Hacks and compromised accounts continue to target journalists and activists in Azerbaijan [updated September 13]

Account compromise, website hacks, DDoS attempts, phishing are just a handful of tactics used to target journalists, rights defenders, and activists in Azerbaijan. 

Here is a list of new cases: 

Earlier in July, Azerbaijan Internet Watch reported a phishing attack that targeted some of the civil society activists. Following a forensic investigation carried out in partnership with Qurium, it was possible to confirm that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Then the civil society was targeted with another phishing, this time the sender pretended to be the National Endowment for Democracy inviting recipients of the email to apply for a Pegasus Grant. 

Preliminary forensic results indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: 

The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites

The malware that was observed is not sophisticated, and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.

The same month, Azerbaijan Internet Watch received confirmation that the former political prisoner, Tofig Yagublu’s Facebook profile was subject to numerous hacking attempts. 

In early August, former leader of the opposition Musavat party, Isa Gambar reported that all of his social media accounts were compromised including his Facebook profile, Facebook page, and Instagram account. 

The hackers, who took hold of Gambar’s Facebook profile, changed settings, recovery emails, and an affiliated phone number, and have since then shared irrelevant posts. 

On August 27, the website for popular platform HamamTimes was hacked. The team behind the platform, reported all of its content removed, suspecting that the hackers used the site’s vulnerability as a result of weak security protocols in place. So far, HamamTimes, managed to restore all of the website’s archive of stories however its hosting remains vulnerable to new targeting. 

HamamTimes was targeted before as reported by Azerbaijan Internet Watch in a mass phishing attack. 

On September 4, editor of anews.az news website, Naila Balayeva, reported that her Facebook account was compromised. The hacker switched the email account and the phone number originally registered for the profile. Although Balayeva was able to restore access to her email and change the emails, according to the journalist, the hacker continues to use Facebook as the owner often deleting posts that are critical either of the police or the government institutions.  

Anews.az and Balayeva were targeted before. Last year, several Facebook pages affiliated with the website were hacked. 

While it was possible to provide assistance in some of the cases, the response from platforms like Facebook, especially in the case of Gambar has been slow and at times, comical. So far, twice, the platform requested new emails not associated with the platform or any of its apps and twice, Gambar sent proof of identity.  

[Update] On September 9, political activist Bakhtiyar Hajiyev was reportedly threatened by Baku Police Chief Alekper Ismayilov over a Facebook post, that Hajiyev wrote the same day. The post, Hajiyev wrote on Facebook was addressing the Ministry of the Interior, specifically the Minister of the Interior, Vilayat Eyvazov. The activist alleged the ministry was delaying a response to his complaint submitted 50 days ago over a street hooligan. 

[From Hajiyev’s post on Facebook published on September 9, 2021] Instead of investigating why my Ministry of the Interior cannot question street hooligan, who is refusing to speak to them, humiliating police officers who show up at [the hooligan’s] home, Vilayat Eyvazov is going after me for reminding [the Ministry] of my complaint and is threatening me with arrest, death and blackmailing.  

The activist told Turan News Agency that he was summoned to the police on September 9 where Baku Police Chief, Alekper Ismayilov allegedly told Hajiyev less he removes the Facebook post, the activist would face a greater punishment than arrest. 

On September 12, Gubad Ibadoglu, Azerbaijani academic, and an economist reported that his Facebook profile and page were compromised. In an interview with Turan News Agency, Ibadoglu said despite his attempts to strengthen the security of his accounts, they were compromised anyway. “I got a message this morning that my password was changed using my own computer. This means that the hackers of the Azerbaijani government, even in London,” Ibadoglu told Turan. The fact that he received a notification informing him that his computer was the device from which the passwords were changed, means the device was infected with a virus containing some form of keylogger. It won’t be the first time, this type of information extraction is used to target Azerbaijani civil society. 

[Update] In September, online news platform Toplum TV, reported it lost 16k followers on its Facebook page. 

how to silence corruption: the tale of one citizen journalist and a government that does not want people to know the truth

The tale of corruption in Azerbaijan is no news to anyone familiar with the country’s history of money laundering, slush funds, and other fraudulent misconduct. From countless investigations, such as Caviar Diplomacy, Azerbaijani Laundromat and Panama Papers, and most recently OCCRP report about massive weapons deal with Congo-Brazzaville, the extent of involvement of key leadership figures of Azerbaijan in numerous financial schemes, deals, and investments, is astonishing. For years, the journalists who have been involved in these investigations have been and continue to be targeted. The most recent target is Mehman Huseynov, 28, a popular citizen journalist, and editor-in-chief of the SANCAQ, a socio-political magazine, which documents extensive corrupt practices and violations of human rights in Azerbaijan. Huseynov, shares his findings in short videos, explained in simple language, often with a touch of humor.

In 2017, shortly after President Ilham Aliyev, appointed his wife, Mehriban Aliyeva as the First Vice President, Huseynov did a short video, asking male residents of Baku, whether they would appoint their wives as first secretaries if they were heads of companies. Huseynov was arrested the following day and later ended up serving a two-year prison term on charges of slander. Some speculated this satirical video was the real cause behind the journalist’s arrest. 

Ahead of his release from jail in 2019, the authorities attempted at keeping him behind bars, albeit unsuccessfully, and Huseynov was released. 

This is not the first time Huseynov was persecuted for his activities. He was questioned by the police countless times, threatened, intimidated, placed under a travel ban for five years, his personal documents were confiscated. The Human Rights House Foundation has documented in detail the reprisals against Huseynov in recent years. 

Realising, physical surveillance, and intimidation were not enough, Huseynov’s Sancaq TV became a target.

Hacking alert: Instagram

Due to the popularity of his channel [Sancaq TV has a large following on Facebook, Instagram, and YouTube], there have been numerous attempts to break-in into Sancaq TV’s social media accounts. Huseynov was able to keep his accounts secure until he took time off from social media ahead of a medical operation after being diagnosed with cancer. The treatment and the operation were successful. It was time, for Huseynov to slowly pick up on where he left off.

Little did he know, that one of Sancaq TV’s social media accounts was compromised. “Unfortunately, government officials took advantage of my illness and in my absence hacked Sancaq TV’s Instagram account.  They sent fake messages on behalf of Instagram to my Azerbaijani mobile number and gained access,” explained Huseynov in his recollections to AIW.  

Months after Huseynov reported about the interception, it was possible to restore access to Sancaq TV’s Instagram account. 

Hacking alert: Facebook 

Since his recovery from cancer, Huseynov returned to Azerbaijan, from where he continued working on investigations into government corruption. Sancaq TV has featured some 13 separate investigations since then.

These investigations however have once again triggered perpetrators to silence Huseynov by taking over Sancaq TV’s Facebook page. While they have been unsuccessful in hacking the page, several fake Facebook pages called Sancaq TV have been created. The “owners” of these accounts are using these pages to report the original Sancaq TV Facebook page in an attempt to take it down on the grounds, that it is fake. Sancaq TV’s most recent expose explores a man named Gorxmaz Huseynov, the head of Azerbaijan Water Supply company, whose personal wealth is measured in multimillion-dollar businesses, from hospitals to tourism companies with zero accountability and transparency. 

So far, Huseynov remains defiant in his fight against corruption in Azerbaijan but so do the perpetrators behind the digital persecution campaign. Sancaq TV’s social media accounts can be accessed on Facebook, Instagram, and YouTube

facebook page affiliated with opposition hacked, again

On September 10, the Facebook page that belongs to an online news website bastainfo.com was hacked. Bastainfo.com is affiliated with the opposition party Musavat and is known for often running into problems with the authorities. Its editor was handed a five year suspended sentence in February 2019. The website bastainfo.com remains blocked for access in Azerbaijan. 

In January 2020, Azerbaijan Internet Watch reported how several Musavat party social media accounts were targeted. According to preliminary reports five Facebook pages, one Facebook group, and one website were targeted. 

Bastainfo.com page was targeted then as well. The page lost followers. During last week’s attack, bastainfo.com page lost some 5k followers, and content that was shared since 2017. 

Hacking and compromising Facebook, Instagram, and YouTube accounts (because these are popular platforms used by journalists and activists) is common in Azerbaijan and isn’t new. The online harassment of prominent accounts began several years ago at first, mostly on the level of government-sponsored trolls. Over the years, as the ruling government developed an interest in spyware technology, the types of attacks became more sophisticated while state-sponsored trolling and reliance on automated bots even though still used, became secondary. In each of these cases, finding the perpetrators have not been possible. And in cases when it was clear the attacker was an automated bot/state-sponsored troll the platform took no action. We finally know why. A former Facebook employee, Sophie Zhang, wrote a memo after getting fired from her job at the company revealing how the company dealt with fake accounts and bots. Among the countries, she has worked on and analyzed was Azerbaijan. “Ms. Zhang discovered that the ruling political party in Azerbaijan was also using false accounts to harass opposition figures. She flagged the activity over a year ago, she said, but Facebook’s investigation remains open and officials have not yet taken action over the accounts.” 

hacking alert: activists and journalists targeted online [ongoing, last update September 10]

Several activists and journalists had their Facebook accounts compromised in recent weeks in Azerbaijan. 

At the end of June, a veteran human rights lawyer, Intigam Aliyev, reported a break-in attempt into his Facebook profile. A few days later, an opposition group D18 reported their Facebook page was compromised. On July 2, journalist Aysel Umudova and activist Rustam Ismayilbeyli received messages from the Facebook platform informing them their passwords were reset. This happened despite the fact, that both users had 2FA enabled on their accounts. On July 6, journalist Fatima Movlamli’s Facebook profile was compromised. Yet again, despite 2FA and secure email service, the account was taken over by unknown users. Finally, on July 14, multiple social media users reported receiving password reset messages even though no such requests were made by the users.  

Targeting social media profiles, and pages, are common in Azerbaijan. In recent years, hacking of prominent accounts has led to mass content removal, loss of followers, and subscribers. On YouTube, account owners of popular channels report their videos are taken down by the platform due to copyright violation reports, have received strikes and in some cases, their accounts were deactivated by the platform. And yet, further investigations, indicate, that these copyright violations are indeed submitted by fake accounts and that the actual cause of the strike is nothing but a fluke.

This type of deliberate targeting limits the work of targeted account owners, whether they are human rights defenders, journalists, media platforms, or political activists. Responding to these digital attacks takes time, it also requires having the right contacts at platforms directly or vis-a-vis third parties. In addition, once the account is compromised the account owner, no longer has access to their platform for outreach, unable to share their work/updates, and face the reality of losing their audience.  

While there is some evidence pointing the attacks originate from the government-affiliated institutions, it’s been virtually impossible to prevent them from happening and keep the online community safe.

On September 10, Nigar Hezi, a political activist, said there was an attempt to compromise her Facebook account.  

Opposition activist, Instagram account hacked [updated]

May 9, Azerbaijani politician, Gultekin Hajibeyli’s Instagram account hacked and taken down. Instead, a fake profile impersonating Hajibeyli was set up, with her private mobile phone number shared publicly in the profile description. Hajibeyli, was targeted online previously.

Such attacks are common in Azerbaijan, where opposition politicians and independent activists are targeted online. Account “break-ins”, impersonations, blackmailing posts, content takedown requests on YouTube for alleged copyright violations are among some of the popular harassment tactics in practice.

Unlawfully obtained personal information of intimate nature, including photos, videos, and email exchanges are commonly used to target women activists. A most recent example is an online harassment campaign launched against political activist and former political prisoner Ilkin Rustamzade’s wife, Amina Rustamzade. Leaked personal pictures were shared on Facebook and Instagram by various accounts.

On May 12, the account impersonating Hajibeyli was successfully removed from Instagram.

On May 13, a new fake Instagram profile was created.