Vault 7: Symantec says CIA hacking tools revealed by WikiLeaks were used in 40 'Longhorn' cyberattacks
The CIA's range of hacking tools revealed as part of WikiLeaks' Vault 7 series of leaks has been used to conduct 40 cyberattacks in 16 countries, says Symantec. The security firm alleges that a group known as Longhorn has been using tools that appear to be the very same ones used by the CIA.
While it would be obvious to jump to the conclusion that the CIA was itself responsible for the attacks -- and that Longhorn is just a branch of the CIA -- Symantec opts for a rather more conservative evaluation of things: "there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group."
In a post on the Symantec Security Response blog, the company provides what it says is the first evidence that the Vault 7 tools have actually been used in cyberattacks or cyberespionage. Symantec has been tracking the Longhorn group's activities for the last three years.
The post says:
The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group.
Symantec says that Longhorn has been active since 2011, and is responsible for a number of cyberattacks in the Middle East, Europe, Asia and Africa -- and even one (possibly accidental) attack in the US. The attacks have all the hallmarks of a state-sponsored attacker, as the targets are governments, financial institutions, energy companies and telecoms.
So how has the security company linked Longhorn to Vault 7 and the CIA?
A number of documents disclosed by WikiLeaks outline specifications and requirements for malware tools. One document is a development timeline for a piece of malware called Fluxwire, containing a changelog of dates for when new features were incorporated. These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.
Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file. The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0.
Up until 2014, versions of Corentry were compiled using GCC. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015 had used MSVC as a compiler.
Analysis of the Longhorn code strongly suggests that the group is based in North America, and the timestamps, which adhere to regular office hours, suggest state involvement. Symantec says that it has been interested in the activities of Longhorn with a view to protecting its customers from the malware put out by the group:
Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide. Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7.
Throughout its investigation of Longhorn, Symantec's priority has been protection of its customers. Through identifying different strains of Longhorn malware, connecting them to a single actor, and learning more about the group's tactics and procedures, Symantec has been able to better defend customer organizations against this and similar threats. In publishing this new information, Symantec’s goal remains unchanged: to reassure customers that it is aware of this threat and actively working to protect them from it.
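The two timing checks the article describes, aligning sample compile dates with a leaked changelog and testing whether compile times cluster in office hours under some UTC offset, as an added example that is not Symantec's code. Apart from the 3.3.0 / February 25, 2015 / MSVC entry taken from the article, every changelog entry and sample below is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed changelog in the shape the article describes: (version, date, note).
# Only the 3.3.0 / 2015-02-25 / MSVC entry comes from the article; the rest is made up.
CHANGELOG = [
    ("3.2.0", "2014-11-03", "new transport module"),
    ("3.3.0", "2015-02-25", "build with MSVC instead of GCC"),
    ("3.5.0", "2015-05-12", "strip full PDB path from binary"),
]

# Constructed sample metadata: (label, UTC compile time, compiler, PDB path or None).
SAMPLES = [
    ("sample-a", "2014-11-05T14:05:00", "gcc", "c:\\build\\agent.pdb"),
    ("sample-b", "2015-02-25T18:42:00", "msvc", "c:\\build\\agent.pdb"),
    ("sample-c", "2015-05-14T21:50:00", "msvc", None),
    ("sample-d", "2015-06-20T03:30:00", "msvc", None),   # Saturday, off hours
]

def _utc(ts):
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def changelog_matches(samples=SAMPLES, changelog=CHANGELOG, window_days=7):
    """Map each sample to the changelog version it was compiled shortly after
    (same day up to `window_days` later), the alignment the article describes."""
    matches = {}
    for label, ts, _, _ in samples:
        for version, date, _ in changelog:
            delta = _utc(ts) - _utc(date)
            if timedelta(0) <= delta <= timedelta(days=window_days):
                matches[label] = version
    return matches

def office_hours_fit(samples=SAMPLES, offset_hours=0, start=9, end=17):
    """Fraction of samples compiled Mon-Fri within [start, end) local hours
    when the UTC compile times are shifted by `offset_hours`."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for _, ts, _, _ in samples:
        local = _utc(ts).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(samples)

def best_offsets(samples=SAMPLES):
    """Whole-hour UTC offsets under which the most samples fall in office hours."""
    fits = {off: office_hours_fit(samples, off) for off in range(-12, 13)}
    top = max(fits.values())
    return sorted(off for off, f in fits.items() if f == top)
```

With four samples the office-hours fit is only suggestive; the technique needs many samples before a single offset (here UTC-5, consistent with the eastern US) stands out clearly.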