CIA tools exposed by Wikileaks linked to hacking across 16 countries

The North American-based Longhorn group has been using espionage tools against foreign targets for a sustained amount of time, say researchers.
Written by Danny Palmer, Senior Writer

Those carrying out the attacks against Middle Eastern, Africa, European, and Asian targets have nation-state level abilities

Image: Shutterstock

Security researchers have confirmed that the CIA hacking tools exposed by Wikileaks have been used against targets in at least 16 different countries.

Last month, WikiLeaks published over 8,000 documents -- apparently internal CIA files -- detailing the intelligence agency's hacking programmes.

Now, security company Symantec said it has tied the documents to the activities of a sophisticated cyberespionage operation it has been tracking for some time, which it has called 'Longhorn'. It said, for example, the makers of the tools and the Longhorn group share cryptographic protocols specified in the Vault 7 documents published by Wikileaks.

The tools haven't been picked up by attackers following the Vault 7 leak -- which detailed secret CIA files for hacking iPhones, Android, smart TVs, and more -- but rather used as part of longstanding espionage campaigns. Symantec said it "couldn't speculate" as to the real identity of the group, which has advanced capabilities and apparently is not running campaigns against North America targets.

Longhorn has been active since at least 2011, using a variety of backdoor Trojans and zero-day vulnerabilities to infiltrate governments and international organisations, as well as targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors.

The group has infected targets throughout the Middle East, Europe, Asia, and Africa. Although researchers detail how the group once infected a machine in the US, an uninstaller was launched within hours -- potentially indicating "this victim was infected unintentionally".

Symantec has linked a number of malware variants and vulnerabilities disclosed by Wikileaks in the Vault 7 documents to Longhorn. For example, one of the documents details a changelog of dates for malware called Fluxwire, detailing when new features were incorporated.

The dates of these changes to Fluxwire correspond with developments of the Corentry Trojan tracked by Symantec. New features of Corentry appeared on the same dates listed in the Vault 7 documents, leading researchers to conclude that the two forms of malware are one and the same.

That isn't the only correlation between Vault 7 and Longhorn: the Vault 7 documents detail 'Fire and Forget' -- a specification for the user-mode injection of a payload by a tool called Archangel. The specification of the payload and the interface it used to load closely resembles a Longhorn Trojan horse called Plexor.

Longhorn's espionge tools also use techniques such as Real-time Transport Protocol as a means of command and control communications, employing wipe-on-use as standard practice, secure erase protocols involving renaming and overwriting, and more.

All of these are also techniques detailed in the Vault 7 leaks and, while other malware families are known to use these practices, Symantec researchers say that "the fact that so many of them are followed by Longhorn makes it noteworthy".

Ultimately, all of Longhorn's malware is designed for cyberespionage, with the ability for detailed system fingerprinting and exfiltration capabilities. The malware is extremely stealthy, only communicating with its control server at random times and with upload limits in order to avoid detection.

Cybersecurity researchers at Symantec had been monitoring Longhorn for some time prior to the Wikileaks breach. The group is described as well-resourced and working a standard Monday to Friday working week -- behaviour which is consistent with the activity of state-sponsored groups -- and operating in an American time zone.

Analysis of the group's activity indicates that it's from an English speaking North American country, with code words found in the malware referring, the band The Police with codewords including REDLIGHT and ROXANNE, as well as colloquial terms such as SCOOBYSNACK.

"Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide. Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7," the Symantec document on the group concludes.


Editorial standards