
Cyber-Religious Threat Landscape - Victims & Perpetrators

Updated: Oct 7, 2021

By Cameron Silva

The relationship between the cyber realm and religion is ever-changing and will continue to develop as technology and the internet advance. As a proud partner of FB-ISAO, AdvIntel presents this in-depth analysis of the cyber-religious threat landscape to demonstrate how religious entities are often the victims of threat actors utilizing the cyber realm against them, while extremists utilize the cyber realm to their advantage as well.


Amidst the current pandemic, most religious institutions have been forced to utilize technology and the internet in order to host virtual assemblies and accept donations. This sudden change gives cyber threat actors the increased ability to exploit religious institutions while the institutions adapt to using the internet for their religious purposes.

The broader exposure to the cyber domain creates new threats. Botnets, ransomware gangs, and state-sponsored threat actors have targeted religious institutions on a large scale for political and financial reasons. Ironically, some threat actors could be members of the religious community as well - religious extremists utilize the cyber realm to organize and communicate anonymously, which can escalate and influence terrorist attacks.

The cyber-religious threat landscape is definitively dynamic and ever-changing as technology and the internet continue to develop. It includes several major threat areas - APTs, political cyber groups, botnets, and ransomware operators.

APT Threat: Case Study - Vatican-China Relations

Historically, the Vatican and the approximate population of 10,000,000 Chinese Catholics have been isolated from one another. About 5 million people of the Catholic population in China swear their allegiance to the CPA (Catholic Patriotic Association), the Chinese government's bureau for supervising the Catholic populace. The other 5 million Chinese Catholics refuse to swear allegiance to the state-run Catholic supervising bureau and instead, swear their allegiance to the Vatican and its religious leadership. China's CPA, in the past, has recognized several Catholic bishops but failed to reach a consensus with the Vatican which deemed Chinese state-sponsored bishops as illegitimate and had them excommunicated from the church. This differentiation in the allegiance of China's Catholic populace has influenced China to try to develop an agreement with the Vatican in order to unite the CPA and the Vatican. This deal came to fruition in September of 2018 and was named the China-Holy See agreement. In the stipulations of this deal, the Vatican had to recognize the CPA's bishops they formally excommunicated.

Despite the success of this agreement between the Vatican and China, there were concerns from China that the Vatican would not renew the deal once the 2-year period was completed. The Vatican refusing to renew the deal was not in China's strategic interests, so China was able to exploit its state-sponsored cyberthreat group RedDelta (initially reported by Recorded Future) in order to pressure the Vatican to extend the China-Holy See agreement. China sought to unite and supervise its 5 million 'underground' Catholics who are aligned with the Vatican instead of the CPA, so China used RedDelta to gain leverage over the Vatican to extend the agreement by targeting Catholic entities with various cyberattacks starting in May of 2020.

RedDelta attacked Catholic entities by way of spear-phishing in order to distribute and infect victims with PlugX malware. Once PlugX is distributed onto a system, the group allegedly has the ability to:

  • Take control of the affected system(s) remotely without permission or authorization

  • Perform data theft

  • Copy, move, rename, execute, and delete files

  • Log keystrokes

  • Fingerprint the infected system

Although neither China nor the Vatican ever publicly acknowledged that cyberattacks from RedDelta were a contributing factor to the extension of the China-Holy See agreement, it can be reasonably inferred. China's alliance with the Vatican gives the CPA the ability to supervise and control 5 million of China's 'underground' Catholic citizens to a greater degree because of the legitimacy of having the recognition of the Vatican, a luxury that the Chinese Communist government does not wish to relinquish. When China's Foreign Ministry announced that the negotiations for the extension of the China-Holy See agreement with the Vatican were successful on September 10, 2020, the threat activity of RedDelta suddenly declined. The immediate ceasing of threat activity against Catholic entities is not a coincidence and may have much greater implications if these types of attacks are to continue elsewhere.

With the success of extending the China-Holy See agreement with the assistance of cyberattack leverage over the Vatican, there are many considerations about China's future in relation to this behavior and strategy. Given the potentially large amount of information China gathered from Catholic entities from May 2020 to September 2020, it is likely that this information would be used against the Vatican in negotiations to extend the China-Holy See agreement once again in 2022. It also shows the amount of power China holds through state-sponsored threat groups whose tactics, techniques, and procedures are aligned with its strategic interests: it could dictate terms in its favor with technologically inferior partners or opponents in future conflicts or 'diplomatic' negotiations.

Saint Peter's Square

Political Groups: Case Study - Religious Extremists

Religious extremist groups utilize the cyber realm in order to recruit potential members, post 'news' and propaganda, and privately communicate with one another. The most notorious example of religious extremists that use the cyber realm to advance their movement is ISIS, but the practice is not exclusive to that group. The threats posed by religious extremists online are much different than those posed by hacker groups because religious extremists do not typically have the technological capabilities or desire to benefit from their actions financially, but rather have the ambition to gather and exchange ideas with other extremists. The utilization of the cyber realm by religious extremists is aimed at projecting their extremist ideologies, recruiting members, and potentially participating in terrorist activities or hate crimes.

ISIS utilizes the cyber realm for a multitude of strategic purposes but specifically uses social media as a tool for radicalization and recruitment. Since the declaration of the reestablishment of the Islamic caliphate in 2014, ISIS has used social media as a tool to post appalling photos and videos of people being executed in order to intimidate its enemies and recruit members that believe in its extremist ideology. ISIS's social media presence not only looks to radicalize people within the Middle East with its fundamentalist ideology, it also looks to branch out to an international audience. An example of this would be how the popular ISIS publication Dabiq is posted in many languages such as English, French, German, and Russian as well as Arabic. This is used to get the attention of the international community of potential jihadists. ISIS also converts Dabiq into an online format, which allows for relative ease in terms of distribution.

Cover of Dabiq Magazine; Credit: Counter Jihad Report & Christian Today

Self-identified Christian radicals and white supremacists also use social media as a platform to recruit, post media, and organize terror and hate-related actions. In prior years traditional media was utilized by all religious extremists, but in recent years companies such as Facebook, Twitter, and YouTube have been actively banning hate groups from gathering on their platforms. In response, Christian extremists and white supremacist groups similar to the Ku Klux Klan (KKK), Army of God (AOG), Council of Conservative Citizens (CCC), etc. have moved to alternative and less regulated media platforms to gather, communicate, and post media.

Islamic and Christian extremist religious groups alike use platforms such as Telegram to communicate with their respective groups. On these platforms, ISIS extremists will post videos of executions, rapes, assassinations, etc., and will get praise from peers for doing so. Similarly, after a gunman opened fire on a synagogue in Halle, Germany, killing 2 and injuring 3, many Telegram channels that contained extremists called the shooter a 'hero' and a 'saint' for his actions. Religious extremists of all types gather on alternative media platforms like Telegram because they are encrypted and purposely meant to be anonymous. They also migrate to platforms like Gab, BitChute, 4chan, and 8chan (8kun) when banned from traditional social media or to be more anonymous. It is apparent that terrorist organizers utilize these anonymous social media platforms to assist in the organization of low-tech terrorism and active shooter attacks.

DarkWeb Intelligence

AdvIntel's analysts utilized Andariel's DarkWeb monitoring system to attempt to investigate activity related to the religious sector. Analysts searched key terms such as: "Church," "Christian," "Catholic," "Baptist," "Methodist," "Islam," "Mosque," "Jewish," "Synagogue," "Religion," "Religious," "Faith," "Christ," "Muhammad," and many other religiously affiliated keywords in Andariel's DarkWeb monitoring system along with their Russian, Spanish, Portuguese, Hebrew, Arabic, and Chinese translations.

AdvIntel has identified several cases in which sensitive data from religious institutions was advertised on top-tier DarkWeb forums; however, no major activity has been identified. The lack of prevalence of postings and auctions related to religious entities on the DarkWeb shows that threat actors targeting religious entities often do so for purposes other than auctioning sensitive data for monetary gain.

Ransomware & Botnet Intelligence

According to AdvIntel's monitoring system, the amount of botnet infections, Remote Desktop Protocol (RDP) exposure, and exploits affecting religious entities has increased this year. As illustrated in the chart below, Christian entities account for a substantial majority of the infections, over 90%. Islamic and Jewish entities were about 4.2% of the compromises collectively.

The vast majority of the infected entities were located in the United States, but some were also located in Canada, the United Kingdom, and the Philippines. Evidently, entities that are American and Christian are the most likely to be infected and potentially compromised according to AdvIntel's botnet data. Religious entities often do not have IT staff or cybersecurity teams assisting them when operating on the internet, leaving them susceptible to attacks by cyberthreat actors. Cyberattacks could potentially end the ability of victims to host virtual assemblies and collect donations amidst the societal disarray associated with COVID-19.

With many of the religious entities being associated with healthcare and education, a cyberattack initiated through botnets or through compromised RDPs against a religious target could severely damage the infrastructure within these sectors as well.

Many malware strains used in the monitored attacks have the ability to log keystrokes, steal login credentials, load additional malware, and steal financial data. Stealthy botnet strains have comparable abilities and are commonly used to compromise systems by uploading ransomware.

AdvIntel-observed infections, RDP exposure cases, DarkWeb threats, and other indications of compromise related to religious entities, based on denomination


In the age of technology, religious institutions are particularly vulnerable to cyberattacks because they are more traditional in nature, sometimes less technologically advanced, and were forced to integrate on the internet since the start of the COVID-19 pandemic. This integration, combined with a lack of IT support and cybersecurity, leaves religious entities susceptible to cyberattacks by threat actors. Cyber threat actors could load malware onto religious entities' computer systems which could steal login credentials and financial data, and load ransomware which could completely halt virtual assemblies. In addition to this, website defacements by cyber threat actors are common. For example, in 2014, a Jewish temple website was attacked by anti-Semitic threat actors who uploaded anti-Semitic and pro-ISIS messages. These types of attacks are the consequences of a lack of general cybersecurity for local religious institutions.

The cyber-vulnerabilities do not simply apply to local entities though - they apply to international religious communities such as the Vatican. The manipulation in order to extend the China-Holy See deal has set a precedent for other technologically advanced governments and groups to take advantage of religious entities for their own gain whether political or financial.

As opposed to cyber threat actors exploiting religious institutions, there are prevalent religious extremist threat actors who use the cyber realm to communicate and organize in secret. While cyber threat actors typically exploit the internet for financial gain, religious extremist threat actors exploit the internet to organize terror operations which have extremely dangerous physical security implications.

Ultimately, the cyber-religious threat landscape is ever-changing with the continuous development of technology and the internet. As technology develops so will the methods of threat actors that wish to exploit the cyber realm for their own benefit.

Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and DarkWeb economy, and mitigate any existing or emerging threats.

Cameron Silva is a Threat Intelligence Analyst with Advanced Intelligence, LLC, U.S. Army Affiliate, Research Assistant specializing in Middle Eastern & Central Asian Terrorism, and B.A. History Student at the University of Massachusetts-Dartmouth.
