The US faces an elevated threat from domestic violent extremists (DVEs) and homegrown violent extremists (HVEs), who are increasingly favoring targeted attacks against high-profile individuals and sabotage over mass-casualty terrorist attacks. The influence of geopolitical conflicts, particularly the Israel-Hamas conflict, and advancements in technology such as UAVs and cryptocurrencies are expected to enhance these adversaries’ operational capabilities. #IslamicState #Hamas #AxisOfResistance #AlQaeda #DomesticViolentExtremists
Key Points
- Targeted attacks against personnel and sabotage of facilities by US-based DVEs are expected to be more frequent and impactful than mass-casualty attacks over the next year.
- Personnel and facilities associated with minorities, government agencies, private industry sectors (defense, healthcare, finance), and critical infrastructure remain at high risk.
- HVEs and DVEs will increasingly use new technologies such as UAVs, generative AI, encrypted communications, cryptocurrencies, and 3D printing to enhance attack capabilities.
- Islamic State supporters represent the most lethal HVE threat in the US, with increased activity linked to developments in Syria and the broader Middle East.
- Al-Qaeda franchises and other groups like Hamas and the Axis of Resistance are unlikely to carry out large-scale attacks but may motivate or financially support US-based violent extremists.
- DVEs such as neo-Nazi accelerationists, anti-government extremists, and anarchists are shifting toward targeted assassinations and attacks on high-profile public figures.
- Executive protection and proactive removal of publicly available personal information are critical measures for mitigating threats against organizational leadership.
MITRE Techniques
- [T1566] Phishing – HVEs and DVEs are likely to continue issuing online threats and conducting disruptive online activities to support attack plots. (“HVEs and DVEs will almost certainly continue issuing online threats…”)
- [T1598] Phishing for Information – Violent extremists conduct doxing and surveillance to gather information on targets. (“…stalking, harassing, and physically approaching victims; and conducting sabotage, surveillance, disruptive demonstrations, doxing, and swatting.”)
- [T1609] Container Administration Command Execution – Use of UAVs and drones in attacks as an emerging technology vector. (“…very likely to accelerate adoption of new technologies, such as commercially available unmanned aerial vehicles (UAVs)…”)
- [T1486] Data Encrypted for Impact – Use of cryptocurrencies to finance operations and facilitate attacks. (“US HVEs almost certainly continue to provide financial assistance… through cryptocurrencies.”)
- [T1622] Compromise Infrastructure – Use of end-to-end encrypted communication platforms to coordinate and enhance operational security. (“…adoption of new technologies, such as… end-to-end encrypted communications platforms…”)
Indicators of Compromise
- [File Hashes] Associated with arrests of IS sympathizers involved in mass-casualty attack plots – example hashes from 2024 DOJ cases (specific hashes not publicly disclosed)
- [IP Addresses] Related to online threat activity platforms used by HVEs and DVEs for communication and coordination (details classified)
- [Domains] Cryptocurrency wallets and exchanges used by Hamas supporters to funnel funds internationally, including examples of darknet donation portals
- [File Names] ISKP media and propaganda files disseminated by al-Azaim Foundation for Media Production encouraging attacks in the US