Click to see full-size image
Kaspersky Labs recently discovered a new threat actor called “SandCat” which allegedly originates from Uzbekistan.
What is notable for this discovery is that this government “threat actor” gets everything about hacking “wrong.”
The ones behind SandCat are allegedly Uzbekistan’s State Security Service (SSS).
“SandCat is a threat actor in the Central Asia region that has largely gone unnoticed, dating back to 2008. Kaspersky has recently been able to identify which nation is behind this group, even down to military unit numbers and names of individuals. While Kaspersky has written about the name ‘SandCat’ previously, we have not publicly attributed it to anyone until now,” Kaspersky’s Brian Bartholomew said.
SandCat has allegedly been operating for over 10 years and various zero-day exploits and malware have been attributed to them. They also appear to have an “unlimited budget.”
“This actor is interesting for a number of reasons: they have been operating at some level of capacity for over 10 years; they seem to have an infinite budget to purchase exploits and toolkits from a multitude of suppliers; more recently they have begun to develop their own malware in-house; and they have repeatedly targeted journalists and human rights activists in the region.”
The Vice reported on Bartholomew’s presentation, quite in-depth and the ridiculousness of painting Uzbekistan as a hacker powerhouse, but one that is so exquisitely bad that it is rather funny.
The allegedly Uzbeki SandCat misadventures include:
- Using the name of a military group with ties to the SSS to register a domain used in its attack infrastructure;
- Installing Kaspersky’s antivirus software on machines it uses to write new malware, allowing Kaspersky to detect and grab malicious code still in development before it’s deployed;
- Embedding a screenshot of one of its developer’s machines in a test file, exposing a major attack platform as it was in development.
This allegedly allowed Kaspersky to discover for zero-day exploits, among other things. It also allowed Kaspersky to track other threat actors from other states such as Saudi Arabia and the UAE, who were employing the same exploits.
“These guys [Uzbekistan’s intelligence agency] have been around for quite a long time and up until now I’d never heard of Uzbekistan having a cyber capability,” Bartholomew said. “So it was kind of a shocker to me to know that they … were buying all of [these exploits] and targeting all these people and yet no one has ever written about them.”
Allegedly the Uzbeki SSS agency’s interest in offensive hacking was exposed in 2015. a hacker named Phineas Fisher hacked the Hacking Team, an Italian firm that sells hacking tools to governments and law enforcement agencies, and published thousands of emails exposing the company’s correspondence with customers, including the SSS. Allegedly the Uzbeki intelligence service was a customer of Hacking Team.
In October 2018, researchers at Kaspersky stumbled across SandCat after discovering an already known piece of malware called Chainshot on a victim’s machine in the Middle East.
“I’d call [SandCat] my zero-day Pez dispenser,” Bartholomew told Motherboard, “because it seemed like every time we’d [find] another zero-day and patch it, they’d come up with another one. [T]hey’re burning through them like nothing, which tells me one thing—that they have tons of money.”
Allegedly SandCat was so bad at operational security that it ruined zero-day exploits for everybody, including Saudi Arabia and the UAE.
“All it takes is one sloppy customer,” Bartholomew said. “One customer who is bad at OPSEC ruins it for all the others.”
Kaspersky believes SandCat purchased its exploits from two Israeli companies known as the NSO Group and Candiru, but there was no evidence to support the claims.
The way Kaspersky discovered SandCat was because the Uzbeki master hackers installed their antivirus product on their machines when they were testing malware.
“[T]hat’s how we caught a lot of this stuff … every time they would test it, our [software] would pull the binaries back,” Bartholomew said.
Furthermore, any time SSS’s suppliers sent SandCat new exploits for use, they arrived on a USB drive, and the malware files would be caught by the Kaspersky antivirus. Which is also quite the advertisement for Kaspersky’s solutions.
“I think we got one of those exploits before they even were able to use it,” Bartholomew said.
Kaspersky then discovered that the machines used P addresses that resolved to the “itt.uz” domain, which since 2008 were registered to an entity in Tashkent, Uzbekistan called “Military Unit 02616.”
“Can it be this easy?” Bartholomew said he wondered. “I really wrestled hard with that for a long time thinking there’s no way it’s this easy. But every piece of data that we have links back to the same thing.”
Then, SandCat uploaded files to Virus Total (a diagnostic website that allows you to upload a file and have it scanned and see if it is malicious).
“As a developer you don’t upload to Virus Total, [but] if you do, don’t do it from the same IP addresses that you’re conducting your operations from,” Bartholomew said.
According to Kaspersky’s Bartholomew this was an important discover since it proves that hackers in the region allegedly don’t care at all about being undetected.
“This was really important, because … we didn’t know about [these] addresses [before this]. So we were able to go back in our telemetry and find more installations of more stuff because this IP address showed up in the screenshot,” Bartholomew said.
“A lot of the [nation-state threat actors] in that region have the same bravado. They just don’t care [about being stealth]. They adamantly deny everything. And if they get caught they get caught,” he said.
Of course, after naming and shaming, they are likely to improve their Operational Security. So the credibility of the presentation and reports should surely be, at least slightly, scrutinized. Since with the claims, Kaspersky and Co are basically giving them advice and helping them in their hacking adventures.
MORE ON THE TOPIC:
big mistake
Who has ‘unlimited budgets’? Probably proxies of Uncle $cam.
Don’t give them money or matches https://www.youtube.com/watch?v=8hCCCRAcTAA