Symantec Connects 'Longhorn' Group To Vault 7 Tools

Symantec revealed connections between the Longhorn cyberespionage group and tools described in alleged CIA documents published by WikiLeaks. The so-called "Vault 7" trove describes the CIA's methods for infecting target computers with malware, snooping on end-to-end encrypted messages, and other hacking techniques used by the U.S. intelligence agency. Now, the files also suggest that Longhorn and the CIA are one and the same.

Symantec reached that conclusion by comparing information taken from the Vault 7 documents with everything it's learned about Longhorn. The group has been active since at least 2011, according to Symantec, which said that it's known to have targeted 40 devices across 16 countries. The company said only one device in the U.S. has been targeted--and an uninstaller launched "within hours," which suggests an accidental infection.

Longhorn is said to have targeted members of the "financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors" as well as governments and "internationally operating organizations" with a mix of zero-day vulnerabilities and back door Trojans. Those characteristics are common among nation-state actors that often use hacking in the name of national interests rather than for personal gain.

There were hints that Longhorn was based in North America before the Vault 7 leak. Symantec explained in its blog post:

Prior to the Vault 7 leak, Symantec’s assessment of Longhorn was that it was a well-resourced organization which was involved in intelligence gathering operations. This assessment was based on its global range of targets and access to a range of comprehensively developed malware and zero-day exploits. The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups.Symantec’s analysis uncovered a number of indicators that Longhorn was from an English-speaking, North American country. The acronym MTWRFSU (Monday Tuesday Wednesday ThuRsday Friday Saturday SUnday) was used to configure which day of the week malware would communicate with the attackers. This acronym is common in academic calendars in North America. Some of the code words found in the malware, such as SCOOBYSNACK, would be most familiar in North America. In addition to this, the compilation times of tools with reliable timestamps indicate a time zone in the Americas.

The company stated said that documents in the Vault 7 trove match what it knows about Longhorn. References to specific malware, similarities in how various tools work, and cryptographic protocols all point to a connection between the CIA and Longhorn. Symantec also noted that the intelligence agency and cyberespionage both use very similar "tradecraft practices" with their attacks. The evidence is more than circumstantial.

Vault 7 documents have offered a lot of insight into how antivirus products are circumvented or how remote car hacks might (but probably won't) be used to kill people, among other things, and how companies affected by the leaks respond to what they find. The files have also shown how the CIA repurposes public malware to suit its own needs, and now they strongly suggest that the agency is behind a high-profile hacking group.

Still, it's worth noting that Symantec didn't connect the dots between Longhorn and the CIA; rather, it found connections between the group and the Vault 7 documents. The company didn't outright blame the CIA--perhaps because it didn't want the kind of scrutiny that would result if it did--and of course there are multiple countries in North America. The general consensus, however, is that the Vault 7 documents were in fact taken from the CIA.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • memadmax
    Yeah.... sure...

    Now that the cards are flipped, ur telling me you "knew this all along" right? *wink* *wink*....

    Sounds like Symantec trying to cover their skin over this... And very poorly I might add...
  • JonDol
    "and an uninstaller launched 'within hours' which suggests an accidental infection"

    I'm having hard time believing that this kind of extremely targeted attacks have been accidental. I'd rather believe they already obtained what they were looking for.
  • McGyro
    Thank heavens for Wikileaks; sometimes they seem the only organisation interested in keeping the public informed about malfeasance.