The CIA’s cyberespionage toolkit made public by WikiLeaks has been linked to 40 spying operations in 16 countries by a group identified as Longhorn, an early public assessment of the intelligence agency’s global hacking operations, computer security company Symantec said Monday.

In a blog post, the California-based Symantec Corp. said the tools in WikiLeaks’ recent releases have been linked to the electronic infiltration of international, financial, energy and aerospace organizations across the world. Like many security firms, Symantec draws on data supplied by its clients. Researcher Dick O’Brien declined to provide further details, saying doing so might prompt speculation as to the identity of the people or organizations involved.


Who is Longhorn?

“Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker.

“Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.”

– From Symantec blog


“I will say, in terms of the regions, the largest region represented in terms of those targets was the Middle East,” O’Brien said in a telephone interview.

The word “CIA” was mentioned nowhere in Symantec’s post, but few if any doubt that that’s where the tools come from. When WikiLeaks began releasing them in early March, it gave an unusually explicit account of how the tools had been taken from the CIA’s Center for Cyber Intelligence. The U.S. government has since all but publicly accepted the embarrassing claim; about a week later, President Donald Trump told a television host: “I just want people to know the CIA was hacked, and a lot of things taken.”

O’Brien said that while Symantec didn’t dispute that assessment, pinning the tools on a specific government agency was “straying outside our area of expertise.”

Intriguingly, O’Brien said one CIA tool was discovered breaking into a U.S. computer — only to uninstall itself almost immediately afterward.

“That, to us, smacks of an accidental compromise,” he said. “Our assessment is it was likely a mistake.”

Online:

Symantec’s blog post: https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7