Cyber Incident Victim: Fergana News
Date: Oct 2019
Location: Uzbekistan
Summary
Uzbekistan's National Security Service Unit 02616 conducted cyberattacks targeting domestic critics, including Fergana News and other independent media outlets, using commercially available surveillance tools such as FinFisher and former Hacking Team spyware. The state-sponsored hackers employed these off-the-shelf capabilities alongside a custom-developed framework called Sharpa to compromise devices belonging to human rights activists, journalists, and dissidents, aiming to surveil and discredit critics through compromising materials. Kaspersky researchers attributed the activity to the Uzbek unit based on operational security failures, including testing malware on systems running their antivirus software and domain registration traces linking to a publicly identified NSS officer.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |

Description
In October 2019, researchers from Kaspersky disclosed that Uzbekistan’s National Security Service (NSS), specifically Military Unit 02616, conducted cyber espionage operations against domestic dissidents and media outlets using commercially available surveillance tools. The attacks, attributed through operational security failures by the hackers, targeted regional news organizations including Fergana News, Eltuz, Centre1, and Palestine Chronicle, all known for reporting critically on the Uzbek government. Kaspersky linked the activity to Unit 02616 after tracing malicious domains to O.T. Khodzhakbarov, an NSS officer publicly associated with the military unit in state records and a 2005 presidential decree. The hackers utilized FinFisher spyware and had historical ties to Italian vendor Hacking Team, as evidenced by 2015 WikiLeaks emails confirming the NSS as a customer. Unit 02616 also developed an in-house hacking framework named "Sharpa" starting in October 2018, though its operational use remained unconfirmed at the time of reporting. Kaspersky detected the attacks partly because the unit tested malware on systems running its antivirus software, exposing technical fingerprints.

The campaign reflected Uzbekistan’s broader pattern of state surveillance under President Shavkat Mirziyoyev, who succeeded long-time ruler Islam Karimov in 2016. While the government had made nominal human rights improvements post-Karimov, organizations like Amnesty International documented continued targeting of critics through cyber operations designed to obtain compromising information for discrediting purposes. Claudio Guarnieri of Amnesty’s Security Lab noted Uzbek authorities focused on outspoken journalists and activists, aligning with Kaspersky’s observation that attacks were “internally focused” on human rights defenders and media. The NSS did not respond to Reuters’ requests for comment via diplomatic channels, and FinFisher’s parent company, Memento Labs, stated Uzbekistan was no longer a client while declining to discuss historical Hacking Team transactions. Citizen Lab researchers confirmed the NSS’s longstanding pursuit of offensive cyber capabilities, emphasizing a trend where states initially rely on commercial spyware before developing proprietary tools like Sharpa to achieve operational independence. The incidents underscored the accessibility of surveillance technologies to governments accused of suppressing dissent, with no publicized remediation efforts by targeted entities.
