WikiLeaks Research Challenge 3: How can we identify CIA cover servers?
The WikiLeaks Research Community released a new challenge: find and identify CIA cover servers. The parameters for what needed further investigation were posted on the WikiLeaks subreddit. Each specific challenge item is repeated in the conclusion below, along with my responses.
VPS servers
A virtual private server (VPS) is a virtual machine sold as a service by an Internet hosting service. A VPS runs its own copy of an operating system, and customers may have superuser-level access to that operating system instance, so they can install almost any software that runs on that OS.
Source: Wikipedia
78.47.85.114
- Domain: static.114.85.47.78.clients.your-server.de
- Location: Falkenstein, Sachsen and Bonn, North Rhine-Westphalia (Germany)
- ISPs: Hetzner Online GmbH, Innovo Consulting SRL
- Created: 2007-04-16
78.47.85.121
- Domain: static.121.85.47.78.clients.your-server.de
- Location: Falkenstein, Sachsen and Bonn, North Rhine-Westphalia (Germany)
- ISPs: Hetzner Online GmbH, Innovo Consulting SRL
- Created: 2007-04-16
78.47.131.68
- Domain: static.68.131.47.78.clients.your-server.de
- Location: Falkenstein, Sachsen and Hanover, Lower Saxony (Germany)
- ISPs: Hetzner Online GmbH, Innovo Consulting SRL
- Created: 2007-04-16
88.198.156.226
- Domain: static.88-198-156-226.clients.your-server.de
- Location: Bayern and Bonn, North Rhine-Westphalia (Germany)
- ISPs: Hetzner Online GmbH, Innovo Consulting SRL
- Created: 2005-12-27
88.198.156.225
- Domain: static.88-198-156-225.clients.your-server.de
- Location: Bayern and Bonn, North Rhine-Westphalia (Germany)
- ISPs: Hetzner Online GmbH, Innovo Consulting SRL
- Created: 2005-12-27
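All six reverse-DNS names above are the hosting providers' auto-generated templates, which spell the IP address out inside the hostname (Hetzner reverses the octets, static.114.85.47.78..., or joins them with dashes; Superonline uses host-91-93-104-178). That is itself a useful signal: nobody set a custom reverse name for these boxes. The check below is an added example written for this page, not a tool from the WikiLeaks challenge; the IP-to-hostname table is transcribed from the list above, and it verifies that each PTR name encodes its own IP, records which provider domain it sits under, and groups the addresses by /24 so that adjacent allocations such as .225/.226 stand out.

```python
import ipaddress
import re

# The six addresses and reverse-DNS names listed on this page, keyed by IP.
# Transcribed from the page; the checking code below is an added example.
HOSTS = {
    "78.47.85.114": "static.114.85.47.78.clients.your-server.de",
    "78.47.85.121": "static.121.85.47.78.clients.your-server.de",
    "78.47.131.68": "static.68.131.47.78.clients.your-server.de",
    "88.198.156.226": "static.88-198-156-226.clients.your-server.de",
    "88.198.156.225": "static.88-198-156-225.clients.your-server.de",
    "91.93.104.178": "host-91-93-104-178.reverse.superonline.net",
}

# Four 1-3 digit groups joined by '.' or '-', not glued to other digits.
OCTET_RUN = re.compile(
    r"(?<![0-9])(\d{1,3})[.-](\d{1,3})[.-](\d{1,3})[.-](\d{1,3})(?![0-9])"
)


def embedded_addresses(hostname):
    """Every valid IPv4 address spelled out inside a hostname, read both
    forwards (88-198-156-226 -> 88.198.156.226) and reversed
    (114.85.47.78 -> 78.47.85.114, the in-addr.arpa order Hetzner uses)."""
    found = set()
    for match in OCTET_RUN.finditer(hostname):
        octets = match.groups()
        for candidate in (".".join(octets), ".".join(reversed(octets))):
            try:
                found.add(str(ipaddress.IPv4Address(candidate)))
            except ipaddress.AddressValueError:
                continue  # e.g. a group above 255 is not an octet
    return found


def is_generic_ptr(ip, hostname):
    """True when the PTR name embeds the IP itself: the provider's
    auto-generated template, so the customer never set a custom reverse name."""
    return str(ipaddress.IPv4Address(ip)) in embedded_addresses(hostname)


def provider_domain(hostname, labels=2):
    """The registrable suffix the PTR lives under (your-server.de, ...)."""
    return ".".join(hostname.split(".")[-labels:])


def clusters(hosts):
    """Group the addresses by /24 so adjacent allocations stand out."""
    by_block = {}
    for ip in hosts:
        block = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        by_block.setdefault(block, []).append(ip)
    return {b: sorted(ips, key=ipaddress.IPv4Address) for b, ips in by_block.items()}


def audit(hosts):
    """Per-IP summary: generic PTR or not, provider domain, containing /24."""
    report = {}
    for ip, name in hosts.items():
        report[ip] = {
            "generic_ptr": is_generic_ptr(ip, name),
            "provider": provider_domain(name),
            "block": str(ipaddress.ip_network(f"{ip}/24", strict=False)),
        }
    return report


if __name__ == "__main__":
    for ip, info in audit(HOSTS).items():
        print(f"{ip:16} generic_ptr={info['generic_ptr']!s:5} "
              f"{info['provider']:16} {info['block']}")
    for block, ips in clusters(HOSTS).items():
        print(block, "->", ", ".join(ips))
```

Running it reports every address as a generic PTR under your-server.de or superonline.net, and places 88.198.156.225 and 88.198.156.226 (the pair the conclusion labels gateway and server) in the same /24. A custom reverse name, or a PTR whose embedded address does not match the IP, would be the thing to look at more closely.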
VPN tunnels
The first reason many people use [VPN tunnels] is to encrypt a TCP/IP connection from an application to a server. Some applications, mainly ones based on a client/server protocol, need to connect to a database server to access their data. Using a tunnel is an excellent way to not only make the connection easier for the end user but also to secure the communications.
The second reason is that you want to encrypt all of your traffic leaving some location. A tunnel can be set up, by using a regular or transparent proxy, to transfer all of your Internet data via that tunnel.
Source: Make Use Of
91.93.104.178
- Domain: host-91-93-104-178.reverse.superonline.net
- Location: Istanbul, Turkey
- ISPs: Teletek Network and Global Iletisim Hizmetleri
- Created: 2006-08-24
Cover domains
According to a brief found on WikiLeaks, a cover domain is one of a network of cover domains used to mask the IP address of the real target server.
For example, if the owner of EXAMPLE.COM wanted WIKILEAKS.EXAMPLE.COM to be a cover domain, they would add a DNS A record for WIKILEAKS.EXAMPLE.COM pointing at [IP ADDRESS] to the zone on a DNS server, a machine whose only job is to translate domain names into IP addresses.
Source: WikiLeaks
playa-del-rio.com
IP Address | Location | Owner | Last seen on this IP |
---|---|---|---|
184.168.221.79 | Scottsdale - United States | GoDaddy.com, LLC | 2015-06-21 |
78.47.85.114 | Germany | HETZNER-RZ-NBG-BLK5 | 2014-07-05 |
viva-rio-engracado.com
IP Address | Location | Owner | Last seen on this IP |
---|---|---|---|
50.63.202.76 | Scottsdale - United States | GoDaddy.com, LLC | 2015-06-21 |
78.47.131.68 | Germany | HETZNER-RZ-NBG-BLK5 | 2014-05-17 |
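The check these two tables support, as an added example written for this page (not a tool from the WikiLeaks challenge or the Reddit thread): paste the IP-history tables in as text, parse them, and cross-reference them against the domain-to-IP associations claimed for the document. The table text below is constructed sample input transcribed from the two tables above, and the claimed mappings are the ones listed in the conclusion of this post. The output separates claims the history confirms from claims it cannot, lists the other addresses each domain has resolved to, and orders the records by date so the move from one address owner to another is visible.

```python
import ipaddress
from datetime import date

# The two IP-history tables from this page, pasted in as constructed sample
# input in the pipe-table form a domain-history tool exports. The checking
# code is an added example, not a tool from the WikiLeaks challenge.
HISTORY_TABLES = {
    "playa-del-rio.com": """
IP Address | Location | Owner | Last seen on this IP |
---|---|---|---|
184.168.221.79 | Scottsdale - United States | GoDaddy.com, LLC | 2015-06-21 |
78.47.85.114 | Germany | HETZNER-RZ-NBG-BLK5 | 2014-07-05 |
""",
    "viva-rio-engracado.com": """
IP Address | Location | Owner | Last seen on this IP |
---|---|---|---|
50.63.202.76 | Scottsdale - United States | GoDaddy.com, LLC | 2015-06-21 |
78.47.131.68 | Germany | HETZNER-RZ-NBG-BLK5 | 2014-05-17 |
""",
}

# The domain-to-IP associations claimed for the leaked document (taken from
# the conclusion of this page); these are the statements to confirm or refute.
CLAIMED = {
    "playa-del-rio.com": {"78.47.85.114", "78.47.85.121"},
    "viva-rio-engracado.com": {"78.47.131.65", "78.47.131.68"},
}


def parse_pipe_table(text):
    """Turn a pipe-delimited table with a --- separator row into row dicts."""
    lines = [ln.strip().strip("|").strip() for ln in text.strip().splitlines()]
    # drop blank lines and the ---|---|--- separator row
    lines = [ln for ln in lines if ln and not set(ln) <= set("-|: ")]
    if not lines:
        return []
    header = [cell.strip() for cell in lines[0].split("|")]
    return [dict(zip(header, (cell.strip() for cell in ln.split("|"))))
            for ln in lines[1:]]


def cross_reference(tables, claimed):
    """For each domain: claimed IPs the history confirms, claimed IPs it does
    not, other IPs the domain resolved to, and the hosting timeline."""
    result = {}
    for domain, claimed_ips in claimed.items():
        seen = {}
        for row in parse_pipe_table(tables.get(domain, "")):
            ip = str(ipaddress.IPv4Address(row["IP Address"]))  # normalise
            seen[ip] = (date.fromisoformat(row["Last seen on this IP"]), row["Owner"])
        known = set(seen)
        result[domain] = {
            "confirmed": sorted(claimed_ips & known, key=ipaddress.IPv4Address),
            "unconfirmed": sorted(claimed_ips - known, key=ipaddress.IPv4Address),
            "other": sorted(known - claimed_ips, key=ipaddress.IPv4Address),
            # (last seen, ip, owner), oldest first: shows the move between hosts
            "timeline": sorted((d.isoformat(), ip, owner)
                               for ip, (d, owner) in seen.items()),
        }
    return result


def hosting_moved(result, domain):
    """True when the domain's history shows more than one address owner."""
    return len({owner for _, _, owner in result[domain]["timeline"]}) > 1


if __name__ == "__main__":
    for domain, r in cross_reference(HISTORY_TABLES, CLAIMED).items():
        print(domain)
        print("  confirmed:  ", r["confirmed"])
        print("  unconfirmed:", r["unconfirmed"])
        print("  other:      ", r["other"])
        for last_seen, ip, owner in r["timeline"]:
            print(f"  {last_seen}  {ip:16} {owner}")
```

For these two domains the history confirms 78.47.85.114 and 78.47.131.68, cannot confirm 78.47.85.121 or 78.47.131.65 (a gateway address would not be expected to appear in a domain's A-record history), and shows both domains moving from Hetzner-owned addresses in 2014 to GoDaddy-owned ones in 2015. Unconfirmed claims are not refuted: passive-DNS coverage is sparse, so the right next step is a second history source rather than a conclusion.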
Conclusion
Revisiting the challenge questions to see what has been covered:
IP addresses
What domain names have the IP addresses in the document been connected to?
- your-server.de (the five Hetzner addresses)
- superonline.net (91.93.104.178)
When were the IP addresses connected to those domain names?
- your-server.de addresses: 2005-12-27 (88.198.156.225 and 88.198.156.226) and 2007-04-16 (the 78.47.x.x addresses) to present
- 91.93.104.178: 2006-08-24 to present
Who registered any associated domain names?
- Hetzner Online GmbH
- Innovo Consulting SRL
- Teletek Network
- Global Iletisim Hizmetleri
Were other IP addresses connected to those same domains at any point?
Where were the CIA's VPS servers used in HIVE located/hosted?
- Germany (VPS servers)
- Turkey (VPN tunnel)
Domain names
Who registered these domain names and when?
- GoDaddy, 2015
- Hetzner Online GmbH, 2014
- These come from the IP-history tables above (GoDaddy-owned addresses last seen on both domains on 2015-06-21, Hetzner-owned addresses last seen in 2014), so they identify who owned the hosting addresses at those times rather than the registrar of record
What IP addresses have been connected to the domain names in the document?
- playa-del-rio.com
  - 78.47.85.114
  - 78.47.85.121
- viva-rio-engracado.com
  - 78.47.131.65 (gateway)
  - 78.47.131.68
- 88.198.156.226
- 88.198.156.225 (gateway)
Is it possible to confirm that the IP addresses mentioned in the document were actually associated with the domain names that the document claims they were?
- YES (special thanks to Reddit user OCCUPY_MARS): the IP histories above show playa-del-rio.com on 78.47.85.114 and viva-rio-engracado.com on 78.47.131.68
Trends/Connections
Are there any patterns or trends in how the CIA registers domain names or sets up servers? (registrars, hosts, timing, etc)
- None of the VPS or VPN hosts were based in the U.S. (the only U.S. addresses are the later GoDaddy ones in the domain histories)
- All of the address blocks appear to be at least 10 years old (created between 2005 and 2007)
What companies and people seem to be associated with these domain names and IP addresses?
- VPS servers
  - Germany
    - Hetzner Online GmbH
    - Innovo Consulting SRL
- VPN tunnels
  - Turkey
    - Teletek Network
    - Global Iletisim Hizmetleri
Are there any other interesting things you can find about these domain names and IP addresses?
- According to page histories in the Wayback Machine, several of the cover IPs have been flagged for sending spam
- The different components are in different countries/locations
- Seems perfect for hiding a CIA cyberattack
If you like my posts, I can be found on Medium as well! @RebelSkum