Uzbekistan's State Security Service Unit 02616

Unit 02616 is a specialized element of Uzbekistan's State Security Service tasked with conducting offensive cyber operations. Its primary mission involves surveilling and compromising the digital assets of individuals and organisations deemed critical of the government. The unit carries out these operations by deploying commercially available surveillance tools acquired from vendors such as FinFisher and the former Hacking Team infrastructure. In addition to leveraging third‑party spyware, Unit 02616 has developed an in‑house hacking framework known as Sharpa to compromise devices and exfiltrate data. The unit’s activities are directed at domestic activists, journalists, and dissidents who report on or criticize Uzbek governance. By targeting these groups, the unit seeks to gather information that can be used to produce discrediting material against its perceived opponents.

The operational profile of Unit 02616 became publicly known after a Kaspersky Lab investigation linked a series of attacks dated 31 October 2019 to the unit through identifiable mistakes in its tradecraft. Researchers noted that the unit tested its malware on systems running Kaspersky antivirus, leaving traces that facilitated attribution. Domain registration records associated with the campaign were also traced back to an identified officer of the National Security Service, further confirming the unit’s involvement. These operational security lapses contrast with the unit’s capability to blend purchased spyware with its proprietary Sharpa framework, illustrating a hybrid approach to cyber espionage. The focus of the attacks remained internal, with regional news outlets covering Uzbek governance among the primary victims. Unit 02616 exemplifies a state‑backed cyber unit that combines external tool acquisition with internal development to surveil and suppress dissent within Uzbekistan.