CIA 2010 covert communication websites Updated 2025-02-22 +Created 1970-01-01
View more
This article is about covert agent communication channel websites used by the CIA in many countries from the late 2000s until the early 2010s, when they were uncovered by counter intelligence of the targeted countries circa 2011-2013. This discovery led to the imprisonment and execution of several assets in Iran and China, and subsequent shutdown of the channel.
https://raw.githubusercontent.com/cirosantilli/media/master/CIA_Star_Wars_website_promo.jpg
Video 1.
How I found a Star Wars website made by the CIA by Ciro Santilli
. Source. Slightly edited VOD of the talk Aratu Week 2024 Talk by Ciro Santilli: My Best Random Projects.
The existence of such websites was first reported in November 2018 by Yahoo News: www.yahoo.com/video/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html.
Previous whispers had been heard in 2017 but without clear mention of websites: www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html:
Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
[...]
From the final weeks of 2010 through the end of 2012, [...] the Chinese killed at least a dozen of the C.I.A.’s sources. [...] One was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
https://raw.githubusercontent.com/cirosantilli/media/master/Yahoo_CIA_website_article.png
Then in September 2022 a few specific websites were finally reported by Reuters: www.reuters.com/investigates/special-report/usa-spies-iran/, henceforth known only as "the Reuters article" in this article.
Figure 1.
Banner of the Reuters article
. Source.
Figure 2.
Reuters reconstruction of what the applet would have looked like
. Source.
Figure 3.
Inspecting the Reuters article HTML source code
. Source. The Reuters article only gave one URL explicitly: iraniangoals.com. But most others could be found by inspecting the HTML of the screenshots provided, except for the Carson website.
Ciro Santilli heard about the 2018 article at around 2020 while studying for his China campaign because the websites had been used to take down the Chinese CIA network in China. He even asked on Quora: www.quora.com/What-were-some-examples-of-the-websites-that-the-CIA-used-around-2010-as-a-communication-mechanism-for-its-spies-in-China-and-Iran-but-were-later-found-and-used-to-take-down-their-spy-networks but there were no publicly known domains at the time to serve as a starting point. Chris, Electrical Engineer and former Avionics Tech in the US Navy, even replied suggesting that obviously the CIA is so competent that it would never ever have its sites leaked like that:
Seriously a dumb question.
So when Ciro Santilli heard about the 2022 article almost a year after publication, and being a half-arsed web developer himself, he knew he had to try and find some of the domains himself using the newly available information! It was an irresistible real-life capture the flag. The thing is, everyone who has ever developed a website knows that its attack surface is about the size of Texas, and the potential for fingerprinting is off the charts with so many bits and pieces sticking out. Chris, get fucked.
Figure 4.
"Seriously a dumb question" Quora answer by Chris from the US Navy
. Source.
In particular, it is fun to have such a clear and visible to anyone examples of the USA spying on its own allies in the form of Wayback Machine archives.
Given that it was reported that there were "more than 350" such websites, it would be really cool if we could uncover more of those websites ourselves beyond the 9 domains reported by Reuters!
This article documents the list of extremely likely candidates Ciro has found so far, mostly using:
more details on methods also follow. It is still far from the 885 websites reported by citizenlabs, so there must be key techniques missing. But the fact that there are no Google Search hits for the domains or IPs (except in bulk e.g. in expired domain trackers) indicates that these might not have been previously clearly publicly disclosed.
If anyone can find others, or has better techniques: Section "How to contact Ciro Santilli". The techniques used so far have been very heuristic, and that added to the limited amount of data makes it almost certain that several IP ranges have been missed. There are two types of contributions that would be possible:
Perhaps the current heuristically obtained data can serve as a good starting for a more data-oriented search that will eventually find a valuable fingerprint which brings the entire network out.
Disclaimer: the network fell in 2013, followed by fully public disclosures in 2018 and 2022, so we believe it is now more than safe for the public to know what can still be uncovered about the events that took place. The main author's political bias is strongly pro-democracy and anti-dictatorship.
May this list serve as a tribute to those who spent their days making, using, and uncovering these websites under the shadows.
If you want to go into one of the best OSINT CTFs of your life, stop reading now and see how many Web Archives you can find starting only from the Reuters article as Ciro did. Some guidelines:
  • there was no ultra-clean fingerprint found yet. Some intuitive and somewhat guessy data analysis was needed. But when you clean the data correctly and make good guesses, many hits follow, it feels so good
  • nothing was paid for data. But using cybercafe Wifi's for a few extra IPs may help.
Figure 5.
viewdns.info activegameinfo.com domain to IP
. Source.
Figure 6.
viewdns.info aroundthemiddleeast.com IP to domain
. Source.
Figure 7.
DNS Census 2013 website
. Source. This source provided valuable historical domain to IP data. It was likely extracted with an illegal botnet. Data excerpt from the CSVs:
amazon.com,2012-02-01T21:33:36,72.21.194.1
amazon.com,2012-02-01T21:33:36,72.21.211.176
amazon.com,2013-10-02T19:03:39,72.21.194.212
amazon.com,2013-10-02T19:03:39,72.21.215.232
amazon.com.au,2012-02-10T08:03:38,207.171.166.22
amazon.com.au,2012-02-10T08:03:38,72.21.206.80
google.com,2012-01-28T05:33:40,74.125.159.103
google.com,2012-01-28T05:33:40,74.125.159.104
google.com,2013-10-02T19:02:35,74.125.239.41
google.com,2013-10-02T19:02:35,74.125.239.46
Figure 8.
The four communication mechanisms used by the CIA websites
. Java Applets, Adobe Flash, JavaScript and HTTPS
Figure 9.
Expired domain names by day 2011
. Source. The scraping of expired domain trackers to Github was one of the positive outcomes of this project.
Video 2.
Compromised Comms by Darknet Diaries (2023)
Source.
It was the YouTube suggestion for this video that made Ciro Santilli aware of the Reuters article almost one year after its publication, which kickstarted his research on the topic.
Full podcast transcript: darknetdiaries.com/transcript/75/
Read the full article
IP range search Updated 2025-02-22 +Created 1970-01-01
View more
One promising way to find more of those would be with IP searches, since it was stated in the Reuters article that the CIA made the terrible mistake of using several contiguous IP blocks for those website. What a phenomenal OPSEC failure!!!
The easiest way would be if Wayback Machine itself had an IP search function, but we couldn't find one: Search Wayback Machine by IP.
viewdns.info was the first easily accessible website that Ciro Santilli could find that contained such information.
Our current results indicate that the typical IP range is about 30 IPs wide.
E.g. searching: viewdns.info/iphistory and considering only hits from 2011 or earlier we obtain:
  • capture-nature.com
    • 65.61.127.163 - Greenacres - United States - TierPoint - 2013-10-19
  • activegaminginfo.com
    • 66.175.106.148 - United States - Verizon Business - 2012-03-03
  • iraniangoals.com
    • 68.178.232.100 - United States - GoDaddy.com - 2011-11-13
    • 69.65.33.21 - Flushing - United States - GigeNET - 2011-09-08
  • rastadirect.net
    • 68.178.232.100 - United States - GoDaddy.com - 2011-05-02
  • iraniangoalkicks.com
    • 68.178.232.100 - United States - GoDaddy.com - 2011-04-04
  • headlines2day.com
    • 118.139.174.1 - Singapore - Web Hosting Service - 2013-06-30. Source: viewdns.info
    • 184.168.221.91 2013-08-12T06:17:39. Source: 2013 DNS Census grep
  • fightwithoutrules.com
    • 204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26
    • 208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20
    • 212.4.17.38 - Milan - Italy - MCI Worldcom Italy Spa - 2012-03-03
  • fitness-dawg.com
    • 219.90.62.243 - Taiwan - Verizon Taiwan Co. Limited - 2012-01-11
Neither of these seem to be in the same ranges, the only common nearby hit amongst these ranges is the exact 68.178.232.100, and doing reverse IP search at viewdns.info/reverseip/?host=68.178.232.100&t=1 states that it has 2.5 million hostnames associated to it, so it must be some kind of Shared web hosting service, see also: superuser.com/questions/577070/is-it-possible-for-many-domain-names-to-share-one-ip-address, which makes search hard.
Ciro then tried some of the other IPs, and soon hit gold.
Initially, Ciro started by doing manual queries to viewdns.info/reversip until his IP was blocked. Then he created an account and used his 250 free queries with the following helper script: cia-2010-covert-communication-websites/viewdns-info.sh. The output of that script can be seen at: github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/viewdns-info.sh.
Ciro then found 2013 DNS Census which contained data highly disjoint form the viewdns-info one!
Summaries of the IP range exploration done so far follows, combined data from all databases above.
Read the full article
Searching for Carson Updated 2025-02-22 +Created 1970-01-01
View more
Edit: Carson was found Oleg Shakirov's findingsby Oleg Shakirov: alljohnny.com, communicated at: twitter.com/shakirov2036/status/1746729471778988499, earliest archive from 2004 (!): web.archive.org/web/20040113025122/http://alljohnny.com/, The domain was hidden in plain sight, it was present in a not very visible watermark visible in the Reuters article screenshot! The watermark was added to the CIA to the background image, it is actually present on the website. In retrospect, it was actually present at on the expired domain trackers dataset, but the mega discrete all second word made Ciro Santilli miss it: github.com/cirosantilli/expired-domain-names-by-day-2015/blob/9d504f3b85364a64f7db93311e70011344cff788/07/05/02#L1572
Figure 1.
2004 Wayback Machine archive of alljohnny.com
.
What follows is the previous
The fact that the Reuters article has a screenshot of it, and therefore a Wayback Machine link, plus the specificity of the website topic, will likely keep Ciro awake at night for a while until someone finds that domain.
Some text visible on the Reuters screenshot:
  • Johnny Carson and The Tonight Show
  • Your Favorite Host and Comedic Genius
  • Submit Your Favorite Carson Moment
  • Heeere's Johnny!
    Holy crap, the "Here's Johnny" line from The Shining (1980) is a reference to Johnny Carson: www.youtube.com/watch?v=WDpipB4yehk, www.youtube.com/watch?v=aYnyPAkgyvc, Ciro never knew that... but every American would have understood it at the time.
It is unclear however if this text is plaintext or part of a an image.
Some failed attempts, either dry guesses or from DNS grepping dataset searches:
Searching the Wayback Machine proved fruitless. There is no full text search: Wayback Machine full text search, and a heuristic web.archive.org/web/20230000000000*/Johnny%20Carson search has relevant hits but not the one we want.
Another attempt was to search for "carson" on webmasterhome.cn which lists expired domains in bulk by expiration day, and it search engine friendly. It contains most of the domains we've found so far. Google either doesn't support partial word search or requires you to be a God to find it
so we settle for DuckDuckGo which supports it: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22&t=h_&ia=web Adding years also helps: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22+2011&ia=web with this we might be getting all possible results. Ciro went through all in 2011, 2012 and 2013 but no luck. Also fuck en.wikipedia.org/wiki/Carson_City,_Nevada and en.wikipedia.org/wiki/Carson,_California :-)
Let's search tools.whoisxmlapi.com/reverse-whois-search for "carson" contained in any historic domain name. 10,001 lines. Grepping those, no good Wayback machine hits for those that also contain "johnny" or "show". Data at: raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/tools.whoisxmlapi.com_reverse-whois-search_carson.csv in case anyone want to try and dig...
Let's also search the fortuitously timed 2013 DNS Census.
Read the full article
Selected screenshots Updated 2025-02-22 +Created 1970-01-01
View more
Figure 1.
2010 Wayback Machine archive of starwarsweb.net
.
The Star Wars one. Clearly branded websites like this are rare, which makes finding them all the much more fun. The Reuters article had two of them (Carson and rastadirect.net), so these were probably manually selected from the full hit dataset, and did not serve specifically as entry points. Most of the websites are quite boring and forgetful as you'd expect.
The subtitle "Beyond The Unknown" may be a reference to the Unknown Regions in the Star Wars fictional universe.
Figure 2.
2011 Wayback Machine archive of iranfootballsource.com
. The third Iranian football on top of the two other published by Reuters: iraniangoalkicks.com and iraniangoals.com! Admittedly, this one is the most generic and less well designed one. But still. They pushed the theme too far!
Figure 3.
2010 Wayback Machine archive of dedrickonline.com
.
The German one.
The CIA has had a few Germany espionage scandals in the 2010s:
Figure 4.
2010 Wayback Machine archive of lesummumdelafinance.com
. A French one. Because it mentions VTT (Mountain Biking in French), it must focus France.
Figure 5.
2011 Wayback Machine archive of attivitaestremi.com
. An Italian one about extreme sports.
Figure 6.
2010 Wayback Machine archive of noticiasmusica.net
.
The Brazilian one.
Figure 7.
2011 Wayback Machine archive of economicnewsbuzz.com
. The Korean one. Love the kawaii style!
Figure 8.
2011 Wayback Machine archive of snapnewsfront.net
. The Japanese one.
Figure 9.
2010 Wayback Machine archive of philippinenewsonline.net
. The Philippine one one.
Figure 10.
2011 Wayback Machine archive of feedsdemexicoyelmundo.com
. The Mexican one.
Figure 11.
2012 Wayback Machine archive of easytraveleurope.com
.
Figure 12.
2011 Wayback Machine archive of tee-shot.net
. One of the many golf-themed sites. Golf appears to be quite popular over in Langley. It's exactly what you'd expect for a mid-level spook to do in their free time!
Figure 13.
2011 Wayback Machine archive of nouvellesetdesrapports.com
.
Figure 14.
2011 Wayback Machine archive of pangawana.com
.
Figure 15.
2011 Wayback Machine archive of recuerdosdeviajeonline.com
.
Figure 16.
2011 Wayback Machine archive of theworld-news.net
.
Figure 17.
2011 Wayback Machine archive of kessingerssportsnews.com
.
Figure 18.
2011 Wayback Machine archive of negativeaperture.com
.
Read the full article
The Reuters websites Updated 2025-02-22 +Created 1970-01-01
View more
The Reuters article directly reported only two domains in writing:
But by looking at the URLs of the screenshots they provided from other websites we can easily uncover all others that had screenshots, except for the Johnny Carson one, which is just generically named. E.g. the image for the Chinese one is www.reuters.com/investigates/special-report/assets/usa-spies-iran/screencap-activegaminginfo.com.jpg?v=192516290922 which leads us to domain activegaminginfo.com.
Also none of those extra ones have any Google hits except for huge domain dumps such has Expired domain trackers, so maybe this counts as little bit of novel public research.
The full list of domains from screenshots is:
This brings up to 8 known domain names with Wayback Machine archives, plus the yet unidentified Johnny Carlson one, see also: Section "Searching for Carson", which is also almost certainly is on Wayback Machine somewhere given that they have a screenshot of it.
Read the full article