activist’s personal messages leaked after hacking

Last year, ahead of International Women’s Day March, one of the activists and organizers of the March in Baku had her Facebook, Gmail, Protonmail, and Telegram accounts compromised.

At the time, Gulnara Mehdiyeva reported that a hacker who got access to her Gmail account downloaded her archive of documents and photographs, some of which were sensitive. Mehdiyeva offers support to victims of domestic violence and abuse, and is an advocate for gender equality in Azerbaijan.

In the course of the next 48 hours, Mehdiyeva’s Facebook account was hacked and her admin privileges at some of the Facebook groups that focus on women’s rights and LGBTQI were revoked. These groups were suspended and one was deactivated. Thousands of subscribers and content were also lost as a result.

A year later, on February 25, Mehdiyeva was targeted in a different online campaign. The private audio messages obtained from Mehdiyeva’s Facebook account, which was hacked last year, were leaked online by one Facebook page, Tənqidçi [translation: Critic]. The group that leaked the audio recording accused Mehdiyeva of being emotionally unstable, questioning her ability to help victims of abuse, as well as of alleged involvement in a recent suicide of a young girl. In another post, the page admin shared a post from a Facebook user humiliating Mehdiyeva and her work.

The Facebook page in question shares posts from its readers and other content the admins find interesting. In one recent post, the admins shared how a group of Azerbaijani men have been exchanging pictures and private information about their former girlfriends. The admins of the page claim the men are violating several articles of the criminal code by doing this, and yet, in a post targeting Mehdiyeva, the admins were doing just that. Deliberate online targeting

Journalist questioned over alleged extortion charges

On December 14, freelance journalist Nurlan Gahramanli (Libre) reported being questioned at the Baku City Main Police Department over alleged extortion charges. Gahramanli refutes the claims and believes the reason for his persecution is his live coverage of the Victory Day protests on December 10, which he did over Facebook.

“A police officer named Fuad Babayev invited me to the bureau. He told me that I have allegedly blackmailed a man named Tabriz Ahliyarli via ‘Orange Media’ Instagram account in November [the account previously managed by Gahramanli, but which he no longer has access to according to Gahramanli himself]. I told him, I never heard of the name,” the journalist told Meydan TV. Gahramanli does not rule out that the allegation of blackmail and extortion is the work of the Organized Crime department that detained and questioned Gahramanli on October 30. During his detention, his phone was confiscated and the department had access to it. Gahramanli believes it is possible that the department employees established contact with Tabriz Ahliyarli using Gahramanli’s ‘Orange Media’ Instagram account to later blackmail Gahramanli and use it as proof that indeed he has made contact with the alleged victim.

“During the questioning by Fuad Babayev, I was threatened with a criminal case and imprisonment,” Gahramanli told Meydan TV. 

The journalist publicized his visit to the Organized Crime Unit via various online news platforms. The following day the Ministry of the Interior called him and told him his phone was under surveillance and that “if I continue my journalist work, persecution will continue and that I will be arrested.”

Meanwhile, the Ministry of the Interior has refuted Gahramanli’s claim that he was beaten during his detention at the Organized Crime Unit. Instead, the ministry said in an official statement that Gahramanli received a warning from the relevant authorities, following a series of complaints by “many citizens” who informed the Ministry of the Interior that Gahramanli made contacts with and befriended Armenians on social platforms, and liked and shared their public posts critical of Azerbaijan. “Nurlan Gahramanli was invited to the police following these appeals and after getting his statement, he was given a warning and released. Gahramanli’s claims that he is being prosecuted by the authorities are baseless,” said the statement.

spotted: sandvine back at it, this time, in Azerbaijan

In August, when people in Belarus took to the streets across the country in protest of election results in which incumbent President Lukashenka secured yet another victory in a contested presidential election, authorities deliberately cut the internet. Experts quickly concluded that DPI technology may be in use. By the end of August, it was reported that this DPI technology was produced by the Canadian company Sandvine and supplied to Belarus as part of a $2.5 million contract with the Russian technology supplier Jet Infosystems.

DPI (Deep Packet Inspection) is known as digital eavesdropping that allows information extraction. More broadly, as explained here, DPI “is a method of monitoring and filtering internet traffic through inspecting the contents of each packet that is transmitted through an inspection point, allowing for filtering out malware and unwanted traffic, but also real-time monitoring of communications, as well as the implementation of targeted blockings and shutdowns.”

Canadian company Sandvine is owned by American private equity firm Francisco Partners.

 

Sandvine technology has been detected in many countries across the world, including, as previously reported, Ethiopia, Iran, Turkey, and Syria. One other country where Sandvine technology was reportedly deployed is Azerbaijan.

In Azerbaijan, DPI deployments have been in use since March 2017. This was reported in January 2019, when VirtualRoad, the secure hosting project of the Qurium – Media Foundation, published a report documenting fresh attacks against the website of Azerbaijan’s oldest opposition newspaper, Azadliq (azadliq.info). The report concluded: “After ten months trying to keep azadliq.info online inside Azerbaijan using our Bifrost service and bypassing multi-million dollar DPI deployments, this is one more sign of to what extent a government is committed to information control”.

Another report, released in April 2018, showed evidence of the government of Azerbaijan using Deep Packet Inspection (DPI) since March 2017. The report also found that this specialized security equipment was purchased for 3 million USD from the Israeli security company Allot Communications.

Now, according to this story reported by Bloomberg, Sandvine worked with Delta Telecom, Azerbaijan’s main internet provider, which is owned by the government, to install a system to block live stream videos from YouTube, Facebook, and Instagram. “The social media blackout came last week after deadly clashes with Armenia. As a result, people in Azerbaijan couldn’t reach websites including Facebook, WhatsApp, YouTube, Instagram, TikTok, LinkedIn, Twitter, Zoom, and Skype, according to internet monitoring organization Netblocks,” wrote Bloomberg.

Azerbaijan Internet Watch has been monitoring the situation on the ground since September 27, the day when clashes began. Together with OONI, Azerbaijan Internet Watch reported that access to several social media applications and websites was blocked. 

Access to the Internet remains throttled in Azerbaijan as of writing this post. Many of the social media applications remain accessible only through a VPN provider. As a result, authorities have resorted to other means to prevent users from using VPN services. Organizations from banks to ISPs have encouraged users not to use VPN services, and this account on Facebook made a list of VPNs, alleging they were of Armenian origin, in order to discourage users.

facebook page affiliated with opposition hacked, again

On September 10, the Facebook page that belongs to the online news website bastainfo.com was hacked. Bastainfo.com is affiliated with the opposition party Musavat and is known for often running into problems with the authorities. Its editor was handed a five-year suspended sentence in February 2019. The website bastainfo.com remains blocked in Azerbaijan.

In January 2020, Azerbaijan Internet Watch reported how several Musavat party social media accounts were targeted. According to preliminary reports, five Facebook pages, one Facebook group, and one website were targeted.

The bastainfo.com page was targeted then as well, and it lost followers. During last week’s attack, the bastainfo.com page lost some 5k followers and content that had been shared since 2017.

Hacking and compromising Facebook, Instagram, and YouTube accounts (because these are popular platforms used by journalists and activists) is common in Azerbaijan and isn’t new. The online harassment of prominent accounts began several years ago, at first mostly at the level of government-sponsored trolls. Over the years, as the ruling government developed an interest in spyware technology, the types of attacks became more sophisticated, while state-sponsored trolling and reliance on automated bots, even though still used, became secondary. In each of these cases, finding the perpetrators has not been possible. And in cases when it was clear the attacker was an automated bot or state-sponsored troll, the platform took no action.

We finally know why. A former Facebook employee, Sophie Zhang, wrote a memo after getting fired from her job at the company, revealing how the company dealt with fake accounts and bots. Among the countries she worked on and analyzed was Azerbaijan. “Ms. Zhang discovered that the ruling political party in Azerbaijan was also using false accounts to harass opposition figures. She flagged the activity over a year ago, she said, but Facebook’s investigation remains open and officials have not yet taken action over the accounts.”

arqument.az Facebook page hacked

On June 24, Shamshad Agha, editor of the online news platform arqument.az, reported that the platform’s Facebook page was hacked.

The damage was significant, Agha told AIW. Around 11,000 page likes were deleted, as well as some 12,000 followers. All of the platform’s posts until March were also removed.

The admins have since been able to restore access to the page.

The Arqument.az website was blocked in August 2018, following a decision issued by Sabail District Court. A few days later, the Baku Court of Appeal annulled the district court’s decision. However, the website was blocked once again in April 2019 by the Ministry of Communication, Transportation and High Technologies after it published a story about protests in the Jalilabad district. This time, the blocking took place without a court order.

According to the editor, he was informed that unless he removes the reported story, the blocking will remain in place. However, the news platform refused and instead filed a lawsuit against the Ministry of Communication, Transportation and High Technologies. After that, the blocking was lifted by the Ministry while the platform’s lawsuit continues.

The website was also subject to cyber attacks following the blocking.

amendments to the legislation raise alarm in Azerbaijan

On March 18, members of Azerbaijan’s National Parliament approved proposed amendments to the Law on Information, Informatisation and Protection of Information during the first reading.

Special clauses, “information-telecommunication network” and “information-telecommunication network users”, were added to article 13.2 of the law. While there is no definition of what the “information-telecommunication network [and its users]” clause actually means, some media experts and journalists suggested this referred to social media platforms and their users. In Azerbaijan, the Ministry of Transportation, Communication and High Technologies already holds broad powers to block websites without a court order. If these recent proposed changes to the law are approved in the final reading, freedom of speech online would deteriorate further, as social media users posting content the Ministry may deem misinformation may be arrested and face charges.

One parliament member, Ganira Pashayeva, even suggested setting up a special unit that would monitor social media platforms, and hold those spreading rumors accountable. 

On March 21, Ilgar Atayev was called in for questioning and charged under article 388.1 of the Code of Administrative Offenses – sharing of prohibited information on the Internet or Internet – telecommunication networks. According to Meydan TV, an independent online news platform, although Atayev was informed that the charges were sent to court, he does not know what he is facing.

Authorities claim Atayev shared information on COVID without quoting official sources and that the shared information was false.

The Law on Information, Informatisation, and Protection of Information

This law was first adopted in 1998. On March 10, 2017, a series of restrictive amendments were added to the law, converting the law from a technical regulation into content regulation:

  • article 13.1.3 creates conditions for the regulation of domain names not with the participation of the parties of the internet community but by the relevant Ministry, which contradicts international norms, including ICANN recommendations in this regard;
  • article 13.2.3, all legal and ethical issues previously existing in various laws have been listed as prohibited information and it has been stressed that their dissemination is prohibited;
  • article 13.2.4, when the owner of the Internet information resource and its domain name posts information whose dissemination is prohibited, or receives an application about that piece of shared information, it guarantees the removal of such information from the information resource;
  • article 13.2.5, when a hosting provider finds in its information systems information whose dissemination in internet information resources is prohibited, or receives information about it, it should undertake immediate measures for its removal by the owner of the information resource;
  • article 13.3.3, in cases where there is a real threat to the lawful interests of the state and society, or in urgent cases when there is a risk to the life or health of people, access to an internet information resource is temporarily restricted directly by the Ministry of Transport, Communications and High Technologies [the restriction is applied without a court order. Although an application is made to the court, the decision to close down the online information source remains in force until the court handles the case or the decision is annulled];
  • article 13.3.6 describes the list of information resources that are “blocked”, which is curated and maintained by the Ministry [to this day, no such resource exists; however, AIW has a list of online resources that are regularly monitored, relying on OONI for blocking]. Independent legal experts believe this kind of authority is restrictive in nature, especially as all hosting and Internet providers are obliged to prevent access to these resources.

According to the law, the Ministry of Transport, High Technologies and Communication is the executive authority deciding on the type of information that is relevant, which websites get blocked, what information must be removed, and so on.