This DAP highlights – FB-ISAO: What We Learned About Ransomware Resilience / Six things we learned from the LockBit takedown / FRC Publishes New Edition of Hostility Against Churches Report Indicating a Doubling of Attacks / Nonprofit Security Grant Program Webinar Series info from FEMA Bulletin. Every DAP also has More Faith-Based Stories and Select All-Hazard Stories. These updates are shared to help raise the situational awareness of Faith-Based organizations to best defend against and mitigate the impacts from all-hazards threats including physical security, cybersecurity, and natural disasters.
The FB-ISAO Cyber Threat Intelligence, Operational Resilience (together, the Threat and Incident Response) working groups actively monitor and share information, reports, and perspective regarding our threat environment. In addition to our continued observance of a broad array of general threats and hostility to people and places of faith, we have reviewed the events and threats relating to the ongoing conflict in Israel and Gaza and the related activities internationally and domestically. Based on that assessment, we have determined to move both the Physical and Cyber Threat Levels to “ELEVATED” at this time. Additionally, we continue to have concerns over the general widespread acts of faith-based hostilities and open threats to faith-based organizations based on their religious and political beliefs (including antisemitism, Islamophobia, anti-Christian and anti-Sikh sentiment, etc.), regularly occurring acts of violence such as arson, vandalism, and low-level attacks including swatting and bomb threats, as well as commodity cyberattacks seen in all communities including Business Email Compromise (BEC) and ransomware. Additionally, the TIG is closely monitoring the COVID-19 threat, events and rhetoric relating to the 2024 U.S. election season, along with other considerations that may pose direct or indirect risks to organizations. We will continue to closely monitor activities and continually reassess both threat levels and provide appropriate updates.
- The Physical Threat Level is “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal. We are also closely monitoring events and are considering an escalation to “SEVERE,” meaning that an event is highly likely, but decided to not escalate to that level at this time.
- The Cyber Threat Level is “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal.
FB-ISAO will continue to closely monitor events and threats and if we assess that there is a high likelihood of a physical or cyber threat, or if we see a decrease in tensions, we will make appropriate revisions to this threat assessment. This is a continuously and rapidly developing conflict that may prompt further responses (change in threat level, recommendations for action, etc.) in a matter of days, not weeks or months.
A general note of caution. Combat operations in Israel and Gaza are challenging to accurately follow in real time. War, and incidents during war, can be confusing and events – such as recent incidents at a Gaza hospital and church – demonstrate the uncertainty of facts. Regarding both events internationally and incidents here in the US, in an environment rife with mis-, dis-, and mal-information, members are encouraged to avoid idle speculation and not to overreact to hearsay or personal emotions and biases, but to calmly and rationally assess facts and respond accordingly.
PHYSICAL THREAT: The TIG has determined to increase the Physical Threat Level to “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal. We are also closely monitoring events and are considering an escalation to “SEVERE,” meaning that an event is highly likely, but decided to not escalate to that level at this time.
Threats relating to the ongoing conflict in Israel and Gaza. As has been demonstrated, the events in Israel and Gaza have increased tensions and threats internationally and in the US. These threats include targeted threats and attacks against individuals believed to be Jewish, Muslim and Palestinian, targeted threats and incidents at faith-based organizations and at higher education institutions, and escalation of rhetoric and threats at protests and demonstrations. We believe these threats will be persistent as this conflict continues.
We have seen individuals conduct hateful acts of violence upon individuals the attackers believed to be Jewish, Muslim and Palestinian. On 18 Oct, the FBI noted that “the FBI has seen an increase in reports of threats against Jewish, Muslim, and Arab communities and institutions.” We assess such attacks will continue. Further, such attacks could manifest themselves as attacks at FBOs or places of business where there may be believed to be high concentrations of targeted individuals or leadership identified as the targeted groups. This may include telephonic, mail, or online threats of violence, vandalism, and low-tech attacks such as arson, smashing of glass, and other violence.
Additionally, following calls for “days of revenge,” we are concerned about aspirational calls for violence by ISIS and others that may emulate such calls. On 20 Oct, ISIS published their weekly “Al-Naba” in Arabic, advocating for violence and murder against Jewish people worldwide. As reported in FB-ISAO Slack and in open source reports such as via Newsweek, this issue includes an infographic titled, “Practical ways to support Muslims in Palestine,” which encourages attacks on Jewish people and Israel, with the goal of “returning its land to the House of Islam again.” The publication suggests ways that supporters can help, including “targeting Jewish neighborhoods in America, Europe and the rest of the world,” and “attacking the Jewish and Crusader embassies with burning and vandalism” (and such events have been occurring internationally). It also encourages the “targeting Jewish temples (synagogues) spread everywhere” as well as attacking “Jewish economic interests spread throughout the world” noting that the battlefield is not limited to Palestine and “includes all places of the Jewish presence.”
FBOs have seen common incidents of swatting and vandalism as regularly reported in the Faith-Based Daily Awareness Post, and some of those common concerns are expressed below. We assess that these may increase and that some of the recent events may be tied to the ongoing conflict, even if not explicitly known to be at this time.
We also have concerns regarding ongoing demonstrations, with two primary concerns:
- As with any mass gathering demonstration, there is the possibility that increasing tensions and escalation, even at protests intended to be peaceful, can spiral into violence. Beyond the immediate threat to those involved, such escalation can extend to people and facilities in the surrounding area.
- Mass gatherings can be used to conceal nefarious activities. Individuals or small groups may seek to conduct violence at these events or use the events to cover their movement and intentions to conduct attacks at nearby facilities.
- We assess the greatest concerns are those facing the Jewish and Muslim communities, and more broadly to individuals believed to be of Palestinian or Arabic descent.
- Also of concern, Christian organizations seen to be supporting one side of the conflict or the other may be targeted.
- Additionally, past incidents have shown that Hindus, Sikhs, and individual Arabs, Persians, and South- and Southwest Asians, and others, may be mistaken for Arabs and be the target of verbal or physical attacks conducted in ignorance.
- We are raising the threat level not only for awareness, but also for the purpose of encouraging members to consider their current security posture and level of preparedness to be able to rapidly respond to threats and incidents, should the situation require it. This includes both immediate measures and potential escalation of measures as needed in a fluid environment.
- If members need resources or have questions, please reach out to our team and community via FB-ISAO Slack.
- Members are encouraged to consider their local event awareness and coordination with local law enforcement, neighboring organizations, and even with event organizers. For international awareness, members may reference recent US Department of State updates including:
- Worldwide Caution (23 Oct)
Some of the potential considerations that may result in an increase to “SEVERE” include, but are not limited to, the following:
- The initiation of ground operations in Gaza.
- The formal opening of other military fronts around Israel (i.e., an actual declaration of war by or against another party, especially Hezbollah, Iran, Lebanon, Syria) or activities or statements indicating regional nations are leaning toward formal conflict with Israel.
- A major, mass casualty terror attack in Europe or North America, especially if it is against perceived Jewish, Muslim, or Arab people or facilities and especially if it is not aimed at an official government target but at civilians.
- Actual discovery (not speculation) of identified terrorist or extremist elements (foreign terrorist organizations or Western and domestic extremist groups) traveling abroad toward the US or Europe and / or setting up operations outside of the immediate zone of conflict, which would indicate a broadening of the battlefield and targeting.
- US protests and demonstrations escalating into riots, accompanied by violent actions against property or individuals.
- The initiation of staging demonstrations outside of or specifically targeting Houses of Worship or other known FBOs.
- Discovery of an actual improvised explosive device (IED) or other actual attempt of violence at any FBO or the interdiction of any individual(s) proximate to or surveilling an FBO found to be carrying firearms or other lethal weapons with the expressed intent to target the FBO or its members.
- A significant, quantifiable increase in street attacks against members of any of the potentially targeted communities noted above (actual, as opposed to suspected or anecdotal observations).
General. We assess that Faith-Based Organizations (FBO) will continue to face vandalism, property damage, theft, harassment, and communicated threats, as well as other low-level acts of violence and, in rare instances, actual physical assaults on individuals and facilities, whether motivated by hate, politics, or criminal gain. The possibility that an active assailant may target an FBO remains an enduring threat. Of note, over recent months, swatting threats have been observed at numerous faith-based facilities. The vast majority of these have been Jewish facilities but threats have also been received at churches and mosques. Given the ease with which these threats can be made and with no expected decrease in hostilities towards faith-based people and organizations, this trend is likely to continue in the near-term. We also remain concerned that societal/political issues, such as positions on abortion, LGBTQ rights, racial justice, and other divisive topics will continue to be flashpoints for protest and violence near or at FBOs. This concern increases as we progress into a contentious election season.
While these threats and incidents encourage a continued level of heightened vigilance at FBOs, we assess that the majority of these will mostly remain nuisance activities short of actual physical violence. Activities such as leafletting, banner drops, graffiti, vandalism, swatting, bomb threats, etc. are low level, low skill and low risk activities which minimally expose the perpetrators to actual criminal or physical consequences. They successfully create fear, because they create the perception of threat – the fear of attack, of being targeted, but with little or no physical impact or damage. Such activities, however, combined with other factors, may incite some individuals towards violence. While we expect most of these threats to be hollow, we strongly urge members and others to treat all threats seriously, have procedures in place and maintain situational awareness to ensure detection of critical indicators of potential individual, group, criminal, and even nation-state aggression. We encourage members to assess local threat information reported by local law enforcement, fusion centers, FB-ISAO Daily Awareness Post, weekly reports and other updates, and incorporate the information into their ongoing threat and vulnerability assessments. We also encourage you to record and share your own observations of suspicious activities at your House of Worship with your local community faith partners, and contribute Suspicious Activity Reports (SARs) to your local law enforcement agency, fusion center, FB-ISAO, Department of Homeland Security, and other religious and secular organizations that collect, collate, analyze and report on adversary trends, tactics, and procedures. It is through the widest collection of SARs and other pre-incident indicators that government, law enforcement and other analysts build their analysis of developing trends in the threat environment, which allows them to advise us on what to expect.
CYBER THREAT: The TIG has determined to increase the Cyber Threat Level to “ELEVATED.” ELEVATED means that FB-ISAO is unaware of any specific threats, but there is concern that an event is more likely than normal.
We continue to encourage preparedness and vigilance against routine threats and ongoing challenges such as ransomware, business email compromise, gift card scams, and other common concerns. We are, however, concerned about potential hacktivism relating to the ongoing turmoil in Israel and Gaza.
- There have been incidents of faith-based website defacements relating to the ongoing turmoil in Israel and Gaza. FBOs may see more of this and other online attacks as this conflict continues. Such attacks could be launched by foreign entities or domestic sympathizers, and we assess that such attacks may target Jewish, Muslim, and Christian organizations. We see the following as the most likely threat concerns:
- Website defacements
- Social media account takeover
- Online meeting crashing (“zoombombing” and like online meeting threats)
Basic security measures including robust, unique passwords, and implementing multi-factor authentication (to include online meeting passcodes) significantly reduce the likelihood of a successful attack. Members are encouraged to ensure good security practices are in place and to reach out to FB-ISAO with any questions. Members are also encouraged to continue to review the Faith-Based Daily Awareness Post which includes daily threat and preparedness updates, including several recent best practice references shared by our USG partners.
- Common cybersecurity threats are an enduring threat to FBOs, as they are to all organizations. BEC and ransomware continue to be significant areas of concern. Beyond direct attacks on an FBO, these attacks may occur with vendors and other supply chain partners, with cascading risks and impacts to members. FB-ISAO has noted, and reported on, an uptick in cyber threats that affect faith-based organizations.
- We continue to caution members on scams of all kinds. This includes gift card and related scams with criminals pretending to be known faith-based leaders. This also includes common scams like those that follow disasters, various types of elder fraud, sextortion, and others, as well as emerging scams such as QR Code Scams. Relating to the current crisis in Israel and Gaza, see this post from the FTC: “Safely donating in response to the Israel-Gaza crisis” (19 Oct 2023). Scammers impersonating either legitimate or legitimate-sounding charities will likely attempt to trick people into “donating” to their favored cause(s) via both online and telephonic methods. AI tools may be used to rapidly scale up such operations and enhance the credibility of scams. We also will likely see a rise in the incidence of impersonation of trusted local clergy and lay leaders in attempts to defraud followers.
- CISA encourages users to review the Federal Trade Commission’s Staying Alert to Disaster-related Scams and Before Giving to a Charity, and CISA’s Using Caution with Email Attachments and Tips on Avoiding Social Engineering and Phishing Attacks to avoid falling victim to malicious attacks.
- As always, geopolitical events and perceived political positions and other high-profile issue positions by FBOs or their leadership – real or perceived – may result in hacktivism or other online attacks, such as was experienced in an attack on the Papal website believed to be related to Russia’s invasion of Ukraine.
- It is important to take at least basic actions to reduce risk.
- Keeping staff aware of threats, tactics, techniques, and procedures used in common attacks, and how to protect themselves and the FBO is an important basic risk reduction measure.
- FBOs are encouraged to develop and exercise incident response plans, to include communications, outreach, and reporting procedures.
- One of the best ways to reduce risk remains to keep all devices updated with current operating systems and software. In addition, despite improvements in defensive security posture, ransomware remains a viable and disruptive event.
The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.
GENERAL. The continuous threat against Faith-Based Organizations in particular led DHS to reconstitute the Faith-Based Security Advisory Council (FBSAC) which “serves as an advisory body with the purpose of providing guidance and recommendations to the Secretary” on a variety of matters. FB-ISAO Executive Director Mayya Saab is a member of the FBSAC. Members are encouraged to review recent weekly reports that have included some related information and mitigation ideas. Additionally:
Regular updates are being shared in the Faith-Based Daily Awareness Post, shared via email and available on our blog.
- Please refer to this post for an explainer on the FB-ISAO Threat Levels.
- September 2023 Department of Homeland Security Homeland Threat Assessment
- CISA – Protecting Places of Worship: Six Steps to Enhance Security Against Targeted Violence; Protecting Places of Worship: Six Steps to Enhance Security Against Targeted Violence Fact Sheet. The Cybersecurity and Infrastructure Security Agency, in partnership with the Federal Bureau of Investigation, developed the fact sheet to outline actions that faith-based organizations and community leaders can take to increase security, focusing on six overarching steps. The product details how taking these six steps can help protect places of worship against potential threats of targeted violence in a cost-effective manner that maintains an open and welcoming environment. The product also provides training, exercise, and grant resources, and interagency contact points to assist places of worship in identifying their security needs, developing actionable plans, obtaining funds for security improvements, and recognizing and reporting potential threats in their area.
- DHS CISA Guidance: Mitigating Attacks on Houses of Worship Security Guide.
- FB-ISAO – Catalogue of 2021 Hostile Events Affecting Faith-Based Organizations.
- CISA: Security Planning Workbook. The Security Planning Workbook is a comprehensive resource that can assist critical infrastructure owners and operators with the development of a foundational security plan. This workbook is designed to be flexible and scalable to suit the needs of most facilities. PDF: Security Planning Workbook.
- FB-ISAO Post: The Nonprofit Security Grant Program- A Resource to Faith-Based Organizations.
FB-ISAO maintains a resources page which may be accessed here and includes:
- Physical Threat (and given recent mail threats in Europe, members may want to review the Mail and Package and Bag Checks resources)
- Insider Threat
- Domestic Terrorism Threat
- Health and Natural Disaster
- Preparedness Videos and Training
- Resources for Schools
- COVID-19 and Pandemic Resources
- CISA SHIELDS UP
- U.K. NCSC guidance on steps to take when the cyber threat is heightened
- NJCCIC Advisory: Cybersecurity Considerations as Geopolitical Tensions Increase
- June 2021 White House Memo on ransomware preparedness
- CISA: Stop Ransomware
- UK NCSC ransomware resources
International Travel Resources:
- U.S. Department of State—Bureau of Consular Affairs: Ukraine Travel Advisory
- U.S. Department of State—Bureau of Consular Affairs: Information for U.S. Citizens in Ukraine
- U.K. Foreign travel advice—Ukraine
Business Continuity Resources
- Continuity of Operations (COOP), Federal Emergency Management Agency (FEMA)