Malware and hacking tools that mirror those detailed in purported Central Intelligence Agency (CIA) Vault 7 documents released by WikiLeaks have been used in numerous cyberattacks in recent years, according to cyber security firm Symantec.
The tools have been used primarily by a group Symantec identified as Longhorn. The collective has been active since at least 2011 and has been tied to attacks against 40 targets in 16 different countries.
Symantec claims it has been tracking the group for three years, keeping a close eye on its behavior in order to protect against similar attacks. Since the release of CIA documents by WikiLeaks as a part of its Vault 7 series, the security firm has been able to match the technical documentation from supposed CIA hacks to those performed by Longhorn.
According to Symantec, the Longhorn group has used some of the same cryptographic protocols identified in the Vault 7 documents. The group also used tactics for avoiding detection that were similar to ones in the leaks.
In one instance, Symantec traced a piece of malware called Trojan.Corentry, used by Longhorn, to a purported CIA tool called Fluxwire that was unveiled by WikiLeaks. The security firm found that new features in Trojan.Corentry mirrored ones described in the Fluxwire documentation, and noted that those features appeared in samples of the malware on or shortly after the dates the corresponding features were recorded in the Fluxwire changelog.
A number of similar instances, where direct correlation between Longhorn’s behavior and CIA documentation can be found, led Symantec to conclude “there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group.”
Given the apparent evidence that Longhorn is a hacking group within the CIA, it’s interesting to take note of the group’s targets over the last several years. According to Symantec, the group has targeted governments and international organizations in attacks.
Targets of Longhorn have included individuals and organizations working in the financial, telecom, energy, aerospace, information technology, education and natural resources sectors. While Symantec doesn’t name names directly, it argues all of the organizations targeted would be of interest to a nation-state attacker.
Attacks from Longhorn took place in countries across the Middle East, Europe, Asia and Africa. On one occasion, the group infected a computer in the United States but quickly uninstalled the malware, perhaps because the machine had been infected unintentionally.
The evidence presented by Symantec isn’t irrefutable proof that the documents disclosed by WikiLeaks in Vault 7 are legitimate, but it is the closest indication yet to suggest the supposed CIA hacking tools are not only real but have been used to attack targets around the world.