State Spy Programs, espionage & Monero mining – fingers point at Sandvine

Sandvine Products and Technology Used by Egypt, Turkey, and Syrian Governments to Install Spyware and Monero Mining.

A Canadian security and human rights research group Citizen Lab has discovered that Turkey, Egypt, and Syrian governments are involved in the hijacking of local internet connections for the purpose of injecting surveillance malware.

Moreover, Citizen Lab, run by the University of Toronto’s Munk School of Global Affairs, stated that they identified Sandvine PacketLogic devices and Deep Packet Inspection technology installed in Türk Telecom and Telecom Egypt networks for injecting browser-based Coinhive Monero cryptomining scripts into web traffic and for ensuring political censorship.

The research group noted that not only governments of the identified countries but also agencies and ISPs are benefitting from Sandvine’s technology to intercept and change web traffic. It must be noted that Deep Packet Inspection technology allows ISPs to prioritize, block, inject, degrade and log different types of internet traffic and assess every packet to keep track of online activities of users.

Perhaps, this is why internet users in Egypt, Turkey, and Syria were redirected to nation-wide distributed spyware when they attempted to download authentic Windows applications. This was made possible by the deep packet inspection boxes that are installed at telecom networks across Turkey and Egypt. Researchers wrote in their report, published on Friday, that this discovery raises “significant human rights concerns.”

The Windows applications users in Egypt, Turkey, and Syria tried to download from CBS Interactive’s included Avast Antivirus, 7-Zip, Opera and CCleaner. They attempted to download these applications from official vendor websites but were diverted to malware-infected versions of the applications via HTTP redirects.

Related:  After The Pirate Bay, Showtime Websites Also Found Mining Cryptocoins

Researchers believe that this redirection became possible because despite supporting HTTPS, the official websites for these programs by-default directed users to non-HTTP downloads. The malware is said to be quite similar to FinFisher and StrongPity spyware. Apparently, does not support HTTPS despite its claims of offering secure downloads.

When contacted, CBS Interactive’s CNET did not respond, nor released an official statement.

The scheme for which Sandvine boxes have been employed is dubbed as AdHose as it involves the distribution of affiliate ads and/or browser crypto-mining scripts. Network hardware is also believed to being used for censoring websites like Al Jazeera, HuffPost Arabic, Human Rights Watch, Mada Masr and Reporters Without Borders.

State Spy Programs, espionage & Monero Mining - fingers point at Sandvine

Sandvine and its owner Francisco Partners have claimed that Citizen Lab report is flawed and misrepresent their products. In a letter issued to Citizen Lab by Sandvine on March 7, the University of Toronto was asked to delay the report’s publications on grounds that the allegations were intentionally misleading and technically unfeasible.

Moreover, head of the Citizen Lab research team Professor Ronald Deibert has been charged by Sandvine for using unethical research methods and misappropriation of company’s technology by obtaining used Sandvine box for testing.

These claims were disputed by the University and Citizen Lab’s attorneys, who questioned Sandvine’s unwillingness to respond to queries about the firm’s commitment to ethical business practices and human rights and defended Citizen Lab’s research methods.

“You state, broadly, that Sandvine takes seriously its commitment to corporate social responsibility and ethical use of its products. However, you have not responded to any of the specific questions asked of Sandvine by Citizen Lab in letters dated February 16 and March 1, 2018,” the letter issued by University of Toronto and Citizen Lab attorneys read.

Related:  Hackers are using YouTube Ads to Mine Monero Cryptocurrency


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.