journalists, rights defenders, activists targeted with Pegasus – a global investigation

An international collaborative reporting on the #PegasusProject released simultaneously by a number of international media, including The Guardian, the Wire India, the Washington Post, and OCCRP among 12 others, the global investigation documents how NSO Group, an Israeli surveillance company, sold Pegasus, a hacking software, to authoritarian regimes to target human rights activists, journalists, and lawyers across the world based on an investigation into a massive data leak. The investigation and the list were coordinated and obtained by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International.

Among the countries revealed to be using Pegasus was also Azerbaijan.

Ever since traces of surveillance technology were revealed to be in use to targeted civil society in Azerbaijan, there were suspicions that among the technology deployed, was also Pegasus. The most recent investigation, confirms these suspicions.

The data leak, containing some 50,000 phone numbers also showed that some of the people identified as owners of the targeted phone numbers were people of interest by clients of NSO since 2016.

According to OCCRP, at least 1000 of those numbers are from Azerbaijan.

“Reporters spent months establishing the identity of the people behind the numbers, and succeeded in verifying nearly a quarter. While NSO Group describes itself as a company that helps governments detect and prevent terrorism and crime, the list of Azerbaijanis selected for targeting shows how the tool was systematically abused. All but a few of the numbers identified by reporters belonged to journalists, activists, lawyers, and members of the country’s beleaguered opposition.

Of the 245 Azerbaijani phone numbers on the list that were identified, a fifth belonged to reporters, editors, or media company owners.”

In its response, NSO Group, “claimed the data used by reporters was misinterpreted and that it does not allow its clients to abuse its software, which, it reiterated, is meant only to surveil criminals and terrorists,” while not responding to specific questions about Azerbaijan.

“NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.”

Among identified journalists and activists on the list are:

  • Khadija Ismayilova, journalist
  • Sevinc Vagifgizi, journalist, Meydan TV
  • Fatima Movlamli, activist/journalist
  • Ilkin Rustamzade, activist, and his former wife Amina
  • Nine current and former journalists from Azadliq.info
  • Bahaddin Haziyev, editor, “Bizim Yol” newspaper
  • Elkhan Shukurlu, editor-in-chief of Strateq.az
  • Avaz Zeynalli, editor-in-chief of Khural
  • Anar Orujov, founder of Kanal 13
  • Aziz Orujov, director of Kanal 13
  • Rauf Arifoglu, editor in chief of Musavat newspaper
  • Mehman Huseynov, former political prisoner, and citizen journalist
  • Bayram Mammadov (who died in Istanbul earlier this year) and Giyas Ibrahimov – the graffiti prisoners (Mammadov, his father, and Ibrahimov’s mother are all on the list

According to OCCRP, the list also includes “more than 40 Azerbaijani activists and their family members on the list. Their presence on the list begins in 2019.”

In its report, the Washington Post writes, “the list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.”

“The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministersalso appeared on the list.

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.”

How does Pegasus work

According to Access Now, since 2016, some 46 countries were identified where NSO Group’s Pegasus has been in use. “Reports from Access NowCitizen Lab, and others all show that an alarming number of people targeted using Pegasus have been journalists, lawyers, and activists, whose only crime was speaking out against and reporting on the injustices in their home countries.”

In March of this year, AIW reported on a France-based blogger, whose phone too may have potentially been infected with Pegasus. At the time, there was only suspicion and no conclusive evidence. While this still may be the case, three months later, it is now confirmed, that not only the government in Azerbaijan has been using various methods, to crack down on dissent with arrests, intimidation, and physical threats against civil society, but that it has been doing so using authoritarian technology including Pegasus.

facebook page affiliated with opposition hacked, again

On September 10, the Facebook page that belongs to an online news website bastainfo.com was hacked. Bastainfo.com is affiliated with the opposition party Musavat and is known for often running into problems with the authorities. Its editor was handed a five year suspended sentence in February 2019. The website bastainfo.com remains blocked for access in Azerbaijan. 

In January 2020, Azerbaijan Internet Watch reported how several Musavat party social media accounts were targeted. According to preliminary reports five Facebook pages, one Facebook group, and one website were targeted. 

Bastainfo.com page was targeted then as well. The page lost followers. During last week’s attack, bastainfo.com page lost some 5k followers, and content that was shared since 2017. 

Hacking and compromising Facebook, Instagram, and YouTube accounts (because these are popular platforms used by journalists and activists) is common in Azerbaijan and isn’t new. The online harassment of prominent accounts began several years ago at first, mostly on the level of government-sponsored trolls. Over the years, as the ruling government developed an interest in spyware technology, the types of attacks became more sophisticated while state-sponsored trolling and reliance on automated bots even though still used, became secondary. In each of these cases, finding the perpetrators have not been possible. And in cases when it was clear the attacker was an automated bot/state-sponsored troll the platform took no action. We finally know why. A former Facebook employee, Sophie Zhang, wrote a memo after getting fired from her job at the company revealing how the company dealt with fake accounts and bots. Among the countries, she has worked on and analyzed was Azerbaijan. “Ms. Zhang discovered that the ruling political party in Azerbaijan was also using false accounts to harass opposition figures. She flagged the activity over a year ago, she said, but Facebook’s investigation remains open and officials have not yet taken action over the accounts.” 

social media activist arrested [updated June 22]

[Update] On June 17, Irshadov was reportedly detained over a social media post. According to Meydan TV, the blogger was detained for criticizing a new quarantine rule restricting the reopening of some mosques that was introduced by the Cabinet of Ministers. Irshadov was released after a preventative discussion, reported Meydan TV.

May 18, activist Elvin Irshadov, known online as “Umari Ali” was reportedly arrested in the city of Lenkoran. A court in Lenkoran sentenced Irshadov to 16days in administrative detention on charges of disobeying police orders on May 19.

Irshadov is known for his critical posts online and has been previously warned by city police over his online activism. In one of his recent social media posts, Irshadov criticized authorities over the recent dismissals of city administrative officials calling it a political cover-up.

Irshadov, is not the first activist targeted for online activism. In recent weeks, scores of activists were targeted by authorities across the country.

independent news site hacked

On the morning of April 22, an independent online news platform, abzas.net noticed strange activity on its website. Not only did the website lose, a month worth of published articles, but that some articles’ headlines were also changed. 

In an interview with AIW, the website’s editor Ulvi Hasanli confirmed the attack. Hasanli said, this was not the first time, the website was under attack. “We have experienced DDoS attacks every month for a year between 2016 and 2017. Eventually, abzas.net was blocked in Azerbaijan and the website switched to .org”. 

Hasanli confirmed that the team was able to restore back the missing articles and reverted back changed headlines. 

While the team continues to investigate the source behind the attack, in an interview with Azadliq Radio, Hasanli said, they will seek legal remedy once they have sufficient evidence.