‘CIA hacking tools were used to attack organizations in 16 countries’
According to a Symantec investigation, CIA tools published by WikiLeaks as part of the Vault 7 files have been used to attack targets in 16 countries. The company attributes the attacks to a group it calls Longhorn, which has been active since at least 2011.
The victims include some 40 targets in Europe, the Middle East, Asia and Africa: governments, banks, telecom companies, energy companies and IT companies. In one case a computer in the US was infected, but an uninstaller was run there within hours, which suggests that the infection may have been unintentional.
There are strong similarities between the tools used by Longhorn and the descriptions in the WikiLeaks publication from early March. For example, the entries in the changelog of the Fluxwire tool match the dates on which Symantec observed the same changes in a tool it has named Corentry. The company therefore has little doubt that it is the same tool.
Other similarities exist between the CIA "Fire and Forget" specification and a tool known to Symantec as the Plexor backdoor. The cryptographic requirements in that specification, which call for SSL and AES with a 32-byte (256-bit) key, among other things, also match what the security company found in the malware.
Symantec has also released details about Longhorn's working methods. These make it clear that the group had information about its targets in advance: the malware carries target-specific designations, and a separate C2 server is used for each target. In addition, so-called group IDs and site IDs are used to identify targets; in one case these were "redlight" and "roxanne", a reference to the well-known song by The Police.
Before the Vault 7 link emerged, Symantec had already classified Longhorn as "a well-resourced organization specializing in intelligence-gathering." The company does not go so far as to explicitly tie Longhorn to the CIA, but points out that the similarities are very strong. Other findings that point in the same direction are that the group was active during regular business hours and that typically North American terms, such as "scooby snack", appear in its code.