US federal agency compromised in suspected APT attack

A sophisticated threat actor has gained access and has backdoored the internal network of a US federal government agency, antivirus maker Avast reported this week.

The security firm did not name the agency in its report, but The Record understands that the target of the attack was the United States Commission on International Religious Freedom (USCIRF).

According to its website, the USCIRF is tasked with monitoring the right to freedom of religion and belief abroad and then making policy recommendations to the President, Secretary of State, and US Congress.

The agency has a primary role in shaping US policy in regards to human rights violations and possible sanctions that the US may impose on misbehaving states, and as a result, it is very likely to have access to reports of current abuses across the world.

But despite the sensitive nature of the data it processes, Avast said in a report on Thursday that the agency was unresponsive after notifying it of a security breach of its internal network.

Backdoor and traffic interception malware discovered

Avast researchers said they found traces of two malicious files on its network that effectively granted attackers full control over internal systems.

"[B]ased on our analysis of the files in question, we believe it's reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization," the Avast team said.

"This could include information exchanged with other US government agencies and other international governmental and nongovernmental organizations (NGOs) focused on international rights."

"We also have indications that the attackers could run code of their choosing in the operating system's context on infected systems, giving them complete control," the Czech security firm added.

Avast said that because the agency refused to interact with its researchers, it couldn't elaborate on the entire attack chain beyond the two files it detected.

However, the security firm said it believes the attack was "a classic APT-type operation," where APT stands for "andvanced persistent threat," a term used by the cybersecurity industry to describe state-sponsored groups.

Researchers said they noted some thin connections to Operation Red Signature, a report published in 2018 by Trend Micro, but the evidence was not enough to make a formal attribution without a more extensive view into the current attack.

The Record has sent a request for comment to the USCIRF but has not heard back from the agency.