Bad Traffic / AdHose network injection on Egypt's telecom backbone
Citizen Lab found Sandvine PacketLogic deep-packet-inspection devices on Telecom Egypt's network covertly redirecting users en masse to affiliate ads and cryptocurrency-mining scripts, while also blocking dozens of news and human-rights sites.
Victim
- Telecom Egypt internet subscribers (millions of Egyptian users)
On 9 March 2018, the University of Toronto's Citizen Lab published Bad Traffic, revealing that Sandvine PacketLogic deep-packet-inspection (DPI) middleboxes deployed on the network of Telecom Egypt (the country's dominant, state-linked ISP) were being used to covertly hijack ordinary users' web traffic. The same devices redirected Egyptians to affiliate advertising and in-browser cryptocurrency miners, and censored dozens of news and human-rights websites.
What happened
Citizen Lab developed a technical fingerprint for network injection (including an unusual IP-ID value of 13330 and distinctive packet behavior) and matched it to a second-hand Sandvine PacketLogic device purchased and tested in their lab. They then located devices producing that signature on Telecom Egypt's network, at a demarcation point near Marseille, France.
The Egyptian scheme, which researchers named AdHose, ran in two modes. In "spray" mode, the middleboxes redirected large numbers of users to advertisements for short bursts; one January 2018 scan caught it active for 32 minutes, affecting roughly 38% of scanned IPs across 27 Egyptian ASNs. In "trickle" mode, it continuously injected ads into specific URLs and defunct websites, behavior traceable back to at least October 2016. The injected content pushed users toward affiliate ad networks and Coinhive scripts that forced victims' browsers to mine Monero cryptocurrency. The same PacketLogic device also performed censorship by injecting TCP reset (RST) packets, blocking around two dozen sites including Human Rights Watch, Al Jazeera, Reporters Without Borders, and Mada Masr.
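As an added illustration (not Citizen Lab's tooling and not code from the report), the script below applies the kind of injection fingerprinting described above to a constructed packet capture. It parses raw IPv4/TCP frames, flags the IP-ID value 13330 reported on the page, and adds two general on-path-injection heuristics that are not from the page: a server-side TTL that disagrees with the TTL of the flow's own SYN-ACK (a middlebox sits fewer hops away than the origin), and two responses carrying the same TCP sequence number with different payloads (the injected packet wins the race; the genuine one arrives later). The addresses, ports, TTL threshold, redirect status code and hostname in the sample are assumptions made for the example.

```python
import struct
from collections import Counter, defaultdict

INJECTOR_IP_ID = 13330   # IP ID Citizen Lab matched to the PacketLogic injector (from the page)
TTL_DELTA = 4            # assumed threshold: injected packets arrive with a TTL unlike the origin's
SYNACK, PSHACK, RST = 0x12, 0x18, 0x04


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_packet(src, dst, sport, dport, seq, ack, flags, ttl, ip_id, payload=b""):
    """Constructed IPv4/TCP frame for testing; checksums are zeroed and never checked."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return ip + tcp


def parse_packet(raw):
    """Return the IPv4/TCP header fields an injection detector cares about, or None for non-TCP."""
    ver_ihl, _, total, ip_id, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    doff = (off >> 4) * 4
    return {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "sport": sport, "dport": dport,
            "seq": seq, "flags": flags, "ttl": ttl, "ip_id": ip_id,
            "payload": raw[ihl + doff:total]}


def analyze(raw_packets):
    """Map packet index -> list of reasons it looks injected. Flows are keyed by the sender side."""
    flows = defaultdict(list)
    for i, raw in enumerate(raw_packets):
        p = parse_packet(raw)
        if p:
            flows[(p["src"], p["sport"], p["dst"], p["dport"])].append((i, p))

    findings = {}
    for pkts in flows.values():
        # Baseline TTL: the SYN-ACK of the handshake when present, else the flow's most common TTL.
        synack_ttls = [p["ttl"] for _, p in pkts if p["flags"] & SYNACK == SYNACK]
        baseline = synack_ttls[0] if synack_ttls else Counter(p["ttl"] for _, p in pkts).most_common(1)[0][0]
        by_seq = defaultdict(list)
        for i, p in pkts:
            reasons = []
            if p["ip_id"] == INJECTOR_IP_ID:
                reasons.append("ip_id_13330")
            if abs(p["ttl"] - baseline) >= TTL_DELTA:
                reasons.append("rst_ttl_mismatch" if p["flags"] & RST else "ttl_mismatch")
            if p["payload"]:
                by_seq[p["seq"]].append((i, p["payload"]))
            if reasons:
                findings[i] = reasons
        # Same sequence number, different bytes: two parties answered the same request.
        for entries in by_seq.values():
            if len({payload for _, payload in entries}) > 1:
                for i, _ in entries:
                    findings.setdefault(i, []).append("conflicting_payload_same_seq")
    return findings


CLIENT, SERVER, CENSORED = "10.0.0.5", "203.0.113.10", "203.0.113.20"   # assumed addresses


def sample_capture():
    """Constructed capture: an injected redirect racing the real response, then a forged RST."""
    get = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    return [
        build_packet(SERVER, CLIENT, 80, 40000, 1000, 1, SYNACK, 52, 4242),
        build_packet(CLIENT, SERVER, 40000, 80, 1, 1001, PSHACK, 64, 7, get),
        # injected: fewer hops away (TTL 61 vs 52), carries the injector's IP ID, arrives first
        build_packet(SERVER, CLIENT, 80, 40000, 1001, 1 + len(get), PSHACK, 61, INJECTOR_IP_ID,
                     b"HTTP/1.1 307 Temporary Redirect\r\nLocation: http://ads.invalid/\r\n\r\n"),
        # genuine origin response for the same sequence number
        build_packet(SERVER, CLIENT, 80, 40000, 1001, 1 + len(get), PSHACK, 52, 4243,
                     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        # censorship: real SYN-ACK from the blocked host, then a forged RST from the middlebox
        build_packet(CENSORED, CLIENT, 80, 40001, 5000, 1, SYNACK, 50, 9001),
        build_packet(CENSORED, CLIENT, 80, 40001, 5001, 1, RST, 61, INJECTOR_IP_ID),
    ]


if __name__ == "__main__":
    for index, reasons in sorted(analyze(sample_capture()).items()):
        print(index, reasons)
```

The conflicting-payload reason is a flow-level signal and is attached to both racing responses; the packet that additionally carries the IP-ID fingerprint or the TTL anomaly is the injected one. On a real capture the same logic runs over frames read from a pcap once the link-layer header is stripped.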
Impact
- DPI injection reached subscribers across many Egyptian autonomous systems behind Telecom Egypt (the January 2018 spray-mode scan alone touched 27 ASNs), plausibly affecting millions of users.
- Affected users were silently turned into revenue generators (ad fraud) and unwitting cryptocurrency miners, with their browsers' compute resources hijacked.
- Independent censorship of major international news and rights organizations restricted Egyptians' access to information.
Attribution
Citizen Lab attributed the technical means to Sandvine PacketLogic devices on Telecom Egypt's infrastructure but did not name the specific operating party. Given that Telecom Egypt is a majority state-owned carrier and that the parallel PacketLogic deployment in Turkey was used to deliver government spyware, the report framed the Egyptian activity within a pattern of state-adjacent abuse of commercial DPI hardware. Sandvine publicly disputed the findings and demanded the return of the second-hand PacketLogic unit Citizen Lab had bought for testing, which the company described as a demonstration unit.
Why it matters
Bad Traffic exposed how commercial network-management hardware, sold for legitimate traffic shaping, can be repurposed at the ISP backbone to inject malware, run cryptojacking, and censor, all invisibly to end users. The Egyptian AdHose case showed a government-linked carrier monetizing its own subscribers while suppressing critical media, and it intensified scrutiny of the dual-use DPI industry, contributing to the reputational and policy consequences Sandvine later faced for sales to authoritarian governments, including its addition to the U.S. Commerce Department's Entity List in February 2024 over DPI equipment supplied to the Egyptian government.
Timeline
October 2016 (at the latest): evidence suggests the AdHose injection scheme on Telecom Egypt is operating in 'trickle' mode.
Citizen Lab's network-measurement scanning begins detecting PacketLogic injection fingerprints on Telecom Egypt's network.
January 2018: a scan captures 'spray' mode active for 32 minutes, redirecting roughly 38% of scanned Egyptian IPs to ads and Coinhive mining.
9 March 2018: Citizen Lab publishes 'Bad Traffic,' attributing the injection and censorship to Sandvine PacketLogic devices on Telecom Egypt and Türk Telekom.
Sandvine disputes the findings; press coverage amplifies the report and the company threatens legal action over the returned second-hand PacketLogic unit.
Sources
- citizenlab.ca: https://citizenlab.ca/research/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/
- utoronto.ca: https://www.utoronto.ca/news/bad-traffic-new-citizen-lab-report-finds-sandvine-s-packetlogic-devices-used-deploy-government
- theregister.com: https://www.theregister.com/2018/03/09/citizen_lab_claims_sandvine_hardware_used_to_enable_government_spyware/
- securityweek.com: https://www.securityweek.com/internet-provider-redirects-users-turkey-spyware-report/
- securityaffairs.com: https://securityaffairs.com/70083/malware/sandvine-government-spyware.html