How CIA betrayed informants with shoddy front websites built for covert comms
Top tip, don't give your secret login box the HTML form type 'password'
For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities.
The idea being: informants could use secret features within innocent-looking sites to quietly pass back information to American agents. So poorly were these 885 front websites designed, though, according to security research group Citizen Lab and Reuters, that they betrayed those using them to spy for the CIA.
Citing a year-long investigation into the CIA's handling of its informants, Reuters on Thursday reported that Iranian engineer Gholamreza Hosseini had been identified as a spy by Iranian intelligence, thanks to CIA negligence.
"A faulty CIA covert communications system made it easy for Iranian intelligence to identify and capture him," the Reuters report stated.
Word of a catastrophic failure in CIA operational security initially surfaced in 2018, when Yahoo! News reporters Zach Dorfman and Jenna McLaughlin revealed "a compromise of the agency’s internet-based covert communications system used to interact with its informants."
The duo's report indicated that the system involved a website and claimed "more than two dozen sources died in China in 2011 and 2012" as a result of the compromise. Also, 30 operatives in Iran were said to have been identified by Iranian intelligence, fewer of whom were killed as a consequence of discovery than in China.
Blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites
Reuters found one of the CIA websites, iraniangoals[.]com, in the Internet Archive and told Citizen Lab about the site earlier this year. Bill Marczak, from Citizen Lab, and Zach Edwards, from analytics consultancy Victory Medium, subsequently examined the website and deduced that it had been part of a CIA-run network of nearly 900 websites, localized in at least 29 languages, and intended for viewing in at least 36 countries.
These websites, said to have operated between 2004 and 2013, presented themselves as harmless sources of news, weather, sports, healthcare, or other information. But they are alleged to have facilitated covert communications, and to have done serious harm to the US intelligence community and to those risking their lives to help the United States.
The websites were designed to look like common commercial publications but included secret triggering mechanisms to open a covert communication channel. For example, the supposed search box on iraniangoals[.]com is actually a password input field to access such its hidden comms functionality – which you'd never guess unless you inspected the website code to see the input field identified as
type="password" or unless the conversion of text input into hidden • characters gave it away.
Entering the appropriate password opened a messaging interface that spies could use to communicate.
The encrypted messaging widgets from CIA can be found on websites in numerous languages, & technical fingerprints made it possible to find more websites within the network, even nearly a decade after they had been taken down, thanks to the @waybackmachine. Did the CCP know too? https://t.co/5CFa11mFbT— Zach Edwards (@thezedwards) September 29, 2022
Citizen Lab says it has limited the details contained in its report because some of the websites point to former and possibly still active intelligence agents. It says it intends to disclose some details to US government oversight bodies. The security group blames the CIA's "reckless infrastructure" for the alleged agent deaths. Zach Edwards put it more bluntly on Twitter.
"Sloppy ass website widget architecture plus ridiculous hosting/DNS decisions by CIA/CIA contractors likely resulted in dozens of CIA spies being killed," he said.
What makes the infrastructure ridiculous or reckless is that many of the websites had similarities with others in the network and that their hosting infrastructure appears to have been purchased in bulk from the same internet providers and to have often shared the same server space.
"The result was that numerical identifiers, or IP addresses, for many of these websites were sequential, much like houses on the same street," Reuters explained.
- Ex-NSA trio who spied on Americans for UAE now banned from arms exports
- CIA accused of illegally spying on Americans visiting Assange in embassy
- Former CIA engineer Joshua Schulte convicted of spying over WikiLeaks dump
- Anatomy of suspected top-tier decade-hidden NSA backdoor
Such basic errors continue to trip up spy agencies. Investigative research group Bellingcat, for example, has used the sequential numbering of passports to help identify the fake personas of Russian GRU agents. It described this blunder as "terrible spycraft."
And while numerically proximate or sequential identifiers may go unnoticed some of the time – security through obscurity – it only takes one double agent aware of the scheme to allow adversaries to connect the dots.
In the case of Iran, that's what happened, according to Yahoo! News: "Though the Iranians didn’t say precisely how they infiltrated the network, two former US intelligence officials said that the Iranians cultivated a double agent who led them to the secret CIA communications system."
The CIA did not respond to a request for comment. ®
On the subject of spies...
A former NSA man has been charged with three counts of espionage. Jareh Sebastian Dalke, 30, of Colorado Springs, is accused of emailing three classified files to someone he thought was a foreign government agent but was in fact an undercover FBI agent.
Dalke left the NSA in July this year, and soon after attempted to leak documents he had stolen from the agency, prosecutors claim. According to the Justice Dept, Dalke claimed he "had taken highly sensitive information relating to foreign targeting of US systems, and information on US cyber operations, among other topics," and wanted cryptocurrency in exchange for the files.
He was arrested on September 28 and was due to appear in court today. If convicted, he potentially faces the death penalty or any length of time behind bars.