Longhorn hacking group linked to dozens of worldwide cyberattacks

11 Apr 2017

Image: Ching Design/Shutterstock

Cybersecurity specialist Symantec claims that Longhorn, a cyber warfare operation discovered in the recent WikiLeaks breach, can be linked to dozens of attacks worldwide.

Active since at least 2011, the discovery of Longhorn – a particularly successful hacking group distributing malware worldwide – was revealed by the recent Vault7 leaks.

Symantec had been tracing it for a number of years, though it was WikiLeaks’ data haul – in which the latter alleged CIA involvement – that truly pulled back the curtain.

Symantec’s investigation of the trail left in Longhorn’s wake reveals an extensive history, linking the group with cyberattacks against at least 40 targets in 16 different countries.

Though Symantec steers clear of naming the ‘who’ behind the perpetrators, there are strong hints that there is a US origin, given that those attacked by the software were in the Middle East, Europe, Asia and Africa.

The US stays fairly clean throughout this, but there was one bizarre instance when a computer in the country was compromised before the malware was quickly uninstalled.

As this uninstall happened “within hours”, Symantec suggests this was merely an unintentional attack.

There is evidence of activity dating back as far as 2007, said Symantec, with Corentry, Plexor, Backdoor.Trojan.LH1 and Backdoor.Trojan.LH2 the four malware tools utilised within Longhorn’s armoury.

“Before deploying malware to a target, the Longhorn group will preconfigure it with what appears to be target-specific code words, and distinct C&C domains and IP addresses for communications back to the attackers,” said Symantec.

Within its coding, Symantec discovered some pretty quirky elements, such as the code words ‘groupid’ and ‘siteid’. While this could reference targets, it’s the more trivial, yet linked, words such as ‘REDLIGHT’ and ‘ROXANNE’ (references to Sting and The Police) that hint at an English-speaking organisation.

“Longhorn’s malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery and exfiltration capabilities,” said Symantec.

“Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide,” it said.

“Taken in combination, the tools, techniques and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault7.”

Gordon Hunt was a journalist with Silicon Republic