Separately, a group calling itself the Shadow Brokers on Saturday released another batch of pilfered National Security Agency hacking tools, along with a blog post criticizing President Donald Trump for attacking Syria and moving away from his conservative political base.
Symantec's efforts mark the first real-world example of the Vault 7 tools being used. The hacks detailed in the documents included the use of malware and trojans designed by a CIA Engineering Development Group to be "unaccountable" and "untraceable", Julian Assange said.
Longhorn is a mysterious hacking group categorized as an advanced persistent threat, or APT, and it has been active since at least 2011. In particular, Symantec highlights a number of documents from the Vault 7 files that it ties to the group, which is said to have targeted the financial, telecoms, energy, aerospace, information technology, education, and natural resources industries.
Intriguingly, O'Brien said one Central Intelligence Agency tool was discovered breaking into a US computer - only to uninstall itself almost immediately afterward. The security firm found that new features in Trojan.Corentry mirrored ones described in the Fluxwire documentation, and noted that those features appeared in samples of the virus on or shortly after the date similar features were noted in the Fluxwire changelog.
After WikiLeaks dumped Vault 7, a collection of documents allegedly stolen from the CIA, Symantec experts started going through those files, which were mostly wiki pages and manuals for all sorts of hacking tools. The group also uses the codeword SCOOBYSNACK in its malware documents, which Symantec says hints that it comes from an English-speaking region.
While there has been deafening silence from Washington about whether the WikiLeaks documents are accurate, which many are interpreting as an implicit statement that they are accurate, we may never know for sure. "The tools and activity we had been tracking from Longhorn closely match some of the information disclosed in Vault 7", said Doherty. It claims the malware is not overt in communicating with its creators and will try to remain hidden for as long as possible. Now researchers are poring through the data to see if the latest Vault 7 revelations can help connect Longhorn to other, known USA-linked digital espionage campaigns. These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-bit key. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.
"While other malware families are known to use some of these practices, the fact that so many of them are followed by Longhorn makes it noteworthy", the firm continued.
But Longhorn didn't only have "all the hallmarks of a sophisticated cyber-espionage group". Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7.