The group that evidence indicates was actually made up of CIA agents was also being tracked by Kaspersky Lab

Apr 11, 2017 21:52 GMT  ·  By

Symantec wasn't the only security firm keeping an eye on what is now believed to be one of the CIA's teams, as the folks over at Kaspersky were doing the same thing. Instead of Longhorn, however, they'd called the group "The Lamberts."

Much like Symantec, Kaspersky had been watching The Lamberts for years, more specifically since 2014, when an attack was observed exploiting a zero-day vulnerability (CVE-2014-4148). The attack at the time leveraged malware Kaspersky called "BlackLambert," targeting an unnamed high-profile organization in Europe.

Kaspersky traces The Lamberts back to at least 2008 and says they've been using multiple sophisticated attack tools against high-profile victims, with an arsenal that includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Their tools work on both Windows and OS X, with the latest samples noticed by Kaspersky created in 2016.

"Although the operational security displayed by actors using the Lamberts toolkit is very good, one sample includes a PDB path that points to a project named 'Archan~1' (perhaps 'Archangel'). The root folder on the PDB path is named 'Hudson'. This is one of the very few mistakes we’ve seen with this threat actor," Kaspersky notes.

Elementary, my dear Watson

According to Symantec, following the Vault 7 WikiLeaks revelations regarding the CIA's hacking tools, it was able to correlate the tools mentioned there to a group it had been calling "Longhorn." Symantec had long believed the group was state-sponsored, because its operators seemed to work Monday to Friday and had ample capabilities. Following Vault 7, Symantec was able to correlate some 40 attacks across 16 countries in Europe, the Middle East, Asia and Africa, focusing on organizations operating in various sectors, such as financial, telecoms, energy, aerospace, information technology, education, and natural resources.

"The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks. The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group," Symantec wrote in its presentation.