
Governments rely on Sandvine network gear to deliver spyware and miners

According to Citizen Lab, some governments are using Sandvine network gear installed at internet service providers to deliver spyware and cryptocurrency miners.

Researchers at the human rights research group Citizen Lab have discovered that internet users in Turkey, Egypt and Syria who attempted to download legitimate Windows applications from official vendor websites (e.g. Avast Antivirus, CCleaner, Opera, and 7-Zip) were instead infected with nation-state malware.

According to the organization, local governments, with the cooperation of internet service providers, used deep-packet inspection boxes to hijack the download traffic.

“This report describes how we used Internet scanning to uncover the apparent use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices (i.e. middleboxes) for malicious or dubious ends, likely by nation-states or ISPs in two countries,” states the report published by Citizen Lab.

Citizen Lab started this investigation in September after the researchers at ESET uncovered a surveillance campaign using a new variant of FinFisher spyware, also known as FinSpy.

FinFisher infected victims in seven countries, and the experts believe that in two of them the major internet providers were involved.

The Citizen Lab researchers found Sandvine PacketLogic devices being used on the networks of Türk Telekom and Telecom Egypt to distribute malware serving different purposes, ranging from surveillance to cryptocurrency mining.

“After an extensive investigation, we matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting,” states the report.

“The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns.”

Image: Sandvine device

The researchers highlighted that the official websites for these legitimate applications redirect users to non-HTTPS downloads by default; because the final download travels over plaintext HTTP, an on-path middlebox can rewrite the response and redirect users to a different file without breaking any TLS protection.
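The weakness described above is visible in the redirect chain a client follows: a download that starts on HTTPS but is downgraded to plaintext HTTP, and then sent to a different site, is exactly what an on-path injection looks like from the client side. The following Python script is an added example, not code from the report or from Citizen Lab, that audits a recorded redirect chain for the three warning signs a defender would check: an HTTPS-to-HTTP downgrade, a redirect that leaves the vendor's domain, and a final download served over plaintext. The hostnames and chains are constructed for illustration, and the registrable-domain helper is a deliberately simple assumption (last two labels, no Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed sample chains (not taken from the report). Each hop is
# (requested URL, HTTP status seen, Location header or None for a final response).
EXPECTED_CHAIN = [
    ("https://vendor.example/download", 302, "https://cdn.vendor.example/setup.exe"),
    ("https://cdn.vendor.example/setup.exe", 200, None),
]

# Constructed chain modelling an on-path injection: the vendor page points at a
# plaintext download, and that plaintext hop is then redirected elsewhere.
INJECTED_CHAIN = [
    ("https://vendor.example/download", 302, "http://cdn.vendor.example/setup.exe"),
    ("http://cdn.vendor.example/setup.exe", 307, "http://injected-host-placeholder.example/setup.exe"),
    ("http://injected-host-placeholder.example/setup.exe", 200, None),
]


def registrable_domain(host):
    """Assumed simplification: treat the last two labels as the site identity.
    A production check should use the Public Suffix List instead."""
    if not host:
        return ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_redirect_chain(chain):
    """Return a list of (finding, from_url, to_url) tuples for a redirect chain.

    Findings:
      downgrade            - an HTTPS URL redirected to an HTTP URL
      cross-site-redirect  - a redirect that leaves the current registrable domain
      plaintext-download   - the final (non-redirect) response was fetched over HTTP
    """
    findings = []
    for url, status, location in chain:
        src = urlparse(url)
        if location is not None:
            dst = urlparse(location)
            if src.scheme == "https" and dst.scheme == "http":
                findings.append(("downgrade", url, location))
            if registrable_domain(src.hostname) != registrable_domain(dst.hostname):
                findings.append(("cross-site-redirect", url, location))
        else:
            # Final hop: the actual file was delivered from here.
            if src.scheme != "https":
                findings.append(("plaintext-download", url, None))
    return findings


def finding_kinds(chain):
    """Convenience wrapper returning only the finding names, in chain order."""
    return [kind for kind, _, _ in audit_redirect_chain(chain)]


if __name__ == "__main__":
    for name, chain in (("expected", EXPECTED_CHAIN), ("injected", INJECTED_CHAIN)):
        print(name, finding_kinds(chain))
```

Run against a chain captured from a client (for example with a proxy log or a `requests` session with redirects recorded), an empty result means the download stayed on HTTPS within the vendor's domain; any `downgrade` or `cross-site-redirect` finding is worth correlating with the ISP path the client used, since the page above notes that the same injection behaviour was tied to specific networks.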

The experts also reported the case of CBS Interactive’s Download.com: in Turkey and Syria, its users were redirected to downloads bundled with spyware.

The surveillance malware that the researchers found bundled with the downloads was similar to that used in the espionage campaigns conducted by the StrongPity APT.

The experts found that, in Egypt, the Sandvine boxes were used to distribute either affiliate ads or browser cryptocurrency mining scripts.

“The middleboxes were being used to redirect users across dozens of ISPs to affiliate ads and browser cryptocurrency mining scripts. The Egyptian scheme, which we call AdHose, has two modes,” continues the report. “In spray mode, AdHose redirects Egyptian users en masse to ads for short periods of time. In trickle mode, AdHose targets some JavaScript resources and defunct websites for ad injection. AdHose is likely an effort to covertly raise money.”

According to Citizen Lab, the same boxes are also apparently being used for censorship, for example by blocking access to websites such as Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic.

Citizen Lab reported its findings to Sandvine, but the firm dismissed the study as “false, misleading, and wrong,” and asked the organization to return the second-hand PacketLogic device used in the investigation.

Sandvine asked the experts to delay publication of the report, claiming that the researchers intentionally provided incorrect information.

On March 7, 2018, Sandvine sent a letter to the University of Toronto, to express its disappointment about the Citizen Lab analysis. External counsel responded to Sandvine’s letter on behalf of the University of Toronto and Citizen Lab on March 8, 2018.

Sandvine criticized the researchers’ approach as unethical, pointing out in particular that the tests were conducted on a second-hand Sandvine PacketLogic PL7720 box acquired for that purpose.

“You state, broadly, that Sandvine takes seriously its commitment to corporate social responsibility and ethical use of its products,” reads a letter sent by attorneys representing the University and Citizen Lab. “However, you have not responded to any of the specific questions asked of Sandvine by Citizen Lab in letters dated February 16 and March 1, 2018.”


Pierluigi Paganini

(Security Affairs – Sandvine, spyware)
