
Cyber Incident Victim: Regional News Outlet

Date:

Oct 2019

Location:

Uzbekistan

Summary

Uzbekistan's National Security Service Unit 02616 conducted cyberattacks against domestic dissidents, journalists, and human rights activists using commercially available surveillance tools from vendors including FinFisher and Hacking Team. The unit targeted multiple regional news outlets reporting on government activities and developed an in-house hacking framework called "Sharpa" for compromising devices. Kaspersky researchers attributed the campaign to the state entity through operational security failures, including testing malware on systems running Kaspersky antivirus software and domain registration errors that exposed military unit affiliations. The attacks aimed to surveil and discredit critics by seeking compromising information, reflecting broader patterns of government-sponsored digital repression against internal opposition voices.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In October 2019, researchers from Kaspersky disclosed that Uzbekistan’s State Security Service (formerly the National Security Service or NSS) conducted cyber espionage campaigns against domestic dissidents using commercially available surveillance tools. The activity was attributed to Military Unit 02616, a state-owned entity within the NSS, based on operational security failures that exposed their infrastructure. Attackers tested malware on systems running Kaspersky antivirus software and registered malicious domains under the name of O.T. Khodzhakbarov, an NSS officer recognized in a 2005 presidential decree. Public records linked Khodzhakbarov’s domain registration directly to Military Unit 02616. The unit deployed spyware from German firm FinFisher and had previously been identified as a customer of Italy’s Hacking Team in leaked 2015 emails. After Hacking Team’s merger into Memento Labs, its leadership confirmed Uzbekistan was no longer a client but did not comment on historical transactions. Starting in October 2018, Unit 02616 developed an in-house hacking framework named Sharpa for compromising computers and mobile devices, though its operational use remained unconfirmed at the time of reporting.

The campaigns primarily targeted journalists and activists within Uzbekistan, including regional news outlets Fergana News, Eltuz, Centre1, and the Palestine Chronicle, which routinely covered government activities. Kaspersky confirmed the attacks focused on human rights defenders, journalists, and political dissidents without naming specific individuals. Amnesty International noted Uzbek authorities sought to discredit critics by weaponizing compromised materials obtained through surveillance. The Uzbek government did not respond to requests for comment regarding the allegations, Khodzhakbarov’s role, or his military award. Cybersecurity analysts observed that while Uzbekistan initially relied on external vendors like FinFisher and Hacking Team to accelerate capabilities, its investment in Sharpa indicated a strategic shift toward developing autonomous offensive tools. Citizen Lab researchers corroborated the NSS’s longstanding interest in acquiring commercial spyware as part of this progression toward technical independence.
