Cyber Threat Actor: Anti-Armenia Team

The Anti‑Armenia Team is a self‑described independent hacktivist group that operates from Azerbaijan and has been active for at least five years according to its own statements. The group’s activities are framed within the broader Nagorno‑Karabakh conflict between Azerbaijan and Armenia, and it presents itself as a retaliatory force against Armenian cyber actors. No public evidence links the group to a state sponsor or a criminal consortium; its members describe themselves as acting independently.

The group’s typical targets are Armenian governmental and diplomatic entities, including ministries, presidential offices, national security services, and permanent missions to international organizations such as NATO, the OSCE and the United Nations. It has also compromised the Twitter account of the Russian Embassy in Armenia to disseminate political messages. Observed objectives include disrupting online services through website defacement, leaking sensitive data such as passport scans and internal analytical reports, and spreading propaganda that highlights Azerbaijan’s military capabilities. These actions appear intended to convey political statements rather than to generate financial gain.

Reported tactics involve defacing web pages with propaganda images and videos, hijacking social media accounts to post opposing viewpoints, and exfiltrating documents from government servers. In the 2016 leak of Armenian National Security Service material, security experts suggested the data may have been obtained through a compromised insider rather than a direct technical intrusion, indicating a possible reliance on credential abuse. The group restores access after delivering its messages, as seen when it returned control of the compromised Twitter account. No specific malware families or custom tooling are mentioned in the open sources.

Representative operations include the September 2016 disclosure of Armenian security service documents, the April 2016 takeover of the Russian Embassy’s Twitter account to post protest messages, and the January 2016 coordinated defacement of Armenian diplomatic websites across roughly forty countries. Earlier activities such as the June 2014 defacement of the Armenian presidential site and the January 2014 alteration of dozens of government ministry pages demonstrate a recurring pattern of politically motivated cyber actions. The Anti‑Armenia Team remains identified solely by its alias and its asserted independence, with no further attribution details publicly available.