Symantec: Cyber Espionage Group Used Tools Described in CIA 'Vault 7' Leak


Past cyber attacks on scores of organizations around the world were conducted with top-secret hacking tools that were exposed recently by the Web publisher Wikileaks, the security researcher Symantec Corp (SYMC.O) said on Monday.

Editor's Remarks: Although Symantec stopped short of explicitly naming the CIA, its claim that the swathe of attacks spanning some 16 countries was carried out using previously top-secret hacking tools recently revealed by Wikileaks more or less indicates they were conducted by the United States intelligence service.

According to Symantec, the Longhorn group has used some of the same cryptographic protocols identified in the Vault 7 documents.

A number of similar instances, where a direct correlation between Longhorn's behavior and Central Intelligence Agency documentation can be found, led Symantec to conclude "there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group".

Longhorn targeted governments as well as financial, telecommunications, energy, aerospace, IT, education, and natural resources companies, using zero-days and Trojan Horse malware.

All would be of interest to a nation-state attacker, it said.

Symantec says that a hacking group it dubbed "Longhorn" has been using those same tools to hack at least 40 targets in 16 different countries, going back to at least 2011.

Symantec added it has been aware of the Longhorn group since 2014 and that its malware is built for "espionage-type operations".

U.S. government officials have not confirmed or denied that the Vault 7 documents are authentic.

The highly sophisticated nature of the tools, the targets (government and worldwide agencies, major industries such as utilities, finance and telecoms) and the working patterns led Symantec to conclude Longhorn was a hacking collective from a North American, English-speaking country. That assessment was based in part on Longhorn using a zero-day software exploit, which Symantec found embedded within a Microsoft Word document.

"The malware had all the hallmarks of a sophisticated cyberespionage group", Symantec writes.

"One document is a development timeline for a piece of malware called Fluxwire, containing a changelog of dates for when new features were incorporated", Symantec says in a blog post.

From the start, Symantec suspected Longhorn was an outlier, saying it appeared to be different from other potential cybercrime groups.

The CIA Fire and Forget tool, used for the user-mode injection of a payload called Archangel, resembles the modus operandi of a trojan Symantec detected as Backdoor.Plexor. Symantec also noted that the intelligence agency and the cyberespionage group both use very similar "tradecraft practices" in their attacks.

Symantec said that companies, universities and government departments were all subject to attacks, which used tools including malware that could turn Samsung televisions into spying devices.