Security Experts:

Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Internet Provider Redirects Users in Turkey to Spyware: Report

Hundreds of users in Turkey and Syria have been redirected to nation-state malware at the Internet Service Provider (ISP) level, a recent Citizen Lab report reveals.

Hundreds of users in Turkey and Syria have been redirected to nation-state malware at the Internet Service Provider (ISP) level, a recent Citizen Lab report reveals.

Following ESET’s discovery that ISPs might be involved in the FinFisher distribution, Citizen Lab launched its own investigation into the matter, only to discover that Türk Telekom has been using Sandvine/Procera Networks Deep Packet Inspection (DPI) devices for the delivery of FinFisher when users attempted to download certain legitimate Windows applications.

Furthermore, the same DPI middleboxes at a Telecom Egypt demarcation point were used to hijack Egyptian users’ unencrypted Internet connections en masse, to redirect them to affiliate ads and in-browser crypto-currency mining scripts.

Middleboxes on Türk Telekom’s network were redirecting users to spyware-laden versions of legitimate programs such as Avast Antivirus, CCleaner, Opera, and 7-Zip, Citizen Lab reports. This was possible because “official websites for these programs […] directed users to non-HTTPS downloads by default,” the Citizen Lab report reads.

Targeted users in Turkey and Syria attempting to download applications from CBS Interactive’s were also redirected to versions of the programs containing spyware. The lack of HTTPS once again made the redirection possible.

The malicious versions of the targeted applications were initially packed with the FinFisher lawful intercept spyware, but the actor then switched to the StrongPity spyware.

Citizen Lab also found that middleboxes at a Telecom Egypt demarcation point redirected users across dozens of ISPs to affiliate ads and browser crypto-currency mining scripts. The scheme, called AdHose, would either redirect users en masse to ads for short periods of time, or would target some JavaScript resources and defunct websites for ad injection.

The characteristics of the middleboxes were eventually matched to Sandvine PacketLogic devices, which can prioritize, degrade, block, inject, and log various types of Internet traffic.

The company making PacketLogic devices was initially called Procera Networks, but was recently renamed. Its owner, U.S.-based private equity firm Francisco Partners, also invested in dual-use technology companies such as Internet surveillance and monitoring provider NSO Group, Citizen Lab points out. The NSO Group’s mobile spyware has been used to target journalists, lawyers, and human rights defenders.

“In Egypt and Turkey, we also found that devices matching our Sandvine PacketLogic fingerprint were being used to block political, journalistic, and human rights content,” Citizen Lab reports.

In Egypt, they would block human rights, political, and news websites such as Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic. In Turkey, they would block Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the Kurdistan Workers’ Party (PKK).

According to Citizen Lab, Sandvine also appears to maintain a resident solutions engineer or other support staff in Turkey or Egypt, which “raises questions regarding company awareness of, or participation in, activities with significant human rights impact.”

Sandvine’s PacketLogic product does include support for in-path network injection, meaning that it could be used to inject data into the targeted connection. Thus, it is possible that government-linked entities in both Turkey and Egypt might have used the device to inject spyware.

However, Citizen Lab does point out that their technical attribution could only establish that “code that makes the same distinctive implementation choices as PacketLogic’s was used in the injection.” This does not exclude the possibility that another vendor copied PacketLogic’s design or copied PacketLogic’s code, or that Sandvine and other companies used the same third-party codebase in their products.

Citizen Lab also revealed that they contacted both Sandvine and their owner Francisco Partners on February 12, 2018, to notify them on the investigation’s fi
ndings. In their response letter, Sandvine said Citizen Lab’s statements were “false, misleading, and wrong.” The company also said the PacketLogic product wasn’t able of payload injection.

“Our research, however, does not suggest that the PacketLogic device is capable of injecting traffic with the malicious code outright. Rather, the spyware injection and advertising injection were carried out by injecting HTTP 307 redirects that caused a target’s browser to automatically fetch malicious code from a separate website,” Citizen Lab says.

Furthermore, the company expressed its commitment to the ethical use of the product and referenced to a webpage regarding Ethics and Human Rights protection. It also revealed that it has the “technical means in place to prevent misuse of its technology,” but the safeguards appear to have come up short, the report reads.

“The findings of this report also illustrate the urgent need for ubiquitous adoption of HTTPS by website developers. Handling web traffic over unencrypted channels leaves users vulnerable to network injection techniques that may expose them to spyware, unwanted advertising, or other Internet scams. Particularly on sites offering software downloads, companies and developers responsible for such platforms must ensure the proper use of encryption,” Citizen Lab points out.

Responding to a SecurityWeek inquiry, Sandvine said they would conduct their own investigation into the matter and take the appropriate measures to reduce the misuse of their product.

“We remain disappointed that we were not able to get the Report in advance of its media release in order to further our ongoing Business Ethics Committee investigation of the claims made by The Citizen Lab. We have conducted a preliminary review of the Report and we are pleased that the Report concedes that the Sandvine product is not physically responsible for injection of any malicious payload content.

“We are now able to advance our investigation into any possible misuse of the packet redirect capabilities of the Sandvine product as one link in a broader system using other players and vendors to perpetuate the alleged abuses. We will review the Report for factual accuracy, determine if there are changes to product configuration or licenses that would reduce the potential for misuse of the Sandvine product, and, if the facts warrant, engage with the relevant customers and take appropriate action,” Sandvine said in an email.

Related: Internet Providers Possibly Involved in FinFisher Surveillance Operations: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...


Spanish Court agreed to extradite Joseph James O’Connor to he U.S., who allegedly took part in the July 2020 hacking of Twitter accounts of...


A hacker who reportedly posed as the CEO of a financial institution claims to have obtained access to the more than 80,000-member database of...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...


Russian Vladislav Klyushin made tens of millions of dollars by hacking into U.S. computer networks to steal insider information.