FB-ISAO Physical Threat Level Returns to SEVERE; Cyber Threat Level Remains GUARDED

This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

The TIG has determined to lower the Physical Threat Level to “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 26 June 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.

The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.

• Please refer to this post for an explainer on the FB-ISAO Threat Levels.
• Please see this 15 May post regarding the distribution of the FB-ISAO Pandemic Reopening Reentry Checklist.
• Please see the 25 May, Memorial Day edition of the FB-ISAO Daily Journal for recent CDC guidance and updates for the community of faith.
• Please see this important Message to the Community of Faith, from the DHS Assistant Director of Infrastructure Security (08 Apr 2020)

Reopening America. After many weeks of closures, many FBOs are reopening or preparing to reopen. This is an exciting transition but one that requires a deliberate, thoughtful and disciplined approach. As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. FB-ISAO strongly discourages defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

Regarding the Physical Threat Level, as SLTT governments continue to “reopen” their communities and as FBOs are reopening and beginning to welcome back the public, coronavirus remains a serious threat in the United States, with many areas experiencing increasing infection numbers as they begin phase one reentry/reopening. A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic us underway and that further outbreaks are expected as reopening continues. We have been reluctant to decrease the physical threat level but, assessing the broad, national threat, we felt it was appropriate to move to SEVERE at this time. The likelihood of a broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks.

“The possibility of a local outbreak remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups.“

Beyond the explicit health threat, we have other security concerns, including:

• As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
  • Local Outbreak. The possibility of a local outbreak remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups. Two recent illustrations on that can be seen in the recent CDC report, “High COVID-19 Attack Rate Among Attendees at Events at a Church — Arkansas, March 2020” (22 May) and this L.A. Times report, “A choir decided to go ahead with rehearsal. Now dozens of members have COVID-19 and two are dead” (29 Mar).
  • Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in Assistant Director Harrell’s 08 Apr letter to the faith-based community. Further, individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. That was evidenced in a recent arson attack that destroyed the destroyed the First Pentecostal Church in Holly Springs, Mississippi. FB-ISAO warned about such possibilities in our 14 May threat levels update; the arson attack occurred the following week.
    • As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically.
    • As protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship. We have no specific knowledge of threats suggesting that is being discussed but feel the possibility exists and should be considered.

“In addition to routine threats, additional stressors may increase challenges for FBOs.”

• During reopening, there have been varied attacks and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.

“FBOs should prepare ‘frontline’ staff and volunteers regarding how to engage personnel”

• As we reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.

• There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).

• Beyond the immediate challenges, there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world – including very significant ongoing outbreaks in Brazil and other parts of Latin America – are on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.

Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns has remained stable and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures continue to populate the cyber threat landscape. While we assess remaining at “GUARDED” is still reasonable at this time, increased vigilance is recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.

Additional considerations for continued increased vigilance:

• Cyberactivity spurred by protests over the death of George Floyd. While most cyber activity surrounding protests are targeting law enforcement and local government websites, FB-ISAO emphasizes the need for vigilance. Website defacements and denial-of-service (DoS) attacks have been the primary attack types thus far, but cyber threat actors are also known to aggrandize headlines to proliferate malware.
• Contact tracing scams. As if COVID-19 contact tracing doesn’t have enough challenges, the proliferation of fraudulent text messages from scammers pretending to be contact tracers adds to the issue. As iterated from the FTC, there’s no question contact tracing plays a vital role in helping stop the spread of COVID-19. But scammers are pretending to be contact tracers and taking advantage of how the process works by sending fake text messages. Also, given legitimate health department messages may vary from region to region, it may be difficult to determine a real message from a fake one. However, keep in mind that legitimate contact tracing messages are intended to be factual and will not ask for personal information or include a link to click. Visit the FTC for more tips on recognizing, avoiding, and reporting scam texts messages.
• Mis/disinformation is still a concern. In addition to coronavirus related matters, recent protest activity surrounding the death of George Floyd have also sparked similar attempts at spreading disinformation, including social media posts stating various extremist groups were present at protests, in neighborhoods, etc. Disinformation is spread by various entities for disruption, deceit, and even to discredit legitimate government efforts. Social media organizations such as Twitter are striving to flag potentially harmful and misleading posts. Likewise, several states are working to fight the scourge. It is imperative to think critically and continue verifying everything. FB-ISAO continues to encourage members to treat every coronavirus-themed communication or protest related subject with suspicion.

“In addition to coronavirus related matters, recent protest activity surrounding the death of George Floyd have also sparked similar attempts at spreading disinformation”

We are all targets of opportunity, especially during this time. Cyber tactics such as phishing, smishing (SMS phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.

• Continue enabling/encouraging remote staff to work securely. As organizations begin to consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure home working environment. Many organizations and people were thrust into remote working. However, those who continue to work remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. StaySafeOnline maintains its COVID-19 Security Resource Library with an up-to-date compilation of numerous trusted and verified resources to enable safe telecommuting.
• Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help members develop education and cybersecurity awareness materials for dissemination.

As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!

Please contact our team with any questions, needs for information, assistance or any other concerns.

• We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
• Join the #covid-19 channel and #cybersecurity channel in FB-ISAO Slack to see more updates, reports, and conversation on this threat, and to share your questions, ideas, and actions for others.

This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.