May 9, Azerbaijani politician, Gultekin Hajibeyli’s Instagram account hacked and taken down. Instead, a fake profile impersonating Hajibeyli was set up, with her private mobile phone number shared publicly in the profile description. Hajibeyli, was targeted online previously.
Such attacks are common in Azerbaijan, where opposition politicians and independent activists are targeted online. Account “break-ins”, impersonations, blackmailing posts, content takedown requests on YouTube for alleged copyright violations are among some of the popular harassment tactics in practice.
Unlawfully obtained personal information of intimate nature, including photos, videos, and email exchanges are commonly used to target women activists. A most recent example is an online harassment campaign launched against political activist and former political prisoner Ilkin Rustamzade’s wife, Amina Rustamzade. Leaked personal pictures were shared on Facebook and Instagram by various accounts.
On May 12, the account impersonating Hajibeyli was successfully removed from Instagram.
On May 13, a new fake Instagram profile was created.
On the morning of April 22, an independent online news platform, abzas.net noticed strange activity on its website. Not only did the website lose, a month worth of published articles, but that some articles’ headlines were also changed.
In an interview with AIW, the website’s editor Ulvi Hasanli confirmed the attack. Hasanli said, this was not the first time, the website was under attack. “We have experienced DDoS attacks every month for a year between 2016 and 2017. Eventually, abzas.net was blocked in Azerbaijan and the website switched to .org”.
Hasanli confirmed that the team was able to restore back the missing articles and reverted back changed headlines.
While the team continues to investigate the source behind the attack, in an interview with Azadliq Radio, Hasanli said, they will seek legal remedy once they have sufficient evidence.
On April 21, several cities and administrative districts across the country reported experiencing internet disruptions.
The disruptions were reported on DeltaTelecom one of the only two companies in Azerbaijan licensed to connect international internet traffic [the second one being AzerTelecom]. Delta Telecom is considered the backbone internet provider in Azerbaijan and handles most of the ISP traffic. It owns a data center and provides hosting services.
One earlier report claimed the disruptions were the result of problems in the internet traffic coming in from Russia. The nature of these problems was not identified. And became clear shortly after, that this was not indeed the cause for disruptions.
According to Osman Gunduz, the head of Azerbaijan Internet Forum, it was the damage to the fiber optic cables connecting Delta Telecom’s second main center and the backbone itself during street excavations. As a result, Delta Telecom’s second main center started experiencing connectivity issues. This resulted in several ISPs and large companies experiencing major internet connectivity disruptions.
The Ministry of Transportation, Communication, and High Technologies (MCHT) is yet to issue a statement. In an interview, with a local online news platform Gafgazinfo the spokesperson Gunel Gozalova said the problem was not the damage caused to existing underground cables but issues with the commercial provider bringing Internet traffic into the country. “As a result of the countrywide quarantine regime during COVID19, many companies shifted their work to an online regime. The same goes for the education system where classes are now conducted in an online format. As a result, the country’s broadband internet network is overloaded. And sometimes, the preferred device installed at people’s homes does not meet currently increased demands.”
The spokesperson assured the ministry is doing its best to meet the spike in demands, working with experts around the clock.
It seems the spokesperson missed the memo [and so did the main news agency APA] from Delta Telecom because according to this media platform, who spoke with the director of the main internet provider [Public Television Channel] Delta Telecom, the disruptions were caused by “cable outage” during maintenance excavation work around one of capital’s automatic telephone exchange [ATS] locations.
As of April 22, Internet users across the country including in the capital continued reporting of weak signal or on-going disruptions in connections.
This is not the first time, major disruptions have been reported across the country.
In November 2015, massive Internet outage caused by a fire at a landline of the major Internet provider “Delta Telecom” left the country disconnected for at least 6 hours. In August 2016, some users experienced problems establishing an internet connection for several hours as a result of problems with Delta-Telecom’s infrastructure or as a result of debts owed by smaller providers to Delta Telecom. In October 2017, the MTCHT announced slow internet traffic across 23 regions due to AzTelekom’s [second government-owned internet provider] maintenance work to improve connectivity. In early July 2018, the country experienced its worst blackout in decades after a fire broke out at the country’s largest power plant.
In addition to accidents, technical, and other maintenance-related disruptions, there are intentional restrictions reported during certain political occasions such as political rallies or international events. In 2016 during the country-wide referendum, Virtual Road documented how authorities generated artificial internet network congestion within Azerbaijan to prevent access to the websites of both RFE/RL’s Azerbaijan Service and the Voice of America’s Azerbaijani services.
During the Islamic Solidarity Games, there were reports of users having difficulties accessing and using Skype, Viber, and WhatsApp. Only after the games were over, the Ministry of Transport, Communications, and High Technologies issued a statement confirming, “Temporary restrictions to telecom services (Skype, Viber, WhatsApp,etc.), [were] imposed in Azerbaijan as part of security measures during the 4th IslamicSolidarity Games.
Opposition activists say internet service sometimes slows down or stops working completely in the hours before rallies are set to begin. Similarly, residents in neighborhoods where rallies often take place, too have experienced connectivity issues for the duration of these events. In response to these disruptions, local ISPs argue that the connectivity issues are directly linked to the number and density of users gathered in one place during that specific time.
And last but not least, the quality of the internet in Azerbaijan lags behind even its closest neighbors. According to the annual Freedom on the Net report, in Azerbaijan, “the fixed broadband market lacks equality between operators. The absence of regulatory reform also inhibits the development of the sector. Osman Gunduz cites Azerbaijan’s underdeveloped infrastructure as a key obstacle toward attaining greater access and higher connection speeds. And in his most recent Facebook post, Gunduz wrote that the recent disruptions attest to existing problems despite the on-going effort invested in setting up stable information infrastructure in the country over the recent years.
June 17, Amina Rustamzade, wife of activist Ilkin Rustmazade attempted suicide after numerous posts violating her right to privacy [see below]. Rustamzade overdosed herself with sleeping pills. She was taken immediately to a clinical center where doctors were able to stabilize her condition. While her condition is stable, the perpetrator behind the harassment against Amina remains at large. Ilkin Rustamzade wrote on his Facebook, that his wife, received yet another message from the same user with the message “If Ilkin is not silent, then what happened earlier will happen again.”
***
Ilkin Rustamzade is a former political prisoner and activist who spent six years in jail on bogus charges. He was arrested in May 2013 on alleged hooliganism charges. Additional charges – inciting violence and organizing mass disorder in connection with a peaceful protest in 2013 – were added during his pre-trial detention period. Rustamzade was sentenced to eight years in jail in 2014. He was recognized “prisoner of conscience” by International rights watchdog Amnesty International.
Authorities released Rustamzade in March 2019 following a presidential pardon decree. But threats and harassment against him continue.
On April 7, Rustamzade was contacted by this profile on Facebook. The person behind the profile introduced himself as an officer working for the Special Security Services in Azerbaijan. In the brief exchange this person had with Rustamzade, he kept removing all of the messages after they were sent. As a result, there are few screenshots that actually contain any evidence of this person threatening Rustamzade.
In one message, the user tells Rustamzade to stop the campaign the activist started on change.org. The campaign calls on the Azerbaijan authorities to allocate funds for families who have been affected by the global pandemic that has also reached Azerbaijan. When Rustamzade refused to remove the campaign, that is when the person threatened Rustamzade to humiliate him and his family.
Shortly after, a Facebook page (that has now been successfully removed) was set up, with intimate pictures of Rustamzade’s wife Amina Rustamzade and posts using humiliating language.
On April 8, a new Facebook page was set up with similar content. There is also, an Instagram post, that was shared by this account on the social media platform. In addition, his fiance’s profile appears to have been added to an escort website with personal information including phone numbers.
Also on April 8, Rustamzade’s father, Bakir Khalilov was taken by the police when they could not locate Ilkin Rustamzade at his family home. When Rustamzade called to speak with his father, the police interrupted the conversation, took the phone away from the father and told Rustamzade unless he comes to the station, his father will be arrested. When police showed up at his father’s house, they claimed Rustamzade violated quarantine laws by leaving the house without informing the law enforcement. This is a new regulation that was introduced on April 5. Rustamzade moved out on April 2. Three days before the regulation was set in place.
Meanwhile, Rustamzade’s father falls into a threatened group category due to his age and health condition. He just recently had heart surgery.
Although his father has been released since then, Rustamzade is concerned both his father, and himself could be arrested and that threats against his family will continue.
Journalist Khadija Ismayilova wrote her on Facebook that “Police clearly is eager to use these SMS restrictions to harass activists.”
As of April 5, residents across Azerbaijan can only leave their apartments having informed local law enforcement via SMS, a phone call or if in possession of a special certificate of employment.
Azerbaijan remains among countries, which haven’t declared a “state of emergency”. Instead, they are referring to new restrictions as part of the “strict quarantine regime”.
How SMS notification system works
Permission to go outside is granted for the following reasons:
receiving medical treatment;
buying medication or groceries;
visiting a bank or a post office;
attending a funeral of a close relative
Before leaving, SMS is sent out with a national ID number indicating the reason for going outside. The sender then gets an SMS in response with a code, which can then be used when stopped by the police officers.
There is no further information about the tracking mechanism, its transparency, and whether authorities have developed or relying on a special tracking application to monitor its citizens.
So far, the new restriction has proven to serve the financial interests of the authorities.
Hebib Muntezir, Azerbaijan journalist wrote,
Translation: Yesterday (April 6), a total of 456thousand SMS was sent from 223thousand phone numbers. Of these 284thousand SMS (approximately 62%) were of irrelevant nature. Some received responses immediately, others in half hour, and some in an hour. 6 nationals who have violated the quarantine regime were arrested, 3800 were fined. If we take AZN100 per person that makes AZN380,000 [of collected fines] in just one day. #stayhome
The new fines were introduced on April 3. The fines range from AZN100-200 (USD60-USD120) and include up to a one month administrative arrest.
To understand the potential surveillance implications of this new restriction, AIW spoke to legal expert Emin Abbasov.
“Based on what we know so far, the goal is reportedly to limit freedom of the movement via permission regime relaying users’ requests via mobile devices. However, without knowing whether an SMS can be used to start tracking a mobile device (current assessment indicates that the mechanism in place isn’t used in tracking mobile devices) the notifications are only used to limit freedom of the movement. It is not an application. It is more like an information resource or a system. But the collection of information here is done on compulsory basis, not voluntarily. As a result, this should fall under special legal regime. That is, the issue is very complicated and still unclear. What is clear, however is that when there are limitations on rights and freedoms these limitations fall within the scope of the law on rights and freedoms. What becomes important under these circumstances, is that the emergency decrees issued by the executive authorities that interfere with the rights and freedoms envisaged in the Constitution or International treaties, are required to have a constitutional basis. Another issue is that there are noclear assurances as to whether the information resource (currently in use by the law enforcement) will be destroyed when there is no further need for it. We are yet to see these assurances. And overall, all of the currently adopted decisions are seemingly taken outside of the constitution.
It is indisputable that restrictive measures aimed at combating COVID19 pandemic have a legitimate purpose such as protection of health. However, respect for the rule of law and democratic principles in times of emergency requires that states respect the principle of legality even in an emergency situation. Compliance with the rule of law and democratic principles determines that the restriction of rights and freedoms enshrined in the constitution and international treaties may be limited either by laws (adopted by parliament) or by emergency decisions issued as a result of the extraordinary powers vested in the executive branch by the parliament. However, it is not clear that power of the Cabinet of Ministers in Azerbaijan to issue an emergency decrees that are restricting rights and freedoms are carried out in accordance with those principles.”
So far authorities have warned of further restrictive measures taken if the number of infected cases keeps growing and citizens do not follow through with imposed restrictions.
[Updated] On April 9, Azadliq Radio featured a story where political activist Izzatli Ruslan and investigative reporter Khadija Ismayilova said, requesting permission to leave via SMS, is against the national constitution, article 28 and that together with other representatives of civil society, they intend to take the matter to domestic courts. The right may only be limited in case of the state of emergency, which was not declared in Azerbaijan during the fight against C19.
Izzatli himself was fined in a total amount of 100AZN on the grounds of violating quarantine regimes when he did not provide the permission upon police request. Izzatli was headed to donate blood.
As of May 18, the compulsory requirement has been lifted as Azerbaijan joins the list of countries, slowly opening up.
May 22, member of D18 political movement and administrator of a Facebook page “Say no to corruption”, Jalil Zabitov was arrested and sentenced to five months on hooliganism charges.
April 22, member of opposition Popular Front party, Arif Babayev was sentenced to 30 days in administrative detention on charges of placing prohibited information online under Article 388.1.1 of the Code of Administrative Offenses.
April 13, journalist Ibrahim Vazirov with an online video news channel Kanal24 was arrested after police demanded he removes his online posts about the social and economic impact of COVID-19. Vazirov was sentenced to 25 days in administrative detention allegedly for disobeying police.
Several other journalists were detained while reporting on C19.
April 11, activist Nariman Abdulla sentenced to ten days in administrative detention on the grounds of violating the anti-epidemic, sanitary-hygienic and quarantine regime according to Azadliq Radio. Abdulla was taken by the police, from his house on April 10 in the city of Lankaran. His family members claim his detention is the result of his posts and comments on social media. Abdulla criticized the Minister of Labor and Social Protection over a lack of assistance for the poor families during the quarantine regime.
April 6, political activist Shakir Mammadov questioned over Facebook post then arrested on charges of hooliganism and sentenced to 15 days in administrative detention according to AzadliqRadio report.
Mammadov described his arrest as unlawful. Mammadov said he had informed local police he was going to the pharmacy after having texted a specified number. As soon as he left the apartment, he was apprehended by the local police in the city of Sumgayit and taken to the police station.
There he was asked to remove a Facebook post, where he wrote that during quarantine, people are unable to work, and therefore, have trouble providing for their families. Therefore the authorities should help. When he refused to remove the status, police charged him with hooliganism (according to police protocol Mammadov was stopped on the street for swearing. When the police approached him, they asked him why he was outside without a protective mask and gloves. When Mammadov disobeyed their questions, he was arrested).
April 4, journalist, Tezekhan Mirelemli was questioned over a Facebook post according to local media reports.
Translation: “Friends, today, I was called with an official letter to the Baku City Main Police Department. They wanted to speak with me about a Facebook status I shared after an incident that occurred near Hazi Aslanov metro stop. I gave my explanation and was let go. I would like to say, there was no violence used against me. Some friends, have shared news that I was beaten. I am telling you it is not true. As for the Facebook status – I deleted it. I knew it would be misinterpreted. I wanted to delete the status as soon as I shared it. I did not delete it in the evening because there was some troll activity. I would like to say I had no intention when sharing that Facebook status. I shared it because I wanted to prevent cases of abuse from happening again. I then deleted it because I did not want it to be misunderstood.”
The journalist’s post was about a police officer, according to Azadliq Radio reports but no further details are given.
Mirelemli was convicted on June 19, on hooliganism charges and sentenced to wear an electronic bracelet. The conviction also calls for the journalist’s confinement to his home, between 11pm and 7am every day for the next 12 months.
***
March 25, police in Azerbaijan, closely monitor discussions on the popular social media platform, Facebook. Some users reportedly are invited for questioning.
The national parliament adopted changes to the law on Information, Informatisation, and Protection of Information, ten days ago, and already, several social media users have been questioned by the police over their posts.
Local authorities are relying on the new article “Violating sanitary hygiene, quarantine and pandemic regimes” when questioning social media users.
On March 21, AIW reported of Ilgar Atayev, who was called in for questioning and charged with article 388.1 of the code of administrative offenses – sharing of prohibited information on the Internet or internet – telecommunication networks. Authorities claim, Atayev, shared information on COVID without quoting official sources and that the information provided was false.
Since then, at least two more cases have been reported.
In another case, Anar Malikov, an opposition activist, was sentenced to ten days of administrative detention for violating the pandemic regime on March 21. The court decision said Malikov violated the quarantine regime with his social media posts. No such legal liability is specified in Article 211 of the Code of Administrative Offenses.
March 18, members of Azerbaijan’s National Parliament approved proposed amendments to the law on Information, Informatisation and protection of Information during the first reading.
A special clause “information-telecommunication network” and “information-telecommunication network users” were added to article 13.2. of the law. While there are is no definition of what the “information-telecommunication network [and its users]” clause actually means, some media experts and journalists suggested this referred to social media platforms and the users. In Azerbaijan, the Ministry of Transportation, Communication and High Technologies already holds broad powers to block websites, without a court order. If these recent suggestions to the law are approved in the final reading, it would further deteriorate freedom of speech online as social media users, posting content the Ministry may deem as misinformation may be arrested and face charges.
One parliament member, Ganira Pashayeva, even suggested setting up a special unit that would monitor social media platforms, and hold those spreading rumors accountable.
On March 21, Ilgar Atayev was called in for questioning and charged with article 388.1 of the code of administrative offenses – sharing of prohibited information on the Internet or Internet – telecommunication networks. According to Meydan TV, an independent online news platform, although Atayev was informed that the charges were sent to court, he does not know what he is facing.
Authorities claim, Atayev, shared information on COVID without quoting official sources and that shared information was false.
The Law on Information, Informatisation, and Protection of Information
This law was first adopted in 1998. On March 10, 2017, a series of restrictive amendments were added to the law, converting the law from a technical regulation into content regulation:
article 13.1.3. create conditions for the regulation of the domain names not with participation of the parties of the internet community, but by relevant Ministry, which contradicts international norms, including ICANN recommendations in this regard;
article 13.2.3, all legal and ethical issues previously existing in various laws have been listed as prohibited information and it has been stressed that their dissemination is prohibited;
article 13.2.4, when the owner of the Internet information resource and its domain name posts the information, dissemination of which is prohibited or receives an application about that piece of shared information, it guarantees the removal of such information from the information resource;
article 13.2.5, when a hosting provider reveals in its information systems some information, dissemination of which in internet information resources is prohibited or receives information about it, it should undertake immediate measures for its removal by the owner of the information resource;
article 13.3.3, in cases of existence of real threat for the lawful interests of the state and society or in urgent cases when there is a risk for life or health of people, the access to internet information resource is temporarily restricted directly by the Ministry of Transport, Communications and High Technologies [restriction is applied without a court order. Although an application is made to the court, the decision to close down the online information source remains in force until the court handles the case or the decision is annulled.]
article 13.3.6, describes the List of information resources that are “blocked” which is curated and maintained by the Ministry [to this day, no such resource exists however, AIW has a list of online resources that are regularly monitored relying on OONI for blocking]. Independent legal experts believe, this kind of authority is restrictive in nature. Especially as it forces all host and Internet providers are imposed an obligation to prevent access to these resources.
According to the law, the Ministry of Transport, Hich Technologies and Communication is the executive authority deciding on the type of information that is relevant, which websites get blocked and what information must be removed and so on.
In Azerbaijan, a group of activists was targeted online following a non-violent march organized to mark International Women’s Day. The protest was violently dispersed by the police. Those detained were released after questioning. Last year, a similar attempt was quashed by the police. In October 2019, in an attempt to call on the authorities to take measures to combat drastic growth in the numbers of victims of domestic violence, the protesters were once again violently detained, sustaining physical injuries.
The digital attacks began already on March 8, when women’s rights activist and head of the Feminist Movement of Azerbaijan Gulnara Mehdiyeva and one of the main organizers of the march, realized, someone was trying to break into her Telegram account. Then her Gmail was hacked and much of her archive including photographs and documents were “downloaded” by the attacker. In less than 48 hours Mehdiyeva’s personal Facebook account was hacked. She was removed from several Facebook groups that focus on LGBTQI and women’s rights in Azerbaijan, where she was an “admin”. Then, these groups were compromised, suspended and one was deactivated. Both groups lost thousands of subscribers and content that were shared via the Facebook group page. Next in line was Mehdiyeva’s Protonmail.
Two of the Facebook groups targeted are Minority Magazine [Azerbaijan’s first digital magazine focusing on LGBT rights and issues] and Nefes LGBT Alliance Group.
The groups lost three years’ worth of content as a result of hacking.
Facebook page of Nafas LGBT Azerbaijan Alliance got attacked. Page is not accessible at all in search engine. It was possible to stop the deletion process of Minority, but seems like Nafas is going to be deleted once for all. Our work since 2012 is gone, written by @nabiyevcavid
Several other LGBTQI activists reported attempts to hack into their social media profiles and emails in correspondence with AIW. One of the activists Javid Nabiyev, shared via his Facebook profile his frustration with the platform itself. In an attempt to get Facebook to verify his account he was given the following response “We reviewed your account, and unfortunately, it is not eligible to be verified”.
This is not the first time, activists are targeted online in Azerbaijan. Sometimes more sophisticated technology is used as well. Facebook remains a popular online platform where journalists, independent and opposition news platforms, activists, dissidents, analysts, and observers share their opinions, publish research, and also organize. As a result, it is closely observed by the authorities. Or as one veteran analyst, Altay Goyushov said in an interview once, “Social networks are the only place where the government checks the public mood”. Not surprisingly, in February 2019, a Social Research Center was set up that “monitors public opinion” and delivers the results to the ruling government. AIW is too closely monitoring – the situation.
As for the LGBTQI community in Azerbaijan, its history is stained with systemic harassment, abuse, torture, arrests, and even death. Some of the community members have fled the country in an attempt to start a new life elsewhere.
On January 14, Azerbaijan Internet Watch reported a mass phishing attack that lasted for about a week. At the time of the report, it was possible to identify that the attacks were coming from an IP registered to the Ministry of the Interior. Almost a month later, the Qurium media foundation continues its investigation into the identity of the perpetrator.
The user @man474019 is active on hacking forums anti chat and rdot, as well as on nulled – forum used by cybercriminals to trade and purchase leaked or hacked information.
The last time our man was on antichat was February 17, 2020, likely deleting some of the remaining posts and information.
There are only four entries left on antichat that are visible – can you spot the difference between his current profile and what was there before?
Our man has also removed his avatar. In an earlier report, the man in the photo was identified as Alibay Mammadov. Unfortunately attempts to reach out to Mammadov for a comment failed.
Man must have noticed the reports. And although he may have been busy removing traces, they have already been well documented.
As we were expecting 🧐sandman4812av to delete his github account once the forensic report was released we made a backup copy.
Do not miss his interactions with Technowlogy-Pushpender/technowlogger https://t.co/OR9VTxyreu
On January 6, veteran human rights lawyer Intigam Aliyev received an email from another human rights lawyer Rasul Jafarov. Aliyev, spotted something was not right and forwarded the email he received to Javarov’s real email. This is not the first time, Jafarov is targeted. In 2017, the case was captured in detail by Amnesty International. Unlike Jafarov’s first experience, this time, the email was sent only to a handful of people (at least from what Jafarov was able to collect).
Based on the contents of the phishing email, together with Qurium , it was possible to identify the following information:
malware inside the WeTransfer link is written in python and compiled for windows;
the malware has been built using a software called technowlogger (more here);
The malware records keystrokes, passwords and sends them to a Gmail account after deactivating the antivirus program on your device;
In their forensic investigation, Qurium team was able to identify the email address: man474019 [ @ ] gmail.com. This user, has expressed interest in pen-testing tools, penetration testing and other forms of attacks in hacking forums. Including one attack against criminal.az (website currently blocked and it’s editor facing criminal prosecution).
The picture in the avatar displayed belongs to Alibay Mammadov. Together with Qurium, Azerbaijan Internet Watch suspects the attacker has stolen the identity of Mammadov.
According to this TEDx bio, Alibay Mammadov is based in Japan. He is the head of the Azerbaijan Japan Collaboration Association founded in Tokyo in 2016. The association aims to promote bilateral business relations between Japan and Azerbaijan. He is also the President of Azepro Co., Ltd. Azerbaijan Internet Watch has reached out to Mammadov, warning him of the situation however received no response in return.
The attacker seems to continue his research, as his most recent appearance in the forum was on January 14, 2020:
This, however, was not the last phishing attack.
On January 10, an independent online news platform HamamTimes was targeted with a similar phishing attack. The email came through a Gmail account that belongs to journalist Aziz Karimov.
A similar phishing attack was carried out against Azadliq Radio, Azerbaijan Service for Radio Free Europe Radio Liberty team.
On January 11, a larger group of civil society representatives received another WeTransfer link from Roberto Fasino. Fasino is the Head of the Secretariat, PACE Committee on Culture, Science, Education, and Media.
WeTransfer does not verify emails for validity when inserted in the sender or recipient box – you can insert anyone’s email. As a result, any email can be used, including that of Roberto Fasino in the sender box [see below].
According to Qurium forensics, the virus sent to HamamTimes and from Roberto Fasino is “powershell” exploit that can gain full access to a windows machine. It connects to an intermediary server where the attacker can connect to control the victim’s device. This is how the attack looks when broken down into steps:
The attacker prepared the “powershell” attack;
Obfuscate the code using HTML Guardian (HTA file);
Upload the file to We-transfer and mail to several victims [how the contact list has been obtained is still unclear – one scenario is that the sender’s email, in this case, roberto.fasino@coe.int was compromised;
Once the victim’s device is infected the attacker then continues to perform the attack performing “Reflective DLL” injection into the infected device and uploads the “merterpreter” code;
The final step, allows the attacker to have full access to a victim’s device, running commands remotely;
The forensics report also identified that the attacker has set up an account in ngrok.com service to hide his computer.
Once the virus is inside the infected device, it connects to the ngrok.com address 3.17.202.129 and port number 16885.
So far, attempts to reach ngrok.com founder Alan Shreve for a comment and assistance yield no results:
On January 14, new evidence showed the attacker was also using Facebook messenger to infect devices. The new evidence, as well as further investigations of the IP address of the attacker, revealed man474019 to be connected to the government of Azerbaijan and that this was the same location from where DDoS attacks against several independent and opposition websites were coordinated in 2017. The new report also shows that this network includes several ministries, as well as the presence of several firewalls with digital certificates signed by the national cert (cert.az)
Orkhan Shabanov, whose name and email appear in Hacking Team leaks indicated in Qurium’s report, is an employee at the Ministry of the Interior. In his capacity, Shabanov was among participants at the Open-ended intergovernmental expert group meeting to conduct a comprehensive study of the problem of cybercrime that took place in Vienna in March 2019.
What is phishing:
It is when you receive an email from someone who pretends to be someone you know, and phishes for your private information by asking you to download the attachment, or click on a link that would take you to a different page where you are prompted to enter some of your personal sensitive information, including passwords.
In 2019, Amnesty Tech released a detailed report on common phishing attacks used against journalists and rights defenders in MENA. Many of these conclusions apply to other countries as well.
The report describes the following most common types of phishing attempts:
“Reset your password” email – attacker impersonating Google alerts the owner of the account of an alleged unsuccessful login attempt. It then offers to secure the account. Once clicked on the provided link, it redirects you to a page that may look like your Gmail login page, but in fact, it is a fake;
“OAuth Phishing” – is a Web standard used to allow authentication over third-party services without the need of sharing passwords. It is used by companies like Google, Facebook, and Microsoft. According to Amnesty report, this type of phishing allows “attackers use the same architecture but in order to create malicious third-party applications and attempt to lure the targets into granting the applications access to their accounts (such as emails)”;
Google phishing abusing legitimate third-party applications – using the method, attackers abuse the authentication procedure employed by legitimate and verified third-party applications;
This post is based on the research of Azerbaijan Internet Watch and Qurium Media Foundation. A full forensic report by Quriu is available here.
Since the release of this and Qurium’s forensic report, man474019 seem to have removed some of the information from https://forum.antichat.ru/
You can see the difference from how the user profile looks now and from Wayback machine capture (July 2019). The picture is gone too.
How profile looks now.How profile looked July 2019