Study: Blocked access to websites, ad redirects and cryptocurrency mining in Egypt traced to Sandvine’s PacketLogic devices

The technology used to block access to Mada Masr and hundreds of websites, blogs, proxy and virtual private networks (VPNs) on Egypt’s service providers is also being used to redirect traffic to revenue-generating content, such as advertising pages and cryptocurrency mining scripts, according to a report published by the University of Toronto’s Citizen Lab.

The Egyptian advertisement and cryptocurrency redirect scheme, which Citizen Lab researchers have dubbed “AdHose,”  is an attempt to “covertly raise money,” the Friday report, titled Bad Traffic, asserts.

Beyond identifying the specifics of the revenue-generation scheme, the researchers also developed a digital fingerprint for the deep packet inspection (DPI) observed in Egypt and Turkey and matched it to a second-hand PacketLogic device produced by Sandvine/Procera Networks, one of several facts that they argue points to the US company’s implication in malicious activity.

Unpacking AdHose

Data is transmitted over the internet in formated network packets that are “repackaged” and made legible on the recipient’s side. DPI-enabled devices have the ability to look several layers into this formatted packet — including the data headers, data protocol structures, and the actual data, or payload, of the message — at a point between the sender and recipient, redirecting the traffic in accordance with the parameters of the operator.

DPI-enabled devices, however, fall under the broader rubric of dual-use technologies. While there are a range of ostensibly legitimate uses for DPI, such as alerting users to billing issues and bandwidth cap limits, they may also be used for malicious purposes, including surveillance, censorship and infecting users with malware.

In the course of the study, Citizen Lab researchers observed DPI middleboxes positioned at a Telecom Egypt demarcation point that “were apparently being used to hijack Egyptian internet users’ unencrypted web connections en masse, and to redirect the users to revenue-generating content, such as affiliate ads and browser cryptocurrency mining scripts.”

The researchers dubbed this process AdHose, identifying two operational modes: spray and trickle.

“In spray mode, a middlebox redirects Egyptian internet users en masse to ads or cryptocurrency mining scripts whenever they make a request to any website. In trickle mode, only requests to certain URLs are redirected. It appears that spray mode is enabled sparingly, whereas trickle mode appears to be in operation mostly continuously,” the report explains.

In a scan performed on January 3, between 3 pm and 4:32 pm, the researchers observed AdHose in spray mode. They scanned and received a response from 5,702 IP addresses, 5,443 of which returned the advertising redirect, an injection rate of approximately 95 percent.

The documented attacks targeted data being sent over HTTP, which is particularly susceptible, as it is not encrypted like other protocols, such as HTTPS. According to Google, approximately 20-30 percent of web traffic in the United States does not use HTTPS.

The researchers were able to trace the middlebox back to the US-company Sandvine after they developed a “fingerprint for the injection […] found in Turkey, Syria, and Egypt,” with four distinct characteristics, and then “matched [the] fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting.”

The information gathered from a scan conducted on January 8 matched all of the features of the digital fingerprint. One of the features of the fingerprint is that the static IP identification (IPID) is always “13330 (0x3412, which is 0x1234 endian-swapped) for all injected packets. This value is unusual, as the IPID is typically incremented or pseudorandomly generated, and is not a fixed value.”

The feature also matches what the Open Observatory of Network Interference (OONI) — an international network operating under the Tor Project that monitors internet censorship, traffic manipulation and signs of surveillance — found in an October 2016 report. In addition to revealing ad injection when users attempted to access certain pornography websites in Egypt, the report documented that the injected packet observed to obstruct user-server communication with The New Arab website shared the “static IP identification (IP ID) value of 0x3412 as the injected RST packets” used in an attempt to block Tor. This similarity is significant, as The New Arab, which is Qatari-funded and sympathetic to the Muslim Brotherhood, is known to be blocked by the Egyptian government, suggesting that a state agency using the same server location conducted the RST injection attacks on Tor.

Amr Gharbeya, a technology and liberty researcher at the Egyptian Institute for Personal Rights, suggests there are several possible parties behind AdHose: an engineer operating under the official direction of the state or company, or an engineer exploiting his work for material gain.


The company that makes the PacketLogic middleboxes identified in the study was formerly known as Procera Networks. Procera took on the name Sandvine after its owner, the US-based equity firm Francisco Partners, acquired the Ontario-based networking equipment company Sandvine and merged the two companies in 2017.

The report asserts that Francisco Partners has a number of investments in dual-use technology companies, including the Israeli spyware developer and merchant NSO Group software, which has been linked to mobile eavesdropping targeting journalists, lawyers and human rights workers in a number of countries, including Mexico and the United Arab Emirates.

Sandvine’s company website states that it provides “resident engineering services” to support government mandates on its customers that require the blocking of services like VPNs or VoIP. Through research on LinkedIn, Citizen Lab identified an individual whose self-stated title is “Resident Engineer – Senior Level at Procera Networks.” Mada Masr attempted to contact the engineer through a telephone contact listed on the page, but could not reach him for comment. However, Citizen Lab asserts that the existence of a resident engineer in Egypt is a potential red flag.

“The prospect of in-country work of this sort, especially at the large ISP level, raises questions regarding company awareness of, or participation in, activities with significant human rights impact,” asserts the report.

The researchers notified Francisco Partners and Sandvine of their findings in a letter sent in early February, to which both companies responded. Sandvine stated that the Citizen Lab’s findings were “false, misleading, and wrong,” demanded the return of the second-hand PacketLogic device, highlighted their “Comprehensive Business Ethics Program,” and noted that any public statements Citizen Lab might make “that are factually inaccurate or based on improper use of [the PacketLogic] product . . . will be met with vigorous fact-based rebuttal and a strong legal response.”

The research lab delayed publication of its findings to review the points raised by Sandvine and conduct due diligence. On March 1, Citizen Lab replied to Sandvine, saying that it is “confident in [its] research findings, which two independent peer reviews confirmed.”

Countering user rights violations

Although there are legitimate uses to DPI technology, the Citizen Lab report highlights potential uses that may cause “serious human rights risks, such as censoring access to content, or, worse, silently infecting users with malware,” or being “easily repurposed for mass-scale revenue scams.”  

Despite these risks, the market for such technologies is still largely unregulated, according to the report.

For Gharbiya, those that employ dual-use technology should submit to a degree of transparency to verify it is in fact being used for practical purposes.

He pointed to the general absence of a clear legislative framework in countries that export dual-use technologies. At best, Gharbiya says, there is piecemeal regulation through export licenses in order to ensure software is not exported to countries where it may be exploited in committing human rights violations.

In March 2016, for example, Italy suspended Hacking Team’s license to export spyware outside the European Union, after the company dealings with a number of countries that have violated human rights standards, including Egypt, were made public.

European Parliament member Marietje Schaake has exerted efforts to develop a legislative framework to regulate the European Union’s relationship with external countries in the export of dual-use technologies. She states that these technologies should be classified as “digital weapons” and regulated in a fashion similar to the sale of conventional weaponry.

Mohamed Hamama 

You have a right to access accurate information, be stimulated by innovative and nuanced reporting, and be moved by compelling storytelling.

Subscribe now to become part of the growing community of members who help us maintain our editorial independence.
Know more

Join us

Your support is the only way to ensure independent,
progressive journalism