Hacking tools linked to the CIA in the recent WikiLeaks Vault 7 release were used to target at least 40 organizations in 16 countries, according to internet security firm Symantec.
The techniques detailed in Vault 7 were almost certainly developed and used by the same group, Symantec said Monday. The tech company has corroborated a number of the tool “development timelines” put forward by WikiLeaks.
While Symantec does not specifically mention the CIA – instead referring to the group responsible for the attacks as ‘Longhorn’ – the latest revelation gives further credence to WikiLeaks’ assertion that Vault 7 is part of the intelligence service’s “hacking tools”.
“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks,” a Symantec statement said.
“The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tacts to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.”
Longhorn has been active since at least 2011, according to Symantec, infiltrating targets in the financial, telecoms, aerospace and natural resources industries.
“All the the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally,” Symantec added.
WikiLeaks recently published a tranche of information purportedly comprising files from a CIA center in Langley, Virginia. The hacks detailed in the documents included using of malware and trojans designed by a CIA Engineering Development Group to be “unaccountable” and “untraceable”, Julian Assange said.
A WikiLeaks description of a “Fire and Forget” process for a tool called Archangel is “closely matched” with a Longhorn tool called “Backdoor.Plexor”, according to Symantec.
Meanwhile, WikiLeaks’ release of a development timeline for malware called Fluxwire closely aligns with a Longhorn tool tracked and labeled Corentry by Symantec. Evidence of Longhorn’s use of advance “zero day” techniques leaves “little doubt” about the group’s link to Vault 7, the internet firm adds.
The CIA has refused to comment on the authenticity of the WikiLeaks documents, which so far have been published in four batches online.
“The American public should be deeply troubled by any WikiLeaks disclosure designed to damage the Intelligence Community’s ability to protect America,” the CIA said in a statement last month.
“Such disclosures not only jeopardize US personnel and operations, but also equip our adversaries with tools to do us harm.”