Symantec announced that it has linked at least 40 attacks in 16 countries to tools that WikiLeaks obtained and exposed in its Vault 7 publication of documents on the CIA's espionage tactics.
In a lengthy report, Symantec describes a highly organized group it has named Longhorn and links it to all of these attacks. While stopping short of saying that Longhorn is made up of CIA agents, Symantec presents plenty of evidence pointing that way.
“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group,” Symantec writes.
Who is Longhorn?
Longhorn is a group that has been active since at least 2011, using a range of backdoor trojans and zero-day vulnerabilities to compromise its targets. According to Symantec, the group has infiltrated governments and internationally operating organizations, as well as targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors, although the firm doesn't name any of them. It does mention that the infected targets were located in 16 countries across the Middle East, Europe, Asia, and Africa. On the one occasion when a computer in the United States was compromised, an uninstaller was launched within hours, indicating that the infection was most likely unintentional.
Once WikiLeaks started dumping CIA files online, Symantec found that a number of those documents contain information that aligns closely with the development of one Longhorn tool the firm had been tracking, a trojan called Corentry. New features described for the tool subsequently appeared in Corentry samples obtained by Symantec.
Symantec also points to other tools detailed in the Vault 7 documents, such as Fire and Forget, a specification for user-mode injection of a payload by a tool called Archangel. Another document outlines cryptographic protocols that malware tools should follow, all of which have been observed in Longhorn's tools over the years.
Symantec has been tracking Longhorn since 2014, when the group caught the firm's attention by using a zero-day exploit embedded in a Word document to infect a target with Plexor. Other malware Longhorn has used against its targets includes Corentry, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.
“Before deploying malware to a target, the Longhorn group will preconfigure it with what appears to be target-specific code words and distinct C&C domains and IP addresses for communications back to the attackers. Longhorn tools have embedded capitalized code words, internally referenced as ‘groupid’ and ‘siteid’, which may be used to identify campaigns and victims,” Symantec adds.
According to the company, the malware created and deployed by Longhorn was specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities.