Threat Intelligence, Malware

Middleboxes in Turkish telecom redirecting users to nation-state spyware

Security researchers have uncovered how deep packet inspection middleboxes are being used either to expose Turkish nationals to nation-state spyware or to redirect Egyptian Internet users to ads and browser cryptocurrency mining scripts.

Back in 2016, after Turkish state-run media outlets published WhatsApp messages of military officers involved in Turkey's attempted coup, Alan Duric, CTO at Wire Swiss GmbH, told SC Media UK that such messages could have been intercepted by the Turkish government through several methods including a “security flaw or backdoor”.

Later that year, researchers at Symantec's Norton division found that Turkey had the largest number of total “bot” infections in the world, with internet users in the country plagued with 18.5 percent of all of the bots across the EMEA region. These facts revealed how bots were being regularly used to infect millions of Turkish citizens.

In a reflection of how the menace continues to prevail in Turkey, security firm Citizen Lab has revealed how deep packet inspection middleboxes on the Türk Telekom network are being used to expose Turkish nationals and those in neighbouring Syria to nation-state spyware.

According to Citizen Lab researchers, Turkish internet users trying to download legitimate Windows applications from official vendor websites such as Avast Antivirus, CCleaner, Opera, and 7-Zip are being redirected to malicious websites that are infested with malware. At the same time, those trying to download software from are instead redirected to websites containing spyware.   

The researchers also observed that similar middleboxes on Egypt Mobile's network are being used to redirect internet users either to ads for short periods of time or to browser cryptocurrency mining scripts. These middleboxes, popularly known as Sandvine PacketLogic middleboxes, were used extensively in both Turkey and Egypt to block political, journalistic, and human rights content by their respective governments.

Websites that are currently blocked by the Turkish government using Sandvine's PacketLogic middleboxes include Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the Kurdistan Workers' Party (PKK). When contacted by researchers at Citizen Lab, Sandvine, the maker of such middleboxes, termed the use of such middleboxes by Turkey and Egypt for muffling citizens' voices as “false, misleading, and wrong”.

According to Citizen Lab, DPI devices supporting network injection can be used by ISPs for a range of ostensibly legitimate purposes, from alerting users to billing issues to bandwidth cap limits. Depending on how such systems are configured, however, they can be used to censor access to content or, worse, to silently infect users with malware, all without the person affected by the censorship or targeted by the malware realising what has occurred.

In an email to SC Media UK, Evgeny Chereshnev, CEO at Biolink.Tech, said that while it is not surprising to see Turkey attempt to spy on its own citizens, considering that most countries are doing it or considering it, the use of malware to redirect users to profit-generating links or to convert their machines into cryptocurrency mining zombies cannot be considered state-sponsored.

"State-sponsored malware is very rarely used for such purposes - when the big guns are being fired, they usually pursue big geopolitical goals - to compromise enemies' infrastructure, inflict real damage. Purely financial motivation usually means that professional hackers are behind it. Today those rarely work alone - they are well organised groups, hitting their financial MBO's," he said.

Chereshnev adds that, to protect themselves from such hacking groups and their actions, internet users must never open links shared by unknown sources, and must install top antivirus software and use a VPN in public hotspots to prevent hackers from seeing their traffic or phishing for their credentials.
