Azerbaijan Internet Watch was launched around the time when more evidence kept emerging, on the use of authoritarian technology in Azerbaijan. This technology allowed the perpetrator(s) (in most cases identified as an institution or individual affiliated with the government of Azerbaijan] to target Azerbaijan’s civil society. These revelations marked a significant shift in the way the authorities were persecuting its critics. In addition to offline measures – physical intimidation through kidnapping, arrests, detentions, questioning; bogus trials, and lengthy jail times; and adoption of restrictive new laws limiting the ability of civil society to work – there were new tools at the state’s disposal that could now deliver phishing attacks, DDoS attacks, targeted harassment, mass fake reporting on social media platforms, hacking of personal as well as public social media accounts and emails, leaking unlawfully obtained data, online blackmail, the use of trolls and bots, and more. In none of these documented cases, it was possible to hold the state or its institutions, or the actors to account. Dismissals have been a common response.
“By using its monopoly over the country’s information-technology infrastructure, it has disrupted internet access, placed temporary bans on social media services like TikTok, launched DDoS attacks, and used various digital-surveillance tools, including the Israeli spyware Pegasus, to target and censor activists and journalists. The democracy watchdog Freedom House now considers the internet in Azerbaijan “not free”.” Facebook is Failing Journalists, November 22, 2022, By Arzu Geybulla, for Project Syndicate
State-sponsored surveillance
In 2014, an OCCRP investigation revealed how mobile operators were directly passing on information about their users to the respective government authorities. Last year, AIW looked into the protection of personal data mechanisms that exist in the country. The research and legal analysis indicated that “the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities.” In addition, the analysis showed “that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. As such, the absence of clear and enforceable regulations to protect personal data against arbitrariness and flawed systems due to negligence puts personal data at a higher risk of infringements.” Additional findings included the following information confirming OCCRP’s revelations in 2014:
The Presidential Decree No. 507 dated June 19, 2001 (IV) “On the division of powers of search operations’ entities while carrying out search operations,” ensures that the Ministry of Internal Affairs and the State Security Service can autonomously connect to the communication networks of telecom operators. That being said, the presidential order regulating the conduct of this kind of search and operation activity in the telecom industry dated February 15, 2017, is not public.
The above-mentioned legal environment makes subscribers’ personal data accessible to the law-enforcement authorities given that all collected user personal data is accumulated in the database established together with the law enforcement authorities or is equipped with the technical means allowing law-enforcement authorities access users’ personal information. Also, according to Article 11 (IV) of the Law on Operation and Search Activities, the decision of the court (judge) or investigative body or the authorized subject of operative search activity on the implementation of operation-search measures can be accepted not only when there is an initiated criminal case but also in a wide range of circumstances.
In another report released in 2021, AIW identified the following loopholes grating the state further access to the personal information of citizens:
The Law on Telecommunication obligates network operators to install special equipment, provided by the State Security Service, Ministry of Internal Affairs, and Special State Protection Service onto the telecommunication networks enabling the Government to extract (intercept) data on anyone regardless of whether that person(s) is part of an investigation process or not.
The installment of special equipment within communication networks is regulated by the “Rules for equipping telecommunications operators and providers with additional technical means for conducting search operations, reconnaissance and counter-intelligence activities” issued by the Ministry of Transport, Communications, and High Technologies on June 14, 2016. The Rule obligates telecommunication operators and providers to create technical conditions for the conduct of relevant activities within the communication networks.
The Rule defines that Telecommunication Control System (hereinafter – TCS) – is special hardware and software that provides confidential control over the exchange of information of subjects targeted by the relevant measures (such as search and operation, intelligence, and counterintelligence activities), as well as all statistical data of the network. TNS consists of data extraction facilities, transport networks, and control centers.
The Rule also indicates that relevant measures in the communication networks are carried out in accordance with the requirements of the laws of the Republic of Azerbaijan “On Operation-Search Activity” and “On Intelligence and Counterintelligence Activity”.
However, while the Law on Operation-Search Activity may allow secret surveillance and seizure of private information, there are no rules or procedures within the national legislation for secret surveillance and intercepting information by government agencies. There are also no clearly defined rules on determining the grounds for such surveillance and interception activities, their duration, and whether such activities can be stopped by a court or other higher state authority.
The above legal and investigative findings may explain how in 2012, during the Internet Governance Forum held in Baku, Neelie Kroes’s [who at the time, was the Vice-President of the European Commission responsible for the Digital Agenda for Europe] advisors had their computers hacked. At the time, Ali Hasanov, who was serving as head of the Azerbaijani Presidential Administration Social and Political Department said, “there was no such interference, and couldn’t have been.” Hasanov was “one of the key figures defining the government’s policies regarding media, freedom of speech, and political liberties,” according to an OCCRP investigation into Hasanov and his family’s media business. At home, Hasanov was also known as the “King of trolls.” And although he denied his passion for trolls, even at the time when he was leaving his office in January 2020, as it turned out, Hasanov was a troll factory supplier. In September 2021, AIW published this story revealing how the government of Azerbaijan did indeed operate its own troll factory:
Ever since the 2013 revelations about Russia’s troll factory, many in Azerbaijan wondered whether the country’s leadership too operated its very own troll factory. Unlike its Russian version, known as the Internet Research Agency, there was only anecdotal evidence of whether this was really the case in Azerbaijan. There were no former “factory” employees who came forward or undercover journalists who temporarily worked there and exposed the work carried out later. Not until this month anyway. An investigation against the executive director of the State Media Support Fund Vugar Safarli now reveals that the suspicions were valid after all. And that upon specific instructions a group of “bloggers” were responsible for monitoring Facebook and leaving comments under posts that were critical of the government or relevant government institutions.
The investigation is part of a criminal case launched against Vugar Safarli who until recently headed the State Fund for Media Development in Azerbaijan. Safarli was arrested in 2020 on charges of money laundering (allegedly 20million AZN) and abuse of authority.
On September 2, Azerbaijan Service for Radio Free Europe, Azadliq Radio published parts of the testimony by Safarli where the former government official implicates not only that the government did indeed deploy trolls but that several high ranking officials including then Presidential advisor Ali Hasanov and former head of the Presidential Administration Ramiz Mehdiyev were well aware of this. Moreover, the building from where trolls operated belonged to Hasanov himself.
“Ali Hasanov told me that the new rented space, will have internet bloggers who will work from there. And indeed there were a few, who sat there, working unofficially,” Safarli reportedly said in his statement according to Azadliq Radio reporting.
Predating 2014 revelations, are a series of examples that were documented in this report showing how state-sponsored surveillance was used as early as 2008, albeit at the time, using less sophisticated technology such as black boxes and wiretaps.
In the years that followed, the state-sponsored surveillance got worse as has been documented either here or by other platforms. The culmination was the use of Pegasus and targeted harassment of civil society activists online through the dissemination of their personal data obtained through hacking of their devices as well as social media accounts.
As AIW described in this report:
Members of opposition political parties, independent journalists, political and human rights activists have long faced systematic pressure and persecution orchestrated by the government of Azerbaijan. The unprecedented crackdown against civil society that began in 2013, marked a new chapter, in the history of Azerbaijan’s civil society. One, marred by arrests and prosecution of high-profile activists, rights defenders, and journalists.
This systematic pressure and harassment were not only offline. It was only a matter of time, that the internet too would become a place to target activists, journalists, and human rights defenders, holding them accountable for their online criticisms on bogus accusations that often ended with lengthy jail sentences, forced apologies on public televisions (see The State of Internet Freedom in Azerbaijan report), detentions and further forms of persecution.
In a country where almost all avenues for freedom of expression and activism were eliminated, the internet, specifically online media platforms, and social media networks became new targets. To monitor discussions online, prevent citizens from accessing independent news online, or social media platforms, and to further curb freedoms online, the government of Azerbaijan embarked on a shopping spree, becoming a client of companies selling sophisticated surveillance equipment and technology.
By 2021, the government of Azerbaijan has successfully deployed a Remote Control System (RCS), Deep Packet Inspection (DPI), phishing, and spear-phishing attacks often with homegrown malware. The most recent addition to a wide variety of authoritarian technology deployed in Azerbaijan is Pegasus spyware.
The Law on Operation-Search Activity overseas phone tapping and information extraction from communication channels. Further, the third section of article 10 of the Law on Operation-Search Activity does not require a judicial act or supervision of higher authority while wiretapping and extracting information from technical communication channels unless there is a need to install technical devices such as voice, video, or photo recorders at the place of residence of the individuals.
In other words, anyone in Azerbaijan can be subject to such a form of oversight.
In Azerbaijan, “anyone” is often, a representative of Azerbaijan’s civil society. This includes political activists, rights defenders, journalists, members of opposition political parties and movements, and feminists, to name a few. As AIW documented in its February 2023 report:
2022 has been no different than recent years in terms of online attacks and internet censorship in Azerbaijan. Human rights defenders, activists, politicians, and media professionals in Azerbaijan are increasingly becoming victims of cybercrimes, including electronic surveillance, privacy infringement, and cyberstalking, due to their independent and legitimate professional activities. The online targeting of individuals critical of the government has become increasingly frequent and constant. And yet neither of these cases has been effectively investigated, and the perpetrators have not been identified.
Despite the active use of the criminal and administrative offenses legislation, including other technical resources to limit freedom of expression on the internet [including the blocking of key opposition and independent news websites, summoning and punishing individuals for critical opinions distributed online], the state systematically fails to provide effective investigation on the complaints of the individuals subject to unlawful covert surveillance (Pegasus), cyber-attacks, online blackmailing and hacking attempts against activists and media professionals. In most cases, reveal that online harassment against government critics is organized by the government or government-linked institutions.
In April 2022 report, Meta reported that it removed a hybrid network operated by the Ministry of Internal Affairs of Azerbaijan that combined cyber espionage with Coordinated Inauthentic Behavior (CIB) to target civil society in Azerbaijan by compromising accounts and websites to post on their behalf.
There has been a shift however in the use of technology. Based on the monitoring of cases documented by AIW, one scenario indicates that as a result of several forensic exposes tracking the source of phishing attacks and the use of other pervasive surveillance tools to the state, the latter now relies on targeting critics through online harassment and online targeting campaigns in order to damage and/or discredit their reputation. That and the use of restrictive new laws makes silencing dissent less reliant on technology. That being said, there are still cases of phishing attacks as was the case with activist Abulfaz Gurbanli, who was phished through an email and WhatsApp messages in February 2022. A file disguised as grant-related information from a known donor organization containing a virus was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating herself as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts. At the time, AIW requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.
Targeted harassment: the case of Bakhtiyar Hajiyev
The most recent case of state-sponsored digital targeting is of political activist Bakhtiyar Hajiyev. Hajiyev was arrested in December 2022, shortly after his return to Azerbaijan from a trip abroad. Charged with hooliganism and contempt of court, the activist was then sentenced to 50 days in pretrial detention. That time however was extended twice, most recently until April 2023. Prior to his arrest, Hajiyev often criticized the Ministry of Internal Affairs over its targeted harassment. He was then abducted by unknown men and during his time in captivity was forced to delete his social media posts critical of the ministry. The investigations into Hajiyev’s kidnapping have not been conducted and up to this day, it remains unclear who were Hajiyev’s kidnappers. Throughout the past few years, Hajiyev was also the target of an online blackmail campaign. Three years ago, Hajiyev said there were multiple attempts to break into his social media and email accounts.
At the end of December 2022, while Hajiyev was already behind bars, some anonymous social media accounts shared private correspondence between Hajiyev and Vusala Mahirgizi, an editor. The leaked conversations alleged Hajiyev was a marionette of one of the clans [in reference to various clans in key government positions in Azerbaijan]. Hajiyev published a statement in which the activist said, the leaked correspondence was a violation of his privacy, given it was obtained through hacking of his personal accounts and that the allegations of him being a marionette, were false.
It is worth noting that this correspondence was leaked during calls for the activist’s release. The leak was largely viewed as an attempt to turn the activist into a scapegoat and weaken the advocacy campaign calling for his release.
Since February 22, 2023, however, Hajiyev has been the target of another blackmail campaign. At least six different Telegram channels have been disseminating conversations between Hajiyev and various women:
Identified Telegram channels:
-
https://t.me/bextiyarhaciyev18
-
https://t.me/baxtiyarifsa
-
https://t.me/+SzloVHfBVkg1YjEy
-
https://t.me/BextiyarinIfsasi
-
https://t.me/BextiyarinIfsasi
-
https://t.me/+DiENXqq3ed4zMzcy
Similar information was leaked by fake Facebook accounts. The leaked correspondence also contained sexually explicit photos of women appearing with Hajiyev. The online targeting of women with their faces publicly disclosed in these groups has led to at least two women being forced to leave their homes and go into hiding from their families, fearing reprisals for ‘immorality’ from their families.
Although there is proof that some of the shared correspondence was photoshopped the targeting has tarnished Hajiyev’s public image and placed the lives of women in the photos in danger.
The anonymous admins of these chats have also published the names of other activists, threatening to leak their conversations with Hajiyev as well. Some of these activists are advocates calling for Hajiyev’s release.
The Ministry of Internal Affairs refuted the claims that it may have been behind the leaked information. However, according to Hajiyev’s lawyers, Hajiyev arrived at the Baku General Police Department in his car and left his phone in the car. The car stayed there for three days and it is likely his phone was compromised during this period.
In October of last year, this story explained how Telegram is being used in Azerbaijan. “In Azerbaijan, the app has become a nexus for hate speech, propaganda, and the repression of dissent. In March 2021, multiple Telegram groups were identified in Azerbaijan sharing sex tapes and nude photographs of women. Among the victims were journalists, civic activists, and female family members of exiled political activists as well as ordinary women. The groups and pictures were reported to Telegram, but it took weeks before they were taken down. The damage to the women targeted was done. The channels shared sensitive videos of journalist Fatima Movlamli, the sister of exiled dissident blogger Mahammad Mirzali, civic activist Narmin Shahmarzade and Gunel Hasanli, daughter of opposition party leader Jamil Hasanli.”
Activists in Azerbaijan also pointed out that it is not Hajiyev’s reputation that is placed on the line with this blackmail campaign, but the women too, whose photographs are shared in the absence of their consent. Last year BBC published this investigation about the use of the platform in targeting women specifically “to harass, shame and blackmail them on a massive scale.” Gulnara Mehdiyeva, a feminist activist who has been targeted herself in the past, said in a Facebook post on February 28, “Terrible things are happening in the country. The government, which is responsible for protecting the safety of citizens, deliberately and knowingly wants to make those women victims of suicide or murder.” Two years ago, Mehdiyeva was targeted in a video shared via Facebook, containing a series of leaked private audio messages, that were extracted from Mehdiyeva’s social media accounts and emails. In a February 28 Facebook post, Mehdiyeva also wrote that not only faces of these women were not blurred but the perpetrators of the blackmail campaign also shared the names of the women and at least in one correspondence leaked, the home address of one woman. One of the women whose identity has been exposed in this campaign, was Tunay Aliyeva, an actress and model who said this blackmail campaign was a “cybercrime and invasion of people’s privacy.” In a letter addressed to the First Lady and the First Vice President Mehriban Aliyev, the actress asked that the First Lady personally stepped in, as a woman and a mother herself, in order to put an end to this “abomination.”
No-war activists and feminist activists
AIW has documented how activists who openly criticized the second Karabakh war were targeted by state-sponsored harassment before:
From public Facebook posts and pages targeting the activists, with threats of violence and physical harm, calls for public shaming and punishment, to questioning at Security Services, this has no doubt been one of the harshest, collective, online public harassment campaigns observed until now in Azerbaijan.
In a recent piece published by Lossi 36, Thijs Korsten and Viktoria Kobzeva also wrote:
Following the two-day war and increased public disapproval of Azerbaijan’s actions towards Armenia, government-linked media accounts launched a social media campaign. The photos and names of individuals who condemned the government’s aggression were circulated with the hashtag “Recognise the Traitor” on Facebook and Twitter. The people who were singled out are not marginal anti-war activists but rather prominent opposition figures, who the government sees as a greater threat.
The use of Telegram for the purpose of targeting and harassment has been in use not only in the case of Hajiyev. Previously AIW documented how the platform was used to target feminist activists too:
In recent days, at least three telegram channels were reported for sharing profane content targeting women in Azerbaijan. One channel called “Wretched men club” shared sensitive videos of journalist Fatima Movlamli, and exiled dissident blogger Mahammad Mirzali’s sister. Another group called “Expose bad-mannered girls” has targeted other women activists. A third one, targeted specifically one woman whose Facebook account was hacked shortly after the International Women’s Day march in Baku.
In the past, other women journalists and activists were targeted in an online harassment campaign.
Activist Gulnara Mehdiyeva was targeted with a video shared on Facebook, containing a series of leaked private audio messages, that were stolen when Mehdiyeva’s social media accounts and emails were hacked last year.
Activist Narmin Shahmarzade’s Facebook profile was hacked, her name changed alluding to her interference with people’s private lives. The hackers flooded her Facebook feed with private messages, some of which were fake, and shared nude photographs of her, including at least one edited photo and audio. Several hours later, a Telegram channel was set up, sharing Shahmarzade’s intimate photos. In an interview with VoA Azerbaijan service, Shahmarzade said, “When my account was hacked, video footage and other posts with criticism of the ruling government were deleted. Then, my personal messages on Facebook messenger were compromised. Some of them were shared after being edited and taken out of context. My personal phone number was exposed and as a result, I received numerous calls and messages of threatening nature.” Shahmarzade said, she has informed the Ministry of the Interior and the State Security Services and describes what happened to her, a crime and that she will be going to court. Shahmarzade also pointed out to AIW that the hacker who compromised her Facebook profile is likely the same person or member of the same group that targeted activist Gulnara Mehdiyeva last year because at least one of the audio that was shared via Shahmarzade’s hacked Facebook account targeting her, does not even belong to the activist and that she never had access to. Contrary, it was among material hijacked from Gulnara Mehdiyeva.
Among the women targeted, is also dissident blogger Mahammad Mirzali’s sister. Mirzali told AIW that the intimate video of his sister was leaked to harm him. “On February 15 my family members and I received several messages from a US number threatening me to stop my work. Otherwise, they told me they would release the videos of my sister. They told me they were not joking. They leaked the video on March 5. Later they shared the video on telegram channels. The same video was also sent to our relatives,” explained Mirzali. Mirzali suspects the authorities are behind this nasty campaign against his family. On March 14, Mirzali was reportedly stabbed by a group of unknown men. Mirzali is currently at the hospital.
In September 2020, activist Rustam Ismayilbeyli was intimidated by someone who presented himself as an employee of state security that unless Ismayilbeyli did not stop his activism, intimate pictures of his girlfriend would be leaked online.
In 2019, journalist Sevinc Osmangizi was the target of a smear campaign that accused her of being a double agent and working as a spy selling government secrets.
The same year, journalist Fatima Movlamli was targeted with a fake Facebook page created under her name, sharing intimate photos and videos of her in her bed.
In all of the incidents, the targets voiced their suspicion of the government involvement behind these attacks. No responsibility was taken.
Last year, feminist activist Sanay Yaghmur was targeted in a social media blackmail campaign. The perpetrators shared personal information about the activist which they obtained by hacking her email account.
The practices of digital authoritarianism widely used in Azerbaijan also extend beyond its borders. Last year, Ahmad Mammadli, the leader of a political movement D-18, reported that local authorities intercepted a letter of acceptance to a Master’s program from a university in Turkey. The authorities accused Mammadli of forging the letter.
This is not an exhaustive investigation and documentation by all means. But AIW will continue to document and monitor the situation and work with partners to keep exposing the use of information controls in Azerbaijan.
![another telegram channel another public targeting campaign [updated March 9]](https://www.az-netwatch.org/wp-content/uploads/2021/03/Telegram-600x400.jpeg)
