
Cyber Incident Victim: National Security Service

Date: Oct 2019

Location: Uzbekistan

Summary

Uzbekistan's National Security Service Unit 02616 conducted cyberattacks against dissidents and critical media outlets, including Eltuz, using commercially available surveillance tools such as FinFisher and former Hacking Team spyware. The unit was identified through operational errors, such as testing malware on systems running Kaspersky software and a domain registration linked to an NSS officer. It targeted journalists and activists, primarily within Uzbekistan, to gather compromising material that could be used to discredit them. Researchers also observed the unit developing an in-house hacking framework called Sharpa, reflecting a broader trend of state actors transitioning from purchased tools to proprietary capabilities for sustained offensive operations.


Description

In October 2019, researchers from Kaspersky disclosed that Uzbekistan’s State Security Service (NSS), specifically Military Unit 02616, conducted cyberattacks against domestic dissidents and independent media outlets using commercially available surveillance tools. The attacks targeted regional news organizations including Fergana News, Eltuz, Centre1, and the Palestine Chronicle, all known for reporting critically on the Uzbek government. Kaspersky attributed the activity to Unit 02616 after identifying operational security failures by the attackers, such as testing malware on systems running Kaspersky antivirus software and failing to obscure ownership of infrastructure used in the attacks. One domain linked to the intrusions was publicly registered to O.T. Khodzhakbarov, an NSS officer honored in a 2005 presidential decree, with the registry listing his affiliation as Military Unit 02616—a state-owned entity confirmed through Uzbek business records. The hackers deployed spyware from German firm FinFisher and had previously been identified as customers of Italy’s Hacking Team, as evidenced by 2015 emails leaked from the latter. Hacking Team’s successor firm, Memento Labs, stated Uzbekistan was no longer a client but declined to comment on historical operations.


The campaign reflected Uzbekistan’s broader pattern of digital surveillance against critics, despite post-2016 reforms following President Karimov’s death. Kaspersky noted the attacks focused internally on human rights activists, journalists, and dissidents, with Unit 02616 developing its own hacking framework, “Sharpa,” by October 2018 to compromise computers and mobile devices, though its operational use remained unconfirmed. Amnesty International’s Security Lab documented Uzbek authorities’ use of cyber operations to discredit critics by planting compromising material. Citizen Lab researchers highlighted the NSS’s history of procuring commercial spyware to accelerate its capabilities while pursuing in-house tool development for greater autonomy. The Uzbek government did not respond to requests for comment regarding the allegations, Khodzhakbarov’s role, or the military award. FinFisher also did not address inquiries about its software’s use in the attacks. Kaspersky’s disclosure underscored the global proliferation of government-sponsored cyber espionage leveraging both market-ready and custom-built tools.
