The investigation revealed that both the technical methods used during the attack and the behavioral patterns point to APT29 (“Cozy Bear”) — also known as Midnight Blizzard or the Dukes — a group linked to Russia. This is an organized unit that carries out high-profile cyber operations.
Axar.az reports that Ramid Namazov, chairman of the parliamentary commission on foreign interference and hybrid threats, made this statement while speaking about the cyberattacks carried out against several media outlets on February 20 of this year.
He noted that APT29, a group engaged in cyber espionage, primarily targets government institutions, foreign diplomatic missions, as well as critical sectors such as politics, defense, energy, and media.
“As for their methods, they use various techniques and cyber intrusion tools,” Ramid Namazov said. “One of their key tactics is infiltrating target systems long in advance, establishing a foothold, and then activating when the time is right. It is exactly this method, along with their politically motivated goals, that sets them apart from other cybercriminal groups. According to investigations, on February 20 of this year, the APT29 cyber espionage group fully took over media outlets where they had reportedly been operating covertly for 2–3 years.”
The head of the commission emphasized that the motive behind the attack is clear:
“The motivation stems from the closure of the Russian Information and Cultural Center – Russkiy Dom – on February 3, which was operating in Azerbaijan without legal registration and in violation of legislation. Around the same time, there were also discussions about shutting down the local branch of Rossiya Segodnya (Sputnik). These developments directly triggered this politically motivated cyber intrusion,” said Ramid Namazov.
According to him, steps resembling “false flag” operations were taken — provocative images featuring the logo of the illegal terrorist group “Huseynchiler” and verses from the Quran were placed on the targeted websites in an attempt to mislead and conceal the true source of the attack.