To folks at the cybersecurity firm Symantec, the hacking group they call “Longhorn” has always seemed like a state actor.
The group has hacked 40 “targets” in 16 nations, according to Symantec. Longhorn has gone after governments as well as groups involved in finance, energy, telecommunications, education and much more.
“All of the organizations targeted would be of interest to a nation-state attacker,” the Symantec Security Response team wrote on Monday.
They now believe that “nation-state attacker” is the CIA.
Symantec doesn’t say it outright, but it’s hard to come to any other conclusion. Longhorn uses the same malware and hacking techniques laid out in documents published by WikiLeaks in a release called Vault 7. WikiLeaks says those documents belong to the CIA, and — despite WikiLeaks’s relatively new penchant for Russian government propaganda — basically no one doubts the claim.
Longhorn also uses tricks to cover its tracks that are outlined in the documents. Given all that, Symantec says “there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.”
Symantec has tracked the group for three years and watched as it added new wrinkles to its malware — wrinkles the CIA supposedly added to its own malware at around the same time. The timelines, Symantec says, are strikingly similar.
But Longhorn didn’t only have “all the hallmarks of a sophisticated cyber-espionage group.” Its malware and hacking techniques are unique to the group, according to Symantec, and it’s not likely there’s some other super-sophisticated hacking group mimicking the techniques revealed by WikiLeaks.
And the group also gives off a few clues that indicate it’s made up of people who live in North America and speak English. Their codewords, for example, include “SCOOBYSNACK.”
The CIA did not immediately respond to a request for comment.