Uzbekistan surveillance campaign leverages new spyware against human rights activists

Amnesty International says it's a "worrying" escalation in the intrusive surveillance of vulnerable groups.

Human rights activists and journalists in Uzbekistan, whom researchers have long claimed are victims of intrusive surveillance, are facing an increasingly sophisticated campaign, according to new findings from Amnesty International.

Last year, a Canadian non-profit, eQualitie, revealed that a group of unidentified attackers has targeted journalists and human rights defenders in Uzbekistan with spearphishing emails since 2016. In June, the attackers escalated their activity, and are now trying to leverage spyware against hundreds of targets, Amnesty said in research published Friday.

The advanced espionage efforts highlight how the surveillance threat to vulnerable groups in Uzbekistan is “more sophisticated than previously documented, and able to bypass some security tools [human rights defenders] use to protect themselves[,]” according to the Amnesty International blog detailing the analysis.

Human rights activists have been fighting against forced labor and torture in Uzbekistan’s criminal justice system, according to Human Rights Watch. Watchdog groups also have cited unfair criminal trials and politically motivated imprisonment in the country. Authorities typically claim they are fighting against terrorism or anti-state activity when targeting Muslim populations.


As part of the spearphishing campaign, the attackers have tweaked both Adobe Flash Player and Telegram Desktop installers to infect victim machines with spyware. The malware, derived from the open-source Windows malware Quasar RAT, can capture screenshots, keystrokes, tracking cookies, and passwords, according to the analysis.

The attackers have also deployed Android spyware that can monitor location, chat applications, text messages, and phone calls, and record audio and video. The malware, a version of the open-source Droid-Watcher, connected with a command-and-control server linked to the campaign, Amnesty found.

In all, several dozen domains meant to target these vulnerable groups in Uzbekistan were created between May and September of last year, by Amnesty’s count. At least 170 accounts belonging to human rights activists, university personnel, or people working for governments of countries near Uzbekistan have been targeted since.

Uzbekistan’s intelligence agency, the National Security Service, has long been accused of spying on its citizens and violating human rights. In October, Kaspersky found that an NSS-linked group, dubbed SandCat, was developing malware with password-stealing capabilities in-house. And according to leaked emails, NSS at one point was buying capabilities from the Italian surveillance company Hacking Team, whose servers were in Uzbekistan as early as 2014, according to Citizen Lab.

Despite calls from the United Nations’ Special Rapporteur on the right to Freedom of Expression, David Kaye, for a moratorium on the export, sale, and transfer of privately developed surveillance tools, these kinds of sales and other surveillance activities appear to be continuing unabated.


It’s a “worrying evolution” in the surveillance that human rights defenders face, Amnesty noted.

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.
