According to a new report from researchers at the University of Toronto, entities linked to the Egyptian government may have been hijacking “Egyptian internet users’ unencrypted web connections en masse” to secretly mine cryptocurrency.
According to the detailed report from the University of Toronto Citizen Lab, researchers identified techniques being used to hijack Egyptian citizens’ computers and mobile devices. Egyptian internet users were reportedly being covertly redirected to malware that used their computers to mine Monero cryptocurrency. The Citizens Lab describes itself as an “interdisciplinary laboratory” focused on “research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.”
— Through Internet scanning, we found deep packet inspection (DPI) middleboxes on Türk Telekom’s network. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications.
— We found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the middleboxes were apparently being used to hijack Egyptian Internet users’ unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.
— After an extensive investigation, we matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting.
—The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns.
The researchers called the scheme AdHose, which has two modes: spray mode and trickle mode. According to the report:
Quartz Media reported the hardware used for implementing AdHose is used for revenue generation as well as a censorship tool. The report stated that the malware blocked certain news outlets such as Al Jazeera, Reporters Without Borders and Human Rights Watch, and redirected users attempting to access certain websites such as former-pornographic website Babylon-X.com and the Coptic Orthodox Church religious website for the pope (CopticPope.org).
Quartz Media explained that with “spray” mode, “any website that affected users tried to visit would redirect their browsers to either an ad network or cryptocurrency mining malware called Coinhive. One scan in January found 95% of devices observed, numbering over 5,700, were affected by AdHose.”
University researchers conducted tests that identified AdHose middleboxes in a Telecom Egypt “demarcation point,” which may provide evidence of a connection to the Egyptian government, as Telecom Egypt is state-owned.
The maker of the hardware is a Canadian company called Sandvine; the Citizen Lab researchers noted that Sandvine called their report “false, misleading, and wrong.” Sandvine also issued a statement to CoinDesk:
Based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading….We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software. While our products include a redirection feature, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products.
The researchers reached out to Sandvine and its owner Francisco Partners for comment on the discovery. They received a response stating:
A key part of the Sandvine’s innovation process is to ensure that we do not lose sight of the ethical impact of our technology on human rights, freedom of speech, and privacy. Sandvine has taken the approach on regulating access to the components of our solutions that could be sued to infringe on any of these. The usage of our regulatory compliance solutions is controlled by an EULA and software licenses that are required for any components that could conceivably be used to violate human rights, freedom of speech, and privacy.
However, the report stated that Sandvine referred to confidentiality issues as it refrained from commenting on business dealings in Egypt or Turkey. Business dealings with these countries would appear to contradice Sandvine’s Business Ethics Committee review process, in which it has used the World Bank Index to review sales with partners, stating they use “strong safeguards” that Sandvine asserts it maintains “regarding social responsibility, human rights, and privacy rights.”
“We emphasized that we were confident in our research findings, which two independent peer reviews confirmed,” the researchers at Citizens Lab maintained.