Hundreds of users in Turkey and Syria have been redirected to nation-state malware at the Internet Service Provider (ISP) level, a recent Citizen Lab report reveals.
Following ESET’s discovery that ISPs might be involved in the FinFisher distribution, Citizen Lab launched its own investigation into the matter, only to discover that Türk Telekom has been using Sandvine/Procera Networks Deep Packet Inspection (DPI) devices for the delivery of FinFisher when users attempted to download certain legitimate Windows applications.
Furthermore, the same DPI middleboxes at a Telecom Egypt demarcation point were used to hijack Egyptian users’ unencrypted Internet connections en masse, to redirect them to affiliate ads and in-browser crypto-currency mining scripts.
Middleboxes on Türk Telekom’s network were redirecting users to spyware-laden versions of legitimate programs such as Avast Antivirus, CCleaner, Opera, and 7-Zip, Citizen Lab reports. This was possible because “official websites for these programs […] directed users to non-HTTPS downloads by default,” the Citizen Lab report reads.
Targeted users in Turkey and Syria attempting to download applications from CBS Interactive’s Download.com were also redirected to versions of the programs containing spyware. The lack of HTTPS once again made the redirection possible.
The malicious versions of the targeted applications were initially packed with the FinFisher lawful intercept spyware, but the actor then switched to the StrongPity spyware.
Citizen Lab also found that middleboxes at a Telecom Egypt demarcation point redirected users across dozens of ISPs to affiliate ads and browser crypto-currency mining scripts. The scheme, called AdHose, would either redirect users en masse to ads for short periods of time, or would target some JavaScript resources and defunct websites for ad injection.
The characteristics of the middleboxes were eventually matched to Sandvine PacketLogic devices, which can prioritize, degrade, block, inject, and log various types of Internet traffic.
The company making PacketLogic devices was initially called Procera Networks, but was recently renamed. Its owner, U.S.-based private equity firm Francisco Partners, also invested in dual-use technology companies such as Internet surveillance and monitoring provider NSO Group, Citizen Lab points out. The NSO Group’s mobile spyware has been used to target journalists, lawyers, and human rights defenders.
“In Egypt and Turkey, we also found that devices matching our Sandvine PacketLogic fingerprint were being used to block political, journalistic, and human rights content,” Citizen Lab reports.
In Egypt, they would block human rights, political, and news websites such as Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic. In Turkey, they would block Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the Kurdistan Workers’ Party (PKK).
According to Citizen Lab, Sandvine also appears to maintain a resident solutions engineer or other support staff in Turkey or Egypt, which “raises questions regarding company awareness of, or participation in, activities with significant human rights impact.”
Sandvine’s PacketLogic product does include support for in-path network injection, meaning that it could be used to inject data into the targeted connection. Thus, it is possible that government-linked entities in both Turkey and Egypt might have used the device to inject spyware.
However, Citizen Lab does point out that their technical attribution could only establish that “code that makes the same distinctive implementation choices as PacketLogic’s was used in the injection.” This does not exclude the possibility that another vendor copied PacketLogic’s design or copied PacketLogic’s code, or that Sandvine and other companies used the same third-party codebase in their products.
Citizen Lab also revealed that they contacted both Sandvine and their owner Francisco Partners on February 12, 2018, to notify them on the investigation’s fi
ndings. In their response letter, Sandvine said Citizen Lab’s statements were “false, misleading, and wrong.” The company also said the PacketLogic product wasn’t able of payload injection.
“Our research, however, does not suggest that the PacketLogic device is capable of injecting traffic with the malicious code outright. Rather, the spyware injection and advertising injection were carried out by injecting HTTP 307 redirects that caused a target’s browser to automatically fetch malicious code from a separate website,” Citizen Lab says.
Furthermore, the company expressed its commitment to the ethical use of the product and referenced to a webpage regarding Ethics and Human Rights protection. It also revealed that it has the “technical means in place to prevent misuse of its technology,” but the safeguards appear to have come up short, the report reads.
“The findings of this report also illustrate the urgent need for ubiquitous adoption of HTTPS by website developers. Handling web traffic over unencrypted channels leaves users vulnerable to network injection techniques that may expose them to spyware, unwanted advertising, or other Internet scams. Particularly on sites offering software downloads, companies and developers responsible for such platforms must ensure the proper use of encryption,” Citizen Lab points out.
Responding to a SecurityWeek inquiry, Sandvine said they would conduct their own investigation into the matter and take the appropriate measures to reduce the misuse of their product.
“We remain disappointed that we were not able to get the Report in advance of its media release in order to further our ongoing Business Ethics Committee investigation of the claims made by The Citizen Lab. We have conducted a preliminary review of the Report and we are pleased that the Report concedes that the Sandvine product is not physically responsible for injection of any malicious payload content.
“We are now able to advance our investigation into any possible misuse of the packet redirect capabilities of the Sandvine product as one link in a broader system using other players and vendors to perpetuate the alleged abuses. We will review the Report for factual accuracy, determine if there are changes to product configuration or licenses that would reduce the potential for misuse of the Sandvine product, and, if the facts warrant, engage with the relevant customers and take appropriate action,” Sandvine said in an email.
Related: Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report
