The hacking group that Symantec calls Longhorn and the threat actor detailed in the Vault 7 document dump share common targets, malware development timelines, tech specs, and cryptographic protocols.
The hacking group that Symantec calls Longhorn and the threat actor detailed in the Vault 7 document dump share common targets, malware development timelines, tech specs, and cryptographic protocols.

The hacking tools and techniques leaked in the WikiLeaks Vault 7 dump closely match the m.o. of a threat group that has actively carried out cyberattacks across the globe in recent years, according to Symantec.

In a blog post on Monday, the security company detailed what it claims is the first public evidence linking the Vault 7 group to actual in-the-wild attacks. Although WikiLeaks has explicitly attributed the Vault 7 documents to the CIA, Symantec did not confirm this connection, instead referring to the group only by the nickname Longhorn.

Eric Chien, director of Symantec Security Response, told SC Media that because WikiLeaks is so far the only party to attribute the hacks in Vault 7 to the CIA, Symantec cannot establish that "last-mile link" between the CIA and Longhorn. However, the company can connect Longhorn's binaries and attack methods to the Vault 7 revelations with "very high confidence."

The link also strengthens Symantec's previous assertion that a sophisticated nation-state actor is likely the brains behind Longhorn. Consequently, said Chien, organizations that were previously warned of being targeted by Longhorn might feel compelled by this latest development to double back and perform a more diligent incident response and impact report.

According to Symantec, Longhorn has perpetrated attacks against at least 40 targets in 16 different countries, primarily in the Middle East, Europe, Asia and Africa. Based on Symantec's findings, the U.S. does not appear to have been intentionally targeted by the group – a possible indicator that the actor is U.S.-based.

Symantec noted that the Vault 7 actor and Longhorn share common targets, malware development timelines and technical specifications, cryptographic protocols and anti-detection tactics.

Specifically, the blog cites a malware program referred to in the Vault 7 archives as Fluxwire, whose log of software updates aligns with the development of a Longhorn tool that Symantec calls Corentry. "New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document," the blog post notes.

Such matching details would be very difficult to forge to create a false-flag scenario, Chien explained. "You cannot go back in time to release binaries that match document information," including malware development logs, from years before, he said.

Symantec also referenced a Vault 7 document detailing Fire and Forget, a "specification for user-mode injection of a payload by a tool called Archangel," noting that the specifics matched another Longhorn tool called Backdoor.Plexor. Indeed, a 2014 Longhorn campaign to infect a target with Plexor/Archangel via a zero-day exploit is what brought the threat group to Symantec's attention in the first place.

Additionally, Symantec reported that a third Vault 7 document prescribes "the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-bit key." Symantec observed all of these cryptographic practices in Longhorn campaigns.

Symantec noted that Longhorn's observed activities may date back as far as 2007.