In 2020, Azerbaijani hacker forums and channels published breached data and documents from some of the most important Armenian government institutions and electronic systems, including the “Mulberry Groupware” electronic document management system used for inter-departmental communication within the Armenian government, screenshots of hacked government websites, databases, footage from high-definition surveillance camera systems deployed in Yerevan and much more. As a result of these successful Azerbaijani attacks, many government websites were defaced, breached or taken offline for extended periods of time.
The scale and level of coordination of the attacks indicates careful planning and centralized coordination.
The Armenian side launched a number of retaliatory attacks, proving it has very capable hackers and IT specialists, but also raising questions – why weren’t those specialists consulted earlier to find and patch weaknesses on the government systems and prevent the often irreversible damage caused by the Azerbaijani attacks?
Admittedly, the public will only see the tip of the iceberg when it comes to such security breaches and the counter-attacks. However, the fact that Azerbaijani hacker sources publicized information about hacks and breaches in several bundles in June, July and September, with weeks or sometimes months in between, but the Armenian authorities didn’t do enough to stop the new breaches, is rather discouraging.
Below is an incomplete list of the publicized Azerbaijani attacks, most of which I have been able to verify:
On June 11, an Azerbaijani hacker group published a database of about 3,000 Armenian citizens who either tested positive for COVID-19 or were close contacts of people that were. The breach included names, addresses, phone numbers and passport numbers.
On June 24, another batch of data about 2,000 Armenians was published, including names and addresses.
On July 5, Azerbaijani hackers published data about Artsakh National Security Service officers. The batch included passport photos.
On July 6, passport data about hundreds of Armenians was released, which featured selfies with their passports and looked like the type of photos that are required by banks and loan agencies for remotely confirming the identity of their clients.
On July 7, Azerbaijani hackers published inventory lists from the Artsakh Defense Army. The data covered information about vehicles in the service.
On July 10, a video was released showing personal data of Armenian servicemen.
On July 13, Azerbaijani hackers defaced the Armenian government websites: gov.am, e-gov.am and primeminister.am. There were also discussions on some Azerbaijani hacker forums about the attacks on the mail.gov.am email server, but no proof or claims of a breach was publicized. On the same day, a Turkish hacker group claimed to have crashed the websites of the Armenian Central Bank and the Armenian Stock Exchange. Those sites were indeed temporarily taken offline or opened with great difficulty, most likely due to heavy distributed denial of service (DDoS) activity.
On July 14, the website of Electric Networks of Armenia, ena.am, was defaced by Azerbaijani hackers. According to the Personal Data Protection Agency of the Ministry of Justice, no database was compromised.
On July 17, a third party SMS text message operator was compromised and about 3,000 Armenian mobile subscribers received SMS messages, which appeared to be sent from the Armenian Ministry of Defense. Also on the same day, Azerbaijani hackers compromised 23 Armenian websites. Most of the websites were defaced or taken offline for several hours. Interestingly, some of the websites were funded by the European Union in Armenia under the “Boosting Competitiveness of Regional SMEs” project.
On August 4, Azerbaijani hackers published a screenshot of the Armenian Government’s VSPhere installation (virtual machines hosting Mulberry software) and claimed they had taken hold of the “Mulberry Groupware” electronic document management system. The Armenian Prime Minister’s spokesperson claimed that there was no proof that the hackers got hold of any data other than the published screenshot.
On August 7, Azerbaijani hackers published a cache of 1,300 documents from the 2016-17 archive of the Armenian Ministry of Transport, IT and Communications.
Following that series, which roughly coincided with the period before, during and after the fighting in Tavush in July 2020, the wave of breaches and hacks stopped for several weeks. They restarted together with the 2020 Artsakh War:
On September 27, Azerbaijani hackers published a database of about 1 million Armenian passports. Most of the data was outdated. On the same day, about 90 Armenian website addresses were redirected to an Azerbaijani propaganda page. The list included top Armenian news websites news.am, 1in.am, armtimes.com, hetq.am, armenpress.am, mediamax.am. Again, on the same day, the Azerbaijani hacking team published a large dump of official Armenian documents on a specially crafted website. The hackers claimed that the data came from the Armenian Ministry of Foreign Affairs, the Presidential administration and the Armenian National Security Service (NSS). On the very same day, DDoS attacks started on many Armenian news websites, which continued until mid-November.
On October 10, an attack of unprecedented scale took down about 50 of the most important Armenian government websites, as well as Artsakh websites.
At the start of October, Azerbaijani hackers presented evidence that they have penetrated Armenian Government servers. Gigabytes of data was published, some of it dated mid-September. The published data included official documents from the Metsamor Nuclear Power Plant (which the spokesperson for the Azerbaijani Ministry of Defense had threatened to target in July), Armenia’s Foreign Affairs Ministry, Defense Ministry and Presidential administration.
On November 9, Azerbaijani hackers published a phone database of Karabakh Telecom customers, featuring more than 58,000 records, including the addresses and phone numbers of Artsakh President Arayik Harutyunyan, his administration, MPs and military officials.
Throughout 2020, Azerbaijani hackers also carried out phishing attacks via email, Facebook, WhatsApp, Viber, Instagram and SMS. A number of Armenian Facebook and Instagram pages and accounts were broken into and used to spread Azerbaijani propaganda.
Hackers were also publishing video recordings from Armenian surveillance cameras. In many cases, the cameras weren’t even “hacked” per se; they were simply exposed on the public Internet, with unchanged default passwords, wide open for the taking.
These attacks reveal systemic weaknesses in Armenia’s public and private infrastructure, some of which (including the electronic tax management system) are blocked for access from outside Armenia even today, two months after the war.
The data breaches also demonstrate complete disregard for the handling and security of personal data by government and private institutions alike, including the military and financial institutions.
In many cases, breaches occurred due to the human factor: weak or reused passwords, lack of multifactor authentication, use of shadow IT at work, mixing work and personal accounts (email, social media). This in turn demonstrates a lack of actionable policies and training.
Looking at the types of attacks, we’ve seen cases of phishing and spear-phishing, social engineering attacks using email, various messengers, Facebook and Instagram, DDoS attacks, website defacements and websites hacks using a variety of exploits.
While all the cases mentioned have been widely reported, we have not seen anybody held responsible, although the National Security Service and the Personal Data Protection Agency have issued warnings and press releases about various attacks.
Interestingly, news websites and the financial sector suffered the least, although those were prime targets. The financial sector is traditionally strong in cybersecurity, as it has to meet many compliance standards and invests heavily in them. News websites, on the other hand, have lived through years of attacks from the Azerbaijani side and have hardened their online presence. Also, a very large group of Armenian IT professionals joined forces and put a lot of volunteer effort into protecting Armenian news websites during the 44-day war, which can explain the positive outcomes.
As mentioned, there were a range of retaliatory strikes from the Armenian side, but listing them is beyond the point of this article, especially as we were unable to independently verify most of those attacks for technical reasons. However, their number and complexity proves that the Armenian side has enough capacity to solve the problems it faces.
So the question is – why were we in such a dire state and what should be done to avoid the mistakes of the past?
Experts agree that one of the first steps should certainly be to investigate the previous attacks (where possible), write postmortems, draw lessons learned and recommendations for immediate mitigations. Another step that should have been done long ago is to conduct risk assessments for the key government bodies, key infrastructure and large private entities, develop action plans to address them and define bodies responsible for making sure that those plans are implemented.
Digital security expert Ruben Muradyan says the authorities should do more than just write various digital security strategies, which he has seen plenty of in the past 15 years.
“It has been a mess and will remain a mess,” Muradyan says. “Because all our state officials want everything to be great and consider their sole responsibility to say pompous toasts about it and hope that someone does the work for them.”
Pointing to the lack of information about any investigation into the dozens of hacking attacks described above, Muradyan says there needs to be a law about mandatory disclosure to victims when their personal data is compromised, so that they would at least be notified about the breaches.
The digital security expert stresses the need to create conditions for the development of a vibrant cybersecurity community, which can serve the public and private sectors alike. “People need to be able to make money doing cybersecurity, to conduct IT audits, to research bugs and threats. The community needs to be encouraged; new kids should enter the profession. We see none of that now. All we see is a mere festival of enthusiasm,” he explains.
Digital security consultant Samvel Martirosyan also points to the need for legislative changes. “We need to define very clearly what needs to be protected. Critical infrastructure, for example, should be clearly defined and the public and private sector should be tasked with protecting those assets,” he explains.
Both experts also stress the importance of clearly defining the state body responsible for the cybersecurity of the country, something like the Georgian Cyber Center.
The operators of critical infrastructure, big business and medium enterprises should have clearly-defined cybersecurity requirements. This would also create a demand in the local market for cybersecurity professionals and services and develop the industry.
Last but not least, people need to be educated about cybersecurity, which should be addressed at various levels by creating and enforcing policies and carrying out public information campaigns. Though there is a cost involved, we cannot afford to put it off any longer.