Report highlights how deep packet inspection could be subverted by cybercriminals

A series of deep packet inspection (DPI) middleboxes developed by Sandvine PacketLogic (formerly known as Procera) are apparently being misused by state-sponsored cybercriminals for espionage purposes and for commercial gain.

According to a Citizen Lab internet scan, DPI boxes on Türk Telekom’s network are being used to redirect hundreds of mobile and fixed users in Turkey and Syria to spyware when those users attempt to download certain legitimate Windows applications. Visitors to official vendor websites, including Avast Antivirus, CCleaner, Opera, and 7-Zip, were observed being silently redirected to malicious versions bundled with the StrongPity and FinFisher spyware, as were those who downloaded a wide range of applications from CBS Interactive’s Download.com.

The scans of Turkey revealed that this redirection was happening in at least five provinces, and Citizen Lab believes the efforts were being carried out by the ISP at the behest of the Turkish government.

“Based on publicly available information we found on Wi-Fi router pages, at least one targeted IP address appears to serve YPG (Kurdish militia) users,” the group said in its analysis. “YPG has been the target of a Turkish government air and ground offensive which began in January 2018. Areas not controlled by the YPG also appear to be targeted, including the area around Idlib city.”

The Citizen Lab also found similar middleboxes in the Telecom Egypt network being used to hijack Egyptian internet users’ unencrypted web connections en masse. In this case, the boxes were being used to redirect the users to affiliate ads and browser cryptocurrency mining scripts in an effort to line the criminals’ pockets.

This kind of redirection can be done via network injection: A DPI middlebox operates over connections between a target and an internet site he or she is visiting. If the connection is unauthenticated (e.g., HTTP and not HTTPS), then the middlebox can be used to tamper with data to inject a spoofed response from the internet site. The spoofed response may contain redirects to exploits or spyware to infect and monitor the target.

The Citizen Lab said that it matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices.  

“We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting,” the group said in an announcement.

Sandvine’s PacketLogic middleboxes can prioritize, degrade, block, inject and log various types of internet traffic on mobile and fixed networks; such DPI capabilities have a number of legitimate uses, including enforcing corporate internet policies and regulatory compliance. The Citizen Lab however said that in Egypt and Turkey, the devices matching the Sandvine PacketLogic fingerprint were being used to block political, journalistic and human rights content.

“In Egypt, the Sandvine PacketLogic devices were being used to block dozens of human rights, political, and news websites including Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic,” the Citizen Lab said. “In Turkey, these devices were being used to block websites including Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the Kurdistan Workers’ Party (PKK).”

The Citizen Lab also insinuated that the company may be complicit in this use of its equipment, actively aiding in the Turkish government’s targeting of dissidents. As evidence of this, it noted that the company is owned by private equity firm Francisco Partners, which also has a stake in the NSO Group, an Israeli company that develops and sells mobile spyware.

“NSO Group’s spyware has been used in several countries to target journalists, lawyers and human rights defenders,” the Citizen Lab said.

It also cited a 2014 article in a Turkish newspaper that mentioned that Turkey “had begun negotiations with Procera to buy a PacketLogic system for surveillance and censorship purposes,” and said that there is evidence that Sandvine may have provided personnel on the ground to help carry out this mission.

The implication that Sandvine might be knowingly working with governments to violate human rights has been rejected by the company out of hand.

“There are many products in a network that are capable of redirecting network traffic,” the company said in a note to FierceWireless. “Based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading…We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software.”

It acknowledged that its DPI products do include a redirection feature, but added that this kind of HTTP redirection is a commodity-like technology that is commonly included in many types of technology products.

“This standards-based protocol is present across a wide variety of networking elements that an end user’s traffic would traverse and is widely deployed and used every day by corporations, security products and telecom providers (just to name a few) for legitimate and lawful purposes,” Sandvine said.

It added that the Citizen Lab failed to give it sufficient information, or a copy of the report, prior to releasing the findings. Sandvine added that it is now investigating the allegations and will “take appropriate action in accordance with our business ethics policies, if necessary.”

Sandvine is “deeply committed to ethical technology development and we hold our business processes and behavior to the highest standards,” the company added. “We institute strong safeguards to ensure adherence to our principles of social responsibility, human rights and privacy rights. We have a Business-Ethics Committee that conducts a comprehensive review of all potential regulatory compliance engagements to identify risk of product misuse prior to any sales.”