A new “threat actor” tied to Uzbekistan’s State Security Service has been unmasked by threat researchers at Kaspersky Lab. And the unmasking wasn’t very hard to do, since, as Kim Zetter reports for Vice, the government group used Kaspersky antivirus software—which sent binaries of the malware it was developing back to Kaspersky for analysis.
Uzbekistan has not been known for having a cyber-espionage capability. But the Uzbek SSS clearly had a big budget, and according to Kaspersky, the group went to two Israeli companies—NSO Group and Candiru—to buy those capabilities. Unfortunately for the group, it didn’t also buy any sort of operational security know-how along with the exploits it used.
The group, labeled SandCat by Kaspersky, was discovered by researchers in October of 2018. The discovery was triggered when a previously identified malware downloader called Chainshot—a tool used by groups attributed to Saudi Arabia and the United Arab Emirates in the past—had been discovered on an infected computer somewhere in the Middle East. But this Chainshot trojan was connected to a different command-and-control network than previous versions and was using a different exploit to initially install.
As the Kaspersky researchers looked for other machines infected with the malware and explored the infrastructure behind it, they found three more “zero-day” exploits used by the same group. Kaspersky reported the exploits, and they were each “burned” in turn as patches were deployed. The same exploits were also being used by the UAE and Saudi groups.
Kaspersky Global Research and Analysis Team researcher Brian Bartholomew told Zetter, “I’d call [SandCat] my zero-day Pez dispenser because it seemed like every time we’d [find] another zero-day and patch it, they’d come up with another one.” The group was “burning through them like nothing,” he said, “which tells me one thing—that they have tons of money.”
Every time the Uzbek SSS’ exploit supplier would send new malware on a USB drive, someone would stick the drive into a computer running Kaspersky’s antivirus software to transfer it. Just as Kaspersky’s software did with the National Security Agency “Equation Group” malware that National Security Agency Tailored Access Operations developer Nghia Hoang Pho brought home with him to study, the anti-virus uploaded the new binaries to Kaspersky’s server for evaluation. And the machine those uploads came from was tied by domain registration data and a court case to the Uzbekistan SSS.