Symantec Corporation, a cybersecurity business, said Monday that spying tools and operational protocols detailed in the recent “Vault 7” leak, published by WikiLeaks, have been used in cyberattacks against 40 targets in at least 16 countries.
Although Symantec, headquartered in Mountain View, California, on the U.S. West Coast, did not name the origin of the Vault 7 documents in its Security Response posting, WikiLeaks attributed them to the U.S. Central Intelligence Agency (CIA) when it began releasing the new series of confidential documents on March 7.
Code-named Vault 7 by WikiLeaks, the 8,761 documents and files were said to come from an isolated, high-security network inside the CIA's Center for Cyber Intelligence.
For its part, Symantec named the group using the Vault 7 tools “Longhorn” and noted that the tools used by Longhorn closely follow the development timelines and technical specifications laid out in the documents disclosed by WikiLeaks, adding that “the Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group.”
Active since at least 2011, Longhorn has used a range of back-door Trojans together with zero-day vulnerabilities to compromise its targets, infiltrating governments and internationally operating organizations as well as targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors, according to Symantec. All of the organizations targeted would be of interest to a nation-state attacker.
“Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa,” Symantec said in a posting on its website. “On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.”
In addition, before deploying malware to a target, the Longhorn group has been found to preconfigure it with what appear to be target-specific code words and distinct domains and Internet Protocol (IP) addresses for communications back to the attackers. A practical consequence of this per-target configuration is that network indicators recovered from one victim are unlikely to match those used against another, so detection has to rely on the behaviour of the tools themselves rather than on shared domains or addresses.