Symantec links CIA tools to mysterious group that hacked 40 organizations globally

Malware linked to the CIA, according to documents published by WikiLeaks, was used to hack into government, financial, telecom, energy, aerospace, education and natural resources organizations based in the Middle East, Europe, Asia and Africa, according to newly published research by Symantec.

A blog post published Monday by the cybersecurity giant reads: “spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn.”

On March 23, WikiLeaks began publishing individual packages of supposed CIA documents on nearly a weekly basis as part of a disclosure project it titled Vault 7. The controversial transparency organization redacted a majority of the executable code apparently evident in the original documents to stop readers from copying the digital weapons, according to WikiLeaks editor-in-chief Julian Assange.

WikiLeaks’ documents provide descriptions about specific hacking tools allegedly used by the spy agency, including information about when certain exploits were updated, revised and who they were aimed at. Some of these tools date back to the early 2000s.

Symantec researchers immediately began reviewing the first batch of CIA documents, dubbed “Dark Matter,” as soon as they were published, according to Eric Chien, technical director of Symantec’s Security Technology and Response division.

Chien’s team studied the material to see if it could provide insight into potential weaknesses that could exist in company products — a concern that was eventually dispelled — and to see if clients were targeted. Researchers noticed last week that some of the cryptographic protocols mentioned in Vault 7’s “Dark Matter” were identical to those used by the Longhorn group in previous incidents.

Longhorn is a mysterious hacking group categorized as an advanced persistent threat, or APT, and it has been active since at least 2011. In 2014, Symantec caught the group using a Microsoft Word zero-day exploit against a European company. The fact that the group is capable of using zero-day vulnerabilities helps to illustrate how sophisticated and well-resourced they are, Chien explained.

Even prior to Vault 7, Symantec believed Longhorn was likely backed by a government entity with significant financial resources. Computer code used to construct many of the group’s tools show that the developers were proficient in the English language and typically worked Mondays through Fridays.

“Longhorn’s malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities,” Symantec researchers wrote, “the malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals — all attempts to stay under the radar during intrusions.”

Four separate malware variants used by Longhorn are referenced in the CIA documents, Chien said. Because the executable code was apparently scrubbed from the documents, researchers found attributable information in a series of referenced program notes, updates, code revisions, interface details and other indicators — which directly correlated to Longhorn’s past activities.

Three of the four malware variants linked to Longhorn, and consequently the CIA — each of which allows an attacker to remotely control a computer — were observed by Symantec in use against its clients as recently as 2015, Chien told CyberScoop.

“Based on what we see and have seen, it seems [Longhorn’s] motivation is espionage and U.S. national security,” said Chien, “with that said, we have limited visibility … we don’t have customers in Iran or Syria, for example, where they may be more active, today.”

Symantec was able to track a limited amount of Longhorn’s past activity by monitoring customer networks and systems. It has been unable to follow the group’s movements since 2015. Now researchers are poring through the data to see if the latest Vault 7 revelations can help connect Longhorn to other known U.S.-linked digital espionage campaigns.