September 2020: FB-ISAO Physical Threat Level Remains SEVERE; Cyber Threat Level Remains GUARDED

This message is TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

The ongoing COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways and that continues to impact security and response, both to manmade and natural threats. FB-ISAO’s Threat and Incident Response Group (TIG) continues to assess the ongoing threats and risks to our community and has made the following updates to our Threat Level Assessments:

The TIG has determined to maintain the Physical Threat Level at “SEVERE.” SEVERE means an event is highly likely. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. This determination is valid through sunset on 30 Sep 2020, and will be periodically re-evaluated, especially with respect to ongoing threats and developing federal, state, local, tribal, and territorial (FSLTT / SLTT) guidance and directives.

The TIG has determined to maintain the Cyber Threat Level at “GUARDED.” GUARDED means FB-ISAO is unaware of any specific or targeted cyber attacks, but a general risk of cyber attacks exist. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. Likewise, the cyber threat landscape will be continuously monitored, but this Cyber Threat Level determination is valid until further notice.

• Please refer to this post for an explainer on the FB-ISAO Threat Levels.
• Please see this 15 May post regarding the distribution of the FB-ISAO Pandemic Reopening Reentry Checklist.
• Please see this important Message to the Community of Faith, from the DHS Assistant Director of Infrastructure Security (08 Apr 2020)

Reopening America. Across the country, many FBOs have reopened or are preparing to reopen, while others have elected to continue to suspend in-person activities (some determining to do that through at least the rest of 2020). As we continue in the process of reopening, with the possibility of having to move back to more stringent restrictions or delays in continued reopening based on events in our local communities, FB-ISAO continues to strongly encourage members “hold the line.” By hold the line, we mean continue to follow FSLTT guidance and directives and reopen, reenter and resume operations in accordance with, and not ahead of, such guidance and directives.

While recent COVID-19 numbers are somewhat encouraging, there are many ways that minor progress can quickly evaporate as some return to work and places of worship and to the many that returning to schools across the country. As of 26 Aug, there are 5.75 million cases in the U.S. and nearly 178,000 deaths and as of 21 Aug, the CDC reports that the “national ensemble forecast predicts that 3,700 to 9,600 new COVID-19 deaths will be reported during the week ending September 12 and that 187,000 to 205,000 total COVID-19 deaths will be reported by that date.” While personally and organizationally, many are understandably feeling pandemic fatigue, the coronavirus remains an active health threat with the potential to lead to local outbreaks or broader flare-ups, particularly if established best practices such as social distancing and mask wearing are not followed. As leaders, we encourage members to fight complacency and fatigue. FBOs should not base policies or enforcement on personal feelings, politics, or other subjective considerations. While as individuals we may agree or disagree with specific measures, FB-ISAO continues to strongly discourage defying state and local guidance and directives and encourages members to reopen, reenter and resume operations in accordance with government guidance and directives.

Regarding the Physical Threat Level, coronavirus remains a serious threat in the United States, with various states and local communities experiencing increasing infection numbers and with local outbreaks related to gatherings at FBOs in various areas around the country and observed internationally.

A health threat poses a challenge in assessing a threat level. In accordance with FB-ISAO’s threat levels, in many respects we are still in a “CRITICAL” phase, given that the pandemic remains very active and that further outbreaks are expected as reopening continues. The likelihood of a broad second wave of COVID-19 remains very possible, particularly if individuals, organizations and communities fail to follow identified best practices to mitigate risks. This is further complicated by annual flu season, which has the potential to complicate and overwhelm healthcare professionals and facilities. Some have referred to this as a potential “twindemic” – meaning the continuation of the COVID-19 pandemic and the start of flu season.

Beyond the explicit health threat, we have other security concerns, including:

• As noted above, SEVERE means we believe an event is highly likely. With respect to our current environment and this assessment, we assess an event to be one of two types:
  • Local Outbreak. The possibility of local COVID-19 outbreaks remains very possible. FBOs in particular may experience rapid spread and infection if infected individuals are exposed to larger groups, as has been observed in various local outbreaks (see CDC case study, Arkansas, March 2020).
  • Hostile Events. In addition to routine threats, additional stressors may increase challenges for FBOs. That concern is raised in former CISA Assistant Director Harrell’s 08 Apr letter to the faith-based community. There are also other challenges that could lead to hostile events or provide opportunities for individuals or small groups to conduct acts of violence.
    • Protests & Targeting of African-American People and Facilities. On 01 June we assessed that “protests relating to the death of George Floyd and racial issues take on a political dimension, it is also possible extremists could choose to target predominantly African American places of worship.” In the ensuing months, we have seen that come to fruition and be further complicated by several additional incidents of excessive use of force resulting in death or serious injury. Threats and hostile events have occurred at FBOs, to include predominantly African-American churches such as in Virginia and Kentucky. As Black Lives Matters and associated protests continue, this remains a concern. Further, additional protests continue in parts of the country and may pose indirect threats and associated risks to FBOs.
    • Protests & Targeting Other People of Faith. As domestic protests demand law enforcement resources, some extremists have suggested using that as an opportunity for attacks against people of faith – and synagogues specifically. We have seen this occur internationally and remain concerned about the possibility of domestic incidents.
    • September’s Jewish High Holidays. September will see the major Jewish holidays of Rosh Hashanah (18-20 Sep) and Yom Kippur (27-28 Sep). As FBOs reopen and seek to conduct gatherings, many are considering holding large outdoor events. While this reduces risks associated with COVID-19, large outdoor mass gatherings present complex security events and potentially enticing targets for those that would seek to do harm. Major religious celebrations are easily identified and can be used to conduct media attention-getting attacks. Last year’s Poway Synagogue shooting (California) occurred on the last day of Passover. Members are encouraged to balance the desire for gatherings with their ability to effectively secure such events and are strongly encouraged to discuss plans with local law enforcement and fusion centers to gain local expertise regarding threats, security, and other considerations that may inform decisions and planning.
    • Disgruntled Individuals. Individuals who do not agree with positions taken by an FBO during periods of closure and reopening may take action against those organizations or others.  
    • Political Events. Presidential elections, particularly during times of adversity, such as with the pandemic and associated economic impacts, or relating to other emotional topics, such as the removal of statues and monuments, can lead to a highly-charged atmosphere and pose associated risks to FBOs in the area which may not be directly targeted by indirectly implicated. During both the Democratic and Republican political conventions, the community of faith was one of significant attention. As election-related activities increase in the months ahead, especially after the Labor Day weekend, it is possible that political rallies may see protests and counter-protests – aimed at politicians, groups, or places of worship where events may be held. Such concerns are not limited to any party or individual but are a possibility for any political event occurring at or near an FBO.
    • The Labor Day weekend holiday, as with the 4^th of July, this year will see smaller and fewer events but nonetheless, mass gatherings – perhaps FBO picnic or other local community activities – may have high visibility. Combined with some of the additional challenges and complexities of our current environment, FBOs hosting events or in proximity to planned events, should consider threats and security to their people and places.

• There continue to be varied incidents, attacks, and threats against retail establishments and personnel relating to enforcement of safety protocols such as required wearing of masks and maintaining adequate social distancing, or the wearing of masks that incite responses from others (such as KKK or Nazi masks). This has continued with regular frequency, though FB-ISAO is unaware of any known incidents that have occurred at FBOs. On 24 Aug, the CDC released Limiting Workplace Violence Associated with COVID-19 Prevention Policies in Retail and Services Businesses. While not aimed at FBOs, the guidance may be useful for safety and security personnel to consider. As FBOs reopen and welcome back individuals, it is possible that some may have heightened sensitivities regarding these issues and may not respond well to personnel attempting to enforce safety actions. FBOs should prepare “frontline” staff and volunteers regarding how to engage personnel, when to ask for help from senior personnel, and other considerations to prepare them to effectively communicate and assist visitors.
• As we continue to reopen and reenter FBOs, recognize the potential for violence based on the stressors of COVID-19, the threats from violent extremists, and the longstanding issues that have resulted in previous acts of violence at houses of worship.
• There continues to be extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19 and other extremist discussion and interest in places of worship and people of faith [see previous FB-ISAO and government partner reporting]).
• Beyond the immediate challenges, while we have yet to emerge from the “first wave,” there is a very real possibility of second and third waves until a vaccine is developed and applied nationwide. Further, many countries around the world continue on an upward trajectory and it is expected that the number of cases in many areas will continue to increase in the coming weeks.

Regarding the Cyber Threat Level, FB-ISAO assess the current volume of coronavirus-related cyber attack campaigns continues to recede and is consistent with a general “GUARDED” posture. While there is still no shortage of coronavirus-themed cyber attack campaigns, non-coronavirus lures have more or less returned to pre-pandemic frequency. While we assess remaining at “GUARDED” is reasonable, increased vigilance is still recommended due to the ongoing pandemic, continued widespread teleworking, abundance of information and updates from legitimate and less-established sources (including social media and unofficial expert blogs), and commensurate distractions in businesses and homes across the U.S., among other considerations.

Comment on #BlueLeaks: While there have been no significant updates, due to members’ close partnerships with all impacted entities, including FB-ISAO, fusion centers, and law enforcement, this incident still represents a threat from actors who may try to leverage those trusted relationships in the future to phish (email or phone) for more information. We cannot stress enough the need to exercise extreme vigilance when receiving communications purporting to come from any impacted organization, particularly ones in your region. For members’ awareness, FB-ISAO has been contacted by the FBI Houston Division, who is investigating this matter.

Additional considerations for continued increased vigilance:

• Mis/disinformation is still a concern. Mis/disinformation continues to spread regarding coronavirus related and other highly charged matters, including elections. Disinformation is being increasingly spread by various entities for disruption, deceit, and even to discredit legitimate government efforts, including the integrity of American elections. It is imperative to think critically and continue verifying everything. Visit CISA’s #Protect2020 resources, including the Disinformation Stops With You infographic to better understand the evolving threats to the election systems.
• Ransomware running rampant. From municipalities and education institutions to healthcare and mega-corporations, no organization is safe from ransomware. In recent months, more and more ransomware attacks are including a data breach component. Prior to ransomware adopting the data breach paradigm, partner organizations likely only experienced a service impact while the third party victim recovered from the unfortunate incident. Nowadays, every partner organization carries a risk from a ransomware attack on a third party. Data leaked from third parties could be used in spearphishing against all partners in the victim’s supply chain for a variety of goals, including distributing more ransomware. Members are encouraged to review ransomware and data breach playbooks, policies, and procedures with staff and MSPs, or at least discuss necessary actions should ransomware impact your organization or one of your third-party partners. This Forrester report provides some salient points about dealing with ransomware.

We are all targets of opportunity. Cyber tactics such as phishing, smishing (SMS phishing), vishing (voice phishing), disinformation/misinformation, and counterfeit websites leveraging coronavirus themes will continue for the foreseeable future.

• Continue enabling/encouraging remote staff to work securely. As organizations consider a prolonged, perpetual, or even permanent work from home model, it is important to deliberate on the best strategy to promote a secure remote work environment. Staff who continue working remotely may require procurement and configuration of new devices, network infrastructure, and services to securely support extended offsite working. To enable safe telecommuting, review CISA’s Telework Guidance and Resources page and StaySafeOnline’s COVID-19 Security Resource Library.
• Continue providing threat awareness training to staff. There are many open source examples of emails, lures, images, and indicators of compromise being shared daily in the FB-ISAO Daily Journal. Consider appropriate ways to use that information to educate and better prepare staff. FB-ISAO is happy to help develop education and cybersecurity awareness materials for dissemination.

As we periodically update these assessments, FB-ISAO’s Preparedness Group (PG) continues to support the efforts of our broader Pandemic Recovery Group with FB-ISAO staff, PG members, and other government and industry partners, and is also liaising with the venue community in collaboration with the International Association of Venue Managers. This group has developed and released the FB-ISAO Pandemic Reopening Reentry Checklist and continues in close collaboration as we assess appropriate needs for revisions and updates. Interested in helping? Contact our team to find out how!

Please contact our team with any questions, needs for information, assistance or any other concerns.

• We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
• Join the #covid-19, #protest_awareness, #cybersecurity and other topical channels in FB-ISAO Slack to see more updates, reports, and conversation on threats, and to share your questions, ideas, and actions for others.

This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.