Longhorn

aka: Lamberts, the Lamberts, APT-C-39, PLATINUM TERMINAL

Longhorn has been active since at least 2011. It has used a range of backdoor Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.

According to the Council on Foreign Relations (CFR), this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by WikiLeaks under the name "Vault 7."


Associated Families
elf.vault8_hive osx.lambert win.lambert win.unidentified_020_cia_vault7

References
2022-01-21 · Twitter (@_CPResearch_) · Check Point Research
@online{research:20220121:whitelambert:e5581c9, author = {Check Point Research}, title = {{Tweet on WhiteLambert malware}}, date = {2022-01-21}, organization = {Twitter (@_CPResearch_)}, url = {https://twitter.com/_CPResearch_/status/1484502090068242433}, language = {English}, urldate = {2022-01-25} } Tweet on WhiteLambert malware
Lambert
2021-10-01 · Objective-See · Runa Sandvik
@online{sandvik:20211001:made:832ee10, author = {Runa Sandvik}, title = {{Made In America: Green Lambert for OS X}}, date = {2021-10-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x68.html}, language = {English}, urldate = {2021-10-24} } Made In America: Green Lambert for OS X
Lambert
2020-03-02 · Qihoo 360 Technology · Qihoo 360
@online{360:20200302:cia:d88b9c9, author = {Qihoo 360}, title = {{The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years}}, date = {2020-03-02}, organization = {Qihoo 360 Technology}, url = {http://blogs.360.cn/post/APT-C-39_CIA_EN.html}, language = {English}, urldate = {2020-03-03} } The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years
Longhorn
2020-02-13 · Qianxin · Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020 · Secureworks · SecureWorks
@online{secureworks:2020:platinum:3145483, author = {SecureWorks}, title = {{PLATINUM TERMINAL}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/platinum-terminal}, language = {English}, urldate = {2020-05-23} } PLATINUM TERMINAL
TalentRAT Equation Group Longhorn
2019-09-30 · Qianxin · Red Raindrop Team
@online{team:20190930:analysis:e586631, author = {Red Raindrop Team}, title = {{Analysis and disclosure of the CIA's cyber arsenal}}, date = {2019-09-30}, organization = {Qianxin}, url = {https://ti.qianxin.com/blog/articles/network-weapons-of-cia/}, language = {Chinese}, urldate = {2022-05-04} } Analysis and disclosure of the CIA's cyber arsenal
Lambert
2019 · Council on Foreign Relations · Cyber Operations Tracker
@online{tracker:2019:longhorn:effa072, author = {Cyber Operations Tracker}, title = {{Longhorn}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/longhorn}, language = {English}, urldate = {2019-12-20} } Longhorn
Longhorn
2018-06-15 · Youtube (defconswitzerland) · Costin Raiu
@online{raiu:20180615:area41:6009950, author = {Costin Raiu}, title = {{Area41 Keynote}}, date = {2018-06-15}, organization = {Youtube (defconswitzerland)}, url = {https://www.youtube.com/watch?v=jeLd-gw2bWo}, language = {English}, urldate = {2020-01-09} } Area41 Keynote
Lambert Regin
2017-11-26 · Github (infoskirmish) · infoskirmish
@online{infoskirmish:20171126:source:5c10b38, author = {infoskirmish}, title = {{Source Code of HIVE}}, date = {2017-11-26}, organization = {Github (infoskirmish)}, url = {https://github.com/infoskirmish/hive}, language = {English}, urldate = {2023-02-01} } Source Code of HIVE
Hive (Vault 8)
2017-09-09 · Wikileaks
@online{wikileaks:20170909:vault:cbebf31, author = {Wikileaks}, title = {{Vault 8: Hive}}, date = {2017-09-09}, url = {https://wikileaks.org/vault8/}, language = {English}, urldate = {2023-02-01} } Vault 8: Hive
Hive (Vault 8)
2017-04-10 · Bleeping Computer · Catalin Cimpanu
@online{cimpanu:20170410:longhorn:97fddcb, author = {Catalin Cimpanu}, title = {{Longhorn Cyber-Espionage Group Is Actually the CIA}}, date = {2017-04-10}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/}, language = {English}, urldate = {2019-12-20} } Longhorn Cyber-Espionage Group Is Actually the CIA
Longhorn
2017-04-10 · Symantec · Symantec Security Response
@online{response:20170410:longhorn:e48f344, author = {Symantec Security Response}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7}, language = {English}, urldate = {2020-01-09} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-04-10 · Symantec · A L Johnson
@online{johnson:20170410:longhorn:811e6dc, author = {A L Johnson}, title = {{Longhorn: Tools used by cyberespionage group linked to Vault 7}}, date = {2017-04-10}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn
2017-03-07 · Wikileaks · Wikileaks
@online{wikileaks:20170307:vault:839b275, author = {Wikileaks}, title = {{Vault 7: CIA Hacking Tools Revealed}}, date = {2017-03-07}, organization = {Wikileaks}, url = {https://wikileaks.org/ciav7p1/cms/page_34308128.html}, language = {English}, urldate = {2020-01-08} } Vault 7: CIA Hacking Tools Revealed
Unidentified 020 (Vault7)

Credits: MISP Project