Cyberterrorists targeting first responders

WASHINGTON — A U.S. intelligence community collaborative warned first responders in late July about escalating efforts to target them and their missions by cyberterrorists.

The Joint Counterterrorism Assessment Team (JCAT), an alliance between the FBI, DHS and the National Counterterrorism Center, told first responders, “We assess with moderate confidence that cyber actors, including those who support violent extremism, are likely to continue targeting first responders on the World Wide Web including by distributing personally identifiable information (PII) for the purpose of soliciting attacks from willing sympathizers in the homeland, hacking government websites, or attacking 911 phone systems to hinder first responders’ ability to respond to crises.”

While not a new phenomenon, the practice took on greater importance after a vulnerability was discovered in D.C. shortly before the presidential inauguration in January.

In a publication called First Responder’s Toolbox, the JCAT revealed, “police in Washington, D.C., discovered multiple disruptions to their surveillance cameras as a result of ransomware infections. Hackers compromised 70 percent of the cameras across the city eight days before the Presidential Inauguration, which prevented officials from accessing the command and control center of the surveillance system.”

The FBI said the infected cameras were configured with default remote access passwords. More than 120 of the city’s 187 camera/video recorders were impacted between Jan. 11 and Jan. 15, rendering them unable to record.

Two people were eventually arrested in London, England, in connection with the incident.

Another more widespread incident took place in October 2016 — a telephony denial of service (TDOS) attack on the 911 network which affected emergency call centers in at least 12 states.

“Several centers reported they were inundated with fake phone calls. As a result, authorities were in danger of losing service to their switches, and operators had difficulty in distinguishing fake incoming calls from legitimate calls for service,” said the JCAT publication.

Authorities arrested a U.S. person for the cyberattack and charged him with three counts of felony computer tampering.

Perhaps the most serious cases occurred in March 2016, when there were two doxxing attacks in the U.S. Doxxing is the process of searching for and publishing private or identifying information about a specific person or persons on the internet, typically with malicious intent.

That month, according to the JCAT bulletin, “the pro-ISIS Caliphate Cyber Army (CCA) posted PII of 50 police officers from New Jersey. The PII included the officers’ names, home and work addresses, and phone numbers.”

Later that month, before merging with other hacking groups to form the United Cyber Caliphate (UCC), the CCA hacking group posted a “kill list” containing the PII of 36 Minnesota police officers, said the publication.

The FBI, according to JCAT, is still investigating threatening phone calls to law enforcement officials, possibly resulting from CCA postings.

The alert urges first responders to become familiar with existing and emerging tactics and technologies used by cyber actors with malicious intent, including doxxing, ransomware, phishing, spear-phishing, whaling and social engineering, among others.

In order to counter attempts to target them, the JCAT bulletin encourages first responders “to minimize their online footprints on social media accounts, by removing or securing information to limit the release of potentially sensitive information on public-facing platforms.”

They are also advised, “That information that cyber actors may glean from first responders may be used on the ‘Dark Web,’ which is unindexed ‘invisible’ sections of the internet which enable anonymous communication.”

Because Dark Web use by cyber actors may hinder awareness that a cyberattack against an entity has even occurred, first responders are encouraged to regularly perform online searches to determine what information is available about them and their families on the open internet.

In the process, they’re being encouraged to be aware of the location from which searches are performed, because those searches may reveal police or fire IP addresses.

The bulletin also strongly suggested the following steps:

  • Be familiar with and set the strongest privacy controls possible on social media sites;
  • Remove address, date of birth, phone number, email address and other PII from social media profiles;
  • Audit all personal and family photographs accessible on the internet and attempt to remove, if possible;
  • Search for personal and family photographs posted/tagged by “friends” and “friends of friends” on social media and remove yourself from the tag list;
  • Follow strict password security protocols on all devices and online accounts; update regularly;
  • Use two-factor authentication whenever possible;
  • Monitor credit reports; consider purchasing year-round credit monitoring through trustworthy services or directly from the credit bureaus;
  • Be aware of social engineering tactics and scams aimed at obtaining PII or sensitive information;
  • Implement sustainable processes for securely configuring operating systems, applications, workstations, servers, and network devices; and
  • Install operating system updates when they are available.

First responders are encouraged to report suspicious activity to law enforcement by calling the Multi-State Information Sharing & Analysis Center (MS-ISAC) Security Operations Center at 1-866-787-4722 or emailing

J.J. Green

JJ Green is WTOP's National Security Correspondent. He reports daily on security, intelligence, foreign policy, terrorism and cyber developments, and provides regular on-air and online analysis. He is also the host of two podcasts: Target USA and Colors: A Dialogue on Race in America.

Federal News Network Logo
Log in to your WTOP account for notifications and alerts customized for you.

Sign up