A new report from a cybersecurity firm provides new insights into malware linked to the CIA, including an odd list of internal references to pop culture ranging from carnival foods to obscure video games.
Kaspersky Lab released a detailed report Tuesday about an espionage group, building on competitor Symantec's work released Monday. Symantec's report explained that an advanced persistent threat (APT) — a designation for hacking campaigns or groups with technical proficiency and patience — appears to have used tools described in WikiLeaks's spate of stolen CIA files that the site has released over the past month.
Kaspersky traced the campaign back to 2009 — two years earlier than Symantec had been following the attacks. Symantec had dubbed the attackers "Longhorn." Kaspersky has been calling them "Lambert."
The new report makes special note of code name evidence left behind after the attacks. APTs do not typically leave behind this kind of information, as it can be used to help profile an attacker.
"We really enjoyed going through the backstories of these codenames," wrote Kaspersky Lab, noting that finding recognizable code names was "very unusual."
Kaspersky linked six different malware programs to the group. Buried within the code for these different tools were references to "Star Trek," such as code names Spock Prosper and Spock Logical — the "Star Trek" character Spock used the catch phrases "live long and prosper" and "it's logical." Other television references included Gai and Shu, two characters from the anime series "Guilty Crown."
The code also references the true crime literary genre, the Japanese PlayStation game "Ape Escape" and the viral YouTube series "Bad Lip Reading," which once dubbed over NFL video to make it appear that running back Adrian Peterson was talking about a Doublesided Scooby Snack.
The programmers also snuck in a reference to the comic "Flash Gordon" and another to the martial art of Brazilian Jiu Jitsu via the codename and move Inverted Shot.
There were at least two references to carnival games or foods, including Ringtoss Carnival and Funnelcake Carnival.
The Longhorn attacks spanned 50 targets in 16 nations in Europe, Asia and Africa, with a broad range of victims in both the public and private sector, according to Symantec.
Kaspersky gives fewer details about victims but does acknowledge at least one attack in the United Kingdom and at least one attack that attempted to infect computers using modified industrial software.