CIA Websites Reportedly Led to the Exposure of Critical Assets

Security researchers from Citizen Lab at the University of Toronto said on Thursday they found fatal flaws in a massive network of 885 fake websites that they have “high confidence” were previously used by the Central Intelligence Agency for covert communications.

For one thing, these websites relied on antiquated technology, even for the time. The sites were so easily identifiable that they likely led to agency assets and agents being put at serious risk. What’s more, the sites led to at least one Iranian spy’s arrest and seven-year internment after Iran uncovered the CIA’s fake webpage and informed China, according to the report. “More than two dozen sources” in China reportedly died after the network was exposed.

In 2018, a Yahoo News report documented a huge compromise of the CIA’s internet communications system back in 2013. This compromised network of websites was so “catastrophic,” according to unnamed intelligence figures, it apparently allowed the governments of Iran and China to identify and execute assets as well as track espionage activities outside their borders.

On Thursday, Reuters reported on the CIA’s years-long enterprise to recruit young people in countries like Iran and the shoddy online infrastructure that led to those agents’ capture. Many of those agents were not volunteers, the report notes. Here’s how Reuters explained that process:

After an Iranian drops off an application, diplomatic officers are instructed to examine whether their employment history or family ties could make them valuable. A few days later, a promising applicant might receive a phone call asking them to return to the consulate to answer more detailed questions. As CIA officers, posing as consular officers, reel the applicant into increasingly probing meetings, they hold out the possibility that the visa application will be approved, according to the national security officials, all of whom were directly involved in such practices. By the time the Iranian realizes he has given information to an intelligence officer, the unwitting informant has often made disclosures that could land him in jail.

Citizen Lab says it was the CIA’s own shoddy web design that that ultimately put these CIA assets in harm’s way.

The researchers said they started their investigation after Reuters reporter Joel Schectman came to them with information about a captured CIA agent who had used a clandestine app embedded on the website iraniangoals.com to communicate with his agency handlers. The site appeared to be a kind of sports website geared toward Iranians, according to a version of the site seen on the Wayback Machine.

Citizen Lab, led by senior researcher Bill Marczak, wrote that the early-2010s collapse of the CIA’s covert infrastructure was partially due to the slate of easily-identifiable websites used by the CIA for covert communications. They were disguised as weather, sports, and healthcare outlets, there was even a site dedicated to Johnny Carson, ex-host of The Tonight Show. These websites were localized in 29 languages and were supposed to remain innocuous in at least 36 countries around the world. They remained active from 2004 to 2013, the researchers noted.

Many of these now-defunct websites can be viewed via the Wayback Machine. Some include incredibly shoddy work at trying to be innocuous, including one that displayed Arabic text that was spelled backward, according to former national security reporter Matthew Petti.

The sites were mainly a way for CIA assets abroad to access covert communication applications. Only, these were hidden using Javascript, Adobe Flash, or CGI artifacts that when interacted with in certain ways helped load the communications network. The security flaws inherent in Adobe Flash were known all the way back in 2010.

The agency reportedly made it far too easy to discover and infiltrate these networks. The sites used blocks of sequential IP addresses, many registered to fake U.S.-based companies. The websites had already been taken down by the time the researchers started investigating, but using the archived records, Citizen Lab determined that when these sites were online, even a “motivated amateur sleuth could have mapped the CIA network and attributed it to the U.S. government.”

Citizen Lab said in their statement they decided not to release a full report as that could put more CIA assets in harm’s way, especially because these websites still connect to past—and potentially present—agency informants or spies.

Gizmodo reached out to the CIA for comment but we did not immediately hear back.

This latest report makes a particularly dark incident in the CIA’s past even darker, but you likely won’t find it mentioned on the CIA’s propagandistic foray into podcasts.

Security researchers from Citizen Lab at the University of Toronto said on Thursday they found fatal flaws in a massive network of 885 fake websites that they have “high confidence” were previously used by the Central Intelligence Agency for covert communications.

For one thing, these websites relied on antiquated technology, even for the time. The sites were so easily identifiable that they likely led to agency assets and agents being put at serious risk. What’s more, the sites led to at least one Iranian spy’s arrest and seven-year internment after Iran uncovered the CIA’s fake webpage and informed China, according to the report. “More than two dozen sources” in China reportedly died after the network was exposed.

In 2018, a Yahoo News report documented a huge compromise of the CIA’s internet communications system back in 2013. This compromised network of websites was so “catastrophic,” according to unnamed intelligence figures, it apparently allowed the governments of Iran and China to identify and execute assets as well as track espionage activities outside their borders.

On Thursday, Reuters reported on the CIA’s years-long enterprise to recruit young people in countries like Iran and the shoddy online infrastructure that led to those agents’ capture. Many of those agents were not volunteers, the report notes. Here’s how Reuters explained that process:

After an Iranian drops off an application, diplomatic officers are instructed to examine whether their employment history or family ties could make them valuable. A few days later, a promising applicant might receive a phone call asking them to return to the consulate to answer more detailed questions. As CIA officers, posing as consular officers, reel the applicant into increasingly probing meetings, they hold out the possibility that the visa application will be approved, according to the national security officials, all of whom were directly involved in such practices. By the time the Iranian realizes he has given information to an intelligence officer, the unwitting informant has often made disclosures that could land him in jail.

Citizen Lab says it was the CIA’s own shoddy web design that that ultimately put these CIA assets in harm’s way.

The researchers said they started their investigation after Reuters reporter Joel Schectman came to them with information about a captured CIA agent who had used a clandestine app embedded on the website iraniangoals.com to communicate with his agency handlers. The site appeared to be a kind of sports website geared toward Iranians, according to a version of the site seen on the Wayback Machine.

Citizen Lab, led by senior researcher Bill Marczak, wrote that the early-2010s collapse of the CIA’s covert infrastructure was partially due to the slate of easily-identifiable websites used by the CIA for covert communications. They were disguised as weather, sports, and healthcare outlets, there was even a site dedicated to Johnny Carson, ex-host of The Tonight Show. These websites were localized in 29 languages and were supposed to remain innocuous in at least 36 countries around the world. They remained active from 2004 to 2013, the researchers noted.

Many of these now-defunct websites can be viewed via the Wayback Machine. Some include incredibly shoddy work at trying to be innocuous, including one that displayed Arabic text that was spelled backward, according to former national security reporter Matthew Petti.

The sites were mainly a way for CIA assets abroad to access covert communication applications. Only, these were hidden using Javascript, Adobe Flash, or CGI artifacts that when interacted with in certain ways helped load the communications network. The security flaws inherent in Adobe Flash were known all the way back in 2010.

The agency reportedly made it far too easy to discover and infiltrate these networks. The sites used blocks of sequential IP addresses, many registered to fake U.S.-based companies. The websites had already been taken down by the time the researchers started investigating, but using the archived records, Citizen Lab determined that when these sites were online, even a “motivated amateur sleuth could have mapped the CIA network and attributed it to the U.S. government.”

Citizen Lab said in their statement they decided not to release a full report as that could put more CIA assets in harm’s way, especially because these websites still connect to past—and potentially present—agency informants or spies.

Gizmodo reached out to the CIA for comment but we did not immediately hear back.

This latest report makes a particularly dark incident in the CIA’s past even darker, but you likely won’t find it mentioned on the CIA’s propagandistic foray into podcasts.