Russian intelligence services were behind the largest hybrid attack on Azerbaijan, which took place in February 2025. Hackers crippled the country’s media infrastructure, attempted to destroy key systems, and incited social and political instability using tools of cyberwarfare and psychological pressure, according to Aze.
Experts report that the attackers changed critical SSH access keys, effectively locking out administrators and seizing control of the systems. Centralized management networks and auxiliary systems were also compromised. Ransomware was deployed to encrypt numerous computers, disabling administrative access entirely. Hackers infiltrated backup systems, erased data, and in some cases even tried to physically destroy media infrastructure.
According to information cited by the portal Minval, this wasn’t merely a cyberattack, but a full-scale hybrid operation. Alongside IT sabotage, a TDoS (Telephony Denial of Service) assault was launched, overwhelming government officials and public figures with spoofed calls generated using masking and auto-dialing technologies. Experts compared the scale and intensity of the assault to a form of telephone terrorism.
Given the scope and consequences, Azerbaijani authorities have launched a comprehensive investigation. With ongoing national digitalization and e-governance initiatives, cybersecurity is a top priority. The breach of media infrastructure is particularly dangerous, as it opens the door to disinformation capable of inciting panic and confusion. Today it’s the media — tomorrow it could be the police, ASAN service, or other vital institutions.
The attackers failed to remain hidden. Azerbaijani specialists tracked the intrusion using log analysis, malware behavior monitoring, and hacker activity profiling. The investigation revealed that state-level resources were used in the attack — this wasn’t an ordinary cybercrime. All evidence points to a deliberate operation planned by a government body. IP addresses and domains involved in the breach were previously linked to Russian intelligence operations.
Experts concluded that the cyberattack was carried out by APT29 (Cozy Bear) and APT28 — groups long associated with Russian intelligence. Some digital indicators point directly to Moscow, with IP addresses geolocated near buildings belonging to the FSB, GRU, and SVR, just minutes from the Kremlin. One address was registered only a 13-minute walk from Red Square.
It was also determined that the ultimate objective was the complete dismantling of Azerbaijan’s media systems. The attack was psychological in nature, aiming to spread fear and destabilize society. Notably, the operation had been in preparation for two to three years.
Additional findings highlight the political motives: many of the targeted Azerbaijani media outlets were already blocked in Russia by Roskomnadzor, accessible only via VPN from within Russia — ruling out the claim of defending Russian information space. Furthermore, the timeline confirms the operation wasn’t triggered by the investigation into the AZAL flight crash, which Azerbaijani authorities suspect was shot down by Russian air defenses near Grozny. The attack had been planned long before that incident.