Recent investigations reveal alarming cybersecurity breaches involving the governments of Turkey and Syria. These states have been implicated in hijacking local internet users’ connections to implant surveillance malware covertly. Concurrently, reports indicate that in Egypt, similar interception technologies have been employed to inject unauthorized browser-based cryptocurrency mining scripts into users’ web traffic.
The tactics at play in these incidents predominantly revolve around Deep Packet Inspection (DPI) capabilities, utilized by Internet Service Providers (ISPs) and governmental agencies. This technology, particularly from the vendor Sandvine—recently merged with Procera Networks—enables entities to intercept, analyze, and manipulate internet traffic on a granular level. Through DPI, ISPs can assess the content of data packets transmitted over their networks, allowing them to redirect or alter traffic with significant stealth.
According to a report by Citizen Lab, Turkey’s telecommunications network utilized Sandvine PacketLogic devices to misdirect numerous targeted users, including journalists and human rights defenders, to malicious versions of legitimate software. These harmful versions were found bundled with notorious spyware, such as FinFisher and StrongPity, when users attempted to download applications from reputable sources. Notably, the report highlights that even HTTPS-secured URLs could direct users toward non-encrypted downloads, severely undermining online security protocols.
Syria’s internet users have not been spared from these tactics, experiencing similar redirections to compromised downloads of widely used applications like Avast Antivirus and CCleaner, also embedded with government surveillance tools. In Turkey, the same DPI devices have also been used to block access to platforms like Wikipedia and to sites associated with the Kurdistan Workers’ Party, illustrating a broader strategy to suppress dissenting information.
In stark contrast, Egypt’s use of Sandvine PacketLogic appears aimed at economic exploitation rather than surveillance. Reports indicate that ISPs have quietly inserted cryptocurrency mining scripts into every HTTP page visited by users, specifically mining the Monero cryptocurrency. Alongside this, users are redirected to pages laden with affiliate ads, generating revenue for the ISPs while circumventing ethical standards.
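As an added defender-side example (not code from the Citizen Lab report or from any product discussed here), the following Python checks two of the conditions described above against constructed samples: a download redirect chain that downgrades from HTTPS to plain HTTP, and an HTTP page body carrying a script tag from an unexpected plain-HTTP host or an inline snippet that looks like a browser miner. The host names, the keyword list and the sample data are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample data (not taken from the Citizen Lab report): the redirect
# chain a software download followed, and the HTML an HTTP page came back with.
SAMPLE_CHAIN = [
    "https://downloads.example.com/app-setup.exe",
    "http://mirror.example.net/app-setup.exe",
]
SAMPLE_HTML = """<html><head><title>News</title>
<script src="https://cdn.example.com/site.js"></script></head>
<body><p>article text</p>
<script src="http://stats.example-injected.net/m.js"></script>
<script>var miner = new Miner('site-key'); miner.start();</script>
</body></html>"""

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>', re.I | re.S)
# Illustrative keyword list for browser-mining code; tune it for real traffic.
MINER_HINTS = re.compile(r'\b(miner|cryptonight|coinhive)\b', re.I)


def downgraded_hops(chain):
    """Return (from, to) pairs where a redirect moved an https:// URL to http://.
    A download that starts on HTTPS and lands on plain HTTP can be swapped in
    transit, which is the condition the report describes."""
    hops = []
    for src, dst in zip(chain, chain[1:]):
        if urlparse(src).scheme == "https" and urlparse(dst).scheme == "http":
            hops.append((src, dst))
    return hops


def suspicious_scripts(html, expected_hosts):
    """Flag script tags fetched over plain HTTP from hosts the page is not known
    to use (a sign of in-path injection) and inline scripts that look like a
    browser miner. expected_hosts is the set of hosts the page legitimately
    loads scripts from."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        url = urlparse(src)
        if url.scheme == "http" and url.hostname not in expected_hosts:
            findings.append(("third-party-http-script", src))
    for body in INLINE_SCRIPT.findall(html):
        if MINER_HINTS.search(body):
            findings.append(("inline-miner-pattern", body.strip()[:60]))
    return findings
```

Run the two functions over a captured redirect chain and page body; an HTTPS-to-HTTP hop on a download, or a script the page does not normally load, is worth comparing against the same request made over a trusted path.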
The reports further document extensive censorship measures, with access to vital human rights and news outlets severely restricted. Websites such as Al Jazeera and Human Rights Watch have faced systematic blockage, showcasing the chilling effect on free information flow within the region.
In addressing these findings, Citizen Lab reached out to Sandvine regarding the identified misuse of its products, but the company disputed the allegations, labeling the report misleading and demanding the return of the analyzed PacketLogic device. This controversy underscores the complexities surrounding accountability and transparency in the cybersecurity landscape.
This investigation by Citizen Lab was initiated following previous disclosures by ESET researchers, who flagged similar instances of spyware distribution via compromised downloads at the ISP level in other countries. Monitoring these developments is crucial for understanding the evolving landscape of state-sponsored cyber operations aimed at undermining user privacy and stifling dissent.
Viewed through the MITRE ATT&CK framework, the malicious redirects and altered software downloads map to initial access and execution techniques. Once the bundled spyware runs, it gives attackers the means to establish persistence, escalate privileges, and ultimately manipulate user experiences on a broad scale.
As global business owners remain vigilant concerning cybersecurity, these revelations serve as crucial reminders of the potential vulnerabilities inherent within internet infrastructure and the need for robust protective measures against such targeted threats.