Meta’s quarterly adversarial report confirms suspicions of government sponsored targeting

This month, Meta released its pilot quarterly Adversarial Threat Report. Among the countries mentioned in the report, is Azerbaijan where the platform said it has identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

To pundits familiar with Azerbaijan as well as this platform, it was not all surprising to see the country’s name on the list. This is also not the first time, Azerbaijan’s name appears in Facebook reports on CIB either.

Ample evidence collected over the recent years indicated how a thriving community of government-sponsored [in]authentic accounts targeted independent and opposition media pages and accounts; political activists and rights defenders’ profiles; and have done so over extended periods of time, causing reputational damage to the owners of targeted accounts, spreading false information, distorting facts, and engaging openly in harassment. These and other forms of content/user manipulation on social networks have also become more explicit, and brazen.

So, while it is great that Meta has taken notice and taken measures, it is too little, too late. And here is why. 

Pre-surveillance era 

Azerbaijan users embraced Facebook when it finally expanded beyond its limited geographical scope in 2006. By 2011 the number of Facebook users in Azerbaijan was 7percent. Fast forward eleven years, and according to Azerbaijan Press Agency, this number is around 58.4percent. Since the early years of Facebook, the platform quickly became a popular tool in the hands of activists and more broadly speaking civil society. Used to organize public events and workshops, and share information, Facebook also turned into a platform for political organizing. This continues to be the case to this day. But the platform’s popularity also attracted the attention of the ruling government. Nervous, of spillover from the Arab uprisings, monitoring of the platform became a norm. Scores of activists would get whisked from the streets, for questioning over the following years for public posts calling for protests or criticizing the authorities and government institutions, and politicians. 

It was only a matter of time, before a counter-narrative, sponsored and organized by the state institutions would appear on the platform. First in the form of youth movements sympathetic to the regime, and their members who meticulously searched for any criticism of the ruling government only to argue the opposite. And then gradually transitioning into a more systematic trolling, targeting, and harassment. Facebook profiles, were replaced with Facebook pages which were created to look like profiles but in reality, were facades for hundreds of inauthentic accounts. Gradually distorting facts and targeting users by “brigading” was combined with aggressive “cyber espionage.” The latter is perhaps the most common emergency, AzNet Watch has documented in recent years. 

But back at the headquarters of Facebook, nobody knew how much of a role the platform played in Azerbaijan and in many other countries across the world where the platform was utilized as a tool for information sharing, organizing, as well a political stage of some sort that opposition activists used and continue to use for their political messaging. I once, attempted to explain that to Zuckerberg but he did not want to listen, after all, he was on his honeymoon, touring Europe and the last thing he wanted to hear was the political, and social significance of his company in countries like Azerbaijan. 

Terminology worth knowing

Before diving any deeper let me explain some of the key terms for the sake of clarity. 

Coordinated Inauthentic Behavior

Coordinated efforts to manipulate public debate for a strategic goal where fake accounts are central to the operation. There are two tiers of these activities that we work to stop: 1) coordinated inauthentic behavior in the context of domestic, non-government campaigns and 2) coordinated inauthentic behavior on behalf of a foreign or government actor.

Coordinated Inauthentic Behavior (CIB) – domestic

When we find domestic, non-government campaigns that include groups of accounts and Pages seeking to mislead people about who they are and what they are doing while relying on fake accounts, we remove both inauthentic and authentic accounts, Pages, and Groups directly involved in this activity.

Foreign or Government Interference (FGI)

If we find any instances of CIB conducted on behalf of a government entity or by a foreign actor, we apply the broadest enforcement measures including the removal of every on-platform property connected to the operation itself and the people and organizations behind it.

Brigading: adversarial networks where people work together to mass comment, mass post, or engage in other types of repetitive mass behaviors to harass others or silence them.

Mass Reporting: adversarial networks where people work together to mass-report an account or content to get it incorrectly taken down from our platform.

Cyber espionage: when actors typically target people across the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts.

Now that the terminology is out of the way, what has been Azerbaijan’s performance in Facebook/Meta’s previous reports? Not good to say the least. 

Previously, Azerbaijan was mentioned in two CIB reports both published in October 2020. “We removed 589 Facebook accounts, 7,665 Pages, and 437 accounts on Instagram linked to the Youth Union of New Azerbaijani Party. This network originated in Azerbaijan and focused primarily on domestic audiences. We identified this network through an internal investigation into suspected fake engagement activity in the region,” read the report [New Azerbaijan Party is the ruling party of Azerbaijan that’s been in power since the early years of the country’s independence.]

“While the individuals behind this activity used fake accounts — some of which had been already detected and disabled by our automated systems, they primarily relied on authentic accounts to create Pages designed to look like user profiles — using false names and stock images — to comment and artificially boost the popularity of particular pro-government content. This network appeared to engage individuals in Azerbaijan to manage Pages with the sole purpose of leaving supportive and critical commentary on Pages of international and local media, public figures including opposition and the ruling party of Azerbaijan, to create a perception of wide-spread criticism of some views and wide-spread support of others. From what we’ve seen, it appears that most of the engagement these comments received were from within this network of Pages themselves. Our analysis shows that these comments were posted in what appears to be regular shifts during working hours in Azerbaijan on weekdays.”

Here the biggest credit goes to Facebook whistleblower Sophie Zhang who was the first person to flag these inauthentic accounts and pages to her management as early as 2018 [the year of the presidential election in Azerbaijan] who only took notice after she published an internal memo detailing, how the company was ignoring manipulation of its platform by political parties and heads of government not only in Azerbaijan but in a number of other countries. Zhang was fired after leaking the memo, allegedly over “poor performance.” By then, it was clear the company had to do something. They took notice and removed hundreds of accounts and thousands of pages, reported BuzzFeedNews. 

In April 2021, Facebook said it has removed another “124 Facebook accounts, 15 Pages, six Groups and 30 Instagram accounts from Azerbaijan that targeted primarily Azerbaijan and to a much lesser extent Armenia.” The “April 2021 Coordinated Inauthentic Behavior Report” said, that the network of accounts was discovered “as a result of [Facebook’s] internal investigation.” The report identified “third-party Android applications — Postegro and Nunu,” misleading users “into giving away their Instagram credentials.” At the time [the report was published in May 2021] the company said, its CIB investigation discovered links between the accounts “to individuals associated with the Defense Ministry of Azerbaijan.”

A month before this report was published, AzNet Watch investigated brigading against Meydan TV, an independent and now exiled online newsroom: 

What does art, shopping retail, web design, sports, cosmetics, and e-commerce website have in common? Absolutely nothing, except these, are all various categories available on Facebook when setting up pages. Since 2019, Facebook removed the limit on the number of pages a user can set up. Unfortunately, Facebook did not take into account, how this innocent feature update, if in the wrong hands, can do harm. In the case of Azerbaijan, this is exactly what happened, when Meydan TV, an independent Berlin-based news platform, shared a call for applications for a program, held in partnership with Brussels-based human rights organization, International Partnership for Human Rights in February 2021.

Also in April, The Guardian published this story explaining how Facebook allowed state-backed harassment campaigns, target-independent news outlets, and opposition politicians on its platform.  The story in The Guardian looked at another case of Azerbaijani online news platform – Azad Soz (Free Speech). Its Facebook account was flooded with over 1.5k comments over a post about two men sentenced to eight months. The Guardian investigation analyzed the top 300 comments and discovers that 294 out of 300 comments were inauthentic Facebook pages.  Just like in the case of Meydan TV. 

But it was not just Meydan TV and Azad Soz that were targeted. Mikroskop Media, an independent online news platform based in Riga, too experienced similar targeting. And so did Azadliq Radio, Azerbaijan language service for Radio Liberty.

Now a year later, the new report said it, “disrupted a complex network in Azerbaijan that engaged in both cyber espionage and coordinated inauthentic behavior. It primarily targeted people from Azerbaijan, including democracy activists, opposition, journalists, and government critics abroad. This campaign was prolific but low in sophistication and was run by the Azeri Ministry of Internal Affairs. It combined a range of tactics — from phishing, social engineering, and hacking to coordinated inauthentic behavior.” The list of tactics, techniques, and procedures (TTPs) used included: compromised and spoofed websites; malware and other malicious tools; credential phishing; and finally the CIB. 

Nothing illustrates the extent of control over the platform like real examples. Last month, AzNet Watch successfully helped restore access to a popular page on Facebook, called “Humans of Azerbaijan.” It was compromised in 2017 and remained inactive until fall last year when its new admins [suspected of being the state security services] started posting compromising content targeting various civil society activists. Eventually, the account was returned to its original owner, Mehman Huseynov. But its comeback was short. Earlier this month, the account was compromised yet again. The perpetrators argued with Facebook that Huseynov was in fact not who he said he was, and instead, sent Huseynov’s ID to the company to confirm their “real” identity. The perpetrator claimed that Huseynov hacked the page. Shortly after, all of the pages managed by Huseynov received multiple complaints making the same claims – that Huseynov was not the real Huseynov. Facebook responded by blocking all of Huseynov’s accounts. Including his own profile. The state security services have access to citizens’ private information – including copies of National IDs, phone numbers and other personal information. 

At the end of the day, what platforms like Meta must understand is that these are not some isolated cases but regular, targeted measures deployed by the government institutions and that to really tackle this kind of brazen behavior and prevent the damage inflicted on the platforms’ active users, the company must adopt measures that offer better protection to users, especially from certain civic groups who are often the main targets. Above all, understanding the political contexts and the role platforms like Facebook play in these contexts would be a step in the right direction. So will Meta take notice?  

Website fined for not removing comments on social media page

On February 3, the local court fined Azermedia, the founder of the online news platform yeniavaz.az in the total amount of 1500AZN (approximately 880USD). The prosecutor cited the failure of the website management to remove comments posted on the website’s Facebook page according to Azerbaijan service for Radio Liberty. 

In court, the prosecutor’s office representative said the website management carried the responsibility to remove comments on its social media accounts that are slanderous and insulting. But the lawyer, Nemat Karimli repeated that Azermedia did not violate any rules and that claims by the prosecutor’s office about responsibility to remove comments on social media platforms were baseless. 

Following the court’s decision, Karimli said they will be appealing the decision. 

The court decision follows the weeks-long process between the prosecutor’s office and the yeniavaz.az and concerns a series of articles the website published starting January 12. The published articles cover the case of political activist Tofig Yagublu who was detained during a rally in December, beaten, and then let go. The investigation concluded that Yagublu beat himself and that the police had no involvement in the physical injuries caused to the activist.   

The website was fined based on Article 388.1.1.2 of the Code of Administrative Offenses

for failure to take measures established by the Law of the Republic of Azerbaijan “On information, informatization and protection of information” in connection with the seizure of information prohibited for dissemination placed on the Internet information resources –

individuals shall be fined in the amount of 500 to 1000 manats, officials in the amount of 1000 to 1000 manats, or administrative detention for a period of up to one month shall be imposed on legal entities, depending on the circumstances of the case, legal entities shall be fined in the amount of 1500 to 2000 manats. is done.

Several social media users warned, one sentenced to 30 days of administrative detention

A series of new warnings were issued by the Prosecutor General office to social media users in Azerbaijan. In a statement issued by the Prosecutor General’s office, it claims five Azerbaijani citizens received a warning over their social media posts that the prosecutor’s office described as “violating stability, rights, and freedoms and casting a shadow over state’s efforts to strengthen defense capabilities.”

In addition, a citizen named Namig Aliyev was found guilty of violating the state law on Information, Informatisation, and Protection of Information. According to the prosecutor’s office, Aliyev, editor of Yeniavaz.com news website failed to remove a Facebook post about the story published by Yeniavaz.com website that qualified as “information prohibited from sharing.”

But a series of developments including a statement by Yeniavaz.com website editor show that not only did the Prosecutor Office provide false information about Namig Aliyev’s affiliation with Yeniavaz.com website but that the story the prosecutor office wanted removed directly referred to the prosecutor office earlier involvement in committing violence against an opposition activist.

Timeline of events

On December 1, 2021, a group of activists staged a protest in the capital Baku in support of jailed opposition activist Saleh Rustamov. During the protest, scores of activists were detained, including opposition figure Tofig Yagublu, a former political prisoner himself. The violence he faced in the hands of the police was widely reported on social media platforms.

The head of the Media and Public Relations Department of the Interior Ministry’s press service, while having denied any allegations of torture, promised to investigate the case of Yagublu. 

On January 12, the Prosectur Office said it had finalized the invetigation. According to the results, Yagublu was not tortured and that the signs of violence documented and widely reported were inflicted by Yagublu himself. The investigation claimed Yagublu harmed himsefl and that no police officer was involved in violence against Yagublu. 

Yeniavaz.com published three separate articles on the results of the investigation, most recent one on January 18, 2022. 

On January 24, Yeniavaz.com website editor Baylar Majidov, published a Facebook post, with the following text: 

“The prosecutor arrested a man named Namig Aliyev, and [Azerbaijani] media presented him as the director of Yeniavaz.com. Offically, we would like to note that not only do we not have an employee named Namiq Aliyev but he is certainly not the direcotr of Yeniavaz.com.”

Majidov also wrote that their newsroom never received an official request from the General Prosecutor office to remove any information from the website or from the news website’s social media accounts.   

Also on January 24, in another statement issued by the Prosecutor General Office, it announced its decision to sentence social media user Namig Aliyev to 30 days of aministrative detention for sharing information prohibited by law. The statement also said, the office launched administrative proceedings against Azermedia LLC, a legal entity representing the operations of yeniavaz.com on the grounds that the website failed to remove the information prohibited by law. 

On January 25, yeniavaz.com published a story by one of its authors, Anar Garakhanchalli being questioned at the Prosecutor General Office on January 20, 2022. There Garakhanchalli described the conversation he had: 
I was invited to the General Prosecutor office on January 20. After talking to me first about the state, the importance of the prosecutor office for the state and etc I asked them calmly what was the purpose of my invitiation. They told me, it was an article titled “Prosecutor office: ‘Tofig Yagublu’s state was caused as a result of him beating himself up'” that yeniavaz.com published on its website and shared on its Facebook page. So I asked, if there was something wrong about the story, whether it was a lie. They said, the story was correct, but we are concerned about the comments that were written under the post. I said, if the story was ture, if you have no objections then why am I here? I also added that Facebook has billions of users, how can we be held accountable for something written by others? The officer sitting across from me then said, we suspected that these responses would follow, after giving the story a headline like that. I told this this was ludicrous. You confirm yourself that the story is true, you do not object to any of the wording, and yet you are questioning the reporter’s intent?! 
After two hour long visit, Garakhanchalli was let go. 
No further statements were made by yeniavaz.com while the articles in question all remain available online at the time of writing of this post.
AIW previously documented a number of cases where social media users and journalists received warnings, or fines over their onlline posts. 

Political activist sentenced to ten years in jail

Member of a political opposition party Agil Humbatov was sentenced to ten years in jail after criticizing the president on Facebook. In a court ruling on November 15, Humbatov was charged with Article 126.2.4 of the Criminal Code – intentionally causing harm with an intent to commit hooliganism. The prosecutor alleged Humbatov, stabbed a man. According to Turan News Agency, the prosecutor said Humbatov stabbed Yaman Mammadov. 

Humbatov was detained on August 11 this year.

In his defense, the political activist, who is a member of Popular Front, said charges against him were bogus. The real reason behind his sentence was his social media posts and videos in which the activist was critical of the government, namely President Ilham Aliyev. 

In his most recent video, Humbatov complained of lack of employment opportunities and that with three children and lack of local government support, he had no other choice but to collect cardboard from waste. 

Previously, Humbatov was confined to treatment at a psychiatric clinic over his criticisms against the authorities online. He was also detained in March 2019 and sentenced to 30 days in administrative detention.

Blogger arrested in Azerbaijan

Sameddin Mammadov was reported missing on October 29. The witnesses said they saw a group of men, took Mammadov from his in Azerbaijan’s Jalilabad district, driving him in an unidentified direction. His son, Nahid Mammadov said the family learned their father was taken by the police days later. 

Mammadov, is a blogger covering developments from his region via his Facebook account. His son, Nahid Mammadov who spoke with Azadliq Radio, Azerbaijan Service for Radio Liberty said the allegations leveled against his father were illegal and groundless. “My father talked about problems from our district on social media. He was making videos. He was doing it with one purpose – the country’s leadership see what was happening in Jalilabad. My father was intimidated, and warned numerous times.” 

According to the son, his father is currently on a hunger strike. The family in the meantime asked to meet the president but was refused. 

Mammadov is accused of inflicting intentional body harm and hooliganism. Azadliq Radio spoke with the plaintiff, also a resident of the same district, Elshad Jafarov.  Jafarov claims Mammadov, his son, and nephew beat him up on September 27. “I don’t know why Mammadov was arrested. I did not know he was. I cannot say whether he was threatened because of his political activism. But I have testified to the police. I have spent 21 days at a hospital recovering from the beating. There is a forensics report,” Jafarov told Azadliq Radio. 

According to a post on Mammadov’s Facebook, the court dismissed his appeal and that he remains behind bars.  

Toplum TV Facebook page hacked via SMS interception

On November 3, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hackers(s) removed several videos, including one Toplum TV shared yesterday, which was a discussion with an opposition politician Ali Karimli. According to the founders who spoke to AIW, the hacker(s) accessed the page through another founder’s Facebook account, deleted videos, page likes, and changed the name of the page. At the time of reporting this story, the Facebook page was recovered.

In a Facebook post, Alasgar Mammadli, one of the founders of the platform explained in detail how the hacker(s) accessed Toplum TV’s Facebook page by compromising his personal account first.

Translation: This morning at 8.54AM local time, my Facebook account was compromised. The compromise was made possible using my personal mobile phone number. The hacker acquired access to personal information illegally. I only learned about what happened half hour later as I was stuck in city traffic, and had limited access both to my mobile phone and personal computer.  The compromise was made possible by intercepting an SMS sent to my mobile sim card. Meaning, messages sent to my mobile number, were used in parallel by technical supervisors overseeing the telecommunication system in accordance with telecommunication law. Having accessed my personal account [the hacker(s)] were able to access Toplum TV Facebook page, changing its name, [only] deleting archived videos of live debates with Popular Front and Musavat party leaders, and removing several thousand Page likes. Clearly, the reason behind what happened is political intervention. The absolute lack of tolerance to public debates on Toplum TV’s platform has reached such a level, that the perpetrators unafraid, have committed a criminal act prohibited by Articles 271, 272, and 273 of the Criminal Code. This compromise is an act of crime and a grave violation of freedom of speech, privacy, and security of personal data. I demand that serious investigation and preventive action be taken by relevant authorities working within the information security space.

Toplum TV encouraged its readers and followers in a tweet to support their page after hacking:

Translation: Toplum TV’s Facebook page was compromised and its name changed to their name “toplan”. To support independent media, like our Facebook page, and help restore deleted followers.

SMS interceptions are commonly used in Azerbaijan. Below, are a few excerpts from a recent report published by AIW in partnership with International Partnership for Human Rights on the topic: 

The interception of SMS exchanges remains an acute problem in Azerbaijan. In recent years, scores of political activists, journalists, rights defenders, and independent media platforms have had their social media accounts compromised. In many of these cases, those affected have had SMS notification enabled as two-step verification (2FA) procedure for accessing their Facebook accounts. As a result, when their accounts were compromised, they were unable to restore access to the accounts relying on traditional troubleshooting steps offered by social media platforms such as Facebook. Thus, they were unable to retrieve password reset codes sent by Facebook by SMS as their messages were intercepted by the operators, only to be passed on to the relevant government bodies. This experience shows that mobile companies have been involved in many of these attacks. However, none of the operators have taken the blame, so far. The earliest example of SMS surveillance goes back to 2009 when 43 Azerbaijanis voted for Armenia’s entry in the Eurovision Song Contest through votes cast by SMS. A number of these people were summoned and questioned by the security services. In an interview with Azadliq Radio (the Azerbaijani service of Radio Free Europe/Radio Liberty), one of these televoters, Rovshan Nasirli said that the authorities demanded an “explanation” for his vote and told him it was a “matter of national security”. He told the service: “They were trying to put psychological pressure on me, saying things like: ‘You have no sense of ethnic pride. How come you voted for Armenia?’ They made me write out an explanation, and then they let me go.” The authorities did not deny that they had identified and summoned people who voted for Armenia, and argued that they were merely trying to understand the motives of these people.

Three years after the Eurovision scandal, an investigative documentary aired on Swedish TV called ‘’Mission: Investigate” revealed how the Swedish telecommunications giant TeliaSonera, which at the time owned a majority stake of Azercell, allowed “black boxes” to be installed within their telecommunications networks in Azerbaijan from as early as 2008. These boxes enabled security services and police to monitor all network communication, including internet traffic and phone calls in real-time without any judicial oversight. The exposure of these black boxes explains the type of technology the government was deploying already at the time of Eurovision in 2009. The investigation aired by Swedish TV also confirmed that wiretaps were used as evidence in politically motivated cases.

In 2014, an OCCRP investigation revealed how mobile operators were directly passing on information about their users to the respective government authorities. In a country where the government enjoys unprecedented control over the ICT industry and where some of the key players in the market such as mobile operators and ISPs are affiliated with the government or its officials, the findings of the investigation were not at all surprising. The 2014 investigation quoted the director of the Media Rights Institute, Rashid Hajili as saying that both mobile companies and ISPs were obliged to provide special facilities to the Ministry of National Security (MNS)91 for surveillance purposes in accordance with existing legal provisions as explained earlier. In the case of mobile companies, no court approval was sought to eavesdrop on the conversations and SMS exchanges of their customers – a common practice to this day. One of the first accounts of collaboration between mobile companies and the government is that of journalist Agil Khalil. In 2008, Khalil was working on a story about the alleged involvement of MNS employees in corrupt land deals. After taking photographs for the story, he was approached by MNS agents and beaten. The journalist escaped from his attackers and managed to take photos of them. Khalil filed a complaint with the police, and an investigation was opened but eventually dropped, without the perpetrators having been prosecuted or even identified. Soon after turning to the police, the journalist realized that he was being followed. When he filed another complaint with the police about the surveillance, police again failed to follow up. A few days later, Khalil was subjected to a new attack: this time, an unknown assailant stabbed and injured him. Khalil again turned to the police, accusing both the MNS and the mobile operator Azercell (whose services he was using ) of being responsible for the attack. He argued that the operator had helped the MNS to track down his whereabouts, thereby facilitating the attack. The involvement of Azercell in the case became more evident when the operator provided a local court, which examined the journalist’s complaint, with alleged SMS exchanges between Khalil and a man named Sergey Strekalin, who the MNS claimed was Khalil’s lover and had stabbed the journalist out of jealousy. When Khalil’s lawyer requested access to these SMS exchanges, Azercell refused, which called into question the authenticity of these messages. Khalil left Azerbaijan the same year after another attempted attack against him and the continued failure of the authorities to hold his assailants accountable. He took his case to the ECtHR, as a result of which the Azerbaijani government made a so-called unilateral declaration (an official admission) before this court in 2015 that it had violated Khalil’s right to life, freedom from ill-treatment, and freedom of expression and agreed to pay 28 000 EUR in compensation to him. As the government made this admission, there was no ECtHR ruling on the case.

In September, Toplum TV reported it lost 16k followers on its Facebook page. Facebook failed to explain how and why this took place. 

In Azerbaijan journalist gets 15 days in prison over a Facebook post

Anar Abdulla was sentenced to 15 days in prison over a Facebook post, according to OC Media reporting. But the charges pressed against the journalist accuse Abdulla of hooliganism and disobeying the police – the most common charges used against civic activists in Azerbaijan.

On September 14, Abdulla wrote a short post on his personal Facebook profile accusing the heads of administrative offices, of deceiving President Ilham Aliyev, while the people pay the price for it.

According to OC Media, the journalist was summoned to the police on October 5 for a “preventive conversation” however Abdulla was handcuffed and detained. The hearing that took place on October 6, where the journalist was sentenced to 15 days was closed to the local press. 

Speaking to OC Media, Abdulla’s lawyer, Zibeyda Sadigova, said, her client denied both charges. During the hearing, police alleged that the journalist disobeyed police orders and used profane language against the officers. Police pressed charges against the journalist as a result.  

In addition to hooliganism and disobeying police, politically motivated criminal charges used against civil society representatives include drug possession and illegal business activity. 

inauthentic pages target independent news platform – will Facebook take notice [part 3, the case of Azadliq Radio]

After The Guardian’s expose on Facebook overlooking trolling activity in Azerbaijan (and elsewhere) earlier this year, one would think that the platform would finally take notice and address how the platform is abused by trolls and the actors operating them. Instead, the loopholes remain and from the looks of it, the platform is doing little to address the use of Facebook Pages – at least in the case of Azerbaijan as pointed out here and here – to target independent media. The most recent example is this Facebook post, shared by Azerbaijan Service for Radio Liberty. The post, is a caricature by Gunduz Aghayev, addressing the rising cost of fuel in the country. Under the post, 549 comments to be exact claim all sorts of things – that the radio is biased, is lying, the economy is doing great, that the State Oil Company (SOCAR) knows exactly what it’s doing, etc. A closer look at the comments reveals that each belongs to a user operating a fake Facebook page. Earlier this month, AIW reported about Azerbaijan’s very own troll factory

Will Facebook take notice this time? 

Hacks and compromised accounts continue to target journalists and activists in Azerbaijan [updated September 13]

Account compromise, website hacks, DDoS attempts, phishing are just a handful of tactics used to target journalists, rights defenders, and activists in Azerbaijan. 

Here is a list of new cases: 

Earlier in July, Azerbaijan Internet Watch reported a phishing attack that targeted some of the civil society activists. Following a forensic investigation carried out in partnership with Qurium, it was possible to confirm that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Then the civil society was targeted with another phishing, this time the sender pretended to be the National Endowment for Democracy inviting recipients of the email to apply for a Pegasus Grant. 

Preliminary forensic results indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: 

The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites

The malware that was observed is not sophisticated, and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.

The same month, Azerbaijan Internet Watch received confirmation that the former political prisoner, Tofig Yagublu’s Facebook profile was subject to numerous hacking attempts. 

In early August, former leader of the opposition Musavat party, Isa Gambar reported that all of his social media accounts were compromised including his Facebook profile, Facebook page, and Instagram account. 

The hackers, who took hold of Gambar’s Facebook profile, changed settings, recovery emails, and an affiliated phone number, and have since then shared irrelevant posts. 

On August 27, the website for popular platform HamamTimes was hacked. The team behind the platform, reported all of its content removed, suspecting that the hackers used the site’s vulnerability as a result of weak security protocols in place. So far, HamamTimes, managed to restore all of the website’s archive of stories however its hosting remains vulnerable to new targeting. 

HamamTimes was targeted before as reported by Azerbaijan Internet Watch in a mass phishing attack. 

On September 4, editor of anews.az news website, Naila Balayeva, reported that her Facebook account was compromised. The hacker switched the email account and the phone number originally registered for the profile. Although Balayeva was able to restore access to her email and change the emails, according to the journalist, the hacker continues to use Facebook as the owner often deleting posts that are critical either of the police or the government institutions.  

Anews.az and Balayeva were targeted before. Last year, several Facebook pages affiliated with the website were hacked. 

While it was possible to provide assistance in some of the cases, the response from platforms like Facebook, especially in the case of Gambar has been slow and at times, comical. So far, twice, the platform requested new emails not associated with the platform or any of its apps and twice, Gambar sent proof of identity.  

[Update] On September 9, political activist Bakhtiyar Hajiyev was reportedly threatened by Baku Police Chief Alekper Ismayilov over a Facebook post, that Hajiyev wrote the same day. The post, Hajiyev wrote on Facebook was addressing the Ministry of the Interior, specifically the Minister of the Interior, Vilayat Eyvazov. The activist alleged the ministry was delaying a response to his complaint submitted 50 days ago over a street hooligan. 

[From Hajiyev’s post on Facebook published on September 9, 2021] Instead of investigating why my Ministry of the Interior cannot question street hooligan, who is refusing to speak to them, humiliating police officers who show up at [the hooligan’s] home, Vilayat Eyvazov is going after me for reminding [the Ministry] of my complaint and is threatening me with arrest, death and blackmailing.  

The activist told Turan News Agency that he was summoned to the police on September 9 where Baku Police Chief, Alekper Ismayilov allegedly told Hajiyev less he removes the Facebook post, the activist would face a greater punishment than arrest. 

On September 12, Gubad Ibadoglu, Azerbaijani academic, and an economist reported that his Facebook profile and page were compromised. In an interview with Turan News Agency, Ibadoglu said despite his attempts to strengthen the security of his accounts, they were compromised anyway. “I got a message this morning that my password was changed using my own computer. This means that the hackers of the Azerbaijani government, even in London,” Ibadoglu told Turan. The fact that he received a notification informing him that his computer was the device from which the passwords were changed, means the device was infected with a virus containing some form of keylogger. It won’t be the first time, this type of information extraction is used to target Azerbaijani civil society. 

[Update] In September, online news platform Toplum TV, reported it lost 16k followers on its Facebook page. 

Azerbaijan’s troll factory revealed [Updated Dec. 22]

Ever since 2013 revelations about Russia’s troll factory, many in Azerbaijan wondered whether the country’s leadership too operated its very own troll factory. Unlike its Russian version, known as the Internet Research Agency, there was only anecdotal evidence of whether this was really the case in Azerbaijan. There were no former “factory” employees who came forward or undercover journalists who temporarily worked there and exposed the work carried out later. Not until this month anyway. An investigation against the executive director of the State Media Support Fund Vugar Safarli now reveals that the suspicions were valid after all. And that upon specific instructions a group of “bloggers” were responsible for monitoring Facebook and leaving comments under posts that were critical of the government or relevant government institutions. 

The investigation is part of a criminal case launched against Vugar Safarli who until recently headed the State Fund for Media Development in Azerbaijan. Safarli was arrested in 2020 on charges of money laundering (allegedly 20million AZN) and abuse of authority. 

On September 2, Azerbaijan Service for Radio Free Europe, Azadliq Radio published parts of the testimony by Safarli where the former government official implicates not only that the government did indeed deploy trolls but that several high ranking officials including then Presidential advisor Ali Hasanov and former head of the Presidential Administration Ramiz Mehdiyev were well aware of this. Moreover, the building from where trolls operated belonged to Hasanov himself. 

“Ali Hasanov told me that the new rented space, will have internet bloggers who will work from there. And indeed there were a few, who sat there, working unofficially,” Safarli reportedly said in his statement according to Azadliq Radio reporting. 

“We were especially paying a closer attention to Facebook. Each of us operated a large number of fake profiles, which we used to leave comments. These comments were planned ahead of time. We would receive them in the morning. And that’s why often these comments were similar to each other as they were posted from different profiles,” shared one of the former employees who spoke to Azadliq Radio on condition of anonymity.

But leaving comments en masse was not the only requirement. “The Presidential Administration would send us topics of the day that we had to research and prepare material on. Then those materials were posted on various pro-government media platforms and published on pro-government television,” explained anonymous blogger in an interview with Azerbaijan Service.

Over the years, authorities denied any involvement in mass trolling or deployment of troll armies including Ali Hasanov himself who was known among government critics as the “King of trolls.” He repeated this as he was exiting office in January 2020 in an interview with BBC Azerbaijan service: “There is no army of trolls in Azerbaijan. There is simply the public supporting the president.” 

That public supporting the president was also mentioned by current member of the parliament Zahid Oruc, who told Azadliq Radio in a phone interview that “the party does not see millions of citizens who defend the leader of the current government as trolls.” 

Oruc did not directly deny the operation of troll armies in Azerbaijan. Instead, he said, “the party considered it incorrect to present a massive number of comments written on various platforms and coordinated from one single location as a government policy.”

Previously the ruling part of New Azerbaijan denied the operation of troll armies in Azerbaijan. Most recently the ruling party was exposed in a series of investigations released by The Guardian.   

A month prior to the release of The Guardian investigation Azerbaijan Internet Watch published this story exposing how some 500 inauthentic accounts on Facebook (almost all of them were set up as pages) targeted a Berlin-based online news platform Meydan TV and this story uncovered a similar pattern of targeting against another independent online news platform Mikroskop Media.

That the ruling government in Baku deployed trolls was not at all surprising. Surely, activists who had their own suspicions for the years have relied on the Internet and specifically the social media platform Facebook as the government silenced dissent offline. As the crackdown against Azerbaijan’s civil society intensified and culminated with the arrest of some of the high profile civil society activists in 2014 as well as targeting of independent news platforms, including Azadliq Radio, the internet, and specifically social media platforms became the remaining avenues for freedom of speech advocates who took to the platform to criticize the policies and decisions of the official Baku. Independent online news platforms, continue to rely on Facebook, Instagram, and YouTube to disseminate news as many of their websites are blocked for access in Azerbaijan.

Will Safarli’s exposure of the former government officials and their direct involvement in running a troll army change anything? Highly unlikely that the government of Azerbaijan survives on its greatest political tool – denialism.

[Update] Vugar Safarli was sentenced to ten years and six months on December 21, 2021, on charges of embezzlement of state funds. According to Turan News Agency, his business partners were too sentenced.