Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: Longhorn, The Lamberts

Names	Longhorn (Symantec) The Lamberts (Kaspersky) Platinum Terminal (SecureWorks) APT-C-39 (Qihoo 360)
Country	USA
Sponsor	State-sponsored, CIA
Motivation	Information theft and espionage
First seen	2009
Description	A subgroup of the CIA. Some operations and tooling used by this group were exposed in the [Vault 7/8] leaks on WikiLeaks in 2017. (Symantec) Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. Longhorn’s malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities. The malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals—all attempts to stay under the radar during intrusions. For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.
Observed	Sectors: Aerospace, Aviation, Education, Energy, Financial, Government, IT, Oil and gas, Research, Telecommunications. Countries: China and 16 countries in the Middle East, Europe, Asia and Africa.
Tools used	Black Lambert, Blue Lambert, Corentry, Cyan Lambert, Gray Lambert, Green Lambert, Lambert, Magenta Lambert, Pink Lambert, Purple Lambert, Silver Lambert, Violet Lambert, White Lambert and everything in the [Vault 7/8] archives.
Information	<https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7> <https://securelist.com/unraveling-the-lamberts-toolkit/77990/> <http://blogs.360.cn/post/APT-C-39_CIA_EN.html> <https://github.com/RedDrip7/APT_Digital_Weapon/tree/master/Lamberts>

Last change to this card: 04 April 2022

Download this actor card in PDF or JSON format