A report released by University of Toronto researchers claims that the government of Egypt hijacked the internet connections of its citizens’ computers in order to covertly conduct cryptocurrency mining. The Citizen Lab is the university’s interdisciplinary laboratory. Its report states that Sandvine/Procera Networks Deep Packet Inspection devices were used to secretly raise money via affiliate ads as well as through illegally mining cryptocurrency.
The researchers acknowledge that AdHose – the technique utilized by the Egyptian government to secretly hack computers – is highly difficult to detect. The method stealthily redirects users’ web traffic to malware that uses Egyptian users’ computers to show ads or conduct Monero mining. AdHose requires that the hardware be installed in Telecom Egypt’s networks.
AdHose reportedly works in two modes. The “spray” mode redirects affected users’ browsers to an ad network or Coinhive’s cryptocurrency mining malware. The “trickle” mode redirects traffic every time specific sites – such as CopticPope.org or porn site Babylon-X – are visited.
According to the report, the scheme has been in operation since October 2016. Sandvine Corporation was purchased in 2017 by Francisco Partners – a private equity firm which acquired Procera Networks back in 2015. Since then, Procera Networks and Sandvine have been collaborating on PacketLogic – a site-filtering software that the University of Toronto report says “may have been used by government-linked entities in both Turkey and Egypt to inject spyware.”
The report and its findings were summarized by The Citizen Lab and sent to Sandvine and Francisco Partners in February this year. However, Sandvine states that the report is “false” and “wrong”. The lab has expressed confidence in its research as well as in the confirmation of two independent peer reviews, declaring: “We emphasized that we were confident in our research findings, which two independent peer reviews confirmed.”