Future Tense

Report: U.S. Tech Company’s Devices Were Used to Inject Surveillance Malware Into Computers in the Middle East

The malware blocked sites that had been targeted in the past by Turkey's government.
The malware blocked sites that had been targeted in the past by Turkey’s government. Ozan Kose/AFP/Getty Images

Devices created by a U.S. tech company called Sandvine were apparently used to deliver surveillance and censorship malware in Egypt, Turkey, and Syria. Researchers at the University of Toronto’s Citizen Lab found that the malware targeted people who were trying to download programs from established companies like Avast Antivirus, Opera, and CNET. Sandvine’s PacketLogic technology may have helped to discreetly hijack the process, redirecting users to instead install spyware and other invasive programs.

The malware that users unknowingly downloaded had a number of nefarious political purposes. Citizen Lab discovered that it blocked websites in Egypt for the Human Rights Watch, Reporters Without Borders, Al Jazeera, and HuffPost Arabic. In Turkey, blocked sites included those for the Kurdistan Workers’ Party, Wikipedia, and the Dutch Broadcast Foundation. And in Syria, PacketLogic devices helped deliver surveillance software to a militia called the Kurdish People’s Protection Units via a Turkish telecom network.

Bill Marczak, the lead author on Citizen Lab’s report, noted that it’s very difficult to pinpoint who exactly was directing the malware campaign. “The indication here is that directives about blocking websites from the government are being implemented with these [devices]. Whether that’s directly by the government, or whether that’s done by an ISP, that’s hard to know,” he told Slate.

Indeed, the websites that fell under these censorship campaigns suspiciously correspond to ones that local governments have targeted in the past. For example, Reuters journalists found in September that the Human Rights Watch site became inaccessible in Egypt after its government blasted the organization’s report on prison torture. Turkish President Recep Tayyip Erdogan famously banned Wikipedia last April. Plus, Turkey believes that the Kurdish People’s Protection Units is a terrorist organization and has been pressuring the U.S. to stop supporting its fighters. So, as Marczak pointed out, whoever was behind these campaigns at the very least had government-aligned motivations.

PacketLogic devices came handy for financial scams as well, particularly in Egypt. Citizen Lab found that some download links redirected users to affiliated ads and websites that host cryptojacking scripts, which steal processing power from computers to mine cryptocurrency.

Citizen Lab caught onto the scheme by conducting a global internet scan and finding signs of mass spyware injections in Turkey and Egypt. Researchers then purchased a secondhand PacketLogic device, which looks like a small black box, and ran tests indicating that the behavior of their unit matched up with the digital fingerprints they had found in those countries.

Moving forward, Marczak says that one of the best countermeasure would be for software downloading websites to use more advanced security protocols. Opera and Avast Antivirus were not using HTTPS, a more sophisticated version of the HTTP protocol, throughout their websites, which may have allowed the hijacking to occur. “There’s been a lot of movement recently from companies that make web browsers like Mozilla Firefox and Google Chrome … to make it very inconvenient to use HTTP. Hopefully that will push more adoption of HTTPS by people who host websites.”

Slate has reached out to Sandvine for comment. The company did send a letter to Citizen Lab when its researchers first inquired about the PacketLogic technology, which stated that the allegations were “false, misleading, and wrong.”

Update, March 9, 2018, at 3:30 p.m.: Sandvine sent Slate a statement, which reads in part:

There are many products in a network that are capable of redirecting network traffic. The Citizen Lab failed to give us sufficient information, or a copy of the report, prior to its release in order for us to conduct a thorough investigation regarding their allegations. Now that we have received a copy of The Citizen Lab report, we are investigating the allegations set forth in the report and will take appropriate action in accordance with our business ethics policies, if necessary.

Based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading. Despite repeated requests, Citizen Lab refused to provide us with a copy of their report or any underlying data prior to its release, which made it impossible for us to investigate their allegations of misuse of our product and denied us any opportunity to fully respond to the claims in the report.  

Our investigation of these allegations remains ongoing. We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software. While our products include a redirection feature, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products. This standards based protocol is present across a wide variety of networking elements that an end user’s traffic would traverse and is widely deployed and used every day by corporations, security products and telecom providers (just to name a few) for legitimate and lawful purposes.