“Sandman” attacks again – targets Azeri feminist activist



Gulnara Mehdiyeva is an Azeri feminist activist, known for organizing the Women’s march in Baku on the International Women’s Day (March 8). During the first week of March 2020, Gulnara discovered that her Gmail, Telegram, Facebook and Instagram accounts were all compromised.

The forensic analysis of the attacks leads to “Sandman”, a state-sponsored attacker fully dedicated to compromising human rights activists and independent journalists. “Sandman”, working for the Ministry of Interior of Azerbaijan, was uncovered by Qurium in February 2020.

This report summarizes the findings of the attacks against Gulnara Mehdiyeva and links the outcome with previous forensics reports.



Once the attacker gained access to Gulnara’s accounts, he logged into her Facebook account, deleted her 8,000 members and started to prepare a 2GB downloadable bundle with all her account contents since January 2010 (Image 1).

During our forensic investigation, Qurium found that the attacker used the Bakcell IP address 5.44.37{.}131 to gain access to her Telegram account and attempted to access Google Mail from 134.19.217{.}249 (Images 2 and 3).

The IP address 134.19.217{.}249 (from Azertelecom) has previously been linked to the Ministry of Interior of Azerbaijan and to the accounts man474019 on AntiChat and sandman4812av on GitHub.

The victim discovered that her Facebook account was compromised when she started to receive “Password Reset Codes” on her mobile phone. Facebook sends these codes to the phone associated with an account when someone tries to change the account password (Image 4).
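As an added example (not part of Qurium’s report), the following Python re-fangs the two indicators given above and checks account-activity records against them, so that a defender reviewing a victim’s sign-in history can flag sessions from the reported addresses. The log line format and the sample events are constructed assumptions, not data from the investigation.

```python
import ipaddress
import re

# Indicators from the report, kept in the report's defanged "{.}" notation.
REPORT_INDICATORS = {
    "5.44.37{.}131": "Bakcell; used to access the Telegram account",
    "134.19.217{.}249": "Azertelecom; attempted Gmail access, previously linked to Sandman",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '5.44.37{.}131' back into '5.44.37.131'."""
    return indicator.replace("{.}", ".").replace("[.]", ".")

def indicator_set() -> dict:
    """Map re-fanged, validated IP addresses to their description."""
    known = {}
    for defanged, note in REPORT_INDICATORS.items():
        ip = str(ipaddress.ip_address(refang(defanged)))  # raises ValueError on a malformed indicator
        known[ip] = note
    return known

# Constructed sample of account-activity lines (hypothetical format:
# timestamp, service, event, source IP). Not taken from the report.
SAMPLE_EVENTS = """\
2020-03-02T08:14:02Z telegram new_session 5.44.37.131
2020-03-02T09:30:45Z gmail sign_in_attempt 134.19.217.249
2020-03-02T10:02:11Z gmail sign_in 203.0.113.7
2020-03-03T21:17:59Z facebook password_reset_code_sent 198.51.100.23
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def match_events(text: str) -> list:
    """Return every event whose source IP is one of the report's indicators, in log order."""
    known = indicator_set()
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected four-field layout
        ts, service, event, src = m.groups()
        try:
            src_ip = str(ipaddress.ip_address(src))
        except ValueError:
            continue  # source field is not an IP address
        if src_ip in known:
            hits.append({"time": ts, "service": service, "event": event,
                         "ip": src_ip, "note": known[src_ip]})
    return hits

if __name__ == "__main__":
    for h in match_events(SAMPLE_EVENTS):
        print(f"{h['time']} {h['service']:<9} {h['event']:<18} {h['ip']:<16} {h['note']}")
```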

Supporting documentation

Image 1: Screenshot from Gulnara’s Facebook account. A bundle of 2GB Facebook data from a decade of activity had been prepared by the attacker.
Image 2: Screenshot from Gulnara’s Gmail account. Gmail reports an attempt to access her account from 134.19.217{.}249.
Image 3: Screenshot from Gulnara’s Gmail account. Gmail reports an attempt to access her account from 134.19.217{.}249.

Image 4: Password Reset Codes sent by Facebook to the victim’s phone.