ISPs Caught installing Cryptocurrency Miners and Spyware

Governments in Turkey and Syria have been caught hijacking local web users’ connections to quietly inject surveillance malware, while the same mass interception technology has been found silently injecting browser-based cryptocurrency mining scripts into users’ web traffic in Egypt.


Governments, or agencies connected to them, and ISPs in the three countries are using Deep Packet Inspection (DPI) technology from Sandvine (which merged with Procera Networks last year) to intercept and alter web users’ internet traffic.


Deep packet inspection technology allows ISPs to prioritize, degrade, block, inject into, and log all kinds of web traffic; in other words, they can analyze every packet to see what you’re doing online.


According to a new report by Citizen Lab, Turkey’s telecommunication network was using Sandvine PacketLogic devices to redirect hundreds of targeted users (journalists, lawyers, and human rights defenders) to malicious versions of legitimate programs bundled with FinFisher and StrongPity spyware when they tried to download them from official sources.


“This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default,” the report reads.


A similar campaign has been observed in Syria, where web users were silently redirected to malicious versions of various popular applications, including Avast Antivirus, CCleaner, Opera, and 7-Zip, bundled with government spyware.


In Turkey, Sandvine PacketLogic devices were being used to block websites such as Wikipedia and the sites of the Dutch Broadcast Foundation (NOS) and the Kurdistan Workers’ Party (PKK).


ISPs Injected Cryptocurrency Mining Scripts Into Users’ Web Browsers

However, in Egypt, Sandvine PacketLogic devices were being used by a telecommunication operator to make money by:

  • secretly injecting a cryptocurrency mining script into every HTTP website users visited, to mine the Monero cryptocurrency,
  • redirecting Egyptian users to websites with affiliate ads.
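A defender-side check covering both weaknesses the report describes, the official download pages that hand users to plain-HTTP downloads and the scripts injected into HTTP pages in transit. This is added example code, not from Citizen Lab or the article; the page URL, hostnames and HTML are constructed placeholders. It compares a copy of a page fetched over a path you trust with the copy observed through the ISP, lists scripts that exist only in the observed copy, and lists download links that leave HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PageCollector(HTMLParser):
    """Collect external script URLs, inline script bodies and <a> targets."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.scripts, self.inline, self.links = set(), [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.add(urljoin(self.base_url, a["src"]))
        elif tag == "script":
            self._in_script = True          # body arrives via handle_data
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def injected_scripts(reference_html, observed_html, url):
    """Scripts present only in the copy seen through the intercepting network."""
    ref, obs = PageCollector(url), PageCollector(url)
    ref.feed(reference_html)
    obs.feed(observed_html)
    return sorted((obs.scripts - ref.scripts) | (set(obs.inline) - set(ref.inline)))


def insecure_downloads(html, url, exts=(".exe", ".msi", ".zip", ".dmg")):
    """Download links that drop to plain HTTP, where a DPI box can swap the file."""
    c = PageCollector(url)
    c.feed(html)
    return [u for u in c.links
            if urlparse(u).scheme == "http" and urlparse(u).path.lower().endswith(exts)]


# Constructed sample input; every hostname is a hypothetical placeholder.
PAGE_URL = "https://vendor.example/download"
REFERENCE_HTML = ('<html><head><script src="/static/app.js"></script></head><body>'
                  '<a href="http://dl.vendor.example/app-setup.exe">Download</a>'
                  '<a href="/docs/">Docs</a></body></html>')
# The same page as observed through the ISP, with two scripts appended in transit.
OBSERVED_HTML = REFERENCE_HTML.replace("</body>", (
    '<script src="http://cdn.example/inject.js"></script><script>start();</script></body>'))
```

Run against real pages, the reference copy would come from a connection you control (for example, the same URL over HTTPS from outside the suspect network) and the observed copy from a client inside it.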


In Egypt, these devices were also being used to block access to human rights, political, and news outlets such as Al Jazeera, HuffPost Arabic, Reporters Without Borders, and Mada Masr, as well as NGOs such as Human Rights Watch.


Citizen Lab researchers reported their findings to Sandvine. However, the company called their report “false, misleading, and wrong,” and also demanded that they return the second-hand PacketLogic device they had used to confirm the attribution of their fingerprint.


Citizen Lab started this investigation in September last year, when ESET researchers published a report revealing that the downloads of several popular apps had been compromised at the ISP level in two (unnamed) countries to distribute the FinFisher spyware.
