According to a blog posted Monday, internet security giant Symantec has linked real-world cyberattacks to the tools detailed in the “Vault 7” WikiLeaks dump.
Since 2011, Symantec has tracked a group it calls “Longhorn,” which used sophisticated software exploits against organizations that “would be of interest to a nation-state attacker.” The blog post never specifically mentions the CIA, instead assessing that the Longhorn group exhibited “behavior which is consistent with state-sponsored groups” and that there were “indicators that Longhorn was from an English-speaking, North American country.” Longhorn even used “SCOOBYSNACK” as a code word in its malware.
Symantec says it found that the group “infected 40 targets in at least 16 countries” across the globe:
“Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors.”
To tie the WikiLeaks information to its investigation of Longhorn, Symantec found that the software detailed in Vault 7 followed the same development timeline it had observed in real-world samples. One piece of software, known as “Corentry” to Symantec and referred to as “Fluxwire” by WikiLeaks, provided particularly compelling evidence:
“New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.”
Symantec’s investigation found that the attacks were carried out “across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.” According to Reuters, Symantec did not track any mass surveillance tools and all of the targets held national security value. However, Symantec’s Eric Chien told Reuters that,
“there are organizations in there that people would be surprised were targets.”
Symantec’s Stephen Doherty told Wired that the company had been tracking the Longhorn group for many years, but Vault 7 was key in pinpointing the group’s identity. “[T]he tools and activity we had been tracking from Longhorn closely match some of the information disclosed in Vault 7,” said Doherty.
Symantec’s findings mark the first real-world example of the Vault 7 tools being used. However, Doherty said that they have not yet found additional links:
“We track a lot of groups and a lot of actors and we haven’t seen any specific details that would link to any other malware at the moment.”
While the CIA understandably declines to confirm the authenticity of the tools and documents contained in Vault 7, the government has attempted to block the leaks from being admitted into court cases on the grounds that they should be considered classified. That action, paired with expert analysis by industry leaders like Symantec, shows that the WikiLeaks collection is likely real.