DHS Announces First Winners, Awards $835,000 “Clean Power for Hours Challenge” in Celebration of Earth Day 2024

Source: US Department of Homeland Security

Competition Crowdsources, Engages Citizen Inventors Directly to Find Promising Clean Energy Storage Solutions

WASHINGTON – As the Biden-Harris Administration celebrates Earth Day, the Department of Homeland Security (DHS) announced the five winners of the Clean Power for Hours Challenge, awarding a total of $835,000 to recipients for their innovative clean energy solutions to keep essential services functioning during power outages. Developed by DHS’s Science and Technology Directorate (S&T) and Cybersecurity and Infrastructure Security Agency (CISA), the purpose of this Challenge, one in a series of DHS prize competitions, is to strengthen resilience to extreme weather events worsened by climate change and encourage the development of groundbreaking solutions for environmental hazards facing communities across the country.

Extreme weather has increased the frequency of power outages, with the average duration of electricity interruption exceeding five hours. Critical facilities that provide services and functions essential to a community during and after a disaster often rely solely on electricity for power. These include hospitals, water and wastewater treatment facilities, police and security services, and places of refuge. While critical facilities have backup generators onsite to supply electricity in the case of a grid failure, they typically rely on a finite supply of diesel fuel onsite. Affordable, easy-to-use, and environmentally friendly solutions supported by the Clean Power for Hours Challenge will improve energy reliability and enhance the resilience of National Critical Functions (NCF)—government and private-sector functions so vital that their disruption would debilitate security, the economy, public health, or safety.

“When disaster strikes, restoring electric power can quickly become a matter of life or death. It is required to keep utilities like water treatment plants running, emergency rooms operational, first responders in communication with each other, and much more,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The Clean Power for Hours Challenge empowers some of our most creative citizen innovators to help strengthen the resilience of our critical infrastructure and support communities in their moment of need – all while moving our country towards a clean energy future.”

“As S&T contributes to the global response to climate change, we recognize the winners of the Clean Power for Hours Challenge and the next-generation technologies they are developing,” said Dr. Dimitri Kusnezov, DHS Under Secretary for Science and Technology. “The Challenge winners offer ready-to-field energy storage solutions with the potential to advance the DHS mission to strengthen national climate resilience and address supply chain challenges in sourcing minerals and materials for energy technologies.”

“CISA is proud to support the Clean Power for Hours Challenge. By its very nature, climate resilience is infrastructure resilience,” said CISA Director Jen Easterly. “Ensuring that lifeline critical infrastructure facilities have sustainable, robust back-up power solutions is paramount to maintaining the resilience of our nation’s infrastructure. This Challenge not only promotes the adoption of innovative, environmentally friendly energy solutions, but it also reinforces the importance of protecting the essential services that underpin emergency response, public health, and national security. We look forward to seeing these solutions in action.”

The Clean Power for Hours Challenge builds on federal government-wide efforts to stimulate innovation and partnership and expand the American public’s participation in science. A panel of judges who are experts in climate change, resilience, and energy storage selected the winners using specific selection criteria and hypothetical use to identify solutions that can provide backup power to small-scale facilities or utility assets as a substitute for fossil fuel-powered generators.

The Challenge had two stages.  During Stage 1, DHS awarded nine finalists $15,000 each for a written or video submission describing how their solution meets the judging criteria. Those finalists progressed to Stage 2, where they conducted live demonstrations of their technology solutions at facilities or customer sites for judges to assess.

The Grand Prize winner awarded $400,000:

  • Urban Electric Power, Inc. (Pearl River, NY), for its Rechargeable Zinc-Manganese Dioxide Battery Energy Storage System. The technology uses the chemistry found in alkaline batteries to make a rechargeable battery system for stationary energy storage applications. This solution is easy to use and safer for critical infrastructure in most need of protection than lithium batteries and cleaner than fossil fuels.

The Runner-up awarded $200,000:

  •  Dr. Hari Dharan, Omnes Energy (Woodland, CA), for his Long Duration Power Delivery for Critical Infrastructure, a nonlithium technology that uses an electromagnetically suspended steel rotor (flywheel) coupled with a motor/generator.  The flywheel generates back-up power and is easy to run and fix during an emergency.

The “Innovator” Honorable Mention awarded $50,000:

  • The startup company ElectricFish (Fremont, CA) for its 350squared technology — a containerized battery storage device which operates as a microgrid for local critical loads, distributed energy resource for the grid, and electric vehicle fast charger.

Other Honorable Mentions awarded $25,000 each:

  • New Use Energy Solutions, Inc. (Phoenix, AZ) for the SunKit, an expandable battery+solar generator system.
  • ONYX POWER LLC (Long Beach, CA) for its rugged, mobile, modular nanogrid that can recharge from the grid or solar.

DHS, S&T, CISA, and their government partners will continue working with the winners and provide for future opportunities, including assistance meeting mentors, establishing connections to technology accelerators, and finding opportunities to speak at conferences with broader security audiences.

To stay up to date with DHS S&T and prize competitions, visit the DHS Prize Competitions website and follow DHS S&T on LinkedIn, Twitter, Facebook, and Instagram.

CISA Releases Physical Security Checklist to Help Election Officials Secure Polling Locations

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Physical Security Checklist for Polling Locations, a new tool designed to bolster security preparedness for the frontline of U.S. elections.

The checklist, part of CISA’s suite of election security resources, is tailored to empower election workers with actionable and accessible security measures for locations serving as temporary election facilities.

“Protecting against physical threats to election locations like polling places where Americans cast their vote is one of the most significant responsibilities election officials bear. CISA is committed to doing anything we can to support this mission,” said CISA Senior Advisor Cait Conley. “The people who run elections and those who volunteer to work at polling places are heroes, and CISA is proud to support them, including with critical threat awareness and planning tools such as this checklist. While no measure can eliminate all risk, these resources empower officials to understand, mitigate, and address security challenges proactively.”

The resource is designed for simplicity, requiring no prior security expertise for implementation. It covers pre-planning and Election Day procedures and is adaptable to individual facility needs and resources. Through a series of yes or no questions, election workers and volunteers can assess potential security threats and incidents, aiding in the establishment and improvement of physical security measures.

The Physical Security Checklist for Polling Locations is one of a collection of resources CISA has developed to support the physical security of election infrastructure.  The agency has Protective Security Advisors serving all 50 states, District of Columbia, and territories who support state and local election officials through sharing information, conducting physical security assessments of election facilities, and offering no-cost services and trainings on areas like de-escalation techniques, responding to active shooter situations, and other physical threat specific offerings to address the evolving threats facing election officials.

For more information, or to access the checklist, visit Physical Security Checklist for Polling Locations.

CISA Announces Winners of the 5th Annual President’s Cup Cybersecurity Competition

Source: US Department of Homeland Security

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) hosted the final round of the fifth annual President’s Cup Cybersecurity Competition this week and announced the winners today of the three competitions.

The President’s Cup is a national competition designed to recognize the top federal cybersecurity talent. Three separate competitions take place during each President’s Cup: two Individuals tracks – Track A, which focuses on defensive work roles and tasks from the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, and Track B, which focuses on offensive work roles and tasks – and a Teams competition comprised of defensive and offensive challenges. The first rounds of the competition began earlier this year in January.

This year’s winning team, known as Artificially Intelligent, was composed of members of the Department of Defense, U.S. Army, and the U.S. Air Force. Artificially Intelligent featured four members of last year’s winning teams, including one member who has been on every winning team since President’s Cup began five years ago. The winner of Individuals Track A was U.S. Army Major Nolan Miles, and the winner of the Individuals Track B was U.S. Marine Corps Staff Sergeant Michael Torres. SSG Torres also finished in second place of the Individuals Track A competition and is the first Individuals winner to repeat having won President’s Cup 3 Track A.

“This competition is an exciting way to highlight the talents of cybersecurity professionals throughout the U.S. government and military, and these competitors showcased the depth of talent we have in this important field,” said CISA Director Jen Easterly. “Congratulations to all the participants and winners – your prowess and passion are pivotal in shaping the cybersecurity landscape and protecting our nation.”

During the week, several leaders from CISA and the U.S. Army offered their perspectives and support for the competitors, recognizing the diverse talents and skills needed to participate, as well as the inspirational collaboration on display throughout the finals:

CISA hosted 36 competitors for the Finals over the week at CISA’s facilities in the Washington, DC area. Competitors came from across the federal government including the Federal Bureau of Investigation, Department of Transportation, Department of Defense, U.S. Army, U.S. Air Force, U.S. Navy and the U.S. Marine Corps.

The President’s Cup is open to the entire federal civilian workforce and members of the armed services. The fifth annual competition included more than 1,421 individuals and nearly 312 teams with diverse backgrounds and experiences. Learn more about the competition at CISA.gov/PresidentsCup.

The competition is held in partnership with the Office of the National Cyber Director and the winners will be invited to attend an awards ceremony at the White House in appreciation of their accomplishments.

#StopRansomware: Akira Ransomware

Source: US Department of Homeland Security

SUMMARY

Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.

Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension.  Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.

The FBI, CISA, EC3, and NCSC-NL encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.


TECHNICAL DETAILS

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

Initial Access

The FBI and cybersecurity researchers have observed Akira threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured[1], mostly using known Cisco vulnerabilities [T1190] CVE-2020-3259 and CVE-2023-20269.[2],[3],[4] Additional methods of initial access include the use of external-facing services such as Remote Desktop Protocol (RDP) [T1133], spear phishing [T1566.001][T1566.002], and the abuse of valid credentials [T1078].[4]

Persistence and Discovery

Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts [T1136.002] to establish persistence. In some instances, the FBI identified Akira threat actors creating an administrative account named itadm.

According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting[5], to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS) [T1003.001].[6] Akira threat actors also use credential scraping tools [T1003] like Mimikatz and LaZagne to aid in privilege escalation. Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes [T1016] and net Windows commands are used to identify domain controllers [T1018] and gather information on domain trust relationships [T1482].

See Table 1 for a descriptive listing of these tools.

Defense Evasion

Based on trusted third party investigations, Akira threat actors have been observed deploying two distinct ransomware variants against different system architectures within the same compromise event. This marks a shift from recently reported Akira ransomware activity. Akira threat actors were first observed deploying the Windows-specific “Megazord” ransomware, with further analysis revealing that a second payload was concurrently deployed in this attack (which was later identified as a novel variant of the Akira ESXi encryptor, “Akira_v2”).

As Akira threat actors prepare for lateral movement, they commonly disable security software to avoid detection. Cybersecurity researchers have observed Akira threat actors using PowerTool to exploit the Zemana AntiMalware driver[4] and terminate antivirus-related processes [T1562.001].

Exfiltration and Impact

Akira threat actors leverage tools such as FileZilla, WinRAR [T1560.001], WinSCP, and RClone to exfiltrate data [T1048]. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega [T1537] to connect to exfiltration servers.

Akira threat actors use a double-extortion model [T1657] and encrypt systems [T1486] after exfiltrating data. The Akira ransom note provides each company with a unique code and instructions to contact the threat actors via a .onion URL. Akira threat actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. Ransom payments are paid in Bitcoin to cryptocurrency wallet addresses provided by the threat actors. To further apply pressure, Akira threat actors threaten to publish exfiltrated data on the Tor network, and in some instances have called victimized companies, according to FBI reporting.

Encryption

Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange [T1486]. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption. Encrypted files are appended with either a .akira or .powerranges extension. To further inhibit system recovery, Akira’s encryptor (w.exe) utilizes PowerShell commands to delete volume shadow copies (VSS) on Windows systems [T1490]. Additionally, a ransom note named fn.txt appears in both the root directory (C:\) and each user’s home directory (C:\Users).

Trusted third party analysis identified that the Akira_v2 encryptor is an upgrade from its previous version, which includes additional functionalities due to the language it’s written in (Rust). Previous versions of the encryptor provided options to insert arguments at runtime, including:

  • -p --encryption_path (targeted file/folder paths)
  • -s --share_file (targeted network drive path)
  • -n --encryption_percent (percentage of encryption)
  • --fork (create a child process for encryption)

The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. The new version also adds a layer of protection, utilizing the Build ID as a run condition to hinder dynamic analysis. The encryptor is unable to execute successfully without the unique Build ID. The ability to deploy against only virtual machines using “vmonly” and the ability to stop running virtual machines with “stopvm” functionalities have also been observed implemented for Akira_v2. After encryption, the Linux ESXi variant may include the file extension “akiranew” or add a ransom note named “akiranew.txt” in directories where files were encrypted with the new nomenclature.

Leveraged Tools

Table 1 lists publicly available tools and applications Akira threat actors have used, including legitimate tools repurposed for their operations. Use of these tools and applications should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Table 1: Tools Leveraged by Akira Ransomware Actors
Name | Description
AdFind | AdFind.exe is used to query and retrieve information from Active Directory.
Advanced IP Scanner | A network scanner is used to locate all the computers on a network and conduct a scan of their ports. The program shows all network devices, gives access to shared folders, and provides remote control of computers (via RDP and Radmin).
AnyDesk | A common software that can be maliciously used by threat actors to obtain remote access and maintain persistence [T1219]. AnyDesk also supports remote file transfer.
LaZagne | Allows users to recover stored passwords on Windows, Linux, and OSX systems.
PCHunter64 | A tool used to acquire detailed process and system information [T1082].[7]
PowerShell | A cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
Mimikatz | Allows users to view and save authentication credentials such as Kerberos tickets.
Ngrok | A reverse proxy tool [T1090] used to create a secure tunnel to servers behind firewalls or local machines without a public IP address.
RClone | A command line program used to sync files with cloud storage services [T1567.002] such as Mega.
SoftPerfect | A network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. It also scans for remote services, registry, files, and performance counters.
WinRAR | Used to split compromised data into segments and to compress [T1560.001] files into .RAR format for exfiltration.
WinSCP | Windows Secure Copy is a free and open source SSH File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Akira threat actors have used it to transfer data [T1048] from a compromised network to actor-controlled accounts.

Indicators of Compromise

Disclaimer: Investigation or vetting of these indicators is recommended prior to taking action, such as blocking.

Table 2a: Malicious Files Affiliated with Akira Ransomware
File Name Hash (SHA-256) Description
w.exe d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca Akira ransomware
Win.exe dcfa2800754e5722acf94987bb03e814edcb9acebda37df6da1987bf48e5b05e Akira ransomware encryptor
AnyDesk.exe bc747e3bf7b6e02c09f3d18bdd0e64eef62b940b2f16c9c72e647eec85cf0138 Remote desktop application
Gcapi.dll 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf DLL file that assists with the execution of AnyDesk.exe
Sysmon.exe 1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386 Ngrok tool for persistence
Config.yml Varies by use Ngrok configuration file
Rclone.exe aaa647327ba5b855bedea8e889b3fafdc05a6ca75d1cfd98869432006d6fecc9 Exfiltration tool
Winscp.rnd 7d6959bb7a9482e1caa83b16ee01103d982d47c70c72fdd03708e2b7f4c552c4 Network file transfer program
WinSCP-6.1.2-Setup.exe 36cc31f0ab65b745f25c7e785df9e72d1c8919d35a1d7bd4ce8050c8c068b13c Network file transfer program
Akira_v2 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75, 0ee1d284ed663073872012c7bde7fac5ca1121403f1a5d2d5411317df282796c Akira_v2 ransomware
Megazord
Akira “Megazord” ransomware
VeeamHax.exe aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d Plaintext credential leaking tool
Veeam-Get-Creds.ps1 18051333e658c4816ff3576a2e9d97fe2a1196ac0ea5ed9ba386c46defafdb88 PowerShell script for obtaining and decrypting accounts from Veeam servers
PowershellKerberos TicketDumper 5e1e3bf6999126ae4aa52146280fdb913912632e8bac4f54e98c58821a307d32 Kerberos ticket dumping tool from LSA cache
sshd.exe 8317ff6416af8ab6eb35df3529689671a700fdb61a5e6436f4d6ea8ee002d694 OpenSSH Backdoor
ipscan-3.9.1-setup.exe 892405573aa34dfc49b37e4c35b655543e88ec1c5e8ffb27ab8d1bbf90fc6ae0 Network scanner that scans IP addresses and ports
Table 2b: Malicious Files Affiliated with Akira Ransomware
File Name Hash (MD5) Description
winrar-x64-623.exe 7a647af3c112ad805296a22b2a276e7c Network file transfer program

Table 3a: Commands Affiliated with Akira Ransomware
Persistence and Discovery
nltest /dclist: [T1018]
nltest /DOMAIN_TRUSTS [T1482]
net group "Domain admins" /dom [T1069.002]
net localgroup "Administrators" /dom [T1069.001]
tasklist [T1057]
rundll32.exe c:\Windows\System32\comsvcs.dll, MiniDump ((Get-Process lsass).Id) C:\windows\temp\lsass.dmp full [T1003.001]

Table 3b: Commands Affiliated with Akira Ransomware
Credential Access
cmd.exe /Q /c esentutl.exe /y "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default-release\key4.db" /d "C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default-release\key4.db.tmp"
Note: Used for accessing Firefox data.

Table 3c: Commands Affiliated with Akira Ransomware
Impact
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" [T1490]
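
The commands in Tables 3a to 3c can be matched against process-creation telemetry. The following is an added example, not part of the advisory: it tags command lines with the ATT&CK IDs from the tables and scores each host so that common discovery commands only raise an alert in combination. The log format (tab-separated time, host, command line), host names, weights and threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# (rule name, ATT&CK ID as given in Tables 3a-3c, weight, pattern).
# Weights are an assumption of this example: discovery commands are common in
# normal administration, so on their own they stay below the alert threshold.
RULES = [
    ("dc_list", "T1018", 2, r'\bnltest(?:\.exe)?\s.*?/dclist'),
    ("domain_trusts", "T1482", 2, r'\bnltest(?:\.exe)?\s.*?/domain_trusts'),
    ("domain_admins_group", "T1069.002", 2,
     r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/dom'),
    ("local_admins_group", "T1069.001", 1,
     r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?'),
    ("tasklist", "T1057", 1, r'\btasklist(?:\.exe)?\b'),
    ("lsass_minidump", "T1003.001", 5,
     r'\bcomsvcs(?:\.dll)?\s*,?\s*minidump\b'),
    # Table 3b gives no technique ID, so the table's heading is used instead.
    ("firefox_key4_copy", "Credential Access (Table 3b)", 5,
     r'\besentutl(?:\.exe)?\s.*?/y\s.*?key4\.db'),
    ("shadow_copy_delete", "T1490", 5,
     r'\bwin32_shadowcopy\b.*?\bremove-wmiobject\b'),
]
# Case-insensitive: Windows command lines are not case sensitive.
COMPILED = [(n, t, w, re.compile(p, re.IGNORECASE)) for n, t, w, p in RULES]
ALERT_THRESHOLD = 4  # assumption: one high-weight rule or several discovery rules

# Constructed sample events (time, host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-04-18T09:12:01", "WS-014", r'nltest /dclist:corp.example'),
    ("2024-04-18T09:12:40", "WS-014", r'NET  GROUP "Domain Admins" /domain'),
    ("2024-04-18T09:15:22", "WS-014",
     r'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\windows\temp\lsass.dmp full'),
    ("2024-04-18T09:20:03", "FS-002",
     r'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    ("2024-04-18T09:21:10", "FS-002", r'net group "Backup Operators" /dom'),
    ("2024-04-18T09:25:47", "WS-031",
     r'cmd.exe /Q /c esentutl.exe /y "C:\Users\u1\AppData\Roaming\Mozilla\Firefox\Profiles\p1.default-release\key4.db" /d "C:\Temp\key4.db.tmp"'),
    ("2024-04-18T09:30:00", "WS-020", r'tasklist /svc'),
    ("2024-04-18T09:31:00", "WS-020", r'tasklist'),
]
SAMPLE_LOG = "\n".join("\t".join(event) for event in SAMPLE_EVENTS)


def detect(log_text):
    """Return one hit per (log line, matching rule)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t", 2)
        if len(fields) != 3:
            continue  # skip malformed lines instead of failing the whole run
        timestamp, host, cmdline = fields
        for name, technique, weight, pattern in COMPILED:
            if pattern.search(cmdline):
                hits.append({"time": timestamp, "host": host, "rule": name,
                             "technique": technique, "weight": weight,
                             "cmdline": cmdline})
    return hits


def score_hosts(hits):
    """Sum rule weights per host, counting each rule once per host."""
    seen = defaultdict(dict)  # host -> {rule name: (technique, weight)}
    for hit in hits:
        seen[hit["host"]][hit["rule"]] = (hit["technique"], hit["weight"])
    return {
        host: {
            "score": sum(weight for _, weight in rules.values()),
            "techniques": sorted({tech for tech, _ in rules.values()}),
        }
        for host, rules in seen.items()
    }


def hosts_to_triage(log_text, threshold=ALERT_THRESHOLD):
    """Hosts whose combined score reaches the threshold, sorted by name."""
    scores = score_hosts(detect(log_text))
    return sorted(h for h, s in scores.items() if s["score"] >= threshold)


if __name__ == "__main__":
    for host, result in sorted(score_hosts(detect(SAMPLE_LOG)).items()):
        print(host, result["score"], ", ".join(result["techniques"]))
    print("triage:", hosts_to_triage(SAMPLE_LOG))
```
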

MITRE ATT&CK TACTICS AND TECHNIQUES

See Tables 4-12 for all referenced Akira threat actor tactics and techniques for enterprise environments in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 4: Initial Access
Technique Title | ID | Use
Valid Accounts | T1078 | Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit Public Facing Application | T1190 | Akira threat actors exploit vulnerabilities in internet-facing systems to gain access to systems.
External Remote Services | T1133 | Akira threat actors have used remote access services, such as RDP/VPN connection to gain initial access.
Phishing: Spearphishing Attachment | T1566.001 | Akira threat actors use phishing emails with malicious attachments to gain access to networks.
Phishing: Spearphishing Link | T1566.002 | Akira threat actors use phishing emails with malicious links to gain access to networks.

Table 5: Credential Access
Technique Title | ID | Use
OS Credential Dumping | T1003 | Akira threat actors use tools like Mimikatz and LaZagne to dump credentials.
OS Credential Dumping: LSASS Memory | T1003.001 | Akira threat actors attempt to access credential material stored in the process memory of the LSASS.

Table 6: Discovery
Technique Title | ID | Use
System Network Configuration Discovery | T1016 | Akira threat actors use tools to scan systems and identify services running on remote hosts and local network infrastructure.
System Information Discovery | T1082 | Akira threat actors use tools like PCHunter64 to acquire detailed process and system information.
Domain Trust Discovery | T1482 | Akira threat actors use the net Windows command to enumerate domain information.
Process Discovery | T1057 | Akira threat actors use the Tasklist utility to obtain details on running processes via PowerShell.
Permission Groups Discovery: Local Groups | T1069.001 | Akira threat actors use the net localgroup /dom to find local system groups and permission settings.
Permission Groups Discovery: Domain Groups | T1069.002 | Akira threat actors use the net group /domain command to attempt to find domain level groups and permission settings.
Remote System Discovery | T1018 | Akira threat actors use nltest /dclist to amass a listing of other systems by IP address, hostname, or other logical identifiers on a network.

Table 7: Persistence
Technique Title | ID | Use
Create Account: Domain Account | T1136.002 | Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts to establish persistence.

Table 8: Defense Evasion
Technique Title | ID | Use
Impair Defenses: Disable or Modify Tools | T1562.001 | Akira threat actors use BYOVD attacks to disable antivirus software.

Table 9: Command and Control
Technique Title | ID | Use
Remote Access Software | T1219 | Akira threat actors use legitimate desktop support software like AnyDesk to obtain remote access to victim systems.
Proxy | T1090 | Akira threat actors utilized Ngrok to create a secure tunnel to servers that aided in exfiltration of data.

Table 10: Collection
Technique Title | ID | Use
Archive Collected Data: Archive via Utility | T1560.001 | Akira threat actors use tools like WinRAR to compress files.

Table 11: Exfiltration
Technique Title | ID | Use
Exfiltration Over Alternative Protocol | T1048 | Akira threat actors use file transfer tools like WinSCP to transfer data.
Transfer Data to Cloud Account | T1537 | Akira threat actors use tools like CloudZilla to exfiltrate data to a cloud account and connect to exfil servers they control.
Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Akira threat actors leveraged RClone to sync files with cloud storage services to exfiltrate data.

Table 12: Impact
Technique Title | ID | Use
Data Encrypted for Impact | T1486 | Akira threat actors encrypt data on target systems to interrupt availability to system and network resources.
Inhibit System Recovery | T1490 | Akira threat actors delete volume shadow copies on Windows systems.
Financial Theft | T1657 | Akira threat actors use a double-extortion model for financial gain.

MITIGATIONS

Network Defenders

The FBI, CISA, EC3, and NCSC-NL recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the risk of compromise by Akira ransomware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, 2.R, 2.S].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems. [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  • Disable unused ports [CPG 2.V].
  • Consider adding an email banner to emails received from outside of your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N].
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure that its operations will not be severely interrupted and that it is not left with only irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].
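
One way to act on the two account-review mitigations above (new or unrecognized accounts, and accounts with administrative privileges), as an added example that is not part of the advisory: it reads exported Windows Security events for account creation (4720) and security-group membership additions (4728, 4732, 4756) and compares them with an approved inventory. The JSON-lines export layout, the inventory, the privileged-group list, and every sample event are constructed assumptions.

```python
import json
import re

# Windows Security event IDs: 4720 = user account created; 4728/4732/4756 = member
# added to a security-enabled global/local/universal group.
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}

# Assumptions: the approved-account inventory and the groups treated as privileged.
APPROVED_ACCOUNTS = {"administrator", "jsmith", "svc_backup"}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}

# Constructed sample export (hypothetical layout: one JSON object per line, not in
# time order; the last line is truncated on purpose).
SAMPLE_EVENTS = """
{"EventID": 4728, "TimeCreated": "2024-05-02T02:12:40Z", "Computer": "DC01", "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins", "MemberName": "CN=helpdesk2,CN=Users,DC=example,DC=local"}
{"EventID": 4720, "TimeCreated": "2024-05-02T02:11:07Z", "Computer": "DC01", "SubjectUserName": "jsmith", "TargetUserName": "helpdesk2"}
{"EventID": 4732, "TimeCreated": "2024-05-02T03:05:12Z", "Computer": "FS02", "SubjectUserName": "jsmith", "TargetUserName": "Administrators", "MemberName": "-", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1602"}
{"EventID": 4720, "TimeCreated": "2024-05-02T09:30:00Z", "Computer": "DC01", "SubjectUserName": "administrator", "TargetUserName": "svc_backup"}
{"EventID": "4756", "TimeCreated": "2024-05-02T10:00:00Z", "Computer": "DC01", "SubjectUserName": "administrator", "TargetUserName": "Enterprise Admins", "MemberName": "CN=jsmith,CN=Users,DC=example,DC=local"}
{"EventID": 4624, "TimeCreated": "2024-05-02T10:01:00Z", "Computer": "DC01", "TargetUserName": "jsmith"}
{"EventID": 4720, "TimeCreated": "2024-05-02T11:
"""


def parse_events(text):
    """Return (events, skipped): parsed records and a count of unparseable lines."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            event["EventID"] = int(event["EventID"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # surfaced to the reviewer: a truncated export can hide events
            continue
        events.append(event)
    return events, skipped


def member_account(event):
    """Account name from MemberName (a distinguished name); MemberSid when it is '-'."""
    # Caveat: the CN can differ from the logon name; resolve MemberSid where they differ.
    dn = event.get("MemberName") or "-"
    match = re.match(r"CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    if match:
        return re.sub(r"\\(.)", r"\1", match.group(1))  # undo DN escaping such as '\,'
    return event.get("MemberSid") or dn


def review_accounts(text, approved=APPROVED_ACCOUNTS, privileged=PRIVILEGED_GROUPS):
    """Return (findings, skipped) for account creations and privileged-group additions."""
    events, skipped = parse_events(text)
    created, findings = set(), []

    def report(event, kind, account, group=None):
        findings.append({"time": event.get("TimeCreated"), "host": event.get("Computer"),
                         "kind": kind, "account": account, "group": group,
                         "actor": event.get("SubjectUserName")})

    # Process in time order so a creation is seen before the group change that follows it.
    for event in sorted(events, key=lambda e: str(e.get("TimeCreated", ""))):
        target = str(event.get("TargetUserName", ""))
        if event["EventID"] == ACCOUNT_CREATED:
            created.add(target.lower())
            if target.lower() not in approved:
                report(event, "unrecognized_account_created", target)
        elif event["EventID"] in GROUP_MEMBER_ADDED and target.lower() in privileged:
            member = member_account(event)
            if member.lower() in created:
                kind = "new_account_made_privileged"  # created and elevated in one window
            elif member.lower() not in approved:
                kind = "unrecognized_privileged_member"
            else:
                kind = "privileged_group_change"  # approved account, still worth a look
            report(event, kind, member, target)
    return findings, skipped


if __name__ == "__main__":
    results, skipped_lines = review_accounts(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['time']} {f['host']} {f['kind']} account={f['account']} "
              f"group={f['group']} by={f['actor']}")
    print(f"unparseable lines: {skipped_lines}")
```

A non-zero count of unparseable lines means the export is incomplete and the review should be repeated on a clean export before the result is trusted.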

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, the FBI, CISA, EC3, and NCSC-NL recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, EC3 and NCSC-NL recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Tables 4-12).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

REFERENCES

  1. Fortinet: Ransomware Roundup – Akira
  2. Cisco: Akira Ransomware Targeting VPNs without MFA
  3. Truesec: Indications of Akira Ransomware Group Actively Exploiting Cisco AnyConnect CVE-2020-3259
  4. TrendMicro: Akira Ransomware Spotlight
  5. CrowdStrike: What is a Kerberoasting Attack?
  6. Sophos: Akira, again: The ransomware that keeps on taking
  7. Sophos: Akira Ransomware is “bringin’ 1988 back”

REPORTING

Your organization has no obligation to respond or provide information back to the FBI in response to this joint CSA. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Akira threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.

The FBI, CISA, EC3, and NCSC-NL do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov or (888) 282-0870).

DISCLAIMER

The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, EC3, and NCSC-NL do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI or CISA.

ACKNOWLEDGEMENTS

Cisco and Sophos contributed to this advisory.

VERSION HISTORY

April 18, 2024: Initial version.

CISA, FBI, and ODNI Release Guidance for Securing Election Infrastructure Against the Tactics of Foreign Malign Influence Operations

Source: US Department of Homeland Security

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) released Securing Election Infrastructure Against the Tactics of Foreign Malign Influence Operations, a guidance document that details the latest tactics employed in foreign malign influence operations to shape U.S. policies, decisions, and discourse and could be used to target America’s election infrastructure.

The product discusses popular tactics used in foreign malign influence operations, provides recent examples, and recommends potential mitigations for election infrastructure stakeholders. While many of these tactics are not new, recent advances in generative artificial intelligence (AI) technology have made it much easier and cheaper to generate and spread convincing foreign malign influence content.

“The elections process is the golden thread of American democracy, which is why our foreign adversaries deliberately target our elections infrastructure with their influence operations. Defending our democratic process is the responsibility of all of us,” said CISA Senior Advisor Cait Conley. “CISA is committed to doing its part to ensure these officials – and the American public – don’t have to fight this battle alone. We will continue to work with the election community to ensure they have the tools and information they need to run safe and secure elections in 2024 and beyond.”

“The FBI and its partners work diligently every day to disrupt foreign malign influence operations targeting our democratic institutions,” said Acting Assistant Director Joseph Rothrock of the FBI’s Counterintelligence Division. “We are putting out this guide because our strategy in combatting this threat starts with awareness and collaboration. We will continue to relentlessly pursue bad actors looking to disrupt our election infrastructure.”

“Foreign actors continue to pursue efforts aimed at sowing discord among the American people, with the ultimate goal of eroding confidence in our democratic institutions,” said ODNI Foreign Malign Influence Center Director Jessica Brandt. “The normalization of influence activities, combined with the rise of new technologies, increasingly presents a whole-of-society challenge for the Intelligence Community to address alongside the broader U.S. Government, industry, and civil society.”

View the Securing Election Infrastructure Against the Tactics of Foreign Malign Influence Operations guide.

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on Twitter, Facebook, LinkedIn, Instagram.

DHS Launches Know2Protect™ Public Awareness Campaign to Combat Online Child Exploitation and Abuse With Many Public and Private Sector Partners

Source: US Department of Homeland Security

There Were Over 36 Million Reports of Suspected Child Sexual Exploitation in 2023, More Than Twice the Number Reported in 2019

Department’s New Know2Protect.Gov Campaign to Provide Young People, Parents, Community Leaders, and Educators with Resources to Better Prevent and Educate Themselves on These Crimes

WASHINGTON, D.C. – Today, the Department of Homeland Security (DHS) announced Know2Protect, Together We Can Stop Online Child Exploitation™, a first-of-its-kind national public awareness campaign that brings together public and private sector partners. Key partners include high-profile technology companies, national and international sports leagues, youth-serving organizations and nonprofits, and other private sector partners to raise awareness of this heinous and growing crime and how to keep children safe. Through Know2Protect, DHS and its partners will educate and empower young people, parents, and trusted adults on ways to prevent and combat exploitation and abuse both on and offline, explain how to report incidents of these crimes, and offer support resources for victims and survivors of online child sexual exploitation and abuse.

Online child exploitation and abuse is reaching epidemic proportions and threatens the safety of children globally. In 2023, the National Center for Missing and Exploited Children (NCMEC) received more than 36 million CyberTipline® reports of suspected online child sexual exploitation and abuse (CSEA), a 360% increase over the number of reports received 10 years ago. According to the 2023 WeProtect Global Threat Assessment, the volume of child sexual abuse material has increased globally by 87% over the past five years.

“All of us, working together, must protect our children from the heinous and growing crime of online child sexual exploitation and abuse. The tragic reality is that, as young people spend more time online, predators around the world increasingly target them through manipulation and deceit,” said Secretary of Homeland Security Alejandro N. Mayorkas. “Know2Protect is a first-of-its-kind national initiative to raise public awareness and prevent these horrific crimes from happening in the first place. Public-private partnerships and targeted trainings are essential to raising awareness and educating the public; identifying, protecting, and supporting victims; and bringing perpetrators to justice. By partnering with national sports leagues, youth-serving organizations, and gaming, technology, and other private sector organizations, Know2Protect will help educate the public, save lives, and prevent tragedies.”

Know2Protect is the first federal government campaign focused on education and prevention of online CSEA. The campaign’s mission is to mobilize young people, parents, educators, and community leaders to learn the signs of this crime, what they can do to prevent it, how to report it to law enforcement, and how they can support survivors. The Know2Protect.gov website, launching today, is being advertised in 25 media markets and online through digital and physical billboards, posters, as well as displays across the country. The campaign will reach millions of Americans where they are and will disseminate resources to educate the public about this crime — including a portal specifically for kids ages 10 and older — and empower them with resources and tools for people to protect themselves and others against online CSEA.

To reflect the importance of a unified commitment to combat the dramatic and alarming increase of online child sexual exploitation and abuse, today DHS is announcing partners from across society – from social media and technology companies to sporting leagues and youth-serving organizations – that have already joined Know2Protect in its important mission. More partners will join the campaign in the coming months.  

“The best way to keep kids safe online is to provide helpful information where they are: on social media and online gaming platforms, and through clubs, sporting events, and organizations. By partnering with a range of companies to raise awareness and disseminate educational messaging, we are keeping kids safe from online predators,” said Know2Protect Campaign Director Kate Kennedy. “We are grateful for all of our partners who share a commitment to combat online child sexual exploitation and abuse and keep children safe as a result.”

The National Center for Missing & Exploited Children (NCMEC) has been working with the Department on the development of Know2Protect assets and concepts since its inception. NCMEC subject matter experts and its survivor network reviewed campaign materials to ensure they were appropriate and educational for all audiences.  

“Online Child Sexual Exploitation and Abuse is a growing global concern, and NCMEC is at the forefront of addressing it. The exponential rise in CSEA within the past year underscores the urgency of our mission,” said NCMEC Chief Operating Officer Derrick Driscoll. “NCMEC applauds any initiative or governmental effort aimed at raising awareness about this crime. The Know2Protect campaign helps to do just that. Collaborating globally is crucial to prevent these crimes from happening and families and children should know they are not alone in this fight.”

TECHNOLOGY PARTNERS

Google LLC is donating ad credits for Google display, YouTube, and Google Search, which will bolster the reach of the campaign in order to educate as many young people, parents, educators, and community leaders as possible on the signs of child exploitation and abuse and how to keep yourself and others safe both on and offline.

“We are proud to donate Search and YouTube ads to support the DHS’ campaign raising awareness on the issue of child sexual abuse and exploitation online, including sextortion,” said Google.org Senior Director Annie Lewin. “Through our broader child safety work, we know how impactful it can be to provide young people and parents with information and tools on how to report these crimes and find resources. By donating ads, we hope to help the DHS reach a wider audience and further educate the public on this timely and urgent issue.”

Intel Corporation is inviting Know2Protect staff to deliver awareness trainings to their staff yearly.

“Intel is proud to support the Know2Protect campaign through education of our employee base to amplify awareness and enable parents and their families to stay safe online,” said Intel Corporate Board Member of NCMEC and Intel Chief Product Sustainability Officer Jen Huffstetler.

Meta Platforms, Inc. will support the DHS to promote the Know2Protect campaign on Facebook and Instagram, raise awareness about these crimes and how to recognize them, and direct people to information and resources that can support them.

“Child exploitation is horrific. We work aggressively to fight the criminals behind it, from the new tools we announced just last week to protect teens from financial sextortion, to supporting law enforcement in investigating and prosecuting offenders,” said Meta’s Global Head of Safety Antigone Davis. “We’re pleased to support the Department of Homeland Security in its campaign, which will raise awareness of these crimes, help parents and teens spot potential risks, and direct them to support.”

Roblox Corporation will display in-game billboard advertisements for users of its online platform. These advertisements will share helpful tips for gamers on internet safety and best practices. In the future, Roblox will work with Know2Protect to develop in-game immersive experiences, such as building characters from the campaign’s iGuardian training program and Know2Protect badges for Roblox users.

“Roblox is built on a foundation of safety and civility, and we are proud to support the Know2Protect campaign,” said Roblox Vice President of Civility Tami Bhaumik. “By educating and empowering people with the knowledge and tools to prevent harm, collectively, we will be in a stronger position to prevent abuse from happening. Sometimes these are difficult issues to talk about, which makes resources and tools all the more important. We are honored to be part of the solution to amplify this important campaign.”

Snap Inc., Know2Protect’s first official partner, is providing Know2Protect in-platform ad credits on its Snapchat platform and conducting research to gauge Snapchatters’ awareness and familiarity with a variety of sexual-related online risks. In the United States, more than 100 million people use Snapchat to communicate with their friends and family, including more than 20 million teenagers. In addition, Snap will promote the Know2Protect website on its dedicated online Privacy and Safety and Parents Hubs. 

“These horrific crimes can’t be ignored – they need to be discussed in the halls of government, at boardroom tables and at kitchen tables. Young people need to be attuned to online sexual risks, and adults need to understand the issues so they can help young people in crisis,” said Snap Inc Global Head of Platform Safety Jacqueline Beauchere. “That’s why Snap is honored to be a founding partner of Know2Protect, and to help share educational resources with the millions of teens who use our app daily to communicate.”

NATIONAL AND INTERNATIONAL SPORTING LEAGUE PARTNERS

Major League Baseball (MLB), through their MLB Together CSR platform, will display Know2Protect physical advertisement collateral, such as posters, at the host venue for 2024 MLB All-Star Week in July, and also list Know2Protect on MLBTogether.com as a trusted youth safety resource for players and families to access.

“MLB is proud to join the Know2Protect awareness campaign to address this important issue affecting far too many families in our world,” said Major League Baseball Vice President of Social Responsibility April Brown. “Our Midsummer Classic provides an outstanding platform, through our MLB Together initiative, to share this critical information with families across the country.”

Major League Soccer (MLS) will highlight the campaign during the July 24, 2024 MLS All-Star Game presented by Target.

“The mission of Know2Protect to keep children safe from online exploitation is vitally important at this time, and Major League Soccer considers it an honor to work with the Department of Homeland Security, Secretary Mayorkas, and the NCMEC on this global campaign,” said MLS Commissioner Don Garber. “We are dedicated to using the platforms of our league and 30 clubs to share the resources and guidance of Know2Protect, and to do everything in our power to assist in the fight against the abhorrent crime of child exploitation.”

NASCAR will display Know2Protect promotional assets and materials during races around the country.

“NASCAR is proud to partner with the U.S. Department of Homeland Security to help raise awareness of its important Know2Protect initiative,” said NASCAR President Steve Phelps. “The DHS has been a strong partner to NASCAR over the years, and we’re honored to have been asked to take part in this vital program that protects children throughout this great country.”

The National Football League (NFL) will work to amplify the Know2Protect campaign by raising awareness among clubs and players, and running Know2Protect public service announcements on various platforms, including NFL Media.

“Keeping our children safe is something we can all agree on, and the NFL is proud to support DHS’ efforts to stop online abuse and exploitation,” said NFL Senior Vice President and Chief Security Officer Cathy Lanier. “We commit to using the league’s platform to raise awareness about this real and growing threat, and to highlight a national campaign to protect young people from predators and other bad actors.”

The National Hockey League (NHL) will display advertisements and host in-person events at its games, while also amplifying campaign messaging on its network and among its various social media platforms.

“The National Hockey League is proud to support this vital initiative and contribute to the protection of our nation’s youth and most vulnerable,” said NHL Senior Executive Vice President and Chief Security Officer Jared Maples.

The United States Olympic & Paralympic Committee (USOPC) will work with Know2Protect to provide virtual presentations to Team USA athletes and parents on the threat of online CSEA and the preventative strategies they can implement to keep all Team USA Athletes safe. 

“Keeping Team USA athletes safe where they live, train and compete is the USOPC’s top priority. As part of that effort, educating athletes and their support communities is an essential step in prevention,” said USOPC Senior Vice President and Chief of Security & Athlete Services Nicole Deal. “We are happy to partner with Know2Protect as an important part of our holistic commitment to creating safe environments and providing more resources for Team USA athletes.”

YOUTH-SERVING ORGANIZATIONS

Boy Scouts of America (BSA) will collaborate with Know2Protect to promote knowledge sharing and empowerment for youth and parents. The BSA will also facilitate Project iGuardian presentations for Scouts and parents and explore developing a co-branded BSA patch in recognition of taking an in-person Project iGuardian training at the local or national level.

“Safeguarding our Scouts so that we can prevent harm will always be our most important mission, and that includes their online safety,” said Boy Scouts of America President and CEO Roger Krone. “Through this collaboration with DHS, Scouting will make the Know2Protect resources available to empower more than a million youth members and adult volunteers, further enhancing our education and training initiatives to help ensure that our Scouts, leaders, and their families remain safe from online dangers.”

National Police Athletic League (National PAL) will host Know2Protect representatives to train its members across the nation at both the National PAL Conference and Youth Mentoring Summit. National PAL will also amplify campaign resources in its webpage and on social media platforms monthly.  National PAL is committed to protecting the youth at all costs and greatly supports this effort put forth by the Department of Homeland Security.

“National PAL is extremely excited and honored to partner with the Department of Homeland Security on the Know2Protect campaign. Know2Protect provides another tool for youth, parents, educators, coaches etc. to keep our youth safe from online predators,” said National PAL Board President Christopher Hill. “Today, National PAL will be rolling out the K2P campaign to all of our member chapters immediately to ensure that we are further prepared to protect our youth at all levels! We will make sure our youth are aware that no matter the threat, the iGuardians are there to support and protect them!”

LAW ENFORCEMENT ASSOCIATIONS

Law enforcement officials across the country are joining the campaign, including the National Fusion Center Association, International Association of Campus Law Enforcement Administrators, and Small & Rural Law Enforcement Executives Association. These law enforcement associations have committed to partnering with the campaign to share information and resources with their members and the communities that they serve; amplify the tools through their communication platforms and channels; and amongst other activities, collaborate with the Department moving forward to further develop training programs for state, local, tribal, territorial, and campus law enforcement across the country.

“The National Fusion Center Association (NFCA) is proud to be a partner with the Know2Protect Campaign. Our National Network of 80 State and Major Urban Area Fusion Centers, was built on the foundation of helping to protect America through threat detection, criminal intelligence analysis, and information sharing,” said NFCA President Mike Sena. “We are honored to be working with the Know2Protect Campaign in its effort to empower children, teens, parents, trusted adults, and policymakers to prevent and combat online child sexual exploitation and abuse.”

“Our children are one of the most vulnerable members of our society. We must do all we can to fight those who would exploit and take advantage of them,” said IACLEA Executive Director Paul Cell. “International Association of Campus Law Enforcement Administrators (IACLEA) stands united and in support of the work K2P is doing to ensure our children are educated on the dangers of online predators and how they can identify when they are being targeted.”

“The Small and Rural Law Enforcement Executives Association (SRLEEA) wholeheartedly endorses the DHS’s Know2Protect campaign, highlighting its vital role in smaller, rural, and tribal communities. These areas often encounter increased risks due to scarce resources, and this initiative is crucial for providing necessary awareness and tools to combat online child exploitation. ‘The impact of Know2Protect in empowering our communities and law enforcement to protect our most vulnerable from these evolving threats is invaluable,’ said Chair of the SRLEEA Human Trafficking Committee Sheriff Kim Stewart.

Know2Protect is the latest example of DHS’s ongoing efforts to address online child sexual exploitation and abuse and comes after the Department’s Quadrennial Homeland Security Review added combating crimes of exploitation and protecting victims as a sixth mission area in April 2023. Learn more about recent DHS efforts to combat child exploitation and abuse here.

Know2Protect will highlight the whole of DHS efforts to combat online CSEA, including:

  • Homeland Security Investigations (HSI), which serves as the principal investigative arm of DHS and protects the public from crimes of victimization, including child sexual exploitation. HSI works to investigate, apprehend, and prosecute offenders and identify, protect and support victims. HSI also prevents transnational child sexual abuse, including those who travel internationally to engage in illicit sexual conduct with minors. HSI oversees Know2Protect and Project iGuardian, Know2Protect’s educational program to teach the public about the ongoing threats children and teens face from online predators.
     
  • The U.S. Secret Service supports the protection of minors from CSEA through advanced investigative and forensic support to state and local law enforcement agencies, such as providing support for polygraphs of suspected perpetrators, advanced analysis of photo or video evidence, and assistance on cases related to missing and exploited children. The U.S. Secret Service’s Childhood Smart Program, created in partnership with the National Center for Missing and Exploited Children, educates parents, children, and teens about internet and personal safety.
     
  • The Cybersecurity and Infrastructure Security Agency (CISA) administers SchoolSafety.gov, a collaborative, interagency website that provides schools and districts with actionable recommendations to create safe and supportive environments for students and educators. The site is an access point for information, resources, guidance, and evidence-based practices on a range of school safety topics, including online exploitation.
     
  • The DHS Science and Technology Directorate supports DHS offices by providing technical and scientific expertise. It also researches, develops, and deploys leading-edge forensic tools and technologies.

The campaign will continue to spread prevention and awareness messaging through partnerships, a robust social media presence, and training and outreach to schools and communities through age-appropriate educational presentations provided by agents from Homeland Security Investigations and the U.S. Secret Service.

To demonstrate the Department’s unified focus on combating cybercrimes, Secretary Mayorkas redesignated the HSI Cyber Crimes Center as the DHS Cyber Crimes Center (DHS C3), strengthening the Department-wide effort to combat cyber-related crimes and online CSEA. The Department works alongside our U.S. and international government partners to raise awareness of these threats, investigate, apprehend, and prosecute offenders, and to identify, protect, and support victims. The entire Biden-Harris Administration has identified online child safety and security as a top priority, creating the White House Online Harassment and Abuse Task Force, the Kids Online Health and Safety Task Force, and the Australia-U.S. Joint Council on Combatting Online Child Sexual Exploitation, in all of which the Department plays a leading role.

The Department’s participation in multilateral partnerships, such as the Five Country Ministerial, has led to important initiatives such as the development of the Voluntary Principles to Counter Online Child Sexual Exploitation, also endorsed by the G7 foreign ministers, and the Children Online Protection Lab, led by France, in which the United States participates as a member of the Executive Committee, all of which are crucial in combating this borderless crime.

WHAT YOU CAN DO

  • Request an educational presentation tailored for school children and trusted adults:
    • Project iGuardians™: Combating Child Predators: Project iGuardian is Know2Protect’s educational program to teach schools, community groups, corporations, and nonprofit organizations about the ongoing threats children and teens face from online predators. To request a presentation, please email iguardian.hq@hsi.dhs.gov.
    • Childhood Smart Program: The U.S. Secret Service Childhood Smart Program educates parents, trusted adults, children (grades K-12) and the community about real-world safety issues to increase awareness of internet safety. To request a presentation in your community, please email fsdncmec@usss.dhs.gov.
       
  • Visit SchoolSafety.gov for resources to help educators, school leaders, parents, and school personnel identify, prevent, and respond to child exploitation: https://www.schoolsafety.gov/child-exploitation.
     
  • Learn more about sextortion: it is more common than you think. https://www.ice.gov/features/sextortion
     
  • Learn more from the National Center for Missing and Exploited Children: www.ncmec.org.

HOW TO REPORT SUSPECTED ONLINE CHILD SEXUAL EXPLOITATION AND ABUSE

  • Contact your local, state, campus, or tribal law enforcement officials directly. Call 911 in an emergency.
     
  • If you suspect a child has been abducted or faces imminent danger, contact your local police and the NCMEC tip line at 1-800-THE-LOST (1-800-843-5678).
     
  • If you suspect a child might be a victim of online sexual exploitation, call the HSI Tip Line at 1-866-347-2423 and report it to NCMEC’s CyberTipline at https://report.cybertip.org/reporting

Know2Protect is managed by the Department of Homeland Security’s Cyber Crimes Center. To learn more about the campaign or to request a presentation tailored for your community, please visit know2protect.gov.

###

DHS Announces $1.8 Billion in Preparedness Grants

Source: US Department of Homeland Security

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas today announced more than $1.8 billion in funding for eight Fiscal Year 2024 preparedness grant programs. These grant programs provide critical funding to help state, local, tribal, and territorial officials prepare for, prevent, protect against, and respond to acts of terrorism and disasters.

“As threats continue to evolve, the Department of Homeland Security is committed to providing state, local, tribal and territorial governments, as well as transportation authorities and nonprofit organizations, with vital resources to help them strengthen our nation’s security and preparedness,” said Secretary Mayorkas. “This funding is essential for frontline personnel, including emergency managers, firefighters, emergency medical services, law enforcement and other first responders. The grants will play a critical role in ensuring local communities across the country have the resources and capabilities to prevent threats to the homeland.”

After extensive consultation with grantees leading up to this announcement, DHS is focused on the need to invest in high priority areas, build capacity in other communities, and give jurisdictions the flexibility to make prioritization decisions based on their own assessment of their needs. For Fiscal Year (FY) 2024, Congress cut each of the preparedness grants by 10%, which resulted in commensurate cuts to each jurisdiction.

The law requires that at least 25% of the combined funds for the State Homeland Security Program (SHSP) and the Urban Area Security Initiative (UASI) be dedicated to Law Enforcement Terrorism Prevention Activities (LETPA). This year, we are maintaining the LETPA minimum requirement of 35%. The Department’s law enforcement subject matter experts engaged with FEMA experts to review and clarify policy and program decisions to ensure that law enforcement and terrorism-focused grant funds are appropriately used for terrorism prevention activities, thereby strengthening our national preparedness posture.

This year, we will provide $274.5 Million in Nonprofit Security Grant Program funds to houses of worship, schools, and other nonprofits to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack. The program will continue to help integrate nonprofit preparedness activities with broader state and local preparedness efforts. It will also promote collaboration in emergency preparedness activities among public and private community representatives, as well as state and local government agencies.

The FY 2024 grant guidance will continue to focus on the nation’s highest risk areas, including urban areas that face the most significant threats. The Urban Area Security Initiative enhances regional preparedness by helping build and sustain capabilities responsive to the evolving threat environment. This year, the Urban Area Security Initiative will fund 41 high-threat, high-density urban areas, including an urban area that has not previously received funding.

DHS continues to emphasize six national priority areas in the FY 2024 grant cycle: cybersecurity; soft targets and crowded places; intelligence and information sharing; domestic violent extremism; community preparedness and resilience; and election security. Grant recipients under the State Homeland Security Program and Urban Area Security Initiative will be required to dedicate a minimum of 30% of their awards across these six priority areas. Of the 30%, there is a 3% minimum spend on election security, with flexibility on how to spend the remaining 27% across the six priority areas.

As with previous years, new capabilities that are built using homeland security grant funding must be deployable if needed to support regional and national efforts. All capabilities being built or sustained must have a clear linkage to the core capabilities articulated in the National Preparedness Goal.  

FY 2024 Preparedness Grant Summary

  • State Homeland Security Program: $373.5 Million
  • Urban Area Security Initiative: $553.5 Million
  • Intercity Passenger Rail: $9 Million
  • Emergency Management Performance Grant: $319.55 Million
  • Operation Stonegarden: $81 Million
  • Tribal Homeland Security Program: $13.5 Million
  • Nonprofit Security Grant Program: $274.5 Million
  • Port Security Grant Program: $90 Million
  • Transit Security Grant Program: $83.7 Million
  • Intercity Bus Security Grant Program: $1.8 Million

Preparedness Grant Program Allocations for Fiscal Year 2024  

The following grants are non-competitive and awarded to recipients based on several factors:  

Homeland Security Grant Program (HSGP): State Homeland Security Program—provides $373.5 million to support the implementation of risk-driven, capabilities-based state homeland security strategies to address capability targets. Awards are based on statutory minimums and relative risk as determined by DHS/FEMA’s risk methodology.  

HSGP: Urban Area Security Initiative—provides $553.5 million to enhance regional preparedness and capabilities in 41 high-threat, high-density areas. Awards are based on relative risk as determined by DHS/FEMA’s risk methodology. 

For both the state homeland and urban area grants, 30% of the awards must address the six priority areas of cybersecurity; soft targets and crowded places; information and intelligence sharing; domestic violent extremism; community preparedness and resilience; and election security. Additionally, 35% of these grants must be dedicated to law enforcement terrorism prevention activities, and 80% of these grants must be obligated from the state to local or tribal governments within 45 calendar days of receipt.

Intercity Passenger Rail—provides $9 million to Amtrak to protect critical surface transportation infrastructure and the traveling public from acts of terrorism and increase the resilience of the Amtrak rail system. Award made per congressional direction.  

Emergency Management Performance Grant (EMPG) Program—provides $319.55 million to assist state, local, tribal and territorial emergency management agencies in obtaining the resources required to support the National Preparedness Goal’s associated mission areas and core capabilities to build a culture of preparedness. Awards are based on statutory minimums and population.

The following grants are competitive, and exact awards will be announced later this year:   

HSGP: Operation Stonegarden—provides $81 million to enhance cooperation and coordination among state, local, tribal, territorial, and federal law enforcement agencies to jointly enhance security along the United States land and water borders.  

Tribal Homeland Security Grant Program—provides $13.5 million to eligible tribal nations to implement preparedness initiatives to help strengthen the nation against risk associated with potential terrorist attacks and other hazards.

Nonprofit Security Grant Program—provides $274.5 million to support target hardening and other physical security enhancements for nonprofit organizations that are at high risk of a terrorist attack. This year, $137.25 million is provided to nonprofits in UASI-designated urban areas, and $137.25 million is provided to nonprofits outside of UASI-designated urban areas located in any state or territory.  

Port Security Grant Program—provides $90 million to help protect critical port infrastructure from terrorism, enhance maritime domain awareness, improve port-wide maritime security risk management, and maintain or re-establish maritime security mitigation protocols that support port recovery and resiliency capabilities.  

Transit Security Grant Program—provides $83.7 million to owners and operators of public transit systems to protect critical surface transportation and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Intercity Bus Security Grant Program—provides $1.8 million to owners and operators of intercity bus systems to protect surface transportation infrastructure and the traveling public from acts of terrorism and to increase the resilience of transit infrastructure.

Before determining modifications and final allocations to the grant programs, DHS coordinated extensive engagements with local and state partners, and worked with a wide range of stakeholders.   

All preparedness funding notices can be found at www.grants.gov. Final submissions must be made through the FEMA Grants Outcomes (FEMA GO) system located at https://go.fema.gov.  

Further information on DHS’s preparedness grant programs is available at www.dhs.gov and http://www.fema.gov/grants.  

Applications Open for DHS FY24 Targeted Violence and Terrorism Prevention Grants

Source: US Department of Homeland Security

$18 Million to be Awarded to Nonprofits, Educators, and Other Community Leaders Working to Prevent Targeted Violence and Terrorism

WASHINGTON – The Department of Homeland Security (DHS) today released the Fiscal Year (FY) 2024 Targeted Violence and Terrorism Prevention (TVTP) Grant Program Notice of Funding Opportunity (NOFO). Administered by the DHS Center for Prevention Programs and Partnerships (CP3) and the Federal Emergency Management Agency (FEMA), the TVTP Grant Program is the only federal government grant program dedicated to helping local communities develop and strengthen local capabilities that prevent targeted violence and terrorism. In FY 2024, $18 million in TVTP grants are available for such projects run by state, local, tribal, and territorial government agencies, nonprofits, and universities. The applications must be submitted through FEMA GO by May 17, 2024. DHS will announce recipients in September 2024.

“Our nation’s ability to prevent targeted violence and terrorism requires all of us, working together, to develop programs and share best practices that build new prevention capabilities and strengthen our communities,” said Secretary of Homeland Security Alejandro N. Mayorkas. “This grant program helps do just that, and we are grateful to Congress for the resources it has provided to invest in community programs across our country.”

The TVTP Grant Program supports online, in-person, and hybrid projects that address the threat of online pathways to violence as well as the threat of violence in physical spaces. CP3 has invested $70 million across the United States in the past four years to increase awareness, establish local prevention networks and provide training to community members. Previously funded recipients include Palm Beach County, which in 2023 was able to leverage its Behavioral Threat Assessment and Management Team (BTAM), created through its TVTP award, to stop an individual on the Palm Beach State College campus who had threatened mass violence.

“Working with DHS CP3’s TVTP Grant Program has provided various benefits to the Palm Beach County Sheriff’s Office and Palm Beach County. PBSO has been able to provide training to the students in Palm Beach County through Project Safe Learning, from the two detectives that were provided through the grant allowing us to create the program and enhance the efforts to keep our schools safe,” said Captain Randy Foley of the Palm Beach County Sheriff’s Office, Behavioral Services Division. “The grant has fostered collaboration and information sharing through quarterly trainings with law enforcement agencies throughout Palm Beach County. Funds from the grant have provided PBSO with the means to set up a Targeted Violence Unit that utilizes a co-responder model that enables a proactive approach in preventing violence.”

“Because of CP3’s TVTP grant program, Life After Hate was able to expand its efforts to help individuals disengage from violent extremist groups and online hate spaces,” said Patrick R. Riccards, Executive Director and CEO of Life After Hate. “As a result of TVTP, our offerings are stronger and more effective, allowing us to do more to build safer communities.”

The FY24 iteration of the TVTP Grant Program continues to prioritize engaging underserved communities which are often disproportionately the targets of violence. Projects supported under this program must adhere to strict privacy, civil rights, and civil liberties standards described in the NOFO guidance. Projects must be designed and operated in ways that do not infringe on individuals’ freedom of speech or target anyone based on the exercise of their First Amendment rights. Examples of past third-party evaluation reports, grantee-authored closeout reports, and grantee TVTP project webpages can be found at CP3’s TVTP Grantee Results Webpage.

TVTP grants are a critical part of President Biden’s National Strategy for Countering Domestic Terrorism to expand community-based diversion of individuals at risk of committing targeted violence or terrorism and boost training opportunities to support local prevention efforts in vulnerable communities.

The latest Homeland Security Threat Assessment listed targeted violence and terrorism as one of the most pressing threats facing Americans. The Department expects the threat of violence from radicalized individuals and small groups already present in the United States to remain high.

The TVTP Grant Program also encourages innovation to harness the best ideas from those directly engaging with members of the community. CP3 has worked with grantees, as well as third party evaluators in collaboration with DHS’ Science & Technology Directorate, to identify best practices that enhance protections for participants in prevention programs. As grantees continue their innovative work, CP3 will incorporate the lessons learned and promising practices identified in the third-party evaluations into future grant cycles. These evaluation reports are accessible at CP3’s Grantee Evaluation Reports webpage.

Through CP3, DHS strengthens our country’s ability to prevent targeted violence and terrorism nationwide, through funding, training, increased public awareness, and partnerships across every level of government, the private sector, and in local communities. Leveraging an approach informed by public health research, CP3 brings together nonprofits, social services, mental health providers, educators, faith leaders, public health and safety officials, law enforcement, and others in communities across the country to help people who are on a pathway to violence before harm occurs. Since 2021, CP3 has delivered nearly 250 briefings to communities and stakeholder groups on the threat of violence and creating local prevention efforts.

For more information on the application process and available funding, please see the NOFO on FEMA GO. Visit the TVTP Grant Program Resource page or contact CP3 at TerrorismPrevention@hq.dhs.gov for additional information on how to apply.

Department of Homeland Security Announces $300 Million in Direct Funding to Communities Receiving Migrants and $340 Million for A New Competitive Awards Process

Source: US Department of Homeland Security

DHS continues to provide unprecedented resources to support border & interior communities while calling on Congress to act

WASHINGTON – Today, the Department of Homeland Security (DHS), through the Federal Emergency Management Agency (FEMA) and U.S. Customs and Border Protection (CBP), announced $300 million in grants through the Shelter and Services Program (SSP), which was authorized by Congress to support communities that are providing services to migrants. $275 million will be distributed in the first allocation, and the remaining $25 million will be allocated later in the year to accommodate evolving operational requirements. The initial funding will be available to 55 grant recipients for temporary shelter and other eligible costs associated with migrants awaiting the outcome of their immigration proceedings. Additionally, the Department is announcing $340.9 million through the Shelter and Services Program-Competitive grant program to be allocated before the end of this Fiscal Year.   

Today’s announcement responds to feedback from recipients in terms of providing additional flexibilities and an opportunity for new recipients through the competitive program, while continuing to require budget submissions and review prior to releasing funds, which is standard practice at FEMA. It also builds on the support being provided to communities on the border and in the interior. Last year, more than $780 million was awarded through SSP and Emergency Food and Shelter Program – Humanitarian Awards (EFSP-H) funding in Fiscal Year 2023, which went to organizations and cities across the country. DHS also works to streamline and improve access to work permits for eligible noncitizens, including through the announcement last week of a temporary final rule to increase the automatic extension period for certain employment authorization documents to prevent a lapse in work-authorized individuals’ ability to be in the workforce, supporting local economies.

DHS efforts to manage and secure our borders in a safe, orderly, and humane way include support for communities, as well as strengthened consequences for those without a lawful basis to remain and an expansion of lawful pathways that have helped reduce the number of encounters from specific populations. From May 12, 2023 to April 3, 2024, DHS has removed or returned over 660,000 individuals, the vast majority of whom crossed the Southwest Border, including more than 102,000 individual family members. The majority of all individuals encountered at the southwest border over the past three years have been removed, returned, or expelled. Total removals and returns since mid-May exceed removals and returns in every full fiscal year since 2011.  

Due to the substantial demand that exceeds the limited SSP program funding authorized by Congress, not all requests can be fulfilled. DHS continues to call on Congress to pass the bipartisan border security agreement, which would in part provide an additional $1.4 billion in SSP funds, and provide additional needed tools and resources to respond to historic global migration.

For more information on the Shelter and Services Program, visit www.fema.gov/grants/preparedness/shelter-services-program.  

###

Secretary Mayorkas Announces Extension and Redesignation of Ethiopia for Temporary Protected Status

Source: US Department of Homeland Security

Redesignation Allows Additional Eligible Ethiopian Nationals to Apply for TPS and Employment Authorization Documents

WASHINGTON – Secretary of Homeland Security Alejandro N. Mayorkas today announced the extension and redesignation of Ethiopia for Temporary Protected Status (TPS) for 18 months, from June 13, 2024, to December 12, 2025, due to ongoing armed conflict and extraordinary and temporary conditions in Ethiopia that prevent individuals from safely returning. The corresponding Federal Register notice provides information about registering as a new first-time applicant or current beneficiary for TPS under Ethiopia’s extension and redesignation.

After consultation with interagency partners, Secretary Mayorkas determined that an 18-month extension and redesignation of TPS is warranted because conditions that support Ethiopia’s designation are ongoing. Ethiopia continues to face armed conflict and violence in multiple regions of the country. Human rights abuses are prevalent, and civilians are facing indiscriminate attacks. Droughts, floods, and disease outbreaks have put millions of lives at risk. These overlapping humanitarian crises have resulted in ongoing urgent humanitarian needs.

Accompanying this announcement is a Special Student Relief notice for F-1 nonimmigrant students whose country of citizenship is Ethiopia so that eligible students may request employment authorization, work an increased number of hours while school is in session, and reduce their course load while continuing to maintain F-1 status through the TPS designation period.

“Temporary Protected Status provides individuals already present in the United States with protection from removal when conditions in their home country prevent their safe return,” said Secretary Mayorkas. “That is the situation facing Ethiopians who arrived here on or before April 11 of this year. We are granting them protection through this temporary form of humanitarian relief that the law provides.”

The extension of TPS for Ethiopia allows approximately 2,300 current beneficiaries to retain TPS through December 12, 2025, if they re-register and continue to meet TPS eligibility requirements.

The redesignation of Ethiopia for TPS allows an estimated 12,800 additional Ethiopian nationals (or individuals having no nationality who last habitually resided in Ethiopia) to file initial applications to obtain TPS, if they are otherwise eligible and they established residence in the United States on or before April 11, 2024, and have continued to reside in the United States since then (“continuous residence”). Ethiopian nationals (and those without nationality who last habitually resided in Ethiopia) who arrive in the United States after April 11, 2024 are not eligible for TPS.

Re-registration is limited to individuals who previously registered for and were granted TPS under Ethiopia’s initial designation. Current beneficiaries under TPS for Ethiopia must re-register in a timely manner during the 60-day re-registration period from April 15, 2024, through June 14, 2024, to ensure they keep their TPS and employment authorization.

DHS recognizes that not all re-registrants may receive a new Employment Authorization Document (EAD) before their current EAD expires and is automatically extending through June 12, 2025, the validity of EADs previously issued under Ethiopia’s initial TPS designation.

U.S. Citizenship and Immigration Services (USCIS) will continue to process pending applications filed under the previous TPS designation for Ethiopia. Individuals with a pending Form I-821, Application for Temporary Protected Status, or a related Form I-765, Application for Employment Authorization, as of April 15, 2024 do not need to file either application again. If USCIS approves a pending Form I-821 or Form I-765 filed under the previous designation of TPS for Ethiopia, USCIS will grant the individual TPS through December 12, 2025, and issue an EAD valid through the same date.

Under the redesignation of Ethiopia, eligible individuals who do not have TPS may submit an initial Form I-821, Application for Temporary Protected Status, during the initial registration period that runs from April 15, 2024 through December 12, 2025. Applicants also may apply for TPS-related EADs and for travel authorization. Applicants can request an EAD by submitting a completed Form I-765, Application for Employment Authorization, with their Form I-821, or separately later.

The Federal Register notice explains eligibility criteria, timelines, and procedures necessary for current beneficiaries to re-register and renew EADs, and for new applicants to submit an initial application under the redesignation and apply for an EAD.