If You Only Work on Your Malware on Weekdays, You Might Be a CIA Hacker

Analysts at Symantec found a curious pattern in malware alleged to have been developed by the CIA: all the timestamps are Monday through Friday.

Hacking tools that WikiLeaks says were developed by the CIA have now been linked to an operation that targeted governments and corporations all over the world during the past six years. The tools, which include malware that can be used to take control of myriad devices and applications, were described in 9,000 documents and files that WikiLeaks released last month in an archive it calls Vault 7.

After analyzing the details of the malware described in the archive, investigators at Symantec found close forensic matches to several pieces of invasive software they had been tracking since 2014. That malware had infected at least 40 targets in 16 countries since 2011, the company said in a blog post, and was possibly active as far back as 2007.

Long before WikiLeaks claimed the malware was created by the CIA, Symantec had already assumed the group responsible—which it dubbed “Longhorn”—was government-sponsored. That assumption was based on several factors, such as the global scope of the group’s operation, the level of sophistication of the malware itself, and one other telling detail:

“The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups,” the company said in a blog post about its analysis, published April 10.

In nearly every imaginable way, this is malware that carefully covers its tracks. When it sends stolen data back to its makers, it does so through private servers using a custom encryption protocol, and limits the amount of data it sends in each burst to avoid detection. If it ends up on a non-targeted computer, it uninstalls itself within hours. But what it doesn’t do is hide the fact that it was created by developers who don’t work on weekends.

Symantec was analyzing the Vault 7 documents for a piece of malware the archive called Fluxwire; the company realized that timestamps in the Fluxwire development logs matched the timeline for the addition of new features to malware Symantec had been tracking and calling Corentry.

“New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later,” Symantec said in its blog post, “leaving little doubt that Corentry is the malware described in the leaked document.”

Those timestamps not only helped investigators match one piece of malware to another, and indicated a Monday-to-Friday schedule, but also indicated activity consistent with an American time zone. Indeed, before analyzing the Vault 7 documents, Symantec had already concluded that Longhorn was a group based in North America. That was partly based on the American time zones they saw, but also on the finding that Longhorn primarily targeted devices in Europe, Asia, Africa, and the Middle East—and seemed particularly averse to American computers.
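The working-week and time-zone inference described above can be reproduced as a simple hypothesis test: shift each observed UTC timestamp into several candidate offsets and see which one places the most activity inside a Monday-to-Friday, 08:00-18:00 window. The code below is an added illustration, not Symantec's tooling or data; the timestamps are constructed, and fixed UTC offsets stand in for real time-zone names so the example runs without a tz database.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of UTC timestamps, of the kind an analyst extracts from
# compile headers, file metadata or domain registration records. Not real data.
SAMPLE_TIMESTAMPS_UTC = [
    "2017-04-10T14:30:00Z",  # Mon
    "2017-04-11T19:00:00Z",  # Tue
    "2017-04-12T21:45:00Z",  # Wed
    "2017-04-13T13:05:00Z",  # Thu
    "2017-04-14T20:10:00Z",  # Fri
    "2017-04-15T16:00:00Z",  # Sat, an outlier
    "2017-04-17T15:00:00Z",  # Mon
    "2017-04-18T22:30:00Z",  # Tue
]

# Hypothetical candidate offsets (hours from UTC). A real analysis would use
# zoneinfo names so that daylight-saving shifts are handled correctly.
CANDIDATE_OFFSETS = {"UTC-5": -5, "UTC+0": 0, "UTC+3": 3, "UTC+8": 8}

WORK_START, WORK_END = 8, 18  # local hours counted as a working day: [start, end)
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_working_window(local_dt):
    """True if the local time falls on Mon-Fri inside the working hours."""
    return local_dt.weekday() < 5 and WORK_START <= local_dt.hour < WORK_END


def score_offsets(timestamps, offsets):
    """Fraction of events inside the working window for each candidate offset."""
    events = [parse_utc(t) for t in timestamps]
    scores = {}
    for label, hours in offsets.items():
        tz = timezone(timedelta(hours=hours))
        hits = sum(in_working_window(e.astimezone(tz)) for e in events)
        scores[label] = hits / len(events)
    return scores


def best_offset(timestamps, offsets):
    """Offset whose working window explains the largest share of activity."""
    scores = score_offsets(timestamps, offsets)
    return max(scores, key=scores.get)


def weekday_histogram(timestamps, hours):
    """Count events per local weekday once shifted into the given offset."""
    tz = timezone(timedelta(hours=hours))
    counts = Counter(DAY_NAMES[parse_utc(t).astimezone(tz).weekday()] for t in timestamps)
    return {name: counts[name] for name in DAY_NAMES}
```

A single outlier (the Saturday event) does not change the result, which is why analysts look at the overall distribution rather than any one timestamp; compile timestamps can also be forged, so this signal is corroborating evidence, not proof.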

“On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally,” the blog post said.

Another indication of the malware’s provenance was the English words found within it. One piece of malware contained code words like “REDLIGHT” and “ROXANNE,” in an apparent reference to the band the Police. Another contained the code word “SCOOBYSNACK,” which “would be most familiar in North America,” according to the blog post.

US government officials have not confirmed or denied that the Vault 7 documents are authentic.
