DEL RIO, Texas – A federal grand jury in Del Rio returned an indictment charging a Mexican national with four counts related to methamphetamine trafficking.
According to court documents, Veronica Sanchez-Pineda, 46, of Piedras Negras, Coahuila, Mexico, approached the Eagle Pass Port of Entry in a pickup truck on April 20, allegedly giving Customs and Border Protection officers a negative declaration for contraband including narcotics. A secondary inspection allegedly resulted in the discovery of a crystal-like substance inside an auxiliary tank in the bed of the truck. The liquid was extracted and resulted in a positive test result for the properties of methamphetamine, a criminal complaint alleges. The total approximate weight of the alleged narcotic was 521.03 kg.
The criminal complaint also alleges that Sanchez-Pineda consented to a search of her cell phone, which contained a text message about a “job” in Eagle Pass as well as screenshots of money transfers between the defendant and another individual. Sanchez-Pineda allegedly admitted to being involved in illegal activity regarding the contents of the auxiliary tank and that she was being compensated in Mexican Pesos.
Sanchez-Pineda is charged with one count of conspiracy to possess with intent to distribute methamphetamine; one count of possession of methamphetamine with intent to distribute; one count of conspiracy to import methamphetamine; and one count of importation of methamphetamine. She was arrested and made her initial court appearance April 24 before U.S. Magistrate Judge Matthew H. Watters of the U.S. District Court for the Western District of Texas. If convicted, Sanchez-Pineda faces 10 years to life in prison and up to a $10 million fine. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Acting U.S. Attorney Margaret Leachman for the Western District of Texas made the announcement.
Homeland Security Investigations is investigating the case.
Assistant U.S. Attorney Warsame Galaydh is prosecuting the case.
This case is part of Operation Take Back America, a nationwide initiative that marshals the full resources of the Department of Justice to repel the invasion of illegal immigration, achieve the total elimination of cartels and transnational criminal organizations (TCOs), and protect our communities from the perpetrators of violent crime. Operation Take Back America streamlines efforts and resources from the Department’s Organized Crime Drug Enforcement Task Forces (OCDETFs) and Project Safe Neighborhood (PSN).
An indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
CONCORD – A Dover man pleaded guilty yesterday in federal court to stalking three women he was in romantic relationships with by using anonymous phone numbers and email accounts to create a fictitious stalker, Acting U.S. Attorney Jay McCormack announced.
Jason Subirana, age 48, pleaded guilty in federal court in Concord to three counts of Stalking. U.S. District Court Judge Steven J. McAuliffe scheduled sentencing for August 27, 2025.
According to the charging documents and statements made in court, between November 2016 and December 2021, the defendant stalked three women he was in romantic relationships with. He used more than 50 anonymous phone numbers, provided by TextNow, and anonymous email accounts to send over 650 harassing messages to the three victims from a fictitious stalker. He attempted to manipulate his victims, catch them in lies, and cause emotional distress. For example, he sent one victim a text message that read:
“How can you b*tch to everyone about your birthday? You should be grateful he’s put up with all your lies and shit for so long. Stop trying to make him look like a bad guy, he’s the best thing you have and lucky he hasn’t put you to the curb like the trash bag that you are. Own your shit and stop lying to everyone. You want more? Be honest to EVERYONE around you. Stop thinking you are smarter than everyone.”
In addition to sending harassing communications to the victims, the defendant also sent himself harassing messages from the fictitious stalker using anonymous accounts. For example, the defendant texted himself from an anonymous TextNow number, “Do you really think you’re the only one she’s banging? You really should get yourself tested. Put something in the mail for you, keep an eye out for it.” On February 10, 2021, the defendant texted himself from an anonymous TextNow number, “How many times do you think she’s going to take it this afternoon before coming to give you sloppy seconds?”
The defendant also collected compromising information about the victims and then sent the compromising information to himself under the guise that he had received it from “the stalker.” For example, the defendant gained access to Victim 2’s email account and forwarded himself an email exchange from 2015 in which Victim 2 mentioned a potential romance with an acquaintance of hers. The defendant orchestrated a series of email forwards through anonymous accounts before the email made its way back to Victim 2. This email controversy led to Victim 2 admitting to the defendant a prior romantic relationship with that acquaintance, with the defendant responding, “You’re only telling me this now because of the email you got. What else are you hiding from me?” and “What wlse [sic] is out there? Has this all been based on lies???”
The defendant actively distanced himself from “the stalker” by accusing innocent individuals of being his victim’s “stalker.” For example, the defendant sent numerous harassing messages to a male colleague of Victim 3. Between April 22, 2018, and August 15, 2018, the defendant sent 52 harassing text messages to the victim’s colleague from at least five anonymous TextNow numbers. The defendant also sent the victim’s colleague numerous explicit photos of a woman’s body that resembled Victim 3 but was not in fact Victim 3. When Victim 3 described this to the defendant in messages, he then sent himself multiple messages from “the stalker,” including two of the explicit photos that he had sent to the victim’s colleague and suggested to Victim 3 that her colleague was in fact her stalker.
The charging statute provides for a sentence of a maximum penalty of 5 years in prison. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.
The Federal Bureau of Investigation led the investigation. Assistant U.S. Attorney John Kennedy is prosecuting the case.
CHARLOTTE, N.C. – Dujuan Marquise McNeil, 39, of Charlotte, was sentenced yesterday to 10 years in prison followed by three years of supervised release for illegal possession of a firearm after he assaulted two U.S. Postal Service mail carriers on the same day, announced Russ Ferguson, U.S. Attorney for the Western District of North Carolina.
Rodney Hopkins, Inspector in Charge of the Atlanta Division of the U.S. Postal Inspection Service (USPIS), which oversees Charlotte, joins U.S. Attorney Ferguson in making today’s announcement.
“My office will continue to aggressively prosecute those that threaten or harm our postal workers,” said U.S. Attorney Ferguson. “Postal workers are hard-working Americans that are vital to our way of life and essential to our system of commerce.”
“A core mission of the U.S. Postal Inspection Service is to provide a safe environment for Postal employees and the American public. Illegal weapons threaten the safety of all our communities,” said Inspector in Charge Hopkins. “We extend our utmost appreciation to our law enforcement partners and the U.S. Attorney’s Office in the Western District of North Carolina for supporting our mission and bringing this investigation to a successful conclusion.”
According to court records, on June 1, 2023, McNeil used firearms to threaten two U.S. Postal Service mail carriers. In both instances, McNeil used his vehicle to block a mail truck before threatening the carrier inside with his guns. McNeil believed someone with the post office had stolen an unidentified item from his package. McNeil also went to a local post office to complain about the alleged theft. Clerks at that office reported that McNeil stated he would kill whichever carrier was responsible for the alleged theft.
During the investigation, law enforcement determined that McNeil had multiple prior criminal convictions, including Possession of a Firearm by a Felon, Discharge of a Weapon into Occupied Property, and Domestic Violence Protective Order Violation, and was prohibited from possessing firearms.
On June 14, 2023, a federal search warrant was executed at McNeil’s residence, where law enforcement found and seized multiple firearms, including: three 9mm semi-automatic pistols (one fitted with an extended magazine); a Polymer 80 9mm semi-automatic pistol (commonly referred to as a “ghost gun”) with an extended magazine; an AR15 semi-automatic rifle; multiple magazines; and nearly 300 rounds of ammunition.
On October 30, 2024, McNeil pleaded guilty to possession of a firearm by a convicted felon. He is currently in federal custody and will be transferred to the custody of the Federal Bureau of Prisons.
In making today’s announcement U.S. Attorney Ferguson commended USPIS for their work in this investigation and thanked the Bureau of Alcohol, Tobacco, Firearms and Explosives and the Charlotte Mecklenburg Police Department for their assistance.
The U.S. Attorney’s Office in Charlotte prosecuted the case.
AUSTIN, Texas – An Austin man was sentenced in a federal court in Austin to 144 months in federal prison for one count of being a felon in possession of a firearm.
According to court documents, Steven Moreno Briseno, 38, was arrested by Austin Police when he surrendered during a barricaded standoff at his family’s residence on Nov. 30, 2023. Briseno had allegedly been under the influence of methamphetamine and got into an altercation with his wife, physically assaulting her and then fleeing on foot when officers arrived in response to a 911 call.
Briseno ran into a vacant apartment across the street then sprinted back to his residence, where he barricaded himself inside. Briseno’s aggressive behavior escalated as he refused the officers’ commands to exit the residence, made comments about arming himself, and threatened to start shooting if the officers did not back away from his residence. Officers observed Briseno fashioning a tripod through a window and mounting a long rifle on top. He was also seen smoking from a glass pipe that resembled a meth pipe while he loaded numerous rounds into rifles, handguns, and at least one shotgun. Additionally, officers watched Briseno exit the residence with a gun in his hand while wearing a camouflaged tactical vest.
When APD SWAT arrived on the scene, Briseno was instructed to exit the residence with his hands up and empty. Subsequently, he fired at least one round from one of his firearms from inside the residence to an unspecified location outside the residence. After several minutes of speaking via loudspeaker, Briseno surrendered to APD. Inside the residence, officers located numerous firearms, loaded magazines, and boxes of ammunition in plain view, including on top of the kitchen table and staged near the front door and multiple windows in the front of the house.
Briseno had previously been convicted of multiple felonies, including burglary on Nov. 30, 2022. He pleaded guilty to one count of felon in possession of a firearm on Jan. 15, 2025.
Acting U.S. Attorney Margaret Leachman for the Western District of Texas made the announcement.
The Bureau of Alcohol, Tobacco, Firearms and Explosives and the Austin Police Department investigated the case.
Assistant U.S. Attorney Grant Sparks prosecuted the case.
The defendant sold undercover agents more than 2,000 grams of drugs.
Baltimore, Maryland – Derrick Nutter, 40, of Baltimore, Maryland, pled guilty to conspiracy to commit drug trafficking in federal court.
Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the plea with Special Agent in Charge Toni M. Crosby, Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF).
According to the guilty plea, Nutter unknowingly met with undercover agents on multiple occasions to sell methamphetamine, fentanyl, cocaine, and a loaded AR-style pistol.
On June 12, 2024, Nutter sold an undercover agent approximately 109 grams of cocaine for $3,600, approximately seven grams of methamphetamine for $100, and a free sample of fentanyl. Then on June 20, 2024, Nutter sold the undercover agent approximately 85 grams of suspected fentanyl for $3,300, and approximately 79 grams of cocaine for $2,700.
Additionally, on the same date, Nutter sold the undercover agent a 5.56 caliber AR-style privately made pistol with no serial number. It was equipped with an Axeon optic and loaded with 12 rounds of ammunition. The substance Nutter described as fentanyl was actually Schedule I ortho-Methylfentanyl – a fentanyl analogue.
Nutter sold cocaine and MDMA to a second undercover agent on June 25, 2024, and August 22, 2024. He also explained that his “girl” was receiving a package of drugs in the mail. Investigators identified Nutter’s “girl” as co-conspirator Khristina Williams.
On September 3, 2024, Nutter was at Williams’ residence and then he drove to a planned meeting location to sell the second undercover agent drugs. Nutter met the undercover agent and sold approximately 223 grams of methamphetamine in exchange for $4,000. He returned to his vehicle where authorities observed Williams seated in the front passenger seat.
Then on September 10, 2024, Nutter met with two undercover agents and sold them approximately 525 grams of methamphetamine in exchange for $6,100. He also provided a free sample of fentanyl. Nutter agreed to sell the undercover agents additional fentanyl if they came to his home.
While en route to his home, Nutter called Williams multiple times. After arriving at his residence, Nutter sold the undercover agents several hundred fentanyl pills. Eventually, Nutter and the undercover agents walked outside and met with Williams, who had arrived in her vehicle. Nutter retrieved several hundred additional fentanyl pills from Williams and handed them to the undercover agents. The undercover agents paid Nutter $3,900 in exchange for the drugs, including nearly 800 fentanyl pills.
On October 3, 2024, the two undercover agents met Nutter in a public parking lot. After Nutter sold them approximately 830 grams of methamphetamine, authorities arrested him. During the undercover operation, Nutter sold agents approximately 1,595 grams of methamphetamine, 298 grams of cocaine, 90 grams of fentanyl, 85 grams of fentanyl analogue, and the loaded AR-style pistol.
Nutter faces a maximum sentence of 20 years in prison. Sentencing is scheduled for Wednesday, September 17, at 11 a.m.
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.
U.S. Attorney Hayes commended the ATF for their work in the investigation. Ms. Hayes also thanked Assistant U.S. Attorney James O’Donohue who is prosecuting the case.
Greenbelt, Maryland – Chase William Mulligan, 28, of Silver Spring, Maryland, pled guilty to two counts of producing child sexual abuse material in federal court. The charges are in connection with a scheme in which he met young girls through social media and internet chat rooms and eventually “sextorted” them.
Specifically, through the scheme, Mulligan coerced at least 108 girls — ranging from ages 5-17 — to send him sexually explicit photographs and videos of themselves. When the girls told him they no longer wanted to send him sexually graphic images, Mulligan threatened to post the images online or come to their house.
Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the guilty plea with Special Agent in Charge William J. DelBagno of the Federal Bureau of Investigation (FBI) – Baltimore Field Office.
“Mulligan used manipulation, fear, and intimidation to exploit over 100 young victims. Now we must ensure that we send a clear message to Mulligan, and others, that those who abuse the most vulnerable members of our communities will pay a steep price,” Hayes said. “We’re committed to working with our law-enforcement partners to relentlessly pursue, prosecute, and bring to justice those who engage in these deplorable acts.”
“Chase Mulligan is a depraved and dangerous predator. He used social media to target, viciously threaten, and horribly abuse more than 100 minor victims – one as young as five years old,” DelBagno said. “His abhorrent behavior is not diminished by the fact he was thousands of miles away and never met his victims, rather, it’s the opposite. Despite his distance, he presents a serious threat to any child he can access through the internet. The FBI works diligently every day to find and arrest predators like Mulligan so they can no longer prey on innocent children.”
As detailed in the plea agreement, between at least 2019 and December 2023, Mulligan used numerous Snapchat, Discord, Roblox, Skype, Omegle, and Instagram accounts to target young girls. He convinced minors living in the United States, Canada, Denmark, Spain, Philippines, Australia, and United Kingdom to produce and send him sexually explicit images.
Mulligan also directed minors to expose their genital areas and engage in sexual conduct. Additionally, Mulligan coerced multiple girls to urinate on camera, insert objects into their genitalia, and participate in sexual acts with dogs.
After some victims informed Mulligan that they no longer wished to send him sexually explicit images, he threatened to publicly post the images or come to their homes. Mulligan wanted the victims to send more images depicting increasingly graphic sexual conduct.
As part of his plea agreement, Mulligan must register as a sex offender in places where he resides, is an employee, and is a student, under the Sex Offender Registration and Notification Act.
Mulligan is facing a mandatory minimum of 15 years and a statutory maximum of 60 years in federal prison. U.S. District Judge Theodore C. Chuang scheduled sentencing for Wednesday, August 27, at 2:30 p.m.
This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorney’s Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, visit www.justice.gov/psc. Click the “Resources” tab on the left side of the page to learn about Internet safety education.
U.S. Attorney Hayes commended the FBI for its work in the investigation. Ms. Hayes also thanked Assistant U.S. Attorneys Megan S. McKoy and Elizabeth Wright who are prosecuting the case.
PIERRE – United States Attorney Alison J. Ramsdell announced today that U.S. District Judge Eric C. Schulte has sentenced a Mission, South Dakota woman convicted of Larceny and Failure to Appear. The sentencing took place on May 19, 2025.
Kylie Leader Charge, age 19, was sentenced to eight months in federal prison, followed by three years of supervised release. Leader Charge was further ordered to pay a $200 special assessment to the Federal Crime Victims Fund and $1,000 in restitution.
Leader Charge was indicted by a federal grand jury in February 2024. She pleaded guilty on February 20, 2025.
The conviction for Larceny stemmed from an incident that occurred in November of 2023, within the Rosebud Sioux Indian Reservation, when Leader Charge and a co-defendant stole a vehicle near Mission, drove it in a reckless manner, and caused damage to the vehicle.
Following her Indictment, Leader Charge was released on bond. On March 21, 2024, Leader Charge failed to appear for a bail review hearing as required by her bond conditions. She was subsequently indicted for Failure to Appear.
These matters were prosecuted by the U.S. Attorney’s Office because the Major Crimes Act, a federal statute, mandates that certain violent crimes alleged to have occurred in Indian Country be prosecuted in Federal court as opposed to State court.
These cases were investigated by the Rosebud Sioux Tribe Law Enforcement Services and the United States Marshals Service. Assistant U.S. Attorney Meghan N. Dilges prosecuted the cases.
Leader Charge was immediately remanded to the custody of the U.S. Marshals Service.
NATO Secretary General Mark Rutte welcomed Czech President Petr Pavel to NATO Headquarters on Wednesday (21 May 2025) to discuss preparations for the upcoming NATO Summit in The Hague.
The Secretary General praised Czechia as a strong and reliable Ally, highlighting its defence investment and support to Ukraine. “You spend more than 2% of GDP on defence, and I welcome the commitment you’ve already made to increase defence spending to 3% in the coming years,” said Mr Rutte.
Czechia plays an important role in NATO’s deterrence and defence, contributing to Forward Land Forces in Slovakia, Latvia and Lithuania. This year, Czechia will also deploy combat aircraft to Iceland in support of NATO’s air policing mission.
The Secretary General commended Czechia’s substantial support to Ukraine, including over 1.3 billion euros in military assistance. He welcomed the success of the Czech-led ammunition initiative, which has helped deliver over 3 million rounds of large-calibre ammunition to Ukraine, including 1.5 million in 2024 alone. Mr Rutte also underlined Czechia’s growing role in NATO’s long-term support to Ukraine, including contributions to NATO’s Security Assistance and Training command (NSATU) in Wiesbaden and the deployment of 20 personnel to NSATU’s Logistics Enabling Nodes this July.
Looking ahead to the NATO Summit in The Hague, Secretary General Rutte stressed the importance of strengthening NATO’s deterrence and defence even further, increasing defence spending, and building a stronger and more innovative transatlantic defence industry. “We will need to do much more, and this will remain our focus as we prepare for The Hague Summit,” he said. “We have a lot of work to do. And I know I can count on Czechia’s continued commitment and leadership.”
Source: Federal Bureau of Investigation FBI Crime News (b)
KANSAS CITY, Mo. – A Kansas City, Mo., man was indicted by a federal grand jury on charges related to child pornography.
According to an indictment returned this week, Jeffrey Lynn Petrie, 40, of Kansas City, Mo., was charged with one count of distributing child pornography over the internet in May 2024, and one count of receiving child pornography from Dec. 9, 2024, to Dec. 10, 2024.
The indictment replaces a complaint originally filed on Friday, April 25, 2025. According to an affidavit filed in support of the criminal complaint, law enforcement officers received a Cybertip reporting that a user, “kinkypopper69,” was uploading video files depicting child sexual abuse materials. Petrie was later identified as the user “kinkypopper69.”
On April 24, 2025, the FBI conducted a search at Petrie’s residence and seized a cell phone and other electronic devices.
Petrie is a registered sex offender in Missouri based on prior convictions for child molestation in the 2nd degree.
The charges contained in this indictment are simply accusations, and not evidence of guilt. Evidence supporting the charges must be presented to a federal trial jury, whose duty is to determine guilt or innocence.
Under federal statutes, if convicted of distribution and receipt of child pornography, a prison sentence of not less than 15 years and not more than 40 years and a fine of up to $250,000 is authorized on each count. The maximum statutory sentence is prescribed by Congress and is provided here for informational purposes, as the sentencing of the defendant will be determined by the court based on the advisory sentencing guidelines and other statutory factors. A sentencing hearing will be scheduled after the completion of a presentence investigation by the United States Probation Office.
This case is being prosecuted by Assistant U.S. Attorney Teresa A. Moore. This case was investigated by the Federal Bureau of Investigation, and the Franklin County, Missouri Sheriff’s Office.
Project Safe Childhood
This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys’ Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit www.usdoj.gov/psc. For more information about Internet safety education, please visit www.usdoj.gov/psc and click on the tab “resources.”
Source: Federal Bureau of Investigation FBI Crime News (b)
ALBUQUERQUE – A Shiprock man has been charged with assault with a dangerous weapon following a shooting incident outside a restaurant.
According to court documents, Navajo Nation Police responded to a 911 call reporting that an individual had been shot in the hand in front of the Little Caesars Restaurant in Shiprock. Officers located the suspect, identified as Terrold Tyler, 35, an enrolled member of the Navajo Nation, near the scene carrying a black backpack that contained a homemade firearm and five live shotgun shells. Tyler was detained without incident.
Investigators determined that Tyler and the victim were involved in an argument behind the restaurant prior to the shooting. Tyler allegedly produced the homemade shotgun and shot the victim in the left hand. Paramedics responded to the scene, but the victim declined medical treatment. A social media video depicting Tyler with the firearm was also recovered as evidence.
Tyler is charged with assault with a dangerous weapon and will remain in custody pending trial, which has not yet been scheduled. If convicted of the current charges, Tyler faces up to 10 years in prison.
U.S. Attorney Ryan Ellison and Philip Russell, Acting Special Agent in Charge of the Federal Bureau of Investigation’s Albuquerque Field Office made the announcement today.
The Farmington Resident Agency of the Federal Bureau of Investigation’s Albuquerque Field Office investigated this case with assistance from the Navajo Nation Police Department and Navajo Department of Criminal Investigations. Assistant U.S. Attorney Amy Mondragon is prosecuting the case.
A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.
Description of Targets
The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services
In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].
The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].
The countries with targeted entities include the following, as illustrated in Figure 1:
Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States
Figure 1: Countries with Targeted Entities
Initial Access TTPs
To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to):
The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]
Credential Guessing/Brute Force
Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].
Spearphishing
GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.
Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:
Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org
The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].
CVE Usage
Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].
Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.
Post-Compromise TTPs
After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].
The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:
C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command
Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed Python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].
Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]
After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged Python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including:
sender,
recipient,
train/plane/ship numbers,
point of departure,
destination,
container registration numbers,
travel route, and
cargo contents.
In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.
Malware
Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:
While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.
Persistence
In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence.
Exfiltration
GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected.
Connections to Targeting of IP Cameras
In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.
The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration.
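As an added example (not part of the advisory), the following Python analyzer applies the DESCRIBE-request pattern above to constructed RTSP request logs: it reports only the username behind each Basic credential, flags the Hikvision backdoor string listed in the IOC section, and treats several distinct credentials from one source against one camera URL as credential guessing [T1110]. Camera URLs, source addresses and the guess threshold are assumptions.

```python
"""Flag RTSP DESCRIBE traffic matching the camera-targeting pattern in the advisory.

Added example, not advisory code: parses RTSP requests as a sensor or camera
gateway might log them, decodes Basic credentials only far enough to report the
username, flags the Hikvision backdoor string from the IOC list, and flags one
source trying several distinct credentials against one camera. All requests
below are constructed samples using documentation address ranges.
"""
import base64
import binascii
import re
from collections import defaultdict

HIKVISION_BACKDOOR_B64 = "YWRtaW46MTEK"   # IOC from the advisory's "Malicious scripts" list

REQUEST_LINE = re.compile(r"^DESCRIBE\s+(\S+)\s+RTSP/1\.0\s*$")
BASIC_AUTH = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$", re.I)


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def _describe(url: str, cseq: int, creds_b64: str) -> str:
    """Build a DESCRIBE request string (constructed sample data)."""
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            f"Authorization: Basic {creds_b64}\r\n\r\n")


CAM_A = "rtsp://192.0.2.10:554/Streaming/Channels/101"   # assumed camera URLs
CAM_B = "rtsp://192.0.2.11:554/live"
SAMPLE_REQUESTS = [                                    # (source IP, raw request)
    ("203.0.113.5", _describe(CAM_A, 2, _b64("admin:guess-one"))),
    ("203.0.113.5", _describe(CAM_A, 3, _b64("admin:guess-two"))),
    ("203.0.113.5", _describe(CAM_A, 4, _b64("admin:guess-three"))),
    ("203.0.113.5", _describe(CAM_A, 5, HIKVISION_BACKDOOR_B64)),
    ("198.51.100.7", _describe(CAM_B, 1, _b64("operator:long-unique-passphrase"))),
    ("198.51.100.7", f"OPTIONS {CAM_B} RTSP/1.0\r\nCSeq: 0\r\n\r\n"),
]


def parse_describe(raw: str):
    """Return (url, basic_b64_or_None) for a DESCRIBE request, else None."""
    lines = re.split(r"\r?\n", raw)
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    creds = None
    for line in lines[1:]:
        am = BASIC_AUTH.match(line)
        if am:
            creds = am.group(1)
    return m.group(1), creds


def decode_basic(b64: str):
    """Decode a Basic credential blob; None when it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def username_of(b64: str):
    """Only the username is surfaced in findings; the secret part is never logged."""
    decoded = decode_basic(b64)
    return decoded.split(":", 1)[0].strip() if decoded else None


def analyze(requests, guess_threshold: int = 3):
    """Return findings for backdoor-string use and per-(source, camera) guessing bursts."""
    findings = []
    tried = defaultdict(set)            # (src, url) -> distinct credential blobs seen
    for src, raw in requests:
        parsed = parse_describe(raw)
        if parsed is None:
            continue
        url, b64 = parsed
        if b64 is None:
            continue
        tried[(src, url)].add(b64)
        # the backdoor string has been seen both as a header value and inside URLs
        if b64 == HIKVISION_BACKDOOR_B64 or HIKVISION_BACKDOOR_B64 in url:
            findings.append({"type": "hikvision_backdoor_string", "src": src, "url": url})
    for (src, url), blobs in tried.items():
        if len(blobs) >= guess_threshold:
            findings.append({"type": "credential_guessing", "src": src, "url": url,
                             "distinct_credentials": len(blobs),
                             "usernames": sorted({u for u in map(username_of, blobs) if u})})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS):
        print(finding)
```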
From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
Table 1: Geographic distribution of targeted IP cameras
Country     Percentage of Total Attempts
Ukraine     81.0%
Romania      9.9%
Poland       4.0%
Hungary      2.8%
Slovakia     1.7%
Others       0.6%
Mitigation Actions
General Security Mitigations
Architecture and Configuration
Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data, such as mail servers and domain controllers [D3-PM], first.
Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
Heuristic detections for web requests to new subdomains, including subdomains of the hosting and API mocking providers referenced above, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Identity and Access Management
Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:
Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
Use account throttling or account lockout [D3-ANET]:
Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
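As an added example (not part of the advisory), the following Python class implements the throttling policy described above: the delay doubles per failure, lockout applies only after 5 to 10 attempts and only when enabled, a recovery step clears it, and a per-source view surfaces password spraying [T1110.003], which stays below any per-account threshold. Delay, cap and reset values are assumptions.

```python
"""Progressive login throttling with an optional, bounded lockout.

Added example, not advisory code: throttling is preferred to lockout, the
delay grows with each failure, lockout (if enabled) allows 5 to 10 attempts and
is cleared only through a recovery step, and failures are also counted per
source so that spraying across many accounts is still visible. The caller
supplies timestamps; delay and reset periods are assumed values.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    next_allowed: float = 0.0       # earliest time another attempt is accepted
    locked: bool = False


class LoginThrottle:
    def __init__(self, base_delay: float = 1.0, max_delay: float = 300.0,
                 lockout_after: Optional[int] = 10, reset_after: float = 3600.0):
        # lockout_after=None disables lockout entirely (throttle-only mode)
        if lockout_after is not None and not 5 <= lockout_after <= 10:
            raise ValueError("lockout, if used, should allow 5 to 10 attempts")
        self.base_delay, self.max_delay = base_delay, max_delay
        self.lockout_after, self.reset_after = lockout_after, reset_after
        self._accounts: Dict[str, AccountState] = {}
        self._by_source: Dict[str, Set[str]] = {}   # source -> accounts it failed against

    def check(self, account: str, now: float) -> Tuple[str, float]:
        """('allow', 0) | ('throttled', seconds_to_wait) | ('locked', 0)."""
        st = self._accounts.get(account)
        if st is None:
            return ("allow", 0.0)
        if st.locked:
            return ("locked", 0.0)
        if now < st.next_allowed:
            return ("throttled", st.next_allowed - now)
        return ("allow", 0.0)

    def record(self, account: str, now: float, success: bool,
               src: Optional[str] = None) -> None:
        """Update state after an authentication attempt has been evaluated."""
        st = self._accounts.get(account)
        if success:
            if st is not None and not st.locked:     # a lock is cleared only by unlock()
                del self._accounts[account]
            return
        if st is None:
            st = self._accounts[account] = AccountState()
        if st.failures and now - st.last_failure > self.reset_after:
            st.failures = 0                           # old failures age out
        st.failures += 1
        st.last_failure = now
        # delay per failure: base, 2*base, 4*base, ... capped at max_delay
        st.next_allowed = now + min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        if self.lockout_after is not None and st.failures >= self.lockout_after:
            st.locked = True
        if src is not None:
            self._by_source.setdefault(src, set()).add(account)

    def unlock(self, account: str) -> None:
        """Recovery process completed (verified identity): clear the lock and history."""
        self._accounts.pop(account, None)

    def spray_sources(self, min_accounts: int = 10):
        """Sources that failed against many distinct accounts: a spraying indicator."""
        return sorted(s for s, accts in self._by_source.items() if len(accts) >= min_accounts)
```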
IP Camera Mitigations
The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:
Ensure IP cameras are currently supported. Replace devices that are out of support.
Apply security patches and firmware updates to all IP cameras [D3-SU].
Disable remote access to the IP camera, if unnecessary [D3-ITF].
Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
If supported, enable authenticated RTSP access only [D3-AA].
Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
Configure, tune, and monitor logging—if available—on the IP camera.
Indicators of Compromise (IOCs)
Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.
Utilities and scripts
Legitimate utilities
Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
wevtutil – A legitimate Windows executable used by threat actors to delete event logs
vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
ADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services
OpenSSH – The Windows version of a legitimate open source SSH client
schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
whoami – A legitimate Windows executable used to retrieve the name of the current user
tasklist – A legitimate Windows executable used to retrieve the list of running processes
hostname – A legitimate Windows executable used to retrieve the device name
arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
net – A legitimate Windows executable used to retrieve detailed user information
wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
cacls – A legitimate Windows executable used to modify permissions on files
icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
ssh – A legitimate Windows executable used to establish network shell connections
reg – A legitimate Windows executable used to add to or modify the system registry
Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Malicious scripts
Certipy – An open source Python tool for enumerating and abusing Active Directory Certificate Services
Get-GPPPassword.py – An open source Python script for finding insecure passwords stored in Group Policy Preferences
ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
Hikvision backdoor string: “YWRtaW46MTEK”
Suspicious command lines
While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
edge.exe “-headless-new -disable-gpu”
ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
Detections
Customized NTLM listener
rule APT28_NTLM_LISTENER {
    meta:
        description = "Detects NTLM listeners including APT28's custom one"
    condition:
        ( any of ($sysinternals_*) and any of ($psexec_*) )
        or
        ( 2 of ($network_*) and 2 of ($psexec_*) )
}
The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names grouped under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.
Further Reference
To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc.
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
United States organizations
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3)
United Kingdom organizations
Germany organizations
Czech Republic organizations
Poland organizations
Australian organizations
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
Estonia organizations
French organizations
French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at 3218 or +33 9 70 83 32 18.
See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.
Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
Appendix C: MITRE D3FEND Countermeasures
Table 16: MITRE D3FEND countermeasures
Countermeasure Title
ID
Details
Network Isolation
Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
Access Mediation
Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
Inbound Traffic Filtering
Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
Resource Access Pattern Analysis
Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Outbound Traffic Filtering
Block NTLM/SMB requests to external infrastructure.
Platform Monitoring
Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
System File Analysis
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
Application Hardening
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
Application-based Process Isolation
Enable attack surface reduction rules to prevent executable content from email.
Executable Allowlisting
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
Execution Isolation
Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
Application Configuration Hardening
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
Process Spawn Analysis
Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
URL Reputation Analysis
Use services that provide enhanced browsing services and safe link checking.
Network Access Mediation
Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
Domain Name Reputation Analysis
Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Multi-factor Authentication
Use MFA with strong factors and require regular re-authentication, especially for management accounts.
Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts.
User Account Permissions
Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
Token-based Authentication
Reduce reliance on passwords; instead, consider using services like single sign-on.
Credential Hardening
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
Authentication Event Thresholding
Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout.
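The throttling and lockout policy described above, as an added example that is not from the original advisory: the delay doubles after each counted failure, an account locks after the configured threshold (validated against the 5 to 10 range), and attempts arriving during a throttle window are refused without being counted. The credential store, parameters and the `now` clock argument are constructed for the example.

```python
"""Progressive throttling plus account lockout for a login endpoint.

Added example (not from the original advisory). The credential store,
parameters and timing are constructed for illustration; `now` is passed in
explicitly so the policy is deterministic and testable.
"""
import hashlib
import hmac
from dataclasses import dataclass

SALT = b"constructed-salt"  # a real store uses a random per-user salt


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store: one user with a PBKDF2 hash.
CREDENTIALS = {"alice": _hash("correct horse battery staple", SALT)}


def verify_password(user, password):
    stored = CREDENTIALS.get(user)
    if stored is None:
        _hash(password, SALT)  # same work for unknown users, so timing does not reveal them
        return False
    return hmac.compare_digest(stored, _hash(password, SALT))


@dataclass
class AccountState:
    failures: int = 0
    next_allowed: float = 0.0   # earliest time (seconds) the next attempt is processed
    locked_until: float = 0.0


class LoginGate:
    """Throttle: the delay doubles after each counted failure (1s, 2s, 4s, ...)
    up to max_delay. Lockout: after lockout_threshold counted failures the
    account is locked for lockout_seconds."""

    def __init__(self, lockout_threshold=5, base_delay=1.0, max_delay=60.0,
                 lockout_seconds=900.0):
        if not 5 <= lockout_threshold <= 10:
            raise ValueError("lockout threshold should be between 5 and 10 attempts")
        self.lockout_threshold = lockout_threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_seconds = lockout_seconds
        self.state = {}

    def delay_after(self, failures):
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, user, password, now):
        st = self.state.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            # Too early: refuse without checking the password. Not counting these
            # stops a flood of requests from locking the account out faster.
            return "throttled"
        if verify_password(user, password):
            self.state.pop(user, None)  # success resets the counters
            return "ok"
        st.failures += 1
        if st.failures >= self.lockout_threshold:
            st.locked_until = now + self.lockout_seconds
            st.next_allowed = st.locked_until
            return "locked"
        st.next_allowed = now + self.delay_after(st.failures)
        return "denied"


def run_scenario():
    """Walk one account through the throttle, into lockout, and out again."""
    gate = LoginGate(lockout_threshold=5, base_delay=1.0)
    # (time, password) pairs constructed so each step hits a different branch.
    script = [(0, "x"), (0.5, "x"), (1, "x"), (3, "x"), (7, "x"), (15, "x"),
              (100, "correct horse battery staple"),
              (1000, "correct horse battery staple")]
    return [gate.attempt("alice", pw, t) for t, pw in script]


if __name__ == "__main__":
    print(run_scenario())
```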
Strong Password Policy
Use a service to check for compromised passwords before using them.
Credential Rotation
Change all default credentials.
Encrypted Tunnels
Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
Software Update
Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
Agent Authentication
Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
User Behavior Analysis
Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
In coordination with the Federal Government of Somalia, U.S. Africa Command (AFRICOM) conducted airstrikes against al Shabaab on May 17, 2025.
The airstrikes occurred approximately 200 km north of Mogadishu near Mabaax, Somalia.
Al Shabaab has proven both its will and capability to attack U.S. forces.
AFRICOM, alongside the Federal Government of Somalia and Somali Armed Forces, continues to take action to degrade al Shabaab’s ability to plan and conduct attacks that threaten the U.S. homeland, our forces, and our citizens abroad.
Specific details about units and assets will not be released to ensure continued operations security.
The USS Forrest Sherman (DDG 98) visited Algiers on a port visit this week. The three-day visit demonstrated the ongoing friendship and security cooperation between the U.S. and Algeria, building off prior port visit stopovers in Algiers and Oran in 2023 by the USNS Trenton (T-EPF 5).
Two overdue snowmobilers were located deceased this past weekend by Hopedale Ground Search and Rescue and Hopedale RCMP.
Shortly before 10:00 p.m. on May 17, 2025, Hopedale RCMP received the report of the two overdue men, ages 41 and 47, who were traveling together on a snowmobile. The two were last seen on the night of May 16 and were destined for a cabin outside of the community for a fishing trip.
Hopedale Ground Search and Rescue were engaged and conducted a search of the area with the assistance of Hopedale RCMP. Tracks led searchers to the ocean where poor ice conditions were observed. The two men and the snowmobile they had been traveling on were located submerged in the water just outside of Hopedale. The bodies of the two men were recovered by GSAR.
The Office of the Chief Medical Examiner is engaged and the investigation is continuing.
RCMP NL offers condolences to the family and friends of the two men and thanks Hopedale Ground Search and Rescue for the assistance provided.
The deployment of Live Facial Recognition (LFR) technology by Met Police officers in Southwark helped put a registered sex offender back behind bars.
LFR is an advanced technology where Met officers position a van equipped with cameras in a pre-agreed location in London.
These cameras capture live footage of people passing by and compare their faces against a database of wanted offenders. If a match is detected, the system generates an alert. An officer will then review the match and decide if they wish to speak with the individual.
On the afternoon of Friday, 10 January, a police van with LFR was operating in the Denmark Hill area, when cameras alerted officers to 73-year-old David Cheneler as being a registered sex offender. Upon being stopped by officers, he was found to be with a six-year-old girl.
Further checks confirmed he was in breach of his Sexual Offences Prevention Order (SOPO), which prevented him from being alone with a child under the age of 14. He was also in possession of a lock knife that was hidden in the buckle of his belt. He was arrested and taken into custody.
Further enquiries from Met officers established Cheneler had picked the child up from school as a favour for her mother, which he’d also done on two previous occasions after building a relationship with them both over the course of a year.
This case is another example of how the Met’s use of LFR is protecting communities by helping officers take dangerous offenders off the streets of London.
The Met is a forerunner in using this technology as part of its commitment to make London safer by harnessing cutting-edge technology and data to identify and apprehend offenders who pose significant risks to our communities.
Detective Constable Adam Pearce of the Met’s local policing team in south-east London, who led the investigation, said:
“This is a prime example of how the Met is using technology to remove dangerous offenders from our streets, and Live Facial Recognition remains an important tool in protecting Londoners.
“Although there were no allegations made towards David Cheneler on this occasion, it’s possible if he hadn’t been identified using this technology, he could have gone on to abuse this child.
“Her mother was completely unaware of his offending history, and along with her young daughter, were both taken advantage of by Cheneler who abused their trust.”
Lindsey Chiswick, the Met’s lead for Live Facial Recognition, said:
“The Met is committed to making London safer, using data and technology to identify offenders that pose a risk to our communities.
“This is a prime example of the variety of uses for LFR. The tool is not only used to find those wanted, but also to stop people on a watch list who have conditions they must adhere to.
“These interventions are crucial. Without this technology, Cheneler may have had the opportunity to cause further harm.”
David Cheneler, 73 (05.04.52), of Lewisham, appeared at Kingston Crown Court on Tuesday, 20 May, where he was sentenced to two years’ imprisonment.
He pleaded guilty at Wimbledon Magistrates’ Court on Monday, 13 January to breaching the conditions of his SOPO, as well as possessing an offensive weapon.
The SOPO was originally imposed in 2019 by the courts, following a previous conviction in 2010 for 15 counts of indecent assault on a female under 16 and five counts of gross indecency with a child between 1968 and 1993, for which he served a nine-year prison term.
Live Facial Recognition enables the Met to take a more precise, intelligence-led approach to tackling crime.
Each deployment is carefully planned based on operational needs and is guided by data to ensure resources are directed at offenders who pose the greatest threat to our communities.
A man has been charged following an investigation by detectives in the Metropolitan Police Service.
Chris Brown, 36 (05.05.89), who is a US National, was charged on Thursday, 15 May with grievous bodily harm with intent.
He appeared in custody at Manchester Magistrates’ Court on Friday, 16 May. He was remanded in custody to appear at Southwark Crown Court on Friday, 13 June.
On Wednesday, 21 May he was granted bail by the court.
The charge relates to an assault, which reportedly took place at a venue in Hanover Square in London, on Sunday, 19 February 2023.
DOHA, Qatar (May 20, 2025) – For the third time in seven years, Qatar hosted U.S. forces to participate in a combined military exercise designed to improve interoperability and strengthen the enduring partnership between the two countries.
Exercise Invincible Sentry 2025 (IS-25) took place April 13-17 and was designed as a crisis-response rehearsal, using scenarios depicting a simulated transnational security threat. The exercise validated U.S. and Qatari crisis-response planning and strengthened staff proficiency and execution in critical mission areas. Qatar previously hosted IS in 2019 and 2021 in preparation for the country to host the 2022 FIFA World Cup tournament.
Gerben Dijksterhuis, Mayor of Borsele, addresses residents who developed a list of conditions for community acceptance of the construction of new nuclear power plants in the municipality. (Photo: Municipality of Borsele, Kingdom of the Netherlands)
The world’s first major gathering of representatives of communities hosting nuclear facilities will take place in Vienna, Austria, from 26 to 30 May 2025 at the IAEA’s International Conference on Stakeholder Engagement for Nuclear Power Programmes. Gerben Dijksterhuis, Mayor of Borsele, Kingdom of the Netherlands, which hosts the country’s only operating nuclear power plant, discusses key aspects of stakeholder engagement for nuclear power:
How has stakeholder engagement changed over time?
In the 1960s and 1970s, there were fierce protests and demonstrations against the arrival of the nuclear power plant, but in recent years we have seen almost no demonstrations. Over the years, the plant operator, EPZ, has learned to communicate openly and transparently. This has contributed to a good relationship with the surrounding community, an important element of EPZ’s ‘licence to operate’. The plant is now seen as a good neighbour.
Borsele organized a unique citizen participation process in 2023 on upcoming large energy projects, including two nuclear power reactors. What prompted you as Mayor, and the local government, to include citizens in the process?
People often have strong opinions either for or against nuclear energy, but the decision about whether new nuclear power plants will be built is ultimately made by the national government. So we’ve focused on the interests of the local community and asked the question: “If two additional nuclear power reactors are built, what will that mean for our municipality and residents? Under what conditions would we accept such a development?” By having this conversation, we’re engaging in a discussion about our shared future and deciding what is needed to keep living, working and enjoying life in our region.
My municipality has over 23 000 residents, so it’s not possible to ask everyone personally about their views on these developments. By randomly selecting 100 residents, we thought we would get a fair range of opinions reflecting the views of all residents. This way, we can look at what’s coming our way as a community with an open mind, without being too influenced by loud supporters or critics. We also wanted to give a voice to young people, who will live with the impact of new nuclear power plants the longest, and to the ‘silent majority’ — residents who are generally less likely to speak out in public debates.
Over the course of 5 meetings, these 100 residents came up with 39 conditions under which major developments could take place, ensuring that the environmental impact is properly considered.
We believe that as a local community we should have a voice in projects happening in our area.
What are some of the common concerns local residents have about nuclear energy projects? To what extent are they different from concerns about other large projects?
We are somewhat used to big projects because we live next to a large industrial area and an international seaport. However, there are concerns about the impact of the construction: we see in other countries how long it takes, how large the construction site is, and how many people work there. Residents mainly think about noise, dust and light pollution and an increase in construction traffic. There are also concerns about this development in relation to the landscape we are so proud of here.
Specifically for the nuclear component, people are concerned about the safety of new nuclear power plants and the continuing perception of a lack of a final solution for nuclear waste.
What is the socioeconomic impact of nuclear energy projects on host communities and neighbouring areas, based on the experience of Borsele?
About 400 people work at the existing nuclear power plant, and many more are employed indirectly. If the construction of two new nuclear power reactors goes ahead, thousands of additional workers will be needed for 5 to 15 years. This will not only create jobs in the region but also provide opportunities for local businesses, educational institutions and housing development. It is an opportunity to invest in the future of the region, with innovation and progress at the forefront. It’s therefore crucial that, as a government and society, we make timely plans to properly manage these developments. The construction of nuclear power plants affects an entire region, and when new nuclear power reactors are built, cooperation with neighbouring municipalities is essential to prepare for this. This includes planning for housing, infrastructure and education.
In addition to being Mayor of Borsele, you are President of the Group of European Municipalities with Nuclear Facilities (GMF Europe). Why is it important for nuclear host communities to organize in such associations?
Nuclear host communities often face or have faced the same challenges. As a network of host communities in different parts of Europe, GMF allows us to learn from each other and find solutions together. We can help each other by sharing information and lessons learned about how to deal with nuclear initiatives. Together, we can also be a stronger voice that is heard in international politics. I am proud that GMF has been invited several times — including by the IAEA — to contribute to new policy and present our vision to participating countries. Together with mayors in Canada and the United States of America, we have also established the Global Partnership of Municipalities with Nuclear Facilities.
It is equally important to advocate for the position of local communities. They must have a voice in developments that take place in their community.
What is the advice you would give to communities that are newcomers to nuclear?
Take an active role, make sure you are well informed, ask the right questions and ensure that the concerns of your community are heard. This not only helps in understanding the impact of nuclear projects, but also ensures that you can actively contribute to decision making and to the process in a way that is in the interest of your community.
Additionally, it is important to join networks of municipalities. This way, you can jointly influence policy, both nationally and internationally. By working with organizations such as the IAEA, we can ensure that policies take into account the needs of host communities.
SAN DIEGO – Ricardo Alonzo of San Diego appeared in federal court today to face charges that he smuggled 17 exotic birds into the United States from Mexico under the seat of his car.
According to a complaint, Alonzo was the driver and registered owner of a vehicle that was intercepted by U.S. Customs and Border Protection officers at the San Ysidro Port of Entry. Officers found four bags containing 10 Burrowing Parakeets, five Yellow-Crowned Amazon Parrots, and two Red-Lored Amazon Parrots underneath the rear seat. The two Red-Lored Amazon Parrot chicks did not survive; the surviving birds were transferred to a quarantine facility managed by the U.S. Department of Agriculture.
“Trafficking exotic birds isn’t just illegal — it’s cruel and dangerous,” said U.S. Attorney Adam Gordon. “These actions put the lives of helpless animals at risk and expose the public and other animals to serious diseases.”
“This charge underscores our unwavering commitment to protecting vulnerable wildlife and holding traffickers accountable for their crimes,” said Shawn Gibson, special agent in charge of HSI San Diego. “We are grateful to our dedicated law enforcement partners whose collaboration was instrumental in bringing this individual to justice.”
According to the U.S. Fish and Wildlife Service, Amazon parrots are native to Mexico, the West Indies, and northern South America, while Burrowing Parakeets are local to Chile and Argentina. All 30-some species of Amazon parrots, as well as the Burrowing Parakeets, are listed on either Appendix I or Appendix II of the Convention on International Trade in Endangered Species of Wild Flora and Fauna (“CITES”).
The successful smuggling of undeclared Amazon parrots and Burrowing Parakeets into the U.S. means no quarantine period or process. This would be dangerous to the United States as birds can carry and spread Avian influenza (bird flu), psittacosis, and histoplasmosis. Bird flu is highly contagious and can cause flu-like symptoms, respiratory illness, pneumonia and death in humans and other birds, including birds in United States poultry farms. Quarantining animals entering the United States is intended to safeguard against this potential disease transmission.
This case is being prosecuted by Assistant U.S. Attorney Parker Gardner-Erickson.
DEFENDANT Case Number 25mj2712-VET
Ricardo Alonzo Age: 26 San Diego, CA
SUMMARY OF CHARGES
Importation Contrary to Law – Title 18, U.S.C., Section 545
Maximum penalty: Twenty years in prison and $250,000 fine
INVESTIGATING AGENCIES
U.S. Fish and Wildlife Service
Homeland Security Investigations
*The charges and allegations contained in an indictment or complaint are merely accusations, and the defendants are considered innocent unless and until proven guilty.
A third man has been charged as part of an investigation into a series of fires in north London.
Petro Pochynok 34 (25.07.90) of north London, a Ukrainian national [C] has been charged with conspiracy to commit arson with intent to endanger life, namely:
conspiring together with Roman Lavrynovych and Stanislav Carpiuc and others unknown to damage by fire property belonging to another,
intending to damage the property,
intending to endanger the life of another or being reckless as to whether the life of another would thereby be endangered.
Pochynok is due to appear at Westminster Magistrates’ Court on Wednesday, 21 May at 10:00hrs.
The charge, which was authorised by the Crown Prosecution Service, relates to a period from Thursday, 17 April to Tuesday, 13 May this year, in which three incidents took place – a vehicle fire in NW5 on Thursday, 8 May, a fire at the entrance of a property in N7 on Sunday, 11 May and a fire at a residential address in NW5 in the early hours of Monday, 12 May.
All have connections with a high-profile public figure, and therefore officers from the Met’s Counter Terrorism Command led the investigation into the fires.
Pochynok was arrested on Monday, 19 May, in the Chelsea area, SW3, on suspicion of conspiracy to commit arson with intent to endanger life.
As part of the same investigation, Roman Lavrynovych 21 (06.02.04), of Sydenham, a Ukrainian national [A] was charged with three counts of arson with intent to endanger life.
He appeared at Westminster Magistrates’ Court on 16 May and was remanded in custody to appear at the Old Bailey on 6 June.
Stanislav Carpiuc, 26 (15.07.98) of Romford, a Romanian national, [B] has also been charged with conspiracy to commit arson with intent to endanger life.
He appeared at Westminster Magistrates’ Court on Tuesday, 20 May and was remanded in custody to appear at the Old Bailey on 6 June.
Anyone with information that could assist the investigation should call police on 101 quoting CAD 441/12 May.
PUERTO PRINCESA, Philippines — U.S. Marines from 2nd Battalion, 1st Marine Regiment, Marine Rotational Force – Darwin (MRF-D) 25.3 Marine Air-Ground Task Force (MAGTF), Australian Army Soldiers with the 5th/7th Battalion, The Royal Australian Regiment (5/7 RAR), Australian Defence Force (ADF), and Philippine Marines from the 3rd Marine Brigade, Philippine Marine Corps (PMC), executed a high-tempo, trilateral simulated airfield insertion during a maritime key terrain security operation (MKTSO) for Exercise Balikatan 25, May 4, 2025.
Source: United States Department of Justice (National Center for Disaster Fraud)
PHILADELPHIA – United States Attorney David Metcalf announced that Zaven Yeghiazaryan, 44, of Newtown, Pennsylvania, pleaded guilty before the Honorable Gerald J. Pappert to 13 counts of an indictment charging him with conspiracy, health care fraud, wire fraud, and money laundering in connection with his execution of a variety of schemes.
The charges arose from the defendant’s commission of fraud offenses targeting, among others, government programs, including through the use of shell companies and false identities, between January 2020 and April 2024. The defendant’s fraud offenses targeted two government programs which offered relief during the Covid-19 pandemic: the Small Business Administration’s Economic Injury Disaster Loan program, and the Pandemic Unemployment Assistance Program. In addition, the defendant admitted that he participated in a scheme to defraud the Medicaid program.
Based upon his guilty pleas to the 13 counts, the defendant faces a maximum possible sentence of 230 years in prison, a three-year period of supervised release, and a $3,250,000 fine, restitution of $334,905 and forfeiture. Sentencing is scheduled for September 4, 2025.
The case was investigated by the Social Security Administration – Office of the Inspector General, Internal Revenue Service – Criminal Investigation, the United States Postal Inspection Service, Homeland Security Investigations, the Department of Health and Human Services – Office of Inspector General, the United States Department of Labor, the United States Department of Transportation – Office of the Inspector General and the State Department. It is being prosecuted by Assistant United States Attorneys Mary E. Crawley and Special Assistant United States Attorney Megan Curran.
GREAT FALLS – A Texas man who failed to register as a sex offender was found guilty by a federal judge today, U.S. Attorney Kurt Alme said.
Following a bench trial, Tracy Allen Reilly, 60, was found guilty of failure to register as a sex offender. Reilly faces 10 years in prison, a $250,000 fine, and at least 5 years to a lifetime of supervised release.
Chief U.S. District Judge Brian M. Morris presided and will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors. Sentencing was set for October 1, 2025. Reilly will remain in custody pending further proceedings.
The government alleged in court documents that in 1995, Tracy Allen Reilly was convicted in Texas of aggravated sexual assault of a child and sentenced to 20 years in custody. He discharged from custody in 2014 and was instructed to register as a sexual offender for the duration of his life. In July 2018, Reilly was convicted of another felony in Texas for violating sex offender registration. After he was released from custody on that sentence, Reilly signed additional registration forms in 2022 and in June of 2023.
Reilly moved to Montana sometime in the fall of 2023. Before he moved, he was informed he would be required to register as a sex offender in Montana. Once in Montana, Reilly camped on federal land around Homestake Lake in Jefferson County. In October 2023, the Jefferson County Sheriff’s Office contacted Reilly and advised him he was required to register as a sex offender.
In November 2023, an officer with the U.S. Forest Service was patrolling the Homestake area and made contact with Reilly. The officer learned Reilly was a non-compliant sex offender, and when the officer again encountered Reilly in January 2024, he told Reilly he needed to register. Reilly never registered as a sex offender in Montana.
On November 6, 2024, the Grand Jury returned an indictment charging Reilly with failure to register as a sex offender, in violation of 18 U.S.C. § 2250(a). Reilly was arrested in December 2024.
The U.S. Attorney’s Office prosecuted the case. The investigation was conducted by the U.S. Marshals Service, U.S. Forest Service, and Jefferson County Sheriff’s Office.
This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results. For more information about Project Safe Neighborhoods, please visit Justice.gov/PSN.
SAN JOSE — Two California men pleaded guilty yesterday to not paying over employment taxes to the IRS.
The following is according to court documents and statements made in court: Lalo Valdez and Matthew Olson, both of Northern California, operated a San Jose-based health informatics and product development company that provided clinical care and technology services to clients in healthcare and academia. Valdez was the CEO and Olson the CFO. As such, both were responsible for the company’s operations, managed its internal books and records, signed checks on behalf of the company, and hired and fired employees. Both men also were responsible for withholding Social Security, Medicare, and federal income taxes from employees’ wages and paying those funds over to the government each quarter. The timely payment of quarterly employment taxes is critical to the functioning of the U.S. government, because, for example, they are the primary source of funding for Social Security and Medicare. The federal income taxes that are withheld from employees’ wages also account for a significant portion of all federal income taxes collected each year.
For every calendar quarter from the first quarter of 2017 through the second quarter of 2021, Valdez and Olson withheld these taxes from employees’ wages but did not pay them over to the IRS or report them on quarterly tax forms. Instead of paying over the taxes, Valdez and Olson used the company’s money to pay for country club memberships and season tickets to the San Jose Sharks of the National Hockey League.
During this same period, Olson also was one of the owners and operators of a day spa located in Saratoga, Calif. There, Olson was responsible for collecting and paying Social Security, Medicare, and income taxes to the IRS. From the second quarter of 2017 through the fourth quarter of 2020, however, Olson collected but did not pay them over to the IRS or report them on quarterly tax forms.
In total, Olson caused a tax loss to the IRS exceeding $2.1 million.
Valdez caused a total tax loss to the IRS of nearly $1.5 million.
Valdez and Olson are scheduled to be sentenced on Oct. 20. Both men face a maximum penalty of five years in prison as well as a period of supervised release, restitution, and monetary penalties. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Acting U.S. Attorney Patrick D. Robbins, Acting Deputy Assistant Attorney General Karen E. Kelly of the Justice Department’s Tax Division, and IRS Criminal Investigation Special Agent in Charge of the Oakland Field Office Linda Nguyen made the announcement.
IRS Criminal Investigation is investigating the case.
Assistant U.S. Attorney Kristina Green and Trial Attorney Mahana Weidler of the Tax Division are prosecuting the case.
WASHINGTON – Kenneth Watts, 57, of Upper Marlboro, Md., and James Kinard, 47, of Temple Hills, Md., were found guilty by a federal jury today for their roles in a drug trafficking conspiracy that distributed large amounts of cocaine, fentanyl and PCP in the DMV. The conspiracy also used firearms to protect their narcotics and the proceeds from their trafficking operation.
The verdicts were announced by U.S. Attorney Jeanine Ferris Pirro, FBI Assistant Director in Charge Steven J. Jensen of the Washington Field Office, DEA Special Agent in Charge Ibrar A. Mian of the Drug Enforcement Administration Washington Division, and Chief Pamela Smith of the Metropolitan Police Department.
The jury found both defendants guilty of conspiracy to distribute and possess with intent to distribute one kilogram or more of PCP. The jury also found defendant Kinard guilty of conspiracy to distribute and possess with intent to distribute 40 grams or more of fentanyl. U.S. District Court Judge Jia M. Cobb scheduled sentencing for August 7, 2025. Watts and Kinard each face a minimum-mandatory sentence of 10 years in federal prison.
Watts has two prior felony drug convictions. Kinard has a prior 1995 conviction for second-degree murder while armed and a prior 2016 conviction for assault with intent to commit robbery while armed and related offenses. Kinard was on supervised release during the investigation in this case.
Three co-defendants pleaded guilty before the case went to trial on May 7.
Melvin Grayson, 51, of District Heights, Maryland, pleaded guilty to conspiracy to distribute a detectable amount of cocaine, 40 grams or more of fentanyl, and one kilogram or more of PCP. Grayson faces a minimum-mandatory sentence of ten years. He has two prior felony drug convictions from 1993.
Tyrone Ragland, 56, aka “Tech,” of the District, pleaded guilty to a charge of conspiracy to distribute one kilogram of PCP. Charles Cunningham, 58, of the District, pleaded guilty to unlawful possession of a firearm by a felon. According to their plea agreements, Ragland and Cunningham will be required to serve 15 years in prison. Cunningham has four prior felony drug convictions.
According to court documents and evidence presented at trial, officers with the Prince George’s County Police Department intercepted a package containing six kilos of PCP at a FedEx facility in Maryland. The officers set up a controlled delivery of the package and stopped defendant Kenneth Watts after he picked it up. In Watts’ cell phone, investigators found text messages linking Watts to the package and to co-defendant Melvin Grayson.
Through controlled purchases and wiretaps, evidence showed that Grayson distributed PCP, fentanyl, cocaine, and heroin, in the Washington, D.C. metropolitan area. The investigation also showed that defendants Ragland, Cunningham, Kinard and others conspired with Grayson to distribute the narcotics. In search warrants conducted at various residences, agents recovered four firearms, more than 2.5 kilos of PCP, more than 100 grams of fentanyl, and approximately $50,000 in cash.
This case is being investigated by the FBI’s Washington Field Office Cross Border Task Force and the DEA Washington Field Office, with assistance from MPD’s Violent Crime Suppression Division and the Prince George’s County Police Department. The Cross Border Task Force is a part of the FBI’S Safe Streets Initiative and targets the most egregious and violent street crews operating in the District of Columbia. Valuable assistance was provided by the U.S. Attorney’s Office for the District of Maryland and the Baltimore/Washington High Intensity Drug Trafficking Area (HIDTA) program.
This investigation was part of an Organized Crime Drug Enforcement Task Force (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at www.justice.gov/OCDETF.
The matter is being prosecuted by Assistant U.S. Attorneys Nihar R. Mohanty and Iris Y. McCranie of the U.S. Attorney’s Office for the District of Columbia.
ST. LOUIS – U.S. District Judge Sarah E. Pitlyk on Tuesday sentenced a purported auto mechanic from Arizona to 33 months in prison and ordered him to repay $1.37 million to his fraud victims.
Beginning in November 2019, Andres “Manny” Lopez, 37, defrauded customers of his Arizona company, All Performance Tuning and Diesel Repair LLC, by accepting money for vehicles, vehicle upgrades and parts with no intention of performing the work or turning over the vehicles. He also damaged some customer vehicles and loaned vehicles to others without the owners’ consent.
A Missouri victim who wanted to buy a vehicle for his mother wired Lopez $45,000 for a Toyota RAV4. Lopez falsely claimed that he’d bought the vehicle, and then provided a series of false excuses about why it was not being delivered. Lopez claimed delivery delays were due to product recalls and even impersonated the general manager of a Florida Toyota dealership in text messages to the client’s mother.
After Lopez was indicted in October of 2023, he defrauded another victim out of approximately $567,892.
Lopez used the money for personal expenses.
In a letter to the court, one victim spoke of Lopez’s pattern: “Promise… then a reason why I cannot meet that promise… then a new promise… then repeat the string (for years).”
Lopez pleaded guilty in February in U.S. District Court in St. Louis to one count of wire fraud.
“For years, Andres Lopez lied to customers to line his own pockets. The lies and manipulation continued even after he had been charged for the crime and released on bond,” said Special Agent in Charge Chris Crocker of the FBI St. Louis Division. “Today, Lopez earned every day of his prison sentence for victimizing people with his fraudulent business practices.”
The FBI investigated the case. Assistant U.S. Attorney Derek Wiseman is prosecuting the case.
OAKLAND – Adesola Kehinde was sentenced yesterday to 57 months in federal prison for unlawful possession of a firearm and ammunition as a felon. U.S. District Judge Araceli Martínez-Olguín handed down the sentence.
Kehinde, 38, of Alameda, was charged by complaint in January 2024 and by information in May 2024. On Dec. 16, 2024, Kehinde pleaded guilty to one count of being a felon in possession of a firearm and ammunition in violation of 18 U.S.C. § 922(g)(1). According to the plea agreement, Kehinde admitted that on Jan. 9, 2024, officers with the Alameda Police Department detained him while he was seated in the driver’s seat of his car, which was parked outside of his apartment building. At the time, Kehinde was on parole after serving a state prison sentence for human trafficking of a minor, threats with intent to terrorize, and robbery. Officers searched Kehinde’s car and located a loaded Glock pistol with one round in the chamber and six rounds inside the magazine inserted into the pistol.
Acting United States Attorney Patrick D. Robbins and FBI Special Agent in Charge Sanjay Virmani made the announcement.
In addition to the prison term, Judge Martínez-Olguín also sentenced Kehinde to a three-year period of supervised release and ordered him to forfeit the firearm and ammunition he possessed.
Assistant U.S. Attorney Jonah Ross is prosecuting the case with the assistance of Amala James. The prosecution is the result of an investigation by the FBI and the Alameda Police Department.
Gulfport, MS – An Ocean Springs, Mississippi man pleaded guilty today to extortion by official right and witness tampering.
According to court documents, Steven Wood, 64, used his position as a Mississippi Probation and Parole officer to extort drugs, sexual photos, and sexual services from multiple state probationers. The investigation was initiated when a probationer reported to the Federal Bureau of Investigation (“FBI”) that Wood was having her bring him methamphetamine. Subsequent investigation, including additional witness interviews and the forensic examination of Wood’s phone, revealed that he solicited methamphetamine, sexual photos, and videos from multiple probationers. Wood took official action on those probationers’ behalf by not reporting their use, possession, or transfer of illegal drugs, not requiring them to report for their probation visits, not requiring some of them to pay their probation fees, and writing at least one letter to be submitted by a probationer in a child custody dispute.
During the course of the investigation, Wood contacted multiple probationers, and he told one probationer to lie about her relationship with Wood and to hide evidence.
Wood pleaded guilty to one count of extortion by official right in violation of the Hobbs Act and one count of witness tampering. He is scheduled to be sentenced on September 17, 2025. He faces not more than 20 years of imprisonment for both the Hobbs Act and Witness Tampering offenses. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
Acting U.S. Attorney Patrick A. Lemon of the Southern District of Mississippi and FBI Special Agent in Charge Rob Eikhoff made the announcement.
The FBI, with the assistance of the Mississippi Department of Corrections and the Mississippi Bureau of Narcotics, is investigating the case.
Assistant U.S. Attorney Jonathan Buckner is prosecuting the case.
Defendant allegedly embezzled hundreds of thousands of dollars from relatives with disabilities
BOSTON – A Lexington, Mass. attorney has been charged and agreed to plead guilty in connection with alleged schemes to defraud Massachusetts victims, including two of his own relatives.
David Smerling, 75, has agreed to plead guilty to a Superseding Information charging him with four counts of wire fraud, two counts of money laundering and one count of aggravated identity theft. Smerling was previously indicted in January 2025 on charges of embezzling from a business partner.
“The alleged multi-million-dollar embezzlement that Mr. Smerling was originally charged with was, unfortunately, just the tip of the iceberg. Today’s charges allege that Mr. Smerling also preyed on a family member with special needs and another with dementia, allegedly stealing money these victims needed for their own care,” said United States Attorney Leah B. Foley.
“For anyone with elderly and vulnerable loved ones, these are frightening allegations,” said Kimberly Milka, Acting Special Agent in Charge of the Federal Bureau of Investigation, Boston Division. “David Smerling allegedly betrayed the trust of his victims and took full advantage – embezzling from them to line his own pockets while trying to cover up his crimes. The FBI will never stop working to protect the public from criminals like this, and we’re gratified to see him brought to justice.”
According to court filings, between January 2016 and May 2020, Smerling embezzled more than $2.5 million from three Massachusetts companies for whom he worked as a bookkeeper. Specifically, it is alleged that Smerling transferred funds from the victim companies into a separate bank account that he controlled, before moving the money to bank accounts in his own name or directly from the companies’ accounts to bank accounts in his own name. Smerling allegedly concealed his scheme by changing the mailing address on victims’ bank statements to his home address and refusing to share the online banking password for the victims’ accounts.
Court filings further allege that, between May 2020 and August 2021, Smerling embezzled more than $470,000 from a trust established for the benefit of a relative with special needs for which Smerling served as the trustee. Smerling allegedly transferred trust funds to bank accounts he controlled before sending the funds to bank accounts in his wife’s name or using the funds to pay for personal expenses. It is alleged that Smerling concealed his scheme by making lulling payments to the beneficiary so he would not discover the trust had been depleted.
Court filings also allege that, between May 2023 and April 2025, Smerling embezzled more than $150,000 from a relative with dementia for whom Smerling served as the financial power of attorney. Specifically, Smerling allegedly transferred funds from the victim’s accounts to accounts he controlled, used a credit card in the victim’s name for personal purchases and took out a loan in the victim’s name. To conceal this scheme, Smerling allegedly misrepresented the purpose of the transfers to the financial institutions in which the victim’s accounts were held.
The charge of wire fraud provides for a sentence of up to 20 years in prison, three years of supervised release and a fine of up to $250,000 or twice the gross gain or loss, whichever is greater. The charge of money laundering provides for a sentence of up to 20 years in prison, three years of supervised release and a fine of up to $500,000 or twice the value of the property involved in the transaction, whichever is greater. The charge of aggravated identity theft provides for a mandatory sentence of two years in prison to be served consecutive to any sentence imposed on the wire fraud and money laundering charges. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.
U.S. Attorney Leah B. Foley and FBI Acting SAC Milka made the announcement today. Assistant U.S. Attorney Kristen A. Kearney of the Securities, Financial & Cyber Fraud Unit is prosecuting the case.
The details contained in the charging documents are allegations. The defendant is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
BUFFALO, N.Y. – U.S. Attorney Michael DiGiacomo announced today that Nicholas Mangione, 44, of Buffalo, NY, pleaded guilty before U.S. District Judge Lawrence J. Vilardo to possession of child pornography following a prior conviction, which carries a mandatory minimum penalty of 10 years in prison, a maximum of 20 years, and a fine of $250,000.
Assistant U.S. Attorney Aaron J. Mango, who handled the case, stated that in April 2013, Mangione was convicted of possession of child pornography and sentenced to serve 48 months in prison. On August 15, 2024, a federal search warrant was executed at Mangione’s residence after it was discovered he uploaded a file containing child pornography to the Snapchat server. During the search, Mangione’s cellular telephone was seized. An examination of the device uncovered approximately 20 images and 52 videos of child pornography. It was also determined that Mangione distributed child pornography to other individuals using the Telegram application in exchange for other child pornographic files.
On August 16, 2024, the defendant was arrested on New York State charges and was found to be in possession of an additional cell phone, which also contained images and videos of child pornography. Some of the child pornography possessed by Mangione depicted the sexual exploitation of an infant or toddler and depictions of violence against children.
The plea is the result of an investigation by the Federal Bureau of Investigation, under the direction of Special Agent-in-Charge Matthew Miraglia, and the New York State Police, under the direction of Major Amie Feroleto.
Sentencing is scheduled for September 30, 2025, at 9:30 a.m. before Judge Vilardo.