The level of Internet freedom in Armenia in 2020-2021 was seriously affected by three factors. The first is the constant and tough political confrontation between the current government under the leadership of Nikol Pashinyan, who ascended to power as a result of the 2018 revolution, and various political forces directly or indirectly associated with the ruling elites of past years. The second is the processes closely related to COVID-19. And the third factor is the second Karabakh war, whose active phase was in September-November 2020, while the conflict continues to smolder to this day, having an impact on the Internet environment as well.
Hacker attacks against Armenian Internet resources are a permanent phenomenon. Due to the ongoing tensions around Karabakh, for more than two decades Armenian and Azerbaijani hackers have been constantly competing in hacking the websites of the opposite side. Attacks on websites are routine and basically almost regular, with increased waves of attacks on special calendar days. Between March and November 2021, only the Azerbaijani hacker group Azerbaijan Cyber Army reported around 70 hacked Armenian sites[i].
Hacker attacks also tend to intensify during escalations on the line of contact between the Armenian and Azerbaijani troops. During such an escalation of the situation on the line of contact in the south of Armenia, for example, massive attacks on news websites also began. Armtimes.com, previously edited by the incumbent Prime Minister of Armenia Nikol Pashinyan, announced to have been hacked on November 16, at the moment of the start of active hostilities on the border[ii]. Added to that, cybersecurity experts started reporting serious DDoS attacks on news sites, which also began immediately after the border escalation[iii].
State-sponsored hacking groups
Armenian journalists, activists, public and government organizations are increasingly being targeted by state-sponsored hacking groups. As noted above, Azerbaijani hacker groups constantly attack Armenian targets. In the case of Azerbaijan, it is even difficult to distinguish between patriotic groups and those that are directly under state control or are groups immediately in the civil service.
However, within the last few years there has been an increase in extremely complex, comprehensive attacks on Armenian targets, which are carried out by various hacker groups, most likely associated with other states.
Thus, on July 14, 2021, Google’s Threat Analysis Group announced that they had discovered three zero-day vulnerabilities that were used to attack browser users[iv]. Targeted attacks were carried out on users in Armenia. The attackers used domains mimicking the most popular Armenian news websites. Only first-level domains were replaced. The following fake websites were used: lragir[.]org, armradio[.]org, asbares[.]com, armtimes[.]net, armlur[.]org, armenpress[.]org, hraparak[.]org, armtimes[.]org, hetq[.]org. Links to the infected websites were sent to targets by e-mail. At Google they believe that state-sponsored hacking groups participated in the attacks on targets in Armenia.
In parallel, Microsoft also announced about uncovering an attack at the level of zero-day vulnerabilities. And the list of targets also included victims from Armenia[v]. An investigation into the matter by Citizen Lab revealed that the attacks were carried out through the use of a malware developed by Israeli company Candiru. This time Armenian targets received a link to a fake website mimicking Armenpress state news agency. The address of the infected website again represented a complete analogue of the real website with a replaced first-level domain: armenpress[.]net[vi].
On November 24, 2021, a number of users received an alert from Apple that they were victims of an attack by a state-sponsored hacking group. According to CyberHUB-AM group, there are more than ten known cases, although the real number may be higher. Among the potential victims of the attack, which is most likely related to the Pegasus mobile phone malware, there are both pro-government and opposition figures. Artur Vanetsyan, former head of the National Security Service, now the head of “With Honor” opposition parliamentary bloc, openly declared to have received such an email[vii].
Later, well-known cybersecurity expert Ruben Muradyan, referring to the post of Artur Vanetsyan, announced that he had discovered the popular mobile malware Pegasus on Vanetsyan’s phone two months before he received the email[viii].
And already at the end of the year, a particularly significant event took place: Armenia for the first time appeared on the list of countries that benefit from hacker services at the state level. On December 16, Facebook[ix], Citizen Lab[x] reported on the discovery of the activities of Cytrox, a company that, by the order of government agencies in a number of countries, carried out surveillance of various targets using Predator spyware. And the report lists Armenia as a client of the company, separately highlighting that journalists and politicians were among the targets of surveillance.
The main content restrictions for journalists and social media users were in place in 2020. A state of emergency was initially declared in Armenia due to the COVID-19 pandemic in March 2020, which led to restrictions in the press. During 2020, dozens of online media and users were forced to delete publications or were fined[xi]. However, martial law, declared in the country with the start of the Karabakh war on September 27, 2020, was not lifted after the signing of the ceasefire agreement. Only on March 24, 2021 did the National Assembly lift martial law. Despite the fact that already in the post-war period censorship ended, nevertheless, a number of websites continued to face restrictions. During the war, websites belonging to the domain zone of Azerbaijan and Turkey were blocked in Armenia, and TikTok was also blocked for several weeks. At the same time, there was no official announcement on the blocking of sites. In the post-war period, many users were complaining about the inaccessibility of Azerbaijani and Turkish news portals, and some had also problems with TikTok. Armenian providers continued having problems with the accessibility of websites until March-April 2021[xii]. It is also noteworthy that the absence of any serious reaction by civil society towards the fact of blocking is a major concern. It should also be noted that in Armenia there are no traditions for blocking websites.
Persecutions of users
The authorities’ attempt to detect the administrator of the fake Facebook user “Gagik Soghomonyan” may be considered as the most serious incident. This account spreads highly negative information about government representatives, and he does so in an extremely abusive manner. On February 19, the National Security Service detained 4 persons who were suspected of running the fake account. Ex-deputy from the Republican Party of Armenia Karen Bekaryan, former chief of staff of the National Assembly Ara Saghatelyan, representative of “International Center on Development of Parliamentarism” public organization Mher Ayvazyan and citizen Aram Sargsyan[xiii] were detained. Saghatelyan was arrested for 2 months in this case. At the same time, according to the lawyer, the only evidence of his connection with the fake account was the fact of Saghatelyan’s using the same VPN service[xiv].
As a follow-up, in August 2021 the RA National Assembly adopted changes to the Criminal Code, criminalizing insults. Defamation had been decriminalized in the country as part of the fight for freedom of speech and freedom of the press back in 2010. Now, however, everything is going in the opposite direction.
“Grave insult”, that is, swearing, insulting a person in other ways, according to the new article, is punishable by a fine of 100,000 to one million AMD [about $205-2,050]. If the swearing was public or was published on the Internet, was related to the public activities of a person, then the fine will be from half a million to one million AMD [about $1,025-2,050]. And in case of a repeated insult against the same person, the punishment envisages not only a fine, which will be from one to three million AMD [about $2,050-6,150], but also imprisonment from one to three months[xv].
In general, it should be mentioned that in Armenia there have always been rarer restrictions on the Internet than “offline”. At the same time, the years 2020-2021 began to raise concerns that the situation with network freedoms is steadily deteriorating.
[ii] Facebook post of the media about a hacker attack (in Armenian) — https://www.facebook.com/armtimes/posts/2104467383034405
[iii] Warning about attacks by well-known cybersecurity expert Ruben Muradyan — https://twitter.com/RubenMuradyan/status/1460585479284346883
[iv] How we protect users from 0-day attacks, https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
[v] Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware, https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
[vii] Artur Vanetsyan’s Facebook post (in Armenian) — https://www.facebook.com/avav111/posts/4128774197228456
[viii] Ruben Muradyan’s post https://www.facebook.com/ruben.muradyan/posts/4521469627973414
[ix] Threat Report on the Surveillance-for-Hire Industry, 16 Dec 2021, https://about.fb.com/wp-content/uploads/2021/12/Threat-Report-on-the-Surveillance-for-Hire-Industry.pdf
[x] Pegasus vs. Predato, 16 Dec 2021 https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/
[xii] Freedom on the Net, Armenia, 2021. https://freedomhouse.org/country/armenia/freedom-net/2021
[xiv] Freedom on The Net, Armenia, 2021. https://freedomhouse.org/country/armenia/freedom-net/2021
[xv] Freedom of speech in post-revolutionary Armenia is in doubt: what is happening? https://jam-news.net/ru/%D1%81%D0%B2%D0%BE%D0%B1%D0%BE%D0%B4%D0%B0-%D1%81%D0%BB%D0%BE%D0%B2%D0%B0-%D0%B2-%D0%BF%D0%BE%D1%81%D1%82%D1%80%D0%B5%D0%B2%D0%BE%D0%BB%D1%8E%D1%86%D0%B8%D0%BE%D0%BD%D0%BD%D0%BE%D0%B9-%D0%B0%D1%80/