Symantec forces Longhorn cyberespionage group into the spotlight
According to Symantec's research, Longhorn has infected targets in at least 16 countries across the Middle East, Europe, Asia and Africa.
Cybersecurity specialist Symantec recently unveiled research findings surrounding the Vault 7 leak, exploring how the exposure of spying tools and operational protocols has led to cyberattacks against 40 targets across 16 countries.
Symantec's findings also identified the source of these cyberattacks as the so-called Longhorn cyberespionage group, which has been active since 2011.
Since its inception, the Longhorn group has utilised a variety of backdoor Trojans and zero-day vulnerabilities to compromise its targets. These have included government and international organisations, as well as enterprises in the financial, telecoms, energy, IT, aerospace, natural resources and education sectors.
According to Symantec, the tools and attack patterns utilised by Longhorn closely follow the technical specifications detailed in the documents exposed by WikiLeaks. The development timeline of Longhorn's attacks also matches the timeline of the Vault 7 leaks.
Symantec first became aware of Longhorn's activities back in 2014, when the cyberespionage group deployed a zero-day exploit embedded in a Word document to infect a target with Plexor. Since then, the group's capabilities have grown in both scope and sophistication. More recent attacks include the use of malware tools such as Corentry, Plexor, Backdoor.Trojan.LH1 and Backdoor.Trojan.LH2.
Symantec's view of Longhorn prior to the Vault 7 leak was that it was a well-backed and resourceful organisation actively involved in intelligence-gathering operations. Additionally, Symantec's analysis indicated that the Longhorn group is based in an English-speaking, North American country.