member.
Currently available at 54 U.S. airports and 15 Preclearance locations, Global Entry streamlines the international arrivals process at airports for trusted travelers. The more than 4.7 million Global Entry members bypass traditional CBP inspection lines and use an automated kiosk to complete their admission to the United States. As an added benefit, Global Entry members are also eligible to participate in the TSA Pre✓™ expedited screening program.
U.S. citizens, U.S nationals and U.S. Lawful Permanent Residents may apply for Global Entry as well as passport holders from Argentina, Colombia, Germany, India, Mexico, the Netherlands, Panama, the Republic of Korea, Singapore, Switzerland, Taiwan and the United Kingdom. Canadian citizens and residents enrolled in NEXUS may also use the Global Entry kiosks.
Interested travelers apply through the Trusted Traveler Programs website. The non-refundable application fee for a five-year Global Entry membership is $100 and applications must be submitted online. Once the applicant successfully passes a background check, a CBP officer will conduct an interview with the applicant at one of the more than 100 Global Entry Enrollment Centers located throughout the U.S., Canada, and Qatar or at an Enrollment on Arrival location and then make a final eligibility determination.
While the goal of Global Entry is to speed travelers through the process, members may be selected for further examination when entering the United States. Any violation of the program’s terms and conditions will result in appropriate enforcement action and may result in the revocation of the traveler’s membership privileges.
MIAMI — The crew of the Coast Guard Cutter Spencer offloaded approximately 10 tons of cocaine and 23 kilograms of heroin Tuesday in Port Everglades, worth an estimated $300 million wholesale, seized in international waters of the Eastern Pacific Ocean.
The drugs were interdicted off the coasts of Mexico and Central America by multiple U.S. Coast Guard cutters.
The offload represents 14 separate, suspected drug smuggling vessel interdictions by the Coast Guard:
The CGC Steadfast was responsible for one case, seizing an estimated 940 kilograms of cocaine
The CGC James was responsible for two cases, seizing an estimated 690 kilograms of cocaine
The CGC Alert was responsible for six cases, seizing an estimated 3,305 kilograms of cocaine and 23 kilograms of heroin
The CGC Aspen was responsible for one case, seizing an estimated 102 kilograms of cocaine
The CGC Vigorous was responsible for one case, seizing an estimated 1,150 kilograms of cocaine
The CGC Spencer was responsible for two cases, seizing an estimated 3,000 kilograms of cocaine
The CGC Thetis was responsible for one case, seizing an estimated 1,060 kilograms of cocaine
Numerous U.S. agencies from the Departments of Defense, Justice and Homeland Security are involved in the effort to combat transnational organized crime. The Coast Guard, Navy, Customs and Border Protection, FBI, Drug Enforcement Agency, and Immigration and Customs Enforcement along with allied and international partner agencies play a role in counter-drug operations. The fight against transnational organized crime networks in the Eastern Pacific requires unity of effort in all phases from detection, monitoring and interdictions, to prosecutions by U.S. Attorneys in California, on the East Coast, and in the Caribbean.
"This offload today is not just the result of one unit, but the combined efforts of multiple Coast Guard cutters, aircraft and support, as well as that of our partners and allied men and women who continue to work day and night to stop these criminal organizations from profiting off transnational crime and smuggling," said Cdr. John Mctamney, Commanding Officer Coast Guard Cutter Spencer. "While this offload represents approximately 10 tons of illicit drugs that will never hit our streets, it also represents a significant depletion to the cash flow to these criminal organizations."
The Coast Guard increased U.S. and allied presence in the Eastern Pacific Ocean and Caribbean Basin, which are known drug transit zones off of Central and South America, as part of its Western Hemisphere Strategy. During at-sea interdictions in international waters, a suspect vessel is initially located and tracked by allied, military or law enforcement personnel. The interdictions, including the actual boarding, are led and conducted by U.S. Coast Guardsmen. The law enforcement phase of counter-smuggling operations in the Eastern Pacific is conducted under the authority of the 11th Coast Guard District headquartered in Alameda, California.
The cutter Steadfast is a 210-foot medium-endurance cutter homeported in Astoria, Oregon. The cutter James is a 418-foot national security cutter homeported in Charleston, South Carolina. The cutter Alert is a 210-foot medium-endurance cutter homeported in Astoria, Oregon. The cutter Aspen is a 225-foot buoy tender homeported in San Francisco, California. The cutter Vigorous is a 210-foot medium-endurance cutter homeported in Virginia Beach, Virginia. The cutter Spencer is a 270-foot medium-endurance cutter homeported in Boston, Massachusetts. The cutter Thetis is a 270-foot medium-endurance cutter homeported in Key West, Florida.