https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec
By Kim Zetter
Vice.com
October 3, 2019
Nation-state spy agencies are only as good as their operational security—the
care they take to keep their digital spy operations from being discovered. But
occasionally a government threat actor appears on the scene that gets it all
wrong.
This is the case with a threat actor recently discovered by Kaspersky Lab that
it’s calling SandCat—believed to be Uzbekistan’s repressive and much-feared
intelligence agency, the State Security Service (SSS).
The group’s lax operational security includes using the name of a military
group with ties to the SSS to register a domain used in its attack
infrastructure; installing Kaspersky’s antivirus software on machines it uses
to write new malware, allowing Kaspersky to detect and grab malicious code
still in development before it’s deployed; and embedding a screenshot of one of
its developer’s machines in a test file, exposing a major attack platform as it
was in development. The group’s mistakes led Kaspersky to discover four
zero-day exploits SandCat had purchased from third-party brokers to target
victim machines, effectively rendering those exploits useless once exposed. And the
mistakes allowed Kaspersky to track not only the Uzbek spy agency’s activity
but also the activity of other nation-state groups in Saudi Arabia and the
United Arab Emirates that were using some of the same exploits SandCat was
using.
“These guys [Uzbekistan's intelligence agency] have been around for quite a
long time and up until now I’d never heard of Uzbekistan having a cyber
capability," said Brian Bartholomew, a researcher with Kaspersky’s Global
Research and Analysis Team who will present his findings about SandCat today in
London at the VirusBulletin conference. “So it was kind of a shocker to me to
know that they ... were buying all of [these exploits] and targeting all these
people and yet no one has ever written about them.”
[...]
--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_