Past cyber attacks on scores of organizations around the world were conducted with top-secret hacking tools that were exposed recently by the Web publisher Wikileaks, the security researcher Symantec Corp SYMC.O said on Monday.
After WikiLeaks dumped Vault 7, a collection of documents allegedly stolen from the CIA, Symantec experts started going through those files, which were mostly wiki pages and manuals for all sorts of hacking tools. While the Central Intelligence Agency has not publicly said the documents are legitimate, security firm Symantec is claiming it has found some of the security vulnerabilities described being used in the wild by a North American hacking group it calls Longhorn. Longhorn also uses some of the same "cryptographic protocols" as some of the Vault 7 documents and employed similar outlined guidelines to avoid detection.
Longhorn has been active since at least 2011, using a variety of backdoor Trojans and zero-day vulnerabilities to infiltrate governments and worldwide organisations, as well as targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors.
In part because some of the targets are USA allies in Europe, "there are organizations in there that people would be surprised were targets", Chien said.
Though Symantec steers clear of naming who is behind the attacks, there are strong hints of a United States origin, given that those attacked by the software were in the Middle East, Europe, Asia and Africa.
Symantec named the group Longhorn, while Kaspersky tracked its activity under the name Lamberts. The CIA hasn't confirmed the veracity of the documents. Symantec found indications that the group likely originated from an English-speaking North American country.
The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.
Researchers Count at Least 40 Longhorn Targets Across 16 Countries
Jeremy Kirk (jeremy_kirk) • April 11, 2017
Malware that Symantec calls Corentry appears to correlate with Fluxwire malware described in the Vault 7 release. Longhorn even used "SCOOBYSNACK" as a code word in its malware.
Symantec reached that conclusion by comparing information taken from the Vault 7 documents with everything it's learned about Longhorn.
Researchers have been tracking Longhorn since 2014, when they discovered an attack involving a zero-day exploit and a backdoor known as "Plexor".
Exhibit A in Symantec's case is the set of Vault 7 documents describing malware called Fluxwire.
Long before WikiLeaks claimed the malware was created by the CIA, Symantec had already assumed the group responsible, which it dubbed "Longhorn", was government-sponsored.
The combination of valuable zero-day flaws and the use of advanced malware attack capabilities seen in Longhorn attacks leaves little doubt that this is the work of a single group, Symantec says.