Governments in Syria and Turkey have been caught red-handed hijacking local internet users’ connections to surreptitiously inject surveillance malware. The same interception technology has also been found secretly injecting browser-based cryptocurrency mining scripts into users’ web traffic in countries like Egypt.

Governments and internet service providers (ISPs) in the three countries are using Deep Packet Inspection technology from Sandvine to intercept and alter internet users’ web traffic.

Deep packet inspection technology allows ISPs to degrade, block, inject, and log various types of internet traffic.

In other words, they can analyze each and every packet to see what people are doing online.

“The redirection was possible because official sites for these programs, although they might have supported HTTPS, directed users to non-HTTPS downloads by default,” the research report reads.

A similar campaign has been spotted in Syria, where web users were quietly redirected to malicious versions of various popular applications, including CCleaner, Opera, Avast Antivirus, and 7-Zip, that were apparently bundled with government spyware.
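
The weakness named in the report's quote, installer downloads served over plain HTTP from sites that otherwise support HTTPS, can be checked for from the defender's side. The following is an added example, not code from the Citizen Lab report or from the original article; the sample markup, the `example.test` host, the extension list and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File extensions treated as installers/archives (an assumption for this example).
DOWNLOAD_EXTS = (".exe", ".msi", ".dmg", ".zip", ".7z", ".apk")


class _LinkCollector(HTMLParser):
    """Collects href values from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def insecure_downloads(page_url, html):
    """Return resolved download URLs that would be fetched over plain HTTP.

    Relative and scheme-relative links inherit the scheme of page_url, so the
    same markup is safe on an HTTPS page and open to on-path tampering on an
    HTTP one.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        resolved = urljoin(page_url, href)
        parts = urlsplit(resolved)
        if parts.scheme == "http" and parts.path.lower().endswith(DOWNLOAD_EXTS):
            findings.append(resolved)
    return findings


# Constructed sample page; example.test is a placeholder host.
SAMPLE = """
<a href="http://dl.example.test/setup.exe">Download</a>
<a href="https://dl.example.test/setup.msi">Download (MSI)</a>
<a href="//dl.example.test/portable.zip">Portable</a>
<a href="/files/tool.7z">Archive</a>
<a href="/about.html">About</a>
"""

if __name__ == "__main__":
    for base in ("https://www.example.test/download", "http://www.example.test/download"):
        print(base, "->", insecure_downloads(base, SAMPLE))
```

On the HTTPS page only the hard-coded `http://` link is flagged, which is the default-to-HTTP case the report describes; on the HTTP page every download link is flagged.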

In Turkey, Sandvine PacketLogic devices were being used to block sites such as Wikipedia, the sites of the Kurdistan Workers’ Party, and the Dutch Broadcast Foundation.

ISPs Injected Cryptocurrency Mining Scripts Into Web Browsers

In Egypt, Sandvine PacketLogic devices were being used by a Telecom admin for revenue by:

In Egypt, these devices were also being used to block access to political, human rights, and certain news outlets like Al Jazeera, Reporters Without Borders, HuffPost Arabic, and Mada Masr.

Citizen Lab researchers reported their discoveries to Sandvine, but the company called the report “both misleading, and wrong,” and also demanded that they return the PacketLogic device they used to confirm their fingerprint.

Citizen Lab began this investigation in September 2017 after ESET researchers published a report indicating that the downloads of several popular applications were compromised at the ISP level in 2 (unspecified) countries to distribute the FinFisher spyware.

Olé Crypto,

