Date:

Dec 2021

Location:

United States of America

Summary

A sophisticated threat actor compromised the United States Commission on International Religious Freedom, deploying backdoors that granted full control over internal systems and enabled potential interception and exfiltration of sensitive network traffic, including communications with other government agencies and international organizations. Avast attributed the breach to a classic advanced persistent threat (APT) operation, suggesting state-sponsored involvement; the weak technical overlaps it found with a prior campaign were not sufficient for definitive attribution. The agency did not engage with researchers following notification, limiting insight into the full scope of the intrusion beyond the identified malicious files.


Description

On December 16, 2021, antivirus firm Avast disclosed a security breach involving a U.S. federal government agency, later identified as the United States Commission on International Religious Freedom (USCIRF). Avast researchers discovered that a sophisticated threat actor had compromised USCIRF’s internal network and deployed two malicious files functioning as backdoors. These files granted attackers unrestricted control over infected systems, enabling them to execute arbitrary code within the operating system’s context. The compromise allowed adversaries to intercept and potentially exfiltrate all local network traffic, including communications with other U.S. government agencies, international governmental bodies, and NGOs focused on human rights monitoring. USCIRF’s role in advising the President, Secretary of State, and Congress on international religious freedom violations meant its compromised systems likely contained sensitive data on global human rights abuses and policy recommendations. Avast notified USCIRF of the breach but received no response, preventing further collaboration to investigate the full attack chain or identify additional compromised assets.


Avast characterized the intrusion as a “classic APT-type operation,” indicating involvement by a state-sponsored advanced persistent threat group. Researchers identified limited technical overlaps with Operation Red Signature, a 2018 campaign targeting South Korean entities documented by Trend Micro, though insufficient evidence precluded formal attribution. The breach’s operational impact included prolonged unauthorized access to USCIRF’s network, with attackers maintaining persistent control over systems. No public statements or remediation actions by USCIRF were reported following Avast’s disclosure. The absence of cooperation hindered efforts to determine the attack’s initial vector, duration, or full scope of data exposure. Potential consequences included the compromise of unclassified but diplomatically sensitive information shared between USCIRF and its partners, potentially undermining U.S. policy coordination on international religious freedom issues.
