Source: /cirosantilli/cia-2010-covert-communication-websites

= CIA 2010 covert communication websites
{c}
{scope}
{tag=Ciro Santilli's naughty projects}
{tag=Ciro Santilli's data projects}
{tag=Open-source intelligence}
{tag=Digital preservation}
{title2=Iran, China}

This article is about <cutout (espionage)>[covert agent communication channel] websites used by the <CIA> in the late 2000s to early 2010s until they were uncovered by target countries. This discovery led to the imprisonment and execution of several assets in <Iran> and <China>.

The existence of such websites was first reported in November 2018 by Yahoo News: https://www.yahoo.com/video/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html[].

Previous whispers had been heard in 2017 but without clear mention of websites: https://www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html
\Q[Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.]

Then in September 2022 a few specific websites were finally reported by Reuters: https://www.reuters.com/investigates/special-report/usa-spies-iran/[], henceforth known only as "the <Reuters article>" in this article.

<Ciro Santilli> heard about the 2018 article at around 2020 while <Ciro Santilli's campaign for freedom of speech in China>[studying for his China campaign] because the websites had been used to take down the Chinese CIA network in China. He even asked on <Quora>: https://www.quora.com/What-were-some-examples-of-the-websites-that-the-CIA-used-around-2010-as-a-communication-mechanism-for-its-spies-in-China-and-Iran-but-were-later-found-and-used-to-take-down-their-spy-networks[] but there were no publicly known domains at the time to serve as a starting point.

So when <Ciro Santilli> heard about the 2022 article almost a year after publication, and being a <OurBigBook.com>[half-arsed web developer himself], he <Ciro Santilli's naughty projects>[knew he had to try] and find some of the domains himself using the newly available information! It was an irresistible real-life <capture the flag (Cybersecurity)>. The thing is, everyone who has ever developed a website knows that its <attack surface> is about the size of Oregon, and the potential for <fingerprinting (cybersecurity)> is off the charts with so many bits and pieces sticking out.

In particular, it is fun to have such clear examples, visible to anyone, of the <USA spying on its own allies> in the form of <Wayback Machine> archives.

Given that it was reported that there were "more than 350" such websites, it would be really cool if we could uncover more of those websites ourselves beyond the 9 domains reported by Reuters!

This article documents the list of extremely likely candidates Ciro has found so far, mostly using:
* rudimentary IP range search on https://viewdns.info[] starting from the websites reported by Reuters
* heuristic search for keywords in domains of the <2013 DNS Census> plus <Wayback Machine CDX scanning>
More details on methods also follow. It is still far from the https://citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/[885 websites reported by Citizen Lab], so there must be key techniques missing. But the fact that there are no <Google Search> hits for the domains or IPs (except in bulk e.g. in <expired domain trackers>) indicates that these might not have been previously clearly publicly disclosed.
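As an added illustration of the Wayback Machine CDX scanning step (this is example code written for this article, not Ciro's actual tooling), the snippet below parses CDX API output in its default seven-field text layout and keeps the domains whose successful captures fall entirely inside the 2009-2013 window in which the network was active. The CDX lines are constructed sample data with `.example` placeholder domains; only the endpoint URL is real, and nothing here touches the network.

```python
from collections import defaultdict
from datetime import datetime

# Real CDX API endpoint. cdx_query_url only builds the query string; it never fetches.
CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

def cdx_query_url(domain):
    """Build the CDX query for every capture under a domain (no network access)."""
    return f"{CDX_ENDPOINT}?url={domain}&matchType=domain&output=txt"

def parse_cdx_lines(text):
    """Parse default CDX text output: urlkey timestamp original mimetype statuscode digest length."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip malformed lines instead of guessing field positions
        urlkey, ts, original, mime, status, digest, length = parts
        rows.append({"urlkey": urlkey, "original": original, "mimetype": mime,
                     "status": status, "timestamp": datetime.strptime(ts, "%Y%m%d%H%M%S")})
    return rows

def candidate_domains(rows, start=2009, end=2013):
    """Return {host: (first_year, last_year, n_ok)} for hosts whose HTTP 200 captures
    all lie inside [start, end]. Captures after the window usually mean the domain
    expired and was re-registered (parking pages), so such hosts are dropped."""
    by_host = defaultdict(list)
    for r in rows:
        host = r["original"].split("//", 1)[-1].split("/", 1)[0].lower()
        by_host[host].append(r)
    result = {}
    for host, caps in by_host.items():
        ok = [c for c in caps if c["status"] == "200"]
        if not ok:
            continue
        years = sorted({c["timestamp"].year for c in ok})
        if years[0] >= start and years[-1] <= end:
            result[host] = (years[0], years[-1], len(ok))
    return result

# Constructed sample CDX output (placeholder domains, fake digests), not real captures.
SAMPLE_CDX = """\
example,candidate1)/ 20100312051544 http://candidate1.example/ text/html 200 DIGESTAAAA 5123
example,candidate1)/ 20120901120000 http://candidate1.example/ text/html 200 DIGESTBBBB 5200
example,candidate1)/ 20120902120000 http://candidate1.example/ text/html 404 DIGESTCCCC 300
example,stillactive)/ 20110101000000 http://stillactive.example/ text/html 200 DIGESTDDDD 4000
example,stillactive)/ 20190101000000 http://stillactive.example/ text/html 200 DIGESTEEEE 4100
example,parked)/ 20150101000000 http://parked.example/ text/html 200 DIGESTFFFF 900
this line is malformed
"""

if __name__ == "__main__":
    print(candidate_domains(parse_cdx_lines(SAMPLE_CDX)))  # {'candidate1.example': (2010, 2012, 2)}
```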

If anyone can find others, or has better techniques: <contact>{full}. The techniques used so far have been very heuristic, and combined with the limited amount of data this makes it almost certain that several <IP range search>[IP ranges] have been missed. There are two types of contributions that would be possible:
* finding new IP ranges: harder and more exciting, and potentially requires more intelligence
* better IP to domain name databases to <Find missing hits in IP ranges>[fill in known gaps in existing IP ranges]
Perhaps the current heuristically obtained data can serve as a good starting point for a more data-oriented search that will eventually find a valuable fingerprint which brings the entire network out.

Disclaimer: the network fell in 2013, followed by fully public disclosures in 2018 and 2022, so we believe it is now more than safe for the public to know what can still be uncovered about the events that took place. The main author's political bias is <Ciro Santilli's campaign for freedom of speech in China>[strongly pro-democracy and anti-dictatorship].

May this list serve as a tribute to those who spent their days making, using, and uncovering these websites under the shadows.

If you want to go into one of the best <OSINT> <capture the flag (Cybersecurity)>[CTFs] of your life, stop reading now and see how many Web Archives you can find starting only from the <Reuters article> as Ciro did. Some guidelines:
* no ultra-clean fingerprint has been found yet. Some intuitive and somewhat guessy data analysis was needed. But when you clean the data correctly and make good guesses, many hits follow, and it feels so good
* nothing was paid for data. But using cybercafe <Wifi> networks for a few extra IPs may help.

\Video[https://www.youtube.com/watch?v=uh_q02eefFM]
{title=Compromised Comms by Darknet Diaries (2023)}
{description=
It was the <YouTube> suggestion for this video that made <Ciro Santilli> aware of the <Reuters article> almost one year after its publication, which kickstarted his research on the topic.

Full podcast transcript: https://darknetdiaries.com/transcript/75/
}