Predaxia Research

Sandvine PacketLogic

Sandvine · United States (formerly Canada)

Active · US Entity List 2024 · Citizen Lab forensic 2023

Confidence 4/5

Vendor: Sandvine Inc.
Country of origin: Originally Canada (Waterloo, ON), now Texas (Plano, US)
Founded: 2001
Current ownership: Francisco Partners (acquired 2017, approximately $562M)
Current status: Active
US Entity List: Yes, since February 26, 2024
Documented use: Network injection of Predator spyware (Egypt)

Technical capabilities

Sandvine PacketLogic is a Deep Packet Inspection (DPI) platform deployed at the carrier and ISP level. It performs real-time classification of internet traffic by protocol and application, supports TLS fingerprinting, performs traffic-shaping and prioritization, and can redirect HTTP traffic to attacker-controlled destinations. The platform is sold globally as a quality-of-service and traffic-management tool.

Citizen Lab’s September 2023 report “Predator in the Wires” demonstrated that PacketLogic was used by an Egyptian operator to perform network-level injection of the Predator mercenary spyware (Intellexa) against an Egyptian opposition presidential candidate. The redirection occurred at the Telecom Egypt backbone via PacketLogic middleboxes, redirecting cleartext HTTP requests to spyware delivery URLs.

Documented use

Public Citizen Lab and Reuters research has surfaced PacketLogic deployments in:

  • Egypt: network injection of Predator spyware against opposition figure Ahmed Eltantawy (May to September 2023), per Citizen Lab.
  • Turkey: deployment by Turk Telekom for content filtering and reported targeted redirection (Citizen Lab 2018 “Bad Traffic” report).
  • Syria: deployment in 2014 by Syrian Telecommunications Establishment, per Bloomberg Businessweek reporting.
  • Belarus, Eritrea, Iraq, Kazakhstan, UAE: reported in Forbes and procurement records.

The Egypt case provided the first publicly documented direct link between Sandvine middleboxes and active mercenary-spyware delivery.

Customer states

Customers are telecom carriers and government agencies in dozens of countries. Sandvine has published voluntary customer-screening commitments since 2017, but Citizen Lab and Bloomberg reporting has demonstrated that those commitments have repeatedly failed in practice. The February 2024 BIS Entity List action explicitly cited the Predator-injection capability discovered in Egypt.

Legal and sanctions status

  • Added to the US Department of Commerce Entity List on February 26, 2024, citing supply of equipment for mass web monitoring and targeted spyware injection in Egypt.
  • Owned by US private equity firm Francisco Partners since 2017.
  • Subject to US export controls under EAR, more restrictive since Entity List addition.
  • Multiple internal employee resignations reported by Bloomberg in 2018 and 2024 in response to deployment to authoritarian regimes.

Technical countermeasures

  • HTTPS Everywhere by default: PacketLogic redirection in the Egypt case targeted cleartext HTTP. Modern browsers default to HTTPS where available.
  • HSTS and Encrypted Client Hello (ECH): deny PacketLogic the ability to perform SNI-based redirection on TLS traffic.
  • DNS-over-HTTPS or DNS-over-TLS: blunt DNS-level interception. Use an encrypted DNS endpoint operated by a trustworthy resolver, ideally outside the operator country.
  • Tor Browser: full transport-layer encryption plus relay obfuscation defeats DPI classification and redirection.
  • WireGuard or OpenVPN to trusted endpoint: end-to-end tunnel out of the surveilled carrier, provided the operator is trusted.
  • Lockdown Mode on iOS: defeats some of the post-redirect spyware delivery chains.

For at-risk individuals. In jurisdictions where carriers are believed to operate DPI middleboxes capable of spyware injection, assume any cleartext HTTP request can be redirected. Default to encrypted DNS, HTTPS-only mode, and a trustworthy VPN or Tor.
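
The countermeasures above rest on one observation: the redirection in the Egypt case needed a cleartext HTTP request. As an added example (not code from Citizen Lab or from this database), the Python below triages a proxy or HAR-style log for cleartext requests that were answered with a redirect to a different host, and lists every host still contacted over plain HTTP. The log format, field names and hostnames are constructed, and comparing hosts after stripping a leading "www." is a simplifying assumption in place of registrable-domain matching.

```python
import json
from urllib.parse import urljoin, urlsplit

# Constructed sample: one JSON object per line, as a forward proxy or
# HAR export might record request URL, response status and Location header.
SAMPLE_LOG = """\
{"url": "http://news.example/", "status": 301, "location": "https://news.example/"}
{"url": "http://shop.example/cart", "status": 302, "location": "/login"}
{"url": "http://blog.example/post", "status": 307, "location": "https://cdn-delivery.invalid/x?id=1"}
{"url": "https://bank.example/", "status": 302, "location": "https://sso.other.example/"}
{"url": "http://example.org/", "status": 200, "location": null}
{"url": "http://example.org/a", "status": 301, "location": "https://www.example.org/a"}
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


def _host(url):
    """Lower-cased hostname with a leading 'www.' removed (assumed heuristic)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def _records(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_cleartext_redirects(text):
    """Cleartext requests whose redirect target is on a different host."""
    findings = []
    for rec in _records(text):
        if urlsplit(rec["url"]).scheme != "http":
            continue  # TLS-protected exchange: an on-path box cannot rewrite it
        if rec["status"] not in REDIRECT_CODES or not rec.get("location"):
            continue
        # Location may be relative; resolve it against the request URL first.
        target = urljoin(rec["url"], rec["location"])
        if _host(target) != _host(rec["url"]):
            findings.append({"url": rec["url"], "status": rec["status"], "target": target})
    return findings


def cleartext_hosts(text):
    """Every host contacted over plain HTTP: the exposure HTTPS-only mode removes."""
    return sorted({_host(r["url"]) for r in _records(text)
                   if urlsplit(r["url"]).scheme == "http"})


if __name__ == "__main__":
    for hit in flag_cleartext_redirects(SAMPLE_LOG):
        print("review:", hit)
    print("cleartext hosts:", cleartext_hosts(SAMPLE_LOG))
```

A hit is a triage signal rather than proof of injection, since many legitimate sites redirect across hosts over HTTP; the cleartext host list is the part to drive to zero.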

Update log

April 7, 2026: Entry created. Sourced from Citizen Lab Predator in the Wires report (September 2023), US BIS Entity List addition (February 2024), Bloomberg internal-source reporting, Reuters sanctions coverage, and Citizen Lab Bad Traffic 2018 investigation.