Türk Telekom, a Turkish Internet Service Provider (ISP), has deployed special hardware to intercept and alter Internet traffic, swapping legitimate software downloads with similar applications, but infected with spyware.
A Citizen Lab report claims that Türk Telekom has deployed Sandvine PacketLogic middleboxes in five regions across the country. These devices are powerful traffic interception machines that can allow the ISP to spy on unencrypted traffic, and even alter its content by injecting additional code.
Middleboxes used as malware delivery system
According to the report, the devices deployed on the network of this ISP have been used as a malware delivery system.
Researchers spotted the middleboxes redirecting users attempting to download software from official websites to pages offering the same software but injected with the FinFisher spyware. In later cases, researchers say the payload switched from FinFisher to another spyware strain named StrongPity.
Citizen Lab says it identified such redirects when users tried to download the Avast Antivirus, CCleaner, VLC, Opera, and 7-Zip from their official websites.
Additionally, the ISP also tainted some software downloads hosted on CNET's Download.com platform in a similar manner, offering the spyware-infected version instead of the legitimate app.
These download switcheroos didn't happen for everyone. Citizen Lab says it identified 259 IP addresses for which the middleboxes replaced downloaded software. Some IPs belonged for users located in Syria, where some Türk Telekom subscribers provided Internet access via cross-border directional Wi-Fi links.
Government involvement highly probable
But researchers don't believe this is the work of a rogue employee. This is because the same ISP middleboxes have been used to censor access to various political domains —such as the website of the Kurdistan Workers’ Party (PKK), Wikipedia, and the website of the Dutch Broadcast Foundation (NOS).
Furthermore, FinFisher isn't your regular run-of-the-mill malware. This is a very expensive "lawful intercept" product sold only to government agencies by the eponymous FinFisher company, a provider of government-grade surveillance technology.
The censorship of political domains and the deployment of spyware made available only to law enforcement suggests a heavy involvement of the Turkish government into the traffic interception scheme.
It is unclear if the government was going after dissidents or was cracking down on Syrian Kurdish troops, against which Turkish forces are engaged in military campaigns.