Kaspersky Finds Uzbekistan Hacking Op… Because Group Used Kaspersky AV

upnorth
A new "threat actor" tied to Uzbekistan's State Security Service has been unmasked by threat researchers at Kaspersky Lab.

And the unmasking wasn't very hard to do, since, as Kim Zetter reports for Vice, the government group used Kaspersky antivirus software—which sent binaries of the malware it was developing back to Kaspersky for analysis. Uzbekistan has not been known for having a cyber-espionage capability. But the Uzbek SSS clearly had a big budget, and according to Kaspersky, the group went to two Israeli companies—NSO Group and Candiru—to buy those capabilities. Unfortunately for the group, it didn't also buy any sort of operational security know-how along with the exploits it used.

The group, labeled SandCat by Kaspersky, was discovered by researchers in October of 2018. The discovery was triggered when a previously identified malware downloader called Chainshot—a tool used by groups attributed to Saudi Arabia and the United Arab Emirates in the past—had been discovered on an infected computer somewhere in the Middle East. But this Chainshot trojan was connected to a different command-and-control network than previous versions and was using a different exploit to initially install. As the Kaspersky researchers looked for other machines infected with the malware and explored the infrastructure behind it, they found three more "zero-day" exploits used by the same group. Kaspersky reported the exploits, and they were each "burned" in turn as patches were deployed. The same exploits were also being used by the UAE and Saudi groups.