Critical Infrastructure Daily Brief

Statewide Terrorism & Intelligence Center

Critical Infrastructure Daily Brief

August 24, 2021



(U) STIC is providing this information to our partner agencies for situational awareness. This document contains information obtained from open source information. While STIC has gone to great lengths to verify the information found in open source documents on the internet, this information may not be accurate.


Situational Awareness

Authorities at one of the nation’s top nuclear weapons laboratories issued a warning Monday that airspace over Los Alamos National Laboratory is off limits. The birthplace of the atomic bomb, Los Alamos lab reported that recent unauthorized drone flights have been detected in restricted airspace in the area. Officials said if you fly a drone over the lab, you likely will lose it. “We can detect and track a UAS (unmanned aircraft system), and if it poses a threat, we have the ability to disrupt control of the system, seize or exercise control, confiscate or use reasonable force to disable, damage or destroy the UAS,” said Unica Viramontes, senior director of lab security. The lab would not release any specifics about how the system works, citing security protocols. They also would not say how many unauthorized flights have occurred in recent months. Lab officials also warned of the potential for "collateral interceptions" of normal commercial or hobbyist drone flights, saying pilots should stay well outside the lab's restricted airspace and the additional no-drone zone designated by the Federal Aviation Administration. According to the FAA, drones are prohibited from flying over sites designated as national security sensitive facilities. Aside from military bases and other Department of Defense sites, restrictions are in place for national landmarks and certain critical infrastructure such as nuclear power plants.


A Southeast High School student was stabbed in a school hallway around 11:30 a.m. Monday, according to Springfield Police. Two subjects, both 17-year-old males and also students at Southeast, were taken into custody following the incident. Springfield Police School Safety Officer Demarreo Johnson, who was in the school cafeteria at the time of the incident, responded to the scene along with a number of other SPD officers and detectives, said SPDeputy Chief Joshua Stuenkel. Stuenkel did not give a motive for the stabbing. The victim, also a 17-year-old male, suffered two stab wounds. The student was treated at the scene by a school nurse and a CNA. The student was then transported to the emergency room at HSHS St. John’s Hospital.


U.S. President Joe Biden sent CIA Director William Burns to meet Taliban leader Abdul Ghani Baradar in Kabul on Monday in the highest level official encounter since the militant group took over the Afghan capital, a U.S. official and a source familiar with government activity told Reuters on Tuesday. Both sources spoke on condition of anonymity. The Biden administration has been evacuating U.S. citizens and other allies amid chaos at Kabul airport ahead of an Aug. 31 deadline to pull out of Afghanistan.

The Washington Post, citing U.S. officials who spoke on condition of anonymity, first reported the meeting. The White House and a CIA representative declined to comment. A Taliban spokesman said he was not aware if Baradar met the CIA chief. Biden last week said U.S. troops may stay in Afghanistan past his Aug. 31 deadline in order to evacuate Americans. However, Taliban spokesman Zabihullah Mujahid said on Tuesday the group had not agreed to extend the deadline for evacuation and they wanted all foreign evacuations to be completed by Aug. 31.



US President Joe Biden has invited Apple CEO Tim Cook, Microsoft CEO Satya Nadella, and Amazon president and CEO Andy Jassy to the White House to discuss how the private sector can help combat ransomware and software supply chain attacks. The forthcoming meeting, reported by Bloomberg, concerns America's resilience to major cyber attacks on critical infrastructure, which Biden has told Russian president Vladimir Putin should be "off limits". In July, Biden said he believed that if US engaged in a "real shooting war" it would be in response to a major cyber attack. US government agencies and critical infrastructure providers have faced numerous ransomware and espionage attacks during the pandemic, including the SolarWinds software supply chain espionage attack, and ransomware attacks against Colonial Pipeline, Kaseya, and meat packer JBS. Cook, Nadella, and Jassy plan to attend the event on the afternoon of Wednesday, July 24, according to Bloomberg sources. Chiefs of Google, IBM, Southern Co, and JPMorgan Chase have also been invited to the meeting to discuss how critical infrastructure organizations in the banking, energy and water utility sectors can improve cybersecurity and collaboration with the government. Microsoft, AWS, Cisco, FireEye and IBM are currently participating in the government-led effort to shore up US critical infrastructure as part of Biden's May cybersecurity executive order. The rise of software supply chain attacks has European cybersecurity teams worried too, because of the difficulties in validating third-party code -- be it open-source or proprietary software. The SolarWinds attack, which resulted in compromises at Microsoft, multiple top US cybersecurity firms, and several government agencies, highlighted the cybersecurity risks to US critical infrastructure. The other threat comes from commonly-used enterprise software, such as Microsoft Exchange Server, which alleged Beijing-backed hackers were exploiting before Microsoft's patches were available.


A clever UPS phishing campaign utilized an XSS vulnerability in UPS.com to push fake and malicious 'Invoice' Word documents. The phishing scam was first discovered by security research Daniel Gallagher and pretended to be an email from UPS stating that a package had an "exception" and needs to be picked up by the customer. What makes this phishing attack stand out is that the threat actor used the XSS vulnerability in UPS.com to modify the site's regular page to look like a legitimate download page. This vulnerability allowed the threat actor to distribute a malicious document through a remote Cloudflare worker but make it look like it was being downloaded directly from UPS.com.

The FBI has learned of a cyber-criminal group who self identifies as the “OnePercent Group” and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID1 banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting. OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and Clearnet, unless a ransom is paid in virtual currency. OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data.

Related Links

Back to index