Symantec claims evidence that Wikileaks' Vault 7 tools were used in cyber-espionage campaign in 16 countries

'Longhorn' group used hacking tools detailed by Wikileaks' Vault 7 releases to attack targets in Middle East, Europe and Africa

Symantec claims to have found firm evidence that the Vault 7 hacking tools, which Wikileaks started releasing last month, were indeed used by a North American cyber-espionage group in a campaign against targets across the world.

Vault 7 is the codename given by WikiLeaks to documents that it claims reveal the hacking capabilities of the US Central Intelligence Agency (CIA). Critics, though, claim that the documents are out-of-date by several years and have suggested that Wikileaks has over-hyped their importance.

However, according to Symantec, a well-resourced, US-based intelligence-gathering organisation, which it calls Longhorn, has been using these spying tools in cyber attacks against targets in at least 16 countries across the Middle East, Europe, Asia and Africa.

Symantec said that the tools used by Longhorn closely follow development timelines and technical specifications laid out in the documents so far disclosed by WikiLeaks.

This includes some of the same cryptographic protocols specified in the Vault 7 documents, in addition to leaked guidelines on tactics to avoid detection.

"Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group," claimed Symantec.

One example Symantec gave of Longhorn's use of Vault 7 information concerns a tool called Trojan.Corentry.

The Vault 7 leaks included a document with a development timeline for a piece of malware called Fluxwire, which included a changelog of dates for when new features were incorporated. Symantec said that these dates closely align with the development of the Longhorn Corentry tool.

"New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document," it said.

Vault 7 also detailed a specification for user-mode injection of a payload by a tool called Archangel. The specification of the payload and the interface used to load it were closely matched in another Longhorn tool, called Backdoor.Plexor.

Other Vault 7 information that has been used to help develop Longhorn tools includes cryptographic protocols that malware tools should follow, the use of the real-time transport protocol (RTP) as a means of command-and-control communication, in-memory string de-obfuscation, employing wipe-on-use as standard practice, and using secure-erase protocols involving renaming and overwriting.

"Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide.

"Taken in combination, the tools, techniques and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7," Symantec claimed.