Cybersecurity company identifies months-long attack on US federal commission
The United States Commission on International Religious Freedom (USCIRF) has been hit with a cyberattack, according to cybersecurity firm Avast.
Avast did not identify the federal agency affected but The Record was able to determine it was the USCIRF.
The Cybersecurity and Infrastructure Security Agency (CISA) declined to comment on the attack and said all requests for more information should go to USCIRF. USCIRF did not respond to requests for comment.
Created in 1998, USCIRF describes itself as a US federal government commission that monitors the right to freedom of religion or belief abroad.
“USCIRF uses international standards to monitor religious freedom violations globally, and makes policy recommendations to the President, the Secretary of State, and Congress,” the organization said on its website.
In Avast’s report, the company said attackers were able to compromise systems on USCIRF’s network in a way that “enabled them to run code as the operating system and capture any network traffic traveling to and from the infected system.”
The report notes that there is evidence that the attack was done in multiple stages and may have involved “some form of data gathering and exfiltration of network traffic.”
“Further, because this could have given total visibility of the network and complete control of an infected system, it is further reasonable speculation that this could be the first step in a multi-stage attack to penetrate this, or other networks more deeply in a classic APT-type operation,” Avast said.
“That said, we have no way to know for sure the size and scope of this attack beyond what we’ve seen. The lack of responsiveness is unprecedented and cause for concern. Other government and non-government agencies focused on international rights should use the IoCs we are providing to check their networks to see if they may be impacted by this attack as well.”
Avast said the attack had been going on for months, yet USCIRF and CISA refused to engage with the company when notified. Avast says it tried multiple channels over the course of months to help resolve the issue but was ignored after initial communications.
“The attempts to resolve this issue included repeated direct follow-up outreach attempts to the organization. We also used other standard channels for reporting security issues directly to affected organizations and standard channels the United States Government has in place to receive reports like this,” Avast explained.
“In these conversations and outreach we have received no follow-up or information on whether the issues we reported have been resolved, and no further information was shared with us. Because of the lack of discernible action or response, we are now releasing our findings to the community so they can be aware of this threat and take measures to protect their customers and the community.”
An Avast spokesperson told ZDNet that after the report was published, they were contacted by CISA.
The company acknowledged that its analysis was based on two files it observed in the attack and noted that, without more information from USCIRF, it was hard to know who the attackers are, what their motive is, and the potential impact of the attack.
The Avast spokesperson said that with the ability to intercept and possibly exfiltrate all local network traffic from USCIRF, the backdoor “had the potential to give the attackers total visibility of the network including information exchanged with other agencies, or international governmental or non governmental organizations, and complete control of the agencies’ system.”
“Fixing the issue therefore is essential, however since the agency didn’t respond to us, we can’t tell whether the issues we reported have been resolved,” the spokesperson said.
“Taken altogether, this attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply.”
It has been about one year since the SolarWinds attack, where hackers for the Russian government spent months inside the systems of multiple US government agencies including the Justice Department, Treasury Department, Department of Homeland Security, State Department and Department of Energy.