In 2018, Jenna McLaughlin and Zach Dorfman of Yahoo News reported that a system used by the CIA to covertly communicate with its assets around the world had been compromised by Iran and China around 2011. The compromise reportedly led to the death of “more than two dozen sources” in China in 2011 and 2012, and also reportedly led Iran to execute some CIA assets and imprison others.
Because the network was used by CIA assets around the world, the compromise also reportedly enabled Iran and China to track US espionage activity beyond their own borders, in other countries.
While relevant oversight bodies reportedly performed an investigation into the as-yet-unreported compromise in 2013, Yahoo News reported that those responsible for the intelligence failures were never held accountable: “One of the central concerns among those familiar with the scope of the breakdown is the institutions responsible for it were never held accountable.”
In 2022, we learned from Reuters journalist Joel Schectman that a CIA asset who was captured in Iran, and subsequently served seven years in prison, had communicated with his agency handlers via a hidden communications app on the website iraniangoals[.]com. Reuters reports that Iran’s compromise of the network may have led to the asset’s capture. We investigated the website in an effort to understand the vulnerabilities leveraged by Iran and China, and to learn whether the United States had been using an irresponsibly secured system for asset communication. Our investigation, led by Citizen Lab senior researcher Bill Marczak, confirmed the reports of a fatally insecure network.
We shared our findings with Schectman, whose Reuters story can be found here: America’s Throwaway Spies: How the CIA failed Iranian informants in its secret war with Tehran.
Extensive Design Flaws and Shortcuts
Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive’s Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.
The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented, or apparently loaded, covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. Each of these flaws would have made the network easier for hostile parties to discover: shared artifacts let one identified site point to the others, and contiguous address blocks registered to shell companies group the sites together.
The websites, which purported to be news, weather, sports, healthcare, and other legitimate websites, appeared to be localized to at least 29 languages and geared towards at least 36 countries.
Identifying Americans Abroad
The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:
- Several are currently abroad
- Another left mainland China in the timeframe of the Chinese crackdown
- Another was subsequently employed by the US State Department
- Another now works at a foreign intelligence contractor
Limited Disclosure
Given that we cannot rule out ongoing risks to CIA employees or assets, we are not publishing full technical details regarding our process of mapping out the network at this time. As a first step, we intend to conduct a limited disclosure to US government oversight bodies.
Our mission is to undertake independent, evidence-based research holding governments and corporations accountable for their actions in the digital space, regardless of who those governments and corporations are. The reckless construction of this infrastructure by the CIA reportedly led directly to the identification and execution of assets, and undoubtedly risked the lives of countless other individuals. Our hope is that this research, and our limited disclosure process, will ensure that no one connected to these websites will be in danger, and lead to accountability for this reckless behavior.