Hacking tools in Vault 7 data dump linked to prolific cyber espionage group

While security researchers and companies go through the collection of hacking tools contained in the data dump that the Shadow Brokers failed to sell, Symantec has tied hacking tools from WikiLeaks’ Vault 7 documents to “Longhorn,” a cyber espionage group whose activity they have been following for years.

Shadow Brokers’s data dump

The encrypted file containing the data was already available for download, but the group has now released the key required to decrypt it.

For those of you who lost track, Shadow Brokers is the name given by an individual or group that has claimed to have hacked the Equation Group – a threat actor that has been linked with the US National Security Agency – and has previously leaked exploits and hacking tools.

This latest data dump was initially offered for sale, but Shadow Brokers now decided to give it out for free, and have accompanied the release with a note in which they are addressing US President Donald Trump and complaining about him going back on his campaign promises.

Security researchers have already compiled a summary of the tools and exploits found in the data dump, and among these is a remote root exploit for systems running Oracle’s Solaris. Malwarebytes researchers also provided some insight into the leaked stuff. Still, it will take some time for every detail to be revealed and verified (as far as it can be).

NSA whistleblower Edward Snowden noted that a “quick review of the ShadowBrokers leak of Top Secret NSA tools reveals it’s nowhere near the full library, but there’s still so much here that NSA should be able to instantly identify where this set came from and how they lost it.”

Is Longhorn the CIA?

The Vault 7 data dump, which WikiLeaks claims to originate from the CIA, is still being analyzed, but some discoveries have already been made.

On Monday, Symantec researchers released a report saying that the spying tools and operational protocols detailed in the Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group the company calls Longhorn.

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group,” they noted.

The group has been active for at least six years, and has used backdoor Trojans and zero-day vulnerabilities to compromise its targets: governments, organizations in the financial, telecoms, aerospace, information technology and other industries across the Middle East, Europe, Asia, and Africa.

“Prior to the Vault 7 leak, Symantec’s assessment of Longhorn was that it was a well-resourced organization which was involved in intelligence gathering operations,” the researchers noted. “The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups.”

Also, they uncovered a number of indicators that Longhorn was from an English-speaking, North American country.

Kaspersky Lab researchers published on Tuesday the results of their own analysis of the group’s tools, and also noted their predilection for pop culture references and codenames that seems to indicate that the tools’ authors are from North America.