Cyber Incident Victim: Centre1
Date: Oct 2019
Location: Uzbekistan
Summary
Uzbekistan's National Security Service Unit 02616 conducted cyberattacks targeting domestic dissidents, journalists, and human rights activists using commercially available surveillance tools from vendors such as FinFisher and the former Hacking Team. The state-sponsored operation employed off-the-shelf spyware alongside the unit's own "Sharpa" hacking framework, then under development, to compromise devices, focusing on internal critics including news outlets such as Centre1. Researchers attributed the activity to the military unit through the attackers' operational security failures, with the attacks primarily aimed at enabling surveillance and gathering compromising materials to discredit government opponents.
Description
In October 2019, researchers from Kaspersky disclosed that Uzbekistan's State Security Service (NSS), specifically Military Unit 02616, conducted cyberattacks against domestic dissidents using commercially available surveillance tools. The activity was attributed through operational security failures by the attackers, including testing malware on systems running Kaspersky antivirus software and registering malicious domains under real identities. One domain traced to O.T. Khodzhakbarov—an NSS officer publicly recognized in a 2005 presidential decree—linked directly to Military Unit 02616, a state-owned entity in Uzbekistan's business registry. The unit deployed FinFisher spyware and previously purchased tools from Hacking Team, as evidenced by 2015 WikiLeaks emails confirming NSS as a customer. Targets included independent media outlets Fergana News, Eltuz, Centre1, and Palestine Chronicle, all critical of the Uzbek government. Kaspersky confirmed the attacks focused internally on human rights activists, journalists, and dissidents starting no later than October 2018, when Unit 02616 began developing its proprietary "Sharpa" hacking framework for computers and mobile devices.

The attacks occurred amid ongoing human rights concerns in Uzbekistan following President Karimov's death in 2016, with Amnesty International documenting state efforts to discredit critics using compromising materials obtained through surveillance. Kaspersky publicly exposed the campaign at the Virus Bulletin conference but did not disclose specific mitigation measures taken by victims. No responses were provided by the Uzbek government, NSS, FinFisher, or Memento Labs (Hacking Team's successor) to Reuters' inquiries. Citizen Lab researchers noted the NSS's established pattern of acquiring commercial hacking tools while pursuing independent capabilities, reflecting a broader trend among state actors transitioning from vendor reliance to self-developed infrastructure. The incident highlighted the accessibility of offensive cyber tools to governments targeting domestic dissent, with technical attribution relying exclusively on the attackers' operational errors rather than victim-reported data.
