Kaspersky security researchers were able to uncover some hacking operations launched by what's believed to be an intelligence agency in Uzbekistan. According to the researchers, the Uzbekistan spies were easy to catch due to their incredibly bad operational security (opsec).
A SandCat and Mouse Game
As reported by Vice, Kaspersky researchers recently found a hacking group that it believes is an intelligence agency from Uzbekistan. Kaspersky originally named the group “SandCat,” but now it's believed that SandCat is actually the Uzbekistan government's State Security Service (SSS).
One of the group's questionable opsec practices included using "the name of a military group with ties to the SSS" for registration of one the domains in the attack infrastructure, according to Vice.
Another error SandCat made was installing Kaspersky Anti-Virus on the same machines it used to write the new malware. This allowed Kaspersky's antivirus telemetry to detect and collect the malicious code before it was deployed. Kaspersky actually got into Kaspersky actually got into big trouble over this feature not too long ago, when the U.S. government accused the vendor of stealing classified documents this way. But in this situation, Kaspersky used its antivirus’ detection feature to learn about four new zero-day exploits that SandCat had purchased from third-party security vulnerability brokers. Kaspersky was later able to uncover the activities of Saudi and United Arab Emirates (UAE) state hacking groups that had purchased the same tools.
How SandCat Developed Its Hacking Capabilities
We know from an earlier hack against Hacking Team, an Italian company that sells hacking tools to government and law enforcement, that the SSS was a customer in 2011. Hacking Team was one of the most infamous surveillance tools companies from Italy that was selling surveillance and hacking software to repressive governments. But SSS’ cyber activities have flown under the radar until now.
Kaspersky actually uncovered traces of SandCat activities since 2018, but at the time it didn’t have reason to believe SandCat was the SSS. In 2018, SandCat was using a piece of malware called “Chainshot” that had also been used by the Saudi Arabia and UAE state groups. However, SandCat was using a different attack infrastructure from the other two countries, which led Kaspersky to believe that it must be an unrelated hacking group. One thing the Kaspersky researchers did know at the time is that whichever group it was, it had significant financial backing. They concluded this from the fact that the SandCat hackers were burning (using and them losing them to discovery by others) through their exploits like nothing. However, burning the exploits so quickly meant that Saudi Arabia and UAE couldn’t use them anymore either.
Kaspersky believes that for the latest attacks, SandCat purchased exploits from two Israeli companies, NSO Group and Candiru. The NSO Group has been accused in the past of selling surveillance tools to governments that target journalists and dissidents, but the company has denied the allegations. Candiru provides a surveillance and hacking operations management platform as a service to interested hacking groups.
The companies may have stopped selling its tools to SandCat in 2018. That’s when Kaspersky believes that the SandCat group might have started developing its own in-house tools. However, their poor opsec execution made it much easier for the group to get caught.
Kaspersky researchers believe that the recent discovery may force SandCat to improve its opsec, but at the same time it may have also put them in the spotlight. More security researchers are also now expected to look for SandCat tools and perhaps identify more of their victims.