Hardware from Sandvine, a Canadian company, is being used to hack web traffic along the border of Turkey and Syria, the Associated Press reports, possibly targeting Kurdish forces aligned with the U.S.
Internet users in Turkey were infected with a surveillance program disguised as software and Egyptian internet users were redirected to browsers that mined cryptocurrency.
The discovery was made by Citizen Lab, a University of Toronto research group, that published its findings on Friday.
Forbes described the hacking process as such:
When anyone using a target IP address on Turk Telekom’s network attempted to download software from a handful of legitimate vendors – including security tools Avast and CCleaner, as well as the Opera browser and file archiver 7-Zip – their connections were intercepted by the PacketLogic tool and redirected to unencrypted websites registered by the snoops. From there, fake versions of those software, which were in fact malware, were automatically downloaded.
“These companies are not closely regulated—and that can lead to a lot of unintended consequences, including consequences that harm our foreign policy interests and human rights interest as well,” Roger Deibert, the director of Citizen Lab, told AP. “It’s a strong argument for government control over this kind of technology.”
The hack appears to be an example of so-called “network injection” or software that is injected into internet traffic by those who control the network. It only works with connections that have unencrypted web traffic.
Edward Snowden, the famous NSA whistleblower, sounded the alarm of “network injection” on Friday.
“Huge: @Citizenlab catches ISPs invisibly redirecting download requests for popular programs, injecting them with government spyware. Unencrypted web traffic is now provably a critical, in-the-wild vulnerability. 20-30% of top internet sites affected,” he wrote on Twitter.
Huge: @Citizenlab catches ISPs invisibly redirecting download requests for popular programs, injecting them with government spyware. Unencrypted web traffic is now provably a critical, in-the-wild vulnerability. 20-30% of top internet sites affected. https://t.co/5RR8BlkicH
— Edward Snowden (@Snowden) March 9, 2018
In Egypt, the watchdog group found that users were being redirected to websites that mined cryptocurrency.
Sandvine told AP that they would conduct a “full investigation” once it received data from Citizen Lab, adding that they believed the allegations were “technically inaccurate” and “intentionally misleading.”
You can read AP’s report here and Citizen Lab’s report here.