Symantec confirms that Longhorn group is tied to CIA operators detailed in Vault 7

Pierluigi Paganini April 11, 2017

Symantec reportedly linked the CIA hacking tools to several cyber attacks powered over the years by the Longhorn group.

Security experts analyzed the alleged CIA hacking tools included in the Vault 7 dump that have been used against at least 40 governments and private organizations across 16 countries.
Researchers at company firm Symantec reportedly linked the CIA hacking tools to a number of cyber attacks launched in recent years by a threat actor the company identified as the Longhorn group.

“Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more about its tools, tactics, and procedures.” reads the analysis published by Symantec.

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.”

Symantec believes Longhorn is a North American hacking group that has been active since at least 2011. The group is very sophisticated and used zero-day exploits and complex malware to conduct targeted attacks against governments and organizations in almost every industry, including financial, energy, telecommunications and education, aerospace.

The Longhorn group is a well-resourced hacking team that operated on a standard Monday to Friday working week in an American time zone. The nature of the targets and their Techniques, Tactics, and Procedures (TTPs) suggests the Longhorn group is a state-sponsored crew.

The targets were all in located in the Middle East, Europe, Asia, and Africa. In one case, the researchers observed the Longhorn group compromising a computer in the US, following infection, an uninstaller was quickly executed, which demonstrates that this victim was infected unintentionally.

“The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection.” continues Symantec. “Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.” continues Symantec.

Digging the precious Vault 7 archive the experts discovered the Fluxwire cyber espionage malware. The documents related to this malware include a changelog of dates for when new features were added to the malicious code, the features, the timeline are coherent with the development cycle of the Corentry malware created by Longhorn APT.

“These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.” reads Symantec.

“Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file. The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0.”

Longhorn group

“Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler.”

A second document in the Vault 7 archive details Fire and Forget, a specification for user-mode injection of a payload by a tool called Archangel.

The specification of the malicious code and the interface used to load it matches the Longhorn tool called Backdoor.Plexor.

The experts discovered many other similarities, another leaked CIA document outlined cryptographic protocols that should be implemented in the malware development.

“A third document outlines cryptographic protocols that malware tools should follow. These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-bit key. These requirements align with the cryptographic practices observed by Symantec in all of the Longhorn tools.” continues Symantec.

another Vault 7 document recommends using in-memory string de-obfuscation and Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.

All the above techniques and protocols were implemented in all the hacking tools of the Longhorn group.

Researchers from Symantec discovered a number of indicators that confirm Longhorn was from an English-speaking, North American country.

“The acronym MTWRFSU (Monday Tuesday Wednesday ThuRsday Friday Saturday SUnday) was used to configure which day of the week malware would communicate with the attackers. This acronym is common in academic calendars in North America.” reads Symantec.”Some of the code words found in the malware, such as SCOOBYSNACK, would be most familiar in North America. In addition to this, the compilation times of tools with reliable timestamps indicate a time zone in the Americas.”

Summarizing, there is no doubt Longhorn group has the same abilities and hacking tools of the CIA operators documented in the Vault 7 documents.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Longhorn group, CIA Vault 7)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment