Editor of an online news site arrested [Updated February 24, 2024]

[Update February 24] The pre-trial detention period of Abzas Media journalist Nargiz Abusalamova was extended by another three months. 

[Update February 21] Kanal 13 director Aziz Orujov’s pre-trial detention was extended by another month.

[Update January 13] Police arrested another Abzas Media journalist – Elnara Gasimova. She was sentenced to pretrial detention on January 15, 2024, for a period of two months and 17 days. She is facing the same charges as the rest of the journalists from Abzas Media, and if found guilty, she faces between six months and eight years in prison and a fine. 

[Update December 4] Following the arrests of Kekalov, Vagifgizi, and Hasanli, three more journalists were arrested. Among them are Nargiz Abusalamova (Abzas Media reporter), Aziz Orujov (founder of online television channel Kanal 13), and Rufat Muradli (the host of the show on Kanal 13). There were also reports of a hacking attempt on Kanal 13’s YouTube channel. At least two videos were removed from the channel before Orujov’s brother could secure access to the account.

Abusalamova was questioned earlier as a witness in the investigation launched against Abzas Media. Still, authorities arrested the journalist on December 1 and sentenced her to three months in pre-trial detention. Speaking to journalists, Absalamova’s lawyer said the accusations were baseless, “The court argued that Absalamova can aid others involved in the case and hence, to prevent that from happening, her arrest was necessary.” 

[Update November 23] Mahammad Kekalov was also sentenced to three months and 27 days on the same charges. Kekalov’s lawyer, Rovshana Rahimli, told Abzas Media she finally had a chance to meet Kekalov on November 23. During the meeting, Kekalov refused to proceed with Rahimli. He told her he had already been assigned a state lawyer and that he had committed no crime and would continue working with the state-assigned lawyer. The meeting took place in the presence of a state investigator. Friends and acquaintances fear Kekalov made this decision under duress. This request was not granted despite the lawyer’s attempts to meet Kekalov without any state representative. “I was surprised to hear Kekalov’s decision. He knows me. And despite me telling him that his family hired me, he pressed with his decision. He was very calm when we talked. And he did not explain the reason why he decided to refuse my services.” In addition, several other journalists were questioned as part of the investigation on November 23 – Nargiz Absalamova, Sahila Aslanova, Mina Alyarli, and Elnare Gasimova. Ulvi Hasanli’s wife, Rubaba Guliyeva, was also questioned. 

[Update] Both Ulvi Hasanli and Sevinc Vagifgizi were sentenced by the Khatai District Court. Hasanli was sentenced to four months in pretrial detention, while Vagifgizi to three months and 29 days. 

[Update] Sevinc Vagifgizi, who was en route to Baku [on the flight from Istanbul] on November 20, was also detained at the airport, according to reporting by independent Meydan TV. Several Azerbaijani activists who were on the same flight with her told Meydan TV she was detained once the plane landed in Azerbaijan. In an interview with Meydan TV at the airport before boarding her flight to Baku, Vagifgizi said she is certain that Hasanli’s arrest is directly related to the investigative work by Abzas media on the corruption among companies owned by individuals related to the ruling family doing business in Karabakh.  Meanwhile, lawyer Zibeyde Sadighova told Meydan TV that Ulvi Hasanli is being charged with smuggling large amounts of goods or other subjects on preliminary arrangement by a group of persons [Article 206.3.2 of the Criminal Code of Azerbaijan]. On November 21, Vagifgizi was charged on similar grounds. According to Abzas media, Mahammad Kekalov, who writes about people with disabilities, was also detained on November 20. He was taken from his house against his will by plain-clothed police officers.

Abzas media also released an audio recording of Hasanli explaining what happened: “I was about to get into the taxi leaving my apartment, a car stopped in front of the taxi and a bunch of men showed up. They were all wearing masks. They called my name. I cannot recall at which point exactly I was hit. They took me there and brought me to the police station. We started arguing. Two officers hit me. Then the questioning began. They asked me why we [Abzas] did not write about Karabakh but instead wrote about corruption. “Aren’t there other problems to write about,” they asked me. The money [police claim to have found] was planted there, it is so obvious. Because of the place where they allegedly found it. It was in the hallway of the office, not even inside one of the rooms [clearly someone just dropped it there].” In a statement shared by Abaz media on their Facebook page, the platform said, “As Abzas media we inform you, that Hasanli’s detention, the search at his house and on the promises of the office, are unlawful. All that is happening is directly related to [Hasanli’s] journalism. We demand immediate release of Hasanli.”

The news of the missing journalist and editor of an online news platform Abzas Media, Ulvi Hasanli, started trickling on the morning of November 20. According to colleagues, Hasanli was en route to the airport when he went missing. The platform believes Hasanli’s arrest is over the platform’s series of investigations, exposing corruption within the government. 

In an interview with Turan News Agency, the platform’s editor-in-chief, Sevinc Vagifgizi said, “Ulvi left home at 4.30 AM and was headed to the airport. However, he never boarded the plane and has not been in touch since.” Vagifgizi added she suspected Hasanli was detained at the airport.

Az-Net Watch spoke to Hasanli’s lawyer, Zibeyde Sadishova, who confirmed that Hasanli was indeed detained, except detention took place at Hasanli’s home as he was getting ready to leave. The police searched both Hasanli’s home and the office of Abzas Media. In the latter’s case, police claimed they had discovered 40,000EUR in cash. Hasanli denied having any connection to the money. It is suspected police planted the cash during the search.

Meanwhile, the lawyer also confirmed that the home of Vagifgizi was also searched. The police did not find anything there. According to the lawyer, Hasanli was beaten by the police. 

Hasanli was most recently detained at the US Embassy in Baku when he filmed the flash mob organized by feminist activists in July 2023. A month prior, in June, Hasanli was questioned over a Facebook post that police asked he remove. In the post, Hasanli shared the pictures of two police officers who were in charge of detaining journalists covering an environmental protest outside of the capital. 

Since 2016, Absaz media has been targeted with DDoS attacks. In 2017, the website was blocked from access inside the country, forcing the website managers to switch the website’s extension. In April 2020, the website was hacked and, as a result, lost a month’s worth of published articles, and some of the headlines changed. The platform was targeted again in February 2021. 

new report documents a decade of censorship in Azerbaijan

On July 16, Qurium Media Foundation released a report, “A Decade of Efforts To Keep Independent Azerbaijani Media Online”. 

The report highlights the work carried out by Qurium since 2010 assisting targeted independent and opposition online news platforms in Azerbaijan. “For more than a decade, Qurium has monitored and mitigated a wide range of cyberattacks against the websites and since 2016, no less than twenty forensics reports have been released to document our findings,” reads the new report.

Denial of Service attacks

During five years (2010-2015), Qurium mitigated dozens of denial of service attacks against Azerbaijani media, and was forced to invest in mitigation hardware and to increase its Internet capacity. Commercial mitigation of denial of service was not possible for Azeri media organizations as the average cost for such services was close to 1,000 Euro/month for a small website.

During 2014-2016, several corporate efforts made Denial of Service more difficult for the attackers, both Cloudflare (2014) and later Google (2016) started to offer free protection to journalists and human rights groups and many stress testing services (aka “booters”) since then were dismantled by FBI, such as the infamous VDOS Booter and the Mirai botnet.

After three years of research of development (2014-2017), Qurium built its own mitigation hardware and upgraded its Internet capacity by a factor of 200. Although the Denial of service attacks slowly had decreased since 2017, new challenges emerged. Internet Network Interference.

Internet Network Interference

In late 2013, a new type of challenge emerged when we discovered that websites artificially were slowed down. Instead of blocking the websites that clearly would expose the motivations and those responsible for the disruptions, the websites were slowed down by limiting the amount of bandwidth available to reach them. Qurium was forced to develop a method to detect “Internet Congestion” and to keep moving affected websites to other IP addresses to keep them online. Other large providers, such as Akamai, hosting other Azeri media was also slowed down and was unable to respond effectively to the challenge.

Exposing a coordinated cyberwar strategy

Starting from 2017, the cyberwar landscape changed. 

During that year, we received customized denial of service, pen testing and vulnerability scans and the first reports of targeted malware.

A series of diverse attacks and forensics analysis including tracing back the source of a malware sent to journalists helped us to confirm that new Ministry of Transport, Communications and High Technologies and the “hacker community” built around the government, sponsored cybersecurity events were actively targeting our hosted media.

After hosting and protecting Azeri media for almost seven years, we had no doubt about the actors behind the attacks, and could publicly document that a “State Actor” was orchestrating diverse forms of cyber attacks.

Deep Packet Inspection

Also in 2017, a new method used against independent and opposition media was identified by Qurium – the Deep Packet Inspection or shortly DPI. 

In April 2017, we identified that new technical means were implemented in several operators to block some of the websites. The Azeri authorities had invested in Deep Packet Inspection equipment to block the media outlets once and for all.

By the end of April 2017 Qurium learned that there were a court order against some of our hosted media organizations. To our surprise, the websites under Deep Packet Inspection were many more than the ones mentioned in the court order. The court order stated that the listed websites (Azadliq.info, Azadliq.org, Azerbaycansaati.com, Meydan.tv and Turan TV) were “creating threats to the legitimate interests of the state and society” and must therefore be blocked.

After two years of research between 2017-2019, Qurium identified the use of DPI hardware from Allot Communications and Sandvine inside several operators in Azerbaijan.

Website flooding, phishing, and more

By 2018, many of the “stress testing services” often used to launch the Denial of Service attacks had been dismantled world wide. The attackers were forced to find new alternatives to conduct their traffic floods aiming to take the websites offline. During another forensic investigation we traced back this new source of denial of service to Russian Fineproxy (Region40). By identifying the service provider used to conduct the attacks, we could not only expose their business practices but also their management that kindly disabled the account of the attacker.

In late 2018, Denial of Service became a second priority in the strategy to harass Azeri media and once again other means were needed.

By April 2020, Qurium could finally link the denial of service attacks launched using Fineproxy service with the very same threat actor from the Ministry of Internal Affairs: sandman. Access to sandman github account provided us with a good insight of the toolset that was being used against online media and journalists in Azerbaijan.

A final report of our findings showed even more advanced capabilities, like the ability to create fake SMS or hijack SMS sent to the journalists giving the attackers the ability to take control over their social media accounts.

Phishing remains a major attack vector against journalists and human right activists, the latest phishing campaign in early July 2021 impersonated human rights watch so as to implant a malware capable of recording the desktop and webcam or exfiltrate all important documents of the victims.

Conclusion

What started in 2010 and went on for years with Denial of service attacks using third party stress testing services was extended with more sophisticated attacks in 2017 including targeted phishing and the introduction of dedicated hardware to block the websites using technologies as DART from Allot and PCEF from Sandvine.

The national blocking of many websites, not always supported by legal court orders, has been weaponized to limit visibility of the media in the country. Despite our multiple efforts to provide alternatives to make the content available, the blocking has had a huge impact in the revenue creation of the alternative media and the growth of readership.

After the introduction of Internet blocking by means of more sophisticated deep packet inspection against alternative websites in 2018, many of the blocked media opted to increase their presence in Facebook but that has proven to be an advantageous situation for the Azeri government and their secret cyber operations as Facebook has showed a bad track record in dealing with “coordinated inauthentic behavior” in the country.

You can read the full report here.

popular citizen journalist and activist detained

On March 14, citizen journalist Mehman Huseynov and member of NIDA civic movement Ulvi Hasanli were detained by the police. Speaking to Turan News Agency, Mehman Huseynov said, police stopped both men while on an assignment, in Novkhani village, investigating Saleh Mammadov, a government official who is the Chairman of the Board of the Azerbaijan State Agency of Motor Roads. “We were stopped by the Road Patrol Service. They took us to the  Absheron District Police office [Novkhani village is situated in Absheron administrative district]. They questioned us there. Took my drone.” Huseynov also said, after getting questioned at the police department, they were taken to a location they did not know as their eyes were tied. At the time, journalist Ulviyya Ali reported that both men were transferred to the Grave Crimes Unit. 

After being held for several more hours both men were released, but authorities kept the drone. 

In their statement, the Ministry of the Interior said, the operation of the drone, was illegal, even though according to Azerbaijan’s national aviation authority, the State Civil Aviation Authority of Azerbaijan (CAA), flying a drone is legal in Azerbaijan. That being said, there is no law or state regulations on flying drones in Azerbaijan. According to this BBC Azerbaijan service story from 2019, before flying a personal drone, the owner must seek permision first from the State Civil Aviation Authority.

Mehman Huseynov is the author of a popular Sancaq TV, a socio-political magazine, which documents extensive corrupt practices and violations of human rights in Azerbaijan. 

In 2017, shortly after President Ilham Aliyev, appointed his wife, Mehriban Aliyeva as the First Vice President, Huseynov did a short video, asking male residents of Baku, whether they would appoint their wives as first secretaries if they were heads of companies. Huseynov was arrested the following day and later ended up serving a two-year prison term on charges of slander. Some speculated this satirical video was the real cause behind the journalist’s arrest. 

Ahead of his release from jail in 2019, the authorities attempted at keeping him behind bars, albeit unsuccessfully, and Huseynov was released. 

This is not the first time Huseynov was persecuted for his activities. He was questioned by the police countless times, threatened, intimidated, placed under a travel ban for five years, his personal documents were confiscated. The Human Rights House Foundation has documented in detail the reprisals against Huseynov in recent years. On March 9, AIW reported that Sancaq TV’s Facebook page was targeted in a series of hacking attempts and numerous fake Sancaq TV Facebook pages were set up. It was possible to remove only of those pages, as Facebook found no evidence that the other pages, were impersonating Sancaq TV due to lack of content shared on these pages.

Ulvi Hasanli is a member of NIDA civic union. He is also an editor of abzas.net, a news website covering human rights violations across the country. The website has been targeted since 2016 with DDoS attacks. In 2017 the website was blocked and the management team switched its extension to .org. Most recently the platform was targeted in February of this year. In April 2020, the website lost a month’s worth of published articles and some of the headlines of articles were changed.

OONI measurements indicate censorship remains

In its most recent measurement report, the Open Observatory of Network Interference [OONI] concludes that “while social media censorship in Azerbaijan appears to have been lifted, the media censorship remains.” These and other findings are based on the recent measurement report produced in partnership with OONI. 

Here are some highlights.

Blocked websites

The news websites that presented signs of blocking in Azerbaijan (between December 2020 to February 2021) include:

🛑 azerbaycansaati.tv – at the time of blocking azerbaycansaati.tv in 2017, the Government of Azerbaijan claimed “a number of articles published” by the news website “included calls aimed at ‘forcible change of the constitutional order,’ ‘organization of mass riots,’ and other illegal activities.” 

🛑 www.24saat.org – a more detailed report about how 24saat.org was blocked can be found in this report, published by Qurium in 2017. 

🛑 www.abzas.net – DDoS attacks against abzas.net commenced on January 12, 2017, and lasted for eight days. During five full consecutive days, the website remained inaccessible until it was finally migrated to VirtualRoad.org’s secure hosting infrastructure.

🛑 www.azadliq.info – as a hosting provider for azadliq.info Qurium published this report about initial signs of blocking against this online news platform. The website was attacked numerous times according to documentation and forensic reports by Qurium. The technology deployed in these DDoS attacks was Allot and Sandvine DPI gear.

🛑 www.azadliq.org – the news website which represents the Azerbaijan Service for Radio Free Europe, was blocked on March 27, 2017. 

🛑 www.gununsesi.org – signs of DPI technology used in blocking gununsesi.org were once again documented by Qurium.

🛑 www.kanal13.tv – was among blocked websites in 2017 while its editor prosecuted [charges were dropped three years later.] 

🛑 www.meydan.tv – was also among the websites that were blocked in 2017 together with azerbaycansaati, azadliq.info and others. 

🛑 www.occrp.org – in response to the leaks about Azerbaijan Laundromat published by the Organized Crime and Corruption Research Project [OCCRP], the government of Azerbaijan suspended access to OCCRP’s website.

There is no official data on the number of blocked websites in Azerbaijan. The Ministry of Communication, High Technologies and Transportation has so far failed to provide accurate lists. This in itself is a violation of Article 13.3.6 of the Law on Information, Informatisation and Access to Information, which requests the Ministry to prepare a list of blocked websites if it has blocked access to a resource and the court upheld this decision.

In July 2018, the Prosecutor General’s Office launched criminal investigations against four news websites: criminal.az, bastainfo.com, topxeber.az and fia.az. The former two were accused of “knowingly spreading false information,” while the latter two were accused of “spreading unfounded, sensational claims in order to confuse the public.” Criminal.az is an independent website, known for its coverage of crime-related news, while bastainfo.com is affiliated with the opposition party Musavat. The latter two are run-of-the-mill online news websites.

In addition to the usual suspects, video streaming service Vimeo appeared to be briefly blocked during the testing coverage:

Circumvention

Several circumvention tool websites appear to have been interfered with in Azerbaijan during the testing period, as illustrated below:

The good news are that access to social media sites and apps was restored during the testing period. The following chart shows that while WhatsApp and Telegram were blocked in November 2020, both apps (along with Facebook Messenger) have been accessible in recent months:

How you can help?

If you are interested in contributing to these tests you are welcome to try the following instructions

news agency website DDoSed [updated]

Turan, Azerbaijan’s independent news agency was subject to multiple DDoS (Distributed Denial of Service) attacks and was briefly blocked. 

The incident took place between May 15 through 18.

The Agency’s Director, Mehman Aliyev said the hosting provider for the news agency failed due to an overwhelming amount of incoming traffic.

In an interview with AIW, Aliyev said the team spotted something was wrong on May 15 and immediately informed the host providers. “We were forced to stall all the work on the website by May 16 as the attacks were very serious. And although the website is operational, it will take time to fully secure the platform,” explained Aliyev. 

A DDoS attack makes an online service unavailable as a result of incoming traffic from multiple sources making the hosting server unable to run as usual.

The agency head suspects authorities may be behind the attacks. “The equipment purchased by the authorities is being used not only against independent online news platforms, but also on Facebook, where political activists, journalists, and the news’ social media pages are targeted,” said Aliyev in an interview with AIW.

This is not the first time online news platforms are DDoSed in Azerbaijan

Over the years, authorities have been targeting Facebook pages and profiles of popular political activists as well as media platforms.

Responding to the attacks, Reporters Without Borders condemned the attacks:

Meanwhile, on May 21, Investigative journalist, Khadija Ismayilova wrote that the Ministry of Communication, High Technologies, and Communication has sought court approval to prevent access to online news platforms Azadliq Radio, Meydan TV, Turan TV, and Azadliq newspaper via Facebook and VPN services.

Equipment

According to detailed reporting carried out in April 2018, by Virtual Road—a secure hosting project run by the media foundation Qurium, the government of Azerbaijan has been relying on Deep Packet Inspection (DPI) since March 2017. This equipment was purchased from an Israeli security company called Allot Communications. Reports by Virtual Road have shown evidence of the denial of service and other attacks against independent and opposition media news sites, that were traced to IP addresses associated with the government. This timeline describes how over the years, the government in Azerbaijan became aware of digital tools, for targeting civil society, especially at the time when much of the conversation was shifting online, amid on-going crackdown. 

AIW has been monitoring these and other attacks since October 2019: 

  • in October opposition movement Facebook page was hacked;
  • in November, a political figure’s Facebook page was hacked;
  • in December, leader of an opposition party had his Instagram account hacked into;
  • also in December, an activist’s YouTube channel was targeted;
  • in January, mass phishing attack targeted a significant number of civil society representatives;
  • also in January, the political figure targeted in October via her Facebook page was once again a target;
  • in February, several social media accounts affiliated with an opposition party were hacked;
  • in March, Facebook pages affiliated with an online news platform were targeted;
  • also in March, a group of activists was targeted online;
  • in April, journalist’s YouTube channel was targeted and videos were taken down;
  • also in April, a journalist was targeted online in a targeted online harassment campaign; 
  • also in April, former political prisoner, parliamentary candidate reported multiple break-in attempts into his social media platforms – Facebook, Twitter, and Instagram;
  • in May, political figure targeted in November and in January was yet again, a target;
  • and other forms of legal constraints and technical interference.

 

During C19 authorities paid special attention to social media platforms and targeted several activists calling them in for questioning, arresting them, or imposing fines.

Mehman Aliyev considers these attacks an attempt to suffocate free speech. In an interview with Azadliq Radio in April, the head of Turan News Agency, said, “based on our previous experience we know it is the government behind the attacks. It is just now, they are more serious.” Aliyev believes it is the fear of the looming financial crisis and the social tension that is making the ruling government fearful of any criticism.