April 13, 2022
Social media giant Meta, the parent company of Facebook, Instagram and Whatsapp, has published an “Adversarial Threat Report,” which covers a “hybrid operation from Azerbaijan.”
“We disrupted a complex network in Azerbaijan that engaged in both cyber espionage and coordinated inauthentic behavior,” Meta said in its report.
The Azerbaijani network primarily targeted people from Azerbaijan, including democracy activists, opposition, journalists, and government critics abroad.
“This campaign was prolific but low in sophistication, and was run by the Azeri Ministry of Internal Affairs,” Meta said.
According to the researchers, the campaign combined a range of tactics — from phishing, social engineering, and hacking to coordinated inauthentic behavior. This operation targeted websites and the online accounts of democracy activists, opposition, and journalists in Azerbaijan in pursuit of what appears to be two goals: obtain personal information about the targets and promote particular narratives about them or on their behalf. They focused on news websites and a number of internet services, including Facebook, Twitter, LinkedIn, YouTube, and Russian VK and OK.
Meta has identified the following tactics, techniques, and procedures (TTPs) used by this threat actor across the internet:
● Compromised and spoofed websites: This group operated across the internet, with over 70 websites and domains that they either ran themselves or compromised. They targeted sites in Azerbaijan and, to a lesser extent, Armenia; a small number of sites had Russian or Turkish domains. Once they compromised these websites, the group harvested databases containing usernames and passwords, likely to further compromise online accounts of their targets who might have reused the same credentials across the internet. They also, at times, hosted credential phishing content on these websites.
● Malware and other malicious tools: This group scanned websites in the region for “low-hanging fruit” web vulnerabilities, using tools like Burpsuite and Netsparker. They then used publicly known techniques to compromise vulnerable sites before uploading one of numerous web shells in order to maintain persistent access. Similarly, to crack hashes obtained from compromised sites, they used publicly available hash-cracking tools. In its targeting of people, this threat actor is known to use both Windows and commodity surveillanceware for Android.
● Credential phishing: In its phishing activity, this group relied on compromised and spoofed websites where they asked people to enter their social media credentials so they could cast their vote in political polls. Through it, an attacker would obtain people’s credentials to take over their online accounts. This operation also attempted to drive people to their phishing web pages by sharing links to them on social media, including through compromised accounts of public figures or accounts posing as members of Facebook’s security team, many of which were detected and disabled by our automated systems.
● Industry reporting: Our findings corroborate previous public reporting about some of this activity by OC-Media and Qurium.
● Coordinated Inauthentic Behavior: The individuals behind this activity used fake and compromised accounts to run Pages and post as if they were the legitimate owners of these Pages and accounts. They typically posted in Azeri, including critical or compromising commentary about the government opposition, activists, journalists, and other members of civil society in Azerbaijan.