Executive Summary

In late January 2026, three government information systems in Uzbekistan were targeted by cyberattacks over a four-day period (January 27–30), resulting in the exposure of approximately 60,000 unique data records [15]. Initial claims circulating on social media and Reddit suggested that up to 15 million citizen records had been compromised through a breach of the central OAuth server of the e-government (E-Gov) platform [1][3]. However, following an official investigation, Digital Technologies Minister Sherzod Shermatov confirmed on February 12 that the actual scope was significantly smaller [15].

The Government of Uzbekistan responded promptly, launching an investigation through its Cybersecurity Center and establishing an operational task force [1][2]. In the days following the initial disclosure, online microcredit issuance was temporarily suspended as a precautionary measure, and banks reinforced their security postures [9].

This incident occurs against a backdrop of escalating cyber threats — with over 7 million cyber threats prevented in 2024 and 107 million in 2025 [15], and a 68-fold increase in cybercrime over the past five years (from 863 crimes in 2019 to 58,800 in 2024) [16]. Separate research from Group-IB and Kaspersky has documented an active advanced persistent threat group known as Bloody Wolf (also tracked as Stan Ghouls) that has been conducting targeted operations against government agencies and financial institutions across Central Asia, including Uzbekistan [4][5]. While no direct attribution has been made between Bloody Wolf and this specific breach, the group's sustained focus on the region underscores the increasingly sophisticated threat environment facing Uzbekistan's digital infrastructure.


1. What Happened

Between January 27 and 30, 2026, information systems of three government agencies in Uzbekistan were targeted by cyberattacks [15]. On or around February 1–2, links to several resources, including darknet platforms, were shared on social media and Reddit claiming that data from Uzbekistan's government information systems had been posted online [1]. The data was allegedly sourced from government information systems, with the central OAuth authentication server of the e-government (E-Gov) platform identified as the potential point of compromise [1][3].

The OAuth server serves as a trusted single sign-on gateway, enabling citizens and institutions to authenticate across a wide range of government and non-government services. Because of its centralized role, any compromise of this system has the potential to cascade across connected platforms.

Confirmed Scope (February 12 Update)

According to Digital Technologies Minister Sherzod Shermatov's press conference on February 12, 2026 [15]:

Systems Identified as Potentially Impacted

Based on reports from multiple credible Uzbek news outlets including Gazeta.uz, UzDaily.uz, and Zamin.uz [1][2][3]:

Data Types Potentially Exposed

| Data Category | Details |
|---|---|
| Personal Identifiers | Full name, date of birth, internal user ID |
| Contact Information | Phone number, email address, residential address |
| Identity Documents | Passport number and related details |
| Authentication Data | Logins, passwords, user photographs |
| Sensitive Records | Workplace details, medical histories, government service records |


2. How It Happened

While the official investigation by Uzbekistan's Cybersecurity Center is still underway, cybersecurity experts have offered preliminary assessments of the likely attack vectors.

The Central OAuth Server as a Single Point of Entry

The e-government OAuth server functions as the authentication backbone for dozens of interconnected services. OAuth 2.0 is an industry-standard authorization framework in use worldwide, but security researchers have repeatedly noted that OAuth deployments are prone to misconfiguration unless they are continuously audited and hardened. In a centralized deployment, compromising the OAuth provider grants cascading access to every relying party that trusts it.

Supply Chain Attack Hypothesis

Dmitry Paleyev, Director of the corporate cybersecurity firm ONESEC, suggested this may not have been a single isolated breach but rather a supply chain attack [1]. In such scenarios, compromising one component within a connected infrastructure can grant lateral access to other systems in the same network. This is a well-documented tactic used by advanced threat actors globally.

Contributing Factors in Context

Uzbekistan has been undergoing rapid digital transformation, with significant investment in e-government services. The country aims to digitize 70% of public services and expand its IT services exports to $5 billion by 2030 as part of the Uzbekistan–2030 Strategy [17]. Over 760 public services have already been digitized, with approximately 10 million citizens using digital platforms annually [18]. The incident highlights a universal challenge: the need for cybersecurity maturity to scale in lockstep with digital adoption.

Expert Perspective: "The actual threat may be greatly exaggerated and may not correspond to reality. As experience shows, this data is often greatly exaggerated and compiled from various sources, including old data and data collected from various systems." — Dmitry Paleyev, Director, ONESEC [1]


3. Government Response

The Government of Uzbekistan demonstrated a proactive and organized response. Multiple agencies acted swiftly to address public concerns, initiate investigations, and issue guidance to citizens [1][2].

Response Timeline

| Date | Action |
|---|---|
| Jan 27–30 | Three government information systems targeted by cyberattacks [15] |
| Feb 1–2 | Links to darknet resources shared on Reddit and social media [1] |
| Feb 3 | Cybersecurity Center confirmed investigation launch; issued public guidance [1] |
| Feb 3 | National Social Protection Agency confirmed cyberattack on archival database; task force established [2] |
| Feb 3 | Statistics Committee confirmed census data stored encrypted on separate servers [1] |
| Feb 3–4 | Tax Committee and Interior Ministry denied breaches; systems functioning normally [1] |
| Feb 5–6 | Online microcredit issuance suspended; Central Bank reinforced oversight [9] |
| Feb 12 | Minister Shermatov confirmed ~60,000 records exposed; additional OneID safeguards [15] |


4. Impact on the Financial Sector

Microcredit Suspension

Uzbekistan temporarily suspended online microcredit issuance following reports that compromised citizen data could be used to fraudulently obtain microloans [9]. This action, while disruptive, reflects a responsible approach to protecting citizens from secondary exploitation.

Banking Sector Response

Multiple banks reinforced their authentication and monitoring systems. The Central Bank maintained that core banking infrastructure had not been directly compromised [2].

Voluntary Credit Ban Service

Uzbekistan introduced a voluntary credit ban service in June 2025, allowing citizens to prohibit loan issuance without personal authorization (Law No. ZRU-1043) [19]. By October 2025, approximately 150,000 citizens had enrolled [20]. By January 1, 2026, enrollment had risen to over 438,000 [21]. The breach is expected to further accelerate adoption.

Cybercrime Growth Context

According to the Interior Ministry's Cybercrime Center, Uzbekistan experienced a 68-fold increase in cybercrime between 2019 and 2024 — from 863 crimes in 18 categories to 58,800 in 62 categories [16]. Between 2021 and 2024, cybercrimes resulted in the theft of over 1.9 trillion soums ($148.9 million) from citizens [16].


5. Active Threat Landscape: Bloody Wolf

Independent of this breach, published research from leading cybersecurity firms has documented sustained threat activity targeting the region.

Threat Actor Overview

A threat group tracked as Bloody Wolf — also identified by Kaspersky as Stan Ghouls [5] — has been conducting targeted operations against organizations in Central Asia since at least late 2023. The group primarily targets government agencies, financial institutions, and IT companies [4]. According to Kaspersky, the primary motivation appears to be financial gain, though their methods also suggest cyberespionage capabilities [5].

Activity Timeline

| Period | Activity |
|---|---|
| Late 2023 | Group first identified, targeting Kazakhstan and Russia [5] |
| May 2025 | Kaspersky first flags NetSupport RAT config [5] |
| Jun 2025 | Campaign in Kyrgyzstan targeting government, financial, IT sectors [4] |
| Oct 2025 | Operations expand to Uzbekistan [4] |
| Nov 2025 | Group-IB / UKUK publish joint advisory [4] |
| Feb 5, 2026 | Kaspersky identifies ~50 victims in Uzbekistan, 60+ total [5] |

Key Findings

Group-IB / UKUK (November 2025): Documented a sustained campaign by Bloody Wolf targeting government structures and financial systems in Kyrgyzstan and Uzbekistan, employing sophisticated social engineering and impersonating government ministries [4][3].

Kaspersky Securelist (February 5, 2026): Identified ~50 compromised organizations in Uzbekistan across manufacturing, finance, and IT; about 10 devices in Russia were also affected. The group used spear-phishing emails in Russian and Uzbek. Its infrastructure was also hosting Mirai IoT malware, suggesting a possible toolkit expansion (assessed with low confidence) [5].

Media Coverage: Campaigns covered by The Hacker News [6], Infosecurity Magazine [7], SC Media, and Cyberpress.

⚠ Important Note on Attribution

There is no publicly confirmed direct attribution between Bloody Wolf / Stan Ghouls and the January 2026 government agency breach. However, the group's documented targeting of Uzbek government systems illustrates the advanced and persistent nature of threats facing the country's digital infrastructure.


6. Prior Cybersecurity Incidents

| Date | Incident | Source |
|---|---|---|
| 2023 | Over 11.2 million cyberattacks on web resources | [22] |
| 2024 | Over 7 million cyber threats prevented | [15] |
| 2025 | Over 107 million cyber threats prevented | [15] |
| Jul 2025 | Hacker forum listing: 21M citizen records for sale | [10] |
| Aug 2025 | Uzbekistan Airways data breach — passports, system credentials | [10] |



8. Remediation Framework

Based on NIST CSF 2.0, ISO 27001:2022, and CIS Controls v8 [11]:

Phase 1: Immediate Containment

  1. Isolate and audit the OAuth server — full forensic audit including token issuance logs, session records, API access patterns
  2. Mandatory credential reset — enforce password reset; invalidate all OAuth tokens and session cookies
  3. Enable MFA — across all government portals and relying party applications
  4. Revoke and rotate all API keys — all shared secrets and client secrets in the OAuth ecosystem
  5. Dark web monitoring — engage threat intelligence services to track compromised data distribution
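Steps 1 and 2 of this phase (audit token issuance logs, then invalidate every token issued before the reset) can be made concrete. The Python example below is added here and is not code from this page or from any system named in the report. It assumes a constructed, space-separated token-issuance log format and a hypothetical registry of which scopes each relying party may request; the sample log lines are made up for the demonstration. It flags two patterns a forensic reviewer would look for in issuance logs, then applies the post-reset cutoff that treats every pre-reset token as dead regardless of its own expiry.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample issuance log (not real data). One line per token the provider issued:
# timestamp, requesting client (relying party), subject, source address, requested scope.
SAMPLE_LOG = """\
2026-01-28T02:14:07Z client=tax-portal sub=u1001 ip=203.0.113.5 scope=profile
2026-01-28T02:14:09Z client=tax-portal sub=u1002 ip=203.0.113.5 scope=profile
2026-01-28T02:14:11Z client=tax-portal sub=u1003 ip=203.0.113.5 scope=profile
2026-01-28T02:14:12Z client=tax-portal sub=u1004 ip=203.0.113.5 scope=profile
2026-01-28T02:14:14Z client=tax-portal sub=u1005 ip=203.0.113.5 scope=profile
2026-01-28T02:14:15Z client=tax-portal sub=u1006 ip=203.0.113.5 scope=profile
2026-01-28T09:30:00Z client=social-protection sub=u2001 ip=198.51.100.7 scope=profile
2026-01-28T09:31:20Z client=social-protection sub=u2001 ip=198.51.100.7 scope=archive:read
2026-01-28T10:02:41Z client=tax-portal sub=u3001 ip=192.0.2.44 scope=profile
"""

# Hypothetical client registry: the scopes each relying party was registered to request.
REGISTERED_SCOPES = {
    "tax-portal": {"profile"},
    "social-protection": {"profile"},
}


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_subject_sweeps(records, window_seconds=60, threshold=5):
    """Flag (client, ip) pairs that obtained tokens for at least `threshold` distinct subjects
    inside one window. A single source minting tokens for many citizens within seconds is
    not normal single-sign-on behaviour and is worth pulling session records for."""
    by_source = defaultdict(list)
    for r in records:
        by_source[(r["client"], r["ip"])].append(r)
    alerts = []
    for (client, ip), recs in by_source.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            subjects = set()
            for r in recs[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                subjects.add(r["sub"])
            if len(subjects) >= threshold:
                alerts.append({"client": client, "ip": ip,
                               "distinct_subjects": len(subjects), "first_seen": start["ts"]})
                break  # one alert per source is enough for triage
    return alerts


def find_scope_violations(records, registry=REGISTERED_SCOPES):
    """Flag tokens carrying a scope the requesting client was never registered for.
    Such tokens indicate either a provider-side bug or an attacker-controlled client."""
    return [r for r in records if r["scope"] not in registry.get(r["client"], set())]


def token_survives_reset(issued_at: datetime, reset_cutoff: datetime) -> bool:
    """Global invalidation after the mandatory reset: a token issued before the cutoff is
    rejected no matter what its own expiry says. Relying parties compare `iat` to this."""
    return issued_at >= reset_cutoff


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("subject sweeps:", find_subject_sweeps(recs))
    print("scope violations:", [(r["client"], r["sub"], r["scope"]) for r in find_scope_violations(recs)])
    cutoff = datetime(2026, 2, 3, tzinfo=timezone.utc)
    print("first token still valid after reset:", token_survives_reset(recs[0]["ts"], cutoff))
```

The thresholds and the scope registry are deliberately simple; in a real audit they would come from the provider's client configuration and from a baseline of normal issuance rates per relying party, and the sweep detector would also be run over API access patterns on the services those tokens reached.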

Phase 2: Structural Hardening

  1. Zero Trust Architecture — verify every access request; implement micro-segmentation
  2. Deploy SIEM and EDR — continuous monitoring and rapid threat detection
  3. Privileged Access Management — control and audit privileged access to authentication infrastructure
  4. Network segmentation — isolate critical authentication systems from general traffic
  5. Regular penetration testing — periodic red team exercises on government-facing systems

Phase 3: Long-Term Resilience

  1. National cybersecurity workforce development
  2. Incident response planning — develop and regularly test comprehensive IR plans
  3. Supply chain security audits — ongoing assessments of third-party vendors
  4. Public awareness campaigns — citizen education on password hygiene, phishing, data protection

Per guidance from the Cybersecurity Center and Digital Technologies Ministry [1][15]:

  1. Change all passwords immediately, especially for government services
  2. Enable two-factor authentication on all accounts
  3. Do not share personal information with unknown parties
  4. Avoid suspicious websites and links received via email or messaging
  5. Use strong, unique passwords for government and financial services
  6. Monitor financial accounts — consider activating the voluntary credit ban via my.gov.uz
  7. Report suspicious activity to the Cybersecurity Center and law enforcement
  8. Be vigilant against social engineering — attackers may pose as bank employees and cite known personal details to request SMS codes [15]

10. Sources and References