Cyber Incident Victim: Uzbekistan's State Security Service Unit 02616
Date: Oct 2019
Location: Uzbekistan
Summary
Uzbekistan's State Security Service Unit 02616 conducted cyber attacks against domestic activists, journalists, and dissidents using commercially available surveillance tools from vendors including FinFisher and former Hacking Team infrastructure. Kaspersky researchers attributed the activity to the unit through its operational security failures, such as testing malware on systems running Kaspersky antivirus software and leaving domain registration traces that link to an identified NSS officer. The unit also developed an in-house hacking framework called Sharpa for compromising devices, reflecting a broader trend of state actors blending purchased spyware with proprietary capabilities. Attacks focused on compromising targets to obtain discrediting materials, aligning with documented patterns of government surveillance against critics. The operations primarily targeted domestic victims, including regional news outlets reporting on Uzbek governance.
Description
In October 2019, researchers from Kaspersky disclosed that Uzbekistan’s State Security Service (NSS), specifically Military Unit 02616, conducted cyber attacks against domestic dissidents using commercially available surveillance tools. The activity was attributed through technical evidence linking attacks to a domain registered under O.T. Khodzhakbarov, an NSS officer recognized in a 2005 presidential decree, with public records confirming Unit 02616 as a state-owned entity. Attackers employed FinFisher spyware—developed by a German firm—and had historical ties to Italy’s Hacking Team, as evidenced by 2015 WikiLeaks emails showing NSS as a customer. Operational security failures enabled attribution, including testing malware on systems running Kaspersky antivirus software and leaving digital footprints traceable to Khodzhakbarov’s domain registration. Targets included independent media outlets Fergana News, Eltuz, Centre1, and Palestine Chronicle, which reported critically on the Uzbek government. By October 2018, Unit 02616 began developing an in-house hacking framework named “Sharpa” for compromising computers and mobile devices, though its operational use remained unconfirmed at the time of reporting. Kaspersky confirmed the attacks focused internally on human rights activists, journalists, and political dissidents without significant cross-border operations.

The campaign reflected Uzbekistan’s broader pattern of state surveillance under President Shavkat Mirziyoyev, who succeeded Islam Karimov in 2016 amid nominal human rights reforms. Amnesty International documented authorities using cyber attacks to gather compromising material against critics, aiming to discredit them publicly. Despite NSS’s rebranding to the State Security Service in 2018, its tactics aligned with historical allegations of torture and monitoring of activists. Unit 02616’s procurement of foreign tools and shift toward developing indigenous capabilities like Sharpa followed a trend observed by researchers like Citizen Lab’s Bill Marczak, where states initially rely on vendors before pursuing operational independence. No containment measures or victim remediation efforts were disclosed; targeted publishers did not respond to requests for comment, and Uzbek authorities ignored inquiries submitted via diplomatic channels. FinFisher and Memento Labs (Hacking Team’s successor) denied ongoing relationships with Uzbekistan, though historical collaboration was verified through leaked records. The incident underscored the global proliferation of commercially supported state hacking, particularly against civil society groups in authoritarian contexts.
