
Symantec confirms that the CIA's cyber espionage tools match those published by WikiLeaks



Symantec recently published the results of its study of the material published by WikiLeaks as Vault 7, a collection of documents describing the software the CIA uses to hack the computers and networks of individuals and organizations.

Symantec dubbed the CIA's cyber espionage group Longhorn. Its members infected the networks of government bodies in various countries, as well as telecommunications and energy enterprises and aviation companies. According to Symantec, the toolkit described by WikiLeaks was in use from 2007 to 2011. During this time the group attacked at least 40 targets in 16 countries across the Middle East, Europe, Asia, Africa and, in one case that was most likely a mistake, the USA.

The Longhorn toolkit was very extensive. Symantec was able to match the information provided by WikiLeaks against attacks it had observed in the past, on several fronts: the cryptographic protocols used (for example, a customized RC5 protocol), changes in the compiler used, and the methods used to attack networks and systems. As it turned out, Symantec itself had been closely monitoring Longhorn's activities, to the best of its ability, since 2014, when it discovered a new piece of malware distributed in Word documents.
“Longhorn used modern cyber tools and zero-day vulnerabilities to hit targets around the world,” the company said in a blog post. “The combination of methods and tools used by Longhorn stood out among all the others, so there is almost no doubt that the group was involved in all these attacks.”

One of the indicators tracked is the malware Fluxwire. The changes made to this software correspond to those of the program described by Symantec, whose specialists call the detected malware Corentry. As far as can be judged, it is exactly the software that appears in the WikiLeaks archive as Fluxwire: the Fluxwire changes documented by WikiLeaks fully match the Corentry changes documented by Symantec. Put simply, it is the same software, with the same specific elements of "behaviour" described by both Symantec and WikiLeaks. On February 25, 2015, Symantec experts noted that the developers of this software had switched to the Microsoft Visual C++ compiler; the Vault 7 archive contains the same information.

Many more such matches can be found in the software listed in Vault 7 as Archangel, which appears in Symantec's archives as Plexor. The specifications and modules of this software are described almost identically in the CIA's and Symantec's archives; there is no doubt that this too is the same program. Vault 7 also contains information about the cryptographic features of the CIA's network activity, and the same features were noted by Symantec.



“Before sending its malware to a target, Longhorn was pre-configuring the software package, traces of which could be detected by specific words, C&C domains and IP addresses with which this software had to ‘communicate’. Longhorn used capitalized words, often ‘groupid’ and ‘siteid’, which were used to identify campaigns and victims. More than 40 such identifiers have been studied; very often these were words from films, including characters, food or music. One example is a reference to the group ‘The Police’, with the code words REDLIGHT and ROXANNE,” says a report from Symantec experts.
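Two of the artefacts the article says Symantec matched on, a recognizable (if customized) cipher and plain-text campaign identifiers, are things a defender can triage for directly in a sample. The script below is an added example and is not code from Symantec, from the CIA documents or from the article. It derives the RC5 key-schedule magic constants P_w and Q_w for 16-, 32- and 64-bit word sizes from Rivest's published definition, searches a byte blob for them in both byte orders (the approach findcrypt-style tooling takes), and separately looks for `groupid`/`siteid` style markers. The blob, its offsets and the marker values (REDLIGHT and ROXANNE, which the report names as code words) are constructed test data, and the `key=VALUE` marker layout is an assumption for illustration, not a documented format.

```python
"""findcrypt-style triage for a suspected RC5 variant (added example, not the
article's or Symantec's code): locate the RC5 key-schedule magic constants and
plain-text campaign markers in a binary blob."""
import re
import struct
from decimal import Decimal, getcontext

getcontext().prec = 60  # enough digits to derive the 64-bit constants exactly


def _odd(x: Decimal) -> int:
    """Odd(x): the odd integer nearest to x (Rivest's definition in the RC5 paper)."""
    n = int(x)  # truncation equals floor for positive x
    return n if n % 2 else n + 1


def rc5_magic_constants(word_bits: int) -> tuple:
    """P_w = Odd((e - 2) * 2^w), Q_w = Odd((phi - 1) * 2^w) for word size w."""
    e = Decimal(1).exp()
    phi = (1 + Decimal(5).sqrt()) / 2
    scale = Decimal(2) ** word_bits
    return _odd((e - 2) * scale), _odd((phi - 1) * scale)


_PACK = {16: "H", 32: "I", 64: "Q"}  # struct codes for each RC5 word size


def constant_signatures() -> dict:
    """Byte patterns of P_w and Q_w in both byte orders, keyed by a label."""
    sigs = {}
    for w, fmt in _PACK.items():
        p, q = rc5_magic_constants(w)
        for endian, tag in (("<", "le"), (">", "be")):
            sigs[f"RC5 P{w} {tag}"] = struct.pack(endian + fmt, p)
            # Q_w is the golden-ratio constant, which TEA/XTEA also use at w=32,
            # so a Q hit on its own is not proof of RC5.
            sigs[f"RC5/TEA Q{w} {tag}"] = struct.pack(endian + fmt, q)
    return sigs


def find_constants(blob: bytes) -> list:
    """[(offset, label)] for each magic constant found. A narrower constant is
    often a substring of a wider one (P16 is the top half of P32), so hits that
    lie fully inside a wider hit are dropped to avoid double counting."""
    hits = []
    for label, sig in constant_signatures().items():
        pos = blob.find(sig)
        while pos != -1:
            hits.append((pos, pos + len(sig), label))
            pos = blob.find(sig, pos + 1)
    hits.sort(key=lambda h: (h[0] - h[1], h[0]))  # widest match first
    kept = []
    for start, end, label in hits:
        if not any(ks <= start and end <= ke for ks, ke, _ in kept):
            kept.append((start, end, label))
    return sorted((start, label) for start, _, label in kept)


# Assumed "key=VALUE" layout for campaign identifiers; the article does not
# document the real format, this is only an illustration.
MARKER_RE = re.compile(rb"(groupid|siteid)\s*[=:]\s*([A-Za-z0-9_]+)", re.IGNORECASE)


def find_markers(blob: bytes) -> list:
    """[(offset, key, value)] for every groupid/siteid style marker in the blob."""
    return [(m.start(), m.group(1).decode().lower(), m.group(2).decode())
            for m in MARKER_RE.finditer(blob)]


def triage(blob: bytes) -> dict:
    return {"constants": find_constants(blob), "markers": find_markers(blob)}


# Constructed sample: padding, P32 and Q32 little-endian, then a fake config.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 14                            # offsets 0-15, header padding
    + struct.pack("<I", 0xB7E15163)                 # offset 16: P32 (little-endian)
    + struct.pack("<I", 0x9E3779B9)                 # offset 20: Q32 (little-endian)
    + b"\x00" * 8                                   # offsets 24-31
    + b"groupid=REDLIGHT\x00siteid=ROXANNE\x00"     # offset 32: constructed markers
)

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_BLOB).items():
        print(kind)
        for item in found:
            print("  offset 0x%04x: %s" % (item[0], " ".join(map(str, item[1:]))))
```

Two caveats matter in practice. A "customized" RC5 frequently changes exactly these constants, so a miss is inconclusive and only a hit is evidence; and because Q32 is the golden-ratio constant shared with TEA/XTEA, a Q hit without a nearby P hit points to a cipher family, not to RC5 specifically. The containment filter exists because the 16-bit constants are too short to be meaningful on their own and would otherwise fire inside every 32-bit hit.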

WikiLeaks published the first part of its collection of secret CIA documents on March 8. The collection, dubbed Vault 7, gives a good idea of the scale of the organization's cyber espionage work. With programs developed by its own employees, the CIA was able to penetrate the networks of virtually any organization. After these documents were published, it became clear that the CIA's capabilities exceed those of the NSA.

For now, WikiLeaks is not publishing the source code of the tools described in the first part of the archive. It cites various reasons for this, including the danger of such code falling into the hands of cybercriminals.

The CIA's reaction was predictable. “As we said earlier, Julian Assange is not a bastion of truth and honesty. American society must be deeply moved by the disclosure of WikiLeaks documents, which limits the ability of the CIA to protect America from terrorists and other intruders,” said a spokesman for the agency.

Source: https://habr.com/ru/post/403043/
