Symantec Attributes CIA-Linked Cyberespionage Toolkit to 40 Spying Operations in 16 Countries


Security company Symantec has attributed cyberattacks against at least 40 targets in 16 different countries to the spying and operational protocols revealed in a CIA operational toolkit made public by WikiLeaks.

According to Symantec, a group which the company refers to as Longhorn used tools that closely follow the development timelines and technical specifications laid out in the documents disclosed by WikiLeaks.

The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection, said Symantec.

Some of the documents disclosed by WikiLeaks outline specifications and requirements for malware tools. One document is a development timeline for a piece of malware called Fluxwire, containing a changelog of dates for when new features were incorporated, Symantec said.

These dates align closely with the development of one Longhorn tool called Trojan.Corentry, which the security firm sees as evidence that Corentry is the malware described in the leaked document. Symantec also identifies other strains of Longhorn malware, which it connects to a single actor.

“Longhorn has used advanced malware tools and zero-day vulnerabilities to infiltrate a string of targets worldwide. Taken in combination, the tools, techniques, and procedures employed by Longhorn are distinctive and unique to this group, leaving little doubt about its link to Vault 7,” said Symantec.

Even though Symantec did not specifically mention the CIA in its post, WikiLeaks gave a detailed account of how the tools had been taken from the CIA’s Center for Cyber Intelligence.