If you follow the media in Armenia, you will get a clear sense that Armenian citizens and organizations come under attack primarily from Azerbaijani and Turkish hackers. From a quantitative perspective, this certainly seems to be true. In the last year alone, hackers from Azerbaijan and Turkey were able to hack several thousand Armenian profiles on Facebook and Instagram. And if we look back over the last 10-15 years, the overriding number of cyber attacks were indeed the work of Azerbaijani and Turkish cyber groups. Until October 2009, when Armenia’s National Security Service (NSS) took over the supervision of Armenia's state cyber space, Azerbaijani hacking groups would collectively attack and breach security networks of official Republic of Armenia and Artsakh state sites. Since the NSS took over, the number of successful attacks decreased drastically.

However, if we look beyond large-scale attacks to the more targeted ones - cyber operations against important state and non-state institutions, as well as individuals - it is possible to highlight a number of well known cases. And behind each of these are state-sponsored hacker groups or even state structures themselves.  

Countries are color coded according to NSA activity in any given month; green for low activity, red for high activity -  in the leaked document, Armenia is yellow, like China yet more active than Russia, which is evidence of significant NSA activity regarding Armenia.

In 2013, Kaspersky Lab’s Global Research & Analysis Team discovered a large scale cyber-espionage network which they called “Red October.” It was able to infiltrate important state and non-state substructures (including diplomatic, governmental and scientific research organizations in different countries, mainly of Eastern Europe and the former USSR) and initiate an elaborate cyber espionage even retrieving deleted files, in case they were of any interest to the creators of the virus.

In its 2014 report titled, “APT28: A Window Into Russia’s Cyber Espionage Operations?” FireEye, an organization that is specialized in information security, exposed the large-scale international activity of a hacker group, with members of the Armenian military among their targets. The report dealt with APT28 or Fancy Bear, the hacker group now famous for its alleged activity during the U.S. presidential elections. This group is considered by many specialists as a Russian state cyber-group, operating in the interest of the Kremlin: “They compile malware samples with Russian language settings during working hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg.” According to the FireEye study, Fancy Bear hackers had created the fake mail.rnil.am phishing site, imitating the Armenian Ministry of Defense mil.am domain and made it possible to “target members of the Armenian military by hosting a fake login page.” It is not clear what damage the hackers have caused Armenia.  

The rnil.am domain is periodically mentioned in different reports, in numerous phishing attacks. For example, it has been used against the Bellingcat organization investigating the downing of the Malaysian Airlines (MH17) aircraft that came down in eastern Ukraine in 2014 in an area controlled by pro-Russian separatists, something Russian authorities were keenly interested in.

In May 2017, the Citizen Lab organization made new discoveries regarding the latest activities of Fancy Bear. This time too, Armenia was on the list of victims. According to the TAINTED LEAKS․ Disinformation and Phishing With a Russian Nexus report, this time the targets were members of the Armenian government and the military. The report states that Armenia was one of the main targets of the phishing attack, with three percent of the attacks being addressed to the Republic (of Armenia). According to available data, high ranking military officials and diplomats are on the list of Armenian victims.