Cyber Incident Victim: Palestine Chronicle
Date: Oct 2019
Location: Uzbekistan
Summary
Uzbekistan's National Security Service Unit 02616 conducted cyber attacks against dissidents and critical media outlets, including the Palestine Chronicle, using commercially available surveillance tools from vendors such as FinFisher and, formerly, Hacking Team. The unit also developed its own hacking framework called "Sharpa" to compromise computers and mobile devices, primarily targeting domestic human rights activists and journalists to gather compromising material that could be used to discredit them. Kaspersky researchers attributed the activity to the Uzbek agency through operational security failures, including testing malware on systems running Kaspersky antivirus software and leaving identifiable domain registration details that linked the attacks to a state-owned military unit.
Description
Between 2018 and 2019, Uzbekistan’s National Security Service (NSS), specifically Military Unit 02616, conducted cyberattacks targeting dissident journalists and activists using commercially available surveillance tools. Researchers from Kaspersky Lab identified the unit’s activities through operational security failures, including testing malware on systems running Kaspersky antivirus software and failing to conceal ownership of infrastructure. One domain used in attacks was publicly registered to O.T. Khodzhakbarov, an NSS officer recognized in a 2005 presidential decree, with organizational affiliation listed as "Military Unit 02616." Uzbek business records confirmed this unit as a state-owned entity. The attackers deployed spyware from German vendor FinFisher and previously utilized tools from Italy’s Hacking Team, as evidenced by 2015 WikiLeaks emails showing NSS as a customer. Targets included regional news outlets Fergana News, Eltuz, Centre1, and the Palestine Chronicle, all critical of the Uzbek government. Kaspersky attributed the activity to internal dissident surveillance rather than transnational operations, noting the unit’s focus on compromising human rights activists and journalists.

Unit 02616 expanded its capabilities by developing an in-house hacking framework called "Sharpa" starting in October 2018, designed to infect computers and mobile devices. This aligned with a documented pattern of governments initially purchasing commercial spyware before investing in proprietary tools. The Uzbek government did not respond to Reuters’ requests for comment submitted via its Foreign Ministry and London embassy, nor did it address inquiries about Khodzhakbarov’s role. Memento Labs, Hacking Team’s successor firm, stated Uzbekistan was no longer a customer but declined to comment on historical operations. The attacks occurred amid ongoing human rights concerns in Uzbekistan, where authorities faced allegations of torture and pervasive monitoring of critics despite post-2016 reforms following President Karimov’s death. Amnesty International noted Uzbekistan’s pattern of using cyber operations to discredit dissidents with compromising materials, though specific impacts on the Palestine Chronicle or other outlets were not detailed in public findings. Kaspersky’s disclosure highlighted the unit’s operational security lapses as the primary factor enabling attribution.
