Azeri human rights activists, journalists and political dissidents have been the targets of a fraudulent and sustained ‘spear phishing’ campaign using emails and Facebook chat, apparently aimed at gaining access to their personal information and private communications, said Amnesty International in a new report launched today.
The investigation reveals that the attacks, which can compromise passwords and contacts, have been directed at various government critics for the past 13 months. Victims told Amnesty International they believed the Azerbaijani authorities are behind the attacks.
“Our research reveals that a targeted and coordinated cyber campaign is being waged against critical voices in Azerbaijan, many of whom are long-time victims of government repression,” said Claudio Guarnieri, Senior Technologist at Amnesty International.
“The malware used has been designed with the express intention of gathering as much private information as possible about a target. Given the profiles of those targeted, it is not hard to see why victims believe the authorities are responsible.”
The report, ‘False Friends - how fake accounts and crude malware targeted dissidents in Azerbaijan’, details how victims have been targeted using a practice known as ‘spear phishing’, which involves an email with an attachment containing a virus - known as malware - being sent to a target from a fake address.
If the recipient of the email clicks on the attachment, a virus is downloaded which relays images of the target’s screen back to the attacker and enables them to record what the target is typing.
The emails were mostly sent from addresses impersonating prominent human rights and political activists.
One victim was the lawyer and human rights activist Rasul Jafarov, who was alerted to the attack when he received a phone call from a colleague in October 2016 warning him that he had been sent an email and attachment from an address very similar to his.
Amnesty International was not able to trace the cyberattacks directly to any government officials or agencies. However, an online identity going by the name of “pantera” - which appears to control the malware used in the attacks - has used an IP address from a “block” of addresses that predominantly hosts government infrastructure, such as the Ministry of Foreign Affairs, Ministry of Justice and state-owned television.
Amnesty International presented the findings of the report to the Azeri government, who responded by saying the cases documented had not been reported to them and therefore have not been investigated.
