Short Bytes: A team of Symantec researchers has been able to link around 40 cyber attacks, conducted by the Longhorn group, to the CIA hacking tools leaked as part of Vault 7. The researchers have found a striking resemblance between the tools and work practices described in Vault 7 and those used by Longhorn.

Within the last month, we have seen several instances of Wikileaks releasing the CIA's hacking toolset to the general public as part of its Vault 7 series. It's no wonder people might try to link these tools to the cyber attacks of recent times.
A team of researchers at Symantec analyzed these tools and was able to connect them with 40 cyber attacks, in around 16 countries, conducted by a cyber-espionage group known as Longhorn. The researchers observed a close resemblance between the tools used by Longhorn and the technical specifications laid out in the Vault 7 documents.
Active since 2011, Longhorn has been using trojans and 0-day bugs to target governments, international bodies, financial firms, telecoms, IT companies and other sectors.
In their blog post, the researchers said that the close similarities between the hacker group's tooling and the Vault 7 tools leave little doubt that "Longhorn's activities and the Vault 7 documents are the work of the same group."
The fishy smell
Part of the Vault 7 docs is a development timeline for a tool called Fluxwire, which the researchers conclude closely aligns with the development of Trojan.Corentry, a tool belonging to Longhorn.
"New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later," the researchers said. They suspect that the malware described in the leaked document is Corentry.
Another Vault 7 document details Fire and Forget, a specification for a user-mode payload-injection tool called Archangel. Symantec has matched the payload specs and interface to a Longhorn tool called Backdoor.Plexor.
Moreover, similarities have been observed between Longhorn's cryptographic practices and those sketched in the documents. These include the use of AES with a 32-bit key, a one-time key exchange per connection, and the use of inner cryptography within SSL to prevent MITM attacks.
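The layered-encryption practice described above (one key exchange per connection, with an AES layer riding inside SSL/TLS) is worth seeing concretely, because it explains why a TLS-terminating inspection proxy is of little use against such traffic: what comes out of the TLS layer is still ciphertext, so detection has to lean on endpoint telemetry and network metadata rather than payload inspection. The following Go program is an added illustration written for this article; it is not Longhorn's code, nor any tool from the Vault 7 documents. It assumes X25519 for the per-connection exchange and AES-256-GCM for the inner layer, neither of which the article specifies, and it reduces the shared secret to a key with a plain SHA-256 hash where a real design would use a proper KDF such as HKDF. One caveat on the article's wording: "32-bit" is not an AES key size (AES keys are 128, 192 or 256 bits); the example uses a 32-byte, i.e. 256-bit, key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is the "inner" encryption layer for one connection. It is an
// illustrative construction for this article, not code from any real implant.
type Session struct {
	key  [32]byte    // 256-bit AES key, derived once per connection
	aead cipher.AEAD // AES-256-GCM
}

// NewSession performs the one-time exchange for a connection: a single X25519
// agreement whose shared secret is reduced to a 32-byte AES key. SHA-256 of
// the secret stands in for a real KDF (HKDF with labels) to keep this short.
func NewSession(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Session, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	s := &Session{key: sha256.Sum256(shared)}
	block, err := aes.NewCipher(s.key[:])
	if err != nil {
		return nil, err
	}
	if s.aead, err = cipher.NewGCM(block); err != nil {
		return nil, err
	}
	return s, nil
}

// Seal returns nonce || ciphertext || tag. This is the opaque blob that would
// be carried inside the TLS record layer.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, s.aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// Open reverses Seal; it fails on a wrong key or any tampering.
func (s *Session) Open(wire []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(wire) < n+s.aead.Overhead() {
		return nil, errors.New("inner message too short")
	}
	return s.aead.Open(nil, wire[:n], wire[n:], nil)
}

// Connect simulates one connection: both endpoints generate ephemeral keys,
// exchange public keys, and derive the same session key.
func Connect() (client, server *Session, err error) {
	curve := ecdh.X25519()
	cPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if client, err = NewSession(cPriv, sPriv.PublicKey()); err != nil {
		return nil, nil, err
	}
	if server, err = NewSession(sPriv, cPriv.PublicKey()); err != nil {
		return nil, nil, err
	}
	return client, server, nil
}

// Demo runs two connections and checks three properties a defender should
// expect from this design: the intended peer reads the message, each
// connection gets a fresh key, and a party holding only the wire bytes plus a
// key of its own (a TLS-terminating proxy's position) cannot read it.
func Demo() (peerReads, freshKeys, opaqueToProxy bool, err error) {
	msg := []byte("constructed sample inner message") // constructed input
	c1, s1, err := Connect()
	if err != nil {
		return
	}
	c2, _, err := Connect()
	if err != nil {
		return
	}
	wire, err := c1.Seal(msg)
	if err != nil {
		return
	}
	got, err := s1.Open(wire)
	if err != nil {
		return
	}
	peerReads = bytes.Equal(got, msg)
	freshKeys = c1.key != c2.key
	_, openErr := c2.Open(wire) // c2 plays the proxy: it has the wrong key
	opaqueToProxy = openErr != nil
	return
}

func main() {
	peerReads, freshKeys, opaque, err := Demo()
	fmt.Println("peer reads:", peerReads, "fresh keys:", freshKeys, "opaque to proxy:", opaque, "err:", err)
}
```

The `opaqueToProxy` check is the point for network defenders: even with the outer TLS layer terminated and decrypted, the inner blob only yields to the session key negotiated between the two endpoints, so content-based signatures on the proxy see nothing useful and detection has to come from the host or from traffic patterns.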
Longhorn first came onto Symantec's radar in 2014, when the company spotted a 0-day exploit being used to infect a target with Plexor. The malware showed the signs of a sophisticated cyber-espionage group, and the way it was preconfigured indicated that the group had prior knowledge of the target environment. The group uses four different malware tools: Corentry, Plexor, Backdoor.Trojan.LH1 and Backdoor.Trojan.LH2.
Before the release of the Vault 7 documents, Symantec had already assessed Longhorn to be a well-resourced organization involved in intelligence-gathering operations. "Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide," the researchers said.
“Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7.”
Read Symantec's post for more details.
If you have something to add, drop your thoughts and feedback.