Symantec says CIA tools found across 16 countries

After WikiLeaks dumped Vault 7, a collection of documents allegedly stolen from the CIA, Symantec experts started going through those files, which were mostly wiki pages and manuals for all sorts of hacking tools. Given the close similarities between the tools and techniques, Symantec says "there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group". The security firm found that new features in Trojan.Corentry mirrored ones described in the Fluxwire documentation, and noted that those features appeared in samples of the malware on or shortly after the date the same features were recorded in the Fluxwire changelog. The group has compromised 40 targets in at least 16 countries across the Middle East, Europe, Asia, Africa, and on one occasion in the USA, although that was probably a mistake.

The CIA Fire and Forget tool, used for the user-mode injection of a payload called Archangel, resembles the modus operandi of a trojan Symantec detects as Backdoor.Plexor. In particular, Symantec highlights a number of documents from the Vault 7 files that it ties to the group, which is said to have targeted the financial, telecoms, energy, aerospace, information technology, education, and natural resources industries.

The dates of these changes to Fluxwire correspond with developments in the Corentry Trojan tracked by Symantec. The files therefore also suggest that Longhorn and the Central Intelligence Agency are one and the same.

Another Vault 7 document prescribes the use of inner cryptography within communications already encrypted using the secure sockets layer protocol, performing key exchanges once per connection, and the use of the Advanced Encryption Standard with a 32-bit key.

"Longhorn's malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities", Symantec researchers wrote, "the malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals - all attempts to stay under the radar during intrusions".

Symantec reached that conclusion by comparing information taken from the Vault 7 documents with everything it's learned about Longhorn.

The malware had all the hallmarks of a sophisticated cyberespionage group.

Some evidence shows that Longhorn may date back as far as 2007, according to Symantec.

Longhorn also uses tricks to cover its tracks that are outlined in the documents.

Prior to the WikiLeaks disclosure, the firm assessed it was a "well-resourced organisation involved in intelligence gathering operations". Researchers based that assessment on Longhorn's global range of targets and its ability to use well-developed malware and zero-day exploits. While Symantec doesn't name names directly, it argues all of the organizations targeted would be of interest to a nation-state attacker.

The CIA has declined to say whether the documents dumped by WikiLeaks are authentic.