Analysts at Symantec found a curious pattern in malware alleged to have been developed by the CIA: all the timestamps are Monday through Friday.
Hacking tools that WikiLeaks says were developed by the CIA have now been linked to an operation that targeted governments and corporations all over the world during the past six years. The tools, which include malware that can be used to take control of myriad devices and applications, were described in 9,000 documents and files that WikiLeaks released last month in an archive it calls Vault 7.
After analyzing the details of the malware described in the archive, investigators at Symantec found close forensic matches to several pieces of invasive software they had been tracking since 2014. That malware had infected at least 40 targets in 16 countries since 2011, the company said in a blog post, and was possibly active as far back as 2007.
Long before WikiLeaks claimed the malware was created by the CIA, Symantec had already assumed the group responsible—which it dubbed “Longhorn”—was government-sponsored. That assumption was based on several factors, such as the global scope of the group’s operation, the level of sophistication of the malware itself, and one other telling detail:
“The group appeared to work a standard Monday to Friday working week, based on timestamps and domain name registration dates, behavior which is consistent with state-sponsored groups,” the company said in a blog post about its analysis, published April 10.
In nearly every imaginable way, this is malware that carefully covers its tracks. When it sends stolen data back to its makers, it does so through private servers using a custom encryption protocol, and limits the amount of data it sends in each burst to avoid detection. If it ends up on a non-targeted computer, it uninstalls itself within hours. But what it doesn’t do is hide the fact that it was created by developers who don’t work on weekends.
Symantec was analyzing the Vault 7 documents for a piece of malware the archive called Fluxwire; the company realized that timestamps in the Fluxwire development logs matched the timeline for the addition of new features to malware Symantec had been tracking and calling Corentry.
“New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later,” Symantec said in its blog post, “leaving little doubt that Corentry is the malware described in the leaked document.”
Those timestamps not only helped investigators match one piece of malware to another, and indicated a Monday-to-Friday schedule, but also indicated activity consistent with an American time zone. Indeed, before analyzing the Vault 7 documents, Symantec had already concluded that Longhorn was a group based in North America. That was partly based on the American time zones they saw, but also on the finding that Longhorn primarily targeted devices in Europe, Asia, Africa, and the Middle East—and seemed particularly averse to American computers.
“On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally,” the blog post said.
Another indication of the malware’s provenance were English words found within it. One piece of malware contained code words like “REDLIGHT” and “ROXANNE,” in an apparent reference to the band the Police. Another contained the code word “SCOOBYSNACK,” which “would be most familiar in North America,” according to the blog post.
US government officials have not confirmed or denied that the Vault 7 documents are authentic.