Cyber Threat Actor: Unit 02616 of Uzbekistan’s National Security Service
| Actor Type | Location | Known Incidents |
Nation State
|
Uzbekistan
|
6 incidents |
|---|
Profile
Unit 02616 is a cyber unit affiliated with Uzbekistan’s National Security Service, which was renamed the State Security Service but continues to be referenced abroad as the NSS. The unit operates under the Uzbek state and is publicly identified by its numeric designation, appearing in official records as a state‑owned military unit. Its known aliases include Unit 02616 of Uzbekistan’s National Security Service, Unit 02616 (Uzbekistan’s National Security Service), and simply Unit 02616. The actor’s location is Uzbekistan, and its activities are directed internally against domestic entities rather than foreign targets.
The unit’s typical targeting focuses on domestic dissidents, journalists, human rights activists, and independent media outlets that report on Uzbek governance, such as Fergana News, Eltuz, Centre1, and the Palestine Chronicle. Its strategic objective, as described in multiple investigations, is to conduct surveillance and gather compromising material that can be used to discredit government critics, indicating an espionage‑repression motive rather than financial gain or disruptive intent. The attacks are characterized by a focus on internal victims, with little evidence of outward‑directed operations against entities outside Uzbekistan.
In terms of tactics, techniques, and procedures, Unit 02616 has employed commercially available surveillance tools from vendors such as FinFisher and the former Hacking Team (now part of Memento Labs). Researchers noted that the unit tested its malware on systems running Kaspersky antivirus software, which exposed operational security missteps. Additionally, the unit began developing an in‑house hacking framework called Sharpa in October 2018, intending to complement off‑the‑shelf spyware with proprietary capabilities for compromising computers and mobile devices. Attribution to the Uzbek state security service was established by Kaspersky researchers through domain registration traces linking an NSS officer, O.T. Khodzhakbarov, to the infrastructure used in the attacks, as well as through the identification of the unit’s name in public business records. The 2019 campaign, which combined FinFisher/Hacking Team tools with the emerging Sharpa framework, represents a notable publicly reported operation that illustrates the unit’s blend of purchased spyware and indigenous tool development.
