Symantec Security Response
Longhorn: Tools used by cyberespionage group linked to Vault 7
Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at
least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its
customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more
about its tools, tactics, and procedures.
The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents
disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7
documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities
between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the
work of the same group.
Who is Longhorn?
Longhorn has been active since at least 2011. It has used a range of backdoor Trojans in addition to zero-day
vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating
organisations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education,
and natural resources sectors. All of the organisations targeted would be of interest to a nation-state attacker.
Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one
occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within
hours, which may indicate this victim was infected unintentionally.
The link to Vault 7
A number of documents disclosed by WikiLeaks outline specifications and requirements for malware tools. One document is
a development timeline for a piece of malware called Fluxwire, containing a changelog of dates for when new features
were incorporated. These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by
Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed
in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked
document.
Global reach: Longhorn’s operations
While active since at least 2011, with some evidence of activity dating back as far as 2007, Longhorn first came to
Symantec’s attention in 2014 with the use of a zero-day exploit (CVE-2014-4148) embedded in a Word document to infect a
target with Plexor. The malware had all the hallmarks of a sophisticated cyberespionage group. Aside from access to
zero-day exploits, the group had preconfigured Plexor with elements that indicated prior knowledge of the target
environment.
To date, Symantec has found evidence of Longhorn activities against 40 targets spread across 16 different countries.
Symantec has seen Longhorn use four different malware tools against its targets: Corentry, Plexor, Backdoor.Trojan.LH1,
and Backdoor.Trojan.LH2.
Distinctive fingerprints
Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide. Taken
in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group,
leaving little doubt about its link to Vault 7.
ends