Telecom Egypt, a government-owned company, has been diverting Egyptian internet users to mine cryptocurrencies or to view certain ads by injecting malicious content into their traffic, according to a report published by security analysts at the University of Toronto.
The Citizen Lab researchers found that Sandvine’s PacketLogic devices were used to deploy government spyware in Turkey and to redirect Egyptian users to particular ads. They found Deep Packet Inspection (DPI) middleboxes on Türk Telekom’s network. The DPI boxes were being used to divert multiple clients in Turkey and Syria to spyware when those users tried to download specific legitimate Windows applications. Let’s take a look at what exactly happened.
What is DPI?
Deep packet inspection (DPI) is an advanced technique for examining and managing network traffic. It is a form of packet filtering that locates, identifies, classifies, reroutes or blocks packets with specific payloads, something conventional packet filtering, which examines only packet headers, cannot do.
Researchers found that the middleboxes were used to hijack Egyptian Internet users’ unencrypted web connections and redirect the users to commercial content such as affiliate ads and browser cryptocurrency mining payloads. They matched the characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. After that, they developed a fingerprint for the injection they found in Turkey, Syria, and Egypt and matched that fingerprint to a second-hand PacketLogic device.
The spyware found was similar to that used in the StrongPity APT attacks. Before switching to the StrongPity spyware, the operators of the Turkey injection used the FinFisher “lawful intercept” spyware, which FinFisher asserts is sold only to government entities. They also found that in Egypt, these devices were being used to block many human rights, political, and news websites including Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic. In Turkey, these devices were being used to block websites like Wikipedia, the website of the Dutch Broadcast Foundation (NOS), and the website of the Kurdistan Workers’ Party (PKK). Researchers tested websites such as avast.com, iobit.com, and ccleaner.com. These websites used HTTPS on their main pages but sent users to download links that did not use HTTPS, so the download itself travelled in plaintext even though the user saw an HTTPS page in their browser.
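The weak point the researchers describe is a secure page that hands the user a plaintext download link, because only the unencrypted download is exposed to an injecting middlebox. The following script is an added example, not code from the article or from Citizen Lab, that a site operator can run over their own HTML to find installer links that would be fetched over plain HTTP. The domain names and the sample page are constructed for the example, and the list of installer extensions is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File extensions treated as installer downloads (assumed list for this example).
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class LinkCollector(HTMLParser):
    """Collect the href target of every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_plaintext_downloads(page_url, html):
    """Return absolute URLs of download links that would travel over plain HTTP.

    Relative and scheme-relative links are resolved against page_url, so a link
    such as //mirror.example/x.msi on an HTTPS page inherits https and is not
    reported; only links that resolve to an http:// installer are returned.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parsed = urlparse(absolute)
        if parsed.scheme != "http":
            continue
        if parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS):
            findings.append(absolute)
    return findings


# Constructed sample: an HTTPS download page whose links mix schemes.
SAMPLE_PAGE_URL = "https://vendor.example/download"
SAMPLE_HTML = """
<html><body>
  <a href="https://vendor.example/files/setup.exe">Download (secure)</a>
  <a href="http://cdn.vendor.example/tools/setup.exe">Download (mirror)</a>
  <a href="http://cdn.vendor.example/tools/Setup-Portable.ZIP">Portable build</a>
  <a href="//mirror.example/installer.msi">MSI package</a>
  <a href="/docs/guide.html">Installation guide</a>
  <a href="http://vendor.example/about">About us</a>
</body></html>
"""


def audit_sample():
    """Run the check on the constructed page and return the flagged links."""
    return find_plaintext_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for url in audit_sample():
        print("plaintext download link:", url)
```

Only the two links that resolve to http:// installers are reported; the scheme-relative MSI link inherits https from the page and the plain-HTTP “About us” page is not a download. Moving those two links to HTTPS removes the plaintext hop that an in-path injector depends on.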
Researcher Bill Marczak of Citizen Lab at the Munk School said that, “Leaked documents have long indicated that a number of governments are targeting their opponents by surreptitiously injecting spyware into their internet connections”. You can read the Citizen Lab report here.
The creator of the intrusive hardware is a Canadian firm called Sandvine, which merged with a firm called Procera Networks a year ago. The researchers said that Sandvine called their report “false, deceptive, and wrong”.