Bad traffic: New Citizen Lab report finds Sandvine’s PacketLogic devices used to deploy government spyware in Turkey and redirect Egyptian users to affiliate ads

A new report by the Citizen Lab at the University of Toronto’s Munk School of Global Affairs outlines an investigation into the apparent use of networking equipment, offered by a company based in Canada and the United States, to deliver malware in Turkey and indirectly into Syria.

Such equipment also appears to have been used to covertly raise money through affiliate ads and cryptocurrency mining in Egypt.

Through internet scanning, Citizen Lab researchers found Deep Packet Inspection (DPI) middleboxes on Türk Telekom’s network. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to spyware when those users attempted to download certain legitimate Windows applications.

Additionally, researchers found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the middleboxes were apparently being used to hijack Egyptian internet users’ unencrypted web connections en masse and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.

“Leaked documents have long indicated that a number of governments are targeting their opponents by surreptitiously injecting spyware into their internet connections,” said researcher Bill Marczak of Citizen Lab at the Munk School. “For the first time ever, we have the proof.”

After an extensive investigation, researchers matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. The investigation involved researchers developing a fingerprint for the injection found in Turkey, Syria, and Egypt and matching that fingerprint to a second-hand PacketLogic device that they procured and measured in a lab setting. The report was peer reviewed by academic experts in the field.

Read the Citizen Lab report

The company that makes PacketLogic devices was formerly known as Procera Networks, but was recently renamed Sandvine after Procera’s owner, U.S.-based private equity firm Francisco Partners, acquired the Ontario-based networking equipment company Sandvine and combined the two companies in 2017. Francisco Partners has a number of investments in dual-use technology companies, including providers of internet surveillance and monitoring tools such as NSO Group, an Israeli company that develops and sells mobile spyware – the use of which was previously documented by Citizen Lab in several countries to target journalists, lawyers, and human rights defenders.

The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns, particularly in light of the “strong safeguards” that Sandvine asserts it maintains “regarding social responsibility, human rights, and privacy rights.”

“Sandvine’s PacketLogic Deep-Packet Inspection (DPI) system, as currently advertised, is classic ‘dual-use’ technology, marketed as benign-sounding ‘quality of service’ or ‘quality of experience’ functionality. But as our report shows, these types of DPI systems can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of their browsers to mine cryptocurrency for profit,” said Professor Ron Deibert, director of the Citzen Lab.

“The power of such systems is in the hands of the local operator – operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi. Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.”