Canadian researchers from Human Rights organization Citizen Lab uncovered a major computer espionage operation spreading across Turkey, Egypt and, indirectly, Syria. The operation, which started in 2017, is a nation-state-level network injection to deliver spyware.
According to the research, deep packet inspection (DPI) middleboxes, hardware developed by Canadian-American company SandVine, were used by local ISPs Türk Telekom and Telecom Egypt for nationwide surveillance. The goal was to trick users into downloading programs bundled with spyware created by GammaGroup.
Hundreds of targeted users from Turkey and Syria were redirected “to nation-state spyware when those users attempted to download certain legitimate Windows applications.” Some users in Syria were also affected because some systems route into the Turkish operator. Those who tried to download Avast Antivirus, CCleaner, Opera and 7-Zip from their official websites were also affected.
Once the system was infected, a third party took complete control of the device, including microphone and camera. In Egypt, users with an unencrypted connection (non-HTTPS) were redirected to a fraud campaign trying to make money through affiliate ads and browser cryptocurrency-mining scripts.
“The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns,” reads the report.
In Turkey and Egypt, the middleboxes were also used to block any type of content related to politics, human rights and journalism on websites such as Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, HuffPost Arabic, Wikipedia, the Dutch Broadcast Foundation (NOS) and the Kurdistan Workers’ Party (PKK).
Even more troubling is the fact that technology developed by two Western companies made it all possible. It appears the spyware is similar to that used in the StrongPity APT attacks that targeted Italian and Belgian users. This spyware is less sophisticated than FinFisher which is normally sold to governments, and has been used by the Turkish government in the past. According to researchers, the local governments were likely behind the operation. They manipulated the technology to suit their surveillance interests in specific IP addresses, while local ISPs fully cooperated for the code injection.