CIA Vault 7 tools attributed to hacking group for years

Security researchers said the CIA Vault 7 tools and techniques are linked to cyberattacks over the past six years targeting various foreign entities.

WikiLeaks redacted key information from the CIA Vault 7 dump, but researchers still think there is enough evidence to attribute the work of a specific hacking group to the CIA itself.

Symantec researchers call the hacking group Longhorn and said the group has been active since at least 2011 and "has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets."

"Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education and natural resources sectors," Symantec wrote in a blog post. "All of the organizations targeted would be of interest to a nation-state attacker."

According to Symantec, the Longhorn hacking group has attacked "at least 40 targets in 16 different countries," and descriptions found in the CIA Vault 7 documents bear "close similarities" to the tools and techniques of Longhorn.

Symantec had previously reported some of the vulnerabilities the alleged CIA hacking group used, and it now attributes attacks going back at least six years to Longhorn, but it had never publicly mentioned the group before.

Eric Chien, technical director of Symantec Security Response, told SearchSecurity the delay in outing Longhorn was because although Symantec tracks "a wide range of groups ... in addition to threat descriptions," the company only publishes research when there is "actionable information."

"As part of normal practices, we published threat descriptions of the binary threats when they were discovered and we confirmed protections for our customers," Chien said. "The threats came on our radar in 2014 (although binaries were likely detected prior by proactive detection technologies in our products) when a customer reported them and asked for assistance."

Tom Kellermann, CEO of Strategic Cyber Ventures, was not happy with Symantec's connection of Longhorn to the CIA Vault 7 hacking tools.

"Symantec is altering their public relations/communications policy to begin to out the U.S. government's cyberespionage efforts. As an American patriot, I do not agree with this shift," Kellermann told SearchSecurity via email. "The CIA has been conducting cyberespionage against our nation's adversaries and now their methods have been disclosed which will hurt our national security."

However, Josh Zelonis, senior analyst at Forrester, said it was "only a matter of time" before researchers connected the data in the CIA Vault 7 dump with tools seen in the wild.

"I don't think anyone should be surprised that the CIA was using the tools it had to hack; the motivation behind this report is strictly to demonstrate value for Symantec threat intelligence and forensics capabilities," Zelonis told SearchSecurity. "It is interesting, however, that Symantec rates a Trojan.Corentry infection as having a 'very low' risk level, considering they were attributing it to a nation-state actor (Longhorn) even before they figured out it was the CIA. This is a problem with the way the industry treats risk levels; the implication of being infected by malware of this type is high, but the likelihood is low because it's not commodity malware."
