Symantec has recently tied the CIA hacking tools leaked by WikiLeaks last month to a cyber espionage group responsible for at least 40 hacks in 16 countries.
A blog post published by the company recently mentioned that the group called Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide.
It also mentioned that the tools, techniques, and procedures used by the group are distinctive and unique, leaving little doubt about its connection to Vault 7.
Symantec highlights that it has been watching the group, which it calls Longhorn, since 2014. The group has been active since at least 2011, with evidence of activity dating back to 2007.
Dick O’Brien, Senior Information Developer, Symantec Security Response, says, “We have been tracking the group for quite some time, and in that period we have discovered a number of malware tools that this group has used. But our investigations took a turn with the Vault 7 release by WikiLeaks. We then looked into these documents and discovered that they contained incidents that closely describe the malware tools that we have seen Longhorn use.”
The firm notes that Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa.
O’Brien describes the Longhorn malware attacks as very similar to those of a sophisticated cyber espionage group. He explains that the methodology and approach used by the attackers showed that they had extensive knowledge of their target environments prior to launching an attack.
Longhorn’s malware has an extensive list of commands for remote control of the infected computer, according to Symantec. Most of the malware can also be customised with additional plugins and modules, some of which have been observed by the cybersecurity firm.
The attacks have targeted a number of organisations in sectors such as energy, finance, telecoms, aerospace, education, information technology, and natural resources.
As for the objectives behind Longhorn’s activities, O’Brien says that Symantec’s investigations found no evidence of any financial motivation. “Based on their targets and the nature of their attacks we found that their malware is specifically built for espionage-type operations.”
The malware has detailed system fingerprinting, discovery, and exfiltration capabilities. It uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomisation of communication intervals—all attempts to stay under the radar during intrusions.
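The operational-security behaviour described above (communicating only at select times, randomising the interval between connections, and capping how much is uploaded per session) is aimed at defeating simple periodicity rules, but bounded jitter still leaves a statistical trace: over enough connections, the gaps between a beacon's outbound requests cluster far more tightly around their mean than human browsing does. The following is an added example written for this article, not Symantec's code and not derived from any Longhorn sample; the log format, hostnames, timestamps and thresholds are constructed assumptions for the demonstration. It parses outbound connection records, groups them by source and destination, and flags pairs whose inter-connection gaps have a low coefficient of variation, alongside their total upload volume.

```python
"""Added example: spotting jittered beaconing in outbound connection logs.

Log format, hostnames and thresholds are assumptions made for this demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real telemetry):
#   <ISO-8601 timestamp> <source host> <destination> <bytes sent>
# ws-17 connects roughly every 300 s with about +/-15 % jitter and small,
# even uploads; ws-22 browses irregularly; ws-31 has too few connections
# to judge and is skipped by the minimum-connections threshold.
SAMPLE_LOG = """\
2017-04-10T08:00:00Z ws-17 updates.example.net 1480
2017-04-10T08:04:41Z ws-17 updates.example.net 1520
2017-04-10T08:10:11Z ws-17 updates.example.net 1390
2017-04-10T08:15:06Z ws-17 updates.example.net 1505
2017-04-10T08:20:18Z ws-17 updates.example.net 1470
2017-04-10T08:24:48Z ws-17 updates.example.net 1510
2017-04-10T08:30:28Z ws-17 updates.example.net 1445
2017-04-10T08:35:28Z ws-17 updates.example.net 1490
2017-04-10T08:00:05Z ws-22 news.example.org 820
2017-04-10T08:00:09Z ws-22 news.example.org 41200
2017-04-10T08:00:12Z ws-22 news.example.org 640
2017-04-10T08:01:30Z ws-22 news.example.org 900
2017-04-10T08:15:02Z ws-22 news.example.org 760
2017-04-10T08:15:07Z ws-22 news.example.org 33000
2017-04-10T08:42:00Z ws-22 news.example.org 810
2017-04-10T09:30:15Z ws-22 news.example.org 700
2017-04-10T08:03:00Z ws-31 mail.example.com 2200
2017-04-10T08:33:00Z ws-31 mail.example.com 2100
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records.append(
            (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(size))
        )
    return records


def beacon_candidates(records, min_connections=6, max_cv=0.25):
    """Return {(src, dst): stats} for pairs whose connection gaps look like a
    jittered beacon: enough connections to judge, and a coefficient of
    variation (stdev / mean) on the gaps at or below max_cv.

    A fixed timer gives CV 0, bounded jitter gives a small CV, and human
    browsing typically gives CVs well above 1."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    flagged = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {
                "connections": len(events),
                "mean_interval": avg,
                "cv": cv,
                # Total upload volume: a beacon that caps exfiltration per
                # session shows up as a steady trickle rather than bursts.
                "bytes_out": sum(size for _, size in events),
            }
    return flagged


if __name__ == "__main__":
    for pair, stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(pair, stats)
```

On the constructed data, only the ws-17 pair is flagged (mean gap about 304 s, CV about 0.08); the browsing host's gaps vary far too much, and ws-31 never reaches the minimum connection count. In practice the thresholds need tuning against a baseline of legitimate periodic traffic (update checks, mail polling, monitoring agents), and the upload-volume field is what lets an analyst separate a capped exfiltration trickle from an idle keep-alive.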
Symantec has seen Longhorn use four different malware tools against its targets: Corentry, Plexor, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.
O’Brien advises Middle East companies, in both the private and public sectors, to be vigilant against potential attacks from groups like Longhorn. “Cyber espionage doesn’t only target government agencies; it can also affect private organisations, especially if they are operating in a strategically sensitive area.”
Symantec’s analysis uncovered a number of indicators that Longhorn was from an English-speaking, North American country.