SANDMAN AND FINEPROXY BEHIND THE DDOS ATTACKS AGAINST TIMETV.LIVE is the latest Azeri news site targeted by Denial of Service (DDoS) attacks launched by Sandman threat actor, the attack took place on March 21, 2020. is the latest Azeri news site targeted by Denial of Service attacks. The 21st of March, the website received a Denial of Service attack after the publishing of an article about Mubariz Mansimov, a businessman who has been imprisoned and claims that the arrest was ordered by the head of SOCAR – State Oil Company of Azerbaijan Rovnag Abdullayev and his cousin Anar Alizade. This report focuses on the forensics of the attack in an attempt to attribute the attack.

After reviewing the attack logs of the Denial of Service, Qurium could quickly determine that the attacker was using Fineproxy VPN service to build a botnet to flood the website. Fineproxy provides access to thousand of proxies registered in the name of several associated companies like Region40, Silverstar, Blockchain Solutions etc.

Despite that Fineproxy management claims that their business does not support Denial of Service attacks and “they block them immediately”, this is the forth time in the last twelve months that Qurium has mitigated attacks coming from Fineproxy’s infrastructure. The attacks last for hours and there are no signs that Fineproxy stops this kind of abuse.

Just like many other DDoS attacks we have seen in the past against Azeri media, the attacker monitors the success of the floods using the HostTracker service.

Sandman behind the attacks

Reviewing the logs, we could see IP address 134.19.217{.}249 visiting the website days before the attacks and performing “vulnerability” scans against the website. This IP address is associated with a known threat actor known as Sandman, working in the Ministry of Interior of Azerbaijan, focusing on targeting activists and independent media.

Sandman testing the results of WPScan from the office. – – [17/Mar/2020:06:58:17 -0400] “GET / HTTP/1.1” 200 86081 “” “WPScan v2.9.4-dev (”

On March 18th, the IP address requested the picture /wp-content/uploads/2020/01/C016DA7E-EBEA-4B14-8AE4-C17BF0FA36EC.jpeg from website clicking on a link in a spreadsheet with User Agent: “Mozilla/4.0 (compatible; ms-office; MSOffice 16)”

The picture visited by “Sandman” from his spreadsheet was connected to an article published on January 24 2020.

CERT.AZ asked for content removal

Since late February 2020, the editor of TimeTV has been subject of harassment by the authorities. The media received threats if content was not removed from the news site or the organization’s Facebook page.

The threats included to block the website in the country or incarceration of members of the family or opposition activists. Some of this threats came from an anonymous account in Facebook and two messages were received by WhatsApp.

On February 24th, the Ministry of Transport, Communications and High Technologies via their National CERT ( sent a mail to Fikret Huseynli, editor of TimeTV. The CERT kindly asked for the removal of an article by TimeTV’s journalist Elxan Huseynov about the Minister of communications, Ramin Guluzade. The CERT requested the content removal based on Article 13-2.3.9 of the Law “On information, informing and protection of information”.

According to Article 13.3 of the Law of the Republic of Azerbaijan “On information, informatization and protection of information”, if the relevant information is not taken from the Internet information resources within 8 hours after the warning, restrictions will be imposed on the site and the matter will be appealed to the court.

Article requested to be removed.Conclusion

Our forensics investigation can conclude that “Sandman”, the mysterious cyber-attacker working in the Ministry of Interior of Azerbaijan targeting activists and independent media, used Fineproxy VPN service to launch a Denial of Service attack against TimeTV.

One week before the events, the National CERT contacted the site editor to ask for the content removal of an article related to the Minister of Communications Ramin Guluzade. Additionally, anonymous messages were sent to TimeTV via Facebook and WhatsApp days before the cyberattacks.

The article was published by Qurium’s forensics report: Sandman and Fineproxy behind the DDoS Attacks against TimeTV.Live

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS

window._mNHandle = window._mNHandle || {};
window._mNHandle.queue = window._mNHandle.queue || [];
medianet_versionId = “3121199”;

try {
window._mNHandle.queue.push(function () {
window._mNDetails.loadTag(“762221962”, “300×250”, “762221962”);
catch (error) {}

Pierluigi Paganini

(SecurityAffairs – Sandman, DDoS)