Symantec he said that he managed to link at least 40 attacks in 16 countries, carried out using tools and that WikiLeaks first announced through Vault 7 that reveals the tactics espionageof the CIA.
In a lengthy report, Symantec talks about a well-organized group called Longhorn and, according to the security company, made those attacks. The company emphasizes that Longhorn is made up of CIA agents, and has plenty of evidence.
"The tools used by Longhorn follow exactly the development schedule and technical specifications set out in the documents published by Wikileaks. The Longhorn team shares the same encryption protocols set out in the Vault 7 documents, except that they follow the same tactics guidelines to avoid detection. "Given the similarities between the tools and the techniques, there can be no doubt that Longhorn's activities and the documents that leaked through Vault 7 are the work of the same team," the security company said.
Who's on Longhorn?
Longhorn is a group that has been active since at least 2011, using a series of trojan backdoors and zero-day vulnerabilities to obtain access to its goals. The group has managed to infiltrate government organizations and Companies with international activity. Its targets are companies and government organizations involved in finance, telecommunications, energy, aerospace, information technology, education, natural resources sectors, Symantec said, but did not specifically name them.
These targets were in 16 countries across the Middle East, Europe, Asia and Africa. Once, a computer was infected in the United States, but the malware was uninstalled within a few hours, indicating that the infection was probably inadvertently.
As soon as WikiLeaks began publishing the CIA files, Symantec found that some of these documents contained information closely related to the development of a Longhorn tool called Corentry trojan. Symantec has announced that the tool has new features it discovered when it was able to collect more samples.
Symantec says it has detected Longhorn since 2014 when it was pulled caution them using a zero-day exploit that they had embedded in a Word document. Other malware used by Longhorn are Corentry, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.
Prior to the WikiLeaks revelations, Symantec believed that the Longhorn Group was a well-funded group engaged in businesses information gathering. The timestamps for the team's work show that the hackers work from Monday to Friday, which made it pretty clear that the team was from some government agency.