Azerbaijan: Activists targeted by ‘government-sponsored’ cyber attack
Azeri human rights activists, journalists and political dissidents have been the targets of a fraudulent and sustained ‘spear phishing’ campaign using emails and Facebook chat, apparently aimed at gaining access to their personal information and private communications, said Amnesty International in a new report launched today.
The investigation reveals that the attacks, which can compromise passwords and contacts, have been directed at various government critics for the past 13 months. Victims told Amnesty International they believed the Azerbaijani authorities are behind the attacks.
“Our research reveals that a targeted and coordinated cyber campaign is being waged against critical voices in Azerbaijan, many of whom are long-time victims of government repression,” said Claudio Guarnieri, Senior Technologist at Amnesty International.
“The malware used has been designed with the express intention of gathering as much private information as possible about a target. Given the profiles of those targeted, it is not hard to see why victims believe the authorities are responsible.”
The report, ‘False Friends - how fake accounts and crude malware targeted dissidents in Azerbaijan’, details how victims have been targeted using a practice known as ‘spear phishing’: an email carrying an attachment laced with malicious software (malware) is sent to a specific target from an address that is spoofed or closely imitates one the target trusts.
If the recipient opens the attachment, the malware is installed on their computer, where it captures images of the target’s screen and records what the target types, relaying both back to the attacker.
The emails were mostly sent from addresses impersonating prominent human rights and political activists.
One victim was the lawyer and human rights activist Rasul Jafarov, who was alerted to the attack when he received a phone call from a colleague in October 2016 warning him that he had been sent an email and attachment from an address very similar to his.
A former Amnesty International prisoner of conscience, Rasul Jafarov has previously spent more than a year and a half in prison on trumped-up, politically motivated charges stemming from his human rights work.
He told Amnesty International: “I believe that [the Azerbaijani authorities] are trying to closely watch everyone who is criticizing the government, who is implementing different activities, or projects or campaigns which the government doesn’t like.”
Based on analysis of the attempted impersonation of Rasul Jafarov, and the first-hand accounts of other Azeri activists, Amnesty International has uncovered widespread use of the practice, which started as early as November 2015.
In other cases documented in the report, a dissident website called ‘Anonymous Azerbaijan’ was targeted, while the internal communications of the online news service, Kanal 13, were accessed for over a week following an attack.
In another incident, malware was sent to several activists disguised as an invitation for a reception at the US Embassy in Baku.
The attachments in the fake emails are typically Office documents with subjects that appear relevant to the recipient. One recent email included a document entitled ‘Political prisoners in Azerbaijan as of November 2016’, with the file’s metadata claiming it was created by the human rights activist Leyla Yunus.
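As an added illustration, not part of Amnesty International’s report or of any tooling it describes, the following Python script shows how a recipient could check incoming mail for the two tells described above: a sender address that is a letter or two away from a trusted contact’s, and an Office attachment whose metadata names a known activist as its author. The contact list, addresses, names and the attached document are all constructed for the example and correspond to no real person or message.

```python
"""Flag the two spear-phishing tells described in the report: a sender
address that closely imitates a known contact's, and an Office attachment
whose metadata claims a trusted person as author. Added example; every
address, name and file below is constructed, not taken from the campaign."""
import io
import zipfile
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed address book (hypothetical addresses and names).
TRUSTED = {
    "lawyer@example.org": "R. Example",
    "rights.defender@example.net": "L. Example",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender: str, trusted=TRUSTED, max_dist: int = 2):
    """Return the trusted address that `sender` imitates, or None.
    An exact match is legitimate mail, not a lookalike, so it is not flagged."""
    sender = sender.lower()
    if sender in trusted:
        return None
    best = min(trusted, key=lambda t: edit_distance(sender, t))
    return best if edit_distance(sender, best) <= max_dist else None

def office_creator(data: bytes):
    """dc:creator from docProps/core.xml of an OOXML (docx/xlsx/pptx) file.
    Returns None if the bytes are not a zip or carry no core properties."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "docProps/core.xml" not in zf.namelist():
                return None
            root = ET.fromstring(zf.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    el = root.find("{http://purl.org/dc/elements/1.1/}creator")
    return el.text if el is not None else None

def triage(raw: bytes) -> dict:
    """Collect the indicators found in one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["from"].addresses[0].addr_spec
    result = {"sender": sender, "lookalike_of": lookalike_of(sender), "attachments": []}
    for part in msg.iter_attachments():
        creator = office_creator(part.get_content())
        result["attachments"].append({
            "filename": part.get_filename(),
            "creator": creator,
            # Metadata naming a trusted contact is exactly the lure the report describes.
            "creator_is_trusted_name": creator in TRUSTED.values(),
        })
    return result

def build_sample() -> bytes:
    """Constructed message: lookalike sender plus a minimal .docx whose
    metadata claims a trusted contact as author. Not a real campaign sample."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>L. Example</dc:creator></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", "<w:document/>")
    msg = EmailMessage()
    msg["From"] = "lawyer@exmaple.org"   # two transposed letters: a lookalike
    msg["To"] = "target@example.com"
    msg["Subject"] = "Political prisoners list"
    msg.set_content("Please review the attached list.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="prisoners.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Running the script prints the sender, the trusted address it imitates (`lawyer@example.org`) and the attachment’s claimed creator. Both tells are weak on their own; together, as in the Leyla Yunus example, they are a strong reason to verify the message with the purported sender through another channel before opening the file.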
Leyla Yunus and her activist husband Arif Yunus told Amnesty International they believed the cyberattacks came from the government.
“An already hostile environment for critics of the government is now even more difficult in light of these revelations,” said Denis Krivosheev, Deputy Director of Amnesty International’s Europe and Central Asia Programme.
“The chilling suggestion that all online activity is potentially being monitored has created unease among activists in Azerbaijan that is not only undermining their vital work, but also having a seriously detrimental impact on their day-to-day lives.”
Amnesty International was not able to trace the cyberattacks directly to any government officials or agencies. However, an online identity going by the name of "pantera" - which appears to control the malware used in the attacks - has used an IP address from a “block” of addresses that predominantly hosts government infrastructure, such as the Ministry of Foreign Affairs, Ministry of Justice and state-owned television.
Amnesty International presented the findings of the report to the Azerbaijani government, which responded by saying the cases documented had not been reported to it and therefore had not been investigated.
Independent journalists, human rights and opposition political activists in Azerbaijan often face online harassment. They have been subjected to abusive comments and threats on social media and websites, including via a government-backed trolling campaign.
Monitoring of phone and internet communications in Azerbaijan is facilitated by laws which grant the authorities direct access to communications networks, a type of technical arrangement that has been criticized by the European Court of Human Rights. Surveillance can be carried out without the authorization of a judge “for the purpose of preventing grave crimes against individuals or especially dangerous crimes against the State.”
Azerbaijani dissidents have long reported hacking attempts against people critical of the authorities. Research by Citizen Lab and other public disclosures indicate that Azerbaijan had sought to acquire intrusion software from the Italian company Hacking Team. Leaked emails from Hacking Team describe sales to the Ministry of National Security by the Israeli technology company NICE Systems and attempted meetings with the Ministry of Internal Affairs. These same emails portray Azerbaijani intelligence entities as struggling to successfully operate Hacking Team’s platform.