Toplum TV Facebook page hacked via SMS interception

On November 3, the founders of Toplum TV, an online news platform, said their Facebook page was hacked. Hacker(s) removed several videos, including one Toplum TV shared yesterday, which was a discussion with opposition politician Ali Karimli. According to the founders who spoke to AIW, the hacker(s) accessed the page through another founder’s Facebook account, deleted videos and page likes, and changed the name of the page. At the time of reporting this story, the Facebook page had been recovered.

In a Facebook post, Alasgar Mammadli, one of the founders of the platform, explained in detail how the hacker(s) accessed Toplum TV’s Facebook page by compromising his personal account first.

Translation: This morning at 8.54AM local time, my Facebook account was compromised. The compromise was made possible using my personal mobile phone number. The hacker acquired access to personal information illegally. I only learned about what happened half an hour later as I was stuck in city traffic, and had limited access both to my mobile phone and personal computer. The compromise was made possible by intercepting an SMS sent to my mobile SIM card. Meaning, messages sent to my mobile number were used in parallel by technical supervisors overseeing the telecommunication system in accordance with telecommunication law. Having accessed my personal account [the hacker(s)] were able to access Toplum TV Facebook page, changing its name, [only] deleting archived videos of live debates with Popular Front and Musavat party leaders, and removing several thousand Page likes. Clearly, the reason behind what happened is political intervention. The absolute lack of tolerance to public debates on Toplum TV’s platform has reached such a level that the perpetrators, unafraid, have committed a criminal act prohibited by Articles 271, 272, and 273 of the Criminal Code. This compromise is an act of crime and a grave violation of freedom of speech, privacy, and security of personal data. I demand that serious investigation and preventive action be taken by relevant authorities working within the information security space.

Toplum TV encouraged its readers and followers in a tweet to support their page after the hack:

Translation: Toplum TV’s Facebook page was compromised and its name changed to their name “toplan”. To support independent media, like our Facebook page, and help restore deleted followers.

SMS interceptions are commonly used in Azerbaijan. Below are a few excerpts from a recent report on the topic published by AIW in partnership with International Partnership for Human Rights:

The interception of SMS exchanges remains an acute problem in Azerbaijan. In recent years, scores of political activists, journalists, rights defenders, and independent media platforms have had their social media accounts compromised. In many of these cases, those affected have had SMS notification enabled as a two-step verification (2FA) procedure for accessing their Facebook accounts. As a result, when their accounts were compromised, they were unable to restore access to the accounts relying on traditional troubleshooting steps offered by social media platforms such as Facebook. Thus, they were unable to retrieve password reset codes sent by Facebook by SMS as their messages were intercepted by the operators, only to be passed on to the relevant government bodies. This experience shows that mobile companies have been involved in many of these attacks. However, none of the operators have taken the blame, so far. The earliest example of SMS surveillance goes back to 2009 when 43 Azerbaijanis voted for Armenia’s entry in the Eurovision Song Contest through votes cast by SMS. A number of these people were summoned and questioned by the security services. In an interview with Azadliq Radio (the Azerbaijani service of Radio Free Europe/Radio Liberty), one of these televoters, Rovshan Nasirli, said that the authorities demanded an “explanation” for his vote and told him it was a “matter of national security”. He told the service: “They were trying to put psychological pressure on me, saying things like: ‘You have no sense of ethnic pride. How come you voted for Armenia?’ They made me write out an explanation, and then they let me go.” The authorities did not deny that they had identified and summoned people who voted for Armenia, and argued that they were merely trying to understand the motives of these people.

Three years after the Eurovision scandal, an investigative documentary aired on Swedish TV called “Mission: Investigate” revealed how the Swedish telecommunications giant TeliaSonera, which at the time owned a majority stake of Azercell, allowed “black boxes” to be installed within their telecommunications networks in Azerbaijan from as early as 2008. These boxes enabled security services and police to monitor all network communication, including internet traffic and phone calls in real-time without any judicial oversight. The exposure of these black boxes explains the type of technology the government was deploying already at the time of Eurovision in 2009. The investigation aired by Swedish TV also confirmed that wiretaps were used as evidence in politically motivated cases.

In 2014, an OCCRP investigation revealed how mobile operators were directly passing on information about their users to the respective government authorities. In a country where the government enjoys unprecedented control over the ICT industry and where some of the key players in the market such as mobile operators and ISPs are affiliated with the government or its officials, the findings of the investigation were not at all surprising. The 2014 investigation quoted the director of the Media Rights Institute, Rashid Hajili, as saying that both mobile companies and ISPs were obliged to provide special facilities to the Ministry of National Security (MNS) for surveillance purposes in accordance with existing legal provisions as explained earlier. In the case of mobile companies, no court approval was sought to eavesdrop on the conversations and SMS exchanges of their customers – a common practice to this day. One of the first accounts of collaboration between mobile companies and the government is that of journalist Agil Khalil. In 2008, Khalil was working on a story about the alleged involvement of MNS employees in corrupt land deals. After taking photographs for the story, he was approached by MNS agents and beaten. The journalist escaped from his attackers and managed to take photos of them. Khalil filed a complaint with the police, and an investigation was opened but eventually dropped, without the perpetrators having been prosecuted or even identified. Soon after turning to the police, the journalist realized that he was being followed. When he filed another complaint with the police about the surveillance, police again failed to follow up. A few days later, Khalil was subjected to a new attack: this time, an unknown assailant stabbed and injured him. Khalil again turned to the police, accusing both the MNS and the mobile operator Azercell (whose services he was using) of being responsible for the attack.
He argued that the operator had helped the MNS to track down his whereabouts, thereby facilitating the attack. The involvement of Azercell in the case became more evident when the operator provided a local court, which examined the journalist’s complaint, with alleged SMS exchanges between Khalil and a man named Sergey Strekalin, who the MNS claimed was Khalil’s lover and had stabbed the journalist out of jealousy. When Khalil’s lawyer requested access to these SMS exchanges, Azercell refused, which called into question the authenticity of these messages. Khalil left Azerbaijan the same year after another attempted attack against him and the continued failure of the authorities to hold his assailants accountable. He took his case to the ECtHR, as a result of which the Azerbaijani government made a so-called unilateral declaration (an official admission) before this court in 2015 that it had violated Khalil’s right to life, freedom from ill-treatment, and freedom of expression and agreed to pay 28 000 EUR in compensation to him. As the government made this admission, there was no ECtHR ruling on the case.

In September, Toplum TV reported it lost 16k followers on its Facebook page. Facebook failed to explain how and why this took place. 

Hacks and compromised accounts continue to target journalists and activists in Azerbaijan [updated September 13]

Account compromise, website hacks, DDoS attempts, and phishing are just a handful of the tactics used to target journalists, rights defenders, and activists in Azerbaijan.

Here is a list of new cases: 

Earlier in July, Azerbaijan Internet Watch reported a phishing attack that targeted some civil society activists. Following a forensic investigation carried out in partnership with Qurium, it was possible to confirm that the email was indeed malicious. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of Windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.”

Then civil society was targeted with another phishing attack; this time the sender pretended to be the National Endowment for Democracy, inviting recipients of the email to apply for a Pegasus Grant.

Preliminary forensic results indicated that the malware sent around in this email was similar to that of a phishing campaign from 2017 that was widely covered and reported by Amnesty International:

The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites.

The malware that was observed is not sophisticated, and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.

The same month, Azerbaijan Internet Watch received confirmation that the Facebook profile of former political prisoner Tofig Yagublu was subject to numerous hacking attempts.

In early August, the former leader of the opposition Musavat party, Isa Gambar, reported that all of his social media accounts were compromised, including his Facebook profile, Facebook page, and Instagram account.

The hackers, who took hold of Gambar’s Facebook profile, changed settings, recovery emails, and an affiliated phone number, and have since then shared irrelevant posts. 

On August 27, the website of the popular platform HamamTimes was hacked. The team behind the platform reported that all of its content was removed, suspecting that the hackers exploited a vulnerability in the site resulting from weak security protocols. So far, HamamTimes has managed to restore the website’s entire archive of stories; however, its hosting remains vulnerable to new targeting.

HamamTimes was targeted before in a mass phishing attack, as reported by Azerbaijan Internet Watch.

On September 4, the editor of the anews.az news website, Naila Balayeva, reported that her Facebook account was compromised. The hacker switched the email account and the phone number originally registered for the profile. Although Balayeva was able to restore access to her email and change the emails, according to the journalist, the hacker continues to use Facebook as the owner, often deleting posts that are critical of either the police or government institutions.

Anews.az and Balayeva were targeted before. Last year, several Facebook pages affiliated with the website were hacked. 

While it was possible to provide assistance in some of the cases, the response from platforms like Facebook, especially in the case of Gambar, has been slow and, at times, comical. So far, the platform has twice requested new emails not associated with the platform or any of its apps, and twice Gambar sent proof of identity.

[Update] On September 9, political activist Bakhtiyar Hajiyev was reportedly threatened by Baku Police Chief Alekper Ismayilov over a Facebook post that Hajiyev wrote the same day. The post was addressed to the Ministry of the Interior, specifically the Minister of the Interior, Vilayat Eyvazov. The activist alleged the ministry was delaying a response to a complaint he submitted 50 days ago over a street hooligan.

[From Hajiyev’s post on Facebook published on September 9, 2021] Instead of investigating why my Ministry of the Interior cannot question a street hooligan, who is refusing to speak to them, humiliating police officers who show up at [the hooligan’s] home, Vilayat Eyvazov is going after me for reminding [the Ministry] of my complaint and is threatening me with arrest, death and blackmailing.

The activist told Turan News Agency that he was summoned to the police on September 9, where Baku Police Chief Alekper Ismayilov allegedly told Hajiyev that unless he removed the Facebook post, the activist would face a greater punishment than arrest.

On September 12, Gubad Ibadoglu, an Azerbaijani academic and economist, reported that his Facebook profile and page were compromised. In an interview with Turan News Agency, Ibadoglu said that despite his attempts to strengthen the security of his accounts, they were compromised anyway. “I got a message this morning that my password was changed using my own computer. This means that the hackers of the Azerbaijani government, even in London,” Ibadoglu told Turan. The fact that he received a notification informing him that his computer was the device from which the passwords were changed means the device was infected with a virus containing some form of keylogger. It would not be the first time this type of information extraction has been used to target Azerbaijani civil society.

[Update] In September, online news platform Toplum TV reported it lost 16k followers on its Facebook page.

How to silence corruption: the tale of one citizen journalist and a government that does not want people to know the truth

The tale of corruption in Azerbaijan is no news to anyone familiar with the country’s history of money laundering, slush funds, and other fraudulent misconduct. From countless investigations, such as Caviar Diplomacy, Azerbaijani Laundromat and Panama Papers, and most recently the OCCRP report about a massive weapons deal with Congo-Brazzaville, the extent of involvement of key leadership figures of Azerbaijan in numerous financial schemes, deals, and investments is astonishing. For years, the journalists who have been involved in these investigations have been and continue to be targeted. The most recent target is Mehman Huseynov, 28, a popular citizen journalist and editor-in-chief of SANCAQ, a socio-political magazine which documents extensive corrupt practices and violations of human rights in Azerbaijan. Huseynov shares his findings in short videos, explained in simple language, often with a touch of humor.

In 2017, shortly after President Ilham Aliyev appointed his wife, Mehriban Aliyeva, as the First Vice President, Huseynov did a short video asking male residents of Baku whether they would appoint their wives as first secretaries if they were heads of companies. Huseynov was arrested the following day and later ended up serving a two-year prison term on charges of slander. Some speculated this satirical video was the real cause behind the journalist’s arrest.

Ahead of his release from jail in 2019, the authorities attempted to keep him behind bars, albeit unsuccessfully, and Huseynov was released.

This is not the first time Huseynov was persecuted for his activities. He was questioned by the police countless times, threatened, intimidated, placed under a travel ban for five years, and had his personal documents confiscated. The Human Rights House Foundation has documented in detail the reprisals against Huseynov in recent years.

With physical surveillance and intimidation evidently not enough, Huseynov’s Sancaq TV became a target.

Hacking alert: Instagram

Due to the popularity of his channel [Sancaq TV has a large following on Facebook, Instagram, and YouTube], there have been numerous attempts to break into Sancaq TV’s social media accounts. Huseynov was able to keep his accounts secure until he took time off from social media ahead of a medical operation after being diagnosed with cancer. The treatment and the operation were successful. It was time for Huseynov to slowly pick up where he left off.

Little did he know that one of Sancaq TV’s social media accounts was compromised. “Unfortunately, government officials took advantage of my illness and in my absence hacked Sancaq TV’s Instagram account. They sent fake messages on behalf of Instagram to my Azerbaijani mobile number and gained access,” explained Huseynov in his recollections to AIW.

Months after Huseynov reported the interception, it was possible to restore access to Sancaq TV’s Instagram account.

Hacking alert: Facebook 

Since his recovery from cancer, Huseynov has returned to Azerbaijan, from where he has continued working on investigations into government corruption. Sancaq TV has featured some 13 separate investigations since then.

These investigations, however, have once again prompted perpetrators to try to silence Huseynov by taking over Sancaq TV’s Facebook page. While they have been unsuccessful in hacking the page, several fake Facebook pages called Sancaq TV have been created. The “owners” of these accounts are using these pages to report the original Sancaq TV Facebook page in an attempt to take it down on the grounds that it is fake. Sancaq TV’s most recent exposé explores a man named Gorxmaz Huseynov, the head of Azerbaijan Water Supply company, whose personal wealth is measured in multimillion-dollar businesses, from hospitals to tourism companies, with zero accountability and transparency.

So far, Huseynov remains defiant in his fight against corruption in Azerbaijan, but so do the perpetrators behind the digital persecution campaign. Sancaq TV’s social media accounts can be accessed on Facebook, Instagram, and YouTube.

Facebook page affiliated with opposition hacked, again

On September 10, the Facebook page that belongs to the online news website bastainfo.com was hacked. Bastainfo.com is affiliated with the opposition party Musavat and is known for often running into problems with the authorities. Its editor was handed a five-year suspended sentence in February 2019. The website bastainfo.com remains blocked in Azerbaijan.

In January 2020, Azerbaijan Internet Watch reported how several Musavat party social media accounts were targeted. According to preliminary reports, five Facebook pages, one Facebook group, and one website were targeted.

The bastainfo.com page was targeted then as well. The page lost followers. During last week’s attack, the bastainfo.com page lost some 5k followers and content that was shared since 2017.

Hacking and compromising Facebook, Instagram, and YouTube accounts (because these are popular platforms used by journalists and activists) is common in Azerbaijan and isn’t new. The online harassment of prominent accounts began several years ago, at first mostly at the level of government-sponsored trolls. Over the years, as the ruling government developed an interest in spyware technology, the types of attacks became more sophisticated, while state-sponsored trolling and reliance on automated bots, even though still used, became secondary. In each of these cases, finding the perpetrators has not been possible. And in cases when it was clear the attacker was an automated bot/state-sponsored troll, the platform took no action. We finally know why. A former Facebook employee, Sophie Zhang, wrote a memo after getting fired from her job at the company, revealing how the company dealt with fake accounts and bots. Among the countries she worked on and analyzed was Azerbaijan. “Ms. Zhang discovered that the ruling political party in Azerbaijan was also using false accounts to harass opposition figures. She flagged the activity over a year ago, she said, but Facebook’s investigation remains open and officials have not yet taken action over the accounts.”

Hacking alert: activists and journalists targeted online [ongoing, last update September 10]

Several activists and journalists had their Facebook accounts compromised in recent weeks in Azerbaijan. 

At the end of June, a veteran human rights lawyer, Intigam Aliyev, reported a break-in attempt into his Facebook profile. A few days later, the opposition group D18 reported their Facebook page was compromised. On July 2, journalist Aysel Umudova and activist Rustam Ismayilbeyli received messages from the Facebook platform informing them their passwords were reset. This happened despite the fact that both users had 2FA enabled on their accounts. On July 6, journalist Fatima Movlamli’s Facebook profile was compromised. Yet again, despite 2FA and a secure email service, the account was taken over by unknown users. Finally, on July 14, multiple social media users reported receiving password reset messages even though no such requests were made by the users.

Targeting of social media profiles and pages is common in Azerbaijan. In recent years, hacking of prominent accounts has led to mass content removal and loss of followers and subscribers. On YouTube, owners of popular channels report that their videos are taken down by the platform due to copyright violation reports, that they have received strikes and, in some cases, that their accounts were deactivated by the platform. And yet further investigations indicate that these copyright violation reports are in fact submitted by fake accounts and that the actual cause of the strike is nothing but a fluke.

This type of deliberate targeting limits the work of targeted account owners, whether they are human rights defenders, journalists, media platforms, or political activists. Responding to these digital attacks takes time; it also requires having the right contacts at platforms, either directly or through third parties. In addition, once the account is compromised, the account owner no longer has access to their platform for outreach, is unable to share their work/updates, and faces the reality of losing their audience.

While there is some evidence that the attacks originate from government-affiliated institutions, it’s been virtually impossible to prevent them from happening and keep the online community safe.

On September 10, Nigar Hezi, a political activist, said there was an attempt to compromise her Facebook account.  

Opposition activist’s Instagram account hacked [updated]

On May 9, the Instagram account of Azerbaijani politician Gultekin Hajibeyli was hacked and taken down. Instead, a fake profile impersonating Hajibeyli was set up, with her private mobile phone number shared publicly in the profile description. Hajibeyli was targeted online previously.

Such attacks are common in Azerbaijan, where opposition politicians and independent activists are targeted online. Account “break-ins”, impersonations, blackmailing posts, and content takedown requests on YouTube for alleged copyright violations are among the popular harassment tactics in practice.

Unlawfully obtained personal information of an intimate nature, including photos, videos, and email exchanges, is commonly used to target women activists. The most recent example is an online harassment campaign launched against Amina Rustamzade, the wife of political activist and former political prisoner Ilkin Rustamzade. Leaked personal pictures were shared on Facebook and Instagram by various accounts.

On May 12, the account impersonating Hajibeyli was successfully removed from Instagram.

On May 13, a new fake Instagram profile was created.