Summary of our technical findings

We documented a series of spearphishing attempts using a custom malware agent that has targeted critics of the Azerbaijani government over at least thirteen months. The recent samples of the malware are consistent with independent reports of an increase in the compromise of social media accounts of activists. The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites.

The malware that was observed is not sophisticated, and is in some respects extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.

Campaigns of impersonation

The e-mail impersonation of Rasul Jafarov around October 2016 exposed a larger operation. Based on the results of Amnesty International’s analysis and the first-hand accounts of Azeri activists, it became clear that this was not an isolated incident. Starting as early as November 2015, Azerbaijani actors appear to have repeatedly used a custom malware agent in a broad campaign targeting political dissidents and human rights activists in Azerbaijan.

In two cases, Amnesty International were able to identify the targets of attacks because screenshots of the attackers contacting the targets via Facebook messenger were later dumped in a public location.

Screenshot of the Facebook conversation.

In the first of these cases, in January 2016, the target was the administrator of a site named “Anonymous Azerbaijan” and a member of a group active in hacking and defacing websites. The attacker sent him the malware, pretending it was a pirated version of Havij, a popular penetration testing tool. The Facebook groups that he administered, his personal Facebook profile, and Anonymous Azerbaijan’s site, have since disappeared. From Internet Archives snapshots, the Anonymous Azerbaijan forum appears to have been defaced by unknown actors within days of the compromise, and was later suspended by the hosting company.

In the second case, occurring a few days after the first compromise, a Facebook profile that claimed to belong to the writer Saday Shekerli approached the Facebook administrator of Kanal 13, an Internet news media service. At the time of the intrusion Saday Shekerli had recently been arrested on charges of tax evasion. Shekerli’s profile claimed to have an article for review for the news agency, and sent the target the malware agent disguised as a Word document.

Screenshot of the Facebook conversation.

As a result of this compromise, the attackers had access to Kanal 13’s communications for a little over a week, documenting the internal operations of Kanal 13 and the individual’s private life. Kanal 13 journalists subsequently faced prosecution over their reporting. Though there is no suggestion that the malware attack and the later prosecution are related, it is interesting to note that this attack also fits the pattern whereby targets of the malware attacks also face legal problems with the authorities.

The Azerbaijan Anonymous and Kanal 13 spearphishing attempts illustrate a common pattern of intrusions with rudimentary malware. Other samples of the malware agent appear to have posed as updates for Adobe Flash or other consumer software, a common tactic in similar attacks.

In yet another attack, the malware was distributed pretending to be an invitation for a reception at the US Embassy in Baku. Several activists said they had received this fake invitation.

In most cases, as with the one impersonating Rasul Jafarov, the malware would attempt to open an Office document that would appear legitimate.

These documents were often ostensibly concerning subjects relevant to the recipients. In one recent sample, the document extracted purports to be a list of “political prisoners in Azerbaijan” as of November 2016. The document metadata claims that the attachment was originally created by “leyla_yunus” — a reference to the Azerbaijani human rights activist Leyla Yunus.

Other information about earlier attacks lends further suspicion as to the origin and intent of the campaign. Ramin Hacılı, the President of the Azerbaijani European Movement, an organization that has advocated for closer political and cultural relations with Europe, appears to have been compromised by the same malware. In the middle of his campaign for the parliamentary elections in October 2015, he abruptly left the country. In an interview where he discusses why he left the country, he noted that his computer had been infected by a virus that communicated with the same address as the primary Command & Control server of the malware. The malware reportedly found on his computer is the earliest known version, and was uploaded to VirusTotal in November 2015. In the article, Hacılı also recounts his struggle to take down an old domain under his name that had been re-appropriated to host malware (“raminhacili.info”) in September 2015, a domain which is flagged by Google as malicious.

Hacili told Amnesty International that he had left Azerbaijan during the 2015 parliamentary campaign in order to seek technical assistance with his computer from acquaintances in Turkey, and that he returned as soon as he had found and neutralized the malware affecting his computer. He said that since that time, there have been repeated attacks on his website whenever he publishes information about those he believes are behind the hacking attacks against him. He said that he made a formal complaint to the police about one and a half years ago, but has not had any update about his complaint in the intervening time.

Homegrown Malware

The malware in this campaign, which we dubbed AutoItSpy, is a very simple combination of two programs written with AutoIt. When run by the victim, the malware attempts to open a bundled document that acts as a decoy. In the background, the agent is installed to a persistent location and set to run on startup. From there, it profiles the victim’s system (collecting IP addresses and system settings). The agent then continually records the keystrokes of the user and captures screenshots, most likely in order to obtain credentials for online platforms such as email and social media.

For more on AutoItSpy, see our full report here.
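The agent described above is a compiled AutoIt program that installs itself to a persistent location and runs on startup. The following triage script is an added example (not code from the Amnesty report or from AutoItSpy itself) that flags files in Windows startup folders which look like compiled AutoIt executables. It assumes two things that are not stated in the report: that the AutoIt compiler embeds the literal marker AU3!EA06 in the binaries it produces, and that the two startup folders listed are the locations to inspect; the sample byte buffers are constructed for offline demonstration and are not malware.

```python
"""Triage helper (added example, not part of the report): find startup-folder
executables that look like compiled AutoIt scripts, the form AutoItSpy takes.

Assumptions (ours, not the report's): compiled AutoIt binaries contain the
marker b"AU3!EA06", and the per-user / machine-wide Startup folders below are
the persistence locations worth checking first.
"""
import os
from pathlib import Path
from typing import Iterable, Iterator, List, Optional

# Marker embedded by the AutoIt compiler (assumption: present in its output).
AUTOIT_MARKER = b"AU3!EA06"
PE_MAGIC = b"MZ"  # DOS header that every Windows PE file starts with

# Hypothetical default locations; override with scan_startup_dirs(paths=[...]).
DEFAULT_STARTUP_DIRS = [
    Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup",
    Path(os.environ.get("ProgramData", "")) / "Microsoft/Windows/Start Menu/Programs/StartUp",
]


def looks_like_autoit_pe(data: bytes) -> bool:
    """True when the buffer is a PE image that carries the AutoIt marker."""
    return data.startswith(PE_MAGIC) and AUTOIT_MARKER in data


def iter_files(dirs: Iterable[Path]) -> Iterator[Path]:
    """Yield every regular file beneath the given directories."""
    for d in dirs:
        if d.is_dir():
            for p in d.rglob("*"):
                if p.is_file():
                    yield p


def scan_startup_dirs(paths: Optional[Iterable[Path]] = None) -> List[str]:
    """Return the paths of startup-folder files that look like compiled AutoIt."""
    dirs = DEFAULT_STARTUP_DIRS if paths is None else list(paths)
    hits: List[str] = []
    for p in iter_files(dirs):
        try:
            data = p.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        if looks_like_autoit_pe(data):
            hits.append(str(p))
    return hits


# Constructed sample buffers (not real binaries) so the check can be run offline.
SAMPLE_AUTOIT = PE_MAGIC + b"\x00" * 64 + AUTOIT_MARKER + b"\x00" * 16
SAMPLE_PLAIN_PE = PE_MAGIC + b"\x00" * 64
SAMPLE_TEXT = b"Just a text file\n"

if __name__ == "__main__":
    for name, buf in [("autoit", SAMPLE_AUTOIT), ("plain-pe", SAMPLE_PLAIN_PE), ("text", SAMPLE_TEXT)]:
        print(f"{name}: {looks_like_autoit_pe(buf)}")
    for hit in scan_startup_dirs():
        print("AutoIt-compiled startup item:", hit)
```

A hit is a lead, not a verdict: legitimate administrative tooling is also written in AutoIt, so flagged files should be checked for the decoy-document, keylogging and screenshot behaviour the report describes before being treated as AutoItSpy.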

Who is behind the campaign?

While AutoItSpy appears to have been developed by Azeri-language speakers and uses infrastructure inside Azerbaijan, no observed indicators directly associate it with a particular individual or entity. AutoItSpy does overlap with other sustained campaigns to compromise Azerbaijan-related sites, as documented by VirtualRoad.org and the testimonies Amnesty collected. The IP addresses identified in the AutoItSpy campaign and related attacks against websites also overlap with known government infrastructure; however, this is not in itself an indicator of state involvement.

Who is Pantera?

A month prior to the first detected sample of AutoItSpy, an individual under the pseudonym “P_a_n_t_e_r_a” and “pantera” entered an IRC chat room related to open source network monitoring software from the same IP address as the primary Command & Control server. On multiple occasions, publicly-available logs describe pantera requesting technical support related to configuring alerts for a system intended to monitor a mail server from a computer isolated from the Internet. This interest further aligns with AutoItSpy’s exfiltration of data through a public mail server. In earlier logs from the same year, pantera is found to have accessed the chat room from an alternative address on the same ISP (85.132.24.74). This address appears in claims of defacement of the site “Avropa.info” in February 2014, as well as in the attempts documented by VirtualRoad.org. While the gap in time makes the connection between Pantera and AutoItSpy weaker, the described connection to malicious behavior lends further weight to there being a relationship.

#zabbix-2015.04.16.log:07:31 -!- P_a_n_t_e_r_a [~P_a_n_t_e@85.132.24.74] has joined #zabbix

…

#zabbix-2015.05.06.log:14:49 <P_a_n_t_e_r_a> i will use it in isolated pc

#zabbix-2015.05.06.log:15:15 <P_a_n_t_e_r_a> Server has no internet access &

…

#zabbix-2015.10.20.log:13:07 -!- [P_a_n_t_e_r_a] [~P_a_n_t_e@85.132.78.164] has joined #zabbix

The network address block (85.132.78.0/24) used for AutoItSpy’s mail server appears to be mostly populated by the communications infrastructure of natural resource, financial, and banking sector companies in Azerbaijan; this could be commercially leased infrastructure.

More intriguingly, the other network address block (85.132.24.0/22) used previously by the pantera actor predominantly hosts government infrastructure, such as the Ministry of Foreign Affairs, Ministry of Justice and state-owned television.
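The infrastructure overlap argued in this section and in the IRC excerpts above rests on a simple correlation: the host part of each join line, checked against the two network blocks the report names. The script below is an added example (not the report's own tooling) that parses join lines in the logged format, extracts the hostmask IP and the log date, and maps each nick to the blocks it was seen joining from. The two join lines are copied from the report; the third log line and the block labels are constructed for illustration.

```python
"""Added example (not from the Amnesty report): correlate IRC join-line
hostmasks with the network blocks discussed in the report.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Blocks named in the report; the short labels are ours.
BLOCKS = {
    "85.132.78.0/24": "AutoItSpy mail server block",
    "85.132.24.0/22": "earlier pantera block (government infrastructure)",
}
NETWORKS = {cidr: ipaddress.ip_network(cidr) for cidr in BLOCKS}

# '-!- nick [~user@host] has joined', with the nick optionally in brackets.
JOIN_RE = re.compile(
    r"-!-\s+\[?(?P<nick>[^\s\[\]]+)\]?\s+\[[^@\]]*@(?P<host>[^\]]+)\]\s+has joined"
)
DATE_RE = re.compile(r"(\d{4}\.\d{2}\.\d{2})\.log")


def parse_join(line: str) -> Optional[Tuple[str, str, ipaddress.IPv4Address]]:
    """Return (date, nick, ip) for a join line; None for chat or non-IP hosts."""
    m = JOIN_RE.search(line)
    if not m:
        return None
    d = DATE_RE.search(line)
    date = d.group(1) if d else "unknown"
    try:
        ip = ipaddress.ip_address(m.group("host"))
    except ValueError:
        return None  # cloaked or hostname masks carry no address to correlate
    return date, m.group("nick"), ip


def classify(ip: ipaddress.IPv4Address) -> Optional[str]:
    """CIDR of the named block containing ip, or None if it is in neither."""
    for cidr, net in NETWORKS.items():
        if ip in net:
            return cidr
    return None


def correlate(lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, Optional[str]]]]:
    """Map nick -> list of (date, ip, block) for every parsable join line."""
    seen: Dict[str, List[Tuple[str, str, Optional[str]]]] = defaultdict(list)
    for line in lines:
        parsed = parse_join(line)
        if parsed is None:
            continue
        date, nick, ip = parsed
        seen[nick].append((date, str(ip), classify(ip)))
    return dict(seen)


# Two join lines and one chat line from the report, plus one constructed
# join from an unrelated documentation address (192.0.2.0/24).
SAMPLE_LOG = [
    "#zabbix-2015.04.16.log:07:31 -!- P_a_n_t_e_r_a [~P_a_n_t_e@85.132.24.74] has joined #zabbix",
    "#zabbix-2015.05.06.log:14:49 <P_a_n_t_e_r_a> i will use it in isolated pc",
    "#zabbix-2015.06.01.log:09:00 -!- someuser [~some@192.0.2.10] has joined #zabbix",
    "#zabbix-2015.10.20.log:13:07 -!- [P_a_n_t_e_r_a] [~P_a_n_t_e@85.132.78.164] has joined #zabbix",
]

if __name__ == "__main__":
    for nick, sightings in correlate(SAMPLE_LOG).items():
        for date, ip, block in sightings:
            label = BLOCKS.get(block, "no named block") if block else "no named block"
            print(f"{date} {nick:<15} {ip:<15} {label}")
```

Block membership alone shows only that two sightings share address space; as the report itself stresses, it does not establish who controls the machine behind either address.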

While these details do not provide conclusive evidence that would implicate the government of Azerbaijan or any other entity as responsible for the attacks described in this report, they do indicate that those behind the campaign have maintained costly infrastructure to sustain the targeted surveillance campaign for unclear motivations.

Response of the Azerbaijani Government

A draft of this report was provided to an official e-mail address for the Azerbaijani Embassy in London, who provided the following comment from a separate address: