hacking – Azerbaijan Internet Watch

Editor of an online news site arrested [Updated February 24, 2024]

Posted on November 20, 2023February 26, 2024 by aiw_admin

[Update February 24] The pre-trial detention period of Abzas Media journalist Nargiz Abusalamova was extended by another three months.

[Update February 21] Kanal 13 director Aziz Orujov’s pre-trial detention was extended by another month.

[Update January 13] Police arrested another Abzas Media journalist – Elnara Gasimova. She was sentenced to pretrial detention on January 15, 2024, for a period of two months and 17 days. She is facing the same charges as the rest of the journalists from Abzas Media, and if found guilty, she faces between six months and eight years in prison and a fine.

[Update December 4] Following the arrests of Kekalov, Vagifgizi, and Hasanli, three more journalists were arrested. Among them are Nargiz Abusalamova (Abzas Media reporter), Aziz Orujov (founder of online television channel Kanal 13), and Rufat Muradli (the host of the show on Kanal 13). There were also reports of a hacking attempt on Kanal 13’s YouTube channel. At least two videos were removed from the channel before Orujov’s brother could secure access to the account.

Abusalamova was questioned earlier as a witness in the investigation launched against Abzas Media. Still, authorities arrested the journalist on December 1 and sentenced her to three months in pre-trial detention. Speaking to journalists, Absalamova’s lawyer said the accusations were baseless, “The court argued that Absalamova can aid others involved in the case and hence, to prevent that from happening, her arrest was necessary.”

[Update November 23] Mahammad Kekalov was also sentenced to three months and 27 days on the same charges. Kekalov’s lawyer, Rovshana Rahimli, told Abzas Media she finally had a chance to meet Kekalov on November 23. During the meeting, Kekalov refused to proceed with Rahimli. He told her he had already been assigned a state lawyer and that he had committed no crime and would continue working with the state-assigned lawyer. The meeting took place in the presence of a state investigator. Friends and acquaintances fear Kekalov made this decision under duress. This request was not granted despite the lawyer’s attempts to meet Kekalov without any state representative. “I was surprised to hear Kekalov’s decision. He knows me. And despite me telling him that his family hired me, he pressed with his decision. He was very calm when we talked. And he did not explain the reason why he decided to refuse my services.” In addition, several other journalists were questioned as part of the investigation on November 23 – Nargiz Absalamova, Sahila Aslanova, Mina Alyarli, and Elnare Gasimova. Ulvi Hasanli’s wife, Rubaba Guliyeva, was also questioned.

[Update] Both Ulvi Hasanli and Sevinc Vagifgizi were sentenced by the Khatai District Court. Hasanli was sentenced to four months in pretrial detention, while Vagifgizi to three months and 29 days.

[Update] Sevinc Vagifgizi, who was en route to Baku [on the flight from Istanbul] on November 20, was also detained at the airport, according to reporting by independent Meydan TV. Several Azerbaijani activists who were on the same flight with her told Meydan TV she was detained once the plane landed in Azerbaijan. In an interview with Meydan TV at the airport before boarding her flight to Baku, Vagifgizi said she is certain that Hasanli’s arrest is directly related to the investigative work by Abzas media on the corruption among companies owned by individuals related to the ruling family doing business in Karabakh. Meanwhile, lawyer Zibeyde Sadighova told Meydan TV that Ulvi Hasanli is being charged with smuggling large amounts of goods or other subjects on preliminary arrangement by a group of persons [Article 206.3.2 of the Criminal Code of Azerbaijan]. On November 21, Vagifgizi was charged on similar grounds. According to Abzas media, Mahammad Kekalov, who writes about people with disabilities, was also detained on November 20. He was taken from his house against his will by plain-clothed police officers.

Abzas media also released an audio recording of Hasanli explaining what happened: “I was about to get into the taxi leaving my apartment, a car stopped in front of the taxi and a bunch of men showed up. They were all wearing masks. They called my name. I cannot recall at which point exactly I was hit. They took me there and brought me to the police station. We started arguing. Two officers hit me. Then the questioning began. They asked me why we [Abzas] did not write about Karabakh but instead wrote about corruption. “Aren’t there other problems to write about,” they asked me. The money [police claim to have found] was planted there, it is so obvious. Because of the place where they allegedly found it. It was in the hallway of the office, not even inside one of the rooms [clearly someone just dropped it there].” In a statement shared by Abaz media on their Facebook page, the platform said, “As Abzas media we inform you, that Hasanli’s detention, the search at his house and on the promises of the office, are unlawful. All that is happening is directly related to [Hasanli’s] journalism. We demand immediate release of Hasanli.”

The news of the missing journalist and editor of an online news platform Abzas Media, Ulvi Hasanli, started trickling on the morning of November 20. According to colleagues, Hasanli was en route to the airport when he went missing. The platform believes Hasanli’s arrest is over the platform’s series of investigations, exposing corruption within the government.

In an interview with Turan News Agency, the platform’s editor-in-chief, Sevinc Vagifgizi said, “Ulvi left home at 4.30 AM and was headed to the airport. However, he never boarded the plane and has not been in touch since.” Vagifgizi added she suspected Hasanli was detained at the airport.

Az-Net Watch spoke to Hasanli’s lawyer, Zibeyde Sadishova, who confirmed that Hasanli was indeed detained, except detention took place at Hasanli’s home as he was getting ready to leave. The police searched both Hasanli’s home and the office of Abzas Media. In the latter’s case, police claimed they had discovered 40,000EUR in cash. Hasanli denied having any connection to the money. It is suspected police planted the cash during the search.

Meanwhile, the lawyer also confirmed that the home of Vagifgizi was also searched. The police did not find anything there. According to the lawyer, Hasanli was beaten by the police.

Hasanli was most recently detained at the US Embassy in Baku when he filmed the flash mob organized by feminist activists in July 2023. A month prior, in June, Hasanli was questioned over a Facebook post that police asked he remove. In the post, Hasanli shared the pictures of two police officers who were in charge of detaining journalists covering an environmental protest outside of the capital.

Since 2016, Absaz media has been targeted with DDoS attacks. In 2017, the website was blocked from access inside the country, forcing the website managers to switch the website’s extension. In April 2020, the website was hacked and, as a result, lost a month’s worth of published articles, and some of the headlines changed. The platform was targeted again in February 2021.

News platform’s Facebook page hacked, year worth of content deleted

Posted on March 30, 2023 by aiw_admin

An online news platform in Azerbaijan, had its Facebook page hacked by unknown hackers. The incident was reported by the editor-in-chief Samira Gasimli via a Facebook post.

Translation: “Dear RLC followers, For the past two months we have been working on new shows and formats. We are getting ready to release new, more interesting, and different formats. If you have noticed, we have stopped sharing shows on our channel as a result. Despite the inactive channel, a few days ago, RLC’s Facebook page was hacked and all of the content shared in the past year was deleted, its format was changed, and so was the profile picture. We have experienced previous interventions to our Facebook page admin panel but we were able to mitigate the risk. We have reached out to Facebook in the meantime, requesting to reinstate all of the content that was deleted. The editor in chief of RLC, Samira Gasimli.”

The user who was able to hack the account – Jn Alaza – has a Facebook profile and a list of 40+ friends some of whom appear to be fake. There is no further information available. The profile photo did not lead to any results when running a reverse image search.

The news platform’s admins are trying to recover the deleted content but as previous experience has shown, Facebook has never (at least in the case of Azerbaijan) helped with content recovery.

A year in review – from online attacks to overall environment of internet censorship in Azerbaijan

Posted on December 16, 2022January 3, 2023 by aiw_admin

The following overview covers some of the prolific trends which illustrate the scope of digital authoritarianism and information controls in Azerbaijan observed and documented in the past year.

Introduction

This report covers the online attacks targeting personal information and devices of human rights defenders, activists, and democracy advocates in 2022. The data is collected through media monitoring and information that was made available by targeted individuals who received support and assistance in mitigating the targeting.

Overall, 2022 has been no different than recent years in terms of online attacks and internet censorship observed in Azerbaijan. Activists, human rights defenders, and democracy advocates received phishing attacks and were summoned to law-enforcement bodies for criticism voiced online where their personal data and devices were often interfered with in the absence of the owner’s consent.

In some cases, there were reported hacking attempts and installed spyware programs. In January – December 2022, we observed overall 10 such cases.

Hacking and phishing attacks usually targeted the social media and email accounts of targeted community members. These were possible through the interception of SMS messages (set up as 2FA). In fact, SMS interception has been the main practice, leading to the hacking of scores of personal accounts, the paralyzation of social media accounts, the deletion of online posts, and the dissemination of personal information belonging to the targets.

Among some of the prominent cases was political activist Bakhtiyar Hajiyev whose social media accounts were targeted on multiple accounts. Hajiyev was also kidnapped twice in April and August 2022 and he was taken to the law-enforcement bodies. Police gained access to his social media accounts by force and removed posts that were critical of the authorities and state institutions. Hajiyev was arrested on December 9, on bogus charges, and sentenced to 50 days in administrative detention [shortly after his arrest Hajiyev announced he was going on a hunger strike. According to media reports, he stopped the strike on December 29, 2022].

Another civil society member, Imran Aliyev was also kidnapped by the Main Department for Combatting Organized Crime where his devices and social media accounts were compromised against his will.

Abulfaz Gurbanli, also an active member of civil society, was phished through an email and WhatsApp messages in February 2022. A file disguised as grant-related information from a known donor organization containing a virus was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating herself as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts.

At the time, Az-Net Watch requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages).

Az-Net Watch previously documented attacks through phishing emails sent to civil society activists last year. At the time, an email impersonating a donor organization was sent to a group of activists encouraging them to apply for a Pegasus Grant. Preliminary forensic results carried out at the time indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: “The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites. “The malware that was observed is not sophisticated and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.”

In another case, an online media outlet – ToplumTV – social media accounts were hacked by intercepting incoming SMS, set up as a two-step authentication method. This resulted in the removal of countless news posts as well as subscribers to the channel’s social media account. The media outlet was previously targeted in September and November 2021 – in both instances, the social media accounts were hacked by SMS interception.

Feminist activists also witnessed a surge in online phishing attacks and hacking attempts ahead of the International Women’s Day protest scheduled to take place on March 8, 2022. At least three activists received support to ensure online safety during this period. Similar attacks and targeting were documented last year. In addition to compromised accounts, some feminist activists have faced account impersonation. Most recently, activist Narmin Shahmarzade reported to Az-Net Watch, that a fake Instagram account impersonating the activist shared Sharmazade’s photos in the absence of her consent with inappropriate captions. Az-Net Watch is currently working with the platform to remove the fake account.

Users of social media platforms, who posted critical of the government comments and posts, were also summoned to law- enforcement bodies where they were either forced to hand in their devices and passwords to their social media accounts or to delete their posts that were critical of the government. At least in 5 cases, activists and bloggers faced administrative arrests and interference with their social media accounts for their criticism online and activism.

One of the most recently documented cases includes a blogger who was called into questioning after sharing a video on Facebook of the traffic police accepting a bribe. The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents.

In November, prominent lawyer, Elchin Sadigov said the law enforcement refused to return his mobile devices after the lawyer, would not share his passwords. Sadigov was arrested in September 2022 together with an editor of an independent outlet. In an interview with Meydan TV, Sadigov said, he considered demands that he shares his login credentials were a violation of privacy.

Also in November, a member of D18 political movement, Afiaddin Mammadov, who was arrested on bogus charges and sentenced to 30 days in administrative detention said he was tortured by the local police officers after refusing to share his password to his device.

Other documented instances of social media users targeted over their online criticism this year include:

In April, Meta released its pilot quarterly Adversarial Threat Report in which the platform said it identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. According to the report, these coordinated online cyberattacks targeted journalists, civil society activists, human rights defenders, and members of opposition parties and movements in Azerbaijan. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious.

Azerbaijan was also among countries identified in Pegasus leaks targeting some 80 government critics among one thousand other Azerbaijanis identified in the targeting with Pegasus spyware.

The attacks and support provided, in the course of the past year, illustrate that no matter how well-prepared political activists and members of civil society are in Azerbaijan, digital security awareness is insufficient in autocratic contexts like Azerbaijan.

We also observed that existing legal remedies in the country are insufficient to find perpetrators behind such targeting and hold them to account. While in a few instances targeted community members filed official complaints, the investigative authorities showed reluctance in effectively investigating the incidents.

This year, Az-Net Watch published this detailed report about litigating Pegasus in Azerbaijan in which together with a legal expert we conclude that existing national legislation concerning privacy and surveillance is insufficient, and is left to vague and often overt interpretation in the hands of law enforcement and prosecutor office. As such, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees. And in all cases filed for investigations, nearly a year later after Pegasus spyware has been identified to be in use, the law enforcement authorities are yet to take formal investigative actions.

In another report published this year together with a legal expert, Az-Net Watch identified serious gaps in data privacy protection mechanisms in Azerbaijan. Our analysis indicated that the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities. The analysis also indicated that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order.

Conclusion

These and other instances of digital threats and offline persecution for online activism illustrate that internet freedom in Azerbaijan continues to decline with no signs of abating. For yet another year, Azerbaijan was ranked “not free” in Freedom on the Net 2022 report released by Freedom House. In addition to scores of news websites currently blocked in the country (a practice observed since 2017), the state has also resorted to blocking or throttling access to social media platforms and communication applications in recent years. In September 2022 the state demonstrated its control over the internet by blocking access to TikTok on the grounds the platform was casting a shadow over military activities, revealing military secrets, and forming wrong public opinion. The blocking was carried out amid renewed military tensions between Armenia and Azerbaijan. Other users said they experienced issues accessing WhatsApp, Telegram, and slow internet connectivity speeds. Previously, during the second Karabakh war (in 2020), users in Azerbaijan faced internet restrictions as well.

Civic activists in Azerbaijan express concern over state control of the internet at a time, when social media platforms, and independent as well as opposition online news sites have become the sole sources of alternative information accessible to the public outside of traditional media.

The present environment is further exacerbated by the continued crackdown on civic activists as in the case of Bakhtiyar Hajiyev mentioned earlier in the report. In addition, a number of critical bills approved by the parliament this year, demonstrate a profound lack of interest on behalf of the state to ensure basic freedoms including freedom of the media and of association. As of February 2022, a restrictive new media law compels online media outlets to register with the government agency and has imposed a number of other critical requirements and criteria that critics say only serve the purpose of silencing independent journalists and news platforms.

On December 16, 2022, the parliament also approved a critical bill on political parties, introducing a new set of exhaustive restrictions on political parties.

As such, Azerbaijani civil society is facing a turbulent year ahead both offline and online in an environment dominated by state control on all forms of dissent leaving many wondering how far the state is willing to go to silence the critics.

online news platform hacked, content and followers removed

Posted on September 17, 2022September 17, 2022 by aiw_admin

On September 16, Toplum TV, an online news platform had its Facebook page hacked. The hacker accessed the account by hacking one employee’s personal Facebook profile. As a result, the news platform lost 26k of its followers and two weeks’ worth of shared content.

In an interview with Meydan TV, the platform’s director, journalist Khadija Ismayil said this was not the first time Toplum TV was targeted with a digital attack.

AIW documented the previous attack in November 2021. At the time, the hacking occurred through an SMS interception. In another attack documented in September 2021, Toplum TV reported it lost 16k followers on its Facebook page.

Ismayil in a Facebook post said, there were suspicions that a similar attempt was made this time around. The admin team is investigating the origins of the hack.

Access to the page has been restored at the time of writing this post.

in Azerbaijan rape survivor continues to face harassment online by the perpetrator

Posted on July 16, 2022July 16, 2022 by aiw_admin

Asgar Agazade was arrested last year following an accusation by a rape survivor. His victim, is an activist, Sanay Yagmur. Agazade has denied the accusation from the start however, seven months into the ongoing investigation and the trial, he is now facing a possible seven-year prison term. In addition, new evidence based on Agazade’s own statement now reveals that the perpetrator continued harassing and threatening Yagmur online.

The new evidence emerged during the hearing on June 22, in which, Agazade confessed hacking Yaghmur’s email address and obtaining private information about her travel itinerary which his family then used to target the activist on social media platforms and leaking the false information to local media with the goal of humiliating and further threatening the activist. The perpetrator’s family, alleged Yaghmur was lying about her studies abroad [Yaghmur left for her master’s degree last fall.]

Lawyer Zibeyde Sadigova, who represents Yagmur, said unlawfully obtaining personal information, and spreading it, is a criminal act in itself. However, no further steps have been taken to investigate this criminal act.

Some, including Yagmur’s family, suspect that the perpetrator was not acting alone in hacking into Yagmur’s email and obtaining private flight information and that the State Security Services was on the case as well.

In a separate blackmail attempt, the perpetrator’s family alleged in an interview with a website Axar.az that Yagmur lived in Istanbul and was married to a woman. The claim was later retracted by the perpetrator’s sister in an interview aired on the YouTube show “Let’s talk straight.”

Toplum TV Facebook page hacked via SMS interception

Posted on November 3, 2021November 3, 2021 by aiw_admin

On November 3, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hackers(s) removed several videos, including one Toplum TV shared yesterday, which was a discussion with an opposition politician Ali Karimli. According to the founders who spoke to AIW, the hacker(s) accessed the page through another founder’s Facebook account, deleted videos, page likes, and changed the name of the page. At the time of reporting this story, the Facebook page was recovered.

In a Facebook post, Alasgar Mammadli, one of the founders of the platform explained in detail how the hacker(s) accessed Toplum TV’s Facebook page by compromising his personal account first.

Translation: This morning at 8.54AM local time, my Facebook account was compromised. The compromise was made possible using my personal mobile phone number. The hacker acquired access to personal information illegally. I only learned about what happened half hour later as I was stuck in city traffic, and had limited access both to my mobile phone and personal computer. The compromise was made possible by intercepting an SMS sent to my mobile sim card. Meaning, messages sent to my mobile number, were used in parallel by technical supervisors overseeing the telecommunication system in accordance with telecommunication law. Having accessed my personal account [the hacker(s)] were able to access Toplum TV Facebook page, changing its name, [only] deleting archived videos of live debates with Popular Front and Musavat party leaders, and removing several thousand Page likes. Clearly, the reason behind what happened is political intervention. The absolute lack of tolerance to public debates on Toplum TV’s platform has reached such a level, that the perpetrators unafraid, have committed a criminal act prohibited by Articles 271, 272, and 273 of the Criminal Code. This compromise is an act of crime and a grave violation of freedom of speech, privacy, and security of personal data. I demand that serious investigation and preventive action be taken by relevant authorities working within the information security space.

Toplum TV encouraged its readers and followers in a tweet to support their page after hacking:

Toplum TV-nin facebook səhifəsinə müdaxilə edərək onun adını dəyişdirib öz adları qoyulub (toplan)

Azad mediyaya dəstək olmaq üçün, facebook səhifəmizi bəyənərək, silinən izləyicilərin bərpa edilməsinə yardımçı ola bilərsiniz! pic.twitter.com/YJcPbt5VTS

— Toplumtv (@Toplumtv1) November 3, 2021

Translation: Toplum TV’s Facebook page was compromised and its name changed to their name “toplan”. To support independent media, like our Facebook page, and help restore deleted followers.

SMS interceptions are commonly used in Azerbaijan. Below, are a few excerpts from a recent report published by AIW in partnership with International Partnership for Human Rights on the topic:

The interception of SMS exchanges remains an acute problem in Azerbaijan. In recent years, scores of political activists, journalists, rights defenders, and independent media platforms have had their social media accounts compromised. In many of these cases, those affected have had SMS notification enabled as two-step verification (2FA) procedure for accessing their Facebook accounts. As a result, when their accounts were compromised, they were unable to restore access to the accounts relying on traditional troubleshooting steps offered by social media platforms such as Facebook. Thus, they were unable to retrieve password reset codes sent by Facebook by SMS as their messages were intercepted by the operators, only to be passed on to the relevant government bodies. This experience shows that mobile companies have been involved in many of these attacks. However, none of the operators have taken the blame, so far. The earliest example of SMS surveillance goes back to 2009 when 43 Azerbaijanis voted for Armenia’s entry in the Eurovision Song Contest through votes cast by SMS. A number of these people were summoned and questioned by the security services. In an interview with Azadliq Radio (the Azerbaijani service of Radio Free Europe/Radio Liberty), one of these televoters, Rovshan Nasirli said that the authorities demanded an “explanation” for his vote and told him it was a “matter of national security”. He told the service: “They were trying to put psychological pressure on me, saying things like: ‘You have no sense of ethnic pride. How come you voted for Armenia?’ They made me write out an explanation, and then they let me go.” The authorities did not deny that they had identified and summoned people who voted for Armenia, and argued that they were merely trying to understand the motives of these people.

Three years after the Eurovision scandal, an investigative documentary aired on Swedish TV called ‘’Mission: Investigate” revealed how the Swedish telecommunications giant TeliaSonera, which at the time owned a majority stake of Azercell, allowed “black boxes” to be installed within their telecommunications networks in Azerbaijan from as early as 2008. These boxes enabled security services and police to monitor all network communication, including internet traffic and phone calls in real-time without any judicial oversight. The exposure of these black boxes explains the type of technology the government was deploying already at the time of Eurovision in 2009. The investigation aired by Swedish TV also confirmed that wiretaps were used as evidence in politically motivated cases.

In 2014, an OCCRP investigation revealed how mobile operators were directly passing on information about their users to the respective government authorities. In a country where the government enjoys unprecedented control over the ICT industry and where some of the key players in the market such as mobile operators and ISPs are affiliated with the government or its officials, the findings of the investigation were not at all surprising. The 2014 investigation quoted the director of the Media Rights Institute, Rashid Hajili as saying that both mobile companies and ISPs were obliged to provide special facilities to the Ministry of National Security (MNS)91 for surveillance purposes in accordance with existing legal provisions as explained earlier. In the case of mobile companies, no court approval was sought to eavesdrop on the conversations and SMS exchanges of their customers – a common practice to this day. One of the first accounts of collaboration between mobile companies and the government is that of journalist Agil Khalil. In 2008, Khalil was working on a story about the alleged involvement of MNS employees in corrupt land deals. After taking photographs for the story, he was approached by MNS agents and beaten. The journalist escaped from his attackers and managed to take photos of them. Khalil filed a complaint with the police, and an investigation was opened but eventually dropped, without the perpetrators having been prosecuted or even identified. Soon after turning to the police, the journalist realized that he was being followed. When he filed another complaint with the police about the surveillance, police again failed to follow up. A few days later, Khalil was subjected to a new attack: this time, an unknown assailant stabbed and injured him. Khalil again turned to the police, accusing both the MNS and the mobile operator Azercell (whose services he was using ) of being responsible for the attack. He argued that the operator had helped the MNS to track down his whereabouts, thereby facilitating the attack. The involvement of Azercell in the case became more evident when the operator provided a local court, which examined the journalist’s complaint, with alleged SMS exchanges between Khalil and a man named Sergey Strekalin, who the MNS claimed was Khalil’s lover and had stabbed the journalist out of jealousy. When Khalil’s lawyer requested access to these SMS exchanges, Azercell refused, which called into question the authenticity of these messages. Khalil left Azerbaijan the same year after another attempted attack against him and the continued failure of the authorities to hold his assailants accountable. He took his case to the ECtHR, as a result of which the Azerbaijani government made a so-called unilateral declaration (an official admission) before this court in 2015 that it had violated Khalil’s right to life, freedom from ill-treatment, and freedom of expression and agreed to pay 28 000 EUR in compensation to him. As the government made this admission, there was no ECtHR ruling on the case.

In September, Toplum TV reported it lost 16k followers on its Facebook page. Facebook failed to explain how and why this took place.

Hacks and compromised accounts continue to target journalists and activists in Azerbaijan [updated September 13]

Posted on September 10, 2021September 30, 2021 by aiw_admin

Account compromise, website hacks, DDoS attempts, phishing are just a handful of tactics used to target journalists, rights defenders, and activists in Azerbaijan.

Here is a list of new cases:

Earlier in July, Azerbaijan Internet Watch reported a phishing attack that targeted some of the civil society activists. Following a forensic investigation carried out in partnership with Qurium, it was possible to confirm that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Then the civil society was targeted with another phishing, this time the sender pretended to be the National Endowment for Democracy inviting recipients of the email to apply for a Pegasus Grant.

Preliminary forensic results indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International:

The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites

The malware that was observed is not sophisticated, and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.

The same month, Azerbaijan Internet Watch received confirmation that the former political prisoner, Tofig Yagublu’s Facebook profile was subject to numerous hacking attempts.

In early August, former leader of the opposition Musavat party, Isa Gambar reported that all of his social media accounts were compromised including his Facebook profile, Facebook page, and Instagram account.

The hackers, who took hold of Gambar’s Facebook profile, changed settings, recovery emails, and an affiliated phone number, and have since then shared irrelevant posts.

On August 27, the website for popular platform HamamTimes was hacked. The team behind the platform, reported all of its content removed, suspecting that the hackers used the site’s vulnerability as a result of weak security protocols in place. So far, HamamTimes, managed to restore all of the website’s archive of stories however its hosting remains vulnerable to new targeting.

HamamTimes was targeted before as reported by Azerbaijan Internet Watch in a mass phishing attack.

On September 4, editor of anews.az news website, Naila Balayeva, reported that her Facebook account was compromised. The hacker switched the email account and the phone number originally registered for the profile. Although Balayeva was able to restore access to her email and change the emails, according to the journalist, the hacker continues to use Facebook as the owner often deleting posts that are critical either of the police or the government institutions.

Anews.az and Balayeva were targeted before. Last year, several Facebook pages affiliated with the website were hacked.

While it was possible to provide assistance in some of the cases, the response from platforms like Facebook, especially in the case of Gambar has been slow and at times, comical. So far, twice, the platform requested new emails not associated with the platform or any of its apps and twice, Gambar sent proof of identity.

[Update] On September 9, political activist Bakhtiyar Hajiyev was reportedly threatened by Baku Police Chief Alekper Ismayilov over a Facebook post, that Hajiyev wrote the same day. The post, Hajiyev wrote on Facebook was addressing the Ministry of the Interior, specifically the Minister of the Interior, Vilayat Eyvazov. The activist alleged the ministry was delaying a response to his complaint submitted 50 days ago over a street hooligan.

[From Hajiyev’s post on Facebook published on September 9, 2021] Instead of investigating why my Ministry of the Interior cannot question street hooligan, who is refusing to speak to them, humiliating police officers who show up at [the hooligan’s] home, Vilayat Eyvazov is going after me for reminding [the Ministry] of my complaint and is threatening me with arrest, death and blackmailing.

The activist told Turan News Agency that he was summoned to the police on September 9 where Baku Police Chief, Alekper Ismayilov allegedly told Hajiyev less he removes the Facebook post, the activist would face a greater punishment than arrest.

On September 12, Gubad Ibadoglu, Azerbaijani academic, and an economist reported that his Facebook profile and page were compromised. In an interview with Turan News Agency, Ibadoglu said despite his attempts to strengthen the security of his accounts, they were compromised anyway. “I got a message this morning that my password was changed using my own computer. This means that the hackers of the Azerbaijani government, even in London,” Ibadoglu told Turan. The fact that he received a notification informing him that his computer was the device from which the passwords were changed, means the device was infected with a virus containing some form of keylogger. It won’t be the first time, this type of information extraction is used to target Azerbaijani civil society.

[Update] In September, online news platform Toplum TV, reported it lost 16k followers on its Facebook page.

how to silence corruption: the tale of one citizen journalist and a government that does not want people to know the truth

Posted on March 9, 2021 by aiw_admin

The tale of corruption in Azerbaijan is no news to anyone familiar with the country’s history of money laundering, slush funds, and other fraudulent misconduct. From countless investigations, such as Caviar Diplomacy, Azerbaijani Laundromat and Panama Papers, and most recently OCCRP report about massive weapons deal with Congo-Brazzaville, the extent of involvement of key leadership figures of Azerbaijan in numerous financial schemes, deals, and investments, is astonishing. For years, the journalists who have been involved in these investigations have been and continue to be targeted. The most recent target is Mehman Huseynov, 28, a popular citizen journalist, and editor-in-chief of the SANCAQ, a socio-political magazine, which documents extensive corrupt practices and violations of human rights in Azerbaijan. Huseynov, shares his findings in short videos, explained in simple language, often with a touch of humor.

In 2017, shortly after President Ilham Aliyev, appointed his wife, Mehriban Aliyeva as the First Vice President, Huseynov did a short video, asking male residents of Baku, whether they would appoint their wives as first secretaries if they were heads of companies. Huseynov was arrested the following day and later ended up serving a two-year prison term on charges of slander. Some speculated this satirical video was the real cause behind the journalist’s arrest.

Ahead of his release from jail in 2019, the authorities attempted at keeping him behind bars, albeit unsuccessfully, and Huseynov was released.

This is not the first time Huseynov was persecuted for his activities. He was questioned by the police countless times, threatened, intimidated, placed under a travel ban for five years, his personal documents were confiscated. The Human Rights House Foundation has documented in detail the reprisals against Huseynov in recent years.

Realising, physical surveillance, and intimidation were not enough, Huseynov’s Sancaq TV became a target.

Hacking alert: Instagram

Due to the popularity of his channel [Sancaq TV has a large following on Facebook, Instagram, and YouTube], there have been numerous attempts to break-in into Sancaq TV’s social media accounts. Huseynov was able to keep his accounts secure until he took time off from social media ahead of a medical operation after being diagnosed with cancer. The treatment and the operation were successful. It was time, for Huseynov to slowly pick up on where he left off.

Little did he know, that one of Sancaq TV’s social media accounts was compromised. “Unfortunately, government officials took advantage of my illness and in my absence hacked Sancaq TV’s Instagram account. They sent fake messages on behalf of Instagram to my Azerbaijani mobile number and gained access,” explained Huseynov in his recollections to AIW.

Months after Huseynov reported about the interception, it was possible to restore access to Sancaq TV’s Instagram account.

Hacking alert: Facebook

Since his recovery from cancer, Huseynov returned to Azerbaijan, from where he continued working on investigations into government corruption. Sancaq TV has featured some 13 separate investigations since then.

These investigations however have once again triggered perpetrators to silence Huseynov by taking over Sancaq TV’s Facebook page. While they have been unsuccessful in hacking the page, several fake Facebook pages called Sancaq TV have been created. The “owners” of these accounts are using these pages to report the original Sancaq TV Facebook page in an attempt to take it down on the grounds, that it is fake. Sancaq TV’s most recent expose explores a man named Gorxmaz Huseynov, the head of Azerbaijan Water Supply company, whose personal wealth is measured in multimillion-dollar businesses, from hospitals to tourism companies with zero accountability and transparency.

So far, Huseynov remains defiant in his fight against corruption in Azerbaijan but so do the perpetrators behind the digital persecution campaign. Sancaq TV’s social media accounts can be accessed on Facebook, Instagram, and YouTube.

facebook page affiliated with opposition hacked, again

Posted on September 16, 2020 by aiw_admin

On September 10, the Facebook page that belongs to an online news website bastainfo.com was hacked. Bastainfo.com is affiliated with the opposition party Musavat and is known for often running into problems with the authorities. Its editor was handed a five year suspended sentence in February 2019. The website bastainfo.com remains blocked for access in Azerbaijan.

In January 2020, Azerbaijan Internet Watch reported how several Musavat party social media accounts were targeted. According to preliminary reports five Facebook pages, one Facebook group, and one website were targeted.

Bastainfo.com page was targeted then as well. The page lost followers. During last week’s attack, bastainfo.com page lost some 5k followers, and content that was shared since 2017.

Hacking and compromising Facebook, Instagram, and YouTube accounts (because these are popular platforms used by journalists and activists) is common in Azerbaijan and isn’t new. The online harassment of prominent accounts began several years ago at first, mostly on the level of government-sponsored trolls. Over the years, as the ruling government developed an interest in spyware technology, the types of attacks became more sophisticated while state-sponsored trolling and reliance on automated bots even though still used, became secondary. In each of these cases, finding the perpetrators have not been possible. And in cases when it was clear the attacker was an automated bot/state-sponsored troll the platform took no action. We finally know why. A former Facebook employee, Sophie Zhang, wrote a memo after getting fired from her job at the company revealing how the company dealt with fake accounts and bots. Among the countries, she has worked on and analyzed was Azerbaijan. “Ms. Zhang discovered that the ruling political party in Azerbaijan was also using false accounts to harass opposition figures. She flagged the activity over a year ago, she said, but Facebook’s investigation remains open and officials have not yet taken action over the accounts.”

activist blackmailed online [updated September 9]

Posted on September 8, 2020September 14, 2020 by aiw_admin

Rustam Ismayilbeyli is an 18-year-old activist from Azerbaijan who was arrested earlier this summer for staging a protest outside the Ministry of Education. Together with a group of students, he was demanding that the Ministry cancels tuition fees and exams for the academic semester as a result of Covid19. After three of the organizers including Ismayilbeyli were admitted to the ministry police dispersed the crowd and arrested Ismayilbeyli as soon as he exited the government building.

Ismayilbely was sentenced to 15 days in administrative detention on charges of allegedly disobeying police and violating the quarantine requirements.

During his detention, his social media accounts and email were hacked. Although he was able to restore access, he was among targets on June 15 when someone with access to his National ID requested a password reset from the social media platform Facebook. It took Ismayilbeyli two months to recover his account.

On September 7, a fake profile that belonged to the state security informed Ismayilbeyli that unless he steps down from being an organizer of an upcoming rally and starts collaborating with them, personal information including intimate photos of Ismayilbeyli and his girlfriend will be sent to his friends and acquaintances.

The first account that threatened Ismayilbeyli had since been removed, the second account that did post personal information has removed the post. Instead, Ismayilbeyli told AzNetWatch, the same information is sent around via Whatsapp messenger, with the US number. His email and cloud were compromised during his arrest and Ismayilbeyli suspects, this is when these images were acquired.

Using burner numbers on WhatsApp targeting activists is not new in Azerbaijan. There are plenty of resources online that actually share tips on how to create a secondary line on WhatsApp. What is problematic however is up until now, it was not possible to identify the perpetrators.

On September 9, Ismayilbeyli also reported an attempted break-in into his Telegram account. In a tweet Ismayilbeyli said he keeps receiving verification codes via SMS on his mobile but because he had 2FA in place the account was not compromised.

Telegram hesablarımıza müdaxilə var. Əsas Telegram accountuma girməyə çalışdılar, indi də digər işlətmədiyim nömrəmlə yeni Telegram accountu açıblar, niyə bilmirəm.

— Rüstəm İsmayılbəyli (@demokratelebe) September 9, 2020

Translation: There is an attempt to break in my telegram account. They tried taking over my main Telegram account. Now, using a number that I normally don’t use, they have opened a new account. Not sure why.

Bu dəqiqə mənə gələn smsləri oxuyub verification code’la telegram’a girməyə çalışırlar, amma two step’i keçə bilmirlər.

— Rüstəm İsmayılbəyli (@demokratelebe) September 9, 2020

Translation: Right now, reading the verification codes I am receiving via SMS, they are trying to break into my Telegram account, but they can’t get past the 2FA.

Older posts