DHS: ‘Cyber Actors Have Engaged in Malicious Activity Against the US Government’

NOVANEWS

by Shepard

We are now reaching a point in America where the establishment really plans to drop the hammer by suppressing free minds they deem to be a threat to their operations.

Now the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have come forth claiming that “sensitive information” and “trade secrets” have been penetrated, and that there is therefore a need for an “IP awareness list” to monitor the activities of the “actors”.
One must assume that DHS and the FBI are actually targeting alternative news outlets, as they are independently run and not controlled by key figureheads such as the Rothschilds and Rockefellers.
This might also be the next step as the establishment moves toward a push for new internet systems, essentially providing a glorified cable service online while bankrupting smaller independent websites. The platform has been dubbed “Internet 2” by people in the know. According to Wikipedia, “Internet2 is an advanced not-for-profit United States networking consortium led by members from the research and education communities, industry, and government.[1]
In 2009, Internet2 member rolls included over 200 higher education institutions,[2] over 40 members from industry,[3] over 30 research and education network and connector organizations,[4] and over 50 affiliate members.[5]
Internet2 operates the Internet2 Network,[6] a next-generation Internet Protocol and optical network that delivers production network services to meet the high-performance demands of research and education, and provides a secure network testing and research environment. In late 2007, Internet2 began operating its newest dynamic circuit network, the Internet2 DCN, an advanced technology that allows user-based allocation of high-capacity data circuits over the fiber-optic network.
The Internet2 Network, through its regional network and connector members, connects over 60,000 U.S. educational, research, government and “community anchor” institutions, from primary and secondary schools to community colleges and universities, public libraries and museums to health care organizations.[7]
The Internet2 community is actively engaged in developing and deploying emerging network technologies beyond the scope of single institutions and critical to the future of the Internet. These technologies include large-scale network performance measurement and management tools,[8] simple and secure identity and access management tools[9] and advanced capabilities such as the on-demand creation and scheduling of high-bandwidth, high-performance circuits.[10]
Internet2 is member-led and member-focused, with an open governance structure and process.[11] Members serve on several advisory councils,[12] collaborate in a variety of working groups and special interest groups,[13] gather at spring and fall member meetings,[14] and are encouraged to participate in the strategic planning process.[15]”
A bulletin posted on us-cert.gov, entitled “UPDATE: Ongoing Malicious Cyber Activity Against U.S. Government and Private Sector Entities”, reads:
UPDATE: The United States Department of Homeland Security, in collaboration with the Federal Bureau of Investigation and other partners, has released a second Joint Indicator Bulletin (JIB) through secure channels. Confirmed members of the cybersecurity community of practice, which may include critical infrastructure owners and operators, systems administrators, and information security practitioners, may request a copy of this second bulletin by contacting soc@us-cert.gov with the subject “JIB Request,” and including the requestor’s name and affiliation.
Various cyber actors have engaged in malicious activity against U.S. Government and private sector entities. The apparent objective of this activity has been the theft of intellectual property, trade secrets, and other sensitive business information. The malicious actors have employed a variety of techniques to infiltrate targeted organizations, establish a foothold, penetrate throughout the targets’ networks, and steal confidential or proprietary data. The United States Department of Homeland Security, in collaboration with the Federal Bureau of Investigation and other partners, has released a Joint Indicator Bulletin (JIB) through secure channels. This JIB contains cyber threat indicators that will enable public and private sector critical infrastructure partners to take action to mitigate adverse impacts from this activity and protect their sensitive information.
This traffic light protocol green JIB contains internet protocol addresses, domain names, and malware indicators associated with malicious data exfiltration activity. Confirmed members of the cybersecurity community of practice, which may include critical infrastructure owners and operators, systems administrators, and information security practitioners, may request a copy of this bulletin by contacting soc@us-cert.gov with the subject “JIB Request,” and including the requestor’s name and affiliation.

Indicator Descriptions

As a general matter, malicious cyber actors have multiple tools at their disposal and can represent a significant threat to targeted victim organizations. Such actors frequently compromise victim organizations with targeted spear-phishing campaigns, understand how to move laterally within a network to acquire targeted data, and often maintain undetected persistence on victim networks for months or even years. The indicators provided in this Bulletin include malware and compromised IP addresses and domains used by such actors.

Malware

Malicious activity like that described in this Bulletin usually originates via targeted spear phishing email campaigns that compromise victim organizations. These emails can result in the installation of one or more pieces of malware used to enable complete control of those systems. The presence of such malware is a strong indication the computer or network has been compromised.

Client Tools

During the course of a computer intrusion, malicious actors often download additional tools to victim systems for the purpose of evading local security measures and to compromise additional computers on victim networks. These tools might have legitimate uses, but, when combined with other indications of an intrusion, could indicate that the computer has been compromised. The presence of these tools alone is not necessarily a positive indication of malicious activity, but may enable an organization to identify malicious activity.

IP Addresses, Hostnames and Second-Level Domains

Malicious actors routinely compromise hosts on the Internet for the purpose of obscuring their activity, particularly the exfiltration of computer files from end-point victims. The majority of these compromised hosts have been configured to prevent identification of the source of the intrusion activity. The traffic from these hosts is generally legitimate, but, because they have been compromised, activity to and from these IPs should be reviewed for indications of malicious traffic.
Malicious actors also make use of numerous Internet hostnames for the purpose of compromising and controlling victim systems. Actors have been known to register second-level domains for their exclusive use in these activities. In addition, malicious actors have been known to use DNS providers that allow the use of specific hostnames that are part of shared second-level domains.
Many of these hostnames and domains may be legitimate hosts or domains that have been co-opted by malicious actors. Any number of the IP addresses or domains in this Bulletin may have been remediated prior to publication of this list. In some cases, a single IP address from this indicator list may represent hundreds or even thousands of legitimate independent websites, or may represent a small business network. A number of indicators contained in this Bulletin resolve back to large scale service providers whose services are being abused. For these reasons, outright blocking of these indicators is not recommended. Rather, traffic from these IPs or domains should be investigated for signs of compromise.
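The handling guidance above (review traffic rather than block, treat actor-registered second-level domains differently from single hostnames under shared domains) as added triage logic; this is example code, not part of the US-CERT bulletin or this post, and every indicator value and log line in it is constructed (RFC 5737 documentation addresses, example.* names).

```python
import re

# Constructed indicator set (RFC 5737 documentation addresses, example.*
# names), grouped the way the bulletin describes its indicators.
INDICATORS = {
    # Compromised hosts: one IP may front thousands of legitimate sites, so review, never auto-block.
    "ips": {"203.0.113.5", "198.51.100.77"},
    # SLDs registered for the actor's exclusive use: any hostname beneath them is suspect.
    "exclusive_slds": {"ctrl-example.net"},
    # Exact hostnames under a shared (dynamic-DNS style) SLD: the rest of that SLD is not suspect.
    "shared_hosts": {"update-node.dyn-example.org"},
}

# Constructed proxy log lines: timestamp src_ip hostname dst_ip bytes_out
SAMPLE_LOG = [
    "2013-02-20T10:01:02 10.0.0.14 www.example.com 192.0.2.1 1200",
    "2013-02-20T10:03:15 10.0.0.14 beacon.ctrl-example.net 203.0.113.5 480",
    "2013-02-20T10:04:40 10.0.0.22 blog.dyn-example.org 198.51.100.77 9000",
    "2013-02-20T10:05:01 10.0.0.22 update-node.dyn-example.org 192.0.2.10 5120000",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<bytes>\d+)$")

def match_indicator(host, dst_ip):
    """Return (indicator_type, indicator) or None. Hostname checks run first:
    an exclusive-SLD or exact shared-hostname hit is a stronger signal than
    an IP that may be shared with legitimate sites."""
    host = host.lower().rstrip(".")
    if host in INDICATORS["shared_hosts"]:
        return ("shared_hostname", host)
    labels = host.split(".")
    for i in range(len(labels) - 1):  # walk every parent domain of the host
        parent = ".".join(labels[i:])
        if parent in INDICATORS["exclusive_slds"]:
            return ("exclusive_sld", parent)
    if dst_ip in INDICATORS["ips"]:
        return ("compromised_ip", dst_ip)
    return None

def triage(log_lines):
    """Return review items (parsed fields, bytes_out as int, indicator type) in log order."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip rather than guess
        found = match_indicator(m["host"], m["dst"])
        if found:
            hits.append({**m.groupdict(), "bytes": int(m["bytes"]), "type": found[0], "indicator": found[1]})
    return hits
```

The byte count is carried through because the bulletin ties these indicators to exfiltration; a shared-hostname hit with a large outbound transfer is the item an analyst would open first.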
