Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey.
This report draws on the technical findings published by Citizen Lab. You can read the full article by clicking the link. Below we provide some of the key details.
This report describes how we used Internet scanning to uncover the apparent use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices (i.e. middleboxes) for malicious or dubious ends, likely by nation-states or ISPs in two countries.
We found that a series of middleboxes on Türk Telekom’s network were being used to redirect hundreds of users attempting to download certain legitimate programs to versions of those programs bundled with spyware. The spyware we found bundled by operators was similar to that used in the StrongPity APT attacks. Before switching to the StrongPity spyware, the operators of the Turkey injection used the FinFisher “lawful intercept” spyware, which FinFisher asserts is sold only to Government entities.
Targeted users in Turkey and Syria who downloaded Windows applications from official vendor websites including Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of injected HTTP redirects. This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default. Additionally, targeted users in Turkey and Syria who downloaded a wide range of applications from CBS Interactive’s Download.com (a platform featured by CNET to download software) were instead redirected to versions containing spyware. Download.com does not appear to support HTTPS despite purporting to offer “secure download” links.
Our scans of Turkey revealed that this spyware injection was happening in at least five provinces. In addition to targets in Turkey, targets included some users physically located in Syria who used Internet services relayed into Syria by Türk Telekom subscribers, sometimes via cross-border directional Wi-Fi links. In one case, more than a hundred Syrian users appeared to share a single Turkish IP address. Based on publicly available information we found on Wi-Fi router pages, at least one targeted IP address appears to serve YPG (Kurdish militia) users. YPG has been the target of a Turkish Government air and ground offensive which began in January 2018. Areas not controlled by the YPG also appear to be targeted, including the area around Idlib city.
Blocking Human Rights and Political Content
In Egypt and Turkey, we also found that devices matching our Sandvine PacketLogic fingerprint were being used to block political, journalistic, and human rights content.
In Egypt, these devices were being used to block dozens of human rights, political, and news websites including Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic. In Turkey, these devices were being used to block websites including Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the Kurdistan Workers’ Party (PKK).
Background: Nation-State Network Injection
Nation-state-level network injection to deliver spyware has long been the stuff of legends. There have been many leaked documents and vendor claims outlining purported nation-state network injection capabilities but there are no concrete public measurements that conclusively establish nation-state spyware injection in the wild.
In network injection, a middlebox operates over connections between a target and an Internet site they are visiting. If the connection is unauthenticated (e.g., HTTP and not HTTPS), then the middlebox can be used to tamper with data to inject a spoofed response from the Internet site. The spoofed response may contain redirects to exploits or spyware to infect and monitor the target. A significant portion of web traffic (approximately 20-30% in the United States) still does not use HTTPS, according to Google.
Broadly, network injection systems are divided into two categories: an on-path system (also called a man-on-the-side) can simply add Internet traffic to the network, whereas an in-path system (also called a man-in-the-middle) can add traffic and also suppress legitimate traffic. A malicious response injected by an on-path system is easier for researchers to detect, because the target receives both the legitimate and malicious response. The presence of two non-similar responses to the same request is a good indicator of on-path network injection. The target’s device will process whichever response is received first, so the goal of an on-path system is to inject a malicious response that reaches the user before the legitimate response. However, such a system cannot always guarantee that the target’s device will see the malicious response first, due to unpredictable network delays and reordering.
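The two signatures described above, an on-path injector leaving two conflicting answers for the same TCP byte range and an injected answer that is a 30x redirect off the vendor's domain, can be checked mechanically on a recorded download flow. The following is an added example written for this page, not Citizen Lab's scanning code; the hostnames, the packets and the arrival times are constructed, and the "first response wins" rule is a simplification of how a real TCP stack reassembles overlapping segments.

```python
"""Detect the two injection signatures described above on a recorded HTTP
download flow: an on-path injector leaves two conflicting answers for the same
TCP byte range, and the injected answer is a 30x redirect that sends the client
off the vendor's domain.  Added example, not Citizen Lab code; every hostname
and packet below is constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class Segment:
    t: float        # arrival time at the client, seconds (constructed)
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def find_conflicts(segments):
    """Pairs of segments that overlap in sequence space but disagree in content.
    A genuine retransmission repeats the same bytes; two different answers for
    one range is the man-on-the-side (on-path) signature."""
    conflicts = []
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            lo = max(a.seq, b.seq)
            hi = min(a.seq + len(a.payload), b.seq + len(b.payload))
            if lo < hi and a.payload[lo - a.seq:hi - a.seq] != b.payload[lo - b.seq:hi - b.seq]:
                conflicts.append((a, b))
    return conflicts


def parse_response(raw):
    """Minimal HTTP/1.x response parser: (status code, {lower-case header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def off_domain_redirect(request_url, raw_response):
    """Return the Location target if the response redirects to another host, else None."""
    status, headers = parse_response(raw_response)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    target = headers["location"]
    if urlparse(target).hostname != urlparse(request_url).hostname:
        return target
    return None


def classify_flow(request_url, segments):
    """'on-path injection' when two conflicting responses were seen (the client
    acts on whichever arrived first); 'redirect candidate' when the only
    response sends the client off-domain, which could be an in-path injector
    or an ordinary CDN hop and must be confirmed against a clean vantage point;
    otherwise 'clean'."""
    responses = sorted((s for s in segments if s.payload.startswith(b"HTTP/")),
                       key=lambda s: s.t)
    if find_conflicts(segments):
        followed = off_domain_redirect(request_url, responses[0].payload) if responses else None
        return {"verdict": "on-path injection", "client_followed": followed}
    for s in responses:
        target = off_domain_redirect(request_url, s.payload)
        if target:
            return {"verdict": "redirect candidate", "client_followed": target}
    return {"verdict": "clean", "client_followed": None}


# Constructed sample: the client asked for a vendor installer over plain HTTP and
# two answers came back for the same byte range, the injected 307 first.
REQUEST_URL = "http://downloads.vendor.example/setup.exe"
INJECTED = (b"HTTP/1.1 307 Temporary Redirect\r\n"
            b"Location: http://injector.example/setup.exe\r\n"
            b"Content-Length: 0\r\n\r\n")
LEGIT = (b"HTTP/1.1 200 OK\r\n"
         b"Content-Type: application/octet-stream\r\n"
         b"Content-Length: 4\r\n\r\nMZ\x90\x00")
ON_PATH_FLOW = [Segment(0.010, 1, INJECTED), Segment(0.025, 1, LEGIT)]
LOST_RACE_FLOW = [Segment(0.010, 1, LEGIT), Segment(0.025, 1, INJECTED)]  # reordered
IN_PATH_FLOW = [Segment(0.025, 1, INJECTED)]   # legitimate answer suppressed
CLEAN_FLOW = [Segment(0.025, 1, LEGIT)]

if __name__ == "__main__":
    for name, flow in [("on-path", ON_PATH_FLOW), ("lost race", LOST_RACE_FLOW),
                       ("in-path", IN_PATH_FLOW), ("clean", CLEAN_FLOW)]:
        print(name, classify_flow(REQUEST_URL, flow))
```

The lost-race flow shows the point made above: the injector's packet was on the wire, so the conflict is still recorded, but the client received the legitimate bytes first and was not redirected. An off-domain redirect on its own is only a candidate, since vendors routinely hand downloads to a CDN; the conclusive evidence is either the conflicting pair or a differing answer from a vantage point outside the suspect network.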
Turkey background: information controls and surveillance
In spite of being a parliamentary democracy with decades of multi-party elections, Turkey’s Government is characterized by corruption, human rights abuses, and autocratic tendencies on the part of the current President Recep Tayyip Erdoğan. Turkey’s military has traditionally been an important and occasionally overbearing presence in domestic politics, with the country experiencing several coup attempts. Information controls played an important part in the most recent such attempt, which was foiled by President Erdoğan in July 2016. Prior to the coup attempt, Turkish authorities routinely throttled access to prominent social media sites, such as Twitter and Facebook. Erdoğan used Apple’s Facetime video calling application during the coup attempt to plead with the Turkish public to resist the plotters. While restrictions on social media were softened to facilitate popular opposition to the coup, the openness was short lived, with Internet censorship returning (and even increasing) after Erdoğan successfully re-asserted his authority.
Although there is widespread and growing popularity of social media in Turkey, which provides citizens with an alternative to conservative state-controlled mainstream media, the country has one of the most extensive Internet censorship regimes in the world. ISPs routinely throttle access to popular social media, make frequent requests to service providers to remove content, and even implement occasional regional shutdowns. According to Twitter’s transparency report, Turkey led the world with 2,710 removal requests in the first six months of 2017. Although Turkey’s numerous security threats, and in particular those related to Islamist and other terrorist attacks, are provided as justifications for such expansive controls, Internet censorship has included a broad range of other content such as criticism of the Erdoğan regime.
The first Internet-related legislation in Turkey was passed in 2007. It is called “Law No. 5651, Regulation of Publications on the Internet and Suppression of Crimes Committed by means of Such Publications,” or “Internet Law” for short. The Internet Law introduced Internet censorship across a range of content categories and mandated service providers to monitor online content passing through their infrastructure. Additional laws and broader information controls were applied in the aftermath of the 2013 Gezi protests, including Law No. 6532, passed in April 2014, which criminalized “the leaking and publication of secret official information, punishable by a prison term of up to nine years.” The law authorizes the Turkish intelligence agency, Milli İstihbarat Teşkilatı (MIT), to “collect data relating to external intelligence, national defense, terrorism, international crimes and cyber security passing via telecommunication channels.” These laws and practices have imposed strict responsibilities on ISPs to block and disrupt access to targeted URLs (in some cases through DNS poisoning), and to monitor and archive Internet traffic for two years. The responsibilities have, in turn, prompted the acquisition of mass and targeted surveillance technologies. A 2014 Citizen Lab report traced activity related to Hacking Team spyware to an IP address owned by Türk Telekom, and a 2015 report mapped FinFisher spyware to Turkey.
MIT’s practical implementation of the 2014 national security laws requires the cooperation of the Turkish telecommunications sector, which is centralized around Türk Telekom. While technically a private company, Türk Telekom is heavily controlled by the ruling AKP party. The AKP exerts influence over Türk Telekom through its supposedly independent regulator, the Information and Communications Authority (which is itself controlled by the state), as well as a large ownership stake controlled by the Turkish Treasury department. The Government’s direct influence over Türk Telekom was demonstrated following the July 2016 coup attempt, when several Türk Telekom senior executives were purged from the company.
Localizing the targets of Turkey’s malware injection
In a February 2018 scan of Turkey, we identified five different malicious domain names that were injected in response to HTTP requests for Opera. We performed traceroutes for the targeted IP addresses and found targeting in at least five provinces, based on names we found in the furthest downstream reverse DNS (PTR) record. Figure 7 shows the five provinces where we identified injection.
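The localization step above, reading the reverse-DNS (PTR) name of the furthest downstream hop of a traceroute toward each targeted IP, can be scripted over saved traceroute output. The following is an added example for this page, not Citizen Lab's tooling; the traceroute text and the PTR-fragment-to-province table are constructed (documentation address ranges, hypothetical `*.example` names), and a real table has to be built from the operator's actual naming convention, since PTR names are assigned by the operator and may be stale or misleading.

```python
"""Locate a targeted IP roughly, as the text above describes: take the
traceroute toward it and read the reverse-DNS (PTR) name of the furthest
downstream hop that has one.  Added example, not Citizen Lab code; the
traceroute output and the name-fragment table are constructed, and real ISP
naming schemes must be learned per operator."""
import re

# Hypothetical PTR-name fragments -> province; a real table comes from studying
# the operator's naming convention, not from guessing.
PROVINCE_HINTS = {"ank": "Ankara", "ist": "Istanbul", "izm": "İzmir"}

# One traceroute hop: "  4  name (a.b.c.d)  21.3 ms ..."; "  2  * * *" will not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_hops(traceroute_text):
    """(ttl, ptr_name_or_None, ip) for each responding hop; '*' hops are skipped
    and hops printed as 'ip (ip)' have no PTR record."""
    hops = []
    for line in traceroute_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl, name, ip = m.groups()
            hops.append((int(ttl), None if name == ip else name, ip))
    return hops


def furthest_named_hop(hops):
    """PTR name of the highest-TTL hop that has one (the target itself if it
    resolves, otherwise the last named router in front of it)."""
    for ttl, name, _ip in sorted(hops, key=lambda h: h[0], reverse=True):
        if name:
            return name
    return None


def infer_province(traceroute_text):
    """Map the furthest named hop to a province via PROVINCE_HINTS, matching the
    start of each DNS label so 'ank-edge-3' hits 'ank' but 'blank' does not."""
    name = furthest_named_hop(parse_hops(traceroute_text))
    if name is None:
        return None
    for label in name.lower().split("."):
        for fragment, province in PROVINCE_HINTS.items():
            if label.startswith(fragment):
                return province
    return None


# Constructed traceroute output (documentation address ranges, hypothetical names).
SAMPLE_TRACE = """traceroute to 203.0.113.45 (203.0.113.45), 30 hops max, 60 byte packets
 1  gw.lab.example (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms
 2  * * *
 3  core1.isp.example (198.51.100.7)  9.1 ms  9.0 ms  9.2 ms
 4  ank-edge-3.isp.example (198.51.100.88)  21.3 ms  21.0 ms  21.1 ms
 5  203.0.113.45 (203.0.113.45)  33.5 ms  33.2 ms  33.4 ms
"""

if __name__ == "__main__":
    print(furthest_named_hop(parse_hops(SAMPLE_TRACE)), "->", infer_province(SAMPLE_TRACE))
```

The target at hop 5 has no PTR record in this sample, so the inference falls back to the named edge router at hop 4; when the target does resolve, its own name takes precedence because it is the furthest downstream. A province inferred this way is a hint about where the operator terminates the link, not proof of where the user sits, which is why the text above pairs it with router-page names and on-the-ground testing.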
Over five months of scanning we found a total of 259 targeted IP addresses. However, this is not a complete count of targeted IP addresses; we could only measure IP addresses that responded to our scans (i.e., had an open TCP port).
We were able to develop a general sense of target identities by scraping data from public router pages hosted on some of the IP addresses. The pages show names chosen by the people who set up the routers, including names of users sharing the connection. In some cases, the names chosen were of Syrian cities. We conducted on-the-ground testing in one such Syrian city and found that all users of a particular Internet reseller (sharing the same Türk Telekom IP) were targeted. We also found several router pages showing names containing “ypg” (e.g., ciwan.ypg and ypg-matar), indicating possible targeting of YPG (Kurdish militia) members or facilities. We also found that some routers were named for resellers in Turkey and Syria. We found Facebook pages for some of the named resellers which showed images of the resellers building infrastructure to provide Internet access using Türk Telekom leased lines (Figures 8 and 9).
After we sent letters to Sandvine and Francisco Partners on February 12, 2018, we ran tests on February 14 and February 16, 2018 which found that two targeted IP addresses, on which we had observed injection since October 2017, no longer produced injection. We conducted a full scan of Turkey on March 7, 2018 and found that these two IP addresses again produced injection, but with different domain names. Our March scan also found that the operators of the injection had changed some of the injected domain names.