Longhorn

🔴 High
Also known as: Lamberts, the Lamberts, APT-C-39, PLATINUM TERMINAL, Longhorn

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to CFR, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by WikiLeaks under the name “Vault 7.”

🌍 Country: United States
📅 Activity: 2017 — 2017
⚡ Risk Level: High
🎯 Incident Type: Espionage


Activities and Tactics

Targeted Sectors: Telecoms, Aerospace, Energy, Education, Government, Administration, Finance, News - Media, Private sector, Government

Country of Origin: 🇺🇸 United States

Risk Level: High

First Seen: 2017

Last Activity: 2017

Incident Type: Espionage

Suspected Victims: Global

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • SPACESHIP
  • Trojan.Karagany
  • Trojan.Mebromi
  • Back Orifice
  • Back Orifice 2000
  • UNITEDRAKE
  • CrossRat

Attribution and Evidence

Country of Origin: United States

Additional attribution information pending cataloguing.

References

References pending cataloguing.