Türk Telekom, a Turkish Internet Service Provider (ISP), has deployed special hardware to intercept and alter Internet traffic, swapping legitimate software downloads for versions of the same applications infected with spyware.
A Citizen Lab report claims that Türk Telekom has deployed Sandvine PacketLogic middleboxes in five regions across the country. These devices are powerful traffic interception machines that can allow the ISP to spy on unencrypted traffic, and even alter its content by injecting additional code.
According to the report, the devices deployed on the network of this ISP have been used as a malware delivery system.
Researchers spotted the middleboxes redirecting users attempting to download software from official websites to pages offering the same software but injected with the FinFisher spyware. In later cases, researchers say the payload switched from FinFisher to another spyware strain named StrongPity.
Citizen Lab says it identified such redirects when users tried to download the Avast Antivirus, CCleaner, VLC, Opera, and 7-Zip from their official websites.
Additionally, the ISP also tainted some software downloads hosted on CNET's Download.com platform in a similar manner, offering the spyware-infected version instead of the legitimate app.
These download switcheroos didn't happen for everyone. Citizen Lab says it identified 259 IP addresses for which the middleboxes replaced downloaded software. Some IPs belonged to users located in Syria, where some Türk Telekom subscribers provided Internet access via cross-border directional Wi-Fi links.
But researchers don't believe this is the work of a rogue employee. This is because the same ISP middleboxes have been used to censor access to various political domains, such as the website of the Kurdistan Workers' Party (PKK), Wikipedia, and the website of the Dutch Broadcast Foundation (NOS).
Furthermore, FinFisher isn't run-of-the-mill malware. It is a very expensive "lawful intercept" product sold only to government agencies by the eponymous FinFisher company, a provider of government-grade surveillance technology.
The censorship of political domains and the deployment of spyware available only to law enforcement suggest heavy involvement of the Turkish government in the traffic interception scheme.
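The substitution described above is only possible because the download request and its redirect travel in plaintext, which the middlebox can read and rewrite. As an added example that is not part of the Citizen Lab report or of this article, the following Python shows the two client-side checks that would have caught such a swap: flagging plaintext hops and cross-host redirects in the download chain, and comparing the received file's SHA-256 against a digest obtained out of band. The hostnames, redirect chain, file bytes and digest below are constructed placeholders, not values from the report.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample: the redirect chain a client observed while fetching an
# installer. The first URL is the vendor's own; the second is where a redirect
# sent the client. Both hostnames are illustrative placeholders.
SAMPLE_CHAIN = [
    "http://downloads.example-vendor.test/setup.exe",
    "http://mirror.example-unrelated.test/setup.exe",
]

# Constructed sample payloads: the genuine installer bytes and a tampered copy
# with extra bytes appended, standing in for a spyware-bundled installer.
GENUINE = b"genuine-installer-bytes"
TAMPERED = GENUINE + b"\x00injected-stub"

# Stand-in for the digest a vendor publishes over HTTPS or in a signed
# manifest. In practice this value must come from a channel the middlebox
# cannot rewrite, never from the same plaintext download path.
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()


def redirect_risks(chain):
    """Return warnings for a download redirect chain.

    An on-path middlebox can only tamper with plaintext HTTP, and it steers a
    download by answering with a redirect to a host it controls. The two
    signals worth checking are therefore: any hop that is not HTTPS, and any
    hop whose host differs from the host the user originally requested.
    """
    warnings = []
    origin = urlparse(chain[0])
    for hop in chain:
        u = urlparse(hop)
        if u.scheme != "https":
            warnings.append(f"plaintext hop: {hop}")
        if u.hostname != origin.hostname:
            warnings.append(
                f"cross-host redirect: {origin.hostname} -> {u.hostname}"
            )
    return warnings


def verify_sha256(data, expected_hex):
    """Compare the SHA-256 of the received bytes with the out-of-band digest."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def download_verdict(chain, data, expected_hex):
    """Combine both checks: (accepted, reasons).

    A download is accepted only if the chain raised no warnings and the file
    digest matches. Reasons explain every rejection so the user can see
    whether the transport or the content failed.
    """
    reasons = redirect_risks(chain)
    if not verify_sha256(data, expected_hex):
        reasons.append("sha256 mismatch: file differs from vendor-published digest")
    return (len(reasons) == 0, reasons)


if __name__ == "__main__":
    ok, why = download_verdict(SAMPLE_CHAIN, TAMPERED, GENUINE_SHA256)
    print("accepted" if ok else "rejected")
    for r in why:
        print(" -", r)
```

The digest check catches the swap regardless of how the traffic was routed, while the chain check explains why it could happen at all; a client that insists on HTTPS for the whole chain removes the middlebox's ability to rewrite the response in the first place.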
It is unclear if the government was going after dissidents or was cracking down on Syrian Kurdish troops, against which Turkish forces are engaged in military campaigns.
The Citizen Lab report describes two cyber-espionage campaigns that ESET detailed in reports published in September and December 2017. ESET detected the same thing, an ISP tampering with user app downloads, but did not name the ISP or the country. The September report claimed an ISP was distributing the FinFisher spyware, while the December report detailed the StrongPity spyware distribution campaign.
But besides the Türk Telekom middleboxes, Citizen Lab researchers found similar devices deployed on the network of Telecom Egypt, an Egyptian ISP.
Researchers say these middleboxes blocked access to dozens of human rights, political, and news websites, including Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic.
The Egyptian ISP didn't deliver spyware by replacing download attempts, but it did inject ads and in-browser cryptocurrency miners inside its subscribers' Internet traffic, most likely as a money-making scheme.
A wealth of additional details can be found in Citizen Lab's far more detailed report on these two campaigns.