Symantec unveils the CIA Longhorn hacking team

Symantec said that it has managed to connect at least 40 attacks in 16 countries to tools first announced by WikiLeaks through Vault 7, the release that revealed the CIA's espionage tactics.

In a lengthy report, Symantec describes a highly organized group called Longhorn, which the security firm says carried out these attacks. The company emphasizes that Longhorn is made up of CIA agents, and presents ample evidence.

“The tools used by Longhorn follow exactly the development schedule and technical specifications set out in the documents released by WikiLeaks. The Longhorn team shares the same encryption protocols specified in the Vault 7 documents, besides following the same tactical guidelines to avoid detection. Considering the similarities between the tools and techniques, there can be no doubt that Longhorn's activities and the documents released through Vault 7 are the work of the same team,” the security company says.

Who is Longhorn?

Longhorn is a group that has been active since at least 2011, using a number of backdoor Trojans and zero-day vulnerabilities to gain access to its targets. The group has managed to infiltrate government organizations and companies with international activity. Its targets are companies and government organizations in the finance, telecommunications, aerospace, information technology, education and natural resources sectors, Symantec says, but it does not name them specifically.

These targets were in 16 countries across the Middle East, Europe, Asia and Africa. In one case a computer in the United States was infected, but the malware was uninstalled within a few hours, indicating that the infection was probably inadvertent.

As soon as WikiLeaks began publishing the CIA files, Symantec found that some of the documents contained information closely related to the development of a Longhorn tool, the Corentry Trojan. Symantec says it discovered new features in the tool as it was able to collect more samples.

Symantec reports that it has detected Longhorn since 2014, when the group drew its attention by using a zero-day exploit embedded in a Word document. Other malware used by Longhorn includes Corentry, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.

Prior to the WikiLeaks revelations, Symantec believed that Longhorn was a very well-funded team engaged in information-gathering operations. Timestamps on the team's work show that its operators work from Monday to Friday, making it quite clear that the group was a state agency.

iGuRu.gr, The Best Technology Site in Greece


Written by giorgos
