Longhorn Cyber-Espionage Group Is Actually the Central Intelligence Agency


Symantec says tools described in Vault 7 documents leaked by WikiLeaks have been used against 40 targets in 16 countries in cyberattacks by an organisation previously known as "Longhorn". The group has compromised 40 targets in at least 16 countries across the Middle East, Europe, Asia, Africa, and on one occasion, in the United States, although that was probably a mistake.

Tom Kellermann, CEO of Strategic Cyber Ventures, was not happy with Symantec's linking of Longhorn to the CIA's Vault 7 hacking tools. Longhorn also uses some of the same "cryptographic protocols" described in the Vault 7 documents and followed similar guidelines to avoid detection.

Longhorn has hacked into governments and worldwide organisations, alongside a number of targets in the financial, telecommunications, energy, aerospace, information technology (IT), education, and natural resources sectors, the U.S. cybersecurity firm said in a blog post on 10 April (Monday).

Symantec claims that one computer in the U.S. was found to be "compromised" by the hacking toolkit, after which it was uninstalled within hours, thus indicating an accidental infection.

Symantec researchers call the hacking group Longhorn and said the group has been active since at least 2011 and "has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets".

Another CIA file described a malware payload specification that matched another Longhorn-deployed Trojan, which can open a backdoor on a Windows PC. "The tools and activity we had been tracking from Longhorn closely match some of the information disclosed in Vault 7", said Doherty.

After WikiLeaks dumped Vault 7, a collection of documents allegedly stolen from the CIA, Symantec experts started going through those files, which were mostly wiki pages and manuals for all sorts of hacking tools.

A part of the Vault 7 docs is the development timeline for a tool called Fluxwire which the researchers conclude closely aligns with the development of Trojan.Corentry, a tool belonging to Longhorn. When WikiLeaks began releasing them in early March, it gave an unusually explicit account of how the tools had been taken from the CIA's Center for Cyber Intelligence.

Three of the four malware variants linked to Longhorn, and consequently to the Central Intelligence Agency - each of which allows an attacker to remotely control a computer - were found by Symantec in use against its clients as recently as 2015, Chein told CyberScoop.

Longhorn first came onto Symantec's radar in 2014, when its researchers spotted a zero-day exploit being used to infect a target with Plexor. Another contained the code word "SCOOBYSNACK", which "would be most familiar in North America", according to the blog post.

Symantec said that companies, universities and government departments were all subject to attacks, which used tools including malware that could turn Samsung televisions into spying devices.
