Uzbekistan's lack of OPSEC
Introduction
As you may already know, governments tend to conceal their operations in order to manipulate the population and expand their control as much as possible. However, sometimes they fail, and fail badly, exposing their actions to the world. This is exactly what happened in Uzbekistan a few years ago, and it is a case I would like to share with you today.
In the situation we will discuss in this blog post, the Uzbek government made such serious mistakes that its sensitive operations were discovered and monitored without the authorities even realizing it. The most striking part is that these errors were made by government employees who were supposed to be OPSEC specialists.

Uzbekistan intelligence agency
The State Security Service (SSS) is the national civilian intelligence and security agency of the Republic of Uzbekistan. It was created in 1991, succeeding the KGB in Uzbekistan. After the collapse of the Soviet Union, the SSS was established with responsibilities and structures similar to those of its predecessor, including paramilitary units and spetsnaz forces. It even continued to use technologies inherited from the KGB.

It is very important to understand this legacy, as it helps explain why these kinds of units operate with almost no limits when it comes to achieving their objectives.
For example, the SSS is known for:
- Promoting terrorism to provide a pretext for repressive policies
- Torturing citizens
- The Andijan massacre
- Internet censorship
As you can see, the SSS operates with virtually no limits. And even though many of its actions have been exposed to the world, it has not stopped.

First leak
In 2015, an initial leak exposed the SSS to the public, drawing the attention of security researchers worldwide. An Italian company, Hacking Team, which sold hacking software to governments and law enforcement agencies, was hacked by Phineas Fisher. It was revealed that one of the company's clients was the Uzbek government, acting through the SSS. The hacker leaked thousands of emails exchanged between the firm and its various customers. These emails showed that the SSS had spent nearly one million dollars on hacking tools.

Phineas Fisher later explained how he hacked Hacking Team on Reddit. The motivation behind the attack was ideological, as he stated that Hacking Team was doing the dirty work for governments by helping them spy on their populations. Here is a quick summary of it.
The SandCat discovery
In 2018, Kaspersky researchers discovered SandCat, a hacker group that was developing malware known as Chainshot. This malware was found on a victim's machine in the Middle East. At the time, it appeared that the malware was also being used by two countries, the UAE and Saudi Arabia. However, in this case, it was clear that the malware was being used by another nation as well, although the identity of the group using it was unknown. It also appeared that SandCat was using a zero-day exploit to deploy Chainshot.
To uncover the group's identity, Kaspersky decided to analyze infected devices and investigate the attackers' infrastructure. This research led them to discover three additional zero-day exploits that were being used by the group. At that point, every time Kaspersky patched a vulnerability, a new one was discovered and exploited by the attacker group, which led to a new patch. An interesting point to keep in mind is that every patched vulnerability also affected operations carried out by the UAE and Saudi Arabia.

During the investigation, it appeared that SandCat's developers had installed Kaspersky on their development devices, with the telemetry feature enabled. It appears that they installed Kaspersky in order to test whether their malware would be detected, which is an understandable approach. However, leaving the telemetry feature enabled was one of the worst mistakes they could have made. Let me explain why:
Kaspersky's telemetry feature is designed to upload a copy of any files on a device that are detected as malicious. In short, it provides Kaspersky with a detailed view of the affected system. Every time the developers made changes to their malware, Kaspersky received the updated samples through telemetry and was able to patch the vulnerabilities being exploited. Moreover, every time the attackers' supplier sent SandCat a new exploit, it arrived on a drive that was scanned by Kaspersky when the developers plugged it into their computer, allowing Kaspersky to become aware of the vulnerability and patch it.

A quick guide to fail
Once Kaspersky gained access to the attackers' infrastructure, they discovered that the machines were using IP addresses linked to the itt.uz domain. This domain was registered to an entity in Tashkent, Uzbekistan, called "Military Unit 02616". It was publicly known that this unit was responsible for performing digital forensics on electronic devices for the SSS.
It is very easy to identify who owns a domain name or an IP address, and it does not require advanced technical skills. Free WHOIS and IP lookup websites are specifically designed for that purpose.
And here's the most striking part: the SSS was using the IP address 84.54.69.202 for their email domain, while the SandCat team was using 84.54.69.203. Anyone familiar with LAN setups will recognize what this implies: both IP addresses were using the same network to connect online. This close proximity clearly indicated to researchers that SandCat was directly linked to the SSS.

But it doesn't end there. Do you want to know how Kaspersky discovered the IP addresses of the development machines? It's so simple it's almost unbelievable. The developers were uploading their test files and malware samples to VirusTotal.
If you're not familiar, VirusTotal is a website where you can upload files to check whether they are malicious. However, every time it detects a malicious file, it also records the IP address of the machine that uploaded it. Since the SandCat team was developing malware, VirusTotal logged their IP addresses each time a file was flagged as malicious. The key point to understand here is that any malware developer capable of basic reasoning knows that you never upload a virus to an online testing platform from the same machine you use to develop it. There are many ways to hide your IP address, such as using VPNs, virtual machines, and other isolation techniques.
In 2018, SandCat began developing its own attack platform, named Sharpa. It is unclear whether this was because they were dropped by their vulnerability supplier or due to budget cuts, but what is certain is that, being rather poor developers, they continued to make serious mistakes. During their testing process, a developer took a screenshot of the Sharpa interface and inserted it into a Word document, which he then used to test whether he could infect a victim through this type of file. Since Kaspersky was installed on the device and telemetry was still enabled, Kaspersky researchers gained access to the Word file containing the screenshot.

This screenshot showed:
- Notes taken in Uzbek
- The IP addresses of the SandCat test machines
- The Sharpa interface used to track infected machines
Can you just imagine that a malware developer used a screenshot showing his native language, his infrastructure IP addresses, and a non-public interface for testing? He could have used any image, even a completely black one, but he chose to use this one. How is that even possible?
This is what we call an OPSEC mistake, yet another one. For educational purposes, when conducting sensitive activities, only the English language should be used. It is the international language and does not reveal clues about your real identity. English is used across the internet by people of all nationalities, and that is exactly why it should be preferred.

The leak of these IP addresses allowed Kaspersky to discover additional machines they were previously unaware of and to monitor them. With all the information gathered as a result of SandCat's OPSEC mistakes, Kaspersky was able to identify who was responsible for the malware and publish its findings online.
Conclusion
This story is essentially a simple guide on how to get caught online. The SSS made so many mistakes that it became a subject of ridicule for many security researchers around the world. And that is exactly what we want you to avoid when carrying out sensitive activities online. This blog is full of advice and security measures designed to help you remain anonymous and private online.
It is also an opportunity to see that some governments, which attempt to use technology to maintain control over their populations, can be so careless and overconfident that they fail miserably. We can do better than them to gradually reduce their control, and that is something we must strive to achieve.
Crabmeat 2026-01-16
Donate XMR to the author:
89aWkJ8yabjWTDYcHYhS3ZCrNZiwurptzRZsEpuBLFpJgUfAK2aj74CPDSNZDRnRqeKNGTgrsi9LwGJiaQBQP4Yg5YtJw2U