In 2020, Azerbaijani hacker forums and channels published breached data and documents from some of the most important Armenian government institutions and electronic systems, including the “Mulberry Groupware” electronic document management system used for inter-departmental communication within the Armenian government, screenshots of hacked government websites, databases, footage from high-definition surveillance camera systems deployed in Yerevan and much more. As a result of these successful Azerbaijani attacks, many government websites were defaced, breached or taken offline for extended periods of time.
The scale and level of coordination of the attacks indicate careful planning and centralized coordination.
The Armenian side launched a number of retaliatory attacks, proving it has very capable hackers and IT specialists, but also raising questions – why weren’t those specialists consulted earlier to find and patch weaknesses on the government systems and prevent the often irreversible damage caused by the Azerbaijani attacks?
Admittedly, the public will only see the tip of the iceberg when it comes to such security breaches and the counter-attacks. However, the fact that Azerbaijani hacker sources publicized information about hacks and breaches in several bundles in June, July and September, with weeks or sometimes months in between, but the Armenian authorities didn’t do enough to stop the new breaches, is rather discouraging.
Below is an incomplete list of the publicized Azerbaijani attacks, most of which I have been able to verify:
Following that series, which roughly coincided with the period before, during and after the fighting in Tavush in July 2020, the wave of breaches and hacks stopped for several weeks. They restarted together with the 2020 Artsakh War:
These attacks reveal systemic weaknesses in Armenia’s public and private infrastructure, some of which (including the electronic tax management system) are blocked for access from outside Armenia even today, two months after the war.
The data breaches also demonstrate complete disregard for the handling and security of personal data by government and private institutions alike, including the military and financial institutions.
In many cases, breaches occurred due to the human factor: weak or reused passwords, lack of multifactor authentication, use of shadow IT at work, mixing work and personal accounts (email, social media). This in turn demonstrates a lack of actionable policies and training.
Looking at the types of attacks, we’ve seen cases of phishing and spear-phishing, social engineering attacks using email, various messengers, Facebook and Instagram, DDoS attacks, website defacements and website hacks using a variety of exploits.
While all the cases mentioned have been widely reported, we have not seen anybody held responsible, although the National Security Service and the Personal Data Protection Agency have issued warnings and press releases about various attacks.
Interestingly, news websites and the financial sector suffered the least, although those were prime targets. The financial sector is traditionally strong in cybersecurity, as it has to meet many compliance standards and invests heavily in them. News websites, on the other hand, have lived through years of attacks from the Azerbaijani side and have hardened their online presence. Also, a very large group of Armenian IT professionals joined forces and put a lot of volunteer effort into protecting Armenian news websites during the 44-day war, which can explain the positive outcomes.
As mentioned, there were a range of retaliatory strikes from the Armenian side, but listing them is beyond the scope of this article, especially as we were unable to independently verify most of those attacks for technical reasons. However, their number and complexity prove that the Armenian side has enough capacity to solve the problems it faces.
So the question is – why were we in such a dire state and what should be done to avoid the mistakes of the past?
Experts agree that one of the first steps should certainly be to investigate the previous attacks (where possible), write postmortems, draw lessons learned and recommendations for immediate mitigations. Another step that should have been done long ago is to conduct risk assessments for the key government bodies, key infrastructure and large private entities, develop action plans to address them and define bodies responsible for making sure that those plans are implemented.
Digital security expert Ruben Muradyan says the authorities should do more than just write various digital security strategies, which he has seen plenty of in the past 15 years.
“It has been a mess and will remain a mess,” Muradyan says. “Because all our state officials want everything to be great and consider their sole responsibility to say pompous toasts about it and hope that someone does the work for them.”
Pointing to the lack of information about any investigation into the dozens of hacking attacks described above, Muradyan says there needs to be a law about mandatory disclosure to victims when their personal data is compromised, so that they would at least be notified about the breaches.
The digital security expert stresses the need to create conditions for the development of a vibrant cybersecurity community, which can serve the public and private sectors alike. “People need to be able to make money doing cybersecurity, to conduct IT audits, to research bugs and threats. The community needs to be encouraged; new kids should enter the profession. We see none of that now. All we see is a mere festival of enthusiasm,” he explains.
Digital security consultant Samvel Martirosyan also points to the need for legislative changes. “We need to define very clearly what needs to be protected. Critical infrastructure, for example, should be clearly defined and the public and private sector should be tasked with protecting those assets,” he explains.
Both experts also stress the importance of clearly defining the state body responsible for the cybersecurity of the country, something like the Georgian Cyber Center.
The operators of critical infrastructure, big business and medium enterprises should have clearly defined cybersecurity requirements. This would also create demand in the local market for cybersecurity professionals and services and develop the industry.
Last but not least, people need to be educated about cybersecurity, which should be addressed at various levels by creating and enforcing policies and carrying out public information campaigns. Though there is a cost involved, we cannot afford to put it off any longer.