This article is about covert agent communication channel websites used by the CIA in the late 2000s to early 2010s until they were uncovered by target countries. This discovery led to the imprisonment and execution of several assets in Iran and China.
So when Ciro Santilli heard about the 2022 article, almost a year after publication, he knew he had to try and find some of the domains himself using the newly available information! Given that it was reported that there were “more than 350” such websites, it would be really cool if we could uncover more of those websites ourselves beyond the 8 domains reported by Reuters! Notably, being Brazilian, Ciro Santilli is particularly curious about the existence of the Brazilian-focused website mentioned in the article, as well as of those aimed at other democracies. WTF was the CIA doing in Brazil in the early 2010s! Wasn’t the Military dictatorship in Brazil enough!
Here’s the list of probable candidates Ciro has found so far using only a rudimentary IP range search on viewdns.info, starting from the websites reported by Reuters (more details on methods below). It is nothing compared to the hundreds of websites reported, so there must be key techniques missing, but the fact that there are no Google Search hits for the domains or IPs indicates that they might not have been clearly publicly disclosed before.
Some selected screenshots:
citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/ did an investigation and found 885 such websites, but decided not to disclose the list or methods:
Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive‘s Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.
The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.
The websites, which purported to be news, weather, sports, healthcare, and other legitimate websites, appeared to be localized to at least 29 languages and geared towards at least 36 countries.
The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:
- Several are currently abroad
- Another left mainland China in the timeframe of the Chinese crackdown
- Another was subsequently employed by the US State Department
- Another now works at a foreign intelligence contractor
Given that we cannot rule out ongoing risks to CIA employees or assets, we are not publishing full technical details regarding our process of mapping out the network at this time. As a first step, we intend to conduct a limited disclosure to US government oversight bodies.
The websites were used from at least as early as August 2008, as per Gholamreza Hosseini’s account, and the system was apparently only shut down in 2013.
Notably, so as to be less suspicious, the websites are often in the language of the country for which they were intended, so we can often guess which country each one was intended for!
Reuters directly reported only two domains in writing:
- iraniangoals.com. Iranian-language football website. As of 2023, the domain had been bought by Reuters and redirects to their website.
Also, none of those extra ones have any Google hits except for huge domain dumps, so maybe this counts as a little bit of novel public research.
The full list of domains from screenshots is:
- The website is entitled 活跃游戏, which means “lively games” or “active games”, as in the domain name itself. Available in GoDaddy as of 2023.
- Ciro Santilli actually sent him a message to let him know about the CIA thing in case he didn’t, and he replied that he wasn’t aware of it.
- Available as of 2023.
- Available as of 2023.
- Available as of 2023.
Failed attempts at guessing the Johnny Carson domain:
This brings us up to 8 known domain names with Wayback Machine archives, plus the yet unidentified Johnny Carson one, which is almost certainly also on the Wayback Machine somewhere, given that they have a screenshot of it.
From this we can see some clear stylistic trends across the websites, which would allow us to spot other likely candidates upon inspection:
- natural sounding, sometimes long-ish, English language domain names with 2 or 3 full words
- shallow websites with a few tabs, many external links, sometimes many images, and few internal pages
- common themes include:
  - news
  - hobbies, notably sports, travel and photography
- .com and .net top-level domains
- each one has one “communication mechanism file”, which is either a:
  These have short single-word names with some meaning linked to their website.
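As an added example (not code from this article, from Reuters or from Citizen Lab), the script below turns the stylistic trends just listed, plus the IP-neighbourhood idea behind the viewdns.info range search mentioned at the top, into a scoring function and runs it over a constructed candidate list. Everything in it is an assumption for illustration: the domains, file names and IPs are made up (the IPs sit in RFC 5737 documentation ranges), `WORDS` is a tiny stand-in for a real English dictionary, and the thresholds (8 addresses either side of a seed, at most 10 internal pages, at least 20 external links, a mechanism-file stem of at most 12 letters) are arbitrary knobs, not figures from the article.

```python
"""Score constructed candidate sites against the stylistic trends listed in the article.

Added example, not code from the article. Every domain, IP address and file name
below is made up (IPs are in RFC 5737 documentation ranges), WORDS is a tiny
stand-in for a real English dictionary, and the thresholds are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed "seed" addresses standing in for the IPs of already-reported sites.
SEED_IPS = [ipaddress.ip_address(s) for s in ("203.0.113.10", "203.0.113.14")]
SEED_RADIUS = 8  # assumption: addresses within +/-8 of a seed count as "sequential"

# Tiny stand-in dictionary; a real run would load a full English word list.
WORDS = {
    "iranian", "goals", "lively", "games", "coastal", "fishing", "news",
    "travel", "photos", "weather", "daily", "sports", "world", "hobby", "garden",
}


@dataclass
class Candidate:
    domain: str                    # bare registrable domain, "label.tld"
    ip: str                        # IPv4 address the site was hosted on (reverse-IP data)
    internal_pages: int            # pages under the domain itself
    external_links: int            # links pointing off-site
    mechanism_file: Optional[str]  # suspected "communication mechanism file", if any


def segment(label: str) -> Optional[list[str]]:
    """Split a domain label into the fewest dictionary words, or None if impossible."""
    n = len(label)
    best: list[Optional[list[str]]] = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and label[j:i] in WORDS:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def near_seed(ip: str) -> bool:
    """True when the address sits in a short sequential run next to a known seed."""
    addr = int(ipaddress.ip_address(ip))
    return any(abs(addr - int(seed)) <= SEED_RADIUS for seed in SEED_IPS)


def score(c: Candidate) -> dict[str, bool]:
    """One boolean per heuristic from the article's list of stylistic trends."""
    label, _, tld = c.domain.rpartition(".")
    words = segment(label) if label.isalpha() else None  # digits/hyphens: not "natural"
    stem = c.mechanism_file.rsplit(".", 1)[0] if c.mechanism_file else ""
    return {
        "com_or_net_tld": tld in ("com", "net"),
        "two_or_three_english_words": words is not None and 2 <= len(words) <= 3,
        "sequential_ip_near_seed": near_seed(c.ip),
        "shallow_site": c.internal_pages <= 10 and c.external_links >= 20,
        "single_word_mechanism_file": stem.isalpha() and len(stem) <= 12,
    }


def rank(cands: list[Candidate]) -> list[tuple[int, str]]:
    """Candidates ordered by how many heuristics they match (most first)."""
    return sorted(((sum(score(c).values()), c.domain) for c in cands), reverse=True)


# Constructed sample input (none of these are real sites).
SAMPLE = [
    Candidate("coastalfishingnews.com", "203.0.113.11", 6, 45, "fish.jar"),
    Candidate("dailyweatherphotos.net", "198.51.100.7", 8, 30, None),
    Candidate("hobbygarden.org", "203.0.113.18", 4, 25, "garden.swf"),
    Candidate("bigstore2024.com", "203.0.113.90", 300, 5, "checkout-v2.php"),
]

if __name__ == "__main__":
    by_domain = {c.domain: c for c in SAMPLE}
    for total, domain in rank(SAMPLE):
        print(f"{total}/5  {domain}  {score(by_domain[domain])}")
```

The per-heuristic dictionary matters more than the total: a site that scores 5/5 here still needs a human to open the Wayback Machine copy and look at the artifact, while a 3/5 that only misses the IP check may just mean the seed list is incomplete. Swapping `WORDS` for a real dictionary and `SEED_IPS` for the addresses of the reported sites is all that separates this toy from a first-pass filter over a reverse-IP dump.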