Government-owned Telecom Egypt linked to Monero mining software

Getting your Trinity Audio player ready...

If proven true, Sandvine’s new “revenue-generation” formula is downright unethical.

Since last year, over 5,000 websites including Amazon and Australian government websites have fallen victim to a malware that uses unwitting users’ computers to mine Monero (XMR) for attackers. Back then, the Coinhive malware slipped in these websites through a usability plugin called BrowseAloud.

And it looks like cyberthieves are deploying the same malware to mine the same coin, but this time a suspect has been pinpointed.

A report by researchers at the Citizen Lab titled, “BAD TRAFFIC” alleges that government-owned company Telecom Egypt had a hand in it, with implications of involvement by network intelligence provider Procera, and its newly acquired corporation Sandvine. Apart from infecting users with Monero-mining CoinHive malware, users are also being wrongly redirected to revenue-generating ads and content—which is one of Sandvine/Provera’s major business offerings. The Sandvine/Procera partnership focuses on traffic management, analytics, and revenue generation, among other things.

The report says that Sandvine devices are being used to infect users with the malware and to generate revenue through redirects not only in Egypt but also in Turkey and Syria, adding that this “raises significant human rights concerns.”

According to the report, the researchers found deep packet inspection (DPI) middleboxes on Egyptian government-owned Telecom Egypt which were similar to those found on Türk Telekom, and “were being used to hijack Egyptian Internet users’ unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.”

In a message to CoinDesk, Sandvine denies the allegations, and says that the company has launched an investigation on the allegations.

“Based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading….We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software. While our products include a redirection feature, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products.”

This isn’t the first time the Egyptian government has been accused of manipulation. In 2016, a report alleged that there were anomalies in networks in Egypt, pointing to censorship and malware injection, as well as interference of secure networks (HTTPS) while enabling connections to unsecured networks (HTTP).