In-brief: We don’t know for certain that the Vault 7 tools belonged to the CIA. We do know that they were used by a group Symantec dubbed Longhorn that possessed powerful zero-day exploits, almost never attacked computers in the U.S., and used code words taken from lyrics by the ’80s band The Police, so…
In the month since the leak-site Wikileaks published information on a trove of offensive hacking tools allegedly lifted from the U.S. Central Intelligence Agency (CIA), one of the nagging questions has been how and where those tools may have been used, and by whom. Were these really CIA hacking tools – as alleged – or merely cyber criminal toolkits that may or may not have been used by intelligence agencies in the U.S. and other countries?
Symantec went some of the way towards answering that question on Monday, publishing an analysis that it says links the Vault 7 tools to a cyber espionage outfit it has been tracking for more than five years, known as “Longhorn.” Since 2011, that group has “infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors.” As to whether a state actor (like the CIA) was behind the incidents, Symantec doesn’t say. What it does say is that all of the organizations targeted “would be of interest to a nation-state attacker.” More tellingly: of 40 targets in 16 countries, a U.S.-based system was compromised on only one occasion.
From the article:
Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.
Symantec connected the dots between Longhorn and the Vault 7 tools by analyzing the Wikileaks documents. One document in the leaked trove laid out a development timeline for a piece of malware called Fluxwire, including a change log with the dates on which new features were incorporated. That change log gave Symantec a vital clue: the dates could be lined up against a tool it had identified years earlier, a Trojan horse program it calls Corentry, which it had already linked to the Longhorn group. “New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document,” Symantec’s Security Response team wrote in the blog post.
Additionally, early versions of Corentry seen by Symantec contained a reference to the file path of the Fluxwire program database (PDB) file, the debug symbol file a compiler embeds a path to in the binary it produces. The Vault 7 document lists removal of the full PDB path as one of the changes implemented in version 3.5.0. Other similarities include a switch in 2014 to a different compiler for building the malware, a change Symantec also observed in Corentry samples.
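Mechanically, the alignment Symantec describes is a join of change-log dates against the first-seen dates of samples carrying each feature, with the PDB path as one feature that can be read straight out of the binary. The script below is an added example, not code from the article or from Symantec; every change-log entry, sample name, date and PDB path in it is constructed for illustration. The only detail taken from the article is that one entry (version 3.5.0) drops the full PDB path, and even that entry’s date is invented. The RSDS record layout is the standard CodeView debug record; treating “full path” as “contains a directory separator” is an assumption made here.

```python
"""Correlating a leaked change log with observed samples.

Added example, not code from the article or from Symantec. Every
change-log entry, sample name, date and PDB path below is constructed;
only the idea of a 3.5.0 entry that drops the full PDB path comes from
the article, and its date here is invented.
"""
import struct
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


# ---- 1. PDB path recovery from a CodeView RSDS debug record ----------------
# Layout of the record a PE's debug directory points at:
#   b"RSDS" | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated path
def extract_pdb_paths(blob: bytes) -> List[str]:
    """Return every PDB path found in RSDS records inside `blob`."""
    paths = []
    pos = 0
    while True:
        pos = blob.find(b"RSDS", pos)
        if pos < 0:
            return paths
        start = pos + 4 + 16 + 4          # skip signature, GUID, age
        end = blob.find(b"\x00", start)
        if end < 0:
            return paths                  # truncated record: stop scanning
        paths.append(blob[start:end].decode("latin-1"))
        pos = end


def make_rsds(path: str, age: int = 1) -> bytes:
    """Build a minimal RSDS record (constructed test data, zero GUID)."""
    return (b"\x00" * 8 + b"RSDS" + bytes(16) + struct.pack("<I", age)
            + path.encode() + b"\x00")


def has_full_pdb_path(blob: bytes) -> bool:
    """Assumption used here: a 'full path' is one containing a directory separator."""
    return any("\\" in p or "/" in p for p in extract_pdb_paths(blob))


# ---- 2. Timeline correlation ----------------------------------------------
@dataclass(frozen=True)
class ChangeEntry:
    version: str
    released: date
    feature: str


@dataclass(frozen=True)
class Sample:
    name: str
    first_seen: date
    features: frozenset          # features assigned by an analyst
    debug_blob: bytes            # bytes around the sample's debug directory


def observed_features(sample: Sample) -> frozenset:
    """Analyst-assigned features plus ones derived from the binary itself."""
    feats = set(sample.features)
    if not has_full_pdb_path(sample.debug_blob):
        feats.add("strip-pdb-path")
    return frozenset(feats)


Match = Optional[Tuple[str, int, bool]]   # (earliest sample, lag in days, within window)


def correlate(changelog: List[ChangeEntry], samples: List[Sample],
              max_lag_days: int = 7) -> Dict[str, Match]:
    """For each change-log feature, find the earliest sample carrying it and
    report the lag in days after the change-log date. A feature never seen in
    any sample maps to None."""
    results: Dict[str, Match] = {}
    for entry in changelog:
        carriers = [s for s in samples if entry.feature in observed_features(s)]
        if not carriers:
            results[entry.feature] = None
            continue
        earliest = min(carriers, key=lambda s: s.first_seen)
        lag = (earliest.first_seen - entry.released).days
        results[entry.feature] = (earliest.name, lag, 0 <= lag <= max_lag_days)
    return results


def alignment_score(results: Dict[str, Match]) -> float:
    """Fraction of change-log entries whose first sighting fell inside the window."""
    hits = sum(1 for m in results.values() if m is not None and m[2])
    return hits / len(results) if results else 0.0


# Constructed data: versions, dates, names and paths are all made up.
CHANGELOG = [
    ChangeEntry("3.4.0", date(2014, 3, 10), "config-encryption"),
    ChangeEntry("3.5.0", date(2014, 5, 2), "strip-pdb-path"),   # the article's PDB change
    ChangeEntry("3.6.0", date(2014, 8, 20), "new-compiler"),
    ChangeEntry("3.7.0", date(2014, 11, 1), "dns-tunnel"),       # never seen in any sample here
]
SAMPLES = [
    Sample("sample-D", date(2014, 1, 3), frozenset(), make_rsds("C:\\dev\\agent\\Debug\\agent.pdb")),
    Sample("sample-A", date(2014, 3, 12), frozenset({"config-encryption"}), make_rsds("C:\\dev\\agent\\Release\\agent.pdb")),
    Sample("sample-B", date(2014, 5, 5), frozenset({"config-encryption"}), make_rsds("agent.pdb")),
    Sample("sample-C", date(2014, 8, 21), frozenset({"config-encryption", "new-compiler"}), b"\x00" * 32),
]

if __name__ == "__main__":
    res = correlate(CHANGELOG, SAMPLES)
    for feature, match in res.items():
        print(f"{feature:18} -> {match}")
    print(f"alignment score: {alignment_score(res):.2f}")
```

The lag window matters: a feature that shows up in a sample before its change-log date, or months after, is evidence against the mapping rather than for it, which is why `correlate` records the signed lag rather than only a hit. On real samples the `debug_blob` would come from the bytes the PE debug directory points at, and first-seen dates from the sample feed rather than compile timestamps, which are trivially forged.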
Another Vault 7 document details Fire and Forget, a specification for user-mode injection of a payload by a tool called Archangel. Symantec said the payload specification and the interface used to load it closely matched another Longhorn tool, Backdoor.Plexor. Beyond the tooling, Symantec said the Longhorn group adhered strictly to many of the processes and procedures outlined in the Vault 7 documents.
According to Symantec, the Longhorn group has been active since at least 2011 and may have been active as far back as 2007. The company’s researchers first noticed the group in 2014, when it used a zero-day exploit (CVE-2014-4148) embedded in a Word document to infect a target with Plexor, one of the malware families Symantec attributes to the group. It was the way Longhorn used the exploit that stood out. From Symantec’s post:
The malware had all the hallmarks of a sophisticated cyber espionage group. Aside from access to zero-day exploits, the group had preconfigured Plexor with elements that indicated prior knowledge of the target environment. To date, Symantec has found evidence of Longhorn activities against 40 targets spread across 16 different countries. Symantec has seen Longhorn use four different malware tools against its targets: Corentry, Plexor, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.
Before deploying malware to a target, the Longhorn group preconfigures it with what appear to be target-specific code words, along with distinct C&C domains and IP addresses for communications back to the attackers. The tools carry unique identifiers for both campaigns and victims; Symantec has observed more than 40 of them. The code words often “follow the theme of movies, characters, food, or music.” One example was a nod to the band The Police: the code words REDLIGHT and ROXANNE, Symantec wrote.
Read more on Symantec’s blog: “Longhorn: Tools used by cyberespionage group linked to Vault 7” (Symantec Connect Community).