A detailed investigative report published today by Citizen Lab at the University of Toronto's Munk School of Global Affairs describes what might be the new standard in a long line of malicious cryptocurrency mining schemes.
The report summarizes how "middlebox" technology – created by the Canada-based Sandvine Corporation – was used to "deliver nation-state malware in Turkey and indirectly into Syria, and to covertly raise money through affiliate ads and cryptocurrency mining in Egypt."
Middleboxes are a type of software tool used to conduct what is known as deep packet inspection (DPI), which is a way to thoroughly scrutinize internet data. Sandvine calls its DPI product PacketLogic.
Citizen Lab used a technique known as internet scanning to track middlebox activity on Türk Telekom, Turkey's formerly state-run telecommunications company (which has since been privatized), and create a digital profile of that activity. That profile, essentially a digital fingerprint, was compared against that of Egypt's primary telecom company, Telecom Egypt.
When Telecom Egypt's profile was found to be similar to Turkey's, Citizen Lab created a control group to verify its suspicions. The report states, "We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting."
"On a number of occasions, the middleboxes were apparently being used to hijack Egyptian Internet users' unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts."
Citizen Lab concluded, "DPI equipment that matches our Sandvine PacketLogic fingerprint is installed on Telecom Egypt's network at Egypt's borders, and is used to deliver affiliate ads, cryptocurrency mining scripts, and perhaps nation-state spyware, to Egyptian Internet users."