Found in the wild: Vault7 hacking tools WikiLeaks says come from CIA
Malware that WikiLeaks purports belongs to the Central Intelligence Agency has been definitively tied to an advanced hacking operation that has been penetrating governments and private industries around the world for years, researchers from security firm Symantec say.
Longhorn, as Symantec dubs the group, has infected governments and companies in the financial, telecommunications, energy, and aerospace industries since at least 2011 and possibly as early as 2007. The group has compromised 40 targets in at least 16 countries across the Middle East, Europe, Asia, Africa, and on one occasion, in the US, although that was probably a mistake.
Uncanny resemblance
Malware used by Longhorn bears an uncanny resemblance to tools and methods described in the Vault7 documents. Near-identical matches are found in cryptographic protocols, source-code compiler changes, and techniques for concealing malicious traffic flowing out of infected networks. Symantec, which has been tracking Longhorn since 2014, didn't positively link the group to the CIA, but it has concluded that the malware Longhorn used over a span of years is included in the Vault7 cache of secret hacking manuals that WikiLeaks says belonged to the CIA. Virtually no one is disputing WikiLeaks' contention that the documents belong to the US agency.
"Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide," Symantec researchers wrote in a blog post published Monday. "Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault7."
Exhibit A in Symantec's case are Vault7 documents describing malware called Fluxwire. The changelog tracking differences from one version to the next match within one to a few days the changes Symantec found in a Longhorn trojan known as Corentry. Early versions of Corentry also show that its developers used the same program database file location specified in the Fluxwire documentation. A change in Fluxwire version 3.5.0 that removes the database file path also matches changes Symantec tracked in Corentry. Up until 2014, Corentry source code was compiled using the GNU Compiler Collection. Then on February 25, 2015, it started using the Microsoft Visual C++ compiler. The progression matches changes described in Vault7 documentation.
Yet more similarities are found in a Vault7 malware module loader called Archangel and a specification for installing those modules known as Fire and Forget. The specification and modules described match almost perfectly with a Longhorn backdoor that Symantec calls Plexor.
Another Vault7 document prescribes the use of inner cryptography within communications already encrypted using the secure sockets layer protocol, performing key exchanges once per connection, and the use of the Advanced Encryption Standard with a 32-bit key. Still other Vault7 documents outline the use of the real-time transport protocol to conceal data sent to command-and-control servers and a variety of similar "tradecraft practices" to keep infections covert. While malware from other groups uses similar techniques, few use exactly the same ones described in the Vault7 documents.
According to Symantec:
While active since at least 2011, with some evidence of activity dating back as far as 2007, Longhorn first came to Symantec’s attention in 2014 with the use of a zero-day exploit (CVE-2014-4148) embedded in a Word document to infect a target with Plexor.
The malware had all the hallmarks of a sophisticated cyberespionage group. Aside from access to zero-day exploits, the group had preconfigured Plexor with a proxy address specific to the organization, indicating they had prior knowledge of the target environment.
To date, Symantec has found evidence of Longhorn activities against 40 targets spread across 16 different countries. Symantec has seen Longhorn use four different malware tools against its targets: Corentry, Plexor, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.
Before deploying malware to a target, Longhorn will preconfigure it with what appears to be target-specific code words and distinct C&C domains and IP addresses to communicate with. Longhorn uses capitalized code words, internally referenced as “groupid” and “siteid”, which may be used to identify campaigns and victims. Over 40 of these identifiers have been observed, and typically follow the theme of movies, characters, food, or music. One example was a nod to the band The Police, with the code words REDLIGHT and ROXANNE used.
Longhorn’s malware has an extensive list of commands for remote control of the infected computer. Most of the malware can also be customized with additional plugins and modules, some of which have been observed by Symantec.
Longhorn’s malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities. The malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals—all attempts to stay under the radar during intrusions.
For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.
Prior to WikiLeaks publishing its Vault7 materials, Symantec had regarded Longhorn as a well-resourced organization that engaged in intelligence-gathering operations. Researchers based that assessment on Longhorn's global range of targets and its ability to use well-developed malware and zero-day exploits. Symantec also noted that the group appeared to work a standard Monday-though-Friday work week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups. Symantec also uncovered indicators—among them the code word "scoobysnack"—and software compilation times—that showed Longhorn members spoke English and likely lived in North America.
Since WikiLeaks published its first Vault7 installment in early March, there has been no outside source to either confirm or refute the authenticity of the documents. The Symantec research establishes without a doubt that the malware described in the trove is real and has been used in the wild for at least six years. It also makes a compelling case that the group that's responsible is the CIA.
Gloss