Symantec
The company Symantec recently published the results of studying the information published by WikiLeaks. It’s about Vault 7, a package of documents describing the principles of the software used by the CIA to break into computers and computer systems of individuals and organizations.
A special group was engaged in cyber espionage in the CIA, which was dubbed Longhorn in Symantec. Its participants infected computer networks of governmental bodies of different countries, telecommunications, energy enterprises as well as aircraft manufacturers were infected. The package of tools, which WikiLeaks representatives stated, was used, according to Symantec, from 2007 to 2011. During this time, the group has modestly at least 40 goals in 16 different states, including the Middle East, Europe, Asia, Africa and the United States (in this case, most likely by mistake).
Longhorn’s instrumentation was very extensive. Symantec succeeded in finding a correspondence between the information provided by WikiLeaks and the attacks carried out in the past, using various methods. This is the coincidence of cryptographic protocols (for example, customized RC5 protocol), changes in the compiler used and methods of attacking computer networks and systems. As it turned out, the company Symantec closely monitored to the best of its ability for the activities of Longhorn in 2014. In any case, it was then that Symantec discovered a new malware distributed in Word documents.
“Longhorn used modern cybernetic tools and zero-day vulnerabilities to defeat targets around the world,” the company said on its blog. “The system of methods, tools and methods used by Longhorn has stood out among others, so there is little doubt that the group is involved in all of these attacks.”
One of the indicators that tracked was Fluxwire. The changes to which the software was exposed correspond to the program described by Symante. Specialists of this company, however, called the corrupted Corentry malware. But it, as far as can be judged, exactly corresponds to the software, which appears in the WikiLeaks archives as FluxWire. For example, the changes in FluxWare documented by WikiLeaks are fully consistent with the Corentry changes that Symantec fixed. If simpler, then this is the same software with specific elements of “behavior”, which is described both by Symantec and WikiLeals. On February 25, 2015, Symantec specialists noted that the developers of this software now use the Microsoft Visual C ++ compiler. The same data is contained in the archive Vault 7.
Much more similar points can be found in the software, which in Vault7 is listed under the name Archangel. On Symantec archives, it passes as Plexor. Specifications and modules of this software are almost equally described in the archives of the CIA and Symantec. There is no doubt that this is also the same program. Vault7 has information on the cryptographic features of the CIA software’s network activity. These features are noted in Symantec.
“Before sending its malware to the target, Longhorn was preconfiguring the software package, traces of which could be detected by specific words, C & C domains and IP addresses that should Was to “communicate” this software. Longhorn used words written in capital letters, often “groupid” and “siteid”, which were used to identify campaigns and victims. More than 40 such identifiers were studied, very often they were words from films, including characters, food or music. One example is the reference to the group “The Police”, with the code words REDLIGHT and ROXANNE, “says the report of experts from Symantec.
WikiLeaks published the first part of the collection of secret documents of the CIA on March 8. This collection, called Vault 7, gives a good idea of the scale of the cyberspace work of this organization. With the help of programs developed by its employees, the CIA was able to penetrate the computer networks of virtually any organization. After the promulgation of these documents, it became clear that the capabilities of the CIA are superior to those of the NSA.
Now WikiLeaks does not publish the source code of the tools, information about which is contained in the first part of the archive. This is done for various reasons, including the danger of getting such information in the hands of cybercriminals.
Well, the CIA reaction is quite natural. “As we said earlier, Julian Assange is not at all a bastion of truth and honesty. American society should be deeply moved by the disclosure of Wikileaks documents, which leads to a limitation of the CIA’s ability to protect America from terrorists and other intruders, “the press secretary of the department said.
