Since 7 March, WikiLeaks has released four batches of files, allegedly originating from the CIA as part of a leak it calls Vault 7. iTWire’s latest article is here.
Longhorn’s malware appears to be purpose-built for espionage operations, with detailed system fingerprinting, discovery and exfiltration capabilities. The malware employs a high degree of operational security: it communicates externally only at select times, places upload limits on exfiltrated data, and randomises its communication intervals – all attempts to stay under the radar during an intrusion.
Symantec says the discovery is doubly significant.
- The tools used by the Longhorn group closely follow development timelines and technical specifications laid out in the Vault 7 documents disclosed by WikiLeaks.
- Symantec’s analysis is that the group is a well-resourced intelligence-gathering organisation based in North America, and has used these spying tools in cyber attacks against targets in at least 16 different countries across the Middle East, Europe, Asia and Africa.
Reading between the lines, this is as close as Symantec can get without stating outright that the CIA and Longhorn could be one and the same.
CIA spokesperson Heather Fritz Horniak told Reuters that the disclosures from WikiLeaks "not only jeopardise US personnel and operations, but also equip our adversaries with tools and information to do us harm. It is important to note that the CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and the CIA does not do so."