Hackers from the State Security Service (SSS) of Uzbekistan developed viruses on computers with Kaspersky Anti-Virus installed. The malicious code was successfully detected, and the full information (along with screenshots) was sent to the developers. Kaspersky Lab has published a report on a hacker group from the State Security Service of Uzbekistan, Mezon reports.
According to Reuters, Kaspersky Lab specialists were able to identify a cybercriminal group allegedly associated with the SSS.
One of the group's dubious practices was the use of the “name of a military unit associated with the SSS” to register the domain involved in the attacks.
In the course of the study, experts found that the IP addresses of the machines used to test malware are associated with the itt.uz domain, registered to military unit No. 02616, located in Tashkent. Moreover, SandCat uploaded malware samples to VirusTotal from the same computers. According to Mezon, at the time of publication of the news, information about the domain owner was publicly available.
The operatives were discovered in the following manner:
- to develop the viruses, they used IP addresses and a domain registered with the real data of military unit No. 02616;
- military unit No. 02616 appears in several high-profile criminal cases as an expert center on cyber threats;
- they installed Kaspersky Anti-Virus on computers on which new viruses were being developed;
- the IP address of the SSS mail server is 220.127.116.11, and SandCat hackers used an address that differs by only one digit: 18.104.22.168;
- they allowed the antivirus to detect malicious code and included a screenshot of the virus development in the test file, which was sent to Kaspersky Lab.