This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. Given the ongoing threat of the COVID-19 pandemic and the approaching U.S. winter season and associated health concerns, we have determined to maintain the broad Physical Threat Level at SEVERE and anticipate this level being maintained until a decrease in the threat of the pandemic as vaccines are administered and a possible decrease of travel as the winter season and seasonal health threats pass. The TIG will continue to assess the Physical Threat Level regularly and provide updates accordingly. This determination will be periodically re-evaluated, especially with respect to non-COVID-19-related threats.

The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist, particularly with respect to phishing using FB-ISAO’s likeness, the SolarWinds Orion/supply chain compromise, and scams using subjects for first of the year observance “Days” and COVID-19 vaccinations. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice. Please see below for on-going considerations regarding the Cyber Threat Level.

• Please refer to this post for an explainer on the FB-ISAO Threat Levels.
• Please see this 15 May 2020 post regarding the distribution of the FB-ISAO Pandemic Reopening Reentry Checklist.
• Please refer to this CDC guidance for FBOs: Considerations for Communities of Faith, which is periodically updated (this update, 30 Dec 2020).

Concerns Regarding the Physical Threat Level.

At this time, we have two primary concerns regarding the physical threat level – the ongoing pandemic and the heightened threat environment relating to domestic extremism.

COVID-19 Pandemic.

As we continue through this pandemic, with jurisdictions around the country and internationally having moved back and forth between local, state and national restrictions based on the continued surge of COVID-19, FB-ISAO continues to strongly encourage members “hold the line”. By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives. While the arrival of vaccines is greatly encouraging, the threat persists across the U.S.; members are advised to respect and adhere to FSLTT guidance.

The pandemic has continued to surge and, though a decrease in new cases has occurred since mid-January, deaths remained at peak levels with a slight decrease. As of 21 Jan, we are approaching nearly six million new cases since our last assessment (from 19.43 million cases to 25.2 million and from 337,419 deaths to now 419,827) and as of 25 Jan, the CDC reports that the national ensemble forecasting predicts significantly increasing numbers of anticipated deaths with “13,500 to 25,000 new deaths likely reported in the week ending February 20, 2021. The national ensemble predicts that a total of 479,000 to 514,000 COVID-19 deaths will be reported by this date.” Based on current behaviors and trends and the still slow rollout of the vaccines, the surge in cases and deaths will continue through the winter before an anticipated tapering off as we move towards spring.

“Our plan will take time… Despite our best intentions, we’re going to face setbacks.” – President Joe Biden, as quoted by The Hill, 27 Jan.

The distribution of vaccines is underway in the United States and across the globe. While this is an exciting development, the distribution will take time and preventive measures are still important as we move through 2021. As recently observed, there are continued mutations of COVID-19, such as the variations from the United Kingdom, South Africa, and Nigeria, as well as other variations developing in the United States and elsewhere. While vaccines seem to be effective against these variants, there are concerns that a variant may exist or develop which vaccines are not effective against. Exacerbating the existing challenges is the increasing challenge of “pandemic fatigue,” as Americans grow tired of restrictions and seek to return to normalcy. While understandable, a decrease in vigilance and safety will only prolong recovery and a return to a more open and safe environment.

While there is a lot of conflicting reporting and varied assessments regarding the threat, and as both personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains a very active health threat with continued local outbreaks or broader flare-ups, with more potential concerns particularly if established best practices such as social distancing and mask wearing are not followed. FB-ISAO assesses that we remain in a high-risk period.

Worth noting, many FBOs have begun or continued phased reopening and by applying smart practices and safety measures, they have been able to avoid outbreaks at their facilities and among their congregations. These successes are commendable but recognizing success should not lead to complacency or a false sense that the threat has passed. As we wrestle with pandemic fatigue and the continued surge in cases, we need to avoid the danger of overconfidence. Outbreaks can happen quickly and lead to closures and broad infections, as has been observed in communities and FBOs around the country. For those that have been successful, we encourage you to maintain discipline and hold on to your success.

As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

Again, we encourage members to adhere to established best practices such as social distancing and mask wearing, and to make informed decisions based on observable data, not personal or political feelings.

Domestic Extremism.

The increasing tensions over the course of the 2020 election season came to a boil with the storming of the U.S. Capitol building on 06 Jan. From that event and given related concerns, on 27 Jan, the DHS released a National Terrorism Advisory System (NTAS) Bulletin “due to a heightened threat environment across the United States, which DHS believes will persist in the weeks following the successful Presidential Inauguration.  Information suggests that some ideologically-motivated violent extremists with objections to the exercise of governmental authority and the presidential transition, as well as other perceived grievances fueled by false narratives, could continue to mobilize to incite or commit violence.” FBOs, while not mentioned in the Bulletin, have continued to see threats and acts of violence during this period of escalated threat. As noted in recent Faith-Based Daily Journal (FBJ), FBOs – Jewish and Muslim – have received threatening letters, and a recent explosive attack at a California church, along with many continued cases of destruction, vandalism and arson, show individuals may progress through the Hostile Events Attack Cycle and move towards taking action. The IED occurred at a “conservative” church that had spoken out against LGBTQ issues, and threats had been received by “progressive” churches leading up to the Inauguration, showing there are threat actors of all stripes and all types of FBOs may be potentially be targeted by extremists.

• With notable events and dates coming up (i.e., former President Trump’s potential impeachment trial, 04 Mar [previous presidential inauguration date associated with ongoing conspiracy theories]), there may be additional flashpoints in the weeks ahead.
• De-platforming. With mainstream social media like Twitter and Facebook taking action against extremism, and with the shutdown of Parler, some have moved to alternative platforms such as Discord, MeWe and Telegram, among others. This can make intelligence collection more challenging, even as it may make coordination for events more challenging as well. Breakdowns in communications cause disruption for groups and the authorities tracking them alike; and absent the brakes that group communications can have on violence-prone members, splinter factions and  rogue actors may choose to launch attacks on their own.
• As members consider their security posture with regards to enduring and evolving physical security threats, they are encouraged to consider that recent events have demonstrated the variety and types of common objects (from fence posts to hockey sticks to bike racks to flagpoles, etc.) and improvised explosives that are readily available to would-be violent actors and the ease with which they could be used against Houses of Worship and other FBOs. Whether a deliberate attack or an escalation from a protest or other mass gathering, such items have the potential to be turned into improvised weapons and battering rams. Members may want to consider how well existing mitigations stand up to a potential siege-like assault. Members are encouraged to consider items such as bollards, ballistic film-reinforced windows and doors, gates, locks, lights, cameras and other security measures. Whether relating to protests on controversial issues or positions an FBO may be associated with, use of a facility for vaccine distribution, high-profile guests that could lead to security concerns (see this recent example, “ Lauren Boebert cancels meeting at Colorado church over security concerns,” 30 Jan), or other potentially trigger, the events at the Capitol, as well as routine violence and vandalism at FBOs, have shown that escalation can occur quickly and violently. Members are encouraged to consider recent events and the NTAS Bulletin with respect to their security operations and preparedness.

Beyond the explicit health threat, we have other security concerns, including:

• Protests (General). Since June, we have expressed concern over the potential that protest activities will continue to pose direct and indirect threats to FBOs. Observed throughout 2020 and noted in previous threat assessments and FB-ISAO reporting, whether seen as supportive of protests – directly, logistically, or as sanctuaries or meeting places – or if seen as being opposed to protests, FBOs have been attacked from both sides. We continue to assess protests may pose direct and indirect risks to FBOs. With continued frustrations over the 2020 elections or with new frustrations that may develop with an incoming presidential administration, protests may again flare-up in the weeks ahead. One upcoming notable date is 08 Mar, when the trial of at least one of the police officers – Derek Chauvin – charged in the death of George Floydis expected to begin.
• Vaccine-Related Protests. If an FBO becomes involved in vaccine distribution / administration, there is the potential that anti-vaccination protests could develop or that disturbed/disgruntled people attacking vaccination centers. DHS has stated that, “Organizations involved in the development and distribution of the COVID-19 vaccineshould take proactive measures to enhance their overall physical security posture,” and shared security measure guidance. We assess this to be a low-level threat but one for FBOs to consider as they may be involved in vaccine distribution and related activities. To date, we have not observed incidences of violence connected to vaccine distribution, but fraud and theft have been reported.
• Disgruntled Individuals. In addition to other issues that may excite some individuals to violence, such as the recsnt church IED noted above, individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others. We have continued to see various protests and violent actions aimed at COVID restrictions and individuals enforcing safety procedures. Last updated on 01 Sep, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, some individuals have demonstrated heightened sensitivities regarding these issues and have not responded well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors. Effective ways to safely engage individuals and de-escalation training could help prepare frontline personnel.
• Nashville Attack and Other Conspiracy Theories. While the motivation behind the Christmas Day 2020 Nashville attack is still not clear, it is possible that conspiracy beliefs / misinformation-related anxiety (i.e., 5G concerns) could have played a part. Already, there has been misinformation alleging the explosion was an attempted government cover-up to hide election fraud, and other such theories. It is possible that, inspired by Nashville and perhaps with additional motivations such as political frustrations and concerns relating to the COVID vaccines, others may be inspired to action. There is some concern around upcoming dates and conspiracy theories. Perhaps most notably, there could be potential activity relating to the idea of some Qanon believers that former President Trump will return to office and be sworn in on 04 March(read more). While FBOs may not be a primary target of such beliefs and the associated angst, they could be, and could also be indirectly targeted by way of location and neighboring facilities.
• Hostile Events and the Targeting of FBOs, Both People and Facilities. As acts of violence, vandalism and arson are being reported regularly in the FBJ, including hate crimes such as spray-painting hate symbols and the destruction of statues, arson and stabbings, it is important to note there are often connections between other issues and events and actions that may be taken at FBOs. Relating to protests and for other issues, and sometimes for no clear grievance, FBOs have been targeted by a variety of types of aggression and violence – at facilities, on statues, with threats, and more. This is unlikely to change in our current environment. Further, Europe has seen several low-tech terrorism attacks conducted by violent jihadists. While such attacks have not occurred recently in the U.S., terrorist propaganda continues to promote attacks and it is possible would-be jihadists could seek to conduct attacks domestically, and potentially aimed at FBOs, as has been observed overseas.

Concerns Regarding the Cyber Threat Level.

FB-ISAO assess the current overall volume of coronavirus-related cyber attack campaigns remains stable with the predominate scams leveraging vaccination-titled lures. Nonetheless, the current volume is consistent with a general “GUARDED” posture. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic and associated concerns and distractions. Additionally, members are highly encouraged to familiarize themselves with the FB-ISAO Weekly Advisory for 23 December 2020 regarding phishing activity using the likeness of FB-ISAO that could potentially be related to #BlueLeaks. Finally, members are encouraged to review the #cybersecurity_general channel in FB-ISAO Slack for a general level of awareness to on-going cyber threats and incidents.

As we offer the constant reminder that WE ARE ALL TARGETS of opportunity, the following are general considerations for continued vigilance:

• Vulnerabilities in church management software platforms. During January, we were made aware of at least two widely used church management software platforms that were impacted by potential cyber threats.
  • On 6 January 2021, in the FB-ISAO #general Slack channel, a notice was sent to all members regarding a malicious domain registration for the church management software platform Realm. Multiple variations of the login domain (onrealm [.] org) had been registered and members who use Realm were encouraged to block incoming email from the fictitious domains.
  • On 14 January 2021, the ADVINTEL Faith-Based Sector Intelligence Advisory includes information regarding two critical vulnerabilities in Rock RMS. Members that use Rock RMS are encouraged to read the report, apply available vendor patches immediately, and monitor for malicious activity from a potential compromise of the software.

• #BlueLeaks. We continue to stress the need to exercise vigilance when receiving communications purporting to come from any impacted organization, including FB-ISAO, fusion centers, and law enforcement entities (see FB-ISAO Weekly Advisory for 23 December 2020). Furthermore, be cautious of any activity from entities attempting to “survey” individuals who have received emails from FB-ISAO and other impacted organizations (fusion centers and law enforcement entities) as highlighted in an FB-ISAO Advisory emailed to members on 14 January 2021.
• Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), whaling (targeting of high-profile targets), disinformation/misinformation, and counterfeit websites leveraging current events represent a perpetual threat.
  • Be on your guard for scams trying to take advantage of the confusion surrounding COVID-19 Vaccine Distribution. Visit the FTC for a post and infographic on how to avoid vaccine-related scams. Likewise, with houses of worship participating as vaccination distribution sites, scams could have direct impact on the faith-based community if actors leverage/impersonate specific organizations to give their scams credibility.
  • Furthermore, threat actors commonly leverage upcoming sales related to national holidays and observances such as, Valentine’s Day, Presidents’ Day (Washington’s Birthday), etc. Members are urged to treat every sale and solicitation communication with suspicion.
• While the recent compromise of the SolarWinds Orion product is presumed less likely to impact most FBO’s, a general threat still exists from similar third-party product/service compromises. Information on SolarWinds continues to be included nearly each week in Faith-Based Daily Journal and other TLP:WHITE summaries sent by FB-ISAO since 13 December 2020. Additionally, information is available in a CISA Insights: What Every Leader Needs to Know About the Ongoing APT Cyber Activity. Members are encouraged to exercise due diligence when implementing any third-party products and services. Please contact our team for more information on vendor risk management.
• On-going ransomware attacks with subsequent leaked data. Ransomware continues impacting organizations of all types and sizes. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs and discuss necessary actions should ransomware impact your organization or third party partners. For more on ransomware preparedness and response, see the Ransomware Guide from CISA and the MS-ISAC.
• Continued “Zoombombing.” Faith-based organizations continue to experience disturbing and heart-wrenching “Zoombombing” incidents. Many Zoombombing incidents occur due to public posting of meeting links and often deficient procedures when hosting such videoconferencing events. Members are encouraged to review the security settings on their videoconferencing platforms and apply best practices and procedures to reduce the risk from this prevalent disturbance. Most teleconference platform vendors have published tips for maintaining secure meetings and FB-ISAO has previously shared tips for securing online events. In addition, members are encouraged to download the Center for Internet Security’s Videoconferencing Security Guide for more guidance and best practices for mitigating this threat.
• Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including post-election activity. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 Rumor vs. Reality resources, including the Election Security Resource Library.
• Continue enabling/encouraging remote staff to work securely. As organizations continue prolonged or permanent work from home models, it is important to promote a secure remote work environment. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
• Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.

Please contact our team with any questions, needs for information, assistance or any other concerns.

• We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.

• Join the #covid-19, #protest_awareness, #cybersecurity, #terrorism_us and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.

This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.