{
	"id": "47239c1f-9998-409c-bcd4-5c12b9d38025",
	"created_at": "2026-04-06T00:09:12.042817Z",
	"updated_at": "2026-04-10T03:35:28.793522Z",
	"deleted_at": null,
	"sha1_hash": "22523e8656f6d62bb80ff079e191f7ebb5d8b527",
	"title": "BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy Government Spyware in Turkey and Redirect Egyptian Users to Affiliate Ads?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4495451,
	"plain_text": "BAD TRAFFIC: Sandvine’s PacketLogic Devices Used to Deploy\r\nGovernment Spyware in Turkey and Redirect Egyptian Users to\r\nAffiliate Ads?\r\nArchived: 2026-04-05 17:12:15 UTC\r\nKey Findings\r\nThrough Internet scanning, we found deep packet inspection (DPI) middleboxes on Türk Telekom’s\r\nnetwork. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications.\r\nWe found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the\r\nmiddleboxes were apparently being used to hijack Egyptian Internet users’ unencrypted web connections\r\nen masse, and redirect the users to revenue-generating content such as affiliate ads and browser\r\ncryptocurrency mining scripts.\r\nAfter an extensive investigation, we matched characteristics of the network injection in Turkey and Egypt\r\nto Sandvine PacketLogic devices. We developed a fingerprint for the injection we found in Turkey, Syria,\r\nand Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and\r\nmeasured in a lab setting.\r\nThe apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in\r\nTurkey, Syria, and Egypt raises significant human rights concerns.\r\n1. Summary\r\nThis report describes how we used Internet scanning to uncover the apparent use of Sandvine/Procera Networks\r\nDeep Packet Inspection (DPI) devices (i.e. middleboxes) for malicious or dubious ends, likely by nation-states or\r\nISPs in two countries.\r\n1.1. Turkey\r\nWe found that a series of middleboxes on Türk Telekom’s network were being used to redirect hundreds of users\r\nattempting to download certain legitimate programs to versions of those programs bundled with spyware. The\r\nspyware we found bundled by operators was similar to that used in the StrongPity APT attacks. 
Before switching\r\nto the StrongPity spyware, the operators of the Turkey injection used the FinFisher “lawful intercept” spyware,\r\nwhich FinFisher asserts is sold only to government entities.\r\nTargeted users in Turkey and Syria who downloaded Windows applications from official vendor websites\r\nincluding Avast Antivirus, CCleaner, Opera, and 7-Zip were silently redirected to malicious versions by way of\r\ninjected HTTP redirects. This redirection was possible because official websites for these programs, even though\r\nthey might have supported HTTPS, directed users to non-HTTPS downloads by default. Additionally, targeted\r\nusers in Turkey and Syria who downloaded a wide range of applications from CBS Interactive’s Download.com (a\r\nhttps://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/\r\nPage 1 of 33\n\nplatform featured by CNET to download software) were instead redirected to versions containing spyware.\r\nDownload.com does not appear to support HTTPS despite purporting to offer “secure download” links.1\r\nOur scans of Turkey revealed that this spyware injection was happening in at least five provinces. In addition to\r\ntargets in Turkey, targets included some users physically located in Syria who used Internet services relayed into\r\nSyria by Türk Telekom subscribers, sometimes via cross-border directional Wi-Fi links. In one case, more than a\r\nhundred Syrian users appeared to share a single Turkish IP address. Based on publicly available information we\r\nfound on Wi-Fi router pages, at least one targeted IP address appears to serve YPG (Kurdish militia) users. YPG\r\nhas been the target of a Turkish government air and ground offensive which began in January 2018. Areas not\r\ncontrolled by the YPG also appear to be targeted, including the area around Idlib city.\r\n1.2. Egypt\r\nWe found similar middleboxes at a Telecom Egypt demarcation point. 
The middleboxes were being used to\r\nredirect users across dozens of ISPs to affiliate ads and browser cryptocurrency mining scripts. The Egyptian\r\nscheme, which we call AdHose, has two modes. In spray mode, AdHose redirects Egyptian users en masse to ads\r\nfor short periods of time. In trickle mode, AdHose targets some JavaScript resources and defunct websites for ad\r\ninjection. AdHose is likely an effort to covertly raise money.\r\n1.3. Technology Matches Sandvine PacketLogic\r\nAfter an extensive investigation, we matched characteristics of the middleboxes in Turkey and Egypt to Sandvine\r\nPacketLogic devices. Sandvine’s PacketLogic middleboxes can prioritize, degrade, block, inject, and log various\r\ntypes of Internet traffic. The company that makes PacketLogic devices was formerly known as Procera Networks,\r\nbut was recently renamed Sandvine after Procera’s owner, U.S.-based private equity firm Francisco Partners,\r\nacquired Ontario-based networking equipment company Sandvine and combined the two companies in 2017.\r\nFrancisco Partners has a number of investments in dual-use technology companies, including providers of Internet\r\nsurveillance and monitoring tools such as NSO Group, an Israeli company that develops and sells mobile spyware.\r\nNSO Group’s spyware has been used in several countries to target journalists, lawyers, and human rights\r\ndefenders.\r\nA 2014 article in a Turkish Newspaper mentioned that Turkey had begun negotiations with Procera to buy a\r\nPacketLogic system for surveillance and censorship purposes; the deal reportedly caused consternation within the\r\ncompany.\r\n1.4. 
Blocking Human Rights and Political Content\r\nIn Egypt and Turkey, we also found that devices matching our Sandvine PacketLogic fingerprint were being used\r\nto block political, journalistic, and human rights content.\r\nIn Egypt, these devices were being used to block dozens of human rights, political, and news websites including\r\nHuman Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic. In Turkey, these\r\ndevices were being used to block websites including Wikipedia, the website of the Dutch Broadcast Foundation\r\n(NOS), and the website of the Kurdistan Workers’ Party (PKK).\r\n1.5. Procera/Sandvine employees on the ground?\r\nA search of LinkedIn reveals profiles for a Procera Networks “Solutions Engineer” in Istanbul, Turkey and a\r\nSandvine (formerly Procera Networks) “Resident Engineer – Senior Level” in Egypt. Sandvine’s “Careers” page\r\ndescribes the responsibilities of a position entitled “Resident Operations Engineer,” including “performing\r\noperations based activities, residing at the customer’s location,” and “working closely with the customers’\r\noperations and development teams.” A 2016 Procera “use cases” brochure2 has a section on “Regulatory\r\nCompliance – Traffic Blocking,” which mentions that the company provides “resident engineering services” to\r\nsupport government mandates on Procera’s customers that require blocking of services like VPNs or VoIP. In light\r\nof this information, on February 12, 2018, we sent a letter to Sandvine and asked whether Sandvine maintains a\r\nresident solutions engineer or other support staff in Turkey or Egypt. 
Sandvine did not respond to this question.\r\nThe prospect of in-country work of this sort, especially at the large ISP level, raises questions regarding company\r\nawareness of, or participation in, activities with significant human rights impact.\r\nOur February 12, 2018 letters to Sandvine and Francisco Partners summarized the findings of our report and\r\ncontained detailed questions about our findings and their corporate social responsibility practices. A February 16,\r\n2018 letter from Sandvine characterized the statements in our letter as “false, misleading, and wrong,” and\r\ndemanded that we return the second-hand PacketLogic device that we used to confirm attribution of our\r\nfingerprint. On February 20, 2018, Francisco Partners sent its own response, stating that the firm “recognizes the\r\nimportance of corporate governance and social responsibility.” On March 1, 2018, Citizen Lab replied to\r\nSandvine. Our interactions with Sandvine and Francisco Partners are discussed in further detail in Section 7.\r\n2. Background: Nation-State Network Injection\r\nNation-state-level network injection to deliver spyware has long been the stuff of legends.  There have been many\r\nleaked documents and vendor claims outlining purported nation-state network injection capabilities but there are\r\nno concrete public measurements that conclusively establish nation-state spyware injection in the wild.\r\nIn network injection, a middlebox operates over connections between a target and an Internet site they are visiting.\r\nIf the connection is unauthenticated (e.g., HTTP and not HTTPS), then the middlebox can be used to tamper with\r\ndata to inject a spoofed response from the Internet site.  The spoofed response may contain redirects to exploits or\r\nspyware to infect and monitor the target. 
A significant portion of web traffic (approximately 20-30% in the United\r\nStates) still does not use HTTPS, according to Google.\r\nBroadly, network injection systems are divided into two categories: an on-path system (also called a man-on-the-side) can simply add Internet traffic to the network, whereas an in-path system (also called a man-in-the-middle)\r\ncan add traffic and also suppress legitimate traffic. A malicious response injected by an on-path system is easier\r\nfor researchers to detect, because the target receives both the legitimate and malicious response. The presence of\r\ntwo non-similar responses to the same request is a good indicator of on-path network injection. The target’s device\r\nwill process whichever response is received first, so the goal of an on-path system is to inject a malicious response\r\nthat reaches the user before the legitimate response. However, such a system cannot always guarantee that the\r\ntarget’s device will see the malicious response first, due to unpredictable network delays and reordering.\r\n2.1. On-Path Systems\r\nNSA QUANTUM\r\nBased on information from documents leaked from the U.S. National Security Agency (NSA), NSA’s\r\nQUANTUM is an on-path network injection system, and has been used to target engineers associated with\r\nBelgian telco Belgacom, employees of OPEC, and Tor users accessing terrorist content. NSA’s QUANTUM has\r\nnever been publicly measured in the wild, but leaked documents indicate that it functions by injecting HTTP\r\nredirects into targeted users’ connections.\r\nHacking Team Network Injection Appliance (NIA)\r\nAccording to a patent filed in 2010 by nation-state spyware vendor Hacking Team, and leaked documents, the\r\ncompany may have developed a similar on-path network injection system called the Hacking Team Network\r\nInjection Appliance (NIA). 
This system has never been publicly measured in the wild. The patent indicates that\r\nthe NIA functions by injecting HTTP redirects into targeted users’ connections.\r\n2.2. In-Path Systems\r\nFinFly ISP\r\nLeaked documents from nation-state spyware vendor FinFisher indicate that the company sells an in-path network\r\ninjection system called FinFly ISP. The complex system supports a number of unique features, such as rewriting\r\ndownloaded binaries on-the-fly. The system was apparently sold to governments in Mongolia and Turkmenistan,\r\nand at least one additional customer that could not be identified from the 2014 FinFisher leaked documents. This\r\nsystem has never been publicly measured in the wild.\r\nChina’s Great Cannon\r\nChina’s Great Cannon is an in-path network injection system, which was used in 2015 (and perhaps as recently\r\nas 2017) to inject JavaScript that enlists targets’ browsers in distributed denial of service (DDoS) attacks against\r\nthe Chinese diaspora’s efforts to spread censored information. In a 2015 report, we hypothesized that the Great\r\nCannon could also be used to distribute spyware, but this has never been publicly measured in the wild.\r\nSandvine PacketLogic\r\nAccording to our measurements (Section 3.3), Sandvine’s PacketLogic product supports in-path network\r\ninjection. The company advertises that they support “regulatory compliance” but does not mention spyware\r\ninjection. Nevertheless, the product has support for defining rules that inject data into targeted connections\r\n(Figure 4). As we document in this report, the PacketLogic product may have been used by government-linked\r\nentities in both Turkey and Egypt to inject spyware.\r\n2.3. 
The Procera/Sandvine Value Proposition\r\nA Procera “use cases” brochure3 has a section on “Regulatory Compliance – Traffic Blocking.” The section links\r\nto a 2002 article by Electronic Frontiers Australia entitled “Internet Censorship: Law \u0026 policy around the world”\r\nand mentions that “Procera’s solutions provide the capabilities to identify and block, or shape down to become\r\nunusable, any identifiable service network wide or on an individual subscriber basis.”\r\nProcera appears to have pitched its services as a win-win for both ISPs and governments that require Internet\r\ncensorship solutions, or as a way for ISPs to save money while implementing regulatory requirements that do not\r\ngenerate any revenue:\r\n“Operators that are required to filter content from their networks by governmental regulations are struggling to\r\nfind solutions that can keep up with the explosive bandwidth growth of the past few years. Many telecom\r\noperators are required to invest several racks worth of equipment for a single use case with no return on\r\ninvestment through additional ARPU from subscribers.”\r\nThe document describes the close ongoing relationship Procera may have maintained with its clients to help them\r\nimplement “regulatory requirements,” in some cases apparently having a Procera employee assist government\r\nclients with censorship:\r\n“As an example, adult content can be opted in on an individual bases [sic] or services like Skype could be enabled\r\nfor corporate clients only. Procera updates it’s [sic] signature database on a weekly basis to stay up to date on\r\nchanges in what traffic looks like. Blocking proprietary over-the-top services will always remain a cat and mouse\r\ngame that requires local dedicated personnel to perform well. 
Procera can provide these resident engineering\r\nservices.”\r\nSandvine appears to offer instructor-led training sessions, such as the “Operating with PacketLogic” course. If\r\ndesired, Sandvine can offer such courses as a “customer-exclusive session delivered at the customer’s location”.\r\n3. Catching Nation-State Spyware Injection in the Wild\r\nThis section describes how we obtained the first-ever packet captures (PCAPs) of nation-state spyware injection,\r\nand how we matched the characteristics of the spyware injection to Sandvine PacketLogic devices.\r\n3.1. An Initial Report\r\nA September 2017 report revealed that ISPs in two (unnamed) countries were likely injecting FinFisher spyware\r\ninto targeted users’ Internet connections when the users tried to download popular Windows applications. The\r\ninjection was implemented using HTTP redirects matching the format shown in Figure 1.\r\nHTTP/1.1 307 Temporary Redirect\r\nLocation: [location]\r\nConnection: close\r\nFigure 1\r\nInjected HTTP 307 redirect to spyware seen in two countries.\r\nA follow-up report in December 2017 found no further evidence of spyware injection from one of the two\r\ncountries from the original report and found that operators of the injection in the second country switched from\r\nFinFisher spyware to a piece of spyware that was similar to the StrongPity spyware. StrongPity was an\r\nunattributed APT operation in 2016 that primarily targeted individuals in Italy and Turkey.\r\n3.2. Scanning and Identifying Countries\r\nDiscovering that an ISP or government is tampering with a user’s Internet connection by injecting malicious\r\nresponses to the user’s requests is difficult. Typically, this requires the user to send requests, record the responses\r\nthey receive, and share this data with researchers. 
However, we find that some network injection is bidirectional:\r\nwe can sometimes receive a malicious injected response when we send a request to a targeted user.\r\nWe checked Shodan, a website on which anyone can search the results of global Internet scans, for the header\r\nformat in Figure 1, and found thousands of IP addresses in dozens of countries returning similar (non-malicious)\r\nredirects,4 sometimes to landing pages about billing like “Your Internet service has been suspended for non-payment.” It seemed peculiar to us that Shodan saw these messages when it scanned the IP address of a customer\r\nwho was suspended for non-payment, because the messages would only need to be visible to the customer\r\nthemself. The fact that Shodan received responses from thousands of IP addresses matching the same header\r\nformat used to inject FinFisher spyware in two countries (Figure 1) suggested to us that the spyware injection\r\nmight also be bidirectional.\r\nWe scanned the Internet in October 2017, sending every IPv4 address an HTTP request to download the Opera\r\nWeb Browser, one of the applications that a September 2017 report indicates was targeted for spyware injection.\r\nOur initial scan found dozens of IP addresses on Türk Telekom that returned 307 redirects such as the ones in\r\nFigure 2.\r\nHTTP/1.1 307 Temporary Redirect\r\nLocation: https://downloading.internetdownloading.co/down.php?a=2ec8a93a73540467335f4365beee7e44\r\nConnection: close\r\nHTTP/1.1 307 Temporary Redirect\r\nLocation: https://downloading.syriantelecom.co/pcdownload.php?a=20755b98d7c094747b75b157413e3422\r\nConnection: close\r\nFigure 2\r\nInjected HTTP 307 spyware redirects we observed in Turkey when performing HTTP requests for Opera.\r\nWe successfully fetched the files from a Turkish IP address using a VPN. When we tried to fetch the files from a\r\nnon-Turkish IP, we received a 503 Service Temporarily Unavailable message. 
The files were similar to the\r\nStrongPity spyware.5\r\nWe continued to perform scanning of Turkey and set out to fingerprint the middlebox performing the spyware\r\ninjection. As part of our scanning, we obtained packet captures (PCAPs) that show network-level details of the\r\nspyware injection. These are the first ever public PCAPs showing nation-state spyware injection.\r\n3.3. Attribution of Middlebox to Sandvine\r\nFingerprint Elements\r\nBased on our PCAPs, we identified several elements of the injection in Turkey which, in conjunction, form what\r\nwe believe to be a highly distinctive fingerprint:\r\n1. In all injected packets, the IPID is always 13330 (0x3412, which is 0x1234 endian-swapped).\r\nThis value is unusual, as the IPID is typically incremented or pseudorandomly generated,\r\nand is not a fixed value.\r\n2. In all packets, the IP flags are all zero. This characteristic is unusual as modern TCP stacks typically\r\ndefault-enable Path MTU Discovery for TCP sockets, which results in the “don’t fragment” IP flag being\r\nset to 1.\r\n3. The injected packet received by the client is either an empty RST/ACK packet, or a FIN/ACK\r\npacket, with an HTTP 307 redirect whose headers exactly match the form of redirect in Figure 1.\r\n4. If a FIN/ACK is injected, then the injector sends an unsolicited final ACK packet to the client\r\n~100ms later. This behaviour is unusual, as a well-behaving TCP stack would wait to see the FIN/ACK\r\nfrom the client before sending the final ACK.\r\nGiven the well-documented controversy over the installation of Sandvine PacketLogic devices in Turkey, we\r\npurchased a PacketLogic device second-hand to confirm whether its behaviour matched our fingerprint.\r\nOur Second-Hand PacketLogic Device\r\nWe purchased a Sandvine PacketLogic device second-hand. 
The device was a PacketLogic PL7720, which is a 2U\r\nrackmount version of PacketLogic with Procera livery. This model is well past its designated end-of-life date and\r\nno longer serviced by the company. The device was installed with firmware version 12.1, which was released in\r\n2009. The device also contained a PacketLogic license file that appeared to be valid in perpetuity for the currently\r\ninstalled version of the firmware but which cannot be used to upgrade to a later version. Version 12.1 appears to\r\nbe the earliest version of PacketLogic firmware to contain support for network injection.6\r\nThe device has two USB ports, an RS232 (on RJ45) serial console port that can be used to access a text-based\r\nmenu configuration system, two management ethernet ports, and a single channel over which the middlebox\r\noperates. The channel has an internal ethernet port (Int) and an external ethernet port (Ext). The middlebox would\r\ntypically operate over traffic flowing between a local network (connected to the Int port), and the rest of the\r\nInternet (connected to the Ext port). An operator could add rules to the middlebox to take certain actions over this\r\ntraffic (e.g., block traffic to a website, inject traffic for targeted users, etc.).\r\nWe powered up the device and connected through its Admin management port. We used an old version of the\r\nPacketLogic Client available on the Internet Archive to interface with the device, as no current version of the\r\nPacketLogic Client on Sandvine’s website appeared to support version 12.1 of the firmware. We used the default\r\npassword “pldemo00” printed on the device to log in. We connected one experiment computer to the PacketLogic\r\ndevice’s Ext port, and a second experiment computer to the Int port in order to observe characteristics of the\r\ndevice’s operation. 
At no time did we connect the device to the Internet.\r\nRedirecting Users to a Malicious File\r\nWe added a rule to redirect users who requested an Avast Antivirus setup file to a malicious file. This test involved\r\ncreating a PropertyObject to match requests whose URL ended in the filename for Avast Antivirus:\r\navast_free_antivirus_setup_online.exe, and then a Filtering Rule to redirect all connections matching the\r\nPropertyObject to a malicious file. This redirection used the built-in Inject action. The PacketLogic GUI has an\r\n“Insert 307 Temporary Redirect” button that, when pressed, pastes an HTTP 307 Temporary Redirect response\r\nidentical to element 3 of our fingerprint (at the start of this section). The PacketLogic operator can configure the\r\n“Location” header, which is initially blank; in this case, we entered: http://example.com/spyware.exe.\r\nWithout any further configuration, this rule caused our PacketLogic device to inject the redirect in response to a\r\nmatching request in either direction (internal to external, or external to internal).  This mirrors our experience of\r\nbeing able to reproduce spyware injection in Turkey from requests sent external to internal. We noticed that we\r\ncould add an extra condition to the rule in order to restrict the injection to a single direction.\r\nOur experiment matched elements 1-3 of our fingerprint, but did not completely match element 4. Specifically,\r\nour PacketLogic middlebox injected an unsolicited final ACK back-to-back after the FIN/ACK containing the 307\r\nTemporary Redirect instead of injecting it following the ~100ms delay we observed in Turkey and Egypt. 
Our\r\nversion of the PacketLogic firmware (12.1) was the first to support injection; we hypothesize that the ~100ms\r\ndelay between the data packet and the final ACK was added in a later firmware version, potentially to reduce the\r\nprobability of the ACK being reordered before the FIN/ACK; such a reordering would cause the injection\r\nrecipient’s TCP connection to hang in the LAST_ACK state, which is the scenario that sending the ACK seeks to\r\navoid.\r\nFigure 5 shows an excerpt from our client-side PCAP that captures the injection from our test PacketLogic\r\ndevice. Note that the IPID is 13330 in both injected packets, both injected packets have no IP flags, the format of\r\nthe HTTP 307 redirect is what we expect, and the final ACK packet is unsolicited.\r\nClient sends GET request for Avast file\r\n17:28:25.024018 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 170)\r\n192.168.1.27.49458 \u003e 192.168.1.26.8080: Flags [P.], seq 1:119, ack 1, win 4117, options [nop,nop,TS val 75636371\r\nGET /avast_free_antivirus_setup_online.exe HTTP/1.1\r\nHost: 192.168.1.26:8080\r\nUser-Agent: curl/7.54.0\r\nAccept: */*\r\nClient receives injected data (redirect to spyware file)\r\n17:28:25.024300 IP (tos 0x0, ttl 64, id 13330, offset 0, flags [none], proto TCP (6), length 134)\r\n192.168.1.26.8080 \u003e 192.168.1.27.49458: Flags [F.], seq 1:95, ack 119, win 32120, length 94: HTTP, length: 94\r\nHTTP/1.1 307 Temporary Redirect\r\nLocation: http://example.com/spyware.exe\r\nConnection: close\r\nClient receives injected ACK\r\n17:28:25.024302 IP (tos 0x0, ttl 64, id 13330, offset 0, flags [none], proto TCP (6), length 40)\r\n192.168.1.26.8080 \u003e 192.168.1.27.49458: Flags [.], seq 96, ack 120, win 32120, length 0\r\nFigure 5\r\nPacketLogic spyware injection from the client side.\r\nFigure 6 shows an excerpt from 
our server-side PCAP that captures the injection from our test PacketLogic\r\ndevice. Note that the server side does not receive the HTTP request for the Avast file. Instead, it receives an\r\ninjected RST packet with IPID 13330 and no flags. Note that the timestamp discrepancy in the PCAP files is\r\nbecause the server and client clocks were not synchronized.\r\nServer receives injected RST\r\n17:28:06.715257 IP (tos 0x0, ttl 64, id 13330, offset 0, flags [none], proto TCP (6), length 40)\r\n192.168.1.27.49458 \u003e 192.168.1.26.8080: Flags [R], seq 681001116, win 32120, length 0\r\nFigure 6\r\nPacketLogic spyware injection from the server side.\r\n3.4. Shared Code: A Competing Hypothesis\r\nOur technical attribution (Section 3.3) can only establish that code that makes the same distinctive\r\nimplementation choices as PacketLogic’s was used in the injection in Turkey and Egypt. It is possible that another\r\nvendor copied PacketLogic’s design, such as by studying and exactly re-implementing PacketLogic’s custom TCP\r\nstack and HTTP header format in injected redirects. It is also possible that, with or without Sandvine’s knowledge,\r\na third party obtained and copied PacketLogic’s code. It might also be possible that both Sandvine and other\r\ncompanies drew their code from the same third-party codebase.\r\nThere are, however, several reasons why the shared code hypothesis is unlikely to be an accurate explanation of\r\nour findings. 
First, the 2016 controversy within Procera about selling their solution to Turkey for surveillance\r\n(referred to in Section 1.3) indicates a possible prior business relationship between the company and Turkey.\r\nSecond, we have not been able to locate any codebase with both the same distinctive IPID value and the same\r\ndistinctive HTTP header format;7 the only references to IPID values of 13330 (0x3412) we found were a 2016\r\nOONI report about the ad injection we mention in Section 5, and a 2004 forum post by an individual in Sweden\r\ncurious as to why he was seeing IPID values of 13330 when he tried to ping the IP addresses of his website’s\r\nvisitors with unsolicited TCP segments. It is significant in this regard that it was a Swedish company, Netintact\r\nAB, founded in 2000, that developed and sold the PacketLogic product before Procera acquired the company in\r\n2006. Third, performing single packet injection in a TCP connection is a relatively simple feat to achieve; an\r\nengineer wishing to implement this functionality would likely not need to study or copy another implementation.\r\n4. Turkey Case: Targeted Malware Injection\r\nThis section describes how DPI equipment that matches our Sandvine PacketLogic fingerprint is used to inject\r\nmalware to users in Turkey and Syria who attempt to download common Windows software.\r\n4.1. Turkey Background: Information Controls and Surveillance\r\nIn spite of being a parliamentary democracy with decades of multi-party elections, Turkey’s government is\r\ncharacterized by corruption, human rights abuses, and autocratic tendencies on the part of the current Prime\r\nMinister Recep Tayyip Erdoğan. Turkey’s military has traditionally been an important and occasional overbearing\r\npresence in domestic politics, with the country experiencing several coup attempts. Information controls played an\r\nimportant part in the most recent such attempt, which was foiled by President Erdoğan in July 2016. 
Prior to the\r\ncoup attempt, Turkish authorities routinely throttled access to prominent social media sites, such as Twitter and\r\nFacebook. Erdoğan used Apple’s Facetime video calling application during the coup attempt to plead with the\r\nTurkish public to resist the plotters. While restrictions on social media were softened to facilitate popular\r\nopposition to the coup, the openness was short lived, with Internet censorship returning (and even increasing) after\r\nErdoğan successfully re-asserted his authority.\r\nAlthough there is widespread and growing popularity of social media in Turkey, which provides citizens with an\r\nalternative to conservative state-controlled mainstream media, the country has one of the most extensive Internet\r\ncensorship regimes in the world. ISPs routinely throttle access to popular social media, make frequent requests to\r\nservice providers to remove content, and even implement occasional regional shutdowns. According to Twitter’s\r\ntransparency report, Turkey led the world with 2,710 removal requests in the first six months of 2017. Although\r\nTurkey’s numerous security threats, and in particular those related to Islamist and other terrorist attacks, are\r\nprovided as justifications for such expansive controls, Internet censorship has included a broad range of other\r\ncontent such as criticism of the Erdoğan regime.\r\nThe first Internet-related legislation in Turkey was passed in 2007. It is called “Law No. 5651, Regulation of\r\nPublications on the Internet and Suppression of Crimes Committed by means of Such Publications,” or “Internet\r\nLaw” for short. The Internet Law introduced Internet censorship across a range of content categories and\r\nmandated service providers to monitor online content passing through their infrastructure. 
Additional laws and broader information controls were applied in the aftermath of the 2013 Gezi protests, including Law No. 6532, passed in April 2014, which criminalized “the leaking and publication of secret official information, punishable by a prison term of up to nine years.” The law authorizes the Turkish intelligence agency, Milli İstihbarat Teşkilatı (MIT), to “collect data relating to external intelligence, national defense, terrorism, international crimes and cyber security passing via telecommunication channels.” These laws and practices have imposed strict responsibilities on ISPs to block and disrupt access to targeted URLs (in some cases through DNS poisoning), and to monitor and archive Internet traffic for two years. The responsibilities have, in turn, prompted the acquisition of mass and targeted surveillance technologies. A 2014 Citizen Lab report traced activity related to Hacking Team spyware to an IP address owned by Türk Telekom, and a 2015 report mapped FinFisher spyware to Turkey.\r\nMIT’s practical implementation of the 2014 national security laws requires the cooperation of the Turkish telecommunications sector, which is centralized around Türk Telekom. While technically a private company, Türk Telekom is heavily controlled by the ruling AKP party. The AKP exerts influence over Türk Telekom through its supposedly independent regulator, the Information and Communications Authority (which is itself controlled by the state), as well as a large ownership stake controlled by the Turkish Treasury department. The government’s direct influence over Türk Telekom was demonstrated following the July 2016 coup attempt, when several Türk Telekom senior executives were purged from the company.\r\n4.2. Localizing the Targets of Turkey’s Malware Injection\r\nIn a February 2018 scan of Turkey, we identified five different malicious domain names that were injected in response to HTTP requests for Opera. 
We performed traceroutes for the targeted IP addresses and found targeting in at least five provinces, based on names we found in the furthest downstream reverse DNS (PTR) record. Figure 7 shows the five provinces where we identified injection.\r\nOver five months of scanning we found a total of 259 targeted IP addresses. However, this is not a complete count of targeted IP addresses; we could only measure IP addresses that responded to our scans (i.e., had an open TCP port).\r\nWe were able to develop a general sense of target identities by scraping data from public router pages hosted on some of the IP addresses. The pages show names chosen by the people who set up the routers, including names of users sharing the connection. In some cases, the names chosen were of Syrian cities. We conducted on-the-ground testing in one such Syrian city and found that all users of a particular Internet reseller (sharing the same Türk Telekom IP) were targeted. We also found several router pages showing names containing “ypg” (e.g., ciwan.ypg and ypg-matar), indicating possible targeting of YPG (Kurdish militia) members or facilities. We also found that some routers were named for resellers in Turkey and Syria. We found Facebook pages for some of the named resellers which showed images of the resellers building infrastructure to provide Internet access using Türk Telekom leased lines (Figures 8 and 9).\r\nAfter we sent letters to Sandvine and Francisco Partners on February 12, 2018, we ran tests on February 14 and February 16, 2018 which found that two targeted IP addresses (on which we had observed injection since October 2017) no longer produced injection. 
We conducted a full scan of Turkey on March 7, 2018 and found that these two IP addresses again produced injection, but with different domain names. Our March scan also found that the operators of the injection had changed some of the injected domain names.\r\nMalware Domain (February 2018) | Malware Domain (March 2018) | Injection Targets Downstream from Location\r\nsolitude.file-download[.]today | system.filedownloaders[.]com | Hatay\r\nsystem.documentations[.]live | epoch.englishdownloaders[.]today | Gaziantep\r\nepiphany.download-document[.]world | epiphany.download-document[.]world | Ankara (Ulus quarter)\r\nepoch.wind-files[.]today | document.downloadingsystem[.]com | Adana\r\ninternet.document-management[.]today | internet.downloadingdocuments[.]com | Diyarbakir\r\n4.3. Identifying Targeted Applications\r\nWe performed testing of targeted IP addresses to see what additional applications were being targeted. We sent requests like the one in Figure 10 for a variety of paths and filenames matching popular Windows software. We tested filenames associated with the IOCs from two earlier reports, as well as the top 20 Windows applications on Download.com (one of the IOCs from previous reports pointed to a file called avast_free_antivirus_setup_online_cnet1.exe).\r\nGET [path] HTTP/1.1\r\nConnection: close\r\nFigure 10\r\nForm of requests that we sent to test for targeted applications.\r\nWe found at least ten applications whose downloads were targeted for spyware injection. 
Figure 11 lists the targeted applications we found, and for each application, a non-exhaustive list of websites where targeted users’ downloads of these applications would be injected with spyware.\r\nPath | Application the path typically corresponds to | Sites where downloading the application fetches this path unauthenticated over HTTP\r\n/opera/stable/windows | Opera | opera.com\r\n/vlc-2.2.8-win32.exe | VLC | download.videolan.org\r\n/ccsetup539.exe | CCleaner | ccleaner.com, download.com\r\n/wrar550.exe | WinRAR 32-bit | download.com\r\n/wrar540tr.exe | WinRAR 32-bit Turkish | ?\r\n/winrar-x64-550.exe | WinRAR 64-bit | download.com\r\n/winrar-x64-550tr.exe | WinRAR 64-bit Turkish | ?\r\n/7z1701.exe | 7-Zip | 7-zip.org\r\n/7z1701-x64.exe | 7-Zip (64-bit) | 7-zip.org\r\n/avast_free_antivirus_setup_online.exe, /avast_free_antivirus_setup_online_cnet1.exe | Avast Antivirus | avast.com, download.com\r\n/driver_booster_setup.exe | Driver Booster | iobit.com\r\n/SkypeSetup.exe | Skype | download.com\r\n/advanced-systemcare-setup.exe | Advanced SystemCare | iobit.com\r\nFigure 11\r\nApplications targeted for spyware injection in Turkey (“?” marks a path for which we did not identify the download site).\r\nSome of these websites supported HTTPS, but did not redirect users to the HTTPS version when directly visited. As an example, when a user visited opera.com (the unencrypted version), they were not redirected to the HTTPS-encrypted version automatically. According to Internet Archive data, Opera seems to have fixed the issue on March 7, 2018, between 07:26 GMT and 16:04 GMT. 
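Both the probing described under Figure 10 and the site-side weaknesses discussed in this subsection can be checked mechanically. The Python below is an added example and not the report's scanner: it builds the Figure 10 request, classifies a reply as injected when it is a 307 whose Location leaves the host that was asked, audits whether a plain-HTTP landing page sends the browser to HTTPS, and lists installer links that an HTTPS page hands out as http:// URLs (the downgrade the next paragraph describes for avast.com, iobit.com and ccleaner.com). The target address, the replies, the transport stub and the vendor page are constructed for the example; the injected domain in the sample reply is one the report observed, but its path is assumed.

```python
"""Added example (not the report's scanner) for Section 4.3: classify replies
to Figure 10 probes, and audit a download site for plain-HTTP weaknesses.
Hosts, replies and the sample page are constructed; see the comments."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# A few of the paths the report found targeted (Figure 11); the scan tried more.
TARGETED_PATHS = ["/opera/stable/windows", "/vlc-2.2.8-win32.exe",
                  "/ccsetup539.exe", "/7z1701.exe",
                  "/avast_free_antivirus_setup_online_cnet1.exe"]
INSTALLER_EXT = (".exe", ".msi", ".zip", ".rar")   # assumed list


def build_request(path, host=None):
    """Figure 10 shape; Host is optional because the injection keyed on the path."""
    lines = [f"GET {path} HTTP/1.1"] + ([f"Host: {host}"] if host else [])
    return "\r\n".join(lines + ["Connection: close"]) + "\r\n\r\n"


def parse_response(raw):
    """(status, {lower-cased header: value}) from a raw reply, or (None, {})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", head[0])
    if not m:
        return None, {}
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def classify(requested_host, raw):
    """'injected' when a 307 sends the client to a host other than the one asked."""
    status, headers = parse_response(raw)
    if status is None:
        return "unparseable", None
    if status == 307 and "location" in headers:
        target = (urlsplit(headers["location"]).hostname or "").lower()
        if target != requested_host.lower():
            return "injected", target
        return "same-host-redirect", target
    return "clean", None


def probe(target, send, paths=TARGETED_PATHS):
    """Run every probe path against one IP. `send(target, request_bytes)`
    returns the reply and is the caller's transport (socket, PCAP replay, ...)."""
    hits = {}
    for path in paths:
        verdict, where = classify(target, send(target, build_request(path).encode()))
        if verdict == "injected":
            hits[path] = where
    return hits


def redirects_to_https(raw):
    """True only if a plain-HTTP fetch of the site answers with an https redirect."""
    status, headers = parse_response(raw)
    return (status in (301, 302, 307, 308)
            and urlsplit(headers.get("location", "")).scheme == "https")


class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def insecure_download_links(page_url, html):
    """Installer links that an HTTPS page hands out over plain HTTP (Figure 12)."""
    parser = _Links()
    parser.feed(html)
    return [url for url in (urljoin(page_url, h) for h in parser.hrefs)
            if urlsplit(url).scheme == "http" and url.lower().endswith(INSTALLER_EXT)]


# Constructed replies and page (TEST-NET target; the path in INJECTED is assumed).
INJECTED = (b"HTTP/1.1 307 Temporary Redirect\r\n"
            b"Location: http://solitude.file-download.today/opera/stable/windows\r\n"
            b"Connection: close\r\n\r\n")
CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ..."
UPGRADE = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://203.0.113.7/\r\n\r\n"
VENDOR_PAGE = ('<a href="/dl/setup.exe">Download</a> '
               '<a href="http://cdn.example/x.exe">Mirror</a> '
               '<a href="https://example.org/y.exe">Secure</a>')


def fake_send(target, request):
    """Stand-in transport: only the Opera path is 'targeted' on this host."""
    return INJECTED if request.startswith(b"GET /opera/") else CLEAN


if __name__ == "__main__":
    print(probe("203.0.113.7", fake_send))
    print(redirects_to_https(UPGRADE), redirects_to_https(INJECTED))
    print(insecure_download_links("https://vendor.example/download", VENDOR_PAGE))
```

The classifier deliberately keys on the Location host rather than on the status code alone, because origin servers also emit 307s; a redirect that stays on the requested host is reported separately so it is not mistaken for injection.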
Surprisingly, some websites we tested, like avast.com, iobit.com, and ccleaner.com, used HTTPS on their main website but directed users to download links that did not use HTTPS. While the user saw an HTTPS page in their browser, the file that the page downloaded to their computer was fetched via HTTP (Figure 12). Targeted users in Turkey and Syria would have received spyware instead of the legitimate version of the app. Sometime after February 13, 2018, Avast fixed one page on their avast.com site to use HTTPS for downloads. However, as of the publication date of this report, another page on avast.com redirects users to an insecure download on download.com. Piriform fixed their ccleaner.com site to use HTTPS for downloads sometime after February 23, 2018. Also, as of the date of publication, some websites we list in Figure 11 do not appear to support HTTPS at all, including download.com and 7-zip.org.\r\nThis situation can be particularly problematic for activists who may rely on advice to use apps like CCleaner and Avast. For example, the digital security guide Security in a Box advises the use of both products and links to the official websites of these products, both of which offered insecure downloads.\r\n4.4. Connection with FinFisher Campaign\r\nVirusTotal records that a sample of StrongPity-like spyware communicating with updserv-east-cdn3[.]com was downloaded from download.downloading[.]shop, the same site used to distribute samples of FinFisher. The updserv-east-cdn3[.]com server was also the command and control (C\u0026C) server for the samples of StrongPity-like spyware downloaded in a subsequent phase of the injection campaign that we observed, from sites including downloading[.]internetdownloading[.]co and downloading[.]syriantelecom[.]co.\r\n5. 
AdHose: Mass Connection Hijacking to Deliver Affiliate Ads in Egypt\r\nThis section describes how DPI equipment that matches our Sandvine PacketLogic fingerprint is installed on Telecom Egypt’s network at Egypt’s borders, and is used to deliver affiliate ads, cryptocurrency mining scripts, and perhaps nation-state spyware, to Egyptian Internet users.\r\n5.1. Egypt Background: Malware, Surveillance, and Censorship\r\nSeven years after the 2011 demonstrations in Cairo’s Tahrir Square, Egyptian President Abdel Fattah el-Sisi has escalated a violent crackdown against opposition and dissent. Under the guise of combating terrorism, particularly following a series of ISIS church bombings, the el-Sisi government has engaged in mass arrests, forced disappearances, and torture against targeted journalists, human rights defenders, and protesters. The brief window opened during the Arab Spring period has closed as el-Sisi has sought to strengthen his rule and silence critics of his regime.\r\nThe Egyptian government has been widely criticized for its human rights abuses and corruption. A May 2017 law ratified by el-Sisi was criticized as stifling dissent as it imposes new restrictions on foreign NGOs, subjects groups to additional security monitoring and financial reporting requirements, and imposes heavy fines on groups who publish without government permission. Reporters Without Borders has ranked Egypt 161st out of the 180 countries it included in its 2017 World Press Freedom Index. More than 15,000 civilians have been tried in military courts since 2014, and more than 800 people have been sentenced to death since 2013. Corruption is also endemic across all of society in Egypt, in spite of numerous attempts by various government agencies to rein it in. 
Transparency International ranked Egypt 108 out of 176 countries in its 2016 Corruption Perceptions Index.\r\nEgypt adopted a new constitution following a January 2014 referendum. While the revised constitution does contain provisions protecting freedom of expression, access to information, and freedom of the press, it also contains exceptions which allow censorship during periods of war or state of emergency. Prior to the 2011 Arab Spring, Egypt had generally been under a continuous state of emergency since 1958. Following a short reprieve in 2012, successive Egyptian governments have repeatedly reimposed emergency rule, most recently in January 2018. Such declarations expand the arrest and detention powers of security forces and permit media censorship. El-Sisi has also targeted the country’s judiciary by ratifying a bill which empowers him to select the courts’ chief justices. Several potential political candidates have been arrested or face intimidation and physical violence in advance of the March 2018 Presidential election. The election, which is virtually guaranteed to see el-Sisi elected to a second term, has been widely criticized as undemocratic.\r\nTelecommunications surveillance is facilitated under the 2003 Telecommunications Regulation Law. This law compels telecommunications operators to provide technical capacity for the military and national security entities to “exercise their powers within the law” as well as prohibiting the use of “telecommunication services encryption equipment” without written authorization from entities including the armed forces. Article 73 of the Telecommunications Law prohibits telecommunications providers from interfering with any part of a telecommunication message.\r\nThe ongoing crackdown against critical voices has extended to online censorship. The pre-Arab Spring Mubarak government did not engage in widespread online censorship. 
However, reports of censorship have increased in recent years. Testing conducted by the OONI project in 2016 confirmed reporting that Qatari-owned news website The New Arab and its Arabic language version were blocked.\r\nCensorship in Egypt has also reflected regional concerns. Egypt, and four other Arab states including Saudi Arabia, have accused Qatar of supporting terrorism and destabilizing the region. In response, Egypt was reported in May 2017 to have blocked access to 21 news websites for “supporting terrorism and spreading false news”. The blocked websites included Qatar-based Al Jazeera as well as prominent local independent news website Mada Masr. In September 2017 Egypt blocked the Human Rights Watch website one day after HRW released a report documenting the use of torture by the country’s security services.\r\nThe use of surveillance technology by the Egyptian government has been widely documented, particularly the technologies operated by an obscure intelligence agency called the Technical Research Department (TRD). A 2015 Citizen Lab report identified that a server used in the operation of FinFisher surveillance malware was present on networks operated by the TRD. Similarly, Privacy International obtained documents leaked from Nokia Siemens Networks which showed that the company sold an interception management system and monitoring centre to the TRD. The leaked emails from surveillance company Hacking Team indicated that the company had sold its surveillance malware system to the TRD for more than 1 million Euros.\r\nA 2017 Citizen Lab report documented a large-scale phishing campaign against Egyptian civil society members. Virtually all of the targets identified in this report were implicated in Case 173, a legal case brought by the Egyptian government against domestic NGOs. 
In this case, the government has accused NGOs of improperly receiving foreign funding and engaging in prohibited activities.\r\n5.2. Following up on Earlier Findings\r\nA September 2017 report found FinFisher spyware injected via an HTTP 307 redirect matching the format in Figure 1, using the URL http://108.61.165[.]27/setup/TrueCrypt-7.2.rar (MD5 024d37333bf79796813e76ada77720cd according to VirusTotal). That FinFisher sample’s command and control (C\u0026C) server is 199.195.193.34. We found another FinFisher sample (MD5 3947a9c9099d4728ff2ceaed2bd7edb3) with the same C\u0026C; VirusTotal records the sample as being downloaded from http://185.82.202[.]133/setup/Threema.rar. When we tested 185.82.202.133, we found that it was running cPanel, and the email address associated with the cPanel installation was an email address we know to be associated with the TRD based on past work the Citizen Lab has conducted. We conducted Internet scanning of Egypt, sending every IPv4 address an HTTP request to download the TrueCrypt setup file, but did not find any spyware injection. However, we discovered a system we call AdHose that was redirecting Egyptian Internet users to affiliate ads and cryptocurrency mining scripts.\r\nWe identify two modes of AdHose. In spray mode, a middlebox redirects Egyptian Internet users en masse to ads or cryptocurrency mining scripts whenever they make a request to any website. In trickle mode, only requests to certain URLs are redirected. It appears that spray mode is enabled sparingly, whereas trickle mode appears to be in operation mostly continuously.\r\n5.3. Discovering AdHose\r\nWhen checking Shodan for HTTP 307 redirects (Section 3.2), we noticed a large number of redirects returned by Egyptian IPs to what appeared to be an advertising site (Figure 14). 
The site embedded further redirects to affiliate ads.\r\nHTTP/1.1 307 Temporary Redirect\r\nLocation: http://static.dbmads.com/static.html\r\nConnection: close\r\nFigure 14\r\nSuspicious HTTP redirect returned by Egyptian IPs.\r\nWhile we were conducting an (unrelated) scan of the IPv4 Internet (from outside Egypt), we captured these redirects being injected, solely for IP addresses in Egypt. The redirects were injected during 32 minutes of our scan (on January 8, 2018 between 10:23:36 and 10:55:12 Egypt time). The advertising redirects were injected in response to requests we sent of the form in Figure 15 (where “%s” is the IP address we were scanning).\r\nGET / HTTP/1.1\r\nHost: %s\r\nUser-Agent: Mozilla/5.0\r\nFigure 15\r\nHTTP request sent by our scan that elicited ad injection.\r\nThe PCAPs we recorded during our scan show that each instance of injection matches our entire fingerprint in Section 3.3. Namely, all injected packets have IPID = 13330, no IP flags, match the expected 307 Redirect format, and involve the packet injector sending an unsolicited final ACK packet ~100ms after injecting the redirect. This indicates that the redirect was likely being injected by Sandvine PacketLogic devices as configured by the operators.\r\nDuring the 32 minutes on January 8 when injection was active, we both scanned and received a response containing data from 3,337 IP addresses in 27 ASNs in Egypt (as determined by the MaxMind GeoLite2 country database). 1,239 IP addresses in 17 ASNs returned the advertising redirect, for an injection rate of ~38%. This appears to be an instance of the AdHose spray mode. 
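The four fingerprint elements just listed can be checked mechanically against a capture. The Python below is an added example, not Citizen Lab's tooling: it decodes IPv4/TCP frames from a list of (timestamp, bytes) pairs, keeps only frames with IPID 13330 and no IP flags, requires the payload to have exactly the 307 shape of Figure 14, looks for the bare follow-up ACK on the same flow roughly 100 ms later, and also reports the RST/ACK form of the same IP signature that Section 6 describes for website blocking. The 50 to 250 ms window for the trailing ACK is an assumption around the report's "~100ms"; the trace at the bottom is constructed with TEST-NET addresses, not captured traffic.

```python
"""Added example (not the report's tooling): match the Section 3.3 / 5.3
injection fingerprint, and its RST/ACK blocking variant from Section 6,
against a list of (timestamp_seconds, raw_ipv4_frame) pairs."""
import re
import socket
import struct

FINGERPRINT_IPID = 13330                       # 0x3412
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# Exact shape of the injected redirect (Figures 1 and 14): status line,
# Location, Connection: close, and nothing else.
REDIRECT_RE = re.compile(
    rb"\AHTTP/1\.1 307 Temporary Redirect\r\nLocation: (http://[^\r\n]+)\r\n"
    rb"Connection: close\r\n\r\n\Z")
ACK_WINDOW = (0.050, 0.250)   # assumed tolerance around the observed ~100 ms


def build_packet(src, dst, sport, dport, seq, ack, tcpflags, payload=b"",
                 ipid=0, ipflags=0):
    """Minimal IPv4+TCP frame for the constructed trace (checksums left zero;
    ipflags is the 3-bit IP flags field, so DF = 2)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ipid,
                     ipflags << 13, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, tcpflags,
                      32120, 0, 0)
    return ip + tcp + payload


def parse_packet(raw):
    """Fields the fingerprint needs; None for non-TCP or truncated frames."""
    if len(raw) < 20:
        return None
    ver_ihl, _, _, ipid, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, seq, ack, off, flags, _, _, _ = struct.unpack(
        "!HHIIBBHHH", raw[ihl:ihl + 20])
    return {"ipid": ipid, "ipflags": frag >> 13,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "tcpflags": flags, "payload": raw[ihl + (off >> 4) * 4:]}


def _flow(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])


def fingerprint_matches(trace):
    """One record per frame carrying the injector's IP signature: kind
    'redirect' (elements 1-3, with element 4 reported as trailing_ack) or 'rst'."""
    pkts = [(ts, p) for ts, p in ((ts, parse_packet(raw)) for ts, raw in trace) if p]
    found = []
    for i, (ts, p) in enumerate(pkts):
        if p["ipid"] != FINGERPRINT_IPID or p["ipflags"] != 0:
            continue                           # elements 1 and 2 must both hold
        if p["tcpflags"] & RST:
            found.append({"ts": ts, "kind": "rst", "flow": _flow(p)})
            continue
        m = REDIRECT_RE.match(p["payload"])    # element 3
        if not m:
            continue
        # Element 4: an empty, ACK-only frame on the same flow with the same
        # IPID, inside the assumed window after the redirect.
        trailing = any(
            q["ipid"] == FINGERPRINT_IPID and q["tcpflags"] == ACK
            and not q["payload"] and _flow(q) == _flow(p)
            and ACK_WINDOW[0] <= ts2 - ts <= ACK_WINDOW[1]
            for ts2, q in pkts[i + 1:])
        found.append({"ts": ts, "kind": "redirect", "flow": _flow(p),
                      "location": m.group(1).decode(), "trailing_ack": trailing})
    return found


# Constructed trace (TEST-NET addresses). Flow 1: request, injected 307 with the
# signature, its trailing ACK, then the origin's real reply (DF set, ordinary
# IPID). Flow 2: a request for a censored host answered by an injected RST/ACK.
CLIENT, SERVER = "192.0.2.5", "198.51.100.10"
REQ = b"GET / HTTP/1.1\r\nHost: 198.51.100.10\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
INJ = (b"HTTP/1.1 307 Temporary Redirect\r\n"
       b"Location: http://static.dbmads.com/static.html\r\nConnection: close\r\n\r\n")
BLOCKED = b"GET / HTTP/1.1\r\nHost: www.aljazeera.net\r\n\r\n"
SAMPLE_TRACE = [
    (1.000, build_packet(CLIENT, SERVER, 40000, 80, 1, 1, PSH | ACK, REQ, 777, 2)),
    (1.041, build_packet(SERVER, CLIENT, 80, 40000, 1, 1 + len(REQ), PSH | ACK, INJ, 13330)),
    (1.142, build_packet(SERVER, CLIENT, 80, 40000, 1 + len(INJ), 1 + len(REQ), ACK, b"", 13330)),
    (1.230, build_packet(SERVER, CLIENT, 80, 40000, 1, 1 + len(REQ), PSH | ACK,
                         b"HTTP/1.1 200 OK\r\n\r\n", 4242, 2)),
    (2.000, build_packet(CLIENT, SERVER, 40001, 80, 1, 1, PSH | ACK, BLOCKED, 778, 2)),
    (2.010, build_packet(SERVER, CLIENT, 80, 40001, 1, 1 + len(BLOCKED), RST | ACK, b"", 13330)),
]

if __name__ == "__main__":
    for rec in fingerprint_matches(SAMPLE_TRACE):
        print(rec)
```

To run it over a real capture, turn each packet into (epoch seconds, raw IPv4 bytes) with any PCAP reader and pass the list in. Elements 1 and 2 alone discard most origin-server traffic, since ordinary stacks vary the IPID and usually set DF; the trailing bare ACK is what separates the injector from an origin that legitimately answers with a 307.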
Figure 16 shows the ASNs in which we observed injections, indicating that the middleboxes used for injection are upstream from these ASNs.\r\nASN | Description\r\n24863 | Link Egypt (Link.NET)\r\n8452 | Telecom Egypt (TE)\r\n20928 | Noor\r\n36992 | Etisalat Misr\r\n24835 | Vodafone / Raya Telecom\r\n37031 | Misr Information Services \u0026 Trading (MIST)\r\n36935 | Vodafone\r\n37069 | Mobinil\r\n33785 | City Net Telecom\r\n30993 | Egypt Centers\r\n20484 | Yalla Online\r\n36408 | CDNetworks\r\n328067 | EGIT\r\n31619 | City Stars\r\n31065 | Egyptian Ministry of Communications and Information Technology (MCIT)\r\n25576 | Armed Forces Main Information Center (AFMIC)\r\n15475 | Nile Online (NOL)\r\nFigure 16\r\nASNs where we observed injection in Egypt.\r\n5.4. A Multi-Year Campaign\r\nOONI’s Report and Data\r\nOur data matches up with findings that the network interference measurement project OONI published in August 2016. OONI’s work revealed affiliate ad injection when users attempted to access certain pornography websites in Egypt. OONI’s findings matched all elements of the fingerprint we described in Section 3.3, which suggests that the ad injection they identified in 2016 was also the result of Sandvine PacketLogic devices as configured by the operators.\r\nAdditional historical OONI data that we reviewed showed evidence that two domains, copticpope[.]org (the former website of the Pope of the Coptic Orthodox Church of Alexandria) and babylon-x[.]com (a former pornographic website), have been targeted by AdHose in trickle mode. As a result, visitors to these websites were continuously redirected to ads, regardless of whether spray mode was active. We confirmed these findings in our own scans in February 2018. 
We also identified an October 2016 post on Webhostingtalk which indicated that visitors to a free web counter JavaScript file, http://s10.histats[.]com/js15.js, were redirected to advertisements linked to the infinitads[.]com domain. We tested accessing this URL from within Egypt and found that it is targeted by AdHose in trickle mode.\r\nCensys Captures AdHose Spray\r\nWe found that the 7547-cwmp-get-full_ipv4 Censys scan performed on January 3, 2018 captured AdHose in spray mode between 15:50:23 and 16:32:02 local time. Censys both scanned and received a response containing data from 5,702 IP addresses in four ASNs in Egypt during this period. Of these 5,702 IPs, 5,443 in four ASNs returned the advertising redirect, for an injection rate of ~95%.\r\nEnumerating Affiliate IDs\r\nWe looked at historical OONI data and enumerated all HTTP 307 redirects within Egypt that did not match the domain from which they were redirected. Within this list, we looked for any domains returned which appeared to be domains hosting advertising pages (for example, we manually filtered out domains that appeared to be ISP or billing notifications). To this list, we added the injected domains that OONI previously reported.\r\nWe then gathered all copies of all pages on these domains archived by the Internet Archive, and looked for affiliate links included in the HTML source of the webpages (or any pages they redirected to). We also manually visited URLs in cases where the Internet Archive did not retain past copies. 
As a result of this process, we obtained the list of affiliate links and IDs we believe were used by the AdHose operators, shown in Figure 17.\r\nAd Network | Affiliate Links | Affiliate IDs\r\nAdvertising Technologies Ltd. | http://go.pub2srv[.]com/afu.php?zoneid=1251527; http://go.ad2upapp[.]com/afu.php?id=1209127; http://go.ad2upapp[.]com/afu.php?id=773263; http://go.ad2up[.]com/afu.php?id=862744; http://go.ad2up[.]com/afu.php?id=758873; http://go.ad2up[.]com/afu.php?id=773263; http://go.oclasrv[.]com/afu.php?id=896707; http://go.ad2upapp[.]com/afu.php?id=723454; http://go.deliverymodo[.]com/afu.php?id=723454 | 723454, 758873, 773263, 862744, 896707, 1209127, 1251527\r\nTerra Advertising Corp | http://www.hitcpm[.]com/watch?key=e4c634c55ad300b85c8760d9e09104cd; http://www.urldelivery[.]com/watch?key=3e73d64a401c1e5b8b3eb33316b711e0; http://cs6hm[.]com/watch?key=3e73d64a401c1e5b8b3eb33316b711e0; http://cpm10[.]com/watch?key=3e73d64a401c1e5b8b3eb33316b711e0; http://www.clicksgear[.]com/watch?key=3e73d64a401c1e5b8b3eb33316b711e0 | e4c634c55ad300b85c8760d9e09104cd, 3e73d64a401c1e5b8b3eb33316b711e0\r\nAdvertica.ae | https://ylx-4[.]com/fullpage.php?section=General\u0026pub=175258\u0026ga=g; https://ylx-4[.]com/fullpage.php?section=General\u0026pub=125652\u0026ga=g | 125652, 175258\r\n(Unidentified) | http://conceau[.]co/out?zoneId=2692073\u0026htatb=1\u0026sId=2692073 | 2692073\r\nCoinhive (Monero cryptocurrency mining) | http://cnhv[.]co/fmwi |\r\nFigure 17\r\nAffiliate links we believe were used by AdHose operators.\r\nWe saw a significant overlap between the ad networks mentioned in the OONI report and AdHose. 
For example, we saw in the hosting history that static.dbmads[.]com forwarded users to ad2upapp[.]com, which was mentioned in the initial OONI report. Additionally, the infinitads[.]com domain mentioned in the OONI report was forwarded to static.dbmads[.]com at several points in time. This overlap suggests to us that the same actors have been involved since at least October 2016.\r\n5.5. Localizing Egypt’s Middleboxes\r\nWe conducted tests that localized the AdHose middleboxes to a Telecom Egypt demarcation point.\r\nWe noticed that for AdHose, the redirects were injected upon receipt of an HTTP response, rather than an HTTP request. In this case, sending a request to a server did not trigger an injected response unless the server received the request, and returned a proper HTTP response.\r\nWe verified that we could configure our second-hand PacketLogic device to inject on responses rather than requests, such as by adding a condition on the injection rule that would not be known until the device saw the response (e.g., the condition “HTTP response code == 200”).\r\nTest 1: Localizing AdHose\r\nBecause AdHose only injects data in response to HTTP responses, sending TTL-limited HTTP requests cannot localize AdHose. We instead sent a TTL-limited FIN/ACK packet after properly establishing a TCP connection, but before sending a default-TTL HTTP request with a Host header for one of the AdHose domains (copticpope[.]org). By varying the TTL of the FIN/ACK packet, we could identify the link on which the middlebox first saw the FIN/ACK (and the end-host in Egypt did not). We hypothesized that when the middlebox first saw the FIN/ACK, it might consider the connection closed and not perform any injection on the server’s response. 
Thus, we would expect to find some number X, where setting the TTL to Y (≥ X) would cause us to receive the legitimate response from the server, and setting the TTL to Z (\u003c X) would cause us to receive the redirect injected by AdHose.\r\nWe did indeed observe this behavior; the first link on which we saw the legitimate response from the end-host in Egypt (and not the injected response) was between 130.117.50.166 (be3093.ccr22.mrs01.atlas.cogentco.com) and 149.14.125.162 (telecom-egypt.demarc.cogentco.com), which appears to be a cable link between Marseille, France, and Egypt.\r\nTest 2: Localizing Censorship\r\nIn this test, we found that the same device that was running AdHose was also performing Internet censorship in Egypt. We localized the censorship functionality of the device by sending a TTL-limited HTTP request to a blocked website (www.aljazeera.net). By varying the TTL of the HTTP request, and observing whether we received an injected RST/ACK packet, we could identify the link where the device first saw the request.\r\nThe first link on which we saw an injected RST/ACK packet was between 130.117.50.166 (be3093.ccr22.mrs01.atlas.cogentco.com) and 149.14.125.170 (telecom-egypt.demarc.cogentco.com), which appears to be the same cable link that we found in Test 1.\r\nGiven that we localized both AdHose and Internet censorship to the same link, we believe that the same PacketLogic device is being used to carry out both functionalities.\r\n6. Egypt \u0026 Turkey Censorship Testing\r\nThis section describes how DPI equipment that matches our Sandvine PacketLogic fingerprint is blocking political and human rights content in Egypt and Turkey.\r\n6.1. 
Websites Blocked\r\nIn Egypt, we found that devices matching our Sandvine PacketLogic fingerprint are being used to block dozens of human rights, political, and news websites including Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabi. In Turkey, we discovered that these devices are being used to block websites including every language version of Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the PKK (Kurdistan Workers’ Party).\r\nThe blocking is implemented by injecting TCP reset packets. The TCP reset packets have IPID 13330 and no IP flags, and match our fingerprint (Section 3.3). These characteristics suggest that Sandvine PacketLogic devices are being used to carry out the blocking.\r\n6.2. Website Blocking in PacketLogic\r\nWe tested blocking a website using our second-hand Sandvine PacketLogic device (Section 3.3). This test involved creating a PropertyObject to match requests whose hostname was hrw.org and then a Filtering Rule that terminates all connections matching the PropertyObject by using the built-in Reject action.\r\nRequests with an HTTP Host header of hrw.org were terminated by an injected RST packet. Requests with a TLS Client Hello message with the SNI extension set to hrw.org were also terminated.\r\nOur experiment (Figure 19, Figure 20) matched elements 1-4 of our fingerprint. 
Note that the timestamp\r\ndiscrepancy in the PCAP files is because the server and client clocks were not synchronized.\r\nClient sends GET request for hrw.org\r\n17:34:54.213576 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 123)\r\n192.168.1.27.49482 \u003e 192.168.1.26.8080: Flags [P.], seq 1:72, ack 1, win 4117, options [nop,nop,TS val 756752097\r\nGET / HTTP/1.1\r\nHost: hrw.org\r\nUser-Agent: curl/7.54.0\r\nAccept: */*\r\nClient receives injected RST/ACK\r\n17:34:54.213805 IP (tos 0x0, ttl 64, id 13330, offset 0, flags [none], proto TCP (6), length 40)\r\n192.168.1.26.8080 \u003e 192.168.1.27.49482: Flags [R.], seq 1, ack 72, win 32120, length 0\r\nFigure 19\r\nPacketLogic content blocking via Reject rule from the client side.\r\nServer receives injected RST/ACK\r\n17:34:36.051889 IP (tos 0x0, ttl 64, id 13330, offset 0, flags [none], proto TCP (6), length 40)\r\n192.168.1.27.49482 \u003e 192.168.1.26.8080: Flags [R.], seq 72, ack 1, win 32120, length 0\r\nFigure 20\r\nPacketLogic content blocking via Reject rule from the server side.\r\n7. Communication with Sandvine and Francisco Partners\r\nCitizen Lab sent letters to executive leadership at Sandvine and to Procera Networks/Sandvine owner Francisco\r\nPartners on February 12, 2018. Our letters notified the companies of our research findings and raised questions\r\nconcerning their human rights impact. 
We received an initial response from both companies on February 13 which confirmed their receipt of our letters and indicated that they would provide us with a reply.\r\nA February 16, 2018 letter from Sandvine laid out the company’s response in more detail, characterizing the statements in our letter as “false, misleading, and wrong”; demanding return of the second-hand PacketLogic device that we used to confirm attribution of our fingerprint; describing Sandvine’s “Comprehensive Business Ethics Program”; and noting that any public statements we make “that are factually inaccurate or based on improper use of [the PacketLogic] product . . . will be met with vigorous fact-based rebuttal and a strong legal response . . . .” Citizen Lab replied to this email the same day noting that we had withdrawn the original publication date to carefully review the points they raised and undertake further due diligence.\r\nSandvine asserted in its February 16 letter that its PacketLogic product “is not capable of Man-in-the-Middle (MITM) attacks and not capable of any form of payload injection, malicious or not,” and that Citizen Lab’s findings were therefore incorrect. Our research, however, does not suggest that the PacketLogic device injects the malicious code itself. Rather, the spyware injection and advertising injection were carried out by injecting HTTP 307 redirects that caused a target’s browser to automatically fetch malicious code from a separate website. As described in Section 2, the injection of HTTP redirects is an established spyware and advertising injection technique. 
Additionally, Sandvine acknowledged in its letter that the\r\nPacketLogic design “does not permit the end user to inject a payload larger than 1 packet.” This assertion,\r\nindicating an injection of one packet is possible, is consistent with our findings regarding the injection of a\r\nredirect command, which is one packet in size.\r\nNotably, in the February 16 letter, Sandvine also expressed its commitment to the ethical use of its product. It\r\nreferred to the company’s webpage regarding “Ethics and Human Rights protection at Sandvine,” which\r\nprovided:11\r\nA key part of [Sandvine’s] innovation process is to ensure that we do not lose sight of the ethical impact of our\r\ntechnology on human rights, freedom of speech, and privacy. Sandvine has taken the approach on regulating\r\naccess to the components of our solutions that could be used to infringe on any of these. The usage of our\r\nregulatory compliance solutions are controlled by a EULA and software licenses that are required for any\r\ncomponents that could conceivably be used to violate human rights, freedom of speech, and privacy.\r\nThe letter noted that Sandvine’s EULA prohibits injection of malicious payloads. The letter also indicated that the\r\ncompany maintains a Business Ethics Committee (BEC) “to review and approve the sale of products and services\r\nto customers.” The webpage details how Sandvine’s BEC uses “the World Bank Index” (an apparent reference to\r\nthe Worldwide Governance Indicators) to review sales to certain countries. The BEC assesses the indicators\r\nassociated with the following areas of governance: voice and accountability (which includes freedom of\r\nexpression-related indicators); political stability and absence of violence/terrorism; rule of law; and control of\r\ncorruption. 
The Sandvine webpage states:\r\nAny country not rated an “A” by the World Bank must be approved by the BEC and a certificate of compliance\r\nsigned by the customer acknowledging that they will not use the technology to violate human rights based on the\r\nregulatory compliance use case(s) deployed. Sandvine employees and resellers are prohibited from selling\r\nsolutions to countries that are embargoed or sanctioned by the EU, US, and/or UN or are rated a “D” by the\r\nWord Bank.\r\nIt is unclear, however, what letter grade ratings are referred to in this policy, or how they are determined, as the\r\nWorldwide Governance Indicators provide percentile rankings for countries rather than a letter grade.\r\nWhile Sandvine did not comment on the existence or any aspect of business dealings in Egypt or Turkey, citing\r\ncontract confidentiality clauses, the BEC assessment process it outlines would appear to apply to sales in both\r\ncountries. The Worldwide Governance Indicators reflect the following 2016[12] percentile rankings (0 to 100) for\r\nEgypt and Turkey in the categories utilized by Sandvine’s BEC:\r\nCountry | Voice and accountability | Political stability and absence of violence / terrorism | Rule of law | Control of corruption\r\nEgypt | 14 | 9 | 36 | 32\r\nTurkey | 30 | 6 | 49 | 50\r\nThe low percentile rankings assigned to those countries — single digits in the “political stability and absence of\r\nviolence / terrorism” category, and in no case surpassing 50th percentile — suggest at a minimum that the BEC\r\nwould have been called upon to assess and approve any such sales that took place, and require certificates of\r\ncompliance from the customers.\r\nOn February 20, 2018, Francisco Partners sent its own response to our letter, emphasizing that the firm\r\n“recognizes the importance of corporate governance and social 
responsibility.” The firm went on to state: “We\r\nspend considerable time and effort regarding the thoughtful development and implementation of proper\r\ngovernance and social responsibility policies and processes for Francisco Partners and for the companies in which\r\nwe invest.” The firm noted that, as an investor, it works “with company management teams to enhance (where\r\nnecessary) and to implement robust corporate governance principles, business processes and policies, and business\r\nstrategy, including social responsibility policies and practices.” It also “mandates the adoption of compliant\r\nbusiness ethics policies and processes. Where appropriate, such policies and processes are based on, among other\r\nthings, the engagement of outside parties and a variety of benchmarking information sources, including World\r\nBank information.”\r\nOn March 1, 2018, Citizen Lab replied to Sandvine. We emphasized that we were confident in our research\r\nfindings, which two independent peer reviews confirmed. We also posed additional questions regarding\r\nSandvine’s business ethics program. On March 7, 2018, Sandvine sent a letter to the University of Toronto,\r\nexpressing its continuing concern that the Citizen Lab report “will contain false, inaccurate and misleading\r\ninformation that has the potential to do significant harm to the company, its shareholders and its customers.”\r\nSandvine “demand[ed] that the report not be released publicly at this time” and laid out the reasons for that\r\ndemand. External counsel responded to Sandvine’s letter on behalf of the University of Toronto and Citizen Lab\r\non March 8, 2018. \r\n8. Conclusion: Dual-Use Technology, Unrestrained\r\nDeep packet inspection technology is now ubiquitous across network environments. 
DPI devices supporting\r\nnetwork injection can be used by ISPs for a range of ostensibly legitimate uses, from alerting users to billing\r\nissues to bandwidth cap limits — all broadly marketed under the rubric of what DPI companies refer to benignly\r\nas “Quality of Service” or “Quality of Experience.” However, as our investigation demonstrates, network injection\r\ncan also be used for harmful purposes. Depending on how DPI systems are configured, they may even present\r\nserious human rights risks, such as censoring access to content or, worse, silently infecting users with malware,\r\nand all without the person affected by the censorship or targeted by the malware realizing what has occurred.\r\nEvidently, the technology can also be easily repurposed for mass-scale revenue scams.\r\nDespite the risks of harms and abuses, the market for this powerful technology remains largely unregulated.\r\nExport controls that were agreed upon within the framework of the Wassenaar Arrangement explicitly exclude\r\n“systems or equipment, specially designed for . . . a. Marketing purpose; b. Network Quality of Service (QoS); or\r\nc. Quality of Experience (QoE)” from the scope of controlled IP network communications surveillance systems or\r\nequipment. Yet the integration of functions, including network injection, in a customizable, multipurpose network\r\nsolution raises difficult questions regarding end use determinations and proper methods for prevention of misuse\r\nof the technology.\r\nRegardless of the specific business sector, all companies have a responsibility to prevent the misuse of their\r\nproducts and services in ways that undermine human rights. 
The UN Guiding Principles on Business and Human\r\nRights note that businesses should “avoid causing or contributing to adverse human rights impacts” and “address\r\nsuch impacts when they occur.” Moreover, the UN Guiding Principles clarify that companies should “seek to\r\nprevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services\r\nby their business relationships, even if they have not contributed to those impacts.” As described in this report,\r\nhowever, Sandvine appears to have provided such tools in Turkey and Egypt — two countries with documented\r\npoor human rights records — and may have serviced these tools on the ground as well. Additionally, prior\r\nreporting of internal company discussions at Procera Networks show clearly that concerns were raised inside the\r\ncompany about equipping the Turkish regime with technology that could be used for surveillance. The company is\r\nor should be aware of the potential for misuse of its product in Turkey. 
Despite the human rights concerns raised,\r\nSandvine/Procera evidently chose to move ahead with provision of technology to Turkey.\r\nThe apparent use of Sandvine technology to engage in network injection in Egypt and Turkey is even more\r\ntroubling in light of the “strong safeguards” that Sandvine asserts it maintains “regarding social responsibility,\r\nhuman rights, and privacy rights.” Sandvine appears to have technical means in place to prevent misuse of its\r\ntechnology, noting in its February 16 letter that it “implements stringent software license controls that limit access\r\nto specific product capabilities outside of an intended use case.” The malicious and dubious activities that appear\r\nto have been conducted through the use of PacketLogic devices as documented in this report suggest that\r\nSandvine’s safeguards have come up short — despite the Procera controversy over dealings in Turkey that was\r\npublicly reported in 2016, which put the company on notice of the potential human rights impact of sales and\r\nservices in Turkey. We recommend that Sandvine engage in regular consultation with civil society regarding its\r\nhuman rights due diligence and business ethics program, and enhance transparency surrounding its sales review\r\nprocess and post-sale technical controls. We also recommend that Sandvine establish an operational-level\r\ngrievance mechanism, in line with the UN Guiding Principles on Business and Human Rights, to address incidents\r\nof misuse of its products, and clearly communicate to the public how to report concerns,13 the timeframe in which\r\none can expect to receive a response, and remedial action taken.\r\nWe recommend that both dual-use technology developers and investors carefully consider their human rights\r\npolicies and due diligence practices in light of the changing regulatory and social landscape and growing\r\nexpectations surrounding corporate social responsibility. 
Francisco Partners in particular appears to have targeted\r\ndual-use technology companies as a lucrative sector for investment, given the company’s prior investment in\r\ncompanies such as Blue Coat and NSO Group. Proactive efforts within the firm to incorporate and promote human\r\nrights due diligence, as Francisco Partners touched on in its correspondence, could help address the risks of abuse\r\npresent in this sector. We recommend that Francisco Partners publicly release its own corporate social\r\nresponsibility policies and practices, as well as those that it promotes among its investment companies, and\r\nengage with civil society in a transparent manner regarding how those policies and practices could be improved.\r\nWe also recommend that government entities, including the newly established Canadian Ombudsperson for\r\nResponsible Enterprise (which would have jurisdiction over Sandvine as a corporation based in Canada), consider\r\nthe significant human rights implications of network tools capable of network injection in responding to the lack\r\nof oversight, transparency, and accountability in the surveillance market.\r\nThe findings of this report also illustrate the urgent need for ubiquitous adoption of HTTPS by website developers.\r\nHandling web traffic over unencrypted channels leaves users vulnerable to network injection techniques that may\r\nexpose them to spyware, unwanted advertising, or other Internet scams. Particularly on sites offering software\r\ndownloads (some of which may be billed as “secure”), companies and developers responsible for such platforms\r\nmust ensure the proper use of encryption.\r\nUltimately, the use of products that provide network injection features on\r\npublic ISP networks, as identified in this report, represents a major global public safety risk. 
Network injection\r\ncan be used to take advantage of access to a user’s unencrypted web traffic to replace expected data with\r\nmalicious or inappropriate code, often in a manner undetectable to the average user. Francisco Partners’ recent\r\nacquisition of Sandvine is especially troubling in this regard, since the investment firm’s portfolio also includes\r\nNSO Group, one of the world’s leading providers of spyware whose products are associated with numerous cases\r\nof abuse. The prospect of such powerhouse surveillance technologies being sold to companies operating in\r\nautocratic regimes, or autocratic regimes themselves, and in jurisdictions wherein human rights are flagrantly\r\nabused, should be cause for concern.\r\nAcknowledgements\r\nBill Marczak’s work on this project was supported by the Center for Long Term Cybersecurity (CLTC) at UC\r\nBerkeley. This work was also supported by grants to the Citizen Lab from the Ford Foundation, the John T. and\r\nCatherine D. MacArthur Foundation, the Oak Foundation, the Open Society Foundations, and the Sigrid Rausing\r\nTrust. This work includes data from the Open Observatory of Network Interference (OONI), Censys, VirusTotal,\r\nand RiskIQ.\r\nEditing and other assistance provided by Masashi Nishihata, Jeffrey Knockel, Christopher Parsons, Lex Gill, and\r\nMiles Kenyon. 
Research assistance provided by Elizabeth Gross and Gabrielle Lim.\r\nAdditional Data here\r\nAppendix A: Turkey Malware Injection IOCs\r\nInitial Campaign\r\nDomains of injected redirects\r\ndownload.downloading[.]shop\r\ndownloading.syriantelecom[.]co [14]\r\ndownload.syriantelecommunications[.]co\r\nredirection[.]bid\r\nPhase 2 Campaign\r\nDomains of injected redirects\r\ndownloading.internetdownloading[.]co\r\ndownload.downloadering[.]co\r\nMalware hashes\r\n08d971f5f4707ae6ea56ed2f243c38b7\r\n20755b98d7c094747b75b157413e3422\r\n3632fb080545d3518d57320466f96cb3\r\n40383bee9846ecbd78581402e3379051\r\n449ba12127133ecd0440a558b083468c\r\n461446151be0033a668782c2d7ba58cb\r\n56bc314bc0d4a0a230a4de2bf978b5ae\r\na070fd2cce434a6f0b0d0fa6d3278d22\r\nbe6f2a03dfddbaf1166854730961d13c\r\nd7ec065cc3f563928504f80692578d2f\r\nf344da38958dbc730ddebc10660cd451\r\nfa90508007b94a4dbfeb8b48d5443ec8\r\nMalware C\u0026C\r\nupdserv-east-cdn3[.]com\r\nPhase 3 Campaign\r\nDomains of injected redirects\r\ncomputing[.]downloaders[.]today\r\nstorage[.]computingdownloads[.]life\r\nwindow[.]processingdownloads[.]today\r\nMalware hashes\r\n001316808aa7108b467e8ecc06139c2e\r\n5c3f0dcf4aaa699b50154aa245923c86\r\n7fd98d6bb1e9d6bcf2e1984e812c1e46\r\n89180820b47bb11ccf0c8505371e98d1\r\n8bb2ba6f1cfa3bd99146688cd1e76bb0\r\n8c8eb5cfc5642a773c5f2b5f59148aa3\r\n8fea3de31a58415c3fec2e6dd4095575\r\n9b0de56f7f862db73e223f41099fc74c\r\nbe8a344487bcfea66de8e0f0f14d869e\r\ndf0045bd4168893922480f7ccb29860a\r\ne436e849d9496ef3f651c1904786c78f\r\ne80d8a0c35133f7485d8e87ade903919\r\nf36e67109ae368c9db109d0a41b5817c\r\nMalware C\u0026C\r\nms-cdn-88[.]com\r\nRelated IOCs discovered\r\ncdn2-sys-upd[.]com\r\nand-security-state[.]com\r\nPhase 4 
Campaign\r\nInjection domains\r\nsolitude.file-download[.]today\r\nsystem.documentations[.]live\r\nepiphany.download-document[.]world [15]\r\nepoch.wind-files[.]today\r\ninternet.document-management[.]today\r\nMalware hashes\r\n08b8b4787f3ce90c6c1483cc127b1cdc\r\n205a5502ff0da4a471c4dad0e06c6c57\r\n32bc51088953377d601c6b27ca7484a9\r\n3729531c71163cddcded7e70c02a3004\r\n43b39fd4ddc386092372da19f6278c25\r\n4fe4094302c26e7ea2c58f5ca9f7f993\r\n58239ea5747d3375278ce7c04db22c1b\r\n6491df10c766be9c487fb9495d04df6e\r\n6a442a610c047a7a306a12f423978bfb\r\n6ce947913231bd968c86a2737bae7bba\r\n7ad8ad340c084f8185e2bb18cbfde891\r\n90373539c60529153d0d6b0cc857e845\r\na5ae6e0d74052d4f889f2538fdd7cb9b\r\nMalware C\u0026C\r\ncdn-upd-ms6[.]com\r\nRelated IOCs discovered\r\nbombinate.winload[.]info\r\nepoch.uploaders[.]online\r\nsolitude.filedownloads[.]online\r\nmevlut.oncu@yandex.com [16]\r\nPhase 5 Campaign\r\nInjection domains\r\ndocument.downloadingsystem[.]com\r\nepoch.englishdownloaders[.]today\r\ninternet.downloadingdocuments[.]com\r\nsystem.filedownloaders[.]com\r\nMalware C\u0026C\r\nupd-ms3-app-state[.]com\r\nRelated IOCs discovered\r\ncdn6-upd-state-app.com\r\nBPF rule to detect HTTP 307 redirect injection consistent with PacketLogic:\r\nport 80 and ip[4:2] = 13330 and tcp[((tcp[12:1] \u0026 0xf0) \u003e\u003e 2)+8:4] = 0x20333037 and tcp[14:2] = 32120 and ip[6:2] = 0\r\nFootnotes\r\n1. The text “SECURE DOWNLOAD” is displayed when a user hovers over the “DOWNLOAD NOW” link\r\nwhen attempting to download a file from Download.com.\r\n2. Found via Google search; the brochure URL includes a Hubspot Hub ID (482141) that we see in the\r\nHTML source code of the https://sandvine.com/ site, thus we conclude this is an official brochure.\r\n3. 
Found via Google search; the brochure URL includes a Hubspot Hub ID (482141) that we see in the\r\nHTML source code of the https://sandvine.com/ site, thus we conclude this is an official brochure.\r\n4. Our Shodan search query was: 307 temporary redirect -date -server connection close -content-length -pragma -usercheck -content-type location.\r\n5. The samples were structurally similar to the ones described here.\r\n6. See “inject_data parameter requires v12.1 firmware or newer” on\r\nhttp://python.proceranetworks.com/4.0.0/ruleset.html.\r\n7. For instance, Checkpoint’s Secure Web Gateway appears to use the same HTTP header format as\r\nPacketLogic, but has numerous differences in the IP and TCP layers, including not using a fixed IPID\r\nvalue, and not injecting a final unsolicited ACK.\r\n8. Though most people would instead probably visit videolan.org, which redirects users to HTTPS by\r\ndefault.\r\n9. Also surprisingly, when we tested ccleaner.com, it directed Mac users to a download via HTTPS, but\r\ndirected PC users to a download over HTTP.\r\n10. While it is unlikely that a user would actually see an ad injected on port 7547, it appears that the DPI\r\noperator in Egypt did not restrict the network injection to a specific port. As a result, an HTTP request on\r\nany port would be injected.\r\n11. After we began corresponding with Sandvine, and apparently in March 2018, Sandvine changed the\r\ncontent of this webpage. The original text as of February 15, 2018 is available at\r\nhttps://web.archive.org/web/20180215124449/https://www.sandvine.com/company/corporate-ethics.\r\n12. Most recent data available as of March 7, 2018.\r\n13. 
After we began corresponding with Sandvine, and apparently in March 2018, Sandvine changed the\r\ncontent of its “Ethics and Human Rights protection at Sandvine” webpage to add the following text: “[W]e\r\nencourage Sandvine employees and interested third parties to report any suspected breaches of a signed\r\nSandvine certificate of compliance or breaches of Sandvine’s End User License Agreement (EULA) with\r\nsufficient supporting evidence to Sandvine’s BEC committee at BEC@sandvine.com for investigation. All\r\nreported concerns will be reviewed and appropriately actioned.” It is unclear, however, what terms are\r\ncontained in the applicable certificates of compliance or EULAs, which information would be required for\r\nthe public to properly identify and report on such breaches; or what supporting evidence would be\r\nconsidered “sufficient.” Additional transparency is necessary to make this mechanism effectively available\r\nto the public.\r\n14. Also seen in the Phase 2 campaign.\r\n15. Also seen in the Phase 5 campaign.\r\n16. The (self-signed) TLS certificate served by 62.109.20.58 (pointed to by cdn-upd-ms6[.]com) was issued to\r\n“mevlut.oncu.example.com,” and we found a similar-looking domain cdn6-scl-ms.com registered to\r\nmevlut.oncu@yandex.com according to the WHOIS record. That domain never pointed to an IP address, as\r\nfar as we could tell.\r\nSource: https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/"
	],
	"report_names": [
		"bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434152,
	"ts_updated_at": 1775792128,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22523e8656f6d62bb80ff079e191f7ebb5d8b527.pdf",
		"text": "https://archive.orkl.eu/22523e8656f6d62bb80ff079e191f7ebb5d8b527.txt",
		"img": "https://archive.orkl.eu/22523e8656f6d62bb80ff079e191f7ebb5d8b527.jpg"
	}
}