This story is over 5 years old.

CIA's Alleged Hacking Tools Now Linked to 40 Hacks Around the World

In all, Symantec has identified targets in 16 countries, based on information Wikileaks has published.
Vice President Mike Pence swears in Mike Pompeo. White House Photo by Ben Applebaum.

Over the past few weeks, Wikileaks has published a steady stream of files and other pieces of information apparently related to the CIA's hacking operations and tools.

Now, researchers at cybersecurity company Symantec have allegedly managed to link tools mentioned in the releases to real attacks around the world, possibly giving insight into the sort of organizations the CIA targets.

"Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn" a blog post published by the company on Monday reads.


According to Symantec, Longhorn has been active since at least 2011, and has infiltrated targets in government, financial, telecoms, energy, aerospace, education, and natural resources sectors. Typically, these were all in the Middle East, Europe, Asia and Africa, although one computer was briefly infected in the United States.

"Following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally," Symantec writes. In a rare public statement issued last month, the CIA said, "It is also important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so."

Naturally, Symantec is able to gain visibility into Longhorn hacking operations through the company's customers. Symantec first encountered Longhorn back in 2014, when the group used a zero-day exploit embedded in a Word document, the blog post adds. Longhorn appears to follow standard Monday to Friday work patterns, judging by domain registration and other timestamps.

Similarities between Wikileaks' files and real world attacks include development timelines of specific tools and tactics for avoiding detection, the blog post reads. One example is a piece of malware Symantec previously dubbed Corentry.

"New features in Corentry appeared either on the same date listed in the Vault 7 document or several days later, leaving little doubt the Corentry is the malware described in the leaked document," the blog post reads. In all, Symantec highlights four pieces of malware that it links to the Longhorn group.

Symantec also point to another document in the dump, which lays out what sort of cryptographic protocols CIA malware should follow. These practices have also been found in tools used by Longhorn, the company writes.

That the CIA may have been partly identified because of their particular use of cryptography is pretty ironic: another file released by Wikileaks allegedly shows CIA hackers analyzing how another suspected US government group, this time from the NSA, was unmasked.

"The custom RC5 [a cryptographic protocol] was everywhere," a CIA official wrote, according to the document.

Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.