Symantec claims to have found evidence that a North American cyber-espionage group exploiting the tools and operational protocols detailed in Wikileaks' recent Vault 7 releases.
Vault 7 is the codename given by WikiLeaks to documents that it claims reveals the hacking capabilities of the CIA. Critics, though, claim that the documents are out-of-date.
According to Symantec, a well-resourced intelligence-gathering organisation based in the US, called Longhorn, had been using these spying tools in cyber attacks against targets in at least 16 countries across the Middle East, Europe, Asia and Africa.
Symantec said that the tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.
This includes some of the same cryptographic protocols specified in the Vault 7 documents, in addition to leaked guidelines on tactics to avoid detection.
"Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group," claimed Symantec.
One example Symantec gave of Longhorn's use of Vault 7 information is for a tool called Trojan.Corentry.
The Vault 7 leaks included a document with a development timeline for a piece of malware called Fluxwire, which included a changelog of dates for when new features were incorporated. Symantec said that these dates closely align with the development of the Longhorn Corentry tool.
"New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document," it said.
Vault 7 also detailed a specification for user-mode injection of a payload by a tool called Archangel. The specification of the payload and the interface used to load it were closely matched in another Longhorn tool called Backdoor.Plexor.
Other Vault 7 information that has been used to help develop Longhorn tools include cryptographic protocols that malware tools should follow, the use of a real-time transport protocol (RTP) as a means of command and control communications, in-memory string de-obfuscation, employing wipe-on-use as standard practice, and using secure erase protocols involving renaming and overwriting.
"Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide.
"Taken in combination, the tools, techniques and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7," Symantec claimed. µ
Insecticides based on sulfoxaflor might be as bad for bees as neonicotinoids
Intel teases forthcoming new graphics card accompanied by the text "We will set our graphics free"
Think your password manager is completely secure? Think again...
ARM plans 7nm 'Deimos' for 2019 and 5nm and 7nm 'Hercules' for 2020