What IP addresses does the CIA use?

President George W Bush visits CIA Headquarters, March 20, 2001.

Source: Quora

Answer: Kenneth G Hartman, CISSP, Security Guy & Student of Awesomeness. www.kennethghartman.com

Answered 1 May 2016

Many of the questions on Quora regarding IP addresses reveal a misunderstanding of exactly what an IP address is, so I will start with a brief discussion of that.  The analogy that I will use, is that an IP address is similar to a physical mailing address.  First off, public IP addresses must be globally unique.  If there is another mailing address that is exactly the same, how would the mail service know who the intended recipient of the letter is supposed to be?  Second of all, it is possible to put the wrong return address on an envelope and it will still get to its destination.  The only problem is that return mail will not get back to the sender. On the internet, packets with a spoofed IP address will not get back to the correct sender.

Websites have IP addresses, just like the local Walmart has a street address.  Typically these IP addresses do not change so that the site is easy to find.  In this regard, the websites and mail servers of the CIA are no different than Amazon.com—they actually want to be found!

In fact, every device on the Internet has an IP address or it cannot communicate.  Most of these addresses are assigned only temporarily, using “dynamic host configuration protocol” or DHCP.  The temporary assignment is called a “lease.”  The physical world analogy to this is renting a hotel room, in that you get an address for a period of time and most people do not know who is renting the room.  When you connect to your internet service provider (ISP) to access the internet, they will temporarily assign (lease) you one of their IP addresses from the block that they have obtained.  Internet Service providers and large companies will typically obtain a block of IP addresses to use for their public servers and network hardware such as firewalls and routers.

If you do a “nslookup” on cia.gov it looks like the CIA uses (as of the date this was written).  If you plug that IP address into https://isc.sans.edu/tools/whereis.html you can see that this IP address belongs to Akamai Technologies, Inc. out of Cambridge, Massachusetts.  Note that this address is without a doubt used for normal non-covert business purposes.  Any computer systems that would be used for covert activity on the Internet would not be able to be linked to the CIA.  It is easy to hide on the Internet because the CIA, just like any other business or individual, can obtain services from an ISP or cloud services provider anywhere in the world.

It is a common practice for the internet security threat intelligence teams that work for large companies (such as international banks) to host non-descript servers in the public cloud to study how they get attacked.  It is to be expected that the CIA would operate in the same manner, using a front company.

Another question on Quora asked, “What if my IP Address gets hacked?”  IP addresses do not get hacked, computers do.  Therefore, if someone’s computer gets hacked, the attacker can use that IP address for their nefarious purposes.  This is often the goal of malware, which will typically try to join the computer to a botnet.  I mention this for completeness, because one of the issues with cyberwar is the difficulty with attribution.  Just because the computer that is attacking you is from China or Russia, it doesn’t mean that it was an attacker from China or Russia.  That computer may be compromised or it could be rented from a cloud services provider in that country, but controlled remotely.

In summary, the CIA has certain IP addresses that are easy to identify.  These are for their public servers.  The IP addresses that they use for covert activity cannot be easily determined and are almost certainly changing all of the time as different needs arise.
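The answer above does two things by hand: it resolves a hostname to an address with nslookup, and it asks who owns that address (the SANS ISC "whereis" tool, which reported a CDN rather than the CIA). The script below is an added example, not part of the Quora answer, that automates the second step over a few constructed firewall log lines: each source address is checked against a table of owner ranges so that an analyst sees "this is a CDN edge" or "this is a rentable cloud VM" before reading anything into the address. The owner labels and the ranges (RFC 5737 documentation networks) are constructed for the example; real ownership data comes from a provider's published ranges or a WHOIS/RDAP lookup. The `resolve` helper is the nslookup equivalent and needs network access, so nothing calls it automatically.

```python
"""Map source IPs in a log to the block owner before drawing conclusions.

Added example (not from the Quora answer). The OWNER_RANGES table and
SAMPLE_LOG are constructed; the labels are hypothetical and the networks
are the RFC 5737 documentation ranges, not any real provider's blocks.
"""
import ipaddress
import re
import socket
from typing import Dict, List, Optional

# Constructed ownership table: network -> who the block is registered to.
# A CDN or cloud range tells you the provider, not the customer behind it.
OWNER_RANGES = {
    ipaddress.ip_network("192.0.2.0/24"): "example-cdn (shared edge, many customers)",
    ipaddress.ip_network("198.51.100.0/25"): "example-cloud (rentable VMs)",
    ipaddress.ip_network("203.0.113.0/24"): "example-isp (dynamic DHCP pool)",
}

# Constructed firewall-style log lines: timestamp, action, source IP, dest port.
# 198.51.100.200 is deliberately outside the /25 above; the last line is malformed.
SAMPLE_LOG = """\
2016-05-01T10:00:01Z DENY src=192.0.2.44 dport=22
2016-05-01T10:00:02Z DENY src=198.51.100.9 dport=22
2016-05-01T10:00:03Z DENY src=198.51.100.200 dport=3389
2016-05-01T10:00:04Z DENY src=203.0.113.77 dport=22
2016-05-01T10:00:05Z DENY src=203.0.113.77 dport=23
2016-05-01T10:00:06Z DENY src=not-an-ip dport=22
"""

SRC_RE = re.compile(r"\bsrc=(\S+)")


def classify_ip(ip_text: str) -> Optional[str]:
    """Return the owner label for an address, or None if it is unparseable
    or falls outside every known block (longest prefix wins on overlap)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best: Optional[str] = None
    best_len = -1
    for net, owner in OWNER_RANGES.items():
        if ip.version == net.version and ip in net and net.prefixlen > best_len:
            best, best_len = owner, net.prefixlen
    return best


def summarize(log_text: str) -> Dict[str, int]:
    """Count log lines per owner label; lines whose source cannot be
    attributed to a known block are counted under "unknown"."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        label = classify_ip(m.group(1)) or "unknown"
        counts[label] = counts.get(label, 0) + 1
    return counts


def resolve(hostname: str) -> List[str]:
    """nslookup equivalent: all A/AAAA addresses for a name. Needs network,
    so this is only run from the __main__ block, never on import."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for owner, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {owner}")
    try:
        print("cia.gov ->", resolve("cia.gov"))  # only works with DNS access
    except socket.gaierror as exc:
        print("resolve skipped (no DNS):", exc)
```

Running it prints one line per owner label; the two hits on 203.0.113.77 land in the "dynamic DHCP pool" bucket, which is the answer's hotel-room point in code: that address identifies an ISP lease, and whoever holds it today may not hold it tomorrow. The cloud and CDN buckets carry the attribution caveat from the answer: the block is registered to a provider that rents capacity to anyone, so the country or company on the registration says little about who is driving the traffic.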
