OTTAWA—Internet users in Turkey and Syria are being targeted by a state spying campaign making use of a Waterloo-based tech company’s products, new research from the University of Toronto’s Citizen Lab suggests.
Researchers said Friday that Sandvine Incorporated’s products have been used to hack internet users’ devices along the Turkish-Syrian border, installing malicious spyware and raising “significant” human rights concerns as the Turkish government cracks down on internal dissent and battles Kurdish militia in northern Syria.
Citizen Lab did not identify the perpetrators, but said the spying was likely done “by nation-states or (Internet Service Providers)” on the Turk Telekom network, which researchers noted has ties to Turkish President Recep Tayyip Erdogan’s ruling party.
According to the report, internet users in Turkey and Syria downloading popular software like Avast Antivirus and CCleaner were redirected to malicious versions of the software that included spyware. The same technique, known as “packet injection,” was used on users accessing Download.com, which offers a variety of different applications for download. The researchers say Sandvine’s PacketLogic internet filtering devices were used in the hacks.
“Imagine that your device could be silently commandeered and used to spy on you simply because you surfed the web. No need for anyone to have possession of it and physically install something. No need to trick you into downloading spyware, clicking on a malicious link, or entering your credentials into a phoney login page,” wrote Ron Deibert, director of the Citizen Lab at U of T’s Munk School.
“Imagine no more.”
In a statement Friday afternoon, Sandvine said they’ve opened an internal investigation in the wake of the Citizen Lab report. But the company also criticized the report as being “technically inaccurate and intentionally misleading” — without saying specifically what findings they take issue with.
“Sandvine is deeply committed to ethical technology development and we hold our business processes and behaviour to the highest standards. We institute strong safeguards to ensure adherence to our principles of social responsibility, human rights, and privacy rights,” the company’s statement read.
The Citizen Lab report also found evidence of similar hacks in Egypt, although for a very different purpose. On Telecom Egypt’s networks, Sandvine’s technology was used to redirect internet users to advertisements and cryptocurrency mining schemes, suggesting economic motives — although the report suggests spyware may also have been deployed.
Sandvine’s PacketLogic products were designed for legitimate internet filtering and network management uses. But internet filtering devices can also be used by repressive regimes to censor the internet, blocking access to critical journalism, political opponents, or social media. The Citizen Lab report found evidence of that censorship in both Turkey and Egypt.
“In Egypt, (Sandvine) devices were being used to block dozens of human rights, political, and news websites … In Turkey, these devices were being used to block websites including Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the Kurdistan Workers’ Party (PKK).”
Nation states using “network injection” to spy on their citizens “has long been the stuff of legends,” the report notes. In documents leaked by Edward Snowden, the U.S. National Security Agency even had a code name for the technique — “QUANTUM.” Quantum has reportedly been used to target employees at a Belgian telecommunications company, workers at OPEC, and internet users accessing terrorism-related materials.
Deibert told the Star, however, that this is the first time empirical evidence of this type of technique has been observed “in the wild.”
Sandvine Incorporated, which Premier Kathleen Wynne called a “true Ontario success story” in 2016, was acquired by Francisco Partners and Procera Networks Inc. for $562 million in 2017.
Procera has been tied to internet censorship and surveillance in Turkey before. In 2016, Forbes reported a group of Procera engineers quit the company in protest of a deal to provide surveillance hardware to Turk Telekom.
“I do not wish to spend the rest of my life with the regret of having been a part of Erdogan’s insanity, so I’m out,” wrote one engineer in a company-wide email reported by Forbes.