Symantec attributes 40 cyber attacks to CIA-linked hacking tools

The security firm Symantec believes it has observed one of the hacking tools described in Central Intelligence Agency files released by WikiLeaks to a series of different attacks dating back to 2011.

Longhorn is a mysterious hacking group categorized as an advanced persistent threat, or APT, and it has been active since at least 2011. Because the executable code was apparently scrubbed from the documents, researchers found attributable information in a series of referenced program notes, updates, code revisions, interface details and other indicators, which directly correlated with Longhorn's past activities. All of the organisations targeted would be of interest to a nation-state attacker. "Then, more recently, information via Vault 7 came out and Symantec was able to determine that the tools and activity we had been tracking from Longhorn closely match some of the information disclosed in Vault 7".

Long before WikiLeaks claimed the malware was created by the CIA, Symantec had already assumed the group responsible, which it dubbed "Longhorn", was government-sponsored.

Since WikiLeaks published its first Vault 7 installment in early March, there has been no outside source to either confirm or refute the authenticity of the documents. New features of Corentry, one of the Longhorn malware families, appeared on the same dates listed in the Vault 7 documents, leading researchers to the conclusion that the two forms of malware are one and the same.

"The malware had all the hallmarks of a sophisticated cyberespionage group", Symantec writes. The researchers have found a striking resemblance between the tools and work practices described in Vault 7 and those used by Longhorn. The group also uses the codeword SCOOBYSNACK in its malware documents, which Symantec says hints that it comes from an English-speaking region. The shared practices include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-bit key. Most of the malware can also be customized with additional plugins and modules, some of which have been observed by Symantec.

Longhorn's malware seems tuned for cyberespionage, with components for fingerprinting systems, discovering other systems and exfiltrating data, Symantec adds. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.

"We can not exclude the possibility that any government is working to develop sophisticated code, malware, (zero-day) exploits and hacking tools in order to gather intelligence".

Analysis of the Longhorn code strongly suggests that the group is based in North America, and timestamps that adhere to regular office hours suggest state involvement. Longhorn is nearly certainly a state-sponsored hacking group operating in North America on a 9-to-5 weekday schedule, which Symantec determined from date stamps, the use of American pop culture terms like "Scoobysnack", and other indicators. The Symantec research establishes without a doubt that the malware described in the trove is real and has been used in the wild for at least six years.
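The office-hours reasoning above is a standard threat-intelligence check: take the compile timestamps recovered from a malware family's samples and ask which UTC offset makes them cluster into a Monday-to-Friday, 9-to-5 working day. The script below is an added illustration of that check, not Symantec's tooling or data; the timestamps are constructed to resemble a weekday-clustered set and are not real Longhorn values.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of PE compile timestamps in UTC (illustrative only,
# not recovered from any real Longhorn sample). Ten fall on weekdays in
# a band consistent with a North American working day; two are outliers.
SAMPLE_TIMESTAMPS = [
    "2013-03-04T14:05:00Z", "2013-03-04T16:40:00Z",
    "2013-03-05T15:20:00Z", "2013-03-05T19:10:00Z",
    "2013-03-06T17:30:00Z", "2013-03-06T21:45:00Z",
    "2013-03-07T14:55:00Z", "2013-03-07T18:15:00Z",
    "2013-03-08T20:00:00Z", "2013-03-08T21:30:00Z",
    "2013-03-09T15:00:00Z",  # Saturday: weekend outlier
    "2013-03-11T13:30:00Z",  # Monday, but before 09:00 at UTC-5
]


def _to_local(ts, utc_offset_hours):
    """Parse an ISO-8601 UTC timestamp and shift it to a fixed UTC offset."""
    utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=utc_offset_hours)))


def office_hours_fraction(timestamps, utc_offset_hours, start=9, end=17):
    """Fraction of timestamps landing Mon-Fri in [start, end) local time."""
    hits = sum(
        1
        for ts in timestamps
        if (loc := _to_local(ts, utc_offset_hours)).weekday() < 5
        and start <= loc.hour < end
    )
    return hits / len(timestamps)


def local_hour_histogram(timestamps, utc_offset_hours):
    """Count of timestamps per local hour, for eyeballing the daily pattern."""
    return Counter(_to_local(ts, utc_offset_hours).hour for ts in timestamps)


def best_offsets(timestamps):
    """UTC offsets (whole hours, -12..+14) that maximise the office-hours fit.

    A tie list rather than a single answer: this is a weak, corroborating
    signal. Compile timestamps can be zeroed or forged, DST shifts the
    apparent offset by an hour across the year, and a contractor or a
    night-shift team breaks the 9-to-5 assumption entirely.
    """
    scores = {off: office_hours_fraction(timestamps, off) for off in range(-12, 15)}
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top), scores
```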