Latest publication from the Citizen Lab.

Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?


FOR IMMEDIATE RELEASE

Toronto, Canada (9 March 2018) -- A new report by the Citizen Lab at the Munk School of Global Affairs, University of Toronto, outlines an investigation into the apparent use of networking equipment, offered by a company based in Canada and the United States, to deliver malware in Turkey and indirectly into Syria. Such equipment also appears to have been used to covertly raise money through affiliate ads and cryptocurrency mining in Egypt.

Through Internet scanning, Citizen Lab researchers found Deep Packet Inspection (DPI) middleboxes on Türk Telekom’s network. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to spyware when those users attempted to download certain legitimate Windows applications.

Additionally, researchers found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the middleboxes were apparently being used to hijack Egyptian Internet users’ unencrypted web connections en masse and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.

After an extensive investigation, researchers matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. The investigation involved researchers developing a fingerprint for the injection found in Turkey, Syria, and Egypt and matching that fingerprint to a second-hand PacketLogic device that they procured and measured in a lab setting. The report was peer reviewed by academic experts in the field.

The company that makes PacketLogic devices was formerly known as Procera Networks, but was recently renamed Sandvine after Procera’s owner, U.S.-based private equity firm Francisco Partners, acquired the Ontario-based networking equipment company Sandvine and combined the two companies in 2017. Francisco Partners has a number of investments in dual-use technology companies, including providers of Internet surveillance and monitoring tools such as NSO Group, an Israeli company that develops and sells mobile spyware -- the use of which was previously documented by Citizen Lab in several countries to target journalists, lawyers, and human rights defenders.

“Leaked documents have long indicated that a number of governments are targeting their opponents by surreptitiously injecting spyware into their Internet connections. For the first time ever, we have the proof.” -- Bill Marczak, Research Fellow, the Citizen Lab, Munk School of Global Affairs, University of Toronto

The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns, particularly in light of the “strong safeguards” that Sandvine asserts it maintains “regarding social responsibility, human rights, and privacy rights.” 

“Sandvine’s PacketLogic Deep-Packet Inspection system, as currently advertised, is classic ‘dual-use’ technology, marketed as benign-sounding ‘quality of service’ or ‘quality of experience’ functionality. But as our report shows, these types of DPI systems can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of their browsers to mine cryptocurrency for profit. The power of such systems is in the hands of the local operator — operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi. Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.” -- Ron Deibert, Director, the Citizen Lab, Munk School of Global Affairs, University of Toronto

The prospect of technologies capable of facilitating pervasive surveillance being sold to companies operating in autocratic regimes, or to autocratic regimes themselves, and in jurisdictions wherein human rights are flagrantly abused, should be cause for concern.

 
 
 

For Media Inquiries

Miles Kenyon
Communications Specialist, The Citizen Lab
Email: media@citizenlab.ca
 

Guide on Citing in Media

Title: Bad Traffic: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads? 
Authors: Bill Marczak, Jakub Dalek, Sarah McKune, Adam Senft, John Scott-Railton, Ron Deibert
Published by: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication Date: Friday, March 9, 2018
URL: https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria

 
Copyright © 2018 Citizen Lab, All rights reserved.

