new report documents a decade of censorship in Azerbaijan

On July 16, Qurium Media Foundation released a report, “A Decade of Efforts To Keep Independent Azerbaijani Media Online”. 

The report highlights the work carried out by Qurium since 2010 assisting targeted independent and opposition online news platforms in Azerbaijan. “For more than a decade, Qurium has monitored and mitigated a wide range of cyberattacks against the websites and since 2016, no less than twenty forensics reports have been released to document our findings,” reads the new report.

Denial of Service attacks

Over five years (2010-2015), Qurium mitigated dozens of denial of service attacks against Azerbaijani media, and was forced to invest in mitigation hardware and to increase its Internet capacity. Commercial denial of service mitigation was not an option for Azeri media organizations, as the average cost of such services was close to 1,000 Euro/month for a small website.

During 2014-2016, several corporate efforts made Denial of Service more difficult for the attackers. Both Cloudflare (2014) and later Google (2016) started to offer free protection to journalists and human rights groups, and many stress testing services (aka “booters”) have since been dismantled by the FBI, such as the infamous VDOS Booter and the Mirai botnet.

After three years of research and development (2014-2017), Qurium built its own mitigation hardware and upgraded its Internet capacity by a factor of 200. Although the Denial of Service attacks had slowly decreased since 2017, a new challenge emerged: Internet network interference.

Internet Network Interference

In late 2013, a new type of challenge emerged when we discovered that websites were being artificially slowed down. Instead of blocking the websites, which would clearly expose the motivations and those responsible for the disruptions, the websites were slowed down by limiting the amount of bandwidth available to reach them. Qurium was forced to develop a method to detect “Internet Congestion” and to keep moving affected websites to other IP addresses to keep them online. Other large providers hosting other Azeri media, such as Akamai, were also slowed down and were unable to respond effectively to the challenge.

Exposing a coordinated cyberwar strategy

Starting from 2017, the cyberwar landscape changed. 

During that year, we faced customized denial of service attacks, pen testing and vulnerability scans, and received the first reports of targeted malware.

A series of diverse attacks and forensic analyses, including tracing back the source of malware sent to journalists, helped us to confirm that the new Ministry of Transport, Communications and High Technologies and the “hacker community” built around government-sponsored cybersecurity events were actively targeting our hosted media.

After hosting and protecting Azeri media for almost seven years, we had no doubt about the actors behind the attacks, and could publicly document that a “State Actor” was orchestrating diverse forms of cyber attacks.

Deep Packet Inspection

Also in 2017, Qurium identified a new method used against independent and opposition media: Deep Packet Inspection, or DPI for short.

In April 2017, we identified that new technical means had been deployed at several operators to block some of the websites. The Azeri authorities had invested in Deep Packet Inspection equipment to block the media outlets once and for all.

By the end of April 2017, Qurium learned that there was a court order against some of our hosted media organizations. To our surprise, the websites under Deep Packet Inspection were many more than the ones mentioned in the court order. The court order stated that the listed websites (Azadliq.info, Azadliq.org, Azerbaycansaati.com, Meydan.tv and Turan TV) were “creating threats to the legitimate interests of the state and society” and must therefore be blocked.

After two years of research between 2017 and 2019, Qurium identified the use of DPI hardware from Allot Communications and Sandvine inside several operators in Azerbaijan.

Website flooding, phishing, and more

By 2018, many of the “stress testing services” often used to launch the Denial of Service attacks had been dismantled worldwide. The attackers were forced to find new alternatives to conduct their traffic floods aiming to take the websites offline. During another forensic investigation, we traced this new source of denial of service back to Russian Fineproxy (Region40). By identifying the service provider used to conduct the attacks, we could not only expose their business practices but also their management that kindly disabled the account of the attacker.

In late 2018, Denial of Service became a second priority in the strategy to harass Azeri media and once again other means were needed.

By April 2020, Qurium could finally link the denial of service attacks launched using the Fineproxy service with the very same threat actor from the Ministry of Internal Affairs: sandman. Access to sandman's GitHub account gave us good insight into the toolset that was being used against online media and journalists in Azerbaijan.

A final report of our findings showed even more advanced capabilities, like the ability to create fake SMS or hijack SMS sent to the journalists, giving the attackers the ability to take control over their social media accounts.

Phishing remains a major attack vector against journalists and human rights activists. The latest phishing campaign, in early July 2021, impersonated Human Rights Watch in order to implant malware capable of recording the desktop and webcam or exfiltrating all important documents of the victims.

Conclusion

What started in 2010 and went on for years with Denial of Service attacks using third party stress testing services was extended in 2017 with more sophisticated attacks, including targeted phishing and the introduction of dedicated hardware to block the websites using technologies such as DART from Allot and PCEF from Sandvine.

The national blocking of many websites, not always supported by legal court orders, has been weaponized to limit visibility of the media in the country. Despite our multiple efforts to provide alternatives to make the content available, the blocking has had a huge impact on the revenue creation of the alternative media and the growth of readership.

After the introduction of Internet blocking by means of more sophisticated deep packet inspection against alternative websites in 2018, many of the blocked media opted to increase their presence on Facebook, but that has proven to be an advantageous situation for the Azeri government and their secret cyber operations, as Facebook has shown a bad track record in dealing with “coordinated inauthentic behavior” in the country.

You can read the full report here.

popular citizen journalist and activist detained

On March 14, citizen journalist Mehman Huseynov and member of NIDA civic movement Ulvi Hasanli were detained by the police. Speaking to Turan News Agency, Mehman Huseynov said police stopped both men while they were on an assignment in Novkhani village, investigating Saleh Mammadov, a government official who is the Chairman of the Board of the Azerbaijan State Agency of Motor Roads. “We were stopped by the Road Patrol Service. They took us to the Absheron District Police office [Novkhani village is situated in Absheron administrative district]. They questioned us there. Took my drone.” Huseynov also said that, after being questioned at the police department, they were taken to a location they did not know as they were blindfolded. At the time, journalist Ulviyya Ali reported that both men were transferred to the Grave Crimes Unit.

After being held for several more hours both men were released, but authorities kept the drone. 

In their statement, the Ministry of the Interior said the operation of the drone was illegal, even though according to Azerbaijan’s national aviation authority, the State Civil Aviation Authority of Azerbaijan (CAA), flying a drone is legal in Azerbaijan. That being said, there is no law or state regulations on flying drones in Azerbaijan. According to this BBC Azerbaijan service story from 2019, before flying a personal drone, the owner must first seek permission from the State Civil Aviation Authority.

Mehman Huseynov is the author of the popular Sancaq TV, a socio-political magazine which documents extensive corrupt practices and violations of human rights in Azerbaijan.

In 2017, shortly after President Ilham Aliyev appointed his wife, Mehriban Aliyeva, as the First Vice President, Huseynov made a short video asking male residents of Baku whether they would appoint their wives as first secretaries if they were heads of companies. Huseynov was arrested the following day and later ended up serving a two-year prison term on charges of slander. Some speculated this satirical video was the real cause behind the journalist’s arrest.

Ahead of his release from jail in 2019, the authorities attempted to keep him behind bars, albeit unsuccessfully, and Huseynov was released.

This is not the first time Huseynov was persecuted for his activities. He was questioned by the police countless times, threatened, intimidated, and placed under a travel ban for five years, and his personal documents were confiscated. The Human Rights House Foundation has documented in detail the reprisals against Huseynov in recent years. On March 9, AIW reported that Sancaq TV’s Facebook page was targeted in a series of hacking attempts and numerous fake Sancaq TV Facebook pages were set up. It was possible to remove only of those pages, as Facebook found no evidence that the other pages were impersonating Sancaq TV due to lack of content shared on these pages.

Ulvi Hasanli is a member of NIDA civic union. He is also an editor of abzas.net, a news website covering human rights violations across the country. The website has been targeted since 2016 with DDoS attacks. In 2017 the website was blocked and the management team switched its extension to .org. Most recently the platform was targeted in February of this year. In April 2020, the website lost a month’s worth of published articles and some of the headlines of articles were changed.

OONI measurements indicate censorship remains

In its most recent measurement report, the Open Observatory of Network Interference [OONI] concludes that “while social media censorship in Azerbaijan appears to have been lifted, the media censorship remains.” These and other findings are based on the recent measurement report produced in partnership with OONI. 

Here are some highlights.

Blocked websites

The news websites that presented signs of blocking in Azerbaijan (between December 2020 and February 2021) include:

🛑 azerbaycansaati.tv – at the time of blocking azerbaycansaati.tv in 2017, the Government of Azerbaijan claimed “a number of articles published” by the news website “included calls aimed at ‘forcible change of the constitutional order,’ ‘organization of mass riots,’ and other illegal activities.” 

🛑 www.24saat.org – a more detailed report about how 24saat.org was blocked can be found in this report, published by Qurium in 2017. 

🛑 www.abzas.net – DDoS attacks against abzas.net commenced on January 12, 2017, and lasted for eight days. During five full consecutive days, the website remained inaccessible until it was finally migrated to VirtualRoad.org’s secure hosting infrastructure.

🛑 www.azadliq.info – as a hosting provider for azadliq.info Qurium published this report about initial signs of blocking against this online news platform. The website was attacked numerous times according to documentation and forensic reports by Qurium. The technology deployed in these DDoS attacks was Allot and Sandvine DPI gear.

🛑 www.azadliq.org – the news website which represents the Azerbaijan Service for Radio Free Europe, was blocked on March 27, 2017. 

🛑 www.gununsesi.org – signs of DPI technology used in blocking gununsesi.org were once again documented by Qurium.

🛑 www.kanal13.tv – was among blocked websites in 2017 while its editor was prosecuted [charges were dropped three years later].

🛑 www.meydan.tv – was also among the websites that were blocked in 2017 together with azerbaycansaati, azadliq.info and others. 

🛑 www.occrp.org – in response to the leaks about Azerbaijan Laundromat published by the Organized Crime and Corruption Research Project [OCCRP], the government of Azerbaijan suspended access to OCCRP’s website.

There is no official data on the number of blocked websites in Azerbaijan. The Ministry of Communication, High Technologies and Transportation has so far failed to provide accurate lists. This in itself is a violation of Article 13.3.6 of the Law on Information, Informatisation and Access to Information, which requests the Ministry to prepare a list of blocked websites if it has blocked access to a resource and the court upheld this decision.

In July 2018, the Prosecutor General’s Office launched criminal investigations against four news websites: criminal.az, bastainfo.com, topxeber.az and fia.az. The former two were accused of “knowingly spreading false information,” while the latter two were accused of “spreading unfounded, sensational claims in order to confuse the public.” Criminal.az is an independent website, known for its coverage of crime-related news, while bastainfo.com is affiliated with the opposition party Musavat. The latter two are run-of-the-mill online news websites.

In addition to the usual suspects, video streaming service Vimeo appeared to be briefly blocked during the testing coverage:

Circumvention

Several circumvention tool websites appear to have been interfered with in Azerbaijan during the testing period, as illustrated below:

The good news is that access to social media sites and apps was restored during the testing period. The following chart shows that while WhatsApp and Telegram were blocked in November 2020, both apps (along with Facebook Messenger) have been accessible in recent months:

How can you help?

If you are interested in contributing to these tests you are welcome to try the following instructions

news agency website DDoSed [updated]

Turan, Azerbaijan’s independent news agency, was subject to multiple DDoS (Distributed Denial of Service) attacks and was briefly blocked.

The incident took place between May 15 and 18.

The Agency’s Director, Mehman Aliyev said the hosting provider for the news agency failed due to an overwhelming amount of incoming traffic.

In an interview with AIW, Aliyev said the team spotted something was wrong on May 15 and immediately informed the host providers. “We were forced to stall all the work on the website by May 16 as the attacks were very serious. And although the website is operational, it will take time to fully secure the platform,” explained Aliyev. 

A DDoS attack makes an online service unavailable as a result of incoming traffic from multiple sources making the hosting server unable to run as usual.

The agency head suspects authorities may be behind the attacks. “The equipment purchased by the authorities is being used not only against independent online news platforms, but also on Facebook, where political activists, journalists, and the news’ social media pages are targeted,” said Aliyev in an interview with AIW.

This is not the first time online news platforms are DDoSed in Azerbaijan

Over the years, authorities have been targeting Facebook pages and profiles of popular political activists as well as media platforms.

Reporters Without Borders condemned the attacks.

Meanwhile, on May 21, investigative journalist Khadija Ismayilova wrote that the Ministry of Communication, High Technologies, and Communication has sought court approval to prevent access to online news platforms Azadliq Radio, Meydan TV, Turan TV, and Azadliq newspaper via Facebook and VPN services.

Equipment

According to detailed reporting carried out in April 2018 by Virtual Road, a secure hosting project run by the media foundation Qurium, the government of Azerbaijan has been relying on Deep Packet Inspection (DPI) since March 2017. This equipment was purchased from an Israeli security company called Allot Communications. Reports by Virtual Road have shown evidence of denial of service and other attacks against independent and opposition media news sites that were traced to IP addresses associated with the government. This timeline describes how, over the years, the government in Azerbaijan became aware of digital tools for targeting civil society, especially at the time when much of the conversation was shifting online, amid an ongoing crackdown.

AIW has been monitoring these and other attacks since October 2019: 

  • in October, an opposition movement's Facebook page was hacked;
  • in November, a political figure’s Facebook page was hacked;
  • in December, the leader of an opposition party had his Instagram account hacked into;
  • also in December, an activist’s YouTube channel was targeted;
  • in January, mass phishing attack targeted a significant number of civil society representatives;
  • also in January, the political figure targeted in October via her Facebook page was once again a target;
  • in February, several social media accounts affiliated with an opposition party were hacked;
  • in March, Facebook pages affiliated with an online news platform were targeted;
  • also in March, a group of activists was targeted online;
  • in April, a journalist’s YouTube channel was targeted and videos were taken down;
  • also in April, a journalist was targeted in an online harassment campaign;
  • also in April, a former political prisoner and parliamentary candidate reported multiple break-in attempts into his social media platforms – Facebook, Twitter, and Instagram;
  • in May, the political figure targeted in November and in January was yet again a target;
  • and other forms of legal constraints and technical interference.

 

During COVID-19, authorities paid special attention to social media platforms and targeted several activists, calling them in for questioning, arresting them, or imposing fines.

Mehman Aliyev considers these attacks an attempt to suffocate free speech. In an interview with Azadliq Radio in April, the head of Turan News Agency said, “based on our previous experience we know it is the government behind the attacks. It is just now, they are more serious.” Aliyev believes it is the fear of the looming financial crisis and the social tension that is making the ruling government fearful of any criticism.