{"id":29460,"date":"2019-10-03T14:13:26","date_gmt":"2019-10-03T14:13:26","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/30546\/Researchers-Say-They-Uncovered-Uzbekistan-Hacking-Operations-Due-To-Spectacularly-Bad-OPSEC.html"},"modified":"2019-10-03T14:13:26","modified_gmt":"2019-10-03T14:13:26","slug":"researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/","title":{"rendered":"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/video-images.vice.com\/articles\/5d954716f42aae0009e0b8b8\/lede\/1570065345732-hacked-laptop.png?crop=1xw:1xh;center,center&amp;resize=1200:*\" class=\"ff-og-image-inserted\"><\/div>\n<p>Nation-state spy agencies are only as good as their operational security\u2014the care they take to keep their digital spy operations from being discovered. 
But occasionally a government threat actor appears on the scene that gets it all wrong.<\/p>\n<p>This is the case with a threat actor recently discovered by Kaspersky Lab that it\u2019s calling SandCat\u2014believed to be Uzbekistan\u2019s <a href=\"https:\/\/www.nytimes.com\/2018\/04\/01\/world\/asia\/uzbekistan-reform.html\" target=\"_blank\" rel=\"noopener noreferrer\">repressive and much-feared<\/a> intelligence agency, the State Security Service (SSS).<\/p>\n<p>The group\u2019s lax operational security includes using the name of a military group with ties to the SSS to register a domain used in its attack infrastructure; installing Kaspersky\u2019s antivirus software on machines it uses to write new malware, allowing Kaspersky to detect and grab malicious code still in development before it\u2019s deployed; and embedding a screenshot of one of its developer\u2019s machines in a test file, exposing a major attack platform as it was in development. The group\u2019s mistakes led Kaspersky to discover four zero-day exploits SandCat had purchased from third-party brokers to target victim machines, effectively rendering those exploits ineffective. And the mistakes not only allowed Kaspersky to track the Uzbek spy agency\u2019s activity but also the activity of other nation-state groups in Saudi Arabia and the United Arab Emirates who were using some of the same exploits SandCat was using.<\/p>\n<p>\u201cThese guys [Uzbekistan&#8217;s intelligence agency] have been around for quite a long time and up until now I\u2019d never heard of Uzbekistan having a cyber capability,&#8221; said Brian Bartholomew, a researcher with Kaspersky\u2019s Global Research and Analysis Team who will present his findings about SandCat today in London at the VirusBulletin conference. 
\u201cSo it was kind of a shocker to me to know that they &#8230; were buying all of [these exploits] and targeting all these people and yet no one has ever written about them.\u201d<\/p>\n<p>The SSS, previously known as the National Security Service, isn\u2019t new to the spy game: It emerged in 1991 with the collapse of the Soviet Union to succeed the KGB as Uzbekistan\u2019s national intelligence agency and secret police, <a href=\"https:\/\/www.wired.com\/2012\/12\/russias-hand\/\" target=\"_blank\" rel=\"noopener noreferrer\">adopting some of the KGB\u2019s surveillance technologies<\/a> as well as its oppressive tactics. <a href=\"https:\/\/www.amnesty.org.uk\/files\/webfm\/Documents\/issues\/eur_62_1086_2015_uzbekistantorture_fullreport.pdf?sMDvswFYigdhKzuEiNn89TaIgSBqYtF8\" target=\"_blank\" rel=\"noopener noreferrer\">Known for its torture and human rights abuses<\/a>, the SSS was revamped in early 2018 by the country\u2019s new president, who sought to reform its repressive ways. But earlier this year the new head of the spy agency was booted after a year on the job, reportedly amid <a href=\"https:\/\/eurasianet.org\/uzbekistan-head-of-security-services-gets-chop-amid-talk-of-surveillance\" target=\"_blank\" rel=\"noopener noreferrer\">allegations that the agency had turned its spying capabilities against the new president and his family<\/a>.<\/p>\n<p>The agency\u2019s interest in offensive hacking operations was first exposed in 2015 when a hacker named Phineas Fisher hacked the Hacking Team, an Italian firm that sells hacking tools to governments and law enforcement agencies, and published thousands of emails exposing the company\u2019s correspondence with customers, <a href=\"https:\/\/wikileaks.org\/hackingteam\/emails\/?q=itt.uz&amp;mfrom=&amp;mto=&amp;title=&amp;notitle=&amp;date=&amp;nofrom=&amp;noto=&amp;count=50&amp;sort=0#searchresult\" target=\"_blank\" rel=\"noopener noreferrer\">including the SSS<\/a>. 
According to the emails, which cover the years 2011-2015, the SSS spent nearly a million dollars on Hacking Team tools. But its hacking operations had gone largely unnoticed until recently.<\/p>\n<p>In October 2018, researchers at Kaspersky stumbled across SandCat after discovering an already known piece of malware called Chainshot on a victim\u2019s machine in the Middle East. Chainshot had been used by two other nation-state threat actors in the Middle East in the past\u2014groups security researchers have attributed to the UAE and Saudi Arabia\u2014but the malware in this case was using infrastructure not associated with either of these countries, suggesting it was a different group Kaspersky hadn\u2019t seen before. SandCat was also using a zero-day exploit to install Chainshot.<\/p>\n<p>As Kaspersky analyzed machines infected with the exploit and Chainshot, and dug into the group\u2019s infrastructure tied to those infections, it discovered three more zero-days used by the same group, each of which was essentially burned as the vulnerability it exploited got patched.<\/p>\n<p>\u201cI\u2019d call [SandCat] my zero-day Pez dispenser,\u201d Bartholomew told Motherboard, \u201cbecause it seemed like every time we\u2019d [find] another zero-day and patch it, they\u2019d come up with another one. [T]hey\u2019re burning through them like nothing, which tells me one thing\u2014that they have tons of money.\u201d<\/p>\n<p>The discoveries didn\u2019t seem to affect SandCat. But as each zero-day got burned for SandCat, it also got burned for Saudi Arabia and the UAE.<\/p>\n<p>When spy agencies purchase zero-day exploits from brokers, they often have two options: pay a premium rate for an exclusive right to use an exploit, or pay less for exploits that other customers of the broker also get to use. 
The latter option comes with a risk, though\u2014if any customer using a shared exploit is careless or reckless, this can result in the exploit being caught, effectively burning it for anyone else who paid to use it.<\/p>\n<p>\u201cAll it takes is one sloppy customer,\u201d Bartholomew said. \u201cOne customer who is bad at OPSEC ruins it for all the others.\u201d<\/p>\n<p>Kaspersky believes SandCat purchased its exploits from two Israeli companies known as the NSO Group and Candiru but provided Motherboard with no evidence to support this. NSO Group is known for developing and selling some of the most powerful exploits for hacking mobile phones, including malware that has been used to spy on <a href=\"https:\/\/www.vice.com\/en_us\/article\/59zajx\/mexicos-sloppy-hacking-attempts-expose-customers-of-a-dollar1-billion-spyware-company\" target=\"_blank\" rel=\"noopener noreferrer\">journalists<\/a> and <a href=\"https:\/\/www.vice.com\/en_us\/article\/mg7pjy\/ahmed-mansoor-million-dollar-dissident-government-spyware\" target=\"_blank\" rel=\"noopener noreferrer\">dissidents<\/a>. Candiru is more of a full-service agency that provides, in addition to attack tools for computers, a <a href=\"https:\/\/www.haaretz.com\/middle-east-news\/.premium-top-secret-israeli-cyberattack-firm-revealed-1.6805950\" target=\"_blank\" rel=\"noopener noreferrer\">platform for managing attack operations.<\/a> A spokeswoman for the NSO Group wouldn\u2019t say whether the company has ever sold exploits to the SSS but told Motherboard the company \u201cdoes not develop or license any products for PC-related interception such as \u2018Chainshot.\u2019\u201d Motherboard was unable to reach Candiru. 
A different Israeli company is known to have supplied <a href=\"https:\/\/equalit.ie\/deflect-labs-report-6\/\" target=\"_blank\" rel=\"noopener noreferrer\">surveillance equipment<\/a> to Uzbekistan, suggesting strong ties between the country and the Israeli surveillance industry.<\/p>\n<p>Initially Kaspersky didn\u2019t know who SandCat was, but it didn\u2019t take a lot of work to tie it to Uzbekistan\u2019s SSS.<\/p>\n<p>Kaspersky discovered that SandCat\u2019s developers had installed Kaspersky antivirus on their development machines\u2014presumably to test whether malware they were developing in-house could bypass the detection tool. But they were using it with the telemetry reporting feature of the antivirus tool enabled, which causes the antivirus software to grab a copy of any files on the machines that it suspects are malicious and send them back to Kaspersky for analysis.<\/p>\n<p>\u201c[T]hat\u2019s how we caught a lot of this stuff \u2026 every time they would test it, our [software] would pull the binaries back,\u201d Bartholomew said.<\/p>\n<p>Furthermore, any time SSS&#8217;s suppliers sent SandCat new exploits for use, they arrived on a thumb drive. When SandCat developers inserted the drive into their machines, the Kaspersky software would automatically scan it for malware and grab files it deemed malicious.<\/p>\n<p>\u201cI think we got one of those exploits before they even were able to use it,\u201d Bartholomew said.<\/p>\n<p>Having identified the systems SandCat used for development and testing, the researchers discovered that these machines used IP addresses that resolved to the \u201citt.uz\u201d domain. 
When Bartholomew looked up the registration information for itt.uz, it showed a 2008 registration to an entity in Tashkent, Uzbekistan, called \u201cMilitary Unit 02616.\u201d Military Unit 02616 is <a href=\"https:\/\/uzxalqharakati.com\/ru\/archives\/22106\" target=\"_blank\" rel=\"noopener noreferrer\">cited in an Uzbekistan court case<\/a> for doing forensics on electronic devices seized from the defendant by an investigative unit of the SSS.<\/p>\n<p>\u201cCan it be this easy?\u201d Bartholomew said he wondered. \u201cI really wrestled hard with that for a long time thinking there\u2019s no way it\u2019s this easy. But every piece of data that we have links back to the same thing.\u201d<\/p>\n<p>SSS&#8217;s email domain resolved to the IP address 84.54.69.202, and the systems SandCat uses for developing and testing its malware use a nearly identical address, 84.54.69.203. SandCat uses these same machines to upload test files to VirusTotal. VirusTotal is a website that aggregates numerous antivirus programs so that anyone can upload suspicious files to the site to see if they\u2019re malicious. Attackers also sometimes upload their new malware to the site to test if it can successfully bypass antivirus detection, but VirusTotal records the IP address from which every file is uploaded, which means that malicious files SandCat uploaded to the site for such testing can be traced back to SandCat\u2019s machines.<\/p>\n<p>\u201cAs a developer you don\u2019t upload to VirusTotal, [but] if you do, don\u2019t do it from the same IP addresses that you\u2019re conducting your operations from,\u201d Bartholomew said.<\/p>\n<p>In October 2018, during the time SandCat\u2019s zero-days were starting to be discovered and burned, the group began developing its own attack platform called Sharpa. 
Bartholomew thinks whoever supplied SSS with its zero-days and platform until then got fed up with so many of the tools being burned quickly, forcing SandCat to develop in-house.<\/p>\n<p>It\u2019s also possible the change was simply due to a natural progression, however\u2014many spy agencies start out using a platform and malware purchased from others before developing internal capabilities to build their own. Or the move might have been brought on by budgetary constraints after the new president announced in 2017 he planned to rein in the powers of the SSS, <a href=\"https:\/\/www.reuters.com\/article\/us-uzbekistan-security-blacklist-idUSKCN1AV1O1\" target=\"_blank\" rel=\"noopener noreferrer\">reduce the number of dissidents being monitored on government blacklists<\/a>, and transfer some SSS responsibilities to other agencies.<\/p>\n<p>But if SandCat\u2019s mistakes did cause its suppliers to fire it as a customer, the group didn\u2019t reform its bad habits in developing its new platform.<\/p>\n<p>In the process of conducting some tests, one of SandCat\u2019s developers took a screenshot of his desktop with a detailed image of the Sharpa interface open on it, and put it in a test file that he ran on a machine with the Kaspersky software on it. He wanted to be able to load Sharpa onto victim machines using a malicious Word file and for some reason used the screenshot of his desktop as part of the Word file. When Kaspersky\u2019s software grabbed the malicious file, the researchers learned about the new platform in development as well as other intel. The screenshot, for example, shows developer notes written in Uzbek, confirming the language of the developers, and also shows the interface used to track and control Sharpa once it\u2019s on infected machines. It also shows the IP addresses for SandCat\u2019s test machines.<\/p>\n<p>\u201cThis was really important, because \u2026 we didn\u2019t know about [these] addresses [before this]. 
So we were able to go back in our telemetry and find more installations of more stuff because this IP address showed up in the screenshot,\u201d Bartholomew said.<\/p>\n<p>Bartholomew refers to SandCat as \u201ctrash actors\u201d because of their reckless mistakes. But he thinks their OPSEC failures can be attributed to arrogance and inexperience.<\/p>\n<p>\u201cA lot of the [nation-state threat actors] in that region have the same bravado. They just don\u2019t care [about being stealth]. They adamantly deny everything. And if they get caught they get caught,\u201d he said. But he notes that SandCat is still in the infant stage of development, even though it\u2019s been active in spying a long time, and is bound to make rookie mistakes.<\/p>\n<p>Now that the group\u2019s mistakes have been publicly exposed, SandCat will likely improve its OPSEC. But Bartholomew says exposing them will also increase the number of researchers tracking them, which could help uncover more of their current victims and provide them with protection.<\/p>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/30546\/Researchers-Say-They-Uncovered-Uzbekistan-Hacking-Operations-Due-To-Spectacularly-Bad-OPSEC.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":29461,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[7968],"class_list":["post-29460","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackergovernmentdata-losscyberwarzero-day"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC 
2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2019-10-03T14:13:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"4800\" \/>\n\t<meta property=\"og:image:height\" content=\"2700\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta 
name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC\",\"datePublished\":\"2019-10-03T14:13:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/\"},\"wordCount\":1920,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg\",\"keywords\":[\"headline,hacker,government,data loss,cyberwar,zero day\"],\"articleSection\":[\"CyberSecurity 
Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/\",\"name\":\"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg\",\"datePublished\":\"2019-10-03T14:13:26+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2019\\\/10\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg\",\"width\":4800,\"height\":2700},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,government,data loss,cyberwar,zero day\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackergovernmentdata-losscyberwarzero-day\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity 
News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https
:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/","og_locale":"en_US","og_type":"article","og_title":"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2019-10-03T14:13:26+00:00","og_image":[{"width":4800,"height":2700,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad 
OPSEC","datePublished":"2019-10-03T14:13:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/"},"wordCount":1920,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg","keywords":["headline,hacker,government,data loss,cyberwar,zero day"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/","url":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/","name":"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg","datePublished":"2019-10-03T14:13:26+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2019\/10\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec.jpg","width":4800,"height":2700},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/researchers-say-they-uncovered-uzbekistan-hacking-operations-due-to-spectacularly-bad-opsec\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,government,data loss,cyberwar,zero day","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackergovernmentdata-losscyberwarzero-day\/"},{"@type":"ListItem","position":3,"name":"Researchers Say They Uncovered Uzbekistan Hacking Operations Due To Spectacularly Bad OPSEC"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 
Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/29460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=29460"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/29460\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/29461"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=29460"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=29460"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=29460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}