Symantec Links Trojans, Malware to CIA Hacking Tools
By Tom Brant
April 10, 2017 08:26 pm EST
A series of computer viruses targeting companies and organizations closely resembles the Vault 7 hacking tools that WikiLeaks disclosed.
CIA hacking tools that WikiLeaks exposed as part of its Vault 7 data dump are linked to a rash of trojans and zero-day exploits that have infected computers since 2011, anti-virus software maker Symantec claimed this week.
The attacks, which Symantec researchers have lumped together into a single virus that they codenamed "Longhorn," have targeted at least 40 different organizations in 16 countries in the Middle East, Europe, Asia, and Africa. The victims include companies in the financial, telecom, energy, aerospace, IT, education, and natural resources sectors, as well as governments and international NGOs.
Symantec made the link between Longhorn and the WikiLeaks CIA hacking trove using changelog data, which shows that new features were added to the CIA tools at the same time as updates to some of Longhorn's tools. Other similarities exist, too, including cryptographic practices and the methods that both sets of tools use to cover their tracks on the systems they infect.
"Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide," Symantec said in a blog post. "Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7."
Symantec said it first became aware of Longhorn in 2014, and that its anti-virus products provide protection against the malware. The company hasn't identified any domestic targets; although it observed one computer in the US infected with Longhorn, the virus uninstalled itself within hours, suggesting that the infection was inadvertent.
WikiLeaks first announced its possession of the Vault 7 hacking tools in early March, claiming that they were widely circulated among government contractors, one of whom leaked them to the organization.