Symantec attributes 40 cyber attacks to CIA-linked hacking tools

19 April, 2017, 02:54 | Author: Glen Fletcher
  • REUTERS  Thomas White  File

Past cyber attacks on scores of organizations around the world were conducted with top-secret hacking tools that were exposed recently by the Web publisher Wikileaks, the security researcher Symantec Corp SYMC.O said on Monday.

The group has infected targets throughout the Middle East, Europe, Asia, and Africa; and although researchers detail how the group once infected a machine in the U.S., but an uninstaller was launched within hours, potentially indicating "this victim was infected unintentionally".

The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.

In their blog post, the researchers said that the close similarities between the hacker group and the Vault 7 tools induce a situation of doubt that "Longhorn's activities and the Vault 7 documents are the work of the same group".

Longhorn targeted governments as well as financial, telecommunications, energy, aerospace, IT, education, and natural resources companies, using zero-days and Trojan Horse malware.

The highly sophisticated nature of the tools, the targets (government and global agencies, major industries such as utilities, finance and telecoms) and working patterns led Symantec to conclude Longhorn was a hacking collective from a North American, English speaking country.

"On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally", it writes. The security firm found new features in Trojan.Corentry mirrored ones described in the Fluxwire documentation and noted those features appeared in samples of the virus on or shortly after the date similar features were noted in the Fluxwire changelog. New features of Corentry appeared on the same dates listed in the Vault 7 documents, leading researchers to the conclusion the two forms of malware are one and the same.

But Longhorn didn't only have "all the hallmarks of a sophisticated cyber-espionage group".

WikiLeaks hasn't released much of the source code to the suspected Central Intelligence Agency hacking tools.

The CIA has not confirmed the WikiLeaks documents are genuine.

Prior to the Vault 7 leak, Symantec's assessment of Longhorn was that it was a well-resourced organization which was involved in intelligence gathering operations. When it sends stolen data back to its makers, it does so through private servers using a custom encryption protocol, and limits the amount of data it sends in each burst to avoid detection.

There is evidence of activity dating back as far as 2007, said Symantec, with Corentry, Plexor, Backdoor.Trojan.LH1 and Backdoor.Trojan.LH2 the four malware tools utilised within Longhorn's armoury.

"These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-byte key. Symantec has observed Longhorn tools following all of these practices".

Recommended:



Popular

Trump signs order on high-skilled worker visas
Immigration authorities already announced earlier in April measures to combat "fraud and abuse" in issuing the visas. And any changes to the work visa process in the U.S. is bad news for India's $150bn IT service industry.

Post office expects busy Tuesday with extended tax filing deadline
Planning to mail in your tax return? The IRS also levies interest on unpaid taxes , now at a rate of 4%, compounded daily. Emancipation Day in Washington is normally celebrated on April 16, but that day fell on a Sunday this year.

North Korea rolls out missiles, other weaponry at parade
The comments came as North Korea marked the 105th anniversary of the birth of its founding president, Kim Il-sung. Experts and government officials believe it is working to develop nuclear-warhead missiles that can reach the US.