CIA 2010 covert communication websites Adobe Dreamweaver JS functions Updated 2025-06-12 +Created 2025-06-02
Many of the files appear to contain JavaScript functions in a format generated by Adobe Dreamweaver, making it almost certain that at least some of the websites were developed in that editor. This was first pointed out by Reddit user sq00q. Also note that the username spells "boobs" upside down in leet.
For example, starwarsweb.net contains the four following functions, first commented out, which is funny, and with some version comments:
function MM_swapImgRestore() { //v3.0
function MM_preloadImages() { //v3.0
function MM_findObj(n, d) { //v4.01
function MM_swapImage() { //v3.0
and then repeated on a body onload.
Here MM_ stands for MacroMedia, and is mentioned e.g. at:
Doing:
git grep MM_swapImage | sed -r 's/\/.*//' | sort -u | wc
on github.com/cirosantilli/cia-2010-websites-dump currently gives 64 hits out of 421 websites.
The approximate version history is:
Sample implementations:
By Ciro Santilli:By others:
- stackoverflow.com/questions/1430757/convert-a-vectorint-to-a-string/79637760#79637760
- stackoverflow.com/questions/14070940/how-can-i-print-out-c-map-values/79637777#79637777
- stackoverflow.com/questions/2793232/c-print-out-objects-from-set/79637784#79637784
- stackoverflow.com/questions/61338240/how-to-print-the-content-of-a-nested-stdunordered-map/79637792#79637792
- 1.2 Check permutation: cpp/string_is_permutation.cpp
- 1.5 One away: cpp/one_away.cpp
- 4.1 Route Between Nodes: cpp/directed_graph_size.cpp
- 4.7 Build Order: cpp/topological_sort.cpp
- 16.10 Living People: cpp/max_interval_overlaps.cpp
- 16.25 LRU Cache: cpp/lru_cache.cpp
The issue appears to be that the file watcher goes out of control.
The reproduction is very simple:
mkdir mytest
cd mytest
seq 1000000 | xargs touch
code --disable-extensions .
and now the editor GUI hangs and Ubuntu shows a popup:
The window is not responding
Infinite duplicate pool:
CIA 2010 covert communication websites Split header images Updated 2025-06-12 +Created 2025-05-23
Maybe it is some kind of outdated web design thing, which they took much further in time than the average website, like the JAR.
Their websites do appear to follow common style guidelines from earlier eras, notably around the early 2000s. Some legit sites that look a lot like hits:
An example:
Looking at the source code of: web.archive.org/web/20130828122833/http://euronewsonline.net/euro_bus.php we noticed an interesting comment:
<!-- ImageReady Slices (enewsweather.psd) -->
which presumably refers to Adobe ImageReady:
Adobe ImageReady was a bitmap graphics editor that was shipped with Adobe Photoshop for six years. It was available for Windows, Classic Mac OS and Mac OS X from 1998 to 2007. ImageReady was designed for web development and closely interacted with Photoshop
A sample tutorial: people.goshen.edu/~paulmr/physix/326/imageready/slicendice.php
Some of the websites use CSS background images to populate the images, e.g. ingenuitytrendz.com has HTML:
ingenuitytrendz.com/20110201170354/index.html: <li><a id="banner1"> </a></li>
ingenuitytrendz.com/20110201170354/index.html: <li><a id="banner2"> </a></li>
ingenuitytrendz.com/20110201170354/index.html: <li><a id="banner3"> </a></li>
and then the CSS engineering.css does:
#banner1 { background: url(/web/20110201170405im_/http://ingenuitytrendz.com/images/banner_01.jpg) no-repeat center; }
#banner2 { background: url(/web/20110201170405im_/http://ingenuitytrendz.com/images/banner_02.jpg) no-repeat center; }
#banner3 { background: url(/web/20110201170405im_/http://ingenuitytrendz.com/images/banner_03.jpg) no-repeat center; }
Updates Backing up CIA website archives for research and posterity Updated 2025-06-12 +Created 2025-05-23
I've downloaded and uploaded copies of the archives of the CIA websites as follows:
- all cqcounter screenshots where cqcounter was the best source to: github.com/cirosantilli/media/tree/master/cia-2010-covert-communication-websites/screenshots/cqcounter. That commercial website does not inspire much trust, e.g. now the main pages like cqcounter.com/site/internationalwhiskylounge.com.html were giving an error:
  [1114: The table 'access' is full] ( 1114 : The table 'access' is full )
  so I'm glad to have saved their precious screenshots at a safer place.
- all Wayback Machine archives to: github.com/cirosantilli/cia-2010-websites-dump. The exports were done with github.com/StrawberryMaster/wayback-machine-downloader by Felipe x.com/opapeldetrouxa which is an up-to-date fork of github.com/hartator/wayback-machine-downloader and the tool seemed to work very well. I've also edited that better working fork at the top answer of: superuser.com/questions/828907/how-to-download-a-website-from-the-archive-org-wayback-machine/957298#957298
The cqcounter screenshots don't offer too much information, but having the wayback machine ones could actually reveal new fingerprints and other website information leaks.
Starting December 2004, the "Submit your favored carlson quote" of alljohnny.com was mind blowingly switched to point to https://washington.serversecured.net/~alljohnn/cgi-bin/memlog.cgi thus likely leaking the control site URL. Beauty. It previously pointed to web.archive.org/web/20040901162621/https://secure.alljohnny.com/cgi-bin/memlog.cgi
mynepalnews.com actually has several archives for a /stats path which contains HTML reports generated by Webalizer, an analytic tracker that tracks the source of incoming traffic!!! It is hard to believe that the CIA would have left that there. Particularly ridiculous is the presence of
inurl:cgi server_software
at web.archive.org/web/20110204095809/http://mynepalnews.com:80/stats/usage_200805.html which is almost certainly a Google dork search, which we know is something that the Iranians used to find the websites. That search hits under /cgi-bin/check.cgi. That page is itself of some interest, containing SERVER_ADMIN = mmadev@mmadev.com. web.archive.org/web/20110204095815/http://mynepalnews.com:80/stats/usage_200806.html also reveals several request IPs. Even if this is not a CIA website, there's a chance we could find the IP of the Iranian counter-intelligence in these IP lists, it's mind blowing. There's lots of referrer spam as well. Further HTML inspection however seems to show close relationship to that HTML and other confirmed hits.
globaltourist.net, if it is actually a hit, likely has a 2003 archive, which would be our earliest hit archive so far.
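How a site operator could spot the kind of search-driven discovery that the Webalizer report above recorded, as an added example that is not part of the original article. It assumes Combined Log Format and a search engine that passes the query in the Referer's q parameter; the log lines, IPs and operator list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Search operators typical of "dork" queries (assumed list, extend as needed).
DORK_OPERATORS = re.compile(r"\b(inurl|intitle|intext|filetype|ext|site):", re.I)
# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$'
)


def dork_hits(lines):
    """Return (client_ip, requested_path, search_query) for every request
    whose Referer carries a search query containing a dork operator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        ip, _method, path, referer = m.groups()
        # parse_qs decodes '+' and %XX, so the query reads as it was typed
        for term in parse_qs(urlsplit(referer).query).get("q", []):
            if DORK_OPERATORS.search(term):
                hits.append((ip, path, term))
    return hits


# Constructed sample log: documentation-range IPs, query string as quoted on the page.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2008:10:01:22 +0000] "GET /cgi-bin/check.cgi HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=inurl:cgi+server_software" "Mozilla/4.0"',
    '198.51.100.7 - - [12/May/2008:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"http://www.google.com/search?q=nepal+news" "Mozilla/4.0"',
    '203.0.113.5 - - [12/May/2008:10:09:03 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, path, query in dork_hits(SAMPLE_LOG):
        print(f"{ip} reached {path} via search: {query}")
```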
A fun fact is that looking at the source code of: web.archive.org/web/20130828122833/http://euronewsonline.net/euro_bus.php we noticed an interesting comment:
<!-- ImageReady Slices (enewsweather.psd) -->
which clarifies that the CIA likely used Adobe ImageReady to cut up the images for Split header images:
Adobe ImageReady was a bitmap graphics editor that was shipped with Adobe Photoshop for six years. It was available for Windows, Classic Mac OS and Mac OS X from 1998 to 2007. ImageReady was designed for web development and closely interacted with Photoshop
We also understand that the tool likely outputs the layout to HTML directly, and leaks the Adobe project filenames (.psd files) in the process.
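A pre-publication audit for the two authoring-tool artifacts discussed on this page, the Dreamweaver MM_ functions with their version comments and the ImageReady Slices comment that names the project file. This is an added example, not code from the original article; the site names and page contents are constructed, and only the artifact strings are the ones quoted above.

```python
import re

# Dreamweaver-generated helpers: MM_ prefix plus a "//vX.Y" version comment.
MM_FUNC = re.compile(r"function\s+(MM_\w+)\s*\([^)]*\)\s*\{\s*//\s*v([\d.]+)")
# ImageReady's HTML export names its source project file in a comment.
IR_SLICES = re.compile(r"<!--\s*ImageReady Slices \(([^)]+)\)\s*-->")


def audit_html(html):
    """Return (MM_ function -> version, set of leaked project filenames)."""
    return dict(MM_FUNC.findall(html)), set(IR_SLICES.findall(html))


def audit_sites(pages):
    """pages maps 'site/path' to HTML text. Findings are grouped by the first
    path component, like the sed / sort -u step of the git grep pipeline."""
    report = {}
    for path, html in pages.items():
        funcs, projects = audit_html(html)
        if not funcs and not projects:
            continue  # nothing tool-generated found in this file
        site = path.split("/", 1)[0]
        entry = report.setdefault(site, {"functions": {}, "projects": set()})
        entry["functions"].update(funcs)
        entry["projects"] |= projects
    return report


# Constructed sample input: hypothetical sites, function bodies elided.
SAMPLE_PAGES = {
    "site-a.example/index.html": """<script>
<!--
function MM_swapImgRestore() { //v3.0
function MM_preloadImages() { //v3.0
function MM_findObj(n, d) { //v4.01
function MM_swapImage() { //v3.0
//-->
</script><body onload="MM_preloadImages('a.gif')"></body>""",
    "site-b.example/news.html":
        "<body>\n<!-- ImageReady Slices (enewsweather.psd) -->\n<table></table></body>",
    "site-c.example/index.html": "<body><p>hand-written page</p></body>",
}

if __name__ == "__main__":
    for site, found in sorted(audit_sites(SAMPLE_PAGES).items()):
        print(site, sorted(found["functions"].items()), sorted(found["projects"]))
```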