A year in review – from online attacks to overall environment of internet censorship in Azerbaijan

The following overview covers some of the prolific trends which illustrate the scope of digital authoritarianism and information controls in Azerbaijan observed and documented in the past year. 

Introduction 

This report covers the online attacks targeting personal information and devices of human rights defenders, activists, and democracy advocates in 2022. The data is collected through media monitoring and information that was made available by targeted individuals who received support and assistance in mitigating the targeting.  

Overall, 2022 has been no different than recent years in terms of online attacks and internet censorship observed in Azerbaijan. Activists, human rights defenders, and democracy advocates received phishing attacks and were summoned to law-enforcement bodies for criticism voiced online where their personal data and devices were often interfered with in the absence of the owner’s consent. 

In some cases, there were reported hacking attempts and installed spyware programs. In January – December 2022, we observed overall 10 such cases.

Hacking and phishing attacks usually targeted the social media and email accounts of targeted community members. These were possible through the interception of SMS messages (set up as 2FA). In fact, SMS interception has been the main practice, leading to the hacking of scores of personal accounts, the paralyzation of social media accounts, the deletion of online posts, and the dissemination of personal information belonging to the targets.

Among some of the prominent cases was political activist Bakhtiyar Hajiyev whose social media accounts were targeted on multiple accounts. Hajiyev was also kidnapped twice in April and August 2022 and he was taken to the law-enforcement bodies. Police gained access to his social media accounts by force and removed posts that were critical of the authorities and state institutions. Hajiyev was arrested on December 9, on bogus charges, and sentenced to 50 days in administrative detention [shortly after his arrest Hajiyev announced he was going on a hunger strike. According to media reports, he stopped the strike on December 29, 2022]. 

Another civil society member, Imran Aliyev was also kidnapped by the Main Department for Combatting Organized Crime where his devices and social media accounts were compromised against his will.

Abulfaz Gurbanli, also an active member of civil society, was phished through an email and WhatsApp messages in February 2022. A file disguised as grant-related information from a known donor organization containing a virus was sent to Gurbanli via his email. On WhatsApp, the activist received a message from someone impersonating herself as a BBC Azerbaijan Service journalist. The targeting resulted in the installation of spyware on his device and the hacking of his social media accounts. 

At the time, Az-Net Watch requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. The further forensic report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll which look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” read the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages). 

Az-Net Watch previously documented attacks through phishing emails sent to civil society activists last year. At the time, an email impersonating a donor organization was sent to a group of activists encouraging them to apply for a Pegasus Grant. Preliminary forensic results carried out at the time indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: “The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites. “The malware that was observed is not sophisticated and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.”

In another case, an online media outlet – ToplumTV – social media accounts were hacked by intercepting incoming SMS, set up as a two-step authentication method. This resulted in the removal of countless news posts as well as subscribers to the channel’s social media account. The media outlet was previously targeted in September and November 2021 – in both instances, the social media accounts were hacked by SMS interception.

Feminist activists also witnessed a surge in online phishing attacks and hacking attempts ahead of the International Women’s Day protest scheduled to take place on March 8, 2022. At least three activists received support to ensure online safety during this period. Similar attacks and targeting were documented last year. In addition to compromised accounts, some feminist activists have faced account impersonation. Most recently, activist Narmin Shahmarzade reported to Az-Net Watch, that a fake Instagram account impersonating the activist shared Sharmazade’s photos in the absence of her consent with inappropriate captions. Az-Net Watch is currently working with the platform to remove the fake account. 

Users of social media platforms, who posted critical of the government comments and posts, were also summoned to law- enforcement bodies where they were either forced to hand in their devices and passwords to their social media accounts or to delete their posts that were critical of the government. At least in 5 cases, activists and bloggers faced administrative arrests and interference with their social media accounts for their criticism online and activism. 

One of the most recently documented cases includes a blogger who was called into questioning after sharing a video on Facebook of the traffic police accepting a bribe. The blogger was forced to remove the video after the questioning at the police station. Aziz told Meydan TV that police threatened to keep him less he removed the video. After Aziz told the local media about the pressure from the police, the blogger was called back into the questioning together with his parents. 

In November, prominent lawyer, Elchin Sadigov said the law enforcement refused to return his mobile devices after the lawyer, would not share his passwords. Sadigov was arrested in September 2022 together with an editor of an independent outlet. In an interview with Meydan TV, Sadigov said, he considered demands that he shares his login credentials were a violation of privacy. 

Also in November, a member of D18 political movement, Afiaddin Mammadov, who was arrested on bogus charges and sentenced to 30 days in administrative detention said he was tortured by the local police officers after refusing to share his password to his device.

Other documented instances of social media users targeted over their online criticism this year include: 

In April, Meta released its pilot quarterly Adversarial Threat Report in which the platform said it identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. According to the report, these coordinated online cyberattacks targeted journalists, civil society activists, human rights defenders, and members of opposition parties and movements in Azerbaijan. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

Azerbaijan was also among countries identified in Pegasus leaks targeting some 80 government critics among one thousand other Azerbaijanis identified in the targeting with Pegasus spyware. 

The attacks and support provided, in the course of the past year, illustrate that no matter how well-prepared political activists and members of civil society are in Azerbaijan, digital security awareness is insufficient in autocratic contexts like Azerbaijan. 

We also observed that existing legal remedies in the country are insufficient to find perpetrators behind such targeting and hold them to account. While in a few instances targeted community members filed official complaints, the investigative authorities showed reluctance in effectively investigating the incidents. 

This year, Az-Net Watch published this detailed report about litigating Pegasus in Azerbaijan in which together with a legal expert we conclude that existing national legislation concerning privacy and surveillance is insufficient, and is left to vague and often overt interpretation in the hands of law enforcement and prosecutor office. As such, Azerbaijan continues to systematically fail in providing effective legal remedies and sound investigations against state-sponsored digital attacks and surveillance. Moreover, despite evidence-based reports of targeted and coordinated cyber attacks against activists, the government thus far has not investigated and/or provided effective legal guarantees. And in all cases filed for investigations, nearly a year later after Pegasus spyware has been identified to be in use, the law enforcement authorities are yet to take formal investigative actions. 

In another report published this year together with a legal expert, Az-Net Watch identified serious gaps in data privacy protection mechanisms in Azerbaijan. Our analysis indicated that the national legislation on personal data protection does not effectively protect individuals against the arbitrary use of their personal data by both public and private entities. The analysis also indicated that the national laws restrict and control personal data with intrusive measures, such as equipping telecom networks with special devices, and real-time access to vast amounts of personal data, in the absence of a criminal investigation or judicial order. 

Conclusion 

These and other instances of digital threats and offline persecution for online activism illustrate that internet freedom in Azerbaijan continues to decline with no signs of abating. For yet another year, Azerbaijan was ranked “not free” in Freedom on the Net 2022 report released by Freedom House. In addition to scores of news websites currently blocked in the country (a practice observed since 2017), the state has also resorted to blocking or throttling access to social media platforms and communication applications in recent years. In September 2022 the state demonstrated its control over the internet by blocking access to TikTok on the grounds the platform was casting a shadow over military activities, revealing military secrets, and forming wrong public opinion. The blocking was carried out amid renewed military tensions between Armenia and Azerbaijan. Other users said they experienced issues accessing WhatsApp, Telegram, and slow internet connectivity speeds. Previously, during the second Karabakh war (in 2020), users in Azerbaijan faced internet restrictions as well. 

Civic activists in Azerbaijan express concern over state control of the internet at a time, when social media platforms, and independent as well as opposition online news sites have become the sole sources of alternative information accessible to the public outside of traditional media. 

The present environment is further exacerbated by the continued crackdown on civic activists as in the case of Bakhtiyar Hajiyev mentioned earlier in the report. In addition, a number of critical bills approved by the parliament this year, demonstrate a profound lack of interest on behalf of the state to ensure basic freedoms including freedom of the media and of association. As of February 2022, a restrictive new media law compels online media outlets to register with the government agency and has imposed a number of other critical requirements and criteria that critics say only serve the purpose of silencing independent journalists and news platforms. 

On December 16, 2022, the parliament also approved a critical bill on political parties, introducing a new set of exhaustive restrictions on political parties. 

As such, Azerbaijani civil society is facing a turbulent year ahead both offline and online in an environment dominated by state control on all forms of dissent leaving many wondering how far the state is willing to go to silence the critics. 

police detains peace activist. meanwhile activists face restrictions on Facebook [Updated October 24]

[Update] Speaking to a group of journalists on October 20, activist Ahmed Mammadli said his arrest was ordered by the state and that he was now being sent against his will to complete the compulsory military service less he drops his advocacy around peaceful coexistence between the two nations. The authorities said they would guarantee his safety and allow him to pursue his education abroad if he complied. But Mammadli is defiant and vowed to fight such measures from happening to any activist in the country. “I and our movement, won’t allow for this to happen again,” said Mammadli. “I refused their offer because my values are not for sale,” explained Mammadli to journalists at a press conference held in Baku shortly after his release from detention. 

On September 20, police in Baku arrested a political activist, and the chairman of the Democracy 1918 (D18) movement Ahmed Mammadli. Mamadli was detained by men in non-uniforms and later sentenced to 30 days in administrative detention on bogus charges. The local police claimed Mammadli was arrested on the grounds of resisting the police.

Mammadli was among a handful of civil society activists who made public calls for peace, regarding the recent clashes between Armenia and Azerbaijan. 

In his posts, Mammadli criticized the state for the recent clashes, saying the responsible officials, including the President of Azerbaijan, Ilham Aliyev, should be held accountable. “One day, Ilham Aliyev will answer before the international courts the crimes he committed not only against the Azerbaijani people but also against the Armenian people. The first task of a democratic Azerbaijan will be to punish those who make nations hostile to each other,” wrote Mammadli on September 15. In another post, Mammadli, called the president a “dictator” who had “blood on his hands”.

Mammadli announced he was going on a hunger strike following his arrest.

During the most recent clashes between Armenia and Azerbaijan, the State Security Service blocked access to TikTok.  

Separately journalists from independent news platforms reported attempts to hack into their social media accounts during the most recent clashes due to their critical coverage. Verbal attacks on peace activists and journalists providing critical coverage of the escalations were also documented. Both journalists and activists said their social media accounts were getting temporarily suspended by Facebook as a result of mass (fake) reporting.

Giyas Ibrahim, was among those whose personal Facebook profile was suspended likely as a result of inauthentic accounts mass porting the profile to the platform and abusing the platform’s community standards. Although access to his profile resumed after the 6-day restrictions ended, the activist’s posts continue to be moved lower in the feed. In a notice Ibrahim received from Facebook, the platform claimed, Ibrahim posted something that violated Facebook’s policies.

In a separate case, activist and founder of Azad Soz platform, Tural Sadiqli said Facebook suspended access to his own profile over a post, the platform claimed was in violation of its community standards. The said post was about the story of a man who self-immolated outside a government building that normally provides citizens in need with housing. The rest of the post talked about the reactions of various government institutions including the one outside of which the man set himself on fire. This temporary suspension delayed Sadiqli’s work updating the Facebook page of Azad Soz, a popular anti-government online platform, that Sadiqli administers.

Meta’s quarterly adversarial report confirms suspicions of government sponsored targeting

This month, Meta released its pilot quarterly Adversarial Threat Report. Among the countries mentioned in the report, is Azerbaijan where the platform said it has identified “a hybrid network operated by the Ministry of the Internal Affairs.” According to the document, this network relied on, what Meta refers to as, “Coordinated Inauthentic Behavior [CIB]” in combination with cyber espionage, “compromising accounts and websites to post” on behalf of the Ministry. The ministry’s press office was quick to dismiss the findings, saying the findings were fictitious. 

To pundits familiar with Azerbaijan as well as this platform, it was not all surprising to see the country’s name on the list. This is also not the first time, Azerbaijan’s name appears in Facebook reports on CIB either.

Ample evidence collected over the recent years indicated how a thriving community of government-sponsored [in]authentic accounts targeted independent and opposition media pages and accounts; political activists and rights defenders’ profiles; and have done so over extended periods of time, causing reputational damage to the owners of targeted accounts, spreading false information, distorting facts, and engaging openly in harassment. These and other forms of content/user manipulation on social networks have also become more explicit, and brazen.

So, while it is great that Meta has taken notice and taken measures, it is too little, too late. And here is why. 

Pre-surveillance era 

Azerbaijan users embraced Facebook when it finally expanded beyond its limited geographical scope in 2006. By 2011 the number of Facebook users in Azerbaijan was 7percent. Fast forward eleven years, and according to Azerbaijan Press Agency, this number is around 58.4percent. Since the early years of Facebook, the platform quickly became a popular tool in the hands of activists and more broadly speaking civil society. Used to organize public events and workshops, and share information, Facebook also turned into a platform for political organizing. This continues to be the case to this day. But the platform’s popularity also attracted the attention of the ruling government. Nervous, of spillover from the Arab uprisings, monitoring of the platform became a norm. Scores of activists would get whisked from the streets, for questioning over the following years for public posts calling for protests or criticizing the authorities and government institutions, and politicians. 

It was only a matter of time, before a counter-narrative, sponsored and organized by the state institutions would appear on the platform. First in the form of youth movements sympathetic to the regime, and their members who meticulously searched for any criticism of the ruling government only to argue the opposite. And then gradually transitioning into a more systematic trolling, targeting, and harassment. Facebook profiles, were replaced with Facebook pages which were created to look like profiles but in reality, were facades for hundreds of inauthentic accounts. Gradually distorting facts and targeting users by “brigading” was combined with aggressive “cyber espionage.” The latter is perhaps the most common emergency, AzNet Watch has documented in recent years. 

But back at the headquarters of Facebook, nobody knew how much of a role the platform played in Azerbaijan and in many other countries across the world where the platform was utilized as a tool for information sharing, organizing, as well a political stage of some sort that opposition activists used and continue to use for their political messaging. I once, attempted to explain that to Zuckerberg but he did not want to listen, after all, he was on his honeymoon, touring Europe and the last thing he wanted to hear was the political, and social significance of his company in countries like Azerbaijan. 

Terminology worth knowing

Before diving any deeper let me explain some of the key terms for the sake of clarity. 

Coordinated Inauthentic Behavior

Coordinated efforts to manipulate public debate for a strategic goal where fake accounts are central to the operation. There are two tiers of these activities that we work to stop: 1) coordinated inauthentic behavior in the context of domestic, non-government campaigns and 2) coordinated inauthentic behavior on behalf of a foreign or government actor.

Coordinated Inauthentic Behavior (CIB) – domestic

When we find domestic, non-government campaigns that include groups of accounts and Pages seeking to mislead people about who they are and what they are doing while relying on fake accounts, we remove both inauthentic and authentic accounts, Pages, and Groups directly involved in this activity.

Foreign or Government Interference (FGI)

If we find any instances of CIB conducted on behalf of a government entity or by a foreign actor, we apply the broadest enforcement measures including the removal of every on-platform property connected to the operation itself and the people and organizations behind it.

Brigading: adversarial networks where people work together to mass comment, mass post, or engage in other types of repetitive mass behaviors to harass others or silence them.

Mass Reporting: adversarial networks where people work together to mass-report an account or content to get it incorrectly taken down from our platform.

Cyber espionage: when actors typically target people across the internet to collect intelligence, manipulate them into revealing information, and compromise their devices and accounts.

Now that the terminology is out of the way, what has been Azerbaijan’s performance in Facebook/Meta’s previous reports? Not good to say the least. 

Previously, Azerbaijan was mentioned in two CIB reports both published in October 2020. “We removed 589 Facebook accounts, 7,665 Pages, and 437 accounts on Instagram linked to the Youth Union of New Azerbaijani Party. This network originated in Azerbaijan and focused primarily on domestic audiences. We identified this network through an internal investigation into suspected fake engagement activity in the region,” read the report [New Azerbaijan Party is the ruling party of Azerbaijan that’s been in power since the early years of the country’s independence.]

“While the individuals behind this activity used fake accounts — some of which had been already detected and disabled by our automated systems, they primarily relied on authentic accounts to create Pages designed to look like user profiles — using false names and stock images — to comment and artificially boost the popularity of particular pro-government content. This network appeared to engage individuals in Azerbaijan to manage Pages with the sole purpose of leaving supportive and critical commentary on Pages of international and local media, public figures including opposition and the ruling party of Azerbaijan, to create a perception of wide-spread criticism of some views and wide-spread support of others. From what we’ve seen, it appears that most of the engagement these comments received were from within this network of Pages themselves. Our analysis shows that these comments were posted in what appears to be regular shifts during working hours in Azerbaijan on weekdays.”

Here the biggest credit goes to Facebook whistleblower Sophie Zhang who was the first person to flag these inauthentic accounts and pages to her management as early as 2018 [the year of the presidential election in Azerbaijan] who only took notice after she published an internal memo detailing, how the company was ignoring manipulation of its platform by political parties and heads of government not only in Azerbaijan but in a number of other countries. Zhang was fired after leaking the memo, allegedly over “poor performance.” By then, it was clear the company had to do something. They took notice and removed hundreds of accounts and thousands of pages, reported BuzzFeedNews. 

In April 2021, Facebook said it has removed another “124 Facebook accounts, 15 Pages, six Groups and 30 Instagram accounts from Azerbaijan that targeted primarily Azerbaijan and to a much lesser extent Armenia.” The “April 2021 Coordinated Inauthentic Behavior Report” said, that the network of accounts was discovered “as a result of [Facebook’s] internal investigation.” The report identified “third-party Android applications — Postegro and Nunu,” misleading users “into giving away their Instagram credentials.” At the time [the report was published in May 2021] the company said, its CIB investigation discovered links between the accounts “to individuals associated with the Defense Ministry of Azerbaijan.”

A month before this report was published, AzNet Watch investigated brigading against Meydan TV, an independent and now exiled online newsroom: 

What does art, shopping retail, web design, sports, cosmetics, and e-commerce website have in common? Absolutely nothing, except these, are all various categories available on Facebook when setting up pages. Since 2019, Facebook removed the limit on the number of pages a user can set up. Unfortunately, Facebook did not take into account, how this innocent feature update, if in the wrong hands, can do harm. In the case of Azerbaijan, this is exactly what happened, when Meydan TV, an independent Berlin-based news platform, shared a call for applications for a program, held in partnership with Brussels-based human rights organization, International Partnership for Human Rights in February 2021.

Also in April, The Guardian published this story explaining how Facebook allowed state-backed harassment campaigns, target-independent news outlets, and opposition politicians on its platform.  The story in The Guardian looked at another case of Azerbaijani online news platform – Azad Soz (Free Speech). Its Facebook account was flooded with over 1.5k comments over a post about two men sentenced to eight months. The Guardian investigation analyzed the top 300 comments and discovers that 294 out of 300 comments were inauthentic Facebook pages.  Just like in the case of Meydan TV. 

But it was not just Meydan TV and Azad Soz that were targeted. Mikroskop Media, an independent online news platform based in Riga, too experienced similar targeting. And so did Azadliq Radio, Azerbaijan language service for Radio Liberty.

Now a year later, the new report said it, “disrupted a complex network in Azerbaijan that engaged in both cyber espionage and coordinated inauthentic behavior. It primarily targeted people from Azerbaijan, including democracy activists, opposition, journalists, and government critics abroad. This campaign was prolific but low in sophistication and was run by the Azeri Ministry of Internal Affairs. It combined a range of tactics — from phishing, social engineering, and hacking to coordinated inauthentic behavior.” The list of tactics, techniques, and procedures (TTPs) used included: compromised and spoofed websites; malware and other malicious tools; credential phishing; and finally the CIB. 

Nothing illustrates the extent of control over the platform like real examples. Last month, AzNet Watch successfully helped restore access to a popular page on Facebook, called “Humans of Azerbaijan.” It was compromised in 2017 and remained inactive until fall last year when its new admins [suspected of being the state security services] started posting compromising content targeting various civil society activists. Eventually, the account was returned to its original owner, Mehman Huseynov. But its comeback was short. Earlier this month, the account was compromised yet again. The perpetrators argued with Facebook that Huseynov was in fact not who he said he was, and instead, sent Huseynov’s ID to the company to confirm their “real” identity. The perpetrator claimed that Huseynov hacked the page. Shortly after, all of the pages managed by Huseynov received multiple complaints making the same claims – that Huseynov was not the real Huseynov. Facebook responded by blocking all of Huseynov’s accounts. Including his own profile. The state security services have access to citizens’ private information – including copies of National IDs, phone numbers and other personal information. 

At the end of the day, what platforms like Meta must understand is that these are not some isolated cases but regular, targeted measures deployed by the government institutions and that to really tackle this kind of brazen behavior and prevent the damage inflicted on the platforms’ active users, the company must adopt measures that offer better protection to users, especially from certain civic groups who are often the main targets. Above all, understanding the political contexts and the role platforms like Facebook play in these contexts would be a step in the right direction. So will Meta take notice?