
Flawed CIA covert websites may have risked sources’ lives, research says


Hundreds of now-defunct websites used by the US Central Intelligence Agency (CIA) could have been identified by even an “amateur sleuth”, according to security researchers.

A report published by the University of Toronto's Citizen Lab has raised serious doubts about the US intelligence agency’s handling of safety measures, after finding that the CIA used "flawed" websites for covert communications for years. 

Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive’s Wayback Machine, Citizen Lab said it identified a network of 885 websites that it attributed “with high confidence” as having been used by the CIA between 2004 and 2013.

Although the researchers said the websites were probably not used by the CIA recently, they revealed that a subset of them are still linked to active intelligence employees or assets, including a foreign contractor and a current State Department employee.

The researchers reported that the websites included similar Java, JavaScript, Adobe Flash and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have reportedly facilitated discovery by hostile parties.

"Had we conducted this research while the websites were still online - as China and Iran likely would have - we would not even have needed to rely on the Wayback Machine and other tools," Citizen Lab said in a statement.

"Knowing only one website, it is likely that, while the websites were online, a motivated amateur sleuth could have mapped the CIA network and attributed it to the US government". 

The security experts began their investigation into the CIA websites in 2022, after receiving a tip from Reuters reporter Joel Schectman that a CIA asset had been captured in Iran after using a compromised network. Four years prior, an article published in Yahoo News reported that a CIA covert communications system had been compromised by Iran and China around 2011, leading to the death of “more than two dozen sources” in China and Iran.

The group said it was not publishing a full detailed technical report of its findings to avoid putting CIA assets or employees at risk, but did raise concerns regarding the intelligence agency’s handling of safety measures.

“The reckless construction of this infrastructure by the CIA reportedly led directly to the identification and execution of assets and undoubtedly risked the lives of countless other individuals," Citizen Lab added. "Our hope is that this research and our limited disclosure process will lead to accountability for this reckless behaviour.” 

The websites - which purported to be news, weather, sports, healthcare and other legitimate websites - appeared to be available in 29 languages and geared towards at least 36 countries. One of the websites released posed as a Johnny Carson tribute page, asking users to submit their "favourite Johnny Carson moment," the study said.

CIA spokesperson Tammy Kupperman Thorp responded to the report, saying: “CIA takes its obligations to protect the people who work with us extremely seriously and we know that many of them do so bravely, at great personal risk. The notion that CIA would not work as hard as possible to safeguard them is false.”

In 2020, an internal report concluded that a 2016 breach which compromised a huge trove of the CIA’s cyber weapons occurred due to “woefully lax” information security within the agency. The breach was revealed in March 2017 when WikiLeaks published what it characterised as the largest-ever trove of acquired CIA documents, known as ‘Vault 7’.
