A man walks across the seal of the Central Intelligence Agency at the lobby of the Original Headquarters Building at the CIA headquarters February 19, 2009 in McLean, Virginia. (Alex Wong/Getty Images)

In early March, WikiLeaks released "Vault 7", which appeared to detail cyberweapons used by the US Central Intelligence Agency (CIA). Now, security experts at Symantec say the same code has been used by a cyberespionage group to infiltrate networks of at least 40 targets in 16 different countries.

Symantec claims the sophisticated group it has tracked for years — dubbed "Longhorn" — is the same group described in WikiLeaks' publication. Using zero-day vulnerabilities, it has been active in the Middle East, Europe, Asia, and Africa since at least 2011, the firm asserts.

Longhorn has hacked into governments and international organisations, alongside a number of targets in the financial, telecommunications, energy, aerospace, information technology (IT), education, and natural resources sectors, the US cybersecurity firm said in a blog post on 10 April (Monday).

All would be of interest to a nation-state attacker, it said.

As evidence, experts revealed that the alleged CIA tools followed the same development timelines as those built by Longhorn, and that the two toolsets share striking similarities in how they avoid detection.

"Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group," Symantec said in its report, which used its own network of customers to help investigate the incident.

Prior to the WikiLeaks disclosure, the firm had assessed that Longhorn was a "well-resourced organisation involved in intelligence gathering operations." It said its in-depth analysis found that Longhorn – potentially the CIA – was from an English-speaking, North American country.

The researchers said: "The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates.

"Longhorn's malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities.

"The malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomisation of communication intervals—all attempts to stay under the radar during intrusions."

The WikiLeaks publications revealed a slew of computer implants used by the alleged US intelligence agency to hack into iOS and Android operating systems. The CIA has not confirmed the tools are legitimate, but stressed it is the "first line of defence" against enemies of the state.

The source of the Vault 7 leak remains unknown; however, WikiLeaks said in an initial analysis of the files that they were taken from an "isolated, high-security network" at Langley, Virginia. Julian Assange, WikiLeaks' founder, teased that there are many more leaks to come.