Meta has disrupted a complex network in Azerbaijan that engaged in both cyber espionage and coordinated inauthentic behavior., the company said in its latest Adversarial Threat Report.
The network primarily targeted people from Azerbaijan, including democracy activists, opposition, journalists, and government critics abroad. This campaign was prolific but low in sophistication, and was run by the Azerbaijani Ministry of Internal Affairs. It combined a range of tactics — from phishing, social engineering, and hacking to coordinated inauthentic behavior.
This operation targeted websites and the online accounts of democracy activists, opposition, and journalists in Azerbaijan in pursuit of what appears to be two goals: obtain personal information about the targets and promote particular narratives about them or on their behalf. They focused on news websites and a number of internet services, including Facebook, Twitter, LinkedIn, YouTube, and Russian VK and OK.
Meta identified the following tactics, techniques, and procedures (TTPs) used by this threat actor
across the internet:
● Compromised and spoofed websites: This group operated across the internet, with over 70 websites and domains that they either ran themselves or compromised. They targeted sites in Azerbaijan and, to a lesser extent, Armenia; a small number of sites had Russian or Turkish domains. Once they compromised these websites, the group harvested databases containing usernames and passwords, likely to further compromise online accounts of their targets who might have reused the same credentials across the internet. They also, at times, hosted credential phishing content on these websites.
● Malware and other malicious tools: This group scanned websites in the region for “low-hanging fruit” web vulnerabilities, using tools like Burpsuite and Netsparker. They then used publicly known techniques to compromise vulnerable sites before uploading one of numerous web shells in order to maintain persistent access. Similarly, to crack hashes obtained from compromised sites, they used publicly available hash-cracking tools. In its targeting of people, this threat actor is known to use both Windows and commodity surveillance ware for Android.
● Credential phishing: In its phishing activity, this group relied on compromised and spoofed websites where they asked people to enter their social media credentials so they could cast their vote in political polls. Through it, an attacker would obtain people’s credentials to take over their online accounts. This operation also attempted to drive people to their phishing web pages by sharing links to them on social media, including through compromised accounts of public figures or accounts posing as members
of Facebook’s security team, many of which were detected and disabled by Facebook’s automated systems.
● Coordinated Inauthentic Behavior: The individuals behind this activity used fake and compromised accounts to run Pages and post as if they were the legitimate owners of these Pages and accounts. They typically posted in Azeri, including critical or compromising commentary about the government opposition, activists, journalists, and other members of civil society in Azerbaijan.