Symantec attributes cyber attacks to leaked CIA hacking tools


Longhorn is a "sophisticated cyber espionage group".

Past cyber attacks on scores of organisations around the world were conducted with top-secret hacking tools allegedly from the CIA that were exposed recently by whistleblower website WikiLeaks, according to security vendor Symantec.

Analysis by Symantec found evidence of 40 attacks in at least 16 countries by a group it dubbed Longhorn, which has been active since 2011 and possibly as early as 2007.

Longhorn targeted governments as well as financial, telecommunications, energy, aerospace, IT, education, and natural resources companies, using zero-days and Trojan Horse malware.

Symantec noted that the Corentry and Plexor malware deployed by Longhorn matched the Fluxwire Trojan and Archangel payload injector described in the CIA Vault7 documents released by WikiLeaks.

Although Symantec stopped short of saying so, its analysis suggests the CIA was behind the cyber attacks the security vendor recorded.

The files posted by WikiLeaks appear to show internal CIA discussions of various tools for hacking into phones, computers and other electronic gear, along with programming code for some of them, and multiple people familiar with the matter have told Reuters that the documents came from the CIA or its contractors.

The CIA has not confirmed the WikiLeaks documents are genuine.

Agency spokeswoman Heather Fritz Horniak said any WikiLeaks disclosures aimed at damaging the intelligence community "not only jeopardise US personnel and operations, but also equip our adversaries with tools and information to do us harm".

"It is important to note that CIA is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and CIA does not do so," Horniak said.

She declined to comment on the specifics of Symantec's research.

The CIA tools described by WikiLeaks do not involve mass surveillance, and all of the targets were government entities or had legitimate national security value for other reasons, Symantec researcher Eric Chien said.

In part because some of the targets are US allies in Europe, "there are organisations in there that people would be surprised were targets," Chien said.

Besides Europe, countries were hit in the Middle East, Asia, and Africa.

One computer was infected in the United States in what was likely an accident - the infection was removed within hours. All the programs were used to open back doors and collect and remove copies of files, rather than to destroy anything.

Chien said the WikiLeaks documents are so complete that they likely encompass the CIA’s entire hacking toolkit, including many taking advantage of previously unknown flaws.

The CIA is best-known for its human intelligence sources and analysis, not vast electronic operations. For that reason, being forced to build new tools is a setback but not a catastrophe.

It could lead to awkward conversations, however, as more allies realise the Americans were spying on them.

Separately, a group calling itself the ShadowBrokers on Saturday released the password to an encrypted trove of National Security Agency hacking tools, along with a blog post criticising President Donald Trump for attacking Syria and moving away from his conservative political base.

It is unclear who is behind the ShadowBrokers or how the group obtained the files.
