Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV

by
Sean Gallagher
from Ars Technica - All content on (#4RRBS)

SandCat is a "Pez dispenser" of zero-days, a Kaspersky researcher said, handing over new exploits for free. (credit: William Thomas Cain / Getty Images)

A new "threat actor" tied to Uzbekistan's State Security Service has been unmasked by threat researchers at Kaspersky Lab. And the unmasking wasn't very hard to do, since, as Kim Zetter reports for Vice, the government group used Kaspersky antivirus software, which sent binaries of the malware it was developing back to Kaspersky for analysis.

Uzbekistan has not been known for having a cyber-espionage capability. But the Uzbek SSS clearly had a big budget, and according to Kaspersky, the group went to two Israeli companies, NSO Group and Candiru, to buy those capabilities. Unfortunately for the group, it didn't also buy any sort of operational security know-how along with the exploits it used.

The group, labeled SandCat by Kaspersky, was discovered by researchers in October of 2018. The discovery was triggered when a previously identified malware downloader called Chainshot, a tool used in the past by groups attributed to Saudi Arabia and the United Arab Emirates, was found on an infected computer somewhere in the Middle East. But this Chainshot trojan was connected to a different command-and-control network than previous versions and was using a different exploit to initially install.

