Governments and internet service providers (ISPs) in the three countries are using Deep Packet Inspection technology from Sandvine to intercept, and in some cases alter, Internet users' web traffic.
Deep packet inspection technology allows ISPs to degrade, block, inject, and log various types of Internet traffic.
A similar campaign has been spotted in Syria, where web users were quietly redirected to malicious versions of various popular applications, including CCleaner, Opera, Avast Antivirus, and 7-Zip, that were apparently bundled with government spyware.
In Turkey, Sandvine PacketLogic devices were being used to block sites such as Wikipedia, the sites of the Kurdistan Workers’ Party, and the Dutch Broadcast Foundation.
ISPs Injected Cryptocurrency Mining Scripts Into Web Browsers
In Egypt, Sandvine PacketLogic devices were being used by a telecom operator to generate revenue by:
- Secretly injecting a cryptocurrency-mining script into every HTTP web page users visited, in order to mine Monero cryptocurrency,
- Redirecting Egyptian users to web pages carrying affiliate advertisements.
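The injection described above only works on plaintext HTTP, because an in-path device cannot rewrite a page delivered over HTTPS. The following added example (not code from the article or from Citizen Lab's report) shows how a defender can spot such injection by comparing a page fetched through the suspect path with a trusted reference copy; the HTML samples and host names are constructed.

```python
# Compare a page observed over plaintext HTTP with a trusted reference copy
# (e.g. the same page fetched over HTTPS) and report script elements that the
# network path appears to have added. Added example; sample data is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> element: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []          # values of src= attributes
        self.inline = []        # text of inline <script> bodies
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def find_injected_scripts(reference_html, observed_html, page_url):
    """Return (foreign_srcs, new_inline): external scripts whose host differs
    from the page's own host and inline bodies that the reference copy lacks."""
    ref, obs = ScriptCollector(), ScriptCollector()
    ref.feed(reference_html)
    obs.feed(observed_html)
    page_host = urlparse(page_url).hostname
    foreign = [s for s in obs.srcs
               if s not in ref.srcs and urlparse(s).hostname not in (None, page_host)]
    new_inline = [b for b in obs.inline if b not in ref.inline]
    return foreign, new_inline


# Constructed sample: the trusted page, and the same page as seen through a
# path that appended a third-party miner script just before </body>.
REFERENCE = "<html><body><p>news</p><script src='/js/app.js'></script></body></html>"
OBSERVED = REFERENCE.replace("</body>", "<script src='http://miner.example/m.js'></script></body>")

if __name__ == "__main__":
    print(find_injected_scripts(REFERENCE, OBSERVED, "http://news.example/"))
```

Relative `src` values (no host) are treated as same-origin, so only third-party scripts absent from the reference are reported.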
In Egypt, these devices were also being used to block access to political, human rights, and certain news outlets, including Al Jazeera, Reporters Without Borders, HuffPost Arabic, and Mada Masr.
Citizen Lab began this investigation in September 2017, after ESET researchers published a report indicating that downloads of several popular applications had been compromised at the ISP level in two (unspecified) countries to distribute the FinFisher spyware.