WikiLeaks Research Challenge 3: How can we identify CIA cover servers? via /r/WikiLeaks

The WikiLeaks Research Community released a new challenge to find and identify CIA cover servers. The challenge lists specific items to investigate, and the full list can be found on the WikiLeaks subreddit. I also quote each challenge item in my conclusion along with my specific responses.

[Image: HIVE diagram]

VPS servers

A virtual private server (VPS) is a virtual machine sold as a service by an Internet hosting service. A VPS runs its own copy of an operating system, and customers may have superuser-level access to that operating system instance, so they can install almost any software that runs on that OS.

Source: Wikipedia

78.47.85.114

  • Domain: static.114.85.47.78.clients.your-server.de
  • Location: Sachsen, Falkenstein and North Rhine-Westphalia, Bonn in Germany
  • ISPs: Hetzner Online GmbH, Innovo Consulting SRL
  • Created: 2007-04-16

78.47.85.121

  • Domain: static.121.85.47.78.clients.your-server.de
  • Location: Sachsen, Falkenstein and North Rhine-Westphalia, Bonn in Germany
  • ISPs: Hetzner Online GmbH, Innovo Consulting SRL
  • Created: 2007-04-16

78.47.131.68

  • Domain: static.68.131.47.78.clients.your-server.de
  • Location: Sachsen, Falkenstein and Lower Saxony, Hanover in Germany
  • ISPs: Hetzner Online GmbH, Innovo Consulting SRL
  • Created: 2007-04-16

88.198.156.226

  • Domain: static.88-198-156-226.clients.your-server.de
  • Location: Bayern and North Rhine-Westphalia, Bonn in Germany
  • ISPs: Hetzner Online GmbH, Innovo Consulting SRL
  • Created: 2005-12-27

88.198.156.225

  • Domain: static.88-198-156-225.clients.your-server.de
  • Location: Bayern and North Rhine-Westphalia, Bonn in Germany
  • ISPs: Hetzner Online GmbH, Innovo Consulting SRL
  • Created: 2005-12-27
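The reverse DNS names listed above are generic, provider-generated PTR records that encode the IP address itself (Hetzner uses two spellings: reversed, dot-separated octets and in-order, hyphen-separated octets; superonline.net uses a hyphenated in-order form). A quick consistency check is worth running before trusting such a record: if the address embedded in the PTR name does not match the forward IP, the host has a custom reverse name and deserves a closer look. The following is an added example, not code from the original post; it parses the three naming patterns seen on this page and checks the page's own IP/hostname pairs.

```python
import ipaddress
import re

# The three provider PTR patterns quoted on this page (added example, not the post's code):
#   static.114.85.47.78.clients.your-server.de   -> octets reversed, dot-separated
#   static.88-198-156-226.clients.your-server.de -> octets in order, hyphen-separated
#   host-91-93-104-178.reverse.superonline.net   -> octets in order, hyphen-separated
REVERSED_DOTTED = re.compile(r"^static\.(\d+)\.(\d+)\.(\d+)\.(\d+)\.clients\.your-server\.de$")
FORWARD_HYPHEN = re.compile(r"^static\.(\d+)-(\d+)-(\d+)-(\d+)\.clients\.your-server\.de$")
SUPERONLINE = re.compile(r"^host-(\d+)-(\d+)-(\d+)-(\d+)\.reverse\.superonline\.net$")


def ip_from_ptr(hostname):
    """Return the IPv4 address encoded in a generic provider PTR name, or None
    if the name does not follow one of the known patterns (custom rDNS)."""
    h = hostname.strip().lower().rstrip(".")
    m = REVERSED_DOTTED.match(h)
    if m:
        octets = list(reversed(m.groups()))   # undo the reversed ordering
    else:
        m = FORWARD_HYPHEN.match(h) or SUPERONLINE.match(h)
        if not m:
            return None
        octets = list(m.groups())
    try:
        return str(ipaddress.IPv4Address(".".join(octets)))
    except ipaddress.AddressValueError:
        return None                            # e.g. an octet above 255


def ptr_consistent(ip, hostname):
    """True when the PTR name encodes exactly the forward IP it was returned for."""
    return ip_from_ptr(hostname) == str(ipaddress.IPv4Address(ip))


# IP / reverse-name pairs as listed on this page.
RECORDS = [
    ("78.47.85.114", "static.114.85.47.78.clients.your-server.de"),
    ("78.47.85.121", "static.121.85.47.78.clients.your-server.de"),
    ("78.47.131.68", "static.68.131.47.78.clients.your-server.de"),
    ("88.198.156.226", "static.88-198-156-226.clients.your-server.de"),
    ("88.198.156.225", "static.88-198-156-225.clients.your-server.de"),
    ("91.93.104.178", "host-91-93-104-178.reverse.superonline.net"),
]


def check_records(records):
    """Map each IP to whether its PTR name is a consistent provider-generated name."""
    return {ip: ptr_consistent(ip, host) for ip, host in records}


if __name__ == "__main__":
    for ip, ok in check_records(RECORDS).items():
        print(ip, "generic PTR matches" if ok else "custom or mismatched PTR")
```

A `None` result from `ip_from_ptr` is not evidence of anything by itself; it only means the operator (or the hosting customer) set a reverse name by hand, which is the case worth recording alongside the WHOIS and passive-DNS data.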

VPN tunnels

The first reason many people use [VPN tunnels] is to encrypt a TCP/IP connection from an application to a server. Some applications, mainly ones based on a client/server protocol, need to connect to a database server to access their data. Using a tunnel is an excellent way to not only make the connection easier for the end user but also to secure the communications.

The second reason is that you want to encrypt all of your traffic leaving some location. A tunnel can be set up, by using a regular or transparent proxy, to transfer all of your Internet data via that tunnel.

Source: Make Use Of

91.93.104.178

  • Domain: host-91-93-104-178.reverse.superonline.net
  • Location: Istanbul, Turkey
  • ISPs: Teletek Network and Global Iletisim Hizmetleri
  • Created: 2006-08-24

Cover domains

According to a brief found on WikiLeaks, a cover domain is part of a network of other cover domains used to mask the IP of a target domain.

For example, if the owner of EXAMPLE.COM wanted WIKILEAKS.EXAMPLE.COM to be a cover domain, they would add a DNS A record (EXAMPLE A [IP ADDRESS]) to the zone file on a DNS server, a machine that does nothing more than translate domain names to IP addresses.

Source: WikiLeaks

playa-del-rio.com

  • IP address: 184.168.221.79; location: Scottsdale, United States; owner: GoDaddy.com, LLC; last seen on this IP: 2015-06-21
  • IP address: 78.47.85.114; location: Germany; owner: HETZNER-RZ-NBG-BLK5; last seen on this IP: 2014-07-05

viva-rio-engracado.com

  • IP address: 50.63.202.76; location: Scottsdale, United States; owner: GoDaddy.com, LLC; last seen on this IP: 2015-06-21
  • IP address: 78.47.131.68; location: Germany; owner: HETZNER-RZ-NBG-BLK5; last seen on this IP: 2014-05-17
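The two hosting histories above are the pivot that links the cover domains back to the VPS addresses: both domains sat on Hetzner addresses named in the HIVE document until 2014 and then moved to GoDaddy-owned addresses. The following is an added example, not code from the original post or from WikiLeaks; it treats the two tables as passive-DNS style records (the record layout is assumed, and one unrelated record is constructed so the pivot has something to exclude) and performs the correlation an analyst would do by hand: which document IPs each domain resolved to, and each domain's hosting timeline.

```python
from collections import defaultdict
from datetime import date

# Passive-DNS style records (domain, ip, owner, last_seen) taken from the two
# tables above. The layout is assumed for this added example; the final
# record is constructed as a decoy that should not match the document IPs.
PASSIVE_DNS = [
    ("playa-del-rio.com", "184.168.221.79", "GoDaddy.com, LLC", "2015-06-21"),
    ("playa-del-rio.com", "78.47.85.114", "HETZNER-RZ-NBG-BLK5", "2014-07-05"),
    ("viva-rio-engracado.com", "50.63.202.76", "GoDaddy.com, LLC", "2015-06-21"),
    ("viva-rio-engracado.com", "78.47.131.68", "HETZNER-RZ-NBG-BLK5", "2014-05-17"),
    ("unrelated-example.test", "203.0.113.9", "EXAMPLE-NET", "2016-01-01"),  # constructed decoy
]

# Addresses named in the HIVE document, as listed earlier on this page.
DOCUMENT_IPS = {
    "78.47.85.114", "78.47.85.121", "78.47.131.68",
    "88.198.156.226", "88.198.156.225", "91.93.104.178",
}


def pivot_by_ip(records, ips):
    """Map each document IP to the domains that resolved to it, with owner and last-seen date.
    IPs with no passive-DNS hit are simply absent from the result."""
    hits = defaultdict(list)
    for domain, ip, owner, last_seen in records:
        if ip in ips:
            hits[ip].append((domain, owner, date.fromisoformat(last_seen)))
    return dict(hits)


def hosting_timeline(records, domain):
    """Return a domain's IP history oldest-first as (last_seen, ip, owner) tuples,
    so a move from one hoster to another is visible at a glance."""
    rows = [
        (date.fromisoformat(last_seen), ip, owner)
        for d, ip, owner, last_seen in records
        if d == domain
    ]
    return sorted(rows)


def co_hosted_domains(records, ips):
    """Domains that at any point resolved to one of the given IPs: the candidate cover domains."""
    return sorted({d for d, ip, _, _ in records if ip in ips})


def unmatched_ips(records, ips):
    """Document IPs with no passive-DNS record in the data set, i.e. pivots still to be done."""
    seen = {ip for _, ip, _, _ in records}
    return sorted(ips - seen)


if __name__ == "__main__":
    for ip, domains in pivot_by_ip(PASSIVE_DNS, DOCUMENT_IPS).items():
        print(ip, "->", ", ".join(f"{d} ({o}, last seen {ls})" for d, o, ls in domains))
    for domain in co_hosted_domains(PASSIVE_DNS, DOCUMENT_IPS):
        print(domain, hosting_timeline(PASSIVE_DNS, domain))
    print("no passive-DNS data yet for:", unmatched_ips(PASSIVE_DNS, DOCUMENT_IPS))
```

`unmatched_ips` is the useful negative result: it lists the document addresses (here 78.47.85.121, 78.198.156.x and the Turkish address) for which this small data set gives no domain, which is exactly the "were other IP addresses connected to those same domains" question left open in the conclusion below.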

Conclusion

Let's then revisit the challenge questions to see what's been covered:

IP addresses

  • What domain names have the IP addresses in the document been connected to?
    • your-server.de
    • superonline.net
  • When were the IP addresses connected to those domain names?
    • your-server.de addresses: 2005-12-27 to present
    • 91.93.104.178: 2006-08-24 to present
  • Who registered any associated domain names?
    • Hetzner Online GmbH
    • Innovo Consulting SRL
    • Teletek Network
    • Global Iletisim Hizmetleri
  • Were other IP addresses connected to those same domains at any point?
  • Where were the CIA's VPS servers used in HIVE located/hosted?
    • Germany
    • Turkey

Domain names

  • Who registered these domain names and when?
    • GoDaddy, 2015
    • Hetzner Online GmbH, 2014
  • What IP addresses have been connected to the domain names in the document?
    • playa-del-rio.com
    • 78.47.85.114
    • 78.47.85.121
    • viva-rio-engracado.com
    • 78.47.131.65 (gateway)
    • 78.47.131.68
    • 88.198.156.226
    • 88.198.156.225 (gateway)
  • Is it possible to confirm that the IP addresses mentioned in the document were actually associated with the domain names that the document claims they were?

Trends/Connections

  • Are there any patterns or trends in how the CIA registers domain names or sets up servers? (registrars, hosts, timing, etc)
    • None were based in the U.S.
    • All appear to be at least 10 years old
  • What companies and people seem to be associated with these domain names and IP addresses?
    • VPS servers
    • Germany
    • Hetzner Online GmbH
    • Innovo Consulting SRL
    • VPN tunnels
    • Turkey
    • Teletek Network
    • Global Iletisim Hizmetleri
  • Are there any other interesting things you can find about these domain names and IP addresses?
    • According to Wayback Machine histories, several of the cover IPs have been flagged for sending spam
    • Different components are from different countries/locations
    • Seems perfect for hiding a CIA cyberattack

If you like my posts, I can be found on Medium as well! @RebelSkum

Submitted April 24, 2017 at 08:07PM by RebelliousSkoundrel
via reddit http://bit.ly/2pfTYzv
