New details are emerging about a cyberattack carried out on Azerbaijani media platforms at the end of February 2025, reportedly on the orders of Russian intelligence services. Experts explain that the hackers managed to alter the SSH access keys on the servers (the keys that decide who may log in), effectively locking out the system administrators. At the same time there was interference in the centralized management systems and several other networks. Some computers were encrypted with ransomware, leading to a complete shutdown of the control system. The backup storage systems were also compromised, and all stored data deleted. Attempts were even made to destroy the technical infrastructure of the media outlets outright.
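One check a practitioner would want after an incident of the kind described above is a comparison of each host's authorized_keys entries against a known-good snapshot: it surfaces a key that was added, an administrator's key that was removed (the lockout), and a key whose restrictions were loosened, which is the kind of change that opens a path to the backup hosts. The following is an added example, not code from the article or from the investigators it cites; the key blobs are synthetic (wire-format ed25519 structures around made-up bytes, not real keys) and the "baseline" and "current" strings stand in for files such as /root/.ssh/authorized_keys captured before and after the incident.

```python
"""Audit OpenSSH authorized_keys content against a known-good baseline.

Constructed example: the key blobs are synthetic and the BASELINE/CURRENT
strings stand in for authorized_keys files captured before and after an
incident. Fingerprints follow the SHA256:<base64> form printed by
`ssh-keygen -lf`, so they can be compared with real tooling.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


@dataclass(frozen=True)
class AuthorizedKey:
    options: str      # e.g. 'from="10.0.0.0/8",command="/usr/bin/x"' or ''
    key_type: str
    fingerprint: str  # "SHA256:" + 43 base64 chars, as ssh-keygen prints it
    comment: str


def fingerprint(blob: bytes) -> str:
    """SHA-256 fingerprint of a decoded public-key blob, unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # The first token that is a key type separates the optional
        # options field from the key itself. Good enough unless a quoted
        # option (e.g. command="...") itself contains a key-type string.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            raise ValueError(f"unparseable authorized_keys line: {raw!r}")
        blob = base64.b64decode(tokens[idx + 1], validate=True)
        keys.append(AuthorizedKey(
            options=" ".join(tokens[:idx]),
            key_type=tokens[idx],
            fingerprint=fingerprint(blob),
            comment=" ".join(tokens[idx + 2:]),
        ))
    return keys


def diff_authorized_keys(baseline: str, current: str) -> dict[str, list[AuthorizedKey]]:
    """Keys added, keys removed, and keys whose restrictions changed."""
    base = {k.fingerprint: k for k in parse_authorized_keys(baseline)}
    cur = {k.fingerprint: k for k in parse_authorized_keys(current)}
    return {
        "added": [cur[f] for f in sorted(cur.keys() - base.keys())],
        "removed": [base[f] for f in sorted(base.keys() - cur.keys())],
        # same key, different options: e.g. a from="..." or command="..."
        # restriction silently dropped
        "options_changed": [cur[f] for f in sorted(cur.keys() & base.keys())
                            if cur[f].options != base[f].options],
    }


# ---- constructed sample data (not real keys) ------------------------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def synthetic_ed25519(seed: int) -> str:
    """Base64 of a wire-format ed25519 public key built around fake bytes."""
    fake_point = bytes((seed + i) % 256 for i in range(32))
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(fake_point)).decode()


ADMIN_KEY = synthetic_ed25519(1)
BACKUP_KEY = synthetic_ed25519(2)
ROGUE_KEY = synthetic_ed25519(3)

BASELINE = f"""# root authorized_keys, known-good snapshot (constructed)
ssh-ed25519 {ADMIN_KEY} admin@workstation
from="10.0.0.0/8",command="/usr/local/bin/backup-pull" ssh-ed25519 {BACKUP_KEY} backup@nas
"""

# After the incident: admin key gone (lockout), unknown key added, and the
# backup host's key lost its from=/command= restrictions.
CURRENT = f"""ssh-ed25519 {ROGUE_KEY} root@localhost
ssh-ed25519 {BACKUP_KEY} backup@nas
"""


if __name__ == "__main__":
    for kind, entries in diff_authorized_keys(BASELINE, CURRENT).items():
        for k in entries:
            print(f"{kind:16s} {k.fingerprint}  {k.comment!r}  options={k.options!r}")
```

In a real deployment the baseline would come from configuration management or a signed inventory, and the comparison would run from a host the attacker has not touched, since a compromised server can present a clean authorized_keys file to a local check.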
According to reliable sources cited by Minval, this was not merely a cyberattack—Azerbaijan was subjected to one of the most extensive hybrid attacks ever recorded. Targeted TDoS (Telephony Denial of Service) attacks were detected during that time. Countless calls were made to the phones of public officials and prominent figures, mostly from fake numbers using spoofing technology and automatically generated phone lines. The scale and intensity of the calls amounted to a form of phone terrorism.
Given the magnitude of the attack, an investigation was inevitable. Azerbaijan has successfully implemented a digitalization and e-government program and cannot afford to treat cybersecurity lightly. A breach of media systems is far more dangerous than it may appear—it allows for the spread of disinformation that can incite panic and confusion. Tomorrow, it could be police databases, ASAN services, or other critical systems that are compromised.
Perhaps some of the masterminds behind this "malicious interference" believed the attack would be untraceable. But in reality, "digital footprints" are always left behind. Azerbaijan used various methods to detect them: analyzing system logs, the behavior of the software used, and the actions of the hackers themselves. This revealed that the operation had been prepared and executed using state-level IT resources. This was no random cybercriminal act but a meticulously orchestrated operation by a state agency. The IP addresses and domains used in the attack had prior links to Russian government institutions, including intelligence agencies. Based on the technical methods and the hackers' behavior, the attack is attributed to the APT29 ("Cozy Bear") and APT28 groups, both believed by international experts to be tied to Russian intelligence. Many indicators point directly to Russia, including IP addresses geolocated in a Moscow district near Kremlin-linked buildings such as the FSB, the GRU, the SVR and other intelligence agencies. For example, one IP address (185.1X.X.X) was registered just a 13-minute walk from Red Square. It should be said that a registrant address or a geolocation database entry shows where an address block is registered, not where its operator sits, so on their own such indicators are weak evidence; the attribution rests primarily on the infrastructure overlaps and the tradecraft described above.
Further revelations suggest that the ultimate goal of the attack was to dismantle Azerbaijan’s media infrastructure. The cyber operation aimed to spread fear and destabilize the public’s psychological well-being—a classic motive for targeting media outlets. What’s most intriguing is that this operation had reportedly been ongoing in secret for 2–3 years.
Here are some important details: many of the targeted media outlets had already been blocked by Roskomnadzor (nicknamed "Roskomshame") and thus were not even accessible to a Russian audience, except via VPN. This undermines the theory that the aim was to shield Russian citizens from foreign content. More importantly, the timeline now shows that this was not a spontaneous reaction to Azerbaijan's firm stance on investigating the AZAL passenger flight allegedly shot down by Russian air defense near Grozny. In fact, the cyberattack had been in preparation for two or three years, long before that incident.
The timeline is critical. In February 2022, Azerbaijan and Russia signed the Declaration on Allied Interaction in Moscow, pledging mutual respect for sovereignty, territorial integrity, and non-interference in internal affairs—including refraining from hostile media campaigns and supporting separatist movements.
Yet it appears that around the same time, Moscow began preparing cyberattacks aimed at “detonating” the socio-political situation in Azerbaijan.
Whether or not cyberattacks should be considered acts of war, as some international experts argue, one thing is clear: such actions have nothing to do with friendship, cooperation, good neighborliness, or allied relations. Ultimately, Russian state-sponsored hackers failed to destabilize Azerbaijan, but they severely undermined the credibility of the Declaration on Allied Interaction—with serious reputational consequences for Russia.