ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: Longhorn, The Lamberts

Names: Longhorn (Symantec), The Lamberts (Kaspersky), APT-C-39 (Qihoo 360)
Country: USA
Sponsor: State-sponsored, CIA
Motivation: Information theft and espionage
First seen: 2009
Description: A subgroup of the CIA.

Some operations and tooling used by this group were exposed in the [Vault 7/8] leaks on WikiLeaks in 2017.

(Symantec) Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker.

Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally.

Longhorn’s malware appears to be specifically built for espionage-type operations, with detailed system fingerprinting, discovery, and exfiltration capabilities. The malware uses a high degree of operational security, communicating externally at only select times, with upload limits on exfiltrated data, and randomization of communication intervals—all attempts to stay under the radar during intrusions.

For C&C servers, Longhorn typically configures a specific domain and IP address combination per target. The domains appear to be registered by the attackers; however they use privacy services to hide their real identity. The IP addresses are typically owned by legitimate companies offering virtual private server (VPS) or webhosting services. The malware communicates with C&C servers over HTTPS using a custom underlying cryptographic protocol to protect communications from identification.
Observed sectors: Aerospace, Aviation, Education, Energy, Financial, Government, IT, Oil and gas, Research, Telecommunications.
Observed countries: China and 16 countries in the Middle East, Europe, Asia and Africa.
Tools used: Black Lambert, Blue Lambert, Corentry, Cyan Lambert, Gray Lambert, Green Lambert, Lambert, Magenta Lambert, Pink Lambert, Silver Lambert, Violet Lambert, White Lambert and everything in the [Vault 7/8] archives.
Information:
<https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7>
<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>
<http://blogs.360.cn/post/APT-C-39_CIA_EN.html>
<https://github.com/RedDrip7/APT_Digital_Weapon/tree/master/Lamberts>

Last change to this card: 17 July 2020



Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
