Qurium – Azerbaijan Internet Watch

Deliberate targeting in pro government media leads to targeted attacks online – the case of Abulfaz Gurbanli [Updated]

Posted on February 17, 2022February 17, 2022 by aiw_admin

It’s been months since an investigation led by an international consortium of journalists and technology experts revealed how Pegasus, a hacking software developed and sold by an Israeli surveillance company, NSO group targeted civil society representatives globally. On the country lists of phone numbers identified to have been targeted with Pegasus were numbers that belonged to dozens of civil society activists in Azerbaijan. Abulfaz Gurbanli, a political activist, was among them.

After learning that his device was infected, Gurbanli wiped his entire device and had it reset. On February 15 after plugging his device into a power adapter, Gurbanli’s device was remotely reset. Shortly after, he lost access to his Gmail account. The reset got rid of the google authenticator Gurbanli had set up to access his email account. Within hours, the political activist also lost access to his Facebook profile. Although the URL was briefly inaccessible on Facebook, it has been reinstated. Gurbanli finally secured access to his account on February 17.

In addition to a remote reset, Gurbanli also had multiple attempts to hack into his Facebook and Telegram accounts earlier. AIW spoke with a digital security expert who took a closer look at the IP address where these attempts originated from, indicating that it was the same IP that targeted other activists in the past few months.

There is suspicion that Gurbanli’s device was re-infected with Pegasus. But these suspicions can only be confirmed after a thorough device forensic analysis.

Fake interview request

On February 15, Gurbanli received an email from BBC Azerbaijan Service asking him for an interview.

Screenshot of the email sent to Gurbanli on February 15.

The journalist, who introduced herself as Sevinc, also contacted Gurbanli via WhatsApp.

Screenshot of Gurbanli receiving a message on WhatsApp.

Translation:

Sevinc: Hello Mr. Abulfaz. Writing to you from BBC Azerbaijan service, journalist Sevinc. I have a few questions about the agenda topics. Can you please share your email address and send us suitable pictures for the BBC website?
Gurbanli: Hello Ms. Sevinc. Thank you. I wanted to clarify whether you are referring to stories published on virtualaz.org and haqqin.az when you refer to the agenda topics?
Sevinc: It is about your projects and other political agenda.
Gurbanli: [sends his email address]
Sevinc: ok, check your email, there is a file with questions you can check on your computer. If the file requests a code, just write bbc and send us a suitable picture.
Gurbanli: Ms. Sevinc how do I know the link you have sent does not have a virus. I hope you understand this and I apologize for hesitating.
Sevinc: Mr. Abulfaz, the file does not contain virus, don’t worry. Can you please send a picture?

AzNet Watch has written to azeri@bbc.co.uk – the official email address of the Azerbaijan service informing the service of the incident.

AzNet Watch also requested assistance from Qurium media to analyze the link shared in the email and despite the journalist’s assurances, the link did contain a virus. “The mail pointed to a RAR compressed file in Google Drive that once downloaded required a password to be decrypted. The password to decrypt the file was included in the phishing e-mail: bbc. Compressed files that are password protected are common in malware phishing attacks as the files can not be scanned by antivirus,” concluded Qurium in its preliminary report. Further forensics report identified malware written in AutoIT. Once the link (in our case the link to a drive where the alleged journalist left questions for the political activist) was opened, the hacker through the deployed malware installed a persistent backdoor in the system. “The software connects to the domain name smartappsfoursix{.}xyz to download the rest of his software requirements. It downloads gpoupdater.exe and libcurl.dll that look responsible for uploading files to the command and control server. During the execution of the malware several (10) screenshots of the Desktop were uploaded to the server,” reads the Qurium analysis.

Meanwhile, after taking over Gurbanli’s Facebook account, the hacker also deleted all of the content on at least seven of the community pages, where Gurbanli was an admin (screenshots below are from just two pages).

Screenshot of Şəki İcma İnkişaf Mərkəzi Facebook page

Screenshot of İcma Akademiyası Facebook page

These attacks came shortly after a pro-government media published an article targeting Gurbanli accusing the political activist of allegedly organizing color revolutions in Azerbaijan.

new report documents a decade of censorship in Azerbaijan

Posted on July 16, 2021July 16, 2021 by aiw_admin

On July 16, Qurium Media Foundation released a report, “A Decade of Efforts To Keep Independent Azerbaijani Media Online”.

The report highlights the work carried out by Qurium since 2010 assisting targeted independent and opposition online news platforms in Azerbaijan. “For more than a decade, Qurium has monitored and mitigated a wide range of cyberattacks against the websites and since 2016, no less than twenty forensics reports have been released to document our findings,” reads the new report.

Denial of Service attacks

During five years (2010-2015), Qurium mitigated dozens of denial of service attacks against Azerbaijani media, and was forced to invest in mitigation hardware and to increase its Internet capacity. Commercial mitigation of denial of service was not possible for Azeri media organizations as the average cost for such services was close to 1,000 Euro/month for a small website.

During 2014-2016, several corporate efforts made Denial of Service more difficult for the attackers, both Cloudflare (2014) and later Google (2016) started to offer free protection to journalists and human rights groups and many stress testing services (aka “booters”) since then were dismantled by FBI, such as the infamous VDOS Booter and the Mirai botnet.

After three years of research of development (2014-2017), Qurium built its own mitigation hardware and upgraded its Internet capacity by a factor of 200. Although the Denial of service attacks slowly had decreased since 2017, new challenges emerged. Internet Network Interference.

Internet Network Interference

In late 2013, a new type of challenge emerged when we discovered that websites artificially were slowed down. Instead of blocking the websites that clearly would expose the motivations and those responsible for the disruptions, the websites were slowed down by limiting the amount of bandwidth available to reach them. Qurium was forced to develop a method to detect “Internet Congestion” and to keep moving affected websites to other IP addresses to keep them online. Other large providers, such as Akamai, hosting other Azeri media was also slowed down and was unable to respond effectively to the challenge.

Exposing a coordinated cyberwar strategy

Starting from 2017, the cyberwar landscape changed.

During that year, we received customized denial of service, pen testing and vulnerability scans and the first reports of targeted malware.

A series of diverse attacks and forensics analysis including tracing back the source of a malware sent to journalists helped us to confirm that new Ministry of Transport, Communications and High Technologies and the “hacker community” built around the government, sponsored cybersecurity events were actively targeting our hosted media.

After hosting and protecting Azeri media for almost seven years, we had no doubt about the actors behind the attacks, and could publicly document that a “State Actor” was orchestrating diverse forms of cyber attacks.

Deep Packet Inspection

Also in 2017, a new method used against independent and opposition media was identified by Qurium – the Deep Packet Inspection or shortly DPI.

In April 2017, we identified that new technical means were implemented in several operators to block some of the websites. The Azeri authorities had invested in Deep Packet Inspection equipment to block the media outlets once and for all.

By the end of April 2017 Qurium learned that there were a court order against some of our hosted media organizations. To our surprise, the websites under Deep Packet Inspection were many more than the ones mentioned in the court order. The court order stated that the listed websites (Azadliq.info, Azadliq.org, Azerbaycansaati.com, Meydan.tv and Turan TV) were “creating threats to the legitimate interests of the state and society” and must therefore be blocked.

After two years of research between 2017-2019, Qurium identified the use of DPI hardware from Allot Communications and Sandvine inside several operators in Azerbaijan.

Website flooding, phishing, and more

By 2018, many of the “stress testing services” often used to launch the Denial of Service attacks had been dismantled world wide. The attackers were forced to find new alternatives to conduct their traffic floods aiming to take the websites offline. During another forensic investigation we traced back this new source of denial of service to Russian Fineproxy (Region40). By identifying the service provider used to conduct the attacks, we could not only expose their business practices but also their management that kindly disabled the account of the attacker.

In late 2018, Denial of Service became a second priority in the strategy to harass Azeri media and once again other means were needed.

By April 2020, Qurium could finally link the denial of service attacks launched using Fineproxy service with the very same threat actor from the Ministry of Internal Affairs: sandman. Access to sandman github account provided us with a good insight of the toolset that was being used against online media and journalists in Azerbaijan.

A final report of our findings showed even more advanced capabilities, like the ability to create fake SMS or hijack SMS sent to the journalists giving the attackers the ability to take control over their social media accounts.

Phishing remains a major attack vector against journalists and human right activists, the latest phishing campaign in early July 2021 impersonated human rights watch so as to implant a malware capable of recording the desktop and webcam or exfiltrate all important documents of the victims.

Conclusion

What started in 2010 and went on for years with Denial of service attacks using third party stress testing services was extended with more sophisticated attacks in 2017 including targeted phishing and the introduction of dedicated hardware to block the websites using technologies as DART from Allot and PCEF from Sandvine.

The national blocking of many websites, not always supported by legal court orders, has been weaponized to limit visibility of the media in the country. Despite our multiple efforts to provide alternatives to make the content available, the blocking has had a huge impact in the revenue creation of the alternative media and the growth of readership.

After the introduction of Internet blocking by means of more sophisticated deep packet inspection against alternative websites in 2018, many of the blocked media opted to increase their presence in Facebook but that has proven to be an advantageous situation for the Azeri government and their secret cyber operations as Facebook has showed a bad track record in dealing with “coordinated inauthentic behavior” in the country.

You can read the full report here.

attention: phishing attack detected

Posted on July 16, 2021 by aiw_admin

On July 8, Azerbaijan Internet Watch received a notification that an email sent on behalf of Human Rights Watch reached a number of prominent Azerbaijani civil society activists. The email contained an attachment “Human Rights Invoice Form Document – 2021.docx” prompting the recipient to download the attached file.

AIW, reached out to partners at Qurium to analyze the attachment. The forensics confirmed the suspicions that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Screenshot from the original email that was sent.

Phishing incidents targeting civil society activists are common in Azerbaijan.

Numerous reports, including several by AIW, in partnership with Qurium, documented and investigated these attacks, over the recent years [see below].

A detailed report by Qurium presents an analysis of the malware and explains how it was built, its capabilities, and where it was hosted. Among the findings were:

desktoprecord
webcamrecord
download
implant
makepersistent
massdownload
stopimplant
upload
uploadexec
wmicexec
aueval

In addition to taking screen captures and webcam recording, there was another interesting detail – insufficient knowledge or lack of an auto-correct program run on a computer or the user, developing the malware. As captured by Qurium, there were several grammatical mistakes in the pop-up window informing the owner of the device who downloaded the email “Unsopported Microsoft Word version!” & @CRLF & “File corrupted. Error numer: 0x65415681.”

Qurium also released its report titled “A decade of efforts to keep Azerbaijani media online” that sums up the assistance the platform has provided since 2010 including monitoring and mitigating a wide range of cyberattacks against the websites in Azerbaijan and since 2016, releasing no less than twenty forensics reports to document their findings.

Further, read:

March 19, 2017 – False Friends: How Fake Accounts and Crude Malware Targeted Dissidents in Azerbaijan, Amnesty International
January 14, 2020 – mass phishing attack against Azerbaijan civil society [updated], AIW/Qurium
January 15, 2020 – FISHING PHISHERS IN AZERBAIJAN, Qurium
February 20, 2020 –the “man” behind the phishing attacks, AIW/Qurium
March 8, 2021 – spotted, phishing attack on opposition activist [updated march 9], AIW

spotted: sandvine back at it, this time, in Azerbaijan

Posted on October 8, 2020November 27, 2020 by aiw_admin

In August, when people in Belarus took the streets across the country in protest of election results where incumbent President Lukashenka secured yet another victory in a contested presidential election, authorities deliberately cut the internet. Quickly, experts concluded DPI technology may be in use. By the end of August, it was reported that this DPI technology was produced by the Canadian company Sandvine and supplied to Belarus as part of a $2.5million contract with the Russian technology supplies Jet Infosystems.

DPI (Deep Packet Inspection) is known as digital eavesdropping that allows information extraction. More broadly as explained here, DPI “is a method of monitoring and filtering internet traffic through inspecting the contents of each packet that is transmitted through an inspection point, allowing for filtering out malware and unwanted traffic, but also real-time monitoring of communications, as well as the implementation of targeted blockings and shutdowns.”

Canadian company Sandvine is owned by American private equity firm Francisco Partners.

Sandvine technology has been detected in many countries across the world, including in Ethiopia, Iran, as well as Turkey, and Syria as previously reported. One other country where Sandvine technology was reportedly deployed is Azerbaijan.

In Azerbaijan, the DPI deployments have been used since March 2017. This was reported in January 2019, when VirtualRoad, the secure hosting project of the Qurium – Media Foundation published a report documenting fresh attacks against Azerbaijan’s oldest opposition newspaper Azadliq’s website (azadliq.info). The report concluded: “After ten months trying to keep azadliq.info online inside Azerbaijan using our Bifrost service and bypassing multi-million dollar DPI deployments, this is one more sign of to what extent a government is committed to information control”.

Another report released in April 2018 showed evidence of the government of Azerbaijan using Deep Packet Inspection (DPI) since March 2017. The report also found out that this specialized security equipment was purchased at a price tag of 3 million USD from an Israeli security company Allot Communications.

Now, according to this story reported by Bloomberg, Sandvine worked with Delta Telecom – Azerbaijan’s main internet provider and owned by the government to install a system to block live stream videos from YouTube, Facebook, and Instagram. “The social media blackout came last week after deadly clashes with Armenia. As a result, people in Azerbaijan couldn’t reach websites including Facebook, WhatsApp, YouTube, Instagram, TikTok, LinkedIn, Twitter, Zoom, and Skype, according to internet monitoring organization Netblocks,” wrote Bloomberg.

Azerbaijan Internet Watch has been monitoring the situation on the ground since September 27, the day when clashes began. Together with OONI, Azerbaijan Internet Watch reported that access to several social media applications and websites was blocked.

Access to the Internet remains throttled in Azerbaijan as of writing this post. Many of the social media applications remain accessible only through a VPN provider. As a result, authorities have resorted to other means in order to prevent users from using VPN services. From banks to ISPs encouraging users not to use VPN services, this account on Facebook made a list of VPNs alleging they were of Armenian origin in order to discourage users.