According to a report from the University of Toronto, a telecom company connected to the Egyptian Government is secretly mining cryptocurrencies from its citizens’ computers through a program called AdHose.
Government Funding or Otherwise
Adhose would either redirect Egyptian Internet users to advertising sites or websites that would mine the cryptocurrency Monero without the user’s knowledge.
“On a number of occasions, the middleboxes were apparently being used to hijack Egyptian internet users” unencrypted web connections en masse, and “redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts,” said the report.
While it’s unclear why Egypt would hack the computers of their citizens’, the report suggests that it is “to covertly raise money” for the government.
AdHose: The Government’s cryptocurrency mining scheme
Adhose has two modes: A “spray mode,” where a middlebox “redirects Egyptian Internet users en masse to ads or cryptocurrency mining scripts” when they would attempt to access a website.
The other mode is the “trickle mode” where “only requests to certain URLs are redirected.”
Specific websites like a former pornographic site called Babylon-X.com and a religious site for the Orthodox Church called CopticPope.org continuously redirected users to ads regardless of whether the spray mode was active.
Although the Egyptian telecom company uses both modes, the trickle mode occurs continuously while they only sparingly use the spray mode.
The University also performed a scan on January 3, 2018. They discovered that 95 percent of the time, the AdHose program would redirect users to advertising sites. They tested 5,702 IP addresses, and 5,443 were susceptible to the program.
Cryptocurrency Mining and Censorship Tool
The report mentions that AdHose also doubles up as a censorship tool used by the government to block news sites and human rights websites like Reporters Without Borders, Al Jazeera, and HuffPost Arabi.
The University of Toronto found similar findings in other regions in North Africa and the Middle East. While the government’s in these regions did not mine using citizens resources, they used similar programs for censorship purposes.
Users in those regions were unwittingly downloading spyware programs with the belief that they were anti-virus programs.
Deep Packet Inspection Technology from Sandvine
Egypt, Syria, and Turkey are using censorship tool that comes from Sandvine‘s Deep Packet Inspection technology to infiltrate, insert surveillance malware and in Egypt’s case, inject browser-based cryptocurrency mining scripts.
Deep packet inspection technology allows internet service providers to analyze what individuals are doing online by prioritizing, blocking, injection and logging different types of internet traffic.
Although the researchers at the University of Toronto reported their findings to Sandvine, the company called their report “false, misleading, and wrong.” They also forced Citizen Lab to return the PacketLogic device used to confirm these findings.
According to a statement with CoinDesk, Sandvine stated that:
“Based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading. [We] have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software. While our products include a redirection features, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products.”
Crypto-Jacking Becoming a Serious Problem
Although this is one of the first instances a state-owned telecommunications company is mining from their citizens, crypto-jacking is a prevalent problem.
On January 31, 2018, crypto jackers leveraged Youtube advertisements to mine cryptocurrencies at the detriment and expense of Youtube viewers.
Hackers were even able to access Tesla’s cloud and use its computing power to mine digital currencies. On February 15, 2018, hackers also infected UK government websites.
While a cryptocurrency mining spyware setup by the Egyptian government sounds highly unlikely, Tor Project’s Open Observatory of Network Interference found similar findings of a spyware epidemic in 2016. Users, however, were not involved in any form of crypto-jacking.
Nevertheless, crypto-jacking is unethical and offers a new problem to cybersecurity that effects everyone.