The Egyptian government or entities linked to it have reportedly been hijacking their local internet users’ connections to secretly mine cryptocurrency.
Watch Out! Governments and Internet Service Providers (ISPs) in Turkey, Syria and Egypt Caught Using Sandvine’s PacketLogic Devices to Infect Citizens with 💰Cryptocurrency Mining Scripts and 🕵Spying Malwarehttps://t.co/AEB6ONq0RF pic.twitter.com/dfjW93G7I8
— The Hacker News (@TheHackersNews) March 9, 2018
A report released on Friday by Citizen Lab at the University of Toronto says (with evidence) that the Egyptian government is using a clever technique to surreptitiously force its citizens to mine the Monero cryptocurrency.
The researchers found out a scheme, referred to as “AdHose”, which secretly redirects the web traffic towards advertisements and websites that stimulate a computer to mine the Monero cryptocurrency.
The AdHose relies on hardware installed within the networks of Telecom Egypt. The hardware includes middleboxes attached to the computer network.
The redirection has two modes: the ‘spray mode’ and the ‘trickle mode’. In Spray mode a middlebox “redirects Egyptian Internet users en masse to ads or cryptocurrency mining scripts whenever they make a request to any website,” the report says. The researchers also reported that this mode is used “sparingly”.
While in the trickle mode, the web traffic is redirected only when users visit particular URLs. These sites include CopticPope.org (former website of the Pope of the Coptic Orthodox Church of Alexandria) and Babylon-X.com (a porn site).
CoinHive, a Monero mining platform was also included in the list of links for AdHose middleboxes that redirected the Egyptian internet users’ connection. CoinHive has previously been linked to the massive cryptojacking case that affected Youtube at the end of January. A java script from CoinHive was reportedly used to run malicious ads on Youtube that secretly used users’ CPU to mine Monero.
Citizen Lab’s report further noted that the same middlebox that runs AdHose doubles as a censorship tool in Egypt that blocks the website for NGOs like Humans Right Watch and the news outlet Al Jazeera.
The researchers found the same schemes in Syria and Turkey too but instead of cryptojacking malwares, users were served with spywares when they attempted downloading anti-virus programs.
The hardware that ran AdHose is made by a Canadian network equipment company called Sandvine. When Citizen Lab notified Sandvine of the unethical use of their devices, the company denied the report calling it “false, misleading and wrong”