Critical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center

Critical Infrastructure Daily Brief

September 20, 2021



(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.


Situational Awareness

The FBI said two explosive devices recently found outside cellphone stores in northern Michigan are believed to be linked to letters found last month in the Upper Peninsula. The bombs, which were discovered and defused Thursday, were found in suspicious packages left outside a Verizon store in Cheboygan and an AT&T store in Sault Ste. Marie. The FBI and Michigan State Police said in a statement that they believe the devices are related to a series of letters discovered in the Upper Peninsula last month. The letters claimed to be from the “Coalition for Moral Telecommunications” and made demands of telecommunications companies. They were found at several telecommunications tower sites, according to the FBI. Cheboygan authorities said emergency personal were dispatched around 9 a.m. Thursday after an employee reported a suspicious package near the door of the business. A bomb was found inside, which authorities removed and defused. A similar device was reported in Sault St. Marie. The FBI said both devices were found in U.S. Postal Service boxes which were sealed with black duct tape and placed outside the stores. Each one had “CMT” written on it and contained threatening notes addressed to the cellphone companies. Multiple law enforcement agencies were investigating.


A fourth chartered flight carrying civilians from Afghanistan to Qatar since U.S. forces withdrew last month left Kabul on Sunday with more than 230 passengers, including Afghans, Americans and Europeans, a Qatari official said. The Qatar Airways operated flight was also carrying citizens from Germany, Belgium, Ireland, Canada, France, Italy, Britain, Finland and the Netherlands, Qatari assistant foreign minister Lolwah Rashid Al Khater wrote on Twitter. A second Qatari official said there were 236 passengers, making it the largest evacuation flight since the withdrawal of U.S. and allied forces ended on Aug. 31. "Qatar will continue its collaboration with international partners on efforts that ensure freedom of movement in Afghanistan, while working with various parties on the ground towards more general progress in the country moving forward," the second official said. The passengers will initially stay in a compound in the Qatari capital Doha that is hosting Afghans and other evacuees. Qatar has emerged has a key interlocutor between the West and the Taliban. The Gulf state is a close U.S. ally, hosting the largest American military base in the Middle East, and has hosted a Taliban political office since 2013.



Security researchers are compiling an easy-to-follow list of vulnerabilities ransomware gangs and their affiliates are using as initial access to breach victims' networks. All this started with a call to action made by Allan Liska, a member of Recorded Future's CSIRT (computer security incident response team), on Twitter over the weekend. Since then, with the help of several other contributors that joined his efforts, the list quickly grew to include security flaws found in products from over a dozen different software and hardware vendors. While these bugs have been or still are exploited by one ransomware group or another in past and ongoing attacks, the list has also been expanded to include actively exploited flaws, as security researcher Pancak3 explained.


An Illinois man was found guilty today by a federal jury for running websites that allowed paying users to launch powerful distributed denial of service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet. Matthew Gatrel, 32, of St. Charles, Illinois, was found guilty of three felonies: one count of conspiracy to commit unauthorized impairment of a protected computer, one count of conspiracy to commit wire fraud, and one count of unauthorized impairment of a protected computer. According to evidence presented at his nine-day trial, Gatrel owned and operated two DDoS facilitation websites: DownThem.org and AmpNode.com. DownThem sold subscriptions allowing customers to launch DDoS attacks while AmpNode provided “bulletproof” server hosting to customers with an emphasis on “spoofing” servers that could be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims. Records from the DownThem service revealed more than 2,000 registered users and more than 200,000 launched attacks, including attacks on homes, schools, universities, municipal and local government websites, and financial institutions worldwide. Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services. Gatrel offered expert advice to customers of both services, providing guidance on the best attack methods to “down” different types of computers, specific hosting providers, or to bypass DDoS protection services. Gatrel himself often used the DownThem service to demonstrate to prospective customers the power and effectiveness of products, by attacking the customers intended victim and providing proof, via screenshot, that he had severed the victim’s internet connection. Gatrel’s DownThem customers could select from a variety of different paid “subscription plans.” The subscription plans varied in cost and offered escalating attack capability, allowing customers to select different attack durations and relative attack power, as well as the ability to launch several simultaneous, or “concurrent” attacks. Once a customer entered the information necessary to launch an attack on their victim, Gatrel’s system was set up to use one or more of his own dedicated AmpNode attack servers to unlawfully appropriate the resources of hundreds or thousands of other servers connected to the internet in what are called “reflected amplification attacks.”


Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by Microsoft this week. Collaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as CVE-2021-40444. The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. The two released separate reports online this week to provide a look into who has been using the flaw–which can be used to hide a malicious ActiveX control in an Office document–in attacks, as well as their potential connections to known criminal groups. Specifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns–including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported.



An attack with explosive devices laid along a natural gas pipeline southeast of Syria’s capital knocked out power in parts of the country before it was quickly restored, the electricity minister said Saturday. No one immediately claimed responsibility for the attack, which was the latest incidence of sabotage targeting Syria’s oil and gas infrastructure. During the 10-year conflict, Syria’s oil and gas infrastructure was subject to repeated attacks and many oil fields now lay outside of government-controlled areas. The attack southeast of Damascus late Friday targeted a pipeline that feeds nearly 50% of Syria’s power plants, according to Electricity Minister Ghassan al-Zamel, whose comments were carried by state media. He said the attack caused a drop in the transmission pressure, affecting different power plants in the country. Maintenance work began early Saturday and power was restored to all provinces, al-Zamel said. But he warned that rationing would be “severe” until all repair work was completed. A statement from the Oil Ministry called it a “terrorist attack that targeted the Arab Natural Gas pipeline” in the Haran al-Awamid area in southern Syria. The pipeline is part of a transregional gas export pipeline that used to bring natural gas from Egypt to Jordan, Syria and Lebanon. The exports stopped before Syria’s war, but the pipeline has been integrated into the country’s grid.



Getting Around Illinois is a web-based interactive mapping site that provides the ability to search and display several sources of transportation data. You can find information on winter road conditions, annual average daily traffic, road construction, trucking routes, and planned road projects.


Harvest season has arrived in McLean County and Central Illinois, and more farm equipment will be on roadways. Farmers are harvesting crops from September through November, and trucks, combines, and other machinery will be using the highways to transport their goods. Rodney Knittle with the Illinois Farm Bureau said this is what farmers work for. “It’s an important time for Illinois and Illinois agriculture, so slow down and share the road with our farmers,” Knittle said.


Barge freight costs for moving grains from the Midwest rose sharply due to the continuing logistical problems over two weeks after Hurricane Ida hit the Delta Region. As grain handlers are scrambling to get operations going again at the Gulf of Mexico, China booked four to six bulk cargoes of soybeans from Brazil for shipping in October and November, which is the peak of the U.S. export period. That agreement between China and Brazil is fueling industry concerns that terminal capacity at the Gulf will be limited into the next month. Cash grain traders tell Reuters that Gulf shipping problems are causing the cost for barge freight to rise along Midwest rivers. Unloading barges arriving at the Gulf is being delayed, which is creating a shortage of empty barges needed upriver as corn and soybean harvest revs up in the Midwest. Adding to the sense of urgency is the fact that crops are maturing faster than normal in key states like Minnesota, Iowa, and Illinois. Southern states are also much farther along in their harvest than northern states. “You have these southern states, and you need to get all of that through the system before the really big volume comes from places like Missouri, Illinois, and Iowa,” says Mike Steenhoek, Executive Director of the Soy Transportation Coalition.



Pfizer said Monday its COVID-19 vaccine works for children ages 5 to 11 and that it will seek U.S. authorization for this age group soon -- a key step toward beginning vaccinations for youngsters. The vaccine made by Pfizer and its German partner BioNTech already is available for anyone 12 and older. But with kids now back in school and the extra-contagious delta variant causing a huge jump in pediatric infections, many parents are anxiously awaiting vaccinations for their younger children. For elementary school-aged kids, Pfizer tested a much lower dose -- a third of the amount that’s in each shot given now. Yet after their second dose, children ages 5 to 11 developed coronavirus-fighting antibody levels just as strong as teenagers and young adults, Dr. Bill Gruber, a Pfizer senior vice president, told The Associated Press. The kid dosage also proved safe, with similar or fewer temporary side effects -- such as sore arms, fever or achiness -- that teens experience, he said.



  • NWS SEOC Daily Brief Attached


Cooler weather is coming to Chicago this week. It was very warm across the Chicago area on Sunday, and Monday's high is still expected to be around 79 degrees. But early Monday Chicago and the suburbs could see scattered rain showers. A strong cold front will bring more showers and storms through the Chicago area on Monday night. After that, much cooler air will bring a fall-like chill with gusty north winds.


Despite originally making landfall as a Category 1 Hurricane in Texas early last week, the now remnants of Tropical Cyclone Nicholas continue to pose a heavy rainfall and flash flooding threat Monday. Moisture will target portions of the Tennessee and lower Ohio valleys and the southern Appalachians. Additionally, some onshore winds off the Southeast coast will bring more moisture to the system, supporting heavy rains and flooding along the South Carolina and Georgia coasts. This flood risk will move into North Carolina by Tuesday. In the tropics, two new systems have formed. Tropical Storm Peter is located just east of the Leeward Islands and is expected to pass just to their north on Monday and Tuesday. Peter should weaken by midweek. Landfall is not currently forecast. Even further west, Tropical Storm Rose will also weaken by midweek. This storm is not a threat for landfall.

Back to index