Spies hacked Azerbaijan government officials as Nagorno-Karabakh conflict escalated, researchers say

More than 200 people have died in clashes between ethnic Armenian separatists and Azerbaijani government forces over the breakaway region of Nagorno-Karabakh in the last 10 days.

It’s the worst outbreak of violence related to Nagorno-Karabakh since Armenia and Azerbaijan, two former Soviet republics, fought a war over the enclave in the 1990s. And this time, hacking has come with the fighting.

Unidentified spies have in recent weeks been quietly breaching Azerbaijani government IT networks and accessing the diplomatic passports of certain officials, according to new research from Talos, Cisco’s threat intelligence unit.

The Talos data shows how digital espionage often coincides with bursts of violence in modern war. Days after Azerbaijan’s president made a call to mobilize reserve soldiers, the hackers used a fake Azerbaijani government document on the same subject as bait. The malicious code embedded in the document can exfiltrate data from a compromised computer and gives the hackers enduring access to the machine.

The research comes a day after the U.S. and Russia called for a ceasefire in Nagorno-Karabakh, which is governed by ethnic Armenians but recognized under international law as part of Azerbaijan.

The Talos researchers declined to discuss who was responsible for the hacking, or how many Azerbaijani government officials were affected. They called the activity “espionage with national security implications” carried out by a group “with a specific interest in various Azerbaijani government departments.”

“We cannot confirm information regarding [this] particular case of cyber-espionage,” said Asmar Yusifzada, a spokesperson for the Azerbaijani Embassy in Washington, D.C. “Azerbaijan treats the issue of cybersecurity with utmost attention.”

A spokesperson for the Armenian Embassy did not respond to a request for comment.

From Shakespeare to Dostoevsky

The Talos researchers first exposed the espionage group targeting Azerbaijani officials in April, calling their hacking tool “PoetRAT” because the code was littered with literary references. Whereas William Shakespeare was the calling card before, the most recent updates to the code include allusions to Russian writer Fyodor Dostoevsky.

After being outed by Talos, the hackers made PoetRAT harder to detect. They’re now using a common protocol for data exfiltration to try to be inconspicuous.

Warren Mercer, technical leader at Talos, said he expects PoetRAT’s authors to keep changing their code in response to public scrutiny. The research also shows how “there are less barriers to entry to perform cyberattacks,” Mercer said.

A study conducted last year by federal officials and private executives underscores that point.

“The increasing ability to buy cyber tools on a commercial basis allows both nation-state and non-state actors to leapfrog by crossing the line from emerging threat to an established threat quickly,” says the study, which was carried out under a Department of Homeland Security program.