National Security Service

Aliases: 2 aliases
Primary URL: www[.]nss[.]uz
Location: Uzbekistan
Industry: Government - National
Profile

The National Security Service Unit 02616 functions as a dedicated cyber‑operations cell within Uzbekistan’s state security service, tasked with conducting offensive digital operations against perceived internal threats. Its core mission involves the collection of intelligence and the creation of compromising material that can be used to undermine the credibility of journalists, activists and media organisations critical of the government. To carry out these activities the unit relies on a suite of commercially available surveillance tools, notably FinFisher and the former Hacking Team spyware, which are deployed to infiltrate target systems and exfiltrate data. Beyond merely purchasing external capabilities, analysts have identified that Unit 02616 is simultaneously developing an indigenous hacking framework referred to as Sharpa, indicating a move toward self‑sufficient cyber weaponry. The Sharpa framework is described by researchers as a modular set of tools designed for prolonged offensive campaigns, allowing the unit to reduce dependence on third‑party products. This dual approach—leveraging off‑the‑shelf solutions while cultivating proprietary code—mirrors a broader pattern observed among state‑sponsored actors seeking durable cyber capabilities. The unit’s operational focus remains principally domestic, with its activities directed at individuals and outlets situated within Uzbekistan’s borders.

The public exposure of Unit 02616’s capabilities stemmed from a specific incident on 31 October 2019, when the unit launched a coordinated cyberattack against the news outlet Eltuz and several other dissident‑oriented platforms. Investigators traced the attack to the unit after noticing operational missteps, including the testing of malware on computers running Kaspersky antivirus and the registration of command‑and‑control domains linked to an identifiable National Security Service officer. These errors provided the forensic foothold that allowed cybersecurity researchers to attribute the campaign to Unit 02616 and to detail its intent to gather compromising material for discreditation purposes. As an integral component of the National Security Service of Uzbekistan, the unit operates under the direct authority of the state and is headquartered in the country’s capital, reflecting its institutional embedding within the national security hierarchy. Its status as a government‑owned entity distinguishes it from independent cyber‑criminal groups and aligns its mandate with objectives of internal stability and regime preservation. Consequently, Unit 02616 exemplifies how a state security service can evolve its cyber arsenal by combining purchased spyware with home‑grown frameworks while concentrating its efforts on silencing domestic dissent.

Incidents
1 incident