Ilham Aliyev at the World Economic Forum at Davos 2018. Photo CC BY 4.0: Wiki. Some rights reserved.

On 11 April, Azerbaijani president Ilham Aliyev will be re-elected to his fourth term in office while his major rivals sit in jail or boycott the snap elections. Despite the certain result, hackers, apparently acting on the orders of the Azerbaijani government, have used cheap ransomware, imported surveillance hardware and bullying tactics to head off any freedom of expression or organisation online.
In addition to the nuts and bolts of how an authoritarian state works to prevent the sort of online organisation that once dominated headlines worldwide, this is also a story about how the built-in deniability of cyber-attacks insulates Azerbaijan from unwanted attention from the international community – and how inexpensive and accessible cyber-authoritarianism can be in 2018.
Turning up the pressure
The pressure campaign in question began a few weeks after President Ilham Aliyev returned from the Eastern Partnership Summit in Brussels in late November 2017. It was also around the time that an appeals court upheld an order to block the country’s five major independent news websites.
MeydanTV’s website as accessed from inside Azerbaijan, February 2018.

The first piece of malware was sent to a Baku-based journalist in mid-December from the hacked Facebook account of a well-known opposition activist. The journalist absent-mindedly opened it, before realising their mistake and securing their device. Another file came in a few hours later from a similarly hacked account of a fellow journalist, which was not opened.
The first malware used in the campaign, obtained by Civil Rights Defenders, was written in early December and sent off to the first target within a few weeks – a fast enough development time to suggest the developers were more interested in getting their product out as fast as possible, rather than ensuring it actually worked as intended.
However, the campaign was not limited to phishing alone. In the first week of January, enough bogus YouTube copyright complaints were filed against Meydan TV (a Berlin-based independent media that is the frequent target of Azerbaijani government ire) that the social media company removed a number of the videos, threatening Meydan TV with removal from the platform. Six videos of Radio Free Europe/Radio Liberty’s Azerbaijani service were also removed. YouTube eventually reversed their decision and restored all of the videos.
Later in January, a wide variety of Azerbaijani journalists connected to Meydan TV, as well as a number of political figures, began to receive malware from hacked accounts of fellow journalists and activists on Facebook Messenger. The ease with which the hackers accessed numerous accounts, all of whose owners contacted by Civil Rights Defenders insisted they had two-factor authentication turned on, is a strong indication of government involvement. Facebook’s “real name” policy, an Azerbaijani law that requires all SIM cards to be registered to a personal identification number, and the government’s use of “black boxes” that allow it to monitor all unencrypted telecommunications traffic together mean that hackers with access to the government’s “black boxes” can trigger a password reset on a Facebook account and intercept the resulting security message before it reaches the user.
The hackers didn’t rely on Facebook alone, and later began sending phishing emails from spoofed addresses. Although these emails appeared, at a glance, to come from the email accounts of Meydan TV staff and volunteers, they were actually sent via a common email app called LeafPHPMailer 2.7. Apps of this type are used by businesses (and email scammers) to send mass emails, and allow the user to alter how the name of the sender will appear to the recipient.
To further disguise their identity, the hackers used copies of the app on several different websites, which they appear to have selected simply by googling “LeafPHPMailer 2.7”. A Google search for that term returns search results of websites that have installed the app but haven’t properly secured access by requiring a login.
However, as the hackers put no real effort into making the emails look authentic – many including the same message twice, once in Azerbaijani and once in broken English – this line of attack was not as successful as the Facebook-based phishing.
An analysis of some of the malware used in the attacks by the cybersecurity activist outfit VirtualRoad showed it was similar neither to the expensive commercial surveillance products Azerbaijan once purchased from Hacking Team, nor to the less-effective homemade spyware it was caught using in 2016. Instead, it appeared to be simple ransomware, likely purchased on a hacker forum on the dark web. The purpose was not to gather intelligence, but to disrupt and cause havoc in activist and journalist networks.
An examination of the data of a Facebook account that was taken over by the same hacker who attempted to delete Meydan TV’s Facebook page (the hacker reset both accounts’ email addresses to the same email account) shows the same strategy at work. Despite having access to the account for more than a day, the hacker did not download any Facebook data and did not use it for any purpose other than to send dozens of friend requests to other Azerbaijani accounts.
At the time, the motives behind and timing for the attacks were not clear. Azerbaijani activists and journalists are used to harassment and the state has a well-documented history of mass surveillance, but the intensity and lack of interest in intelligence-gathering were both new. When President Ilham Aliyev surprised observers on 5 February by calling for snap elections in April, everything quickly made sense in retrospect.
Election campaign posters promoting incumbent president Ilham Aliyev and other presidential candidates in Baku. (c) Aziz Karimov/Zuma Press/PA Images. All rights reserved.

On 27 March, Facebook returned around 100,000 followers of Meydan TV who had been blocked or removed by the hacker, and is currently in the process of recovering their archive of stories. The attack was ultimately unsuccessful, but it did waste a certain amount of Meydan TV staff members’ time. It also sent a rather unambiguous message to the rest of Azerbaijan’s online journalist and activist community about the state’s stance towards dissent online.
The Azerbaijani government focuses the bulk of its energy on social media because it has been openly blocking the primary Azerbaijani independent media websites since early 2017. According to research published by VirtualRoad, which also hosts several independent Azerbaijani websites, the government uses equipment bought from the Israeli firm Allot Communications for $3m to block the websites using deep packet inspection. The hardware was originally purchased to monitor secure messenger traffic during the 2015 European Games. Bribes and kickbacks made as part of its purchase were part of a wide-ranging corruption scandal that resulted in numerous prosecutions, resignations of high-ranking ministers, and the reorganisation of several government ministries.
However, no censorship system is impenetrable. One year after the government began formally blocking critical websites, VirtualRoad found several weaknesses in Allot Communications’ system – in part by purchasing a cheaper version of the $3m hardware second-hand on eBay – and unblocked the websites it hosts in late March. These included websites that had been blocked by court order, like Azadliq.info, and smaller websites the state blocked without bothering with the usual legal fig leaf, such as Abzas.net.
VirtualRoad also pinpointed the source of the equipment and the attacks against independent media websites as servers belonging to Azintelecom LLC, a wholly owned subsidiary of the Azerbaijani government. Rather than attempting to identify and fix the security holes that VirtualRoad exploited to penetrate Azerbaijan’s firewall, hackers at Azintelecom IP addresses – who at first neglected to turn on a virtual private network to hide their identity – have responded by launching penetration tests against VirtualRoad’s servers, but have not yet attempted to “hack back” or otherwise harm their system.
On the morning of 9 April, Azintelecom shifted tactics and began blocking each site’s individual IP address. VirtualRoad responded by swiftly moving each site to a new virtual server, forcing the Azerbaijani government to play a game of whack-a-mole that continued at press time.
Azintelecom also recently purchased Azercell, the country’s largest telecommunications company, from Sweden’s Telia in February in an opaque sale that appears to have been well below any reasonably assessed value for the company.
Forum for free speech
The internet, and Facebook in particular, has been the sole venue for free speech or organising outside of state structures in Azerbaijan for years. A thorough harassment campaign, launched in the wake of the Arab Spring, forced free-thinking organisations to close, harassed and arrested many of their members, and pressured any venue that was foolish enough to offer a non-approved group a place to gather. Independent thinkers moved online and often abroad.
Laws and attacks on online activists have only accelerated in the last several years. In 2016, the government both outlawed insulting the president online and sentenced the deputy chairman of the opposition Popular Front Party to ten years’ imprisonment for a single critical Facebook post. In early 2017, the country’s most popular blogger Mehman Huseynov was sentenced to two years’ imprisonment on fabricated charges after he refused orders to stop posting his popular corruption-themed blogs and videos on Facebook.
In all these respects, Azerbaijan is not especially unique or extreme when compared to other authoritarian states. It has yet to poison one of its dissidents abroad. It does not employ the small army of spies and assassins that Ramzan Kadyrov uses to keep the Chechen diaspora in check. It does not have China or Russia’s advanced hacking units, and it also appears to have thrown in the towel on acquiring expensive foreign-made hacking tools.
Azerbaijan’s tactics may be crude, thuggish and done on the cheap, but in the current geopolitical climate, they are also effective. Western policymakers tend to view hacking and online harassment as a technological problem with a technical, rather than a political, solution. The difficulties inherent in conclusively attributing cyber attacks enable political leaders to avoid taking a stance at all, to the increasing detriment of political and social rights.
The modern tendency to confuse technical and political issues is not limited to cybersecurity, or even to the internet and internet-related issues in general, but it is here where it is most evident and acute. Although the conventional wisdom has come a long way since the pollyannish western attitudes towards the Arab Spring and Iran’s Green Revolution, a general belief persists that technology will allow policymakers to hack their way out of complex problems.
Azerbaijan is an excellent case study. It can effectively spy on and bully its citizens online without access to the sort of cybertools available to the United States, Russia or other wealthy countries because its citizens expect to be surveilled by their government, and have no legal recourse or ability to compel their government to respect due process.
To exacerbate matters, protections against surveillance that citizens of wealthy countries take for granted are much harder to obtain. Most Azerbaijanis are forced to rely on pirated and extremely insecure versions of common software because international intellectual property agreements make legal copies unaffordable – a large part of why the cheap, off-the-rack ransomware used as part of this campaign was so effective.
Even in the event an activist, journalist, or human rights defender has the means and the expertise to secure her devices and communications, security services have no compunction about finding a physical method of making a target unlock their phone or laptop.
What to do
Western states have prioritised developing cybersecurity policy responses for private businesses and infrastructure. This is understandable, but it overlooks how methods that authoritarian states develop for use against activists and journalists are often later employed against other states and international businesses.
The responsibility for protecting activists has been delegated to tech and social media giants who have become the backbone of the modern internet, with mixed results (Twitter’s continued failure to address trolling is a notable example.) However, even with new scandals about Facebook or YouTube erupting on a biweekly basis, no western government has seriously raised the issue of regulating their behaviour.
Even if such an unlikely political consensus were to emerge, it would not be sufficient. Facebook and Twitter can and need to be more responsive to complaints of state-backed harassment, and programmes like TechSoup and Google’s VPN service are valuable tools for those on the front lines of human rights. But tech giants’ best conceivable effort would be a poor substitute for tangible diplomatic engagement, or even for a relaxation of the international copyright restrictions that unfairly punish lower-income countries and citizens of authoritarian states.
The tactics Azerbaijan uses are cheap and widely available, and primarily effective because the international community does not seriously attempt to compel it to stop. So what to do?
First and foremost, there is no substitute for diplomatic engagement and holding Azerbaijan to its international commitments to human rights and rule of law. The software Azerbaijan uses is cheap and widely available, and even international pariahs have little difficulty in acquiring surveillance hardware – Allot Communications was caught selling similar technology to Iran back in 2011. Western governments would not react to a violent crackdown on street protests by attempting to limit a government’s access to tear gas, nightsticks, and small arms, and it would be equally ineffective to do the same with cyberweapons.
Second, western countries need to seriously examine how the secrecy inherent in the modern global financial system aids and abets grand corruption. The Azerbaijani state is heavily invested in intimidating and surveilling its population because its primary activity is not governing, but defrauding its citizens – a practice that is made possible through the west’s maintenance of a system of tax havens, shell companies, and unscrupulous financial services firms. The west provides the Azerbaijani state with both the tools to oppress its citizenry and a place to hide the spoils.
One last step democratic countries could take would be to more rigorously regulate the private corporations that produce and sell surveillance software and hardware, instead of the current model that pays lip service to regulation but prioritises profits over fundamental human rights. Allot Communications is still around to help Azerbaijan censor the internet seven years after being caught helping Israel’s arch-rival do the same, and even the industry’s poster child for bad behaviour, Italy’s Hacking Team, is currently supplying spyware to at least 14 countries.
As states with advanced capabilities continue to push the envelope of cyber-espionage, they open up space for others to act without drawing international attention or major headlines, but the consequences for both everyday citizens and activists are no less real. No algorithm or hack is going to reverse this trend – western governments need to face up to their own complicity, put their own houses in order, and use all diplomatic and legal means to live up to their international commitments to human rights.
The authors would like to thank Arzu Geybullayeva, who provided research, translation and much more to both Civil Rights Defenders and VirtualRoad without which this piece would not have been possible.