Many of the tools revealed in the WikiLeaks Vault7 cache have been spotted in the wild attacking targets in 16 countries and linked to a group operating since at least 2011, Symantec claimed.
The security giant revealed that the “spying tools and operational protocols” detailed in Vault7 matched those used in attacks against at least 40 targets by a group it has dubbed “Longhorn”.
Longhorn’s targets spanned the Middle East, Europe, Asia and Africa. Interestingly, on one occasion a target in the US was infected but within hours an uninstaller was launched, suggesting it happened in error.
“It has used a range of backdoor Trojans in addition to zero-day vulnerabilities to compromise its targets”, Symantec continued in a blog post.
“Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker.”
Symantec claimed one of the malware tools detailed in Vault7, Fluxwire, closely resembled a Longhorn tool it was already tracking as Trojan.Corentry. The log of dates on which new features were added also matches Symantec’s own records, it claimed.
Similar matches were made with the Fire and Forget payload, as well as cryptographic protocols used by the malware.
“These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-byte key. These requirements align with the cryptographic practices observed by Symantec in all of the Longhorn tools”, said the vendor.
“Other Vault7 documents outline tradecraft practices to be used, such as use of the Real-time Transport Protocol (RTP) as a means of command and control (C&C) communications, employing wipe-on-use as standard practice, in-memory string de-obfuscation, using a unique deployment-time key for string obfuscation, and the use of secure erase protocols involving renaming and overwriting. Symantec has observed Longhorn tools following all of these practices.”
Other links include the standard Monday-to-Friday working week of the Longhorn operators; use of the acronym MTWRFSU to refer to the days of the week; and code words in the malware, such as “Scoobysnack”, that are familiar in North America.
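The non-technical links above (a Monday-to-Friday activity pattern, the MTWRFSU day-of-week acronym, and distinctive code words) are the kind of weak signals an analyst scores during sample triage. The following is an added example, not Symantec's code and not from the article: a small helper that takes a sample's activity timestamps and extracted strings (both constructed here) and reports which of these article-listed markers are present. The threshold values, function names and the sample data are assumptions for illustration.

```python
"""Analyst-side triage helper (added example; not Symantec's or the article's code).

Checks a sample's metadata for the attribution links the article lists:
a business-week activity pattern, the MTWRFSU acronym, and known code words.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Markers taken from the article; everything else in this file is assumed.
CODE_WORDS = {"scoobysnack"}
DAY_ACRONYM = "MTWRFSU"  # M T W R(=Thursday) F S U(=Sunday)


def weekday_histogram(timestamps):
    """Count events per weekday, index 0 = Monday .. 6 = Sunday."""
    counts = Counter(ts.weekday() for ts in timestamps)
    return [counts.get(day, 0) for day in range(7)]


def working_week_fraction(hist):
    """Fraction of events that fall on Monday through Friday."""
    total = sum(hist)
    return 0.0 if total == 0 else sum(hist[:5]) / total


def looks_like_business_week(hist, threshold=0.9, min_events=10):
    """True when enough events exist and nearly all land on weekdays.

    The 0.9 threshold and 10-event minimum are assumed tuning values, not
    figures from the article; with too few events the signal is meaningless.
    """
    return sum(hist) >= min_events and working_week_fraction(hist) >= threshold


def find_tradecraft_strings(strings):
    """Return the article-listed string markers found in a sample's strings."""
    found = set()
    for s in strings:
        if DAY_ACRONYM in s:
            found.add("MTWRFSU")
        if any(word in s.lower() for word in CODE_WORDS):
            found.add("codeword")
    return found


def triage(timestamps, strings):
    """Summarise the weak attribution signals for one sample."""
    hist = weekday_histogram(timestamps)
    return {
        "weekday_histogram": hist,
        "working_week_fraction": working_week_fraction(hist),
        "business_week": looks_like_business_week(hist),
        "string_markers": find_tradecraft_strings(strings),
    }


# Constructed sample data: 12 activity timestamps starting on a Monday
# (2014-03-03), 11 of them on weekdays and one on a Saturday.
_START = datetime(2014, 3, 3, 10, 0, tzinfo=timezone.utc)
SAMPLE_TIMESTAMPS = [_START + timedelta(days=d)
                     for d in (0, 1, 2, 3, 4, 5, 7, 8, 9, 10, 11, 14)]
# Constructed strings as a strings(1)-style dump might produce them.
SAMPLE_STRINGS = ["kernel32.dll", "MTWRFSU", "ScoobySnack_v2", "GetProcAddress"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TIMESTAMPS, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

None of these signals attributes a sample on its own; the article's point is that they only carried weight in combination with the code and protocol overlaps, so the triage output is meant to be read alongside those stronger matches.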