Cybersecurity company identifies months-long attack on US federal commission

Avast said the United States Commission on International Religious Freedom (USCIRF) was hit with a cyberattack.
Written by Jonathan Greig, Contributor

The United States Commission on International Religious Freedom (USCIRF) has been hit with a cyberattack, according to cybersecurity firm Avast.

Avast did not identify the federal agency affected, but The Record was able to determine it was the USCIRF.

Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, told ZDNet that they are aware of a potential cyber incident at USCIRF. 

"We are working closely with the agency to provide resources and ensure adoption of appropriate mitigation measures. As in all such cases, we worked quickly to share actionable information regarding this potential incident," Goldstein said.  

Created in 1998, USCIRF describes itself as a US federal government commission that monitors the right to freedom of religion or belief abroad.  

"USCIRF uses international standards to monitor religious freedom violations globally, and makes policy recommendations to the President, the Secretary of State, and Congress," the organization said on its website.

In Avast's report, the company said attackers were able to compromise systems on USCIRF's network in a way that "enabled them to run code as the operating system and capture any network traffic traveling to and from the infected system." 

"Further because this could have given total visibility of the network and complete control of an infected system, it is further reasonable speculation that this could be the first step in a multi-stage attack to penetrate this or other networks more deeply in a classic APT-type operation," Avast said.  

"That said, we have no way to know for sure the size and scope of this attack beyond what we've seen. The lack of responsiveness is unprecedented and cause for concern. Other government and non-government agencies focused on international rights should use the IoCs we are providing to check their networks to see if they may be impacted by this attack as well."

Avast said the attack has been going on for months and the report notes that there is evidence that the attack was done in multiple stages and may have involved "some form of data gathering and exfiltration of network traffic."

"The attempts to resolve this issue included repeated direct follow-up outreach attempts to the organization. We also used other standard channels for reporting security issues directly to affected organizations, and standard channels the United States Government has in place to receive reports like this," Avast explained.  

"In these conversations and outreach, we have received no follow up, or information on whether the issues we reported have been resolved and no further information was shared with us. Because of the lack of discernible action or response, we are now releasing our findings to the community so they can be aware of this threat and take measures to protect their customers and the community."

An Avast spokesperson told ZDNet that after the report was published, they were contacted by CISA. 

The company admitted that its analysis was based on two files it observed in the attack and noted that without more information from USCIRF, it was hard to know who the attackers were, what their motive was and what the potential impact of the attack could be.

The Avast spokesperson said that with the ability to intercept and possibly exfiltrate all local network traffic from USCIRF, the backdoor "had the potential to give the attackers total visibility of the network including information exchanged with other agencies, or international governmental or non-governmental organizations, and complete control of the agencies' system." 

"Fixing the issue, therefore, is essential, however since the agency didn't respond to us, we can't tell whether the issues we reported have been resolved," the spokesperson said. 

"Taken all together, this attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply."

It has been about one year since the SolarWinds attack, where hackers for the Russian government spent months inside the systems of multiple US government agencies, including the Justice Department, Treasury Department, Department of Homeland Security, State Department and Department of Energy. 
