The Egyptian government (or individuals connected to it) has hijacked the local internet connections of its citizens to secretly mine cryptocurrency, according to a new report by security researchers at the University of Toronto. Proving that such a large-scale intrusion was operated by a nation-state is “the stuff of legends,” said the researchers, because detecting the techniques involved is a difficult process.
Researchers at the university’s Citizen Lab identified a scheme called “AdHose,” which secretly redirected Egyptian internet users’ web traffic to malware that used the processing power of their computers to mine the Monero cryptocurrency, or to display ads. AdHose depends on hardware installed within the networks of Telecom Egypt.
The researchers found that it is used in two ways. The first, called “spray” mode, redirects the browsers of affected users to either an ad network or cryptocurrency mining malware called Coinhive whenever they try to visit any website. In January, one scan found that 95% of the more than 5,700 observed devices were affected by AdHose. The report did not give the exact total number of affected users.
“Spray” mode is used sparingly, according to the researchers. The other way of using AdHose is “trickle” mode, which redirects web traffic only when users access certain websites. Such websites include CopticPope.org, a former religious website, and Babylon-X.com, a porn site. The researchers discovered that trickle mode is always operating.
The hardware used to implement AdHose is also used for censorship. It blocks access to news outlets like Al Jazeera and NGOs such as Human Rights Watch. Citizen Lab found similar schemes in other countries such as Turkey and Syria, but instead of crypto-mining malware, users were infected with spyware when they downloaded anti-virus programs that they thought were legitimate.
The maker of the hardware is a Canadian firm called Sandvine, which incorporated a firm called Procera Networks last year. The researchers said that Sandvine called their report “false, misleading, and wrong” when they presented the firm with their findings.