Corruption, Censorship and a Deep Packet Inspection Vendor


Summary

In 2015, the Azerbaijani government purchased specialized security equipment to monitor and block social media during the Baku 2015 European Games. A major corruption scandal in Azerbaijan, involving high-ranking government officials and businessmen with close ties to the government, exposed the ties between corruption, power and information control. As part of our investigation, we learned that the equipment procured for information control in 2015 was bought from the infamous Israeli security company Allot Communications, which got the world’s attention in 2011 when it was caught providing advanced ICT equipment to Iran via a middleman in Denmark. The equipment was procured for no less than 3 million dollars, and the investigation revealed a complex network of bribes and kick-back payments to the actors involved in the tender. As if it were not bad enough to invest government funds in controlling the population's access to information, funds belonging to the people of Azerbaijan ended up in the hands of corrupt government officials and well-connected businessmen.

When the Azerbaijani government enabled the DPI features of the Allot Communications box in March 2017 and blocked some of the major independent media sites in the country, Virtualroad.org began the quest for a solution to circumvent the blocking. One year later, we are proud to announce that thanks to hard work and a negligible budget, we have identified a weakness in the 3 million dollar DPI investment that allows us to circumvent the blocking.

One year after the blocking of azadliq.info, 24saat.org and abzas.net by means of DPI equipment from Allot Communications worth 3 million dollars, the sites are once again reachable to the Azerbaijani population.

PART 1: Infamous Israeli security firm assists in silencing Azerbaijani dissidents

Based on a wide range of public documentation, leaked material, access to similar hardware, study of functional specifications, and analyses of traffic behavior, Qurium is certain that the Azerbaijani government is using DPI equipment from the Israeli company Allot Communications. Allot became known to the international community back in 2011, when it was caught selling a similar product to the authoritarian regime in Iran, despite strict trade sanctions against the country. The purchase was made via a broker in Denmark, who re-labeled the equipment and distributed the boxes to their final destination, as reported in an in-depth article by Bloomberg in 2011.

When looking into the 2015 Azerbaijani corruption scandal over a tender and procurement process for specialized ICT equipment, we found the price tag of the Allot equipment: 3 million USD to silence the dissidents.

 

What does a “3 million dollar” box look like?

Deep Packet Inspection (DPI) technology is able to monitor each individual packet traversing a physical link. Unlike routers and other simpler network devices, DPI technology can look into very specific details of a traffic flow. Many DPI devices are designed and sold to solve “quality of service” problems. For example, a network provider might prefer to speed up certain websites and slow down or block others. In the case of the “Allot Service Gateway”, the hardware offers the possibility to redirect traffic and block specific websites. Allot calls these features: Blocking: WebSafe, DPI SNI, DPI MITM or Monitoring: Clear See.

The Allot Sigma sits in the network “inline”. This means that all the Internet traffic is “traversing” the unit for inspection. The BP-204 blade is designed so that in case of hardware failure or software maintenance the traffic never gets interrupted. In smaller versions of the technology, an external unit known as an “external bypass module” is used.

What is DART?

Each vendor in the DPI industry has its own “sales jargon” to sell similar features. In the case of Allot, they use the name “DART”. According to Allot, DART does not recognize traffic based on common signatures such as IP addresses or port numbers, but inspects the characteristics of the traffic flows to find distinctive traffic patterns.

Their sales representatives claim that DART can properly identify and block malicious traffic and ensure that the network is “clean”. After all, Allot’s motto is:

Allot: Analyze Network & User Behavior – Know it. Control it. Secure it.

The URL Filtering feature is described as “Many countries have declared it illegal to distribute certain types of content over the Internet”.

Understanding DART

Ideally, we would have bought the Allot Sigma platform for testing and evaluation. However, our budget did not allow an expenditure of 572.832 USD (even though shipping was free of charge!). So how did we learn more about DART? It turns out that Allot also sells a non-“carrier grade” platform with DART technology, aka the “NetEnforcer”. The AC-1440 or AC-3000 can be found on eBay for 500 USD.

Sales offer of an Allot Sigma platform for 572.832 USD. Shipping included.

 

The AC-1440 or AC-3000 (aka NetEnforcer) can be found on eBay for 500 USD.

 

PART 2: Follow the money – find the criminals

The story starts in October 2015, when Azerbaijan’s President, Ilham Aliyev, fired his Minister of Communications, Ali Abbasov, weeks after the dismissal of the Minister of National Security, Eldar Mahmudov, and the arrests of high-ranking former security officials. No reasons were given for Abbasov’s dismissal, but we later learned that the General Directorate for Combating Corruption in Azerbaijan filed a criminal case involving dozens of officials from the Ministry of Communications and High Technologies. A press release about the case can be found here. The criminal case involved bribes, kick-backs and arranged tenders. Some of the tenders involved the purchase of specialized ICT equipment used initially to block social media, and later even independent news sites. Some of those news sites were hosted with Qurium, and that is why this court case caught our attention…

One year later (Nov 2016) something unexpected happened. The pro-government news sites qafqazinfo.az and lent.az published key details about the “Ministry of ICT” corruption investigation. Apparently, it was clean-up time within the ministry, and someone had to take the blame.

Pro-government media reporting on the 2.8 million dollar investment in ICT equipment from Allot Communications.

2 million 872 thousand dollars was sent to the account of the Israeli firm “Allot Communications”. The reason for this was the purchase of equipment that the Ministry of National Security had brought in from Israel ahead of the “European Games” in order to monitor conversations through operators in Azerbaijan and Facebook, Viber and Whatsapp correspondence. That is, on the order of the MTN, A. Karimov and MTN employee Riyad went to Israel and met with this company. A. Karimov carried out this work through “AKEY” LLC, which he headed. The technical director of that company, Jamil Abdullayev, gave information about this in his testimony to the investigation and stated that he also took part in the meeting in Israel. After the equipment was purchased and brought into the country, it was installed in Azerbaijan at the companies “Delta Telecom”, “Azertelecom”, “Azercell”, “Bakcell” and “Azerfon”, in a separate room set aside for MTN equipment.

The articles reveal that almost 3 million dollars were paid to “Allot Communications” in Israel for the purchase of equipment for the Baku 2015 European Games. The equipment was intended to monitor the Facebook, Viber and Whatsapp networks and was purchased by the Ministry of National Security (MTN). The articles also reveal that A. Karimov (founder, AKEY) and Jamil Abdullayev (technical director, AKEY) traveled to Israel with “Riyad” from the Ministry of National Security. After the purchase, the “specialized” equipment was installed for the Ministry of Security in a special room on the premises of each of the five operators (Azertelecom, Azercell, Bakcell, Azerfon and Delta Telecom).

 

Who are the key players?

A. Karimov (founder, AKEY)

In December 2015, the Binagadi court in Baku declared Karimov wanted and arrested in absentia as he avoided the investigation.

To get to know Karimov, who plays a key role in the corruption investigation, we have studied reports from State media in Azerbaijan and accessed material from the Offshore Leaks Database provided by ICIJ (International Consortium of Investigative Journalists). We have learned that Karimov’s full name is Ayaz Karimov, and that he is the founder of several companies, including Stellford, Cartburg, Caspian NC and AKEY. Some of his companies act as Internet carriers, such as Caspian Telecom LLC (AS201167), Stellford LLC 2011-2014 (AS41997) and Connect (AS61304). The Offshore Leaks Database provided us with the following information about Karimov and his businesses.

  1. Ayaz Karimov https://offshoreleaks.icij.org/nodes/12104444
  2. Caspian Telecom Ltd. https://offshoreleaks.icij.org/nodes/10119447
  3. Stellford Ltd https://offshoreleaks.icij.org/nodes/219899

According to several news reports, Ayaz Karimov and Anar Mahmudov (son of the former Minister of Security) established the company Cartburg Networks Corp, a subsidiary of Caspian Telecommunication and responsible for channeling money from “awarded tenders”. One of the tenders concerned the provision of international telecommunication services such as telephony over IP with Belarusian Beltelecom in April 2015 and the purchase of Allot Communications equipment for the European Games. This is not the first time that Allot has been involved in cases where its equipment has been used for surveillance. In 2011, the Electronic Frontier Foundation (EFF) exposed the role of Allot’s technology in Iran.

According to Azeri.today there was an inspection of equipment installed and serviced by AKEY LLC employees in Aztelekom LLC, Azercell Telecom LLC and Bakcell LLC. The inspection concluded that the equipment in Aztelekom LLC belonged to Cartburg NC, and the equipment in the other two locations belonged to the Ministry of Security. The equipment in Aztelekom was in station S-12, with an estimated cost of 113,000 USD.

 

Y. Mammadov

Yashar Mammadov worked as a network technician at AKEY and states in his CV and LinkedIn profile that his skills include “Allot Communication Sigma and Tera” and “Network surveillance equipment”.

 

 

Cheat Sheet –  who is who?

In the Ministries

Elmir Velizadeh: (Deputy) Minister of the Ministry of Communications and Technology, frequently participating in ICT events such as Bakutel and the events organized by the Israeli Chamber of Commerce with Allot Communications.

Ali Abbasov: Former Minister of Communications and Technology. Fired in October 2015 before the “Ministry of National Security Corruption Scandal” was made public. Now appointed adviser to the Azerbaijan National Academy of Sciences (ANAS).

Eldar Mahmudov: Minister of National Security, involved in the purchase of ICT equipment channeled via his son’s company “Caspian Telecommunications”.

Vidadi Zeynalov: Former Head of Minister of National Security. Sentenced to 13 years in prison for channeling and benefiting from awarded tenders.

 

In the Tender Network

Anar Mahmudov: Son of the Minister of National Security. Friend of Ayaz Karimov and co-owner of AKEY, the company involved in the purchase of Allot Communications’ DPI equipment.

Ayaz Karimov: Co-owner of AKEY and other offshore ventures such as Internet provider and consultancy Stellford. His company was involved in the purchase of Allot Communications’ DPI.

Jamil Abdullayev: Technical director of AKEY, Voice over IP specialist and technical contact for Stellford and Connect Internet network resources. Now working at YayFon.

Nigar Alizadeh: Accountant of AKEY. Declared that AKEY was working only for Caspian Telecommunications, aka Casptel.

Yashar Mammadov: Technical network engineer of AKEY. Specialized in surveillance and Allot Sigma and Tera Equipment. In 2011-2012 worked as engineer at AzerTelecom in the Surveillance Group.

Manti Effrosyni: Head of Cartburg Networks, a subsidiary of Caspian Telecommunications that offers telephony services to Belarus. Manti Effrosyni is a director of several offshore companies, as reported here.

The illustration shows the main actors in the corruption scandal, their relationships and connections to the Azerbaijan government or private companies.

Follow the money, find the kickbacks and bribes

According to the information released by State media in Azerbaijan, Cartburg was channeling most of the money. According to an article by Azer Tac, Cartburg was already known as a subsidiary of Caspian Telecommunications. Cartburg received 90 million USD from three sources and forwarded it to at least six different players, of which Allot was one. AzInTelecom seems to have received most of the funds (82 million USD). The smaller amounts (<200,00 USD) are likely to be kickbacks.

AzInTelecom LLC was funded in 2015 for the provision of voice traffic exchanged between Azerbaijan and foreign countries, certification of telecommunication equipment imported into Azerbaijan, and infrastructure as a service in their Tier III data center.

Documented financial flows in the corruption scandal.

Part 3: Circumvention of DPI blocking

Background

Azadliq.info reached out to Virtualroad.org in 2014, after being the target of numerous digital attacks that brought them offline time after time. Since then, Virtualroad.org has been fighting countless digital attacks, ranging from large and multi-vector DDoS attacks to penetration tests, brute-force attacks, and throttling of traffic. Over all these years, with financial means that are a fraction of what the authorities invest in fighting independent media, we have successfully defended independent media in Azerbaijan. This must presumably have caused great annoyance for the Azerbaijani authorities.

On Mar 27, 2017, the Electronic Security Center at the Ministry of Communications made a final attempt to silence the online dissidents once and for all. By means of the (Allot) DPI equipment that had earlier been procured to control the population during the 2015 Baku European Games, the authorities instructed the upstream providers to block access to the four main independent media sites in the country, namely Azadliq.info, Azadliq.org, Meydan.tv and Abzas.net. The following month, more independent media were added to the list of blocked sites. Shortly after (May 12, 2017) the Sabail court approved the blocking on the pretext that “legitimate interests of society and the state were violated”.

As a response to the government’s attempt to block access to the media sites, Virtualroad.org implemented a mirror solution that circumvents the blocking by means of domain-fronting. One week after the blocking was implemented, Azadliq.info was once again reachable to the Azerbaijani population.

During the following month, Virtualroad.org implemented domain co-hosting for three more Azerbaijani sites, namely Abzas.Net, 24saat.org and Azerbaycan Saati. All four news sites have since then been mirrored in real time in Google Cloud Storage and can be reached from: https://storage.googleapis.com/qurium/index.html

 

One year later

One year after the DPI blocking took place, Virtualroad.org is illustrating how censorship is directly linked to corruption and bribery and how vendors of security solutions, such as Allot Communications, benefit from such repressive environments.

One year after the government formally began blocking independent media sites by means of DPI equipment, our year-long quest to find a means of circumventing the blocking has reached an end. By taking advantage of weaknesses in the DART design, the DPI blocking could be circumvented. Budget? In-house skills and 500 USD.

One year after the blocking, azadliq.info, 24saat.org and abzas.net are finally back where they should be: reachable to the Azerbaijani population.

 

Where there is a will, there is a way. If there is a chance in a million that you can do something, anything, to keep what you want from ending, do it.
Pry the door open or, if need be, wedge your foot in that door and keep it open.

Pauline Kael

We wedged.

Increase of traffic towards azadliq.info after DPI bypass was implemented. Orange graph shows traffic before DPI was circumvented. Blue graph shows traffic after the DPI was circumvented.

 

Follow the money – and you find international support

Many people, including the Azerbaijani authorities, wonder who is funding our tireless efforts to protect and support Azerbaijani independent media. One thing should be clear though, none of our eight hosted media sites from Azerbaijan has ever been charged for our services. On their behalf, we have over the years received financial support from the Digital Defenders Partnership, Access Now, Open Tech Fund  and International Media Support to support independent media in Azerbaijan.

 

Timeline – Blocking and circumvention

[Mar 27, 2017] Azadliq.info is blocked by means of DPI provided by Allot Communications.
[Mar 27, 2018] Qurium’s anti-DPI hosting platform circumvents the blocking of Azadliq.info.
[Apr 2, 2018] Qurium’s IP space is blocked by all Azerbaijani upstream providers.
[Apr 4, 2018] The independent media sites abzas.net and 24saat.org are migrated to the Anti-DPI hosting platform. The sites are once again accessible from Azerbaijan.

AzInTelecom Data Center in Baku.

[Apr 5, 2018] AzInTelecom launches a WordPress pen testing attack against Azadliq.info. The attack comes from 185.96.126.12, Palo Alto device Global Protect (ra.azintelecom.az). In 2015, AzInTelecom opened its largest data center in Baku, built with the support of the United Nations Development Program (UNDP).
[Apr 5, 2018] As a result of the IP based blocking, the three circumvented websites (azadliq.info, 24saat.org, abzas.net) have been reallocated (changed IP address) 12 times during the past 24h.
[Apr 6, 2018] Azadliq.info receives a targeted pen testing attack from 185.232.22.152.

 

Timeline and References

30 March – 3 April 2015 The official visit of the delegation Ministry ICT of Belarus
http://beltelecom.by/en/news/company/the-official-visit-of-the-delegation-of-the-ministry-of-communications-and-informatizat

12-28 June 2015 European Games in Baku
http://www.iacci.org.il/portfolio/bakutel-2014/

22-24 of July 2015. IACCI Israel Mission in Baku
https://www.facebook.com/iacci.org.il/posts/876748262420029

19 October 2015 Azerbaijan’s president fires security minister
https://www.reuters.com/article/us-azerbaijan-minister-dismissal/azerbaijans-president-fires-security-minister-idUSKCN0SD15920151019
http://www.intellinews.com/caucasus-blog-rumours-fly-after-azerbaijan-security-purge-81653/

17 November 2015 Delta Telecom: “Data Center caught fire”
http://en.apa.az/azerbaijan-economy/infrastructure/delta-telecom-data-center-caught-fire.html

2 – 5 December 2015 BakuTel 2015

6 December 2015 Baku’s Binagadi district passed a decision to prosecute Karimov (AKEY)

20 March 2016 UK Government about the business partner of his son Eldar Mahmudov
https://euroasia-news.com/2016/03/20/6324/

22 November 2016 Investigation Suspended
http://en.apa.az/azerbaijani-news/accidents-incidents-news/investigation-into-criminal-case-of-business-partner-of-ex-azerbaijani-minister-s-son-suspended.html

23 November 2016 Eldar Mahmudov transferred 10 million dollars to his son's company
http://news.lent.az/news/260333
http://www.azadliq.az/xeber/98909/eldar-mahmudov-oglunun-sirketine-10-milyon-dollar-kocurub-yenil%C9%99nib/
https://news.day.az/azerinews/842167.html
http://brifinq.com/news/social/34103-mahmudovun-misasi-haqda-milyonluq

23 November 2016 Why did Mahmudov buy a 2.8 million listening device?
http://qafqazinfo.az/news/detail/mahmudov-2-8-milyonluq-dinleme-cihazini-niye-alib-167624

23 November 2016 Trial of Azerbaijani ministry's ex-official proceeds
http://m.apa.az/en/azerbaijani-news/accidents-incidents-news/trial-of-azerbaijani-ministry-s-ex-official-proceeds-4027

24 November 2016 Makhmudov’s million facts about MISA
https://news.milli.az/country/492687.html

2 December 2016 Accused: “I gave Vidadi Zeynalov 300,000 dollars every month”
https://www.amerikaninsesi.org/a/rabite_isi/3620260.html

23 December 2016 Witness Testimonies Reveal Fascinating Facts in Former ICT Ministry Officials’ Trial
https://www.irfs.org/news-feed/witness-testimonies-reveal-fascinating-facts-in-former-ict-ministry-officials-trial/

6 January 2017 Trial of Ex-Officials of ICT Ministry
https://www.irfs.org/news-feed/trial-of-ex-officials-of-ict-ministry-defendant-denies-witness-account/

27 March 2017 Azadliq.info blocking. Specialized hardware is deployed.

28 March 2017 Interpol and Ayaz Karimov.
https://www.youtube.com/watch?time_continue=1&v=lTjQh9kLnQg

4 May 2017 Qurium’s DPI fingerprint project starts.

27 July 2017 Former directors of Aztelekom and Azintelekom released.
http://kaspi.az/en/former-directors-general-of-aztelekom-and-azintelekom-llc-released
https://www.contact.az/ext/news/2017/7/free/Social/en/64405.htm

28 July 2017 Former Official of Ministry of Comm. and High Tech. Receives 13 Years.
https://www.meydan.tv/en/site/society/24392/

21 December 2017 Court Dismisses Complaint of Blocked Websites.
https://www.irfs.org/news-feed/court-dismisses-complaint-of-blocked-websites/

27 March 2018 Anti-DPI hosting platform released hosting Azadliq.info.

2 April 2018: Qurium’s IP space gets blocked.

4 April 2018: The independent media sites abzas.net and 24saat.org are added to the Anti-DPI hosting platform.

5 April 2018: AzInTelecom launches a WordPress pen testing attack against Azadliq.info. The attack comes from 185.96.126.12, Palo Alto device Global Protect (ra.azintelecom.az). In 2015, AzInTelecom opened its largest data center in Baku, built with the support of the United Nations Development Program (UNDP).

5 April 2018: The circumvented websites (Azadliq.info, 24saat.org, abzas.net) have been reallocated 12 times during the past 24h.

6 April 2018: Pen testing targeted attack from 185.232.22.152.