Bad traffic: New Citizen Lab report finds Sandvine's PacketLogic devices used to deploy government spyware in Turkey and redirect Egyptian users to affiliate ads
at the University of Toronto's Munk School of Global Affairs outlines an investigation into the apparent use of networking equipment, offered by a company based in Canada and the United States, to deliver malware in Turkey and indirectly into Syria.
Such equipment also appears to have been used to covertly raise money through affiliate ads and cryptocurrency mining in Egypt.
Through internet scanning, Citizen Lab researchers found Deep Packet Inspection (DPI) middleboxes on Türk Telekom's network. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to spyware when those users attempted to download certain legitimate Windows applications.
Additionally, researchers found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the middleboxes were apparently being used to hijack Egyptian internet users' unencrypted web connections en masse and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.
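The two injection patterns described above (a plain-HTTP download request answered with a redirect to a different host, and an unencrypted web page carrying a script loaded from a different host) can be triaged from captured traffic. The following is an added example written for this page, not code from the Citizen Lab report or from Sandvine; the request URL, hostnames and HTTP responses are constructed placeholders, and parse_http_response and flag_injection are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# Constructed sample traffic (placeholder hosts, not hosts from the report).
REQUEST_URL = "http://downloads.example.com/tools/setup.exe"

# The response a user expects: the installer itself, served by the origin.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"MZ\x90\x00"
)

# An in-path device answering the download request with a redirect elsewhere.
INJECTED_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://mirror.example.net/tools/setup.exe\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# An unencrypted page with a third-party script spliced into it.
INJECTED_SCRIPT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><body>Welcome<script src="http://miner.example.net/m.js">'
    b"</script></body></html>"
)

# Matches the src attribute of <script> tags (quoted or bare).
SCRIPT_SRC = re.compile(rb'<script[^>]*\ssrc=["\']?([^"\'\s>]+)', re.IGNORECASE)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def flag_injection(request_url: str, raw_response: bytes):
    """Return a list of triage findings for one request/response pair.

    Two signals are checked: a 3xx redirect whose Location host differs from
    the requested host, and an HTML body that loads scripts from other hosts.
    """
    findings = []
    status, headers, body = parse_http_response(raw_response)
    req_host = urlsplit(request_url).hostname

    if 300 <= status < 400 and "location" in headers:
        loc_host = urlsplit(headers["location"]).hostname
        if loc_host and loc_host != req_host:
            findings.append(f"off-origin redirect to {loc_host}")

    if headers.get("content-type", "").startswith("text/html"):
        for src in SCRIPT_SRC.findall(body):
            src_host = urlsplit(src.decode("iso-8859-1")).hostname
            if src_host and src_host != req_host:
                findings.append(f"third-party script from {src_host}")

    return findings


if __name__ == "__main__":
    print(flag_injection(REQUEST_URL, CLEAN_RESPONSE))        # []
    print(flag_injection(REQUEST_URL, INJECTED_REDIRECT))     # off-origin redirect
    print(flag_injection("http://news.example.com/", INJECTED_SCRIPT))  # third-party script
```

Off-origin redirects and third-party scripts are common in legitimate traffic (mirrors, CDNs, ad networks), so a hit is a triage signal rather than proof of injection. The confirming step is to fetch the same URL over HTTPS or from a different network vantage point and compare: a redirect or script that appears only on the unencrypted path from one network, and not from the origin itself, is what distinguishes an in-path middlebox from ordinary server behaviour.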
"Leaked documents have long indicated that a number of governments are targeting their opponents by surreptitiously injecting spyware into their internet connections," said researcher Bill Marczak of Citizen Lab at the Munk School. "For the first time ever, we have the proof."
After an extensive investigation, researchers matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. The investigation involved researchers developing a fingerprint for the injection found in Turkey, Syria, and Egypt and matching that fingerprint to a second-hand PacketLogic device that they procured and measured in a lab setting. The report was peer reviewed by academic experts in the field.
The company that makes PacketLogic devices was formerly known as Procera Networks, but was recently renamed Sandvine after Procera's owner, U.S.-based private equity firm Francisco Partners, acquired the Ontario-based networking equipment company Sandvine and combined the two companies in 2017. Francisco Partners has a number of investments in dual-use technology companies, including providers of internet surveillance and monitoring tools such as NSO Group, an Israeli company that develops and sells mobile spyware — in several countries to target journalists, lawyers, and human rights defenders.
The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns, particularly in light of the "strong safeguards" that Sandvine asserts it maintains "regarding social responsibility, human rights, and privacy rights."
"Sandvine's PacketLogic Deep-Packet Inspection (DPI) system, as currently advertised, is classic 'dual-use' technology, marketed as benign-sounding 'quality of service' or 'quality of experience' functionality. But as our report shows, these types of DPI systems can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of their browsers to mine cryptocurrency for profit," said Professor Ron Deibert, director of the Citizen Lab.
"The power of such systems is in the hands of the local operator — operators that answer to autocratic rulers like Turkey's Erdogan or Egypt's el-Sisi. Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly."