Article by Arzu Geybulla
On January 7th 2019,VirtualRoad, the secure hosting project of the Qurium – Media Foundation published a report documenting fresh attacks against Azerbaijan’s oldest opposition newspaper Azadliq’s website (azadliq.info). The report concluded: “After ten months trying to keep azadliq.info online inside Azerbaijan using our Bifrost service and bypassing multi-million dollars DPI deployments, this is one more sign of to what extent a government is committed to information control”. The DPI deployments also known as Deep Packet inspection have been used in Azerbaijan since March 2017 and is best described as digital eavesdropping that allows information extraction.
But Azadliq newspaper wasn’t the only media outlet targeted. On December 27, 2018 another opposition media outlet Abzas.net was informed by Facebook, that its Facebook page had been removed due to “community standards violations”. Just days prior to the removal, the admins of the page reported being attacked by hundreds of trolls and they believe the page was taken down as a result of anonymous reports alleging the page was in such violation. The page remains inaccessible at the time of writing of this piece.
Other outlets that have been under attack since November of last year, include the independent news platform Azadliq Radio (unrelated to the newspaper), the Azerbaijan Service for Radio Free Europe, which reported its Facebook page was hacked on November 24th 2018 and in the space of several hours, all of the videos and photos shared on the page up until the day the page was still active, were removed. Since the attack, the radio was able to take back control of its Facebook page. Last January, the Facebook page of the Berlin-based Meydan TV – a news site which covers events in Azerbaijan in three languages – also lost control of its Facebook page. The hacker, deleted all of the posts, videos and photos that were shared on the page since its launch in 2014.
For pundits observing this sequence of recent attacks it is nothing surprising or new since Azerbaijan started expressing its interest in purchasing surveillance spyware since as early as December 2011 when the National Security Services (which was officially dissolved in December 2015 and replaced by a new body of National Security Services) reached out to NICE Systems (an official reseller for Hacking Team based in Israel) with an interest to purchase “lawful hacking solutions”. In one of the leaked Hacking Team emails dating to May 2012, the following message further clarified the specific interest of the National Security Services. “[…] the customer stressed that they are interested in ISP-based infection (HT NIA), and mobile infections.” The next email exchange between the providers zooms further into the details of the demo, mentioning the “interception of skype through ISP/MIM; interception of Skype on mobile (android, IOs and windows) and PC (IOs and Windows)’’. Among other tools offered by the Remote Control System, the Ministry of National Security was especially interested in the TNI (Tactical Network Injector), a RCS module that monitors a target’s network and injects an agent into selected Web resources and RMI (Remote Mobile Infection) which allows RCS agents to be installed on mobile phones.
What RCS technology allows is for data collection on infected devices both online and offline. The data is obtained through records by keystroke loggers and the system also allows hackers to turn on device cameras and microphones without the user’s knowledge.
One of the examples of this technology being used to target civic activists was reported by Amnesty International in its 2017 report. According to Amnesty, malware was detected on a computer of Ramin Hacili, the President of the Azerbaijan European Movement in 2015. The malware opens a bundled document that acts as a decoy once run by the victim. “It profiles the victim’s system (collecting IP addresses and system settings. The agent then continually records the keystrokes of the user and captures screenshots, most likely in order to obtain credentials for online platforms such as email and social media”. The same malware was used against human rights lawyer and former political prisoner Rasul Jafar, and others.
Other forms of attacks have included artificial internet network congestion, as documented by the VirtualRoad 2016 report, which helped to prevent access to a number of news websites in Azerbaijan (majority of those websites have been officially blocked as of May 2017). In its following report published in 2017, VirtualRoad also showed evidence of DDoS (Distributed Denial of Service) and other attacks traced to government associated IP address against independent media outlets.
With the most recent attacks against Azadliq newspaper, Azadliq radio and other platforms, it is now clear, that in addition to resorting to a media crackdown, political intimidation and other forms of government pressure against media freedom and free speech, the government of Azerbaijan has successfully deployed a range of specialised and technical information control systems such as DDoS attacks, website blocking, hacking of social media accounts and emails of independent civil society activists, content takedown requests from YouTube, mass deployment of civil servants and youth volunteers as trolls, and the use of Deep Packet Inspection tools.
Where does this technology come from?
According to VirtualRoad’s assessment, the DDoS attacks observed between October 2016 and March 2017 originated from dedicated servers operated by Azerbaijani system administrators, which made VirtualRoad conclude that the attackers were close to the country’s cybersecurity community. VirtualRoad also discovered botnet attacks against abzas.net and azadliq.info before these websites were blocked after the legal amendments in 2017.
Another report released in April 2018 showed evidence of the government of Azerbaijan using Deep Packet Inspection (DPI) since March 2017. The report also found out that this specialised security equipment was purchased at a price tag of 3 million USD from an Israeli security company Allot Communications.
Having done work with NICE Systems, the government of Azerbaijan was well accustomed to be doing work with Israeli companies. In their newly released report, VirtualRoad also looks at how it became evident that Azerbaijan was also using Procera-Sandvine, a networking equipment company specializing in network traffic management and Deep Packet Inspection based in Waterloo, Canada in conjunction with Allot Communications technology. Previously the same company’s devices were used “to deliver nation-state malware in Turkey and indirectly into Syria, and to covertly raise money through affiliate ads and cryptocurrency mining in Egypt”, according to the detailed Citizen Lab report.
Why any of this should matter?
In a country where independent media has been reduced to a handful of operating journalists, with prisons notorious for ‘welcoming’ reporters and civic activists with open arms, and courts renowned for being efficient in sentencing on false charges, deployment of such sophisticated technology that allows the ruling government to have an open back door to citizens’ online and offline history, isn’t just alarming, but a direct violation of basic rights to privacy, anonymity, and safety.
In a most recent case of crackdown is Mehman Huseynov. A citizen journalist who had been documenting government corruption, social inequalities and other issues on his popular YouTube channel Sancaq TV. Huseynov was sentenced two years ago on charges of slander. Due to be released in March 2019, Huseynov is now facing new charges for allegedly “resisting a representative of the authorities with the use of violence dangerous to his health and life,” which could carry an additional sentence of up to seven years in prison. On December 26th 2018 after hearing about the new charges, Huseynov went on hunger strike.
The new accusations prompted mass support on social media, while some activists attempted to rally in support of Huseynov in an unsanctioned protest in Baku which resulted in administrative arrests and fines. An international outcry followed suit with several rights watchdog groups as well as the Council of Europe Commissioner for Human Rights, Dunja Mijatović, calling on the authorities of Azerbaijan to immediately drop the new charges and release Huseynov.
Huseynov insists he is innocent and so does the community of supporters who believe the new charges carry the sole purpose of keeping Huseynov behind bars while authorities disagree. Since his hunger strike, and the start of the international pressure, government representatives have stressed that Huseynov is in jail for breaking the law and thus serving his time for committed crimes.
On January 11th2019 a statement apparently ‘written’ by Huseynov was circulated on social networks. In the statement, addressed at the media, Huseynov writes that “he is well, and that he is recovering from the earlier hunger strike. And that he expects the criminal investigation launched against him to be just”. But very few believed in the authenticity of the statement.
His lawyer, Shahla Humbatova who saw Huseynov just a day before, said he never mentioned anything about a statement. “Unlike what is written in the statement, he told me he will continue refusing to eat solid foods and only drink juice and milk. He told me he will do so until March 2, which is the scheduled day of his release”, said Humbatova in an interview with Azadliq Radio, Azerbaijan Service for Radio Free Europe. Mehman’s brother, Emin Huseynov, confirmed the letter was fabricated.
In a country where justice rarely prevails, forced and fabricated statements should come as no surprise. The question that remains to be answered however is how much further, can one government go when already it has all the power it can possess.