A new “threat actor” tied to Uzbekistan’s State Security Service has been unmasked by threat researchers at Kaspersky Lab. And the unmasking wasn’t very hard to do, since, as Kim Zetter reports for Vice, the government group used Kaspersky antivirus software, which sent binaries of the malware it was developing back to Kaspersky for analysis.
Uzbekistan has not been known for having a cyber-espionage capability. But the Uzbek SSS clearly had a big budget, and according to Kaspersky, the group went to two Israeli companies, NSO Group and Candiru, to buy those capabilities. Unfortunately for the group, it did not also buy any sort of operational security know-how along with the exploits it used.
The group, labeled SandCat by Kaspersky, was discovered by researchers in October of 2018. The discovery was triggered when a previously known malware downloader called Chainshot, a tool used in the past by groups attributed to Saudi Arabia and the United Arab Emirates, was found on an infected computer somewhere in the Middle East. But this Chainshot trojan was linked to a different command-and-control network than earlier versions and was using a different exploit to install itself initially.
As the Kaspersky researchers looked for other machines infected with the malware and explored the infrastructure behind it, they found three more “zero-day” exploits used by the same group. Kaspersky reported the exploits, and they were each “burned” in turn as patches were deployed. The same exploits were also being used by the UAE and Saudi groups.
Kaspersky Global Research and Analysis Team researcher Brian Bartholomew told Zetter, “I’d call [SandCat] my zero-day Pez dispenser because it seemed like every time we’d [find] another zero-day and patch it, they’d come up with another one.” The group was “burning through them like nothing,” he said, “which tells me one thing—that they have tons of money.”
Each time the Uzbek SSS’ exploit supplier would deliver new malware on a USB drive, someone would plug the drive into a computer running Kaspersky’s antivirus software to transfer it. Just as Kaspersky’s software did with the National Security Agency “Equation Group” malware that National Security Agency Tailored Access Operations developer Nghia Hoang Pho brought home with him to study, the antivirus uploaded the new binaries to Kaspersky’s server for analysis. And the machine these uploads came from was tied by domain registration data and a court case to the Uzbekistan SSS.