ISPs inside Turkey and Egypt spread FinFisher spyware in massive espionage campaign

Ankara, Turkey at night. (Photo by Nezih Durmazlar -- CC2.0)


Written by

An expansive and ongoing computer espionage campaign spread across Egypt, Turkey and Syria has been powered by technology developed by a Canadian-American networking company, SandVine, and an infamous spyware maker known as GammaGroup or Lench IT Solutions, security researchers say.

New research by human rights advocacy organization Citizen Lab shows how products made by two Western technology contractors facilitated nationwide surveillance in multiple developing countries under authoritarian rule. The findings piggyback on prior reporting by a Slovakian cybersecurity company, which also discovered similar “man-in-the-middle” cyberattacks at the internet service provider (ISP) level in September and December.

People getting online through local ISPs in Egypt, Turkey and Syria were tricked into installing highly intrusive spyware that allows the attacker to gain full access of an infected device, including its microphone and camera. Whenever targeted users in Turkey attempted to access certain websites to install free software, they were instead covertly served up a nearly identical but boobytrapped version carrying malware, researchers say. In another case, large swaths of the internet in Egypt had been quietly funneled toward a small number of commercial websites as part of an apparent advertising fraud campaign.

Researchers say that SandVine internet hardware helped accomplish these schemes. It allegedly was installed onsite at at least two different domestic ISPs, Türk Telekom in Turkey and Telecom Egypt in Egypt, in order to regulate internet traffic. Parts of Syria are connected to the internet through systems that route into Türk Telekom, causing some Syrians to also be affected.

In a series of messages between Citizen Lab, SandVine and its owner Francisco Partners, a American private equity firm, the Canadian-American company claimed that its hardware was never intended for such purposes. It’s not clear who was controlling the SandVine technology in these two cases, but researchers told CyberScoop that the most likely candidate is the ruling government of each respective country where the espionage continues today. Türk Telekom did not responded to a request for comment.

‘Very hard to spot’

Costin Raiu, head of Kaspersky Lab’s Global Research and Analysis Team, said that deploying malware directly through an ISP is extremely rare.

“Threat actors able to launch man-in-the-middle attacks at ISP level form what can be seen as a very exclusive ‘club,'” explained Raiu. “This is due to the fact that ISPs rarely willingly cooperate with governments to launch attacks against their paying customers. For the users, attacks at ISP level can be completely invisible. You think you download a legitimate program, such as Skype or RAR, but instead you end up with a trojan. It can be very hard to spot and can trick even computer-savvy users.”

According to Citizen Lab researcher Bill Marczak, SandVine boxes were configured in Turkey at Türk Telekom in such a way that an administrator could precisely target certain IPs so that when an associated computer attempted to download legitimate, free software from one of several websites it would fetch a trojanized program. This was accomplished through a code injection and website redirection technique that forced the user to visit an entirely different domain after attempting to download the software.

Websites distributing targeted software in Turkey included those managed by Avast Antivirus, file cleaner CCleaner, browser maker Opera, and free open-source software distributor 7-Zip. These domains are not HTTP Secure.

The attached spyware, named FinFisher and developed by GammaGroup, was hidden inside each downloadable program. This meant that the websites themselves were not compromised, but rather the entire internet connection between the end user and ISP was suspect.

More than one tool

The espionage operation in Turkey dates back to at least early 2017, with multiple waves distributing different FinFisher versions over time, researchers say. In late 2017, the attackers switched over to an entirely different, less sophisticated spyware variant dubbed StrongPity, which has been tied for several years to hacking efforts involving Turkey.

The change in spyware type happened after the aforementioned Slovakian cybersecurity company, ESET, outed the activity in September 2017 on its blog. That post, however, contained no information about where the operation was taking place. In an interview with CyberScoop, ESET researchers declined to provide the geographic location, citing potential blowback on their original source of data.

Other sources provided CyberScoop with private information concerning ESET’s FinFisher research earlier this year, including context about the origin of described ISP-based cyberattacks. In January, CyberScoop approached multiple digital human rights organizations, including Citizen Lab and the Electronic Frontier Foundation, with this context to acquire third party confirmation about the espionage activity in Turkey and Egypt. But a relevant story was delayed after Citizen Lab picked up the research and began making new discoveries behind the scenes.

Although the spying hardware is similar, the situations in each country differ slightly, Marczak told CyberScoop. In Egypt, the activity captured by Citizen Lab tells part of the story while other findings by ESET may complete it.

Seven years after the Arab Spring, Egypt has slipped back into a situation where citizens are closely monitored and authoritarian leaders are paranoid about an uprising.

Citizen Lab discovered that portions of the Egyptian internet — in limited bursts usually lasting only 30 minutes — would redirect some local users to adfraud pages. It’s not clear who was doing this or why it was happening, but it appears there may have been another purpose aside from monetization. ESET’s research, for example, showed that a separate FinFisher campaign, using GammaGroup’s FinFly product, was active in Egypt last year but it seemed to be more targeted, with far less known infections than in Turkey. The FinFisher-StrongPity campaign hit more than 100 devices. But in Egypt, the spread of FinFly through a local ISP seemed to only target less than 30 known victims, based on prior research.

“Leaked documents from nation-state spyware vendor FinFisher indicate that the company sells an in-path network injection system called FinFly ISP​. The complex system supports a number of unique features, such as rewriting downloaded binaries on-the-fly,” Citizen Lab’s report reads. “The system was apparently sold to governments in Mongolia and Turkmenistan, and at least one additional customer that could not be identified from the 2014 FinFisher leaked documents.”

Spillover into Syria

With Egypt and Turkey covered, Syria presented the most limited evidence. Marczak speculated that perhaps some Turkish internet equipment was smuggled into Syria, creating connections that link into Türk Telekom and were therefore also accessible to the SandVine administrator in Turkey. Routers and IP addresses that appeared linked to one Kurdish militia group that are known to operate in Syria were among those targeted with FinFisher.

In addition to dispensing spyware and funding adfraud, SandVine hardware appears to have been used to block content from various publishers and human rights organizations in Turkey and Egypt, including Human Rights Watch and Reporters Without Borders.

GammaGroup in the past has marketed its spying tools for use only by governments. Even so, the company has faced international criticism for helping to arm dictatorial regimes with the tools necessary to find and ultimately capture human rights activists, journalists and other dissidents.

SandVine, which was combined with California-based Procera Networks after it was acquired by Francisco Partners in July 2017, had never been associated with spyware until now. Francisco Partners is also the owner of an infamous Israeli malware development shop named NSO Group. That cyber-arms dealer created spyware launched by the UAE government to surveil a prominent local human rights activist.

Over the last several weeks, spokespeople for Procera Networks have contested aspects of Citizen Lab’s report. In response, Citizen Lab performed additional due diligence, including conducting two independent, third-party peer reviews of their report, said Ronald Deibert, director of Citizen Lab.

“We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software. While our products include a redirection feature, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products,” a Procera spokesperson told Forbes. “The allegations Citizen Lab has provided to us so far are technically inaccurate and intentionally misleading … We have a Business Ethics Committee that conducts a comprehensive review of all potential engagements to identify the potential risk of product misuse prior to any sales.”

Francisco Partners has now called on Procera to pursue an investigation into the accusations and to take action where appropriate.

-In this Story-

CitizenLab, data breaches, Egypt, ESET, espionage, Fransisco partners, hacking, Intelligence, malware, man-in-the-middle, Middle East, security research, spying, spyware, Turkey