How Uzbekistan’s security service (allegedly) began developing its own malware

For years, Uzbekistan’s feared intelligence agency, the National Security Service, has been accused of aggressively spying on citizens and abusing human rights in the Central Asian country under the guise of its counterterrorism and security operations. Now, the NSS’s reported use of hacking tools in that activity is coming into clearer view, thanks to new research.

The ex-Soviet state’s hackers appear to be shedding their training wheels and making a lot of noise in the process. After burning multiple zero-day exploits acquired from vendors, an NSS-linked group dubbed SandCat has over the last year been testing malware it developed on its own, according to Brian Bartholomew, security researcher at cybersecurity company Kaspersky.

The evolution shows how a proliferation of surveillance vendors has made it easier for relatively obscure governments to acquire and develop their own hacking tools. Before this project, Bartholomew hadn’t tracked any cyber-activity out of Uzbekistan.

“I did not know they had a capability,” he said.

That capability, or at least the malware behind it, is now under “rapid development,” according to Bartholomew. SandCat has its own trojanized desktop application for the messaging service Telegram as well as a password stealer, among other tools, he said. The group has yet to go after actual targets with the new tools, according to Bartholomew, but it could be only a matter of time.

Why exactly SandCat went in-house with its malware development is unclear. Perhaps vendors stopped selling their tools to NSS because the agency kept revealing them, Bartholomew mused. Regardless, SandCat shows how, once exposed to the power of software exploits, an organization will look to hone its capabilities in pursuit of its interests.

“If they would have had better op-sec [operational security] in how they handled these exploits, we probably would have never caught them,” added Bartholomew, who will present his months-long investigation of SandCat on Thursday at the Virus Bulletin security conference in London.

SandCat either doesn’t care about its cyber-operations getting detected or it has some of the worst operational security on record. Bartholomew’s investigation reveals that the group used the same domain for enterprise email as it did to test its malware. The hackers also uploaded a screenshot of their own system in a Microsoft Word document as part of their testing, giving Bartholomew a view of their file directory and other data. SandCat tested its malicious code on Kaspersky’s antivirus software, putting the group firmly on Bartholomew’s radar.

Neither Uzbekistan’s foreign ministry nor the country’s embassy in Washington responded to a request for comment on the research. An email address used to register some of the domains used by SandCat did not respond to CyberScoop’s questions.

A long digital trail

Historically, SandCat has gone after journalists and human rights activists with the malware it acquired from vendors, Bartholomew said. That coincides with reports in recent years of the hacking and dumping of Uzbek journalists emails, for example.

Since coming to power in 2016, Uzbek President Shavkat Mirziyoyev has sought to rein in, reform (and reportedly change the name of) the NSS, also known by its Russian-language acronym SNB.

Yelisey Boguslavskiy, a cybersecurity analyst originally from neighboring Kazakhstan who is well versed in the region’s geopolitics, said Uzbekistan has one of the more sophisticated intelligence services in the region and that it made sense that NSS would build out its digital capabilities.

The Uzbek security apparatus has looked to leverage technology from both local and regional companies in support of its broad mandate to collect intelligence and coordinate with allies on security issues, according to Boguslavskiy, who is director of research at cybersecurity company Advanced Intelligence.  The Uzbek security service “will keep implementing advanced cyber technologies to achieve [its] goals,” he added.

There is a long digital trail tying SandCat to some of the most notorious surveillance vendors in the business. Leaked emails of the Italian vendor Hacking Team show that the NSS was a client. There is also evidence, courtesy of the nonprofit Privacy International, that NSS has worked with surveillance vendors Verint and Nice Systems.

Through it all, SandCat has been using the same relatively small set of digital infrastructure to expand its operations, making it relatively simple to track. Bartholomew suspects that in going public with his findings, he could lose some visibility on SandCat’s activity.

“I have a feeling that … once this gets out, you might see some shifting” in the group’s activity, he told CyberScoop. That said, he added, “I feel like now I’ve collected enough in telemetry and observed enough that we should be able to follow these guys, even if they change gears.”