exiled blogger continues to receive threats [updated March 31]

[Update] On March 30, exiled blogger Mahammad Mirzali shared screenshots of new threats he has been receiving from unknown numbers. In one message the sender says he has a new incriminating video of Mirzali’s sister. In another, the sender claims there is new material about members of the opposition Popular Front Party that he will be sharing shortly. In yet another message, the sender claims to have intimate videos of Kemale Beneniyarli, the chairman of the women’s council of the Popular Front Party. In the same message, the sender offers an alternative link to a Telegram channel in case the first channel is removed.


On March 14, AIW reported that Azerbaijani blogger Mahammad Mirzali was stabbed in the city of Nantes, France. Mirzali runs a YouTube channel, Made in Azerbaijan. On March 14, Mirzali was attacked by a group of men and was hospitalized after receiving multiple stab wounds. According to Reporters Without Borders, Mirzali underwent surgery that lasted more than six hours.

On March 21, while recovering at the hospital, Mirzali received yet another message on WhatsApp from a man named Andres Gragmel, “This is the last warning. We can kill you without any problem. You’ve seen that we’re not afraid of anyone (…) If you continue to insult our sisters, we’ll have you killed with a bullet to the head fired by a sniper.” 

Reporters Without Borders is asking that Mirzali be placed under police protection following the most recent and previous attacks [Mirzali was shot at in October 2020 as he was getting into his car].

Threat messages and endless calls via WhatsApp from unknown numbers [often US numbers] are not new. Scores of activists in Azerbaijan have complained about this before. And Azerbaijani activists are not the only ones targeted this way. 

In May 2019, WhatsApp discovered that attackers were able to install surveillance software on both iPhones and Android phones by ringing up targets using the app’s phone call function, the FT reported. The surveillance software is developed by the Israeli NSO Group. It transmits the malicious code even if owners of mobile devices do not answer the calls. Once the device is infected, it can also remotely and covertly extract valuable intelligence from it by sharing all phone activity, including communications and location data, with the attacker. “In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones,” reported the FT in May 2019.

In October 2019, the BBC reported on Faustin Rukundo, a Rwandan exile who lives in the UK, receiving a call from an unknown number on WhatsApp. When Rukundo answered, the line was silent, and after that the phone went dead, reported the BBC. In Rukundo’s case, the calling number had a Swedish country code. He kept receiving calls from the exact same number as well as other numbers on WhatsApp. Eventually, he figured something was wrong. Researchers at Citizen Lab then confirmed that Rukundo was indeed targeted with Pegasus.

The same month, WhatsApp “confirmed that the exploit (a software or command that leverages a specific software vulnerability in order to execute some unwanted code on the vulnerable device) was deployed by the Israeli-based surveillance tool vendor NSO Group. The exploit could deliver intrusive spyware on the target’s mobile device without the targeted person having to click on a malicious link. The targeted person would simply see a missed call on WhatsApp,” reported Amnesty International.

According to Amnesty, this is how the attack worked:

  • The security vulnerability in question was in the code that WhatsApp uses to establish a new voice or video call. In order to exploit this, the digital attack initiated WhatsApp calls to the target’s device.
  • Attackers may have tried to exploit this issue by making calls multiple times during the night when the target was likely to be asleep and not notice these calls.
  • Successful infection of the target’s device may result in the app crashing. There is a possibility that the attacker may also remotely erase evidence of these calls from the device’s call logs.
  • Evidence of failed attacks may appear as missed calls from unknown numbers in your WhatsApp call log.
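The last two indicators Amnesty lists (repeated missed calls from unknown numbers, often at night) can be checked against a call log. The following is an added triage script, not code from Amnesty, Citizen Lab or this site; the call-log entries, the contact list and the country-prefix table are all constructed for the example. It groups missed calls from numbers outside the address book and reports repeat callers together with how many of their calls fell into the night hours.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample WhatsApp call log (not real data). Each entry uses the
# fields assumed for this example: "ts" (ISO 8601 local time), "number"
# (E.164) and "answered". Only incoming calls are listed.
SAMPLE_CALL_LOG = [
    {"ts": "2020-03-02T02:11:00", "number": "+46700000001", "answered": False},
    {"ts": "2020-03-02T02:14:00", "number": "+46700000001", "answered": False},
    {"ts": "2020-03-02T02:20:00", "number": "+46700000001", "answered": False},
    {"ts": "2020-03-02T09:30:00", "number": "+994500000002", "answered": True},
    {"ts": "2020-03-02T14:00:00", "number": "+994500000003", "answered": False},
    {"ts": "2020-03-03T03:05:00", "number": "+12025550123", "answered": False},
    {"ts": "2020-03-03T03:06:00", "number": "+12025550123", "answered": False},
]

# Numbers in the user's own address book (constructed).
KNOWN_CONTACTS = {"+994500000002", "+994500000003"}

# Tiny constructed prefix table; a real tool would load a full country-code list.
COUNTRY_PREFIXES = {"+1": "US/CA", "+46": "SE", "+994": "AZ"}


def country_of(number):
    """Longest-prefix match of an E.164 number against the prefix table."""
    best = ""
    for prefix in COUNTRY_PREFIXES:
        if number.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return COUNTRY_PREFIXES.get(best, "unknown")


def is_night(ts, night_hours=range(0, 6)):
    """True when the call's local hour falls in the night window (00:00-05:59)."""
    return datetime.fromisoformat(ts).hour in night_hours


def triage_call_log(call_log, known_contacts, min_missed=2):
    """Report unknown numbers with repeated missed calls, sorted by count.

    A finding is an indicator worth a proper forensic check, not proof of
    infection: legitimate wrong numbers and spam produce the same pattern.
    """
    stats = defaultdict(lambda: {"missed": 0, "night": 0})
    for call in call_log:
        if call["answered"] or call["number"] in known_contacts:
            continue
        entry = stats[call["number"]]
        entry["missed"] += 1
        if is_night(call["ts"]):
            entry["night"] += 1

    findings = []
    for number, entry in stats.items():
        if entry["missed"] >= min_missed:
            findings.append({"number": number, "country": country_of(number), **entry})
    findings.sort(key=lambda f: (-f["missed"], f["number"]))
    return findings


if __name__ == "__main__":
    for finding in triage_call_log(SAMPLE_CALL_LOG, KNOWN_CONTACTS):
        print(finding)
```

On the constructed log this flags the Swedish and US numbers (three and two night-time missed calls respectively) and ignores the known Azerbaijani contacts. Because a successful infection may wipe the calls from the log, an empty result does not clear a device; the point of the script is to decide whether to hand the phone to a forensic team such as the ones named above.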

In January 2020, Nagpur-based human rights lawyer Nihalsing Rathod, who had been receiving strange calls via WhatsApp from international numbers over the previous two years, was informed that his phone was infected. Rathod, just like Rukundo, answered these calls only to hear silence on the other end of the line.

According to Access Now, since 2016, some 46 countries were identified where NSO Group’s Pegasus has been in use. “Reports from Access Now, Citizen Lab, and others all show that an alarming number of people targeted using Pegasus have been journalists, lawyers, and activists, whose only crime was speaking out against and reporting on the injustices in their home countries.”

Whether the same technology is being used to target Azerbaijani activists is yet to be investigated. Although Azerbaijan has acquired sophisticated surveillance technology over the years, based on the available information Pegasus was not among it. But the resemblance in the nature of these calls and in the target group raises concerns.

Azerbaijan September – November 2020 OONI Measurement Results

On September 27, the government in Azerbaijan introduced a series of restrictions on Internet access as a result of military operations in Nagorno Karabakh. Users in Azerbaijan were left with limited Internet access while access to a number of social media platforms, as well as communication apps, were restricted. 

Azerbaijan Internet Watch and OONI collected data based on OONI measurements from Azerbaijan. Below is the report looking at data between September 2020 and November 2020.

According to the collected OONI data, Azerbaijan experienced the blocking of independent media websites as well as signs of potential circumvention tool site blocking. However, further OONI Probe testing is required to confirm these censorship events. Azerbaijan Internet Watch continues to monitor the situation.

Starting on September 27, a number of social media services indicated signs of blocking in Azerbaijan. Among these were:

WhatsApp: between 27th September 2020 and 11th November 2020, all OONI Probe WhatsApp tests showed signs of WhatsApp blocking. This is illustrated through OONI Probe WhatsApp measurements collected from multiple local networks in Azerbaijan. Previously, according to the same measurements, no such instances were documented. The measurements indicated that attempted connections to WhatsApp’s registration service and web interface (web.whatsapp.com) failed. In some cases the HTTP request to web.whatsapp.com succeeded while the HTTPS request failed, as illustrated below.

This could be an indication of SNI-based filtering of WhatsApp: a filter that reads the Server Name Indication in the TLS handshake can drop the encrypted connection while leaving the plaintext HTTP request to the same host untouched. We also observe that the tls_handshakes field presented failures, further suggesting that access to WhatsApp was blocked in Azerbaijan by means of SNI-based filtering.

This pattern was seen across multiple ISPs in Azerbaijan between 27th September 2020 and 11th November 2020.

Telegram: Similar to the testing of WhatsApp, OONI measurements presented signs of Telegram blocking in Azerbaijan between 27th September 2020 and 11th November 2020. But unlike WhatsApp, a few Telegram tests during this period were successful. This is illustrated through OONI Probe Telegram measurements collected from multiple local networks in Azerbaijan between 1st September 2020 and 27th November 2020. The following table illustrates OONI measurements collected from the testing of Telegram and WhatsApp on 5 different networks in Azerbaijan between September 2020 and November 2020.

We not only observed similarities between the date ranges of potential blocking (of WhatsApp and Telegram), but we also saw potentially similar censorship techniques, as the HTTP requests to Telegram Web (web.telegram.org) timed out as well. Similar to WhatsApp, we observed a timeout in the TLS handshake, suggesting TLS-level interference with Telegram as well. As a result, it is possible that internet users in Azerbaijan couldn’t use the Telegram and WhatsApp mobile apps (on the tested networks) during this time period (between 27th September 2020 and 11th November 2020), even though connections to the tested app endpoints succeeded.
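The reasoning applied to the WhatsApp and Telegram measurements above (HTTP succeeds while HTTPS and the TLS handshake fail, repeated across networks and dates) can be written down as a classifier. The script below is an added example, not OONI's or Azerbaijan Internet Watch's code. The measurement dicts are constructed for the example; their field names ("test_keys", "requests", "tls_handshakes", "failure") follow the shape of OONI's data format as assumed here, but the ASNs, dates and results are made up. It labels each measurement and then summarises, per network, how many measurements were flagged and over which date range.

```python
from collections import defaultdict

# Constructed measurements (not real OONI data). In OONI's format a "failure"
# field is null on success and holds an error string on failure; the values
# below are chosen to reproduce the three cases discussed in the text.
SAMPLE_MEASUREMENTS = [
    {"test_name": "whatsapp", "probe_asn": "AS00001", "date": "2020-09-27",
     "test_keys": {
         "requests": [
             {"request": {"url": "http://web.whatsapp.com/"}, "failure": None},
             {"request": {"url": "https://web.whatsapp.com/"}, "failure": "generic_timeout_error"},
         ],
         "tls_handshakes": [{"server_name": "web.whatsapp.com", "failure": "generic_timeout_error"}],
     }},
    {"test_name": "telegram", "probe_asn": "AS00001", "date": "2020-10-03",
     "test_keys": {
         "requests": [
             {"request": {"url": "http://web.telegram.org/"}, "failure": "generic_timeout_error"},
             {"request": {"url": "https://web.telegram.org/"}, "failure": "generic_timeout_error"},
         ],
         "tls_handshakes": [{"server_name": "web.telegram.org", "failure": "generic_timeout_error"}],
     }},
    {"test_name": "whatsapp", "probe_asn": "AS00002", "date": "2020-11-11",
     "test_keys": {
         "requests": [
             {"request": {"url": "http://web.whatsapp.com/"}, "failure": None},
             {"request": {"url": "https://web.whatsapp.com/"}, "failure": None},
         ],
         "tls_handshakes": [{"server_name": "web.whatsapp.com", "failure": None}],
     }},
]


def classify(measurement):
    """Label one measurement from its HTTP, HTTPS and TLS handshake outcomes."""
    keys = measurement["test_keys"]
    http_ok = http_failed = https_failed = False
    for req in keys.get("requests", []):
        url = req["request"]["url"]
        failed = req["failure"] is not None
        if url.startswith("http://"):
            http_ok |= not failed
            http_failed |= failed
        elif url.startswith("https://"):
            https_failed |= failed
    tls_failed = any(h["failure"] is not None for h in keys.get("tls_handshakes", []))

    if not https_failed and not tls_failed:
        return "http_only_failure" if http_failed else "ok"
    if http_ok:
        # Plaintext HTTP reaches the host while TLS to the same name fails:
        # consistent with a filter keyed on the TLS SNI extension.
        return "sni_filtering_suspected"
    # HTTP and TLS both fail: interference at the TLS level or below. A DNS or
    # IP-level block cannot be ruled out from these fields alone.
    return "tls_level_interference"


def summarize(measurements):
    """Per network (ASN): total and flagged measurements plus the flagged date span."""
    summary = defaultdict(lambda: {"total": 0, "flagged": 0, "first": None, "last": None})
    for m in measurements:
        s = summary[m["probe_asn"]]
        s["total"] += 1
        if classify(m) != "ok":
            s["flagged"] += 1
            # ISO dates compare correctly as strings.
            s["first"] = min(filter(None, [s["first"], m["date"]]))
            s["last"] = max(filter(None, [s["last"], m["date"]]))
    return dict(summary)


if __name__ == "__main__":
    for m in SAMPLE_MEASUREMENTS:
        print(m["probe_asn"], m["date"], m["test_name"], classify(m))
    print(summarize(SAMPLE_MEASUREMENTS))
```

The first sample reproduces the WhatsApp case (HTTP fine, HTTPS and TLS time out) and is labelled as suspected SNI filtering; the second reproduces the Telegram case, where HTTP timed out as well, and only gets the weaker "TLS-level interference" label, which is why the text above stops short of naming the technique for Telegram. One flagged measurement on one network is not a censorship finding: the summary exists so that, as in the report, a label only counts when it repeats across networks and across a date range.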

Social media sites: apart from WhatsApp and Telegram, several social media websites presented signs of blocking as well, starting from early October 2020. These include:

It is, however, important to note that these sites’ limited testing coverage limits Azerbaijan Internet Watch’s and OONI’s confidence with respect to their blocking, and they have not been tested more recently, especially after the conflict ended.

AIW and OONI continue monitoring the situation with blocking.

spotted: sandvine back at it, this time, in Azerbaijan

In August, when people in Belarus took to the streets across the country in protest of election results in which incumbent President Lukashenka secured yet another victory in a contested presidential election, authorities deliberately cut the internet. Experts quickly concluded that DPI technology may be in use. By the end of August, it was reported that this DPI technology was produced by the Canadian company Sandvine and supplied to Belarus as part of a $2.5 million contract with the Russian technology supplier Jet Infosystems.

DPI (Deep Packet Inspection) is a form of digital eavesdropping that inspects the contents of network traffic, not just its addressing, and so allows information to be extracted from it. More broadly, as explained here, DPI “is a method of monitoring and filtering internet traffic through inspecting the contents of each packet that is transmitted through an inspection point, allowing for filtering out malware and unwanted traffic, but also real-time monitoring of communications, as well as the implementation of targeted blockings and shutdowns.”

The Canadian company Sandvine is owned by the American private equity firm Francisco Partners.

 

Sandvine technology has been detected in many countries across the world, including Ethiopia, Iran, Turkey and Syria, as previously reported. One other country where Sandvine technology was reportedly deployed is Azerbaijan.

In Azerbaijan, DPI has been deployed since March 2017. This was reported in January 2019, when VirtualRoad, the secure hosting project of the Qurium – Media Foundation, published a report documenting fresh attacks against the website of Azerbaijan’s oldest opposition newspaper, Azadliq (azadliq.info). The report concluded: “After ten months trying to keep azadliq.info online inside Azerbaijan using our Bifrost service and bypassing multi-million dollar DPI deployments, this is one more sign of to what extent a government is committed to information control”.

Another report, released in April 2018, showed evidence of the government of Azerbaijan using Deep Packet Inspection (DPI) since March 2017. The report also found that this specialized security equipment was purchased at a price tag of 3 million USD from the Israeli security company Allot Communications.

Now, according to this story reported by Bloomberg, Sandvine worked with Delta Telecom, Azerbaijan’s main, government-owned internet provider, to install a system to block live stream videos from YouTube, Facebook, and Instagram. “The social media blackout came last week after deadly clashes with Armenia. As a result, people in Azerbaijan couldn’t reach websites including Facebook, WhatsApp, YouTube, Instagram, TikTok, LinkedIn, Twitter, Zoom, and Skype, according to internet monitoring organization Netblocks,” wrote Bloomberg.

Azerbaijan Internet Watch has been monitoring the situation on the ground since September 27, the day when clashes began. Together with OONI, Azerbaijan Internet Watch reported that access to several social media applications and websites was blocked. 

Access to the Internet remains throttled in Azerbaijan as of this writing. Many of the social media applications remain accessible only through a VPN provider. As a result, authorities have resorted to other means to prevent users from using VPN services. From banks to ISPs encouraging users not to use VPN services, this account on Facebook made a list of VPNs alleging they were of Armenian origin in order to discourage users.