WikiLeaks Research Community released a new challenge to find and identify CIA cover servers. Some parameters were given as to what was needed to be further looked into, and can be found on the WikiLeaks subreddit. I also include each specific challenge item in my conclusion along with specific responses.

VPS servers

A virtual private server (VPS) is a virtual machine sold as a service by an Internet hosting service. A VPS runs its own copy of an operating system, and customers may have superuser-level access to that operating system instance, so they can install almost any software that runs on that OS.

Source Wikipedia

78.47.85.114

• Domain: static.114.85.47.78.clients.your-server.de
• Location: Sachsen, Falkenstein and North Rhine-Westphalia, Bonn in Germany
• ISPs: Hetzner Online GmbH, Innovo Consulting SRL
• Created: 2007-04-16

78.47.85.121

• Domain: static.121.85.47.78.clients.your-server.de
• Location: Sachsen, Falkenstein and North Rhine-Westphalia, Bonn in Germany
• ISPs: Hetzner Online GmbH, Innovo Consulting SRL
• Created: 2007-04-16

78.47.131.68

• Domain: static.68.131.47.78.clients.your-server.de
• Location: Sachsen, Falkenstein and Lower Saxony, Hanover in Germany
• ISPs: Hetzner Online GmbH, Innovo Consulting SRL
• Created: 2007-04-16

88.198.156.226

• Domain: static.88-198-156-226.clients.your-server.de
• Location: Bayern and North Rhine-Westphalia, Bonn in Germany
• ISPs: Hetzner Online GmbH, Innovo Consulting SRL
• Created: 2005-12-27

88.198.156.225

• Domain: static.88-198-156-225.clients.your-server.de
• Location: Bayern and North Rhine-Westphalia, Bonn in Germany
• ISPs: Hetzner Online GmbH, Innovo Consulting SRL
• Created: 2005-12-27

VPN tunnels

The first reason many people use [VPN tunnels] is to encrypt a TCP/IP connection from an application to a server. Some applications, mainly ones based on a client/server protocol, need to connect to a database server to access their data. Using a tunnel is an excellent way to not only make the connection easier for the end user but also to secure the communications.

The second reason is that you want to encrypt all of your traffic leaving some location. A tunnel can be set up, by using a regular or transparent proxy, to transfer all of your Internet data via that tunnel.

Source: Make Use Of

91.93.104.178

• Domain: host-91-93-104-178.reverse.superonline.net
• Location: Istanbul, Turkey
• ISPs: Teletek Network and Global Iletisim Hizmetleri
• Created: 2006-08-24

Cover domains

According to a brief found on WikiLeaks, a cover domain is part of a network of other cover domains used to mask the IP of a target domain.

For example, if the owner of EXAMPLE.COM wanted WIKILEAKS.EXAMPLE.COM to be a cover domain, they would add EXAMPLE A [IP ADDRESS] to a file on a computer that does nothing more than convert domains to IP addresses.

Source: WikiLeaks

playa-del-rio.com

IP Address Location	IP Address	Owner	Last seen on this IP
184.168.221.79	Scottsdale - United States	GoDaddy.com, LLC	2015-06-21
78.47.85.114	Germany	HETZNER-RZ-NBG-BLK5	2014-07-05

viva-rio-engracado.com

IP Address Location	IP Address	Owner	Last seen on this IP
50.63.202.76	Scottsdale - United States	GoDaddy.com, LLC	2015-06-21
78.47.131.68	Germany	HETZNER-RZ-NBG-BLK5	2014-05-17

Conclusion

Let's then revisit the challenge questions to see what's been covered:

IP addresses

• What domain names have the IP addresses in the document been connected to?
  • your-server.de
  • superonline.net
• When were the IP addresses connected to those domain names?
  • your-server.de addresses: 2005-12-27 to present
  • 91.93.104.178: 2006-08-24 to present
• Who registered any associated domain names?
  • Hetzner Online GmbH
  • Innovo Consulting SRL
  • Teletek Network
  • Global Iletisim Hizmetleri
• Were other IP addresses connected to those same domains at any point?
  • superonline.net has a history of changed ownership
• Where were the CIA's VPS servers used in HIVE located/hosted?
  • Germany
  • Turkey

Domain names

• Who registered these domain names and when?
  • GoDaddy, 2015
  • Hetzner Online GmbH, 2014
• What IP addresses have been connected to the domain names in the document?
  • playa-del-rio.com
    • 78.47.85.114
    • 78.47.85.121
  • viva-rio-engracado.com
    • 78.47.131.65 (gateway)
    • 78.47.131.68
    • 88.198.156.226
    • 88.198.156.225 (gateway)
• Is it possible to confirm that the IP addresses mentioned in the document were actually associated with the domain names that the document claims they were?
  • YES (special thanks to Reddit user OCCUPY_MARS)
  • playa-del-rio.com
  • viva-rio-engracado.com

Trends/Connections

• Are there any patterns or trends in how the CIA registers domain names or sets up servers? (registrars, hosts, timing, etc)
  • None were based in the U.S.
  • All appear to be at least 10 years old
• What companies and people seem to be associated with these domain names and IP addresses?
  • VPS servers
    • Germany
    • Hetzner Online GmbH
    • Innovo Consulting SRL
  • VPN tunnels
    • Turkey
    • Teletek Network
    • Global Iletisim Hizmetleri
• Are there any other interesting things you can find about these domain names and IP addresses?
  • According to the histories of Wayback Machine several of the cover IPs have been flagged for sending spam
  • Different components are from different countries/locations
  • Seems perfect for hiding a CIA cyberattack

If you like my posts, I can be found on Medium as well! @RebelSkum

If you like my work and wish to support my future projects and research, consider subscribing to my Patreon and receive additional perks for helping the cause!