{
	"id": "69056dc9-b06c-465f-82e7-f48bcbaa8370",
	"created_at": "2026-04-06T00:12:41.086303Z",
	"updated_at": "2026-04-10T13:12:39.917376Z",
	"deleted_at": null,
	"sha1_hash": "0322398047ccf4d6037f313740e5c9e92fb84c6d",
	"title": "Longhorn Cyber-Espionage Group Is Actually the CIA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 721302,
	"plain_text": "Longhorn Cyber-Espionage Group Is Actually the CIA\r\nBy Catalin Cimpanu\r\nPublished: 2017-04-10 · Archived: 2026-04-05 16:56:00 UTC\r\nSecurity researchers from Symantec have tied the CIA hacking tools leaked by WikiLeaks last month to a cyber-espionage group responsible for at least 40 hacks in 16 countries.\r\nThe group's activity came to light in 2014, when Symantec researchers first identified attacks from a common actor that appeared to have the backing of a North American nation.\r\nSymantec named the group Longhorn, while Kaspersky tracked its activity under the name Lamberts.\r\nVault 7 dump helped reveal group's identity\r\nAfter WikiLeaks published Vault 7, a collection of documents allegedly stolen from the CIA, Symantec researchers went through the files, which were mostly wiki pages and manuals for a range of hacking tools.\r\nWikiLeaks claimed the files belonged to the CIA, saying hackers and contractors provided the data. Following the leak, the US Department of Justice refused to admit some of the files in a US court case, saying they were classified material, inadvertently confirming their authenticity even though the CIA never publicly acknowledged the leak.\r\nMany clues support Symantec's findings\r\nFollowing its analysis of the Vault 7 documents, Symantec is confident that they describe the modus operandi and some of the tools of the Longhorn cyber-espionage group, which it first discovered in 2014 and whose activity it has traced back to 2007.\r\nThe tools used by Longhorn closely follow the development timelines and technical specifications laid out in the documents disclosed by WikiLeaks.
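Two of the details Symantec relies on for the Corentry-to-Fluxwire match, the path of the Fluxwire PDB file left in early Corentry builds and the 2014 switch from GCC to MSVC, are both recoverable from a sample with a lightweight static check. The script below is an added example written for this page; it is not Symantec's tooling and not code from the article. It scans a constructed, non-malicious PE fragment (laid out the way real files are, with a Rich header and a CodeView RSDS record) for embedded PDB paths and for the Rich header that the MSVC linker emits and GCC/MinGW builds lack. The PDB path, XOR key and product identifiers in the sample are illustrative values, not indicators from the Longhorn case.

```python
import struct

# Constructed, non-malicious sample (not a Corentry or Fluxwire binary):
# a PE image fragment laid out like a real file, with an encoded Rich
# header (the MSVC toolchain record) and a CodeView RSDS debug record
# that carries a PDB path. Both are built with the same encoding the
# parser below undoes, so the whole example runs offline.
RICH_KEY = 0x1A2B3C4D                                    # illustrative XOR key
COMPIDS = [(0x0093, 0x6B0D, 12), (0x0095, 0x6B0D, 3)]    # illustrative product ids
PE_OFFSET = 0xC0


def build_rich_header(key, compids):
    # Rich header: DanS marker, three zero padding dwords, then
    # (compid, count) pairs with compid = (product id << 16) | build,
    # all XORed with the key; then the plain Rich marker and the key.
    words = [struct.unpack('<I', b'DanS')[0], 0, 0, 0]
    for prod_id, build, count in compids:
        words.append((prod_id << 16) | build)
        words.append(count)
    encoded = b''.join(struct.pack('<I', w ^ key) for w in words)
    return encoded + b'Rich' + struct.pack('<I', key)


def build_rsds_record(pdb_path):
    # CodeView RSDS record: signature, 16-byte GUID, 4-byte age,
    # NUL-terminated PDB path (real paths use backslashes; forward
    # slashes here only keep the constructed sample simple).
    return (b'RSDS' + bytes(range(16)) + struct.pack('<I', 1)
            + pdb_path.encode('ascii') + bytes(1))


RICH = build_rich_header(RICH_KEY, COMPIDS)
SAMPLE = (
    b'MZ' + bytes(0x3A) + struct.pack('<I', PE_OFFSET) + bytes(0x40)  # DOS header, e_lfanew at 0x3C
    + RICH + bytes(PE_OFFSET - 0x80 - len(RICH))                      # Rich header, pad up to PE header
    + b'PE' + bytes(2) + bytes(0x200)                                 # PE signature and stand-in headers
    + build_rsds_record('C:/dev/fluxwire/Release/fluxwire.pdb')      # debug record, as found in .rdata
    + bytes(0x40)
)


def extract_pdb_paths(data):
    # Raw scan for every RSDS record; does not depend on the debug
    # directory being intact, so it also catches leftovers in overlays.
    paths = []
    pos = data.find(b'RSDS')
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(bytes(1), start)
        if end != -1:
            paths.append(data[start:end].decode('ascii', 'replace'))
        pos = data.find(b'RSDS', pos + 4)
    return paths


def extract_rich_header(data):
    # Decodes the Rich header between the DOS stub and the PE header.
    # Returns (product id, build, count) triples, or [] when absent,
    # which is what GCC and MinGW builds look like: only the MSVC
    # linker emits this record.
    if len(data) < 0x40 or data[:2] != b'MZ':
        return []
    pe_off = struct.unpack('<I', data[0x3C:0x40])[0]
    region = data[:pe_off] if 0x40 < pe_off <= len(data) else data
    pos = region.rfind(b'Rich')
    if pos == -1 or pos + 8 > len(region):
        return []
    key = struct.unpack('<I', region[pos + 4:pos + 8])[0]
    dans = struct.unpack('<I', b'DanS')[0]
    entries = []
    off = pos - 8
    while off >= 0:
        comp, count = struct.unpack('<II', region[off:off + 8])
        comp ^= key
        count ^= key
        if comp == dans:
            break
        entries.append((comp >> 16, comp & 0xFFFF, count))
        off -= 8
    if off < 0:
        return []                                    # no DanS marker: not a Rich header
    entries.reverse()
    return [e for e in entries if e != (0, 0, 0)]   # drop the padding dwords


def triage(data):
    # Summary a sample-analysis pipeline could key on: PDB paths for
    # project-name pivots, toolchain hint for the GCC-to-MSVC timeline.
    rich = extract_rich_header(data)
    return {
        'pdb_paths': extract_pdb_paths(data),
        'rich_entries': rich,
        'toolchain': 'MSVC' if rich else 'no Rich header',
    }


if __name__ == '__main__':
    print(triage(SAMPLE))
```

Both artefacts are under the author's control (a PDB path can be stripped or faked, and a Rich header can be forged or copied from another binary), so treat hits as corroboration alongside the changelog timeline and behavioural overlap, not as proof on their own.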
The Longhorn group uses some of the same cryptographic protocols specified in the Vault 7 documents and follows the leaked guidelines on tactics for avoiding detection. Given the close similarities between the tools and techniques, Symantec says there can be little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group.\r\nTo support its conclusion, Symantec details its findings:\r\n- A trojan detected by Symantec as Trojan.Corentry has all the features of the Fluxwire tool described in the Vault 7 dump.\r\n- The Fluxwire changelog closely matches the timeline on which Symantec detected new features in Corentry samples.\r\n- Up until 2014, Fluxwire samples were compiled with GCC, after which the developers switched to MSVC; the same change is observed in Corentry samples.\r\n- Early Corentry samples contained a reference to the file path of the Fluxwire program database (PDB) file, linking Corentry with Fluxwire.\r\n- The CIA's Fire and Forget tool, used for the user-mode injection of a payload called Archangel, resembles the modus operandi of a trojan Symantec detects as Backdoor.Plexor.\r\nThe way the CIA used cryptography in its tools matches how the Longhorn group operated:\r\n- an inner layer of cryptography within SSL, to prevent man-in-the-middle (MITM) attacks on the outer session\r\n- a key exchange once per connection\r\n- use of AES with a 32-byte (256-bit) key\r\nOther Vault 7 operational manuals describe attack techniques also used by the Longhorn group:\r\n- use of the Real-time Transport Protocol (RTP) as a channel for command and control (C\u0026C) communications\r\n- wipe-on-use as standard practice\r\n- in-memory string deobfuscation\r\n- use of a unique deployment-time key for string obfuscation\r\n- secure erase procedures involving renaming and overwriting\r\n- use of a single domain and IP address combination per target for the C\u0026C server\r\nCIA accidentally hacked a computer in the US\r\nAccording to Symantec, Longhorn malware has been linked to 
attacks on 40 targets in 16 countries in the Middle East, Europe, Asia, and Africa.\r\nAt one point, Longhorn infected a computer in the United States, but the group removed the malware within hours.\r\nWhile the Vault 7 dump helped Symantec link Longhorn with the CIA, the Shadow Brokers dump from last year helped Kaspersky link the activities of another cyber-espionage group, the Equation Group, active since the mid-1990s, to the NSA.\r\nSource: https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/"
	],
	"report_names": [
		"longhorn-cyber-espionage-group-is-actually-the-cia"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "08623296-52be-4977-8622-50efda44e9cc",
			"created_at": "2023-01-06T13:46:38.549387Z",
			"updated_at": "2026-04-10T02:00:03.020003Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"Tilded Team",
				"EQGRP",
				"G0020"
			],
			"source_name": "MISPGALAXY:Equation Group",
			"tools": [
				"TripleFantasy",
				"GrayFish",
				"EquationLaser",
				"EquationDrug",
				"DoubleFantasy"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2d9fbbd7-e4c3-40e5-b751-27af27c8610b",
			"created_at": "2024-05-01T02:03:08.144214Z",
			"updated_at": "2026-04-10T02:00:03.674763Z",
			"deleted_at": null,
			"main_name": "PLATINUM COLONY",
			"aliases": [
				"Equation Group "
			],
			"source_name": "Secureworks:PLATINUM COLONY",
			"tools": [
				"DoubleFantasy",
				"EquationDrug",
				"EquationLaser",
				"Fanny",
				"GrayFish",
				"TripleFantasy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e993faab-f941-4561-bd87-7c33d609a4fc",
			"created_at": "2022-10-25T16:07:23.460301Z",
			"updated_at": "2026-04-10T02:00:04.617715Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"APT-C-39",
				"Platinum Terminal",
				"The Lamberts"
			],
			"source_name": "ETDA:Longhorn",
			"tools": [
				"Black Lambert",
				"Blue Lambert",
				"Corentry",
				"Cyan Lambert",
				"Fluxwire",
				"Gray Lambert",
				"Green Lambert",
				"Magenta Lambert",
				"Pink Lambert",
				"Plexor",
				"Purple Lambert",
				"Silver Lambert",
				"Violet Lambert",
				"White Lambert"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e0fed6e6-a593-4041-80ef-694261825937",
			"created_at": "2022-10-25T16:07:23.593572Z",
			"updated_at": "2026-04-10T02:00:04.680752Z",
			"deleted_at": null,
			"main_name": "Equation Group",
			"aliases": [
				"APT-C-40",
				"G0020",
				"Platinum Colony",
				"Tilded Team"
			],
			"source_name": "ETDA:Equation Group",
			"tools": [
				"Bvp47",
				"DEMENTIAWHEEL",
				"DOUBLEFANTASY",
				"DanderSpritz",
				"DarkPulsar",
				"DoubleFantasy",
				"DoubleFeature",
				"DoublePulsar",
				"Duqu",
				"EQUATIONDRUG",
				"EQUATIONLASER",
				"EQUESTRE",
				"Flamer",
				"GRAYFISH",
				"GROK",
				"OddJob",
				"Plexor",
				"Prax",
				"Regin",
				"Skywiper",
				"TRIPLEFANTASY",
				"Tilded",
				"UNITEDRAKE",
				"WarriorPride",
				"sKyWIper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70db80bd-31b7-4581-accb-914cd8252913",
			"created_at": "2023-01-06T13:46:38.57727Z",
			"updated_at": "2026-04-10T02:00:03.028845Z",
			"deleted_at": null,
			"main_name": "Longhorn",
			"aliases": [
				"the Lamberts",
				"APT-C-39",
				"PLATINUM TERMINAL"
			],
			"source_name": "MISPGALAXY:Longhorn",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "23dfc9f5-1862-4510-a6ae-53d8e51f17b1",
			"created_at": "2024-05-01T02:03:08.146025Z",
			"updated_at": "2026-04-10T02:00:03.67072Z",
			"deleted_at": null,
			"main_name": "PLATINUM TERMINAL",
			"aliases": [
				"APT-C-39 ",
				"Longhorn ",
				"The Lamberts ",
				"Vault7 "
			],
			"source_name": "Secureworks:PLATINUM TERMINAL",
			"tools": [
				"AfterMidnight",
				"Assassin",
				"Marble Framework"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434361,
	"ts_updated_at": 1775826759,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0322398047ccf4d6037f313740e5c9e92fb84c6d.pdf",
		"text": "https://archive.orkl.eu/0322398047ccf4d6037f313740e5c9e92fb84c6d.txt",
		"img": "https://archive.orkl.eu/0322398047ccf4d6037f313740e5c9e92fb84c6d.jpg"
	}
}