The NSS Document Portal: Armenia's Security Agency Has a Signup Page

NSS E-DOCUMENTSOFFICIAL PORTAL AT DOCS.SNS.AM

INTERNET-FACINGACCESSIBLE FROM ANY BROWSER WORLDWIDE

SIGNUP PAGEPUBLIC REGISTRATION AT /SIGNUP

SINCE 2019100+ WAYBACK MACHINE CAPTURES

The Discovery

OSINT VERIFIED OWL began with a standard certificate transparency audit of Armenian government domains using crt.sh -- the public database that logs every TLS certificate ever issued. When we queried *.sns.am (the domain of Armenia's National Security Service), the results were not what you would expect from a secretive intelligence agency. The certificates revealed a constellation of public-facing subdomains -- including one that should not exist on the open internet at all.

The domain docs.sns.am returned a valid TLS certificate. We checked the Wayback Machine CDX API. Over 100 captures dating back to June 2019. The page title, rendered in Armenian: HAYASTANI HANRAPETOUTYOUN AZGAYIN ANVTANGOUTYAN TSARAYOUTYOUN -- the Republic of Armenia National Security Service. Below it: "NSS E-Documents."

Armenia's most powerful security agency -- the one that arrests archbishops, raids the Mother See of Holy Etchmiadzin, and opens criminal cases against the Catholicos -- operates a document management system on the public internet. With a login page. With a signup page. With a password recovery feature.

What Is Exposed

CONFIRMED The docs.sns.am portal presents a full authentication interface:

Email/password login with CAPTCHA verification
Signup page at /signup -- a public registration form for a national security document system
ID card authentication -- integration with Armenian national ID cards for identity verification
Password recovery -- a "forgot password" feature, meaning the system stores and can reset credentials

Let that sink in. The National Security Service -- the direct successor to the Soviet KGB in Armenia -- has a document portal where the signup page is reachable by anyone with a web browser. The password recovery mechanism means that if credentials are compromised, an attacker has a built-in pathway to take over accounts. The CAPTCHA is the only visible barrier between the open internet and the NSS document system.

This is not a public information portal. This is not a press page. The name says it: E-Documents. This is where NSS personnel manage internal documentation -- and it faces the entire internet.

The SNS Infrastructure Map

CERTIFICATE TRANSPARENCY The certificate transparency audit and Wayback Machine sweep revealed five subdomains under sns.am, each exposing a different piece of the NSS digital infrastructure:

SNS.AM -- National Security Service Infrastructure Map
    |
    +-- docs.sns.am
    |       |-- NSS E-Documents portal
    |       |-- Login + Signup + Password Recovery
    |       |-- ID card authentication
    |       +-- 100+ Wayback captures since June 2019
    |
    +-- matrix.sns.am
    |       |-- Matrix protocol encrypted chat server
    |       |-- End-to-end encrypted messaging
    |       +-- Used by NSS personnel for internal communications
    |
    +-- s3.sns.am
    |       |-- S3-compatible object storage
    |       |-- File storage for the NSS
    |       +-- Bucket configuration unknown
    |
    +-- sahmanapah.sns.am
    |       |-- "Sahmanapah" = Constitutional
    |       |-- Constitutional law / legal reference portal
    |       +-- Purpose: legal framework access for NSS
    |
    +-- mul.sns.am
            |-- Purpose: UNKNOWN
            +-- Active TLS certificate issued

DISCOVERY METHOD: crt.sh certificate transparency + Wayback Machine CDX API

The most alarming subdomain beyond docs is matrix.sns.am. Matrix is an open-standard encrypted messaging protocol. The NSS runs its own Matrix server -- meaning internal communications between security officers flow through this self-hosted infrastructure. If the document portal's security posture is any indication of how the Matrix server is configured, the implications for communications security are severe.

The s3.sns.am subdomain indicates S3-compatible object storage -- the same protocol used by Amazon Web Services for file storage. The NSS is running its own S3 instance. The question is whether its bucket policies are as permissive as its document portal's signup page.

mul.sns.am remains unidentified. An active TLS certificate exists, but the purpose of this subdomain is not clear from public records. It could be a testing environment, an internal tool, or something else entirely.

Why This Matters

CONTEXT The National Security Service is not an ordinary government department. Under its current director Andranik Simonyan -- who was illegally appointed in June 2025 by circumventing the legally required Security Council approval -- the NSS has become the Pashinyan government's primary instrument of political repression:

Arrested Archbishop Bagrat Galstanyan -- the leader of the Tavush for the Homeland movement and the most prominent opposition figure in Armenia
Raided the Mother See of Holy Etchmiadzin -- the spiritual center of the Armenian Apostolic Church, a 1,700-year-old institution
Opened a criminal case against Catholicos Garegin II -- the supreme head of the Armenian Church
Prosecuted opposition politicians, journalists, and military leaders -- systematic targeting of anyone who challenges the government

This is the agency that conducts surveillance on Armenian citizens. This is the agency that interrogates political prisoners. This is the agency that decides who is a threat to "national security." And its document management system has a signup page on the open internet.

The NSS demands absolute secrecy from everyone else. It classifies information, restricts access, and punishes leaks with criminal prosecution. But its own digital infrastructure is discoverable by anyone who knows how to query a certificate transparency log -- a skill taught in introductory cybersecurity courses.

The Pattern

SYSTEMIC FAILURE The NSS document portal is not an isolated finding. It is part of a documented pattern of catastrophic security failures across the entire Armenian government digital infrastructure:

Gov.am -- 279 compromised credentials, 1 confirmed Predator spyware instance
351+ government accounts compromised across Armenian state systems in what OWL has documented as the Armenia Cyber Catastrophe
Central Bank of Armenia -- Jira project management system exposed on the public internet
Government email systems -- systematic failures in authentication and credential management

Every Armenian government system we examine has security problems. Not edge cases. Not minor misconfigurations. Fundamental architectural failures -- systems that should never face the public internet, exposed with login pages, signup forms, and password recovery features that provide attack vectors for any motivated adversary.

The Predator spyware instance on Gov.am means at least one government device was already compromised by commercial surveillance tools. The 351+ compromised accounts mean that credential stuffing attacks against the NSS document portal are not hypothetical -- they are the logical next step for any attacker who already holds government passwords from previous breaches.

Accountability

Armenia's National Security Service spends its energy arresting clergymen, raiding churches, and prosecuting political opponents. It surveils citizens, taps phones, and demands that everyone around it maintain operational security.

Meanwhile, its own document portal sits on the open internet with a signup page. Its own Matrix chat server is discoverable through public certificate logs. Its own file storage system faces the world.

The people running the NSS -- the people who appointed themselves guardians of Armenia's security -- cannot secure their own systems. They cannot protect their own documents. They cannot even hide the existence of their internal infrastructure from a basic OSINT sweep that any journalism student could perform.

This is not a technical failure. It is an institutional one. The NSS under Andranik Simonyan has prioritized political repression over actual security. The resources that should go to hardening infrastructure go instead to surveillance of opposition figures. The expertise that should protect state secrets instead monitors the phones of journalists and clergymen.

The signup page at docs.sns.am is still there. It has been there since at least June 2019. In seven years, nobody at Armenia's most powerful security agency thought to take it offline.

OWL will continue mapping Armenian government infrastructure. Every exposed system will be documented. Every signup page, every open portal, every misconfigured server -- we will find it, we will archive it, and we will publish it. The government that surveils its own citizens should expect to be surveilled in return.