Sandman and Fineproxy behind the DDOS attacks against timetv.live


Timetv.live is the latest Azeri news site targeted by Denial of Service attacks. On the 21st of March, the website was hit by a Denial of Service attack after publishing an article about Mubariz Mansimov, a businessman who has been imprisoned and claims that his arrest was ordered by the head of SOCAR (State Oil Company of Azerbaijan), Rovnag Abdullayev, and his cousin Anar Alizade. This report focuses on the forensics of the attack in an attempt to attribute it.


After reviewing the attack logs of the Denial of Service, Qurium could quickly determine that the attacker was using the Fineproxy VPN service to build a botnet to flood the website. Fineproxy provides access to thousands of proxies registered in the name of several associated companies such as Region40, Silverstar, Blockchain Solutions, etc.

Although Fineproxy management claims that their business does not support Denial of Service attacks and “they block them immediately”, this is the fourth time in the last twelve months that Qurium has mitigated attacks coming from Fineproxy’s infrastructure. The attacks last for hours and there are no signs that Fineproxy stops this kind of abuse.

Just like many other DDoS attacks we have seen in the past against Azeri media, the attacker monitors the success of the floods using the HostTracker service.

Sandman behind the attacks

Reviewing the logs, we could see IP address 134.19.217{.}249 visiting the website days before the attacks and performing “vulnerability” scans against it. This IP address is associated with a threat actor known as Sandman, working in the Ministry of Interior of Azerbaijan and focusing on targeting activists and independent media.

Sandman testing the results of WPScan from the office.
134.19.217.249 - - [17/Mar/2020:06:58:17 -0400] "GET / HTTP/1.1" 200 86081 "http://timetv.live/" "WPScan v2.9.4-dev (http://wpscan.org)"

On March 18th, the IP address 134.19.217.249 requested the picture /wp-content/uploads/2020/01/C016DA7E-EBEA-4B14-8AE4-C17BF0FA36EC.jpeg from the timetv.live website by clicking on a link in a spreadsheet, with User Agent: “Mozilla/4.0 (compatible; ms-office; MSOffice 16)”

The picture visited by “Sandman” from his spreadsheet was connected to an article published on January 24 2020.
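
The log review described in this section can be repeated with a short triage script. The following is an added example, not Qurium's tooling: it tags requests by the two user agents named above and lists the source IPs that showed them before the flood. The attack start time and every sample line except the first are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined Log Format: ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# User-agent markers named in the report: the WPScan scanner and the Office link click.
UA_TAGS = {"scanner": re.compile(r"WPScan", re.I),
           "office-link-click": re.compile(r"ms-office", re.I)}

def parse(line):
    """Return the fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def recon_before(lines, attack_start):
    """Map each source IP to the tagged requests it made before attack_start."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["time"] >= attack_start:
            continue
        for tag, pattern in UA_TAGS.items():
            if pattern.search(rec["ua"]):
                day = rec["time"].date().isoformat()
                hits[rec["ip"]].append((day, tag, rec["path"]))
    return dict(hits)

# Assumption: the report gives only the date of the flood, so midnight UTC is used.
ATTACK_START = datetime(2020, 3, 21, tzinfo=timezone.utc)

# First line is quoted in the report; the others are constructed for this example
# (192.0.2.10 is a documentation address; times, statuses and sizes are made up).
SAMPLE = [
    '134.19.217.249 - - [17/Mar/2020:06:58:17 -0400] "GET / HTTP/1.1" 200 86081 "http://timetv.live/" "WPScan v2.9.4-dev (http://wpscan.org)"',
    '134.19.217.249 - - [18/Mar/2020:09:12:40 -0400] "GET /wp-content/uploads/2020/01/C016DA7E-EBEA-4B14-8AE4-C17BF0FA36EC.jpeg HTTP/1.1" 200 51234 "-" "Mozilla/4.0 (compatible; ms-office; MSOffice 16)"',
    '192.0.2.10 - - [18/Mar/2020:10:01:02 -0400] "GET / HTTP/1.1" 200 86081 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    for ip, events in recon_before(SAMPLE, ATTACK_START).items():
        print(ip, events)
```

An IP that appears under both tags in the days before an attack is worth checking against the flood traffic and any prior threat reports.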

CERT.AZ asked for content removal

Since late February 2020, the editor of TimeTV has been subjected to harassment by the authorities. The media outlet received threats of what would follow if content was not removed from the news site or the organization’s Facebook page.

The threats included blocking the website in the country or incarcerating members of the family or opposition activists. Some of these threats came from an anonymous account on Facebook and two messages were received via WhatsApp.

On February 24th, the Ministry of Transport, Communications and High Technologies, via their National CERT (cert.az), sent a mail to Fikret Huseynli, editor of TimeTV. The CERT kindly asked for the removal of an article by TimeTV’s journalist Elxan Huseynov about the Minister of Communications, Ramin Guluzade. The CERT requested the content removal based on Article 13-2.3.9 of the Law “On information, informing and protection of information”.

In the article titled “A fight has broken out in the Ministry of Transport and Communications”, published on the internet information resource www.timetv.live, information that is untrue, of an insulting or defamatory nature, and that violates the inviolability of private life was published in gross violation of the requirements of Article 10 of the Law of the Republic of Azerbaijan “On Mass Media” and Article 13-2.3.9 of the Law of the Republic of Azerbaijan “On information, informatization and protection of information”.

According to Article 13.3 of the Law of the Republic of Azerbaijan “On information, informatization and protection of information”, if the relevant information is not removed from the internet information resource within 8 hours after the warning, restrictions will be imposed on the operation of the site and the matter will be taken to court.

Article requested to be removed.

Conclusion

Our forensic investigation concludes that “Sandman”, the mysterious cyber-attacker working in the Ministry of Interior of Azerbaijan and targeting activists and independent media, used the Fineproxy VPN service to launch a Denial of Service attack against TimeTV.

One week before the events, the National CERT contacted the site editor to ask for the removal of an article related to the Minister of Communications, Ramin Guluzade. Additionally, anonymous messages were sent to TimeTV via Facebook and WhatsApp days before the cyberattacks.