Alleged APT implanted a backdoor in the network of a US federal agency

Pierluigi Paganini December 20, 2021

An alleged APT group planted a backdoor in the network of a U.S. federal government commission associated with international rights.

Experts spotted a backdoor in the network of an unnamed U.S. federal government commission associated with international rights.

The backdoor gave the threat actors complete control over the infected networks; the experts described the compromise as a “classic APT-type operation.”

According to security firm Avast, which discovered the attack, the backdoor was likely used as the initial vector in a multi-stage attack to penetrate the government network.

“While we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the files in question, we believe it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization. This could include information exchanged with other US government agencies and other international governmental and nongovernmental organizations (NGOs) focused on international rights.” reads the analysis published by Avast. “We also have indications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving them complete control.”

The media outlet The Record speculates that the federal agency compromised by threat actors is the U.S. Commission on International Religious Freedom (USCIRF).

“A sophisticated threat actor has gained access and has backdoored the internal network of a US federal government agency, antivirus maker Avast reported this week.” reported The Record. “The security firm did not name the agency in its report, but The Record understands that the target of the attack was the United States Commission on International Religious Freedom (USCIRF).”

The USCIRF monitors the right to freedom of religion and belief abroad and makes policy recommendations to the President, the Secretary of State, and the US Congress.

Avast disclosed the attack after failing to directly report the compromise to the agency.

The security firm found two malicious files on the network of the impacted agency that allowed the attackers to gain full control over internal systems.

Threat actors were able to intercept and possibly exfiltrate all local network traffic in this organization, including information exchanged with other US government agencies and other international governmental and nongovernmental organizations (NGOs) focused on international rights.

“We also have indications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving them complete control” continues the report.


Both samples analyzed by the experts masquerade as an Oracle library named “oci.dll.” The second file replaced the first at a later stage of the attack and is a decryptor very similar to the one described by Trend Labs in its analysis of Operation Red Signature.

The similarities led the Avast experts to speculate that the threat actors had access to the source code of the malware used in Operation Red Signature.

“The second version of the oci.dll shows several markers in common with rcview40u.dll that was used in Operation Red Signature such that we believe these attackers had access to the source code of the malware used in that attack.” concludes the report. “Because the affected organization would not engage we do not have any more factual information about this attack. It is reasonable to presume that some form of data gathering and exfiltration of network traffic happened, but that is informed speculation. Further because this could have given total visibility of the network and complete control of an infected system it is further reasonable speculation that this could be the first step in a multi-stage attack to penetrate this, or other networks more deeply in a classic APT-type operation.”
