Tag: faith

  • A Message to the Community of Faith, from the DHS Assistant Director of Infrastructure Security

    On These Trying Times for the Nation

    “The ongoing coronavirus (COVID-19) pandemic has temporarily altered our daily activities. People are rightly practicing social distancing to limit community spread, in line with the President’s Coronavirus Guidelines for America. Many houses of worship have also suspended or significantly reduced services to avoid mass gatherings. Although many people undoubtedly continue to practice their faith, including through remote services and prayer, most are inevitably eager to return to normalcy and join their fellow congregants in practicing their faiths. The American people are resilient, and we will achieve this goal soon.”

    The above is an excerpt from a letter written by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director of Infrastructure Security, Mr. Brian Harrell.

    In addition to the letter, CISA wanted to make sure FB-ISAO members are familiar with a valuable resource page, CISA’s Hometown Security, which can be found here: https://www.cisa.gov/hometown-security. From the webpage: “These tools and resources are offered free to communities because the Department recognizes that communities are the first line of defense in keeping the public safe and secure.” Brian Harrell continues with: “As I mentioned in my February 2019 letter to the Faith-Based Community, the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security (DHS) is committed to supporting your efforts to maintain safe and secure houses of worship and related facilities while sustaining an open and welcoming environment. In partnership with entities such as the DHS Center for Faith and Opportunity Initiatives and the Faith-Based Information Sharing and Analysis Organization, we provide resources that assist in securing physical and cyber infrastructure.”

    “Thank you again for everything you do to champion the American people’s Constitutional First Amendment rights, as well as your leadership in keeping our houses of worship safe and secure. You have a committed partner in DHS who is steadfast in ensuring you have the resources to enhance your security programs.”  – Assistant Director Harrell

    Through relationships with leaders and organizations, such as Assistant Director Harrell and CISA, with the Federal Bureau of Investigation, state and local fusion centers, and other public sector partners, we will continue to grow our private-public collaboration, and the continued awareness, preparedness, security, and resilience of the American community of faith. Please read the entirety of Assistant Director Harrell’s letter, above, and thank you for your commitment to building a stronger, more prepared nation.

  • FB-ISAO Raises Physical Threat Level to “CRITICAL,” Maintains Cyber Threat Level at “ELEVATED”

    The COVID-19 global pandemic is a complex and blended threat impacting members and the broader faith-based and charity community in numerous ways. FB-ISAO’s Threat and Incident Response Group (TIG) has continued to assess the ongoing threats and risks to our community and has made the following updates:

    The TIG has determined to increase the Physical Threat Level from “SEVERE,” to “CRITICAL,” – our highest level of threat – as of 31 March 2020. The TIG will continue to assess the Physical Threat Level and provide updates accordingly. At present, this increase is valid through sunset on 30 April 2020, but that will be periodically re-evaluated.

    The TIG has determined to maintain the Cyber Threat Level at “ELEVATED,” as it has been since 20 March 2020. The TIG will continue to assess the Cyber Threat Level and provide updates accordingly. At present, this increase is valid through sunset on 30 April 2020, but that will be periodically re-evaluated.

    Regarding the cyber threat level, we do not assess a significant change from the 21 Mar assessment. We do consider a higher level of risk as organizations move to online processes – from routine assemblies to special events, and for online giving.

    • The ploys are the same, but the deluge is unprecedented – With work, learning, and worship from home being status-quo for a while, tactics leveraging coronavirus themes will likely continue to increase at an exponential rate before they plateau, as individuals who are not used to a near-exclusive level of online interactions are bombarded with cyber attacks such as phishing, smishing (SMS phishing), disinformation, and counterfeit websites.
    • Think critically – Cyber attackers will continue their attacks to seek financial gain or sow seeds of rumors and disinformation to create chaos and confusion for their amusement.
    • Trust but verify – FB-ISAO members are encouraged to treat every coronavirus-themed communication or situational report with suspicion.

    Regarding the physical threat level, the escalating threat of coronavirus in the United States and many countries around the world is on an upward trajectory and it is expected that the number of cases will increase in the coming weeks. Based on the health threat alone, we urge members to follow national guidance and state and local direction and, as directed, to limit the size of gatherings or to forgo physical assemblies, in accordance with that guidance. FB-ISAO strongly discourages defying state and local guidance and directives.

    Beyond the pandemic threat on its own:

    • With the upcoming major holidays of Passover and Easter;
    • Continued extremist interest in conducting various attacks and hostile actions against people and places of faith (to include specific anti-Semitic rhetoric relating to exploiting COVID-19; see previous FB-ISAO reporting);
    • As well as the anniversary of complex coordinated terrorist attacks in Sri Lanka last Easter, and other incidents that may serve to inspire extremists;

    We assess the month of April to be a CRITICAL threat period.

    Recent and upcoming reports and public posts speak to ideas elaborating on these various threats and on mitigation, including the public posts listed above, and recent weekly reports on maintaining preparedness for non-health threats during this pandemic and on upcoming threats. Please contact our team with any questions, needs for information, assistance or any other concerns.

    • We encourage members to review the FB-ISAO Daily Journal for general threat awareness, updates and ideas on what other organizations are doing.
    • Join the #covid-19 channel in FB-ISAO Slack to see more updates, details and conversation on this threat, and share your questions, ideas and actions for others.

    This assessment has been developed by FB-ISAO and is our general, nationwide, cyber threat assessment for the U.S. community of faith. As always, for local threat information, members are encouraged to work closely with neighborhood partners, local law enforcement, state and local fusion centers, local FBI field offices, DHS Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), and other local experts and responders.

  • A Cyber Christmas Carol

    by Jennifer Walker

    This post was originally informed by a TLP:GREEN FB-ISAO Monthly Threat Brief distributed on 19 December 2019.


    What could we possibly learn about cybersecurity from the Charles Dickens classic: A Christmas Carol, you ask? Well, pardon our parallels and allow us some latitude as we explore this holiday classic with a cyber theme. In A Christmas Carol, Ebenezer Scrooge (the community of faith) is visited by the ghost of his longtime partner and friend, Jacob Marley (FB-ISAO) warning Scrooge that he’s doomed if he doesn’t change his ways. Jacob then foretells Scrooge that he will be visited by three spirits who will show Scrooge visions of his past, present, and a very unpleasant future should the trajectory of his life remain unchanged. Like the Christmas spirits, the cybersecurity community takes a similar approach at the end of each year by reviewing past events and incidents, looking at the present, and applying lessons learned to increase future cyber readiness. With that in mind, FB-ISAO presents some of these cyber events to help inform the community of faith toward a positive future trajectory of cyber resilience.

    • The Ghost of Cyber Past. This spirit takes us on a journey of the most notable cyber events of the past decade. An enlightening summary about some of the most influential events that shape cyber-present and yet-to-come. Not all of the biggest incidents are represented, but each event depicts a new trend or watershed moment in cybersecurity. Like Scrooge, if given the opportunity of hindsight in light of past cyber events, what changes will you make for a more promising future? But at the very least, the events beg the question, “Do you member when?”
      • Stuxnet (2010). An advanced computer worm designed to sabotage Iranian nuclear centrifuges. I know, this incident wasn’t relevant to most, and certainly less for FBOs. But a vivid depiction of Stuxnet proved to the public consciousness that cyberattacks weren’t just the work of hoodie-clad teenagers holed up in their parents’ basement. Stuxnet was serious, and forever changed how businesses approached cybersecurity. Was news of Stuxnet the first time you perceived cyber threats might actually be real, even if you thought, “it won’t happen to me”?
      • Target Breach (2013). The massive point-of-sale (PoS) compromise that enabled the siphoning of credit and debit card, and personal data of over 40 million guests. Target’s transparency began the long, storied future of major retail data breach disclosures and brought the issue closer to home for the general public. In weeks to come, details of the breach would be a poignant example of how malicious actors attack less cyber secure SMBs to gain access to the big target (pun intended). This incident remains a bit of a poster child as far as cybercrime data breaches go. When was the last time you shopped at Target?
      • Anthem, Inc. & Office of Personnel Management Breaches (2015). Two more widespread data breaches. Personal health records (Anthem) and security clearance, personal, and fingerprint data (OPM) were stolen by Chinese state-sponsored cyber espionage threat actors. Over 100 million combined records were pilfered in what is believed to be an attempt by the Chinese government to amass intelligence on U.S. citizens. These thefts validated the value of Personal Health Information (PHI) and removed all question that our sensitive personal data is in the hands of our adversaries. Is there any expectation of privacy or confidentiality anymore?
      • Mirai (2016). Malware designed to infect unsecured connected consumer devices (internet-of-things) and enslave them as part of a massive botnet to wage further cyberattacks. Mirai was the first botnet of its kind and was used to launch some of the largest DDoS attacks to date. Mirai (and its ilk) exploit the convenience and plug-n-play nature of IoT, including industrial control devices running our nation’s critical infrastructure. Do you remember that day the internet died?
      • (Ransomware) WannaCry and NotPetya (2017). Global ransomware epidemics that leveraged previously leaked source code from an exploit (EternalBlue) stolen from the NSA. These weren’t the first ransomware strains we’d seen in the cyber community, but like what Stuxnet did for advanced cyber threats, and Target did for data breaches, WannaCry brought ransomware into the public consciousness. The sad part about these outbreaks – they could’ve been prevented. But as is the case all too often, previously released security patches weren’t applied in a timely fashion. WannaCry (May) was a rude awakening, but NotPetya (June) still caught many with their cyber pants down. Hmmm, I feel like I’ve been here before – DejaBlue (and BlueKeep)…
      • Equifax Breach (2017). Ouch! I don’t think much needs to be said here. First we had Target losing credit, debit, and personal data. Then personal health records and sensitive security clearance details stolen from Anthem and OPM. Now, the entire credit histories of over 145.5 million Americans, British, and Canadian citizens are siphoned. This is beginning to look a lot like a complete identity picture floating around. How? Failure to apply patches for known vulnerabilities. Is it Patch Tuesday yet?
      • Magecart (2018). E-commerce website online payment skimming malware. As if ATM skimming and PoS malware weren’t enough, Magecart pretty much represents both. Simply staying away from shady online stores may not keep your credit card data safe – Magecart actors infect well-known, high-profile, reputable, SSL protected websites, reminding us there are no safe websites, only less risky ones. Is your online holiday shopping done yet?
      • More Ransomware (2019). “Big game hunting” ransomware campaigns that have been particularly targeting municipalities, schools, and managed service providers (MSPs). Most notably, twenty-two government entities in Texas were infected with ransomware in August after the compromise of a single MSP they all had in common. This onslaught of attacks primarily highlights two things: the importance of encrypted, validated, off-site backups, and the necessity of third-party risk management programs. Have you tested your backups recently?
    • The Ghost of Cyber Present. This spirit gives Scrooge a unique glimpse into his life as others see him and how past choices led him here. Like Scrooge, we can learn a lot from assessing past events and how they inform present circumstances. FB-ISAO reviewed some of the most concerning threats faced in 2019 and how they’ve unfolded in the current threat environment in light of past decisions – many incidents were even a combination of the two, and more often than not were precipitated by the ever-popular phishing-based email account spoofing tactic.
      • Ransomware. The threat responsible for one of the biggest cyber events of the decade (More Ransomware) was undoubtedly one of 2019’s most widespread threats. Like Scrooge, it seems the majority of businesses and enterprises alike have failed to heed spirits’ warnings on the importance of backups as the best mitigation against a crippling ransomware attack. Furthermore, to add insult to injury, ransomware gangs are now outing victim businesses who do not pay up by threatening to publicly release data that has been stolen (not just encrypted).
      • Supply Chain. As if past events were not enough to convince you of the importance of supply chain security and third-party risk management, there were countless incidents in 2019 that highlighted this unabating problem. Yet many organizations still fail to properly vet these relationships and end up paying the price when they are compromised through a vendor. Supply chain risks are a concern for all types and sizes of organizations. With the latest ransomware attacks targeting MSPs, it’s particularly important for organizations to remember that while you may outsource your IT (and/or cybersecurity) services, you can’t outsource your risk.
    • The Ghost of Cyber Yet-to-Come. Short of the ability to time travel, Scrooge gets an opportunity that none of us will ever have – a glimpse of things yet-to-come if he continues down the same path. For the rest of us, if we learn from others’ successes and failures, the past may not come back to haunt us. That said, with prognostications in hand, and a view of the past and present, FB-ISAO offers its top cyber concern for 2020 to help you take a step forward to invest wisely into your cybersecurity posture for the coming year(s). That doesn’t mean treat other threats with less importance, but if you haven’t addressed this threat by now, please do so before it’s too late.
      • Even More Ransomware. In 2018 it looked like ransomware was going to take a backseat in 2019 to other threats, like cryptojacking and cloud-based threats. But it didn’t take long to resurge and catch many organizations unprepared. Will Tiny Tim die, laments Scrooge. If the shadows of ransomware remain unaltered by the future, many more organizations will fall victim and further legitimize the ransomware economy. The cybersecurity community expects more targeted ransomware attacks, and actors will increasingly leverage common techniques of phishing and computer vulnerabilities, such as exploiting the Remote Desktop Protocol (RDP).

    Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.


    Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

  • Associated Risks: A Perhaps Not-So-Obvious Threat

    by David Pounder and Omar Tisza

    This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Report distributed to members on 11 July 2019.


    There are threats not inherent in day-to-day activities or related to direct threats routinely confronted by an organization. For example, most faith-based organizations (FBOs) may never encounter a hostage situation, an extremist demonstration, or a major sport championship parade. Nonetheless, these types of incidents or events may pose indirect threats to FBOs in proximity to such activity.  

    While many FBOs occupy standalone buildings, many houses of worship and other faith-based and charity facilities are adjacent, co-located, or otherwise in proximity to other organizations that are also widely accessible to the public. These relationships to other facilities and organizations constitute a risk from potential indirect threats that FB-ISAO refers to as “Associated Risk.” Examining these associated risks allows organizations to look beyond just the direct threats, and consider risks that emanate from potential incidents that bring other, perhaps less likely, or asymmetrical, threats with them. Planning for associated risk requires close coordination with local partners, awareness of local events and activities, and making appropriate risk-based decisions to minimize impact or respond effectively to the threat.

    What Are Associated Risks?

    Associated risks are potential unwanted outcomes resulting from an incident, event, or occurrence in nearby proximity, that may not be connected to the specific organization or location. In many instances, the associated risk stems from the impact of threats against people, places or events that are actually the intended target. While the direct threat may be to something specific, the associated risk is to everything and everyone that may be associated with the target.

    • Associated Risks can occur in instances when an entity becomes a “second-hand” target by way of an attacker’s intended target, or when the second-hand target, or incident, is located in close proximity of the intended target.
    • Associated risks are not typically planned for and may not be identified during normal planning and preparedness efforts.

    Keeping abreast of local events and maintaining close coordination with local authorities and neighbors will help organizations recognize and prepare for associated risks.

    Indirect Threats; Associated Risks

    From protest events to celebratory parades, in recent months there have been several instances in which facilities were impacted from an associated risk, as opposed to a direct threat to their business or location. Types of such activities could include:

    • A protest taking place in proximity to an FBO, charity, or other non-profit facility. Such events could escalate and include acts of violence, vandalism, threaten uninvolved personnel, or otherwise indirectly impact a facility. A recent demonstration in Portland saw multiple assaults reported and items that looked like milkshakes, but actually contained quick-dry concrete, thrown at demonstrators and officers.
    • A shooting incident, criminal or a mass shooting event, may occur in proximity to an FBO, charity, or other non-profit facility, or (as was the case in the recent Odessa shooting spree) may implicate a large area and cause massive confusion. Such events may be particularly impactful to organizations during peak service or business hours, and lead to necessary decisions on evacuations, sheltering in place, or otherwise responding to protect people.
    • Sports celebrations, holiday, and other notable parades can be proud times for a city but the festivities around the victory can cause physical damage to local establishments, and parade routes can disrupt normal day-to-day operations. Whether real or not, extremists or ardent supporters on either side of an issue could use such events to promote their agendas or show their disapproval, creating a possible associated risk for FBOs.

    For FBOs, the above incidents may not immediately present a risk or indicate a threat, but that often depends on the location of the organization, its members or other visitors, and a number of other factors that may extend beyond the FBO, charity, or other non-profit facility itself. Maintaining situational awareness of these types of events and the potential spill-over impact will be beneficial to overall organizational preparedness.

    Mitigate Associated Risks

    • Coordinate with local law enforcement and neighborhood partners. These valuable relationships need to be established in advance of any threat or incident and are a vital part of incident response planning. Keep in touch with local law enforcement and fusion centers for potential threat updates and upcoming events that may represent potential targets for attacks.
    • Review local activity and events. Maintaining situational awareness of community activities and incidents allows organizations to consider potential threats and make risk-based decisions.
    • Develop appropriate incident response. While it is difficult to anticipate every possible associated risk, organizations should still develop response plans that will enable more effective response to an evolving threat and make real-time decisions. This could include evacuating the immediate area, shutting down business operations, or alerting employees to remain at home.
    • Convene key personnel when appropriate. Once events are identified that could cause associated risk, it will be important for the organization to coordinate and assess the potential impacts.
    • Communicate, communicate, communicate. Last, but certainly not least, if operational changes are required, these need to be communicated to employees so they can comply or respond accordingly. For example, an organization may choose to work from home when there are big events near the office. This requires a direct communication channel to employees.

    David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues.  Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations.  He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA.  Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

    Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H-ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.


  • Hostile Events Attack Cycle – Intense Surveillance

    by David Pounder and Brett Zupan

    This post was originally informed by a TLP AMBER FB-ISAO Weekly Physical Security Report distributed on 01 August 2019.


    Special note: In light of the on-going hostile events and mass violence attacks, a Pittsburgh, PA parish cancelled a scheduled festival in response to a suspicious note.

    On 13 August, a parish in Pittsburgh, PA painstakingly chose to cancel a scheduled festival that would have taken place 14-17 August. While no direct threat was made, the parish decided to cancel the festival out of an abundance of caution in response to a suspicious handwritten note received by the Diocese of Pittsburgh; the note said, “Cancel August 14-17 Festival Security Problem is Huge.”

    FB-ISAO stresses the importance of considering all suspicious activity and treating threats seriously as leaders and organizations make threat-informed, risk-based decisions for their communities, as exemplified by the parish.


    In our previous post in the Hostile Events Attack Cycle (HEAC) series, we reviewed the target selection phase of the HEAC. We highlighted three recent incidents (recapped below) to illustrate the process attackers go through when determining potential targets to wage attacks. Since that post was written, a recent arrest was made of a Las Vegas suspect with ties to a hate group accused of plotting to bomb synagogues and an LGBTQ bar.

    • On 28 July, three people were killed when a shooter opened fire at the Gilroy Garlic Festival in Gilroy, California – the attacker’s reported target set was religious and political groups.
    • On 3 August, a 21-year old killed 20 people and injured 26 more at a Walmart in El Paso, Texas – the attacker indicated his desire to “kill as many Mexicans as he could.”
    • In the early morning of 4 August, a 24-year old attacker killed nine people and another 26 were injured at the popular Oregon District in Dayton, Ohio – target set is inconclusive, but FBI reports the attacker had a history of violent obsessions and had mused about committing mass murder.
    • On 8 August, a 23-year old suspect was arrested in Las Vegas in connection with plans to surveil a Las Vegas bar he believed catered to LGBTQ clientele. An FBI-led task force found a notebook with “hand-drawn schematics” for a possible attack in the Las Vegas area. The suspect is identified as a registered security guard in Nevada. According to authorities, the suspect allegedly attempted to recruit a homeless person to conduct “pre-attack surveillance” on at least one Las Vegas synagogue and “other targets.”

    As a quick review, target selection usually involves some symbolic value to the attacker, or motivation to gain publicity for a cause. The target selection process can occur consciously or subconsciously and is often influenced by a grievance and a sense of injustice, leading the attacker to feel the need to right the wrong. In this post, we explore how attackers build out their plan against their selected target by engaging in more detailed surveillance (intense surveillance) to improve the chance of attack success.

    Intense Surveillance

    Once a target is selected, the attacker will resolve outstanding questions about the target environment, expand collection efforts through surveillance, and seek to adequately address remaining unknowns in order to ensure their attack is as successful as possible. While initial surveillance will help identify potential weaknesses within a target, the period of intense surveillance will go into much more detail and will involve a lot more “time on target” – time spent getting to know the target in-depth. Reports regarding the El Paso and Dayton attacks indicate the attackers spent time casing the areas before returning to their cars to arm themselves in preparation for the massacres. This intense surveillance allows the attacker to learn as much as possible and validate the initial attack plan. Likewise, it may even identify additional vulnerabilities that could make the target susceptible to a larger attack, or confirm alternate targets if the initial target is seen as too secure to permit an effective attack.

    While all phases of the attack cycle are important, it could be argued that the intense surveillance phase can have the most impact in determining attack success or failure. This phase of the HEAC can take a long time. Depending on the target, some key questions intense surveillance will address include, but are certainly not limited to:

    • What are the layers of security outside and inside the location; are there roving patrols on foot by security personnel or vehicle patrols; how often and how many people are involved?
    • Does the facility have external surveillance platforms?
    • Does the facility have a receptionist or check in area; what is that like?
    • Are there alternate entrances that are not secure?
    • Does the facility have a loading dock or delivery area; what is that security like?
    • How often are deliveries made and on what schedule?
    • What is the security response to suspicious events or materials?

    In the Gilroy attack, it’s likely the attacker knew about the security processes in place at entrances, or at least knew there would be security to frustrate direct entry, but also understood the venue well enough to know that there would be access through the perimeter fence. Either way, research and surveillance conducted by the attacker allowed him to bypass security and exploit a gap. In the El Paso incident, the attacker was not from the area, but likely knew enough about these types of retail locations to inflict as much damage as possible prior to security response. Likewise, given that he surrendered to police, it is likely that he had anticipated how much time he had before police arrived.

    It’s important to note that surveillance of a target does not always have to be done at the target site itself. Attackers can use similar locations to identify potential vulnerabilities (and, increasingly, may conduct more of their targeting virtually). Because similar venues tend to follow comparable protocols in their security plans, attackers can benefit from performing surveillance at other, like locations.

    Know the Threat

    As stated last time, all facilities, including places of worship, faith-based offices, other non-profits, and charities are potential targets for hostile attacks. The importance of maintaining awareness of the threat environment, potential threats to your organization(s), and an attack’s desired outcome is imperative – KNOW THE THREAT. FB-ISAO and its partners are dedicated to collecting and analyzing threat information to develop usable threat and risk intelligence to be disseminated/reported to the community of faith and to help organizations keep abreast of the current threat environment. Furthermore, through our ongoing work, resources, and Hostile Events Preparedness Series (HEPS) webinars, FB-ISAO aims to keep our members equipped to successfully prepare for and respond to any threat that should come against them.


    David Pounder is Gate 15’s Director of Threat and Risk Analysis. He advises on both physical and cyber security issues.  Dave spent over 20 years in the Army as an Intelligence and Security Officer, specializing in counter-terrorism, force protection, and counterintelligence efforts as well as serving in the private sector for leading financial institutions responsible for information security and mobile applications. Dave twice served in senior command positions responsible for both counterintelligence operations and investigations.  He has briefed Senior Army Leadership on intelligence and security issues and operations to include General David Petraeus and General Martin Dempsey. David was a regular guest instructor at the Department of Defense Joint Counterintelligence Training Academy in Quantico, VA.  Dave graduated from George Mason University and from the US Army’s Command and General Staff College and has served internationally to include tours in Iraq, Cuba and Qatar.

    Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to Water and Wastewater Systems Sector, the Commercial Facilities Sector, and with Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.


    Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums, working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

  • FB-ISAO Newsletter, v1, issue 3

    TLP White | The FB-ISAO Newsletter was distributed on 09 August 2019 and may be accessed below.

  • Say No to Ransomware – Have a Plan!

    by David Pounder and Brett Zupan

    This post was originally informed by a TLP: AMBER FB-ISAO Weekly Cybersecurity Report distributed on 10 July 2019.


    Over the past several weeks, ransomware has been a widespread topic. However, on 02 July there was a bit of good news for a change. St John Ambulance, a “not-for-profit provider of specialist patient transport services across England” advised customers they were “subjected to a ransomware attack.” Fortunately, having a plan in place allowed St John Ambulance to resolve the issue within 30 minutes without paying any ransom demands. While the company was “temporarily blocked from accessing the system affected and the data customers gave [them] when booking a training course was locked” there did not appear to be any information shared or exposed. Even though the UK-based company did not have to report the incident, they still performed due diligence by advising the Information Commissioner’s Office (ICO) and the Charity Commission, as well as the police, in accordance with their established procedures. These notifications, and the speed with which they were delivered, are another indicator of the strong preparedness processes in place.

    This recent report is another encouragement for non-profit organizations, especially on the heels of news about Father Bill’s and MainSpring, a Massachusetts-based non-profit homeless shelter, successfully blocking a ransomware attempt. These incidents demonstrate how, with advance planning and preparedness, organizations can recover from ransomware without having to pay costly fees to malicious actors or suffer further financial impacts. However, it is still important to note that an incident did occur; the attack was successful in that it locked out an aspect of the organization’s business and delivered the ransom demands. The difference is, as security researcher Graham Cluley noted, St John was “able to put in place emergency recovery plans to restore from unaffected backup systems. That’s in marked contrast to ransomware attacks that have hit American cities in recent weeks – which have resulted in extortionists being paid over a million dollars.” St John Ambulance’s recovery and response plan worked. But a plan on paper needs to be validated through exercises and testing in order to ensure gaps and vulnerabilities in the plan are addressed prior to implementation. In contrast, the city of Baltimore, which is still battling the effects of their ransomware attack, also opted not to pay the demands but ran into recovery challenges with an untested plan, and the financial impact has already exceeded $18 million.

    There is a lot of no-cost government and third-party guidance to help inform faith-based organizations, charities, and other non-profits what to put into a ransomware recovery plan. In general, adhering to good cyber discipline goes a long way to reducing or mitigating threats posed by ransomware. Some other key principles include FBI recommendations:

    • “Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.” This is extremely important to ensure that not only are the backups conducted, but that there are no bumps in the road when you attempt to restore them.
    • “Conduct an annual penetration test and vulnerability assessment.”
    • “Secure your backups. Ensure backups are not connected permanently to the computers and networks they are backing up. Examples are securing backups in the cloud or physically storing backups offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization.” With regard to backing up data, one suggestion would be to use the “3-2-1 backup process” – 3 backups, 2 different mediums, 1 offsite.

    If impacted by ransomware, the ultimate question is: do we pay the ransom? In FBI guidance, the U.S. Government “does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

    • “Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
    • “Some victims who paid the demand were targeted again by cyber actors.
    • “After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
    • “Paying could inadvertently encourage this criminal business model.”

    Ultimately, in the event of a ransomware attack, all organizations need to have a list of pre-determined responses. This list should be established by leaders before, not during, an attack.

    • Understand the situation. What is the extent of the infection? What data is being ransomed? What decision points determine whether to pay or not to pay?
    • Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data.
    • Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.
    • Contact law enforcement immediately. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office, or Secret Service Field Office.
    • If available, collect and secure partial portions of the ransomed data that might exist.
    • If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.
    • Delete Registry values and files to stop the program from loading.


  • Houses of Worship, Faith-Based Organizations, Charities, and Other Non-Profits: Yes, This CAN Happen to You.

    by Jennifer Lyn Walker and Omar Tisza

    This post was originally informed by a TLP: GREEN FB-ISAO Monthly Threat Overview distributed on 27 June 2019.


    It’s easy to adopt the “this won’t happen to me” mentality when it comes to fighting cyber threats in the faith-based community, charities, and other non-profits. The reality is that cyber threats are everywhere, and manifest themselves in different ways, such as Business Email Compromise (BEC), clergy impersonation scams, phishing, and ransomware.

    Certainly, the aforementioned attack techniques have been particularly prevalent within the faith-based community. However, there is another cyberattack tactic that is relevant to faith-based organizations and should not be overlooked: domain hijacking.

    What is Domain Hijacking?

    Domain hijacking occurs when malicious actors fraudulently change the registration information for a website domain with the domain registrar, such as GoDaddy, Bluehost, Network Solutions, etc. The changes are typically made possible due to a compromise of the domain registrar account credentials through a successful phishing attack, or through a deceptive password reset request.

    Domain hijacking is often the precursor to a website compromise; however, it has also been used to precipitate extortion attempts. Once a domain has been hijacked, miscreants are able to manipulate website content and/or redirect website traffic to another site under the attacker’s control. Content is often changed, or traffic is redirected, to display things that could damage the reputation of a faith-based organization, such as ideological statements contrary to an organization’s beliefs, or unsavory images. Likewise, malicious actors often set up phishing pages that mimic well-known and trusted sites, or install malware for other nefarious intent, such as spamming or credential harvesting. Furthermore, less sophisticated actors who do not have the skills to change content or redirect website traffic resort to the perception they are holding the domain hostage in exchange for ransom.

    Unexpected and Disruptive

    While domain hijacking seems like something only governments and major enterprises need to worry about, a church in Spring Township, PA recently learned otherwise. Church officials at West Lawn United Methodist Church (UMC) in Spring Township, PA said they never expected someone would target their church. But according to Jeff Raffauf, the church’s pastor, “hackers worked their way into the GoDaddy website server in March, changing all security information and transferring domains for the church’s two sites.” Fortunately, the attackers did not have a chance to do any damage, as administrative pastor Carolanne Schneiderhan swiftly contacted the FBI to launch an investigation and immediately filed a transfer request with GoDaddy to regain control of the website domain. While the malicious actors did not take control of or shut down the website, or worse (for an FBO), redirect website visitors to something unsavory, not all was well. Despite the pastor’s diligence, “it took months before they got the domains back, and the sites still aren’t working right,” according to Raffauf. Even though West Lawn UMC is still recovering, the consequences of this attack could have been more severe if the incident had not been quickly identified and reported to the authorities and GoDaddy.

    If your house of worship is anything like West Lawn UMC, you regularly tell congregants to check your website for information, to sign up for events or programs, or to make donations. For many organizations, websites are central points for sharing information and providing visibility to their communities. Not only would it be inconvenient and embarrassing if your site was unreachable, redirected to a website of ill repute or nefarious intent, or plastered with propaganda contrary to your FBO’s beliefs, but the hours and money spent to set up a new website, email, and branding would subtract from the daily and vital operations within your organization.

    While West Lawn UMC was able to stifle the attack, Faithful Friends, a nonprofit that fundraises for the church, was not so fortunate. According to the report, cyber attackers took control of Faithful Friends’ domain and asked for a $5000 ransom. These incidents further underscore the need for developing a cybersecurity strategy in houses of worship, faith-based organizations, charities, and other non-profits, and the infrastructures that support them. The benefits of establishing effective and proactive cybersecurity measures far outweigh the consequences of having to remediate the damages of a cyberattack against your organization and the community it serves.

    Avoid Domain Hijacking

    The best way to avoid becoming a victim of domain hijacking is to avail yourself of the domain security resources offered by your domain registrar. Most registrars offer domain monitoring and domain registry locking services. In addition, establish multifactor authentication on your domain administration account and set up notifications for any changes made to your domain.
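
    The monitoring and locking advice above can be checked against the domain’s public registration record. The following is an added example (not code from FB-ISAO or any registrar): it audits a domain record in RDAP JSON form for lock statuses and compares nameservers, registrar and last-changed date with a baseline saved when the domain was known good. The domain, registrar names, dates and function names are constructed for illustration.

```python
import json

# RDAP status values for registrar-set ("client") and registry-set ("server") locks.
TRANSFER_LOCKS = {"client transfer prohibited", "server transfer prohibited"}
REGISTRY_LOCKS = {"server transfer prohibited", "server update prohibited",
                  "server delete prohibited"}

# Constructed baseline: what the organization recorded when the domain was known good.
BASELINE = {
    "nameservers": ["ns1.dns-host.example", "ns2.dns-host.example"],
    "registrar": "Example Registrar, Inc.",
    "last_changed": "2019-01-15T10:00:00Z",
}

# Constructed RDAP domain records (not real registrations).
KNOWN_GOOD = """{
  "objectClassName": "domain", "ldhName": "church.example",
  "status": ["client transfer prohibited", "client update prohibited",
             "server transfer prohibited"],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.DNS-HOST.EXAMPLE"},
                  {"objectClassName": "nameserver", "ldhName": "NS2.DNS-HOST.EXAMPLE"}],
  "events": [{"eventAction": "registration", "eventDate": "2012-03-01T00:00:00Z"},
             {"eventAction": "last changed", "eventDate": "2019-01-15T10:00:00Z"}],
  "entities": [{"objectClassName": "entity", "roles": ["registrar"],
                "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                         ["fn", {}, "text", "Example Registrar, Inc."]]]}]
}"""

SUSPECT = """{
  "objectClassName": "domain", "ldhName": "church.example",
  "status": ["active"],
  "nameservers": [{"objectClassName": "nameserver", "ldhName": "ns1.parked.example"},
                  {"objectClassName": "nameserver", "ldhName": "ns2.parked.example"}],
  "events": [{"eventAction": "registration", "eventDate": "2012-03-01T00:00:00Z"},
             {"eventAction": "last changed", "eventDate": "2019-03-20T02:14:00Z"}],
  "entities": [{"objectClassName": "entity", "roles": ["registrar"],
                "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                         ["fn", {}, "text", "Other Registrar LLC"]]]}]
}"""


def registrar_name(record):
    """Return the formatted name ("fn") of the entity holding the registrar role."""
    for entity in record.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None


def summarize(record):
    """Reduce an RDAP domain record to the fields a hijack would change."""
    events = {e["eventAction"]: e["eventDate"] for e in record.get("events", [])}
    return {
        "statuses": {s.lower() for s in record.get("status", [])},
        "nameservers": sorted(ns["ldhName"].lower().rstrip(".")
                              for ns in record.get("nameservers", [])),
        "registrar": registrar_name(record),
        "last_changed": events.get("last changed"),
    }


def audit(record, baseline):
    """Return (code, detail) findings; an empty list means locked and unchanged."""
    cur = summarize(record)
    findings = []
    if not (TRANSFER_LOCKS & cur["statuses"]):
        findings.append(("NO_TRANSFER_LOCK", "no transfer-prohibited status is set"))
    if not (REGISTRY_LOCKS & cur["statuses"]):
        findings.append(("NO_REGISTRY_LOCK", "no registry-level lock status is set"))
    if cur["nameservers"] != sorted(baseline["nameservers"]):
        findings.append(("NAMESERVERS_CHANGED", ", ".join(cur["nameservers"])))
    if cur["registrar"] != baseline["registrar"]:
        findings.append(("REGISTRAR_CHANGED", str(cur["registrar"])))
    if cur["last_changed"] != baseline["last_changed"]:
        findings.append(("RECORD_CHANGED", str(cur["last_changed"])))
    return findings


if __name__ == "__main__":
    for label, raw in (("known good", KNOWN_GOOD), ("suspect", SUSPECT)):
        print(label, audit(json.loads(raw), BASELINE))
```

    Run on a schedule, a check like this gives notice of a change even if the registrar account’s own notification address has been altered.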

    Despite the challenges that befell West Lawn UMC, the pastors embody the mission of information sharing and increased resilience and have taken the time to share details about the attack in hopes others will heed their warning to be alert. “Make sure your information is current. Go in and change the password. Set up a two-step verify,” Schneiderhan said, “…very, very important. I learned the hard way.”

    Remember, no matter how large or small your faith-based organization is:

    • You are always a target. In this day and age, cyberattacks are just as certain as death and taxes.
    • Your experiences are always valuable to help the community improve resilience and preparedness. Please share your successes and lessons learned with FB-ISAO for the benefit of the larger Community of Faith.

    Jennifer Lyn Walker is a cybersecurity professional with over nineteen years’ experience supporting critical infrastructure and SLTT governments. As Director, Cybersecurity Services for FB-ISAO and Gate 15, she advises and consults on cyber threats related to homeland security for critical infrastructure and vital lifeline sectors, including WaterISAC. She is experienced in malware analysis, threat assessments, cyber threat intelligence, compliance, and cybersecurity awareness.

    Omar Tisza graduated from American University in 2017 with a bachelor’s in International Relations. After a brief stint in business development on the federal market, he began his role as Jr. Risk Analyst at Gate 15 in 2018 and currently supports the Health Information Sharing and Analysis Center (H­ISAC) and the Healthcare Sector Coordinating Council – Cybersecurity under the leadership of Executive Director Greg Garcia, former Assistant Secretary for Cyber Security and Communications at DHS.


  • Not Banking on Ransomware – Non-Profit Charities Facing Multiple Challenges After Being Impacted

    by Jennifer Lyn Walker and Brett Zupan

    This post was originally informed by the TLP GREEN FB-ISAO Monthly Threat Overview distributed on 27 June 2019.


    A series of recent ransomware incidents not only highlights just how vulnerable faith-based organizations and charities are to this type of cyberattack; these incidents also demonstrate threat actors’ interest in targeting organizations that are often less prepared for a cyber incident, and the perception that they may be more willing to pay the ransom. In Auburn, WA, servers belonging to the Auburn Food Bank, a non-profit entity serving approximately 150 families per day, were infected with ransomware on 05 June. This attack locked employees out of their files and emails. Like similar non-profit and charitable agencies, they do not have money budgeted for such events. “We are going to need help paying for this,” said Debbie Christian, Director of Auburn Food Bank. While the food bank has decided not to pay the ransom, it is estimated that equipment replacement and recovery will cost about $8,000. In addition to requesting financial donations, the Auburn Food Bank stated they welcomed volunteers who “can type” in order to manually recreate tons of forms, which is indicative of a lack of backups to restore systems.

    Similarly, Father Bill’s and MainSpring, a Brockton, Massachusetts-based non-profit homeless shelter, recently announced its network became victim to a ransomware attempt in April. Thankfully, the organization’s antivirus software was able to detect and prevent the attack before it could infect any computers on the network. While there was no evidence of a data breach, due to the potential, the organization was required by the Massachusetts Attorney General’s office to send notification letters to anyone with a social security number stored in the shelter’s systems. “We’ve gone through all the proper procedures with a breach through AG’s office, and have done everything we need to do that’s required by the state to let people know,” John Yazwinski, president & CEO of Father Bill’s said. This task was made difficult as the shelter does not have a current address for 30% of the potentially affected individuals.

    Both instances demonstrate the difficulties that smaller organizations face when confronting ransomware, whether it’s dealing with the aftermath of a successful attack or an unsuccessful attempt. As noted in prior FB-ISAO reporting, ransomware attacks are re-surging and malicious actors are developing more creative ways to part organizations from their money and proprietary information. Examples include ransom notes containing a false PayPal option in addition to the standard Bitcoin payment that is actually a disguised phishing attempt to steal the victim’s PayPal credentials, adding insult to injury, or ransom notes that promise to donate the victim’s payment to a children’s charity. With these trends in mind, FB-ISAO recommends faith-based organizations, charities, and non-profit organizations be proactive in preparing for a ransomware incident before – not if – it happens. The following are suggestions for leaders to consider:

    • An ounce of prevention is worth a pound of cure. Unfortunately, Auburn Food Bank’s situation – lacking the IT budget and data backup capabilities to recover from a ransomware incident – is not unique. FB-ISAO urges members to heed these reports and begin delegating resources for cyber-related incidents, including ransomware, ahead of time. There are low-cost, reliable solutions for maintaining current and stable backups, which is the best way to recover from a ransomware infection when it happens without paying the ransom.
    • Plan for the worst, hope for the best. Budgeting is important but providing awareness of and planning for these threats with your staff does not cost any money and offers huge benefits. Reminding staff of the latest threats, such as phishing, keeps the topic on their mind and can help when encountering a potentially suspicious situation. This habit also fosters a security-aware workplace. 
    • We are stronger together. FB-ISAO recommends all organizations be proactive in preparing for a ransomware incident by searching for resources and collaborating with peers and other partners. Resources, such as KnowBe4’s Ransomware Hostage Rescue Manual, have information to help you prevent infections and how to recover when you are hit with ransomware. The rescue manual explores ways you may be able to potentially recover files even if you did not have a backup and includes a Ransomware Attack Response Checklist and a Ransomware Prevention Checklist. Similarly, reaching out to local peers and information sharing organizations, including FB-ISAO, can provide a vast network that offers hard-won knowledge and experience when facing a cyberattack. Depending on the relationship, some partners may be able to provide resources such as educational materials or temporary staff during a crisis.


  • June’s FB-ISAO Monthly Threat Overview: Vandalism & Theft

    by Andy Jabbour, Managing Director, FB-ISAO

    This post was originally informed by a TLP GREEN FB-ISAO Monthly Threat Overview, distributed on 27 June 2019.


    Every month, FB-ISAO provides a TLP GREEN report, the FB-ISAO Monthly Threat Overview. The report is developed over a specific reporting period by a team of analysts. The report addresses all-hazards – to include physical, cyber, natural hazards, and health threats. The complete physical security section includes incidents involving hostile events, vandalism, theft, harassment, arrests and other notable events. In our May report, I was struck by the remarkable number of incidents that were included, specifically in the area of hostile events. 

    This month, it was a different portion of the report that notably stood out for me – the significant incidents of vandalism and theft, which are not necessarily unique this period, though some are specific to the month. One of the areas that we observed in June was vandalism aimed at houses of worship recognizing Pride Month (June).

    “All of the faithful they should have some assurance that when they go into churches, that these places are safe” – Monsignor Edward Lohse, Vicar General with the Erie Catholic Diocese, via Erie News Now

    Chicago, Illinois: “LGBTQ Pride flags vandalized in possible hate crime at Wicker Park church.” On 25 June, The Chicago Tribune wrote, “A week before thousands of Chicagoans fill North Side streets to share love, acceptance and pride for the LGBTQ community, a Wicker Park church is moving ahead after being targeted with messages of hate. Early Sunday morning, a pride flag and transgender flag hung outside Wicker Park Lutheran Church in the 1500 block of North Hoyne Avenue were vandalized. A Chicago police spokesperson confirmed police are investigating the incident as a possible hate crime.”

    Renton, Washington: “FBI Offers Reward of Up to $5,000 for Information on Renton, Washington Church Display Defacement.” On 28 June, the FBI announced, “On June 19, 2019, at approximately 2:30 a.m., an unknown individual (or individuals) used explosive devices to deface an outdoor display at the United Church of Renton in Renton, Washington. The display featured multi-colored doors, each painted with a different word from the phrase ‘God’s doors are open to all.’ It is believed that the subject(s) also wrote ‘Leviticus 20:13’ on one of the doors. This display was previously vandalized during the evening hours of June 13, 2019, when parts of the display were knocked down. The display was also defaced with explosive devices at approximately 10:00 p.m. on June 16, 2019.”

    Beyond Pride Month acts of vandalism, theft continues to target Houses of Worship. From South Carolina to Virginia, and across other parts of the country, theft continues to challenge our community. 

    Loudoun County, Virginia: “Group tries to rob Virginia Buddhist temple; may have stolen from others.” On 26 June, WTOP reported, “Four people tried to rob a Buddhist temple in Sterling, Virginia, on Tuesday, and that might not have been the only temple they hit… One of the men tried to distract the abbot by asking about Buddhism and about a statue in the temple, while the other man sneaked off and went around to the office building, and the two women stole several keys from the abbot… Loudoun County Sheriff Mike Chapman said his department was working to confirm reports that the same group had robbed Buddhist temples in Maryland and North Carolina.”

    Bethune, South Carolina: “‘We estimate that we have over $38,000 worth of losses.’ Bus among other items stolen from Bethune church.” On 27 June, WLTX19, CBS, wrote, “Sometime Tuesday evening a church in the town of Bethune was broken into and thousands of dollars of valuables were stolen including their church bus. The pastor of the Bethune Baptist church Scott Bernshausen said, ‘I came out and found the bus was stolen… We entered the building and realized that the burglars had broke in and stolen multiple TVs and electronic equipment throughout the church.” Church member Robert Horton had just been at the church around 9 p.m. Tuesday night, ‘the neighbor said maybe this happened between 9 and 10. So you never know when somethings going on or when someone could be watching what you’re doing.’” 

    Last week, this post’s author had the opportunity to visit with a church leadership team to discuss hostile events preparedness. With Board of Trustees members having watched an FB-ISAO presentation on Hostile Events (see this month’s FB-ISAO newsletter for info on the next session), recently attending local law enforcement training, and after talking with police and fire personnel, the church wanted to discuss ways to approach security and to minimize risks. Among the ideas discussed was the importance of basic facility hardening. Not every facility can have robust security measures, but it is important to have something – whether human patrols, security cameras, public address systems, mass notifications capabilities, the cloud-based Geoaware®️ platform being offered **at no cost** to FB-ISAO Pro Members by our friends at Vizsafe, or other measures. Hardening and a complete preparedness program don’t happen overnight, but can be approached in manageable steps, respecting time, resources and an assessment of risks (read a great article on preparedness from Homeland Security Today, “Hard Conversations About Soft Targets: DHS Workshop Aims to Save Lives in Mass Shootings” [28 Jun])

    “I recognize that investments don’t happen overnight… Are we building security, redundancy and resiliency into our budgets, or are we just being reactive to everything? …we will not get any better during a crisis — we will fall back to our training.” Assistant Director Brian Harrell, Assistant Director for Infrastructure Security, DHS Cybersecurity and Infrastructure Security Agency (CISA), in HS Today

    In the case of the South Carolina church noted above, the church stated that, “We do have a security system and currently it’s with the burglars. We had just purchased a security system and we just formed a security team but before we could get the security system in, it actually got stolen by the burglars.” In Virginia, the temple has security cameras installed and operational, and the Sheriff’s Office is reviewing and sharing footage with authorities in the other areas, according to WTOP. Two other recent incidents also demonstrate how cameras, which can help deter some crimes and attacks, can at least help inform post-incident investigations:

    Erie, Pennsylvania: “Erie Church’s Security Measures Help Police Track Down Attacker.” Erie News Now reported on 01 July, “The victim fought off her attacker, and he left, but not before he was caught on the church’s surveillance cameras. Erie police released a picture of the suspect, along with his physical description on social media. By nightfall, Erie police identified the man as Josue Mendez, 25, and arrested him, ‘The presence of the surveillance cameras at St. Joseph’s was certainly a help in this case,’ said Msgr. Lohse.” And in another Pennsylvania incident, “Police investigating after break-in at Northampton County church” (WFMZ, 01 July).

    And in addition to cameras, the importance of threat reporting and information sharing cannot be overstated. Beyond vandalism and crime, our community must always be ready for the possibility of hostile attackers. From WHTC in Michigan, 01 July: “Police were called at about 10 a.m. with the report of a suspicious incident at a church, which Mulder did not identify. The dispatcher was told by the church’s security official that a man made a comment about having a shotgun in his vehicle, and was headed to another church…”

    Threats exist – right now, today. We need to take reasonable actions – today. Is your organization properly, reasonably, and responsibly addressing the risks you are facing? Are you actively working on preparedness and operations to protect and prepare your people and places? FB-ISAO will be providing our next offering of the Hostile Events Preparedness Series educational presentation on 25 July. It is free, and only costs you an hour and a half of your time. Contact our team for more information on that event. 

    Join FB-ISAO! We welcome faith-based organizations, charities and critical partners to join FB-ISAO. Access our TLP AMBER and TLP GREEN reports, join our collaborative forums and working groups, participate in leadership opportunities and take the next step in enhancing your organization’s preparedness, security and resilience!

    The complete FB-ISAO Monthly Threat Overview goes into additional incidents and other threat vectors, and provides resources for members. As a TLP GREEN report, it is available to all Standard and Professional members, as well as our Government and Law Enforcement members (read more on membership here).

    Vandalism and Theft Incidents, for period from 23 May-25 June 2019.

    • In early June in London, Ontario, vandals scrawled an offensive message on the sidewalk outside of a mosque. Pictures of the graffiti were taken immediately, and police were called.
    • In early June in Germany, three mosques suffered assaults over a two-day period. At one mosque, a right-wing group desecrated the mosque walls with graffiti that said, “get out.” In Hessen, vandals threw rocks at a mosque. Finally, at a mosque in Bremen, a copy of the Quran was set on fire. Police said they were investigating the attacks and expected to arrest the perpetrators soon.
    • On 8 June, the results of a British survey revealed that criminal gangs are increasingly turning to metal theft, including from church roofs. The survey found there were on average 37 reports of lead theft from churches in Britain each month. Security experts have warned that the thieves will often get violent if confronted.
    • On 6 June in Bergen County, New Jersey, a swastika was found etched into a classroom wall at a high school. It was the second such incident in the span of two weeks. On 28 May, a swastika was discovered on the wall of a bathroom shared between the high school and middle school. Local police are investigating, but they don’t have much evidence to go on, law enforcement said.
    • On 6 June in Tulsa, Oklahoma, a man was arrested after he was caught on video smashing a church’s windows. The church sustained $1,000 worth of damage as a result. Police say the man told them he had no reason for the vandalism, other than that he was drunk.
    • On 6 June in South Derbyshire, England, thieves broke into a church and stole money from charity collection boxes. Police appealed for witnesses to come forward.
    • On 2 June in Cardiff, Wales, two men were arrested after they broke into an Islamic community center. No one was hurt as a result of the break-in.
    • On 30 May in Florence, South Carolina, a pastor pleaded guilty to bank fraud and identity theft, having used his job as a bank manager to get loans and lines of credit for elderly customers and launder the money through his church. He used the money obtained through two customers to pay for rental cars, a home security system, and hotels in Myrtle Beach. He also closed a $50,000 certificate of deposit belonging to one of the elderly victims and made payments on his delinquent mortgage. The pastor tried to hide his financial doings by depositing some of the bank money in the church’s operating account and withdrawing it for his own use. He opened an account in the church’s name at a bank and disguised a $28,500 loan withdrawal as a donation from the elderly victim. The pastor faces up to 30 years in prison and a $1 million fine for bank fraud and a mandatory two-year term for aggravated identity theft.
    • On 29 May in Anaheim, California, a man broke into a church and stole electronics and religious items. Security footage showed a man breaking into the church and stealing two iPads, a laptop, a projector, and a microphone. The suspect also damaged property inside of the church. The police department said they had not seen any evidence that would point to the burglary as a hate crime.
    • On 29 May in Lake Charles, Louisiana, acts of arson and vandalism were perpetrated against a church. Security cameras captured a suspect approaching the building with a five-gallon bucket of possibly flammable liquid. The suspect allegedly attempted to get into the church by kicking in the glass doors. Police say that the suspect, unable to gain entry, can then be seen breaking out a side window on the church and throwing the bucket of liquid into the building. The suspect allegedly made multiple trips to the broken window, throwing lit items into the building.
    • On 28 May in Austin, Texas, it was reported that a sign for “Muslim Space,” an Islamic institution, had been defaced with Islamophobic language and obscenities. The Austin chapter of the Council on American-Islamic Relations (CAIR-Austin), the nation’s largest Muslim civil rights and advocacy organization, asked police to investigate the incident.
    • On 28 May in Bellmead, Texas, a man broke into a church and stole two security cameras. The man entered the church through an unlocked window. At that time, he took a security camera and batteries for the camera. He also took a box containing keys to every door at the church. The following morning, he returned to the church and attempted to enter the front door using the keys that he took the night before. The alarm scared the man off, and he took another camera as he left. He was eventually arrested by police.
    • On 23 May in Staten Island, New York, anti-Semitic graffiti was found written on the external walls of a synagogue. The graffiti said, “synagogue of Satan.” Meanwhile, at a Jewish school across the street, the letters “SOS” had been written. A spokesman for the synagogue said security would be increased. Police said they were aware of the incident and were investigating. 