LONDON/WASHINGTON (Reuters) - Uzbek intelligence officers have used commercially-available computer spying tools to launch a series of cyber attacks against activists and dissidents, researchers at Moscow-based cybersecurity firm Kaspersky said on Thursday.
The findings show how governments around the world are able to buy sophisticated hacking tools and expertise from outside vendors to spy on activists, journalists and political rivals.
Kaspersky researcher Brian Bartholomew named Unit 02616 of Uzbekistan’s National Security Service as the team behind the attacks. The service, also sometimes referred to by acronyms in Russian or Uzbek, changed its name to State Security Service last year but is still often referred to abroad as NSS.
According to two people with knowledge of the attacks, the targets of the NSS have included regional news outlets Fergana News, Eltuz, Centre1 and the Palestine Chronicle, all of which report on the Uzbek government. The publishers did not immediately respond to requests for comment.
Bartholomew, speaking at the Virus Bulletin cybersecurity conference in London, said he was able to attribute the activity directly because of mistakes the hackers made covering their tracks online. In some cases they tested their attacks on computers running Kaspersky’s antivirus software.
In one case, Kaspersky traced a cyber attack it was investigating to a domain listed in a public registry as belonging to a man named O.T. Khodzhakbarov. He had listed his organization in the directory as “Military Unit 02616”.
Publicly-available Uzbek business records show Military Unit 02616 is a state-owned entity. A person called Omonillakhon Tulkunovich Khodzhakbarov is named as an NSS officer in an Uzbek presidential degree awarding him a military honor in 2005.
The NSS did not respond to questions submitted via the Uzbek Foreign Ministry and Uzbek embassy in London. Reuters was unable to reach Khodzhakbarov for comment and the Uzbek presidential administration did not respond to questions about his role at the NSS or the award he received.
Kaspersky said it had detected Unit 02616 carrying out attacks using software from German firm FinFisher. FinFisher did not respond to repeated requests for comment.
Emails from an Italian spyware vendor, Hacking Team, posted on Wikileaks in 2015, showed that the NSS was a customer. After a merger this year, the company is now part of Swiss-Italian cyber intelligence firm Memento Labs, whose head, Paolo Lezzi, said the Uzbek government was not currently a customer and he had no knowledge of Hacking Team’s former operations.
Uzbekistan, a former Soviet republic of 32 million people in Central Asia, has made efforts to improve its human rights record following the death of President Islam Karimov, who ruled the country from 1989 until he died in 2016.
But the government is still regularly criticized by human rights groups over its actions against dissidents, including reports of torture and widespread surveillance of journalists and other activists.
Claudio Guarnieri, head of Amnesty International’s Security Lab project, said Uzbek authorities were known to target “people who are outspoken and critical about the conduct of the government” with cyber attacks in an effort to discredit them with compromising material.
Kaspersky’s Bartholomew declined to identify any specific targets of the NSS hacking but said the unit was attacking “human rights activists, journalists and other dissidents. We didn’t see much outside the country, it was internally focused.”
As well as purchasing off-the-shelf hacking tools, Unit 02616 began developing its own framework called “Sharpa” in October 2018 to hack computers and mobile phones, Bartholomew said. It is not clear whether the system has yet been used in any attacks.
Bill Marczak, a senior research fellow at Canada’s Citizen Lab research group, said it was common practice for customers of commercial spyware vendors to invest in efforts to develop their own in-house tools.
“Uzbekistan’s NSS has been on our radar for some time as an organization that’s been interested in acquiring offensive hacking tools,” he said.
Countries like this want to “advance their hacking capabilities quickly so they turn to outside vendors,” he added. “But the goal is always to eventually become more independent.”
Additional reporting by Raphael Satter in WASHINGTON and Olzhas Auyezov in ALMATY; Editing by