Cyber Incident Victim: Azerbaijan Central Bank

Date: Nov 2015

Location: Azerbaijan

Summary

A cyberattack attributed to the Armenian A.S.A.L.A. group compromised a sub-domain of the Azerbaijan Central Bank, resulting in website defacement and the theft of sensitive customer data including names, email addresses, phone numbers, passwords, and administrative credentials. The attackers publicly leaked the information, which also contained hashed passwords and database records, though the data's disorganized presentation complicated comprehensive analysis. This incident reflects the persistent cyber hostilities between Armenian and Azerbaijani groups, exacerbated by the unresolved Nagorno-Karabakh conflict. The affected sub-domain was subsequently restored following the breach.

Description

On July 2, 2015, Armenian hackers identifying as the Monte Melkonian Cyber Army breached the official website of Azerbaijani customs, exfiltrating highly confidential personal information belonging to 6,650 Azerbaijani citizens. This incident preceded a second attack on November 11, 2015, when hackers from the Armenian A.S.A.L.A. group compromised the Mortgage Fund subdomain (amf.cbar.az) of the Azerbaijan Central Bank. The attackers defaced the website and stole customer data, subsequently leaking the information publicly. The leaked data included banking details, emails, names, phone numbers, passwords, admin login credentials with hashed passwords, and portions of the domain’s database. Attackers provided mirrors of the defaced subdomain as proof of compromise, including links to Zone-H archives. Analysis of the leaked data indicated extensive exposure of customer records, though the disorganized structure of the data dump complicated comprehensive assessment. Both attacks occurred within the context of ongoing cyber hostilities between Armenian and Azerbaijani groups, including a June 2014 incident where Azerbaijani hackers targeted Armenian presidential and ministry websites. These conflicts reflect broader geopolitical tensions stemming from the unresolved Nagorno-Karabakh territorial dispute and the absence of diplomatic relations between the two nations.

The breach of the Central Bank’s Mortgage Fund subdomain resulted in the unauthorized disclosure of sensitive customer and administrative data, directly impacting thousands of individuals whose financial and personal information became publicly accessible. Attackers specifically targeted the amf.cbar.az subdomain, though the compromise did not extend to the Central Bank’s primary systems. Bank administrators restored the subdomain shortly after the incident, bringing it back online by the time media reported the attack. The breach prompted public advisories urging affected customers to contact the bank and report security deficiencies. No additional containment measures, forensic investigations, or attribution efforts beyond the attackers’ self-identification were documented in the available reporting. Historical precedents show a pattern of reciprocal cyber operations between Armenian and Azerbaijani actors, with critical infrastructure and government entities frequently targeted. The 2015 Central Bank incident marked a continuation of this trend, emphasizing persistent vulnerabilities in Azerbaijan’s financial sector web assets during this period.
