{
	"id": "7ba338f8-7cc1-4355-bd11-355c3c249aee",
	"created_at": "2026-04-06T02:12:44.548877Z",
	"updated_at": "2026-04-10T13:13:05.647999Z",
	"deleted_at": null,
	"sha1_hash": "a46548c47e81f49b97800773d935686c78f1ded0",
	"title": "Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50503,
	"plain_text": "Researchers Say They Uncovered Uzbekistan Hacking Operations\r\nDue to Spectacularly Bad OPSEC\r\nBy Kim Zetter\r\nPublished: 2019-10-03 · Archived: 2026-04-06 01:32:45 UTC\r\nNation-state spy agencies are only as good as their operational security—the care they take to keep their digital\r\nspy operations from being discovered. But occasionally a government threat actor appears on the scene that gets it\r\nall wrong.\r\nThis is the case with a threat actor recently discovered by Kaspersky Lab that it’s calling SandCat—believed to be\r\nUzbekistan’s repressive and much-feared intelligence agency, the State Security Service (SSS).\r\nThe group’s lax operational security includes using the name of a military group with ties to the SSS to register a\r\ndomain used in its attack infrastructure; installing Kaspersky’s antivirus software on machines it uses to write new\r\nmalware, allowing Kaspersky to detect and grab malicious code still in development before it’s deployed; and\r\nembedding a screenshot of one of its developer’s machines in a test file, exposing a major attack platform as it\r\nwas in development. The group’s mistakes led Kaspersky to discover four zero-day exploits SandCat had\r\npurchased from third-party brokers to target victim machines, effectively rendering those exploits ineffective. And\r\nthe mistakes not only allowed Kaspersky to track the Uzbek spy agency’s activity but also the activity of other\r\nnation-state groups in Saudi Arabia and the United Arab Emirates who were using some of the same exploits\r\nSandCat was using.\r\n“These guys [Uzbekistan’s intelligence agency] have been around for quite a long time and up until now I’d never\r\nheard of Uzbekistan having a cyber capability,” said Brian Bartholomew, a researcher with Kaspersky’s Global\r\nResearch and Analysis Team who will present his findings about SandCat today in London at the VirusBulletin\r\nconference. 
“So it was kind of a shocker to me to know that they … were buying all of [these exploits] and\r\ntargeting all these people and yet no one has ever written about them.”\r\nThe SSS, previously known as the National Security Service, isn’t new to the spy game: It emerged in 1991 with\r\nthe collapse of the Soviet Union to succeed the KGB as Uzbekistan’s national intelligence agency and secret\r\npolice, adopting some of the KGB’s surveillance technologies as well as its oppressive tactics. Known for its\r\ntorture and human rights abuses, the SSS was revamped in early 2018 by the country’s new president, who sought\r\nto reform its repressive ways. But earlier this year the new head of the spy agency was booted after a year on the\r\njob, reportedly amid allegations that the agency had turned its spying capabilities against the new president and\r\nhis family.\r\nThe agency’s interest in offensive hacking operations was first exposed in 2015 when a hacker named Phineas\r\nFisher hacked Hacking Team, an Italian firm that sells hacking tools to governments and law enforcement\r\nagencies, and published thousands of emails exposing the company’s correspondence with customers, including\r\nthe SSS. According to the emails, which cover the years 2011-2015, the SSS spent nearly a million dollars on\r\nHacking Team tools. But its hacking operations have gone largely unnoticed until recently.\r\nhttps://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec\r\nPage 1 of 4\n\nIn October 2018, researchers at Kaspersky stumbled across SandCat after discovering an already known piece of\r\nmalware called Chainshot on a victim’s machine in the Middle East. 
Chainshot had been used by two other nation-state threat actors in the Middle East in the past—groups security researchers have attributed to the UAE and\r\nSaudi Arabia—but the malware in this case was using infrastructure not associated with either of these countries,\r\nsuggesting it was a different group Kaspersky hadn’t seen before. SandCat was also using a zero-day exploit to\r\ninstall Chainshot.\r\nAs Kaspersky analyzed machines infected with the exploit and Chainshot, and began to dig into the group’s\r\ninfrastructure that was tied to the infections, it ultimately discovered three more zero-days used by\r\nthe same group, each of which was essentially burned as the vulnerabilities it attacked got patched.\r\n“I’d call [SandCat] my zero-day Pez dispenser,” Bartholomew told Motherboard, “because it seemed like every\r\ntime we’d [find] another zero-day and patch it, they’d come up with another one. [T]hey’re burning through them\r\nlike nothing, which tells me one thing—that they have tons of money.”\r\nThe discoveries didn’t seem to affect SandCat. But as each zero-day got burned for SandCat, it also got burned for\r\nSaudi Arabia and the UAE.\r\nWhen spy agencies purchase zero-day exploits from brokers, they often have two options: pay a premium rate for\r\nan exclusive right to use an exploit, or pay less for exploits that other customers of the broker also get to use. The\r\nlatter option comes with a risk, though—if any customer using a shared exploit is careless or reckless, this can\r\nresult in the exploit being caught, effectively burning it for anyone else who paid to use it.\r\n“All it takes is one sloppy customer,” Bartholomew said. “One customer who is bad at OPSEC ruins it for all the\r\nothers.”\r\nKaspersky believes SandCat purchased its exploits from two Israeli companies known as the NSO Group and\r\nCandiru but provided Motherboard with no evidence to support this. 
NSO Group is known for developing and\r\nselling some of the most powerful exploits for hacking mobile phones, including malware that has been used to\r\nspy on journalists and dissidents. Candiru is more of a full-service agency that provides, in addition to attack tools\r\nfor computers, a platform for managing attack operations. A spokeswoman for the NSO Group wouldn’t say\r\nwhether the company has ever sold exploits to the SSS but told Motherboard the company “does not develop or\r\nlicense any products for PC-related interception such as ‘Chainshot.’” Motherboard was unable to reach Candiru.\r\nA different Israeli company is known to have supplied surveillance equipment to Uzbekistan, suggesting strong\r\nties between the latter and the Israeli surveillance industry.\r\nInitially Kaspersky didn’t know who SandCat was, but it didn’t take a lot of work to tie it to Uzbekistan’s SSS.\r\nKaspersky discovered that SandCat’s developers had installed Kaspersky antivirus on their development machines\r\n—presumably to test whether malware they were developing in-house could bypass the detection tool. But they were\r\nusing it with the telemetry reporting feature of the antivirus tool enabled, which causes the antivirus software to\r\ngrab a copy of any files on the machines that it suspects are malicious and send them back to Kaspersky for\r\nanalysis.\r\n“[T]hat’s how we caught a lot of this stuff … every time they would test it, our [software] would pull the binaries\r\nback,” Bartholomew said.\r\nFurthermore, any time SSS’s suppliers sent SandCat new exploits for use, they arrived on a thumb drive. 
When\r\nSandCat developers inserted the drive into their machines, the Kaspersky software would automatically scan it for\r\nmalware and grab files it deemed malicious.\r\n“I think we got one of those exploits before they even were able to use it,” Bartholomew said.\r\nHaving identified the systems SandCat used for development and testing, the researchers discovered that these machines\r\nused IP addresses that resolved to the “itt.uz” domain. When Bartholomew looked up the registration information\r\nfor itt.uz, it showed a 2008 registration to an entity in Tashkent, Uzbekistan called “Military Unit 02616.” Military\r\nUnit 02616 is cited in an Uzbekistan court case for doing forensics on electronic devices seized from the\r\ndefendant by an investigative unit of the SSS.\r\n“Can it be this easy?” Bartholomew said he wondered. “I really wrestled hard with that for a long time thinking\r\nthere’s no way it’s this easy. But every piece of data that we have links back to the same thing.”\r\nSSS’s email domain resolved to the IP address 84.54.69.202, and the systems SandCat uses for developing and\r\ntesting its malware use a nearly identical address, 84.54.69.203. SandCat uses these same machines to upload test\r\nfiles to VirusTotal. VirusTotal is a website that aggregates numerous anti-virus programs so that anyone can\r\nupload suspicious files to the site to see whether they are malicious. 
Attackers also sometimes upload their new malware to\r\nthe site to test if it can successfully bypass antivirus detection, but VirusTotal records the IP address from which\r\nevery file is uploaded, which means that malicious files SandCat uploaded to the site for such testing can be traced\r\nback to SandCat’s machines.\r\n“As a developer you don’t upload to Virus Total, [but] if you do, don’t do it from the same IP addresses that you’re\r\nconducting your operations from,” Bartholomew said.\r\nIn October 2018, during the time SandCat’s zero-days were starting to be discovered and burned, the group began\r\ndeveloping its own attack platform called Sharpa. Bartholomew thinks whoever supplied SSS with its zero-days\r\nand platform until then got fed up with so many of the tools being burned quickly, forcing SandCat to develop\r\nin-house.\r\nIt’s also possible the change was simply due to a natural progression, however—many spy agencies start out using\r\na platform and malware purchased from others before developing internal capabilities to build their own. Or the\r\nmove might have been brought on by budgetary constraints after the new president announced in 2017 he planned\r\nto rein in the powers of the SSS, reduce the number of dissidents being monitored on government blacklists, and\r\ntransfer some SSS responsibilities to other agencies.\r\nBut if SandCat’s mistakes did cause its suppliers to fire it as a customer, the group didn’t reform its bad habits in\r\ndeveloping its new platform.\r\nIn the process of conducting some tests, one of SandCat’s developers took a screenshot of his desktop with a\r\ndetailed image of the Sharpa interface open on it, and put it in a test file that he ran on a machine with the\r\nKaspersky software on it. He wanted to be able to load Sharpa onto victim machines using a malicious Word file\r\nand for some reason used the screenshot of his desktop as part of the Word file. 
When Kaspersky’s software\r\ngrabbed the malicious file, the researchers learned about the new platform in development as well as other intel.\r\nThe screenshot, for example, shows developer notes written in Uzbek, confirming the language of the developers,\r\nand also shows the interface used to track and control Sharpa once it’s on infected machines. It also shows the IP\r\naddresses for SandCat’s test machines.\r\n“This was really important, because … we didn’t know about [these] addresses [before this]. So we were able to\r\ngo back in our telemetry and find more installations of more stuff because this IP address showed up in the\r\nscreenshot,” Bartholomew said.\r\nBartholomew refers to SandCat as “trash actors” because of their reckless mistakes. But he thinks their OPSEC\r\nfailures can be attributed to arrogance and inexperience.\r\n“A lot of the [nation-state threat actors] in that region have the same bravado. They just don’t care [about being\r\nstealth]. They adamantly deny everything. And if they get caught they get caught,” he said. But he notes that\r\nSandCat is still in the infant stage of development, even though it’s been active in spying a long time, and is bound\r\nto make rookie mistakes.\r\nIn publicly exposing the group’s mistakes now, it’s likely that SandCat will improve its OPSEC. But Bartholomew\r\nsays exposing them will also increase the number of researchers tracking them, which could help uncover more of\r\ntheir current victims and provide them with protection.\r\nSource: https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec"
	],
	"report_names": [
		"uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441564,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a46548c47e81f49b97800773d935686c78f1ded0.pdf",
		"text": "https://archive.orkl.eu/a46548c47e81f49b97800773d935686c78f1ded0.txt",
		"img": "https://archive.orkl.eu/a46548c47e81f49b97800773d935686c78f1ded0.jpg"
	}
}