In light of the news that Egypt is likely mining cryptocurrency on its own citizens' computers, we wanted to know more about the software and hardware that make this possible.
According to The Citizen Lab at the University of Toronto, Egypt's mining operation is only possible because of Deep Packet Inspection devices made by Sandvine/Procera Networks. These devices are installed on the Egyptian telecom network and were used to raise money by redirecting users to ads and to crypto-mining malware in two campaigns: a "spray" campaign that injected redirects across every website users visited, and a more targeted "trickle" campaign that injected them only on specific sites.
The Sandvine Corporation, like many tech operations, is a maze of mergers and acquisitions. Last year it was purchased by Francisco Partners, which had previously purchased Procera Networks in 2015. Sandvine and Procera were then merged.
The merged company has continued to produce traffic-filtering software. This software, called PacketLogic, has been identified in the Citizen Lab report as the means by which government-linked entities in Turkey and Egypt were able to inject spyware onto citizen-owned machines.
In addition to the spyware injection, the Citizen Lab report charges Egyptian government-tied entities with injecting Coinhive, a browser-based Monero miner, into users' traffic. Coinhive is an easily available miner for the privacy-focused cryptocurrency, and it runs in the victim's browser rather than as an installed program.
Researchers located devices called middleboxes while scanning IP addresses in certain countries. These devices sit in the path of network traffic and can read or alter connections to unencrypted (plain HTTP) websites, which makes that traffic easy to block or redirect; encrypted HTTPS connections cannot be silently altered in the same way. According to the researchers, middleboxes were used to redirect hundreds of users in Turkey and Syria, as well as in Egypt.
In Turkey and Syria, the devices redirected users who tried to download legitimate Windows applications to versions bundled with spyware. In Egypt, however, the devices appear to have been geared toward something beyond censorship and surveillance: redirecting users to ad sites and serving mining malware. The boxes affected dozens of ISPs.
Widespread, high injection rates
Over six million people in Egypt use Telecom Egypt as their phone and internet provider. The provider is 80% owned by the Egyptian Ministry of Communications and Information Technology. That is a damning figure for the Egyptian government: if the state owns the carrier, it is hard to argue it is unaware of what the carrier's network does.
Citizen Lab calls the Egyptian redirection and revenue-generation hijack "AdHose". The scheme has been run by the same entity since at least October 2016. At the beginning of this year, scans of nearly 6,000 IP addresses across four ASNs found an injection rate of 95%.
Confident in their findings, despite pushback from Sandvine
Sandvine and Francisco Partners received a letter from the Citizen Lab team, and have publicly responded that the report is misleading, false and wrong. The Citizen Lab, however, maintains that it is confident in its conclusions and that it observed the phenomenon directly. It has obtained two independent peer reviews of its findings, both of which agree with its conclusions.