Surveillance malware and crypto-miners are being injected by ISPs in several countries

by Jake Doevan - -

Government institutions in Turkey and Syria have been found hijacking users’ connections in order to secretly inject spyware and cryptocurrency miners. Meanwhile, in Egypt, the massive interception technology has been detected injecting crypto-miners into users’ web traffic. 

Cryptocurrency miners and spyware injecting into victims' devicesGovernment institutions or agencies are linked to this spyware and cryptocurrency miners distribution. In addition, ISPs in Turkey, Syria, and Egypt use Deep Packet Inspection method provided by Sandvine to take over and modify users’ web traffic.[1]

Deep Packet Inspection technology enables ISPs to analyze every single packet to see users’ online activities. 

Citizen Lab has recently announced the report which states that Turkey’s Telecom network was applying Sandvine PacketLogic machines in order to redirect journalist, lawyers, and human rights defenders to download malicious application infected with FinFisher and StrongPity spyware. The spyware was injected in malicious versions of legitimate applications and compromised targeted users when they attempt to download them from official stores.[2] 

This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default.

Meanwhile, in Syria also has been spotted malicious activities, and consumers were redirected to malicious editions of popular programs, such as Avast Antivirus,  CCleaner, Opera and 7-Zip apps, infected with spyware. 

In Turkey, websites like Wikipedia and sites of the Butch Broadcast Foundation (NOS), and Kurdistan Workers’ Party (PKK) were blocked using Sandvine PacketLogic devices. 

However, in Egypt, Sandvine PacketLogic devices were also being used by a Telecom operator in order to make money. The Telecom operator applied couple techniques that include injecting a cryptocurrency mining malware into HTTP web site that consumers accessed to mine Monero cryptocurrency, and secretly redirecting consumers to websites that include affiliate ads. 

In addition, these devices also being used in order to stop and block access to political, human rights and news outlets such as Al Jezeera, HuffPost Arabic, Reporters Without Borders and NGOs like Human Rights Watch. 

The findings were reported to Sandvine by Citizen Lab. However, Sandvine did not accept the accuracy of the report. The report was called “false, misleading, and wrong”, as well as Citizen Lab was demanded to return the second-hand PacketLogic device. 

The investigation was started in September 2017 by Citizen Lab, after security researchers at ESET published a report which disclosed that the downloads of some popular software compromised ISP level in two countries in order to spread the FinSisher spyware. 

About the author

Jake Doevan
Jake Doevan - Computer security guru

Jake Doe is a security expert and news editor of His major is Communication and Journalism, which he obtained from the Washington and Jefferson College.

Contact Jake Doevan
About the company Esolutions


now online
Like us on Facebook