, , , , ,

You may not be the target. You may be the route to it. 

, , , , ,

Advanced targeting, supply-chain understanding and effective disruption: what Palestine Action Group tells us about business exposure, and how we can be better prepared. 

Palestine Action Group (PAG) began in 2020 as a direct-action group under its campaign message “Shut Elbit Down.” PAG initially focused on what it described at the time as taking “direct action against Israel’s arms trade in Britain.” 

Motivated by Israeli military action against Palestine, its methodology was to disrupt Elbit Systems, a core Israeli defence prime with a UK footprint, and organisations it associated with Israel’s military supply chain. Over time, its activity extended beyond Elbit sites and defence companies into a wider ecosystem of businesses, institutions and service providers it believed enabled or supported its primary target. 

Palestine Action’s activity continued against a series of high-profile targets. In June 2025, the group claimed responsibility for damaging UK military aircraft at RAF Brize Norton. Shortly afterwards, the UK Government moved to proscribe the organisation under the Terrorism Act 2000. The proscription came into force on 5 July 2025.

A trained and motivated adversary  

Open-source research conducted by BluSkills in April 2025 identified a publicly accessible Palestine Action “Target List” containing what appeared to be more than 50 targets. The listed entities were not limited to Elbit Systems sites, but included landlords, logistics and supply-chain companies, professional service providers, local authorities and other organisations associated by the campaign with Elbit’s UK operations. 

Later reporting indicated that a wider target map had grown to 148 UK targets, reportedly including government buildings, RAF bases, financial institutions and insurance firms. This list highlighted the organisation’s targeting strategy and, critically, its conceptual understanding of how to identify points of vulnerability, often less well protected, in order to have an effective, indirect and significant effect on its primary target or objective. 

Many organisations may not have been aware this list existed, or that they appeared on it. 

PAG did not hide their activity or intent. Alongside public targeting material, reporting also identified direct-action training days in Manchester, Birmingham and Leeds, indicating a clear intent to organise and upskill supporters.  

You may not be the primary target. You may be the route to it. 

For the purpose of this article, the term “action” describes a reported attack, incident, or claimed direct action linked to or claimed by PAG, identified through open-source reporting, official material, company or police comment, court reporting, or contemporaneous reported claims. 

69% of PAG actions supported wider targeting.

Infographic comparing Palestine Action reported actions against direct Elbit-linked sites and wider supply-chain or enabling relationships, showing 31% direct Elbit-linked sites and 69% wider network targets.

69% of actions were wider or non-direct targets rather than direct Elbit locations. This was based on 26 entries, all supported by credible reporting or credible source leads. 

Around 35% of those actions related to supply-chain exposure, manufacturing, logistics or packaging. When wider enabling relationships are included, such as finance, insurance, property, professional services and public-sector property interests, that rises to approximately 58%. 

This statistic shows that targeting was advanced. Suppliers and other critical business relationships can be strong, and even critical, single points of failure for large businesses and organisations. This activity is highly relevant as it replicates existing tactics seen in hybrid activity and sub-threshold activity, which nation states use to affect adversaries at reach. 

Once a campaign identifies a primary target, the organisations around that target can become exposed: suppliers, landlords, insurers, banks, logistics providers, advisers and public-sector property owners. 

It is not your sector, it is your access, visibility and criticality 

8 sectors, 58% of actions focused on wider enabling relationships. 

The stronger working set spanned at least eight broad sector groups, including defence and aerospace, finance, insurance, logistics, packaging, property, professional services, local authority/property interests, higher education and RAF/MoD-linked infrastructure. 

The evidence indicates that PAG knew how to increase its effect on Elbit. It successfully conducted actions against Elbit through sites in the UK, but also through other connections which presented a softer target. 

The appeal of this strategy may have been ease of targeting. Some of the companies may have been less well secured than an Elbit site and therefore presented an opportunity. Others, such as distributors and logistics providers, held critical relationships. 

This successful targeting and disruption of the Elbit supply chain and ecosystem highlights the role supporting businesses and organisations play in the wider context. 

Improving the standards of suppliers within your supply chain increases resilience and protects continuity, revenue and reputation. 

Image showing the sector split of stronger sourced action reporting. 8 Sectors, 54% defence/aerospace, supply chain 46%. Business security consultancy, hybrid threats.

Low-complexity does not mean low-impact 

Low-complexity actions were a feature, not a weakness. 

If we assume that one of PAG’s aims was to increase awareness and that, in order to do this, they needed to conduct more actions and increase visibility, then the tactics they used were well selected. 

Viewed through the crime cycle: motivation, opportunity and ability, PAG’s approach was tactically effective. The motivation was already present within the campaign. The ability threshold was kept low by selecting tactics that did not require high levels of technical skill. We see this through the targeting of external vulnerabilities, the use of basic tools and spray paint. These tactics made participation more accessible and perhaps supported a wider aim to recruit, mobilise and expand activity. 

Opportunity was increased through the targeting of visible and often external vulnerabilities. The outside of bank branches is a good example of an unprotected space, protected by CCTV, a situational awareness tool, but not a physical defence. A business may have strong internal security, but its public-facing frontage, signage, vehicles, deliveries, access points, reception areas, landlords, logistics providers or other exposed relationships may still present an opportunity. 

Why low-complexity activity matters in the context of hybrid threat is that hybrid activity often relies on proxies: organised criminal groups, criminal individuals or those vulnerable in society, recruited at reach, to conduct actions that are simple, deniable, repeatable and disruptive. This simplicity matters because proxy actors may have varying levels of skill, motivation and discipline. 

The targeting of property linked to Prime Minister Keir Starmer illustrates the hybrid action process. Reporting indicates that low-skilled individuals were recruited remotely through Telegram, with financial rather than ideological motivation, to conduct arson attacks on property linked to a political target. Lower ability, easy access and a motivated party completing the crime cycle. 

PAG was the canary in the coal mine 

PAG was not a hostile-state proxy, and this article does not suggest that it was, although it is worth noting that these types of campaign and societal division do offer opportunities in themselves, to be fuelled by external parties such as nation states. PAG was a low-resourced campaign funded by donations and public support; the relevance is that it exposed vulnerability patterns that better-funded hybrid actors, including hostile states and their proxies, are replicating. 

PAG’s use of low-complexity actions enabled momentum to build in a persistent campaign until its proscription as a terrorist organisation in the UK. Over this period, it cost UK businesses money, created fear and disruption, and generated publicity and pressure. 

These methods and effects are mirrored today. The target may no longer be a single company such as Elbit; it may be UK plc. That brings a wider range of UK businesses into scope, especially those operating in the defence supply chain or forming part of critical national infrastructure. 

In MI5’s October 2024 threat update, Ken McCallum said Russia’s GRU was on a “sustained mission to generate mayhem on British and European streets”, including arson, sabotage and dangerous actions. MI5’s state-based investigations had reportedly risen by 48% in the previous year. 

Security of the defence supply chain will become even more relevant. We foresee increased levels of attention and scrutiny through security auditing and the adoption of security standards by those who form part of it, to ensure the UK can deliver what it needs to, when it needs to. The cost of compliance for those who need to comply quickly with new standards will be high, and security culture will be challenging to change overnight. 

PAG has shown us how effective low-complexity, repeatable tactics can be. Incidents such as the Meest fire in Leyton, which reportedly caused £1m of damage to a warehouse storing supplies for Ukraine, including generators and Starlink equipment, show why this matters. That case, linked by authorities to Russian/Wagner activity, echoes the message. 

There is an opportunity for organisations that can demonstrate they understand the threat landscape and have taken appropriate action to mitigate these risks. For those who do not, the consequences may be painful or business-critical. Taking action now will help improve the attractiveness and resilience of your business, as well as the wider resilience of the UK. 

If your organisation forms part of the defence supply chain, supports critical national infrastructure, or has exposure through clients, sites, suppliers or public-facing assets, BluSkills can help you understand where you are visible, where you are vulnerable, and what practical action should be taken next. 

If your organisation supports the defence supply chain, critical infrastructure or high-profile clients, BluSkills can help you understand where you are visible, where you are vulnerable and what practical action should be taken next.

Arrange a confidential security Briefing
Review your business exposure


Methodology 

For the purpose of this article, the term “action” describes a reported attack, incident, or claimed direct action linked to or claimed by Palestine Action Group (PAG), identified through open-source reporting, official material, company or police comment, court reporting, or contemporaneous reported claims. 

BluSkills conducted an initial open-source review to assess visible targeting patterns, sector spread and the campaign’s targeting logic. This review is not presented as a complete dataset of all Palestine Action activity. It distinguishes between confirmed reported incidents, publicly reported claims of responsibility, contested target relationships and credible source leads. 

Where a target organisation disputed its alleged relationship to Elbit Systems or Israel-linked defence supply chains, that dispute was recorded separately. The purpose of the review was not to prove every claim made by PAG, but to assess what its claimed and reported activity reveals about target selection, exposed relationships and business vulnerability. 

The statistics used in this article, including the 69%, 58% and 35% figures, are drawn from the stronger part of BluSkills’ working review. These entries were supported by credible reporting, official material, company or police comment, court reporting, civil claim reporting, or credible source leads. They should be read as an evidence-based assessment of visible open-source patterns, not as a forensic or exhaustive incident count. 

 References 

  • BluSkills open-source research note, April 2025.  

  • BluSkills PAG claimed/reported targets register.  

  • UK Parliament, Home Secretary written statement on Palestine Action proscription, 23 June 2025.  

  • UK legislation / Home Office explanatory material, Terrorism Act 2000 (Proscribed Organisations) (Amendment) Order 2025.  

  • The Times / Sunday Times reporting on Palestine Action target map, claimed actions, training days and affected organisations.  

  • KentOnline reporting on Kite Packaging, Sittingbourne / Bobbing incident.  

  • The Guardian reporting on Allianz civil claim and Palestine Action protests.  

  • The Times reporting on Barclays branch vandalism.  

  • The Times / Sunday Times reporting on Fisher German and repeated targeting.  

  • Guardian, AP and FT reporting on Elbit Systems UK / Filton / Bristol incidents.  

  • AP, Guardian and FT reporting on RAF Brize Norton incident.  

  • MI5 Director General Ken McCallum, October 2024 threat update.  

  • NATO statement on Russian hostile activity across Allied territory, May 2024.  

  • Europol Serious and Organised Crime Threat Assessment 2025.  

  • AP and Guardian reporting on the Leyton / Meest warehouse arson case.  

  • Reporting on arson attacks against property linked to Prime Minister Keir Starmer. 

Trustpilot