Symantec Security Response

Longhorn: Tools used by cyberespionage group linked to Vault 7

Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more about its tools, tactics, and procedures.

The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group.

Who is Longhorn?

Longhorn has been active since at least 2011. It has used a range of backdoor Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organisations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organisations targeted would be of interest to a nation-state attacker.

Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.

The link to Vault 7

A number of documents disclosed by WikiLeaks outline specifications and requirements for malware tools. One document is a development timeline for a piece of malware called Fluxwire, containing a changelog of dates for when new features were incorporated. These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.
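The date-alignment reasoning in the paragraph above can be expressed as a small analyst check: for each feature in a leaked changelog, find the earliest sample in which that feature was observed and measure the lag. The script below is an added example, not Symantec's tooling or data; the changelog entries, sample identifiers, first-seen dates and feature names are all constructed placeholders, and the seven-day window is an assumed tolerance chosen to mirror the "same date or several days later" observation in the text.

```python
from datetime import date

# Constructed changelog: feature -> date the (hypothetical) leaked development
# timeline says the feature was added. Not the real Fluxwire changelog.
CHANGELOG = {
    "feature_a": date(2014, 1, 10),
    "feature_b": date(2014, 3, 5),
    "feature_c": date(2014, 6, 20),
    "feature_d": date(2015, 2, 1),   # observed much later than logged
    "feature_e": date(2015, 5, 1),   # observed BEFORE it was logged
    "feature_f": date(2016, 1, 1),   # never observed in any sample
}

# Constructed sample inventory: (sample id, first-seen date, features observed).
SAMPLES = [
    ("sample-001", date(2014, 1, 12), {"feature_a"}),
    ("sample-002", date(2014, 3, 7), {"feature_a", "feature_b"}),
    ("sample-003", date(2014, 6, 21), {"feature_a", "feature_b", "feature_c"}),
    ("sample-004", date(2015, 4, 30),
     {"feature_a", "feature_b", "feature_c", "feature_d", "feature_e"}),
]


def first_seen(samples, feature):
    """Earliest first-seen date among samples that exhibit `feature`, or None."""
    dates = [seen for _, seen, feats in samples if feature in feats]
    return min(dates) if dates else None


def correlate(changelog, samples, window_days=7):
    """For each changelog feature, report the lag (days) between the logged date
    and the earliest observation, and whether that lag lies in [0, window_days].
    A negative lag means the feature was seen before the changelog claims it
    existed, which argues against the changelog describing this malware."""
    result = {}
    for feature, logged in changelog.items():
        seen = first_seen(samples, feature)
        if seen is None:
            result[feature] = None  # no evidence either way
            continue
        lag = (seen - logged).days
        result[feature] = {"lag_days": lag, "consistent": 0 <= lag <= window_days}
    return result


def support_score(result):
    """Fraction of observed features whose timing is consistent with the
    changelog; unobserved features are excluded rather than counted against."""
    scored = [r for r in result.values() if r is not None]
    if not scored:
        return 0.0
    return sum(1 for r in scored if r["consistent"]) / len(scored)


if __name__ == "__main__":
    res = correlate(CHANGELOG, SAMPLES)
    for feature, info in res.items():
        print(feature, info)
    print("support score:", support_score(res))
```

A high support score is one line of evidence, not proof on its own: features often appear in samples that were simply not collected until later, which is why the score ignores unobserved features, while a negative lag is the case worth flagging explicitly because it contradicts the changelog outright.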

Global reach: Longhorn’s operations

While active since at least 2011, with some evidence of activity dating back as far as 2007, Longhorn first came to Symantec’s attention in 2014 with the use of a zero-day exploit (CVE-2014-4148) embedded in a Word document to infect a target with Plexor. The malware had all the hallmarks of a sophisticated cyberespionage group. Aside from access to zero-day exploits, the group had preconfigured Plexor with elements that indicated prior knowledge of the target environment.

To date, Symantec has found evidence of Longhorn activities against 40 targets spread across 16 different countries. Symantec has seen Longhorn use four different malware tools against its targets: Corentry, Plexor, Backdoor.Trojan.LH1, and Backdoor.Trojan.LH2.

Distinctive fingerprints

Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide. Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7.

© Scoop Media