Longhorn (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

Longhorn (Back to overview)

aka: APT-C-39, Lamberts, PLATINUM TERMINAL, the Lamberts

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to cfr, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by Wikileaks under the name "Vault 7."

Associated Families

elf.vault8_hive osx.lambert win.lambert win.unidentified_020_cia_vault7

References

2022-01-21 ⋅ Twitter (@_CPResearch_) ⋅ Check Point Research
Tweet on WhiteLambert malware
Lambert

2021-10-01 ⋅ Objective-See ⋅ Runa Sandvik
Made In America: Green Lambert for OS X
Lambert

2020-03-02 ⋅ Qihoo 360 Technology ⋅ Qihoo 360
The CIA Hacking Group (APT-C-39) Conducts Cyber-Espionage Operation on China's Critical Industries for 11 Years
Longhorn

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
PLATINUM TERMINAL
TalentRAT Equation Group Longhorn

2019-09-30 ⋅ ⋅ Qianxin ⋅ Red Raindrop Team
Analysis and disclosure of the CIA's cyber arsenal
Lambert

2019-01-01 ⋅ Council on Foreign Relations ⋅ Cyber Operations Tracker
Longhorn
Longhorn

2018-06-15 ⋅ Youtube (defconswitzerland) ⋅ Costin Raiu
Area41 Keynote
Lambert Regin

2017-11-26 ⋅ Github (infoskirmish) ⋅ infoskirmish
Source Code of HIVE
Hive (Vault 8)

2017-09-09 ⋅ Wikileaks
Vault 8: Hive
Hive (Vault 8)

2017-04-10 ⋅ Symantec ⋅ A L Johnson
Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn

2017-04-10 ⋅ Bleeping Computer ⋅ Catalin Cimpanu
Longhorn Cyber-Espionage Group Is Actually the CIA
Longhorn

2017-04-10 ⋅ Symantec ⋅ Symantec Security Response
Longhorn: Tools used by cyberespionage group linked to Vault 7
Lambert Longhorn

2017-03-07 ⋅ Wikileaks ⋅ Wikileaks
Vault 7: CIA Hacking Tools Revealed
Unidentified 020 (Vault7)

Credits: MISP Project