How the CIA failed Iranian informants in its secret war with Tehran

    The spy was minutes from leaving Iran when he was nabbed.

    Gholamreza Hosseini was at Imam Khomeini Airport in Tehran in late 2010, preparing for a flight to Bangkok. There, the Iranian industrial engineer would meet his Central Intelligence Agency handlers. But before he could pay his exit tax to leave the country, the airport ATM machine rejected his card as invalid. Moments later, a security officer asked to see Hosseini’s passport before escorting him away.

    Hosseini said he was brought to an empty VIP lounge and told to sit on a couch that had been turned to face a wall. Left alone for a dizzying few moments and not seeing any security cameras, Hosseini thrust his hand into his trouser pocket, fishing out a memory card full of state secrets that could now get him hanged. He shoved the card into his mouth, chewed it to pieces and swallowed.

    Not long after, Ministry of Intelligence agents entered the room and the interrogation began, punctuated by beatings, Hosseini recounted. His denials and the destruction of the data were worthless; they seemed to know everything already. But how?

    “These are things I never told anyone in the world,” Hosseini told Reuters. As his mind raced, Hosseini even wondered whether the CIA itself had sold him out.

    Iranian engineer Gholamreza Hosseini spent nearly a decade in a Tehran prison following his conviction for spying for the U.S. Central Intelligence Agency (CIA). He said the agency abandoned him following his 2010 arrest. Handout via REUTERS

    Rather than betrayal, Hosseini was the victim of CIA negligence, a year-long Reuters investigation into the agency’s handling of its informants found. A faulty CIA covert communications system made it easy for Iranian intelligence to identify and capture him. Jailed for nearly a decade and speaking out for the first time, Hosseini said he never heard from the agency again, even after he was released in 2019.

    The CIA declined to comment on Hosseini’s account.

    Hosseini’s experience of sloppy handling and abandonment was not unique. In interviews with six Iranian former CIA informants, Reuters found that the agency was careless in other ways amid its intense drive to gather intelligence in Iran, putting in peril those risking their lives to help the United States.

    One informant said the CIA instructed him to make his information drops in Turkey at a location the agency knew was under surveillance by Iran. Another man, a former government worker who traveled to Abu Dhabi to seek a U.S. visa, claims a CIA officer there tried unsuccessfully to push him into spying for the United States, leading to his arrest when he returned to Iran.

    Such aggressive steps by the CIA sometimes put average Iranians in danger with little prospect of gaining critical intelligence. When these men were caught, the agency provided no assistance to the informants or their families, even years later, the six Iranians said.

    James Olson, former chief of CIA counterintelligence, said he was unaware of these specific cases. But he said any unnecessary compromise of sources by the agency would represent both a professional and ethical failure.

    “If we’re careless, if we’re reckless and we’ve been penetrated, then shame on us,” Olson said. “If people paid the price of trusting us enough to share information and they paid a penalty, then we have failed morally.”

    The men were jailed as part of an aggressive counterintelligence purge by Iran that began in 2009, a campaign partly enabled by a series of CIA blunders, according to news reports and three former U.S. national security officials. Tehran has claimed in state media reports that its mole hunt ultimately netted dozens of CIA informants.

    To tell this story, Reuters conducted dozens of hours of interviews with the six Iranians who were convicted of espionage by their government between 2009 and 2015.

    To vet their accounts, Reuters interviewed 10 former U.S. intelligence officials with knowledge of Iran operations; reviewed Iranian government records and news reports; and interviewed people who knew the spies.

    None of the former or current U.S. officials who spoke with Reuters confirmed or disclosed the identities of any CIA sources.

    The CIA declined to comment specifically on Reuters’ findings or on the intelligence agency’s operations in Iran. A spokeswoman said the CIA does its utmost to safeguard people who work with the agency.

    Iran's Ministry of Foreign Affairs and its Mission to the United Nations in New York did not respond to requests for comment.

    Hosseini was the only one of the six men Reuters interviewed who said he was assigned the vulnerable messaging tool. But an analysis by two independent cybersecurity specialists found that the now-defunct covert online communication system that Hosseini used – located by Reuters in an internet archive – may have exposed at least 20 other Iranian spies and potentially hundreds of other informants operating in other countries around the world.

    This messaging platform, which operated until 2013, was hidden within rudimentary news and hobby websites where spies could go to connect with the CIA. Reuters confirmed its existence with four former U.S. officials.

    These failures continue to haunt the agency years later. In a series of internal cables last year, CIA leadership warned that it had lost most of its network of spies in Iran and that sloppy tradecraft continues to endanger the agency’s mission worldwide, the New York Times reported.

    “This is a very serious, very serious intelligence goal to penetrate Iran’s nuclear weapons program. You don’t get a much higher priority than that.”James Lawler, a former CIA officer whose focus included weapons of mass destruction and Iran

    The CIA considers Iran one of its most difficult targets. Ever since Iranian students seized the American embassy in Tehran in 1979, the United States has had no diplomatic presence in the country. CIA officers are instead forced to recruit potential agents outside Iran or through online connections. The thin local presence leaves U.S. intelligence at a disadvantage amid events such as the protests now sweeping Iran over the death of a woman arrested for violating the country’s religious dress code.

    Four former intelligence officers interviewed by Reuters said the agency is willing to take bigger risks with sources when it comes to spying on Iran. Curbing the Islamic Republic’s nuclear ambitions has long been a priority in Washington. Tehran insists its nuclear efforts are solely for energy needs.

    “This is a very serious, very serious intelligence goal to penetrate Iran’s nuclear weapons program. You don’t get a much higher priority than that,” said James Lawler, a former CIA officer whose focus included weapons of mass destruction and Iran. “So when they do the risk-versus-gain analysis, you’ve got to consider the incredible amount of gain.”

    Much has been written about the decades-long shadow war between Iran and Washington, in which both sides have avoided a full military confrontation but have carried out sabotage, assassinations and cyberattacks. But the six informants, interviewed by Reuters for the first time, gave an unprecedented firsthand account of the deadly spy game from the perspective of Iranians who served as CIA foot soldiers.

    The six Iranians served prison terms ranging from five to 10 years. Four of them, including Hosseini, stayed in Iran after their release and remain vulnerable to rearrest. Two fled the country and have become stateless refugees.

    The six men acknowledged that their CIA handlers never made firm promises to help if they were caught. Still, all had believed that U.S. assistance would one day come.

    The espionage busts could pose a challenge to the CIA’s credibility as it seeks to rebuild its spy network in Iran. The country’s state media publicized some of these cases, portraying the agency as feckless and inept.

    “It’s a stain on the U.S. government,” Hosseini told Reuters.

    CIA spokeswoman Tammy Kupperman Thorp declined to comment on Hosseini, the cases of other captured Iranians or any aspect of how the agency conducts operations. But she said the CIA would never be careless with the lives of those who help the agency.

    “CIA takes its obligations to protect the people that work with us very seriously and we know that many do so bravely at great personal risk,” Thorpe said. “The notion that CIA would not work as hard as possible to safeguard them is false.”

    The CIA says it does its utmost to safeguard people who assist the agency. A Reuters investigation found that the CIA was often careless in protecting lower-level sources in Iran. REUTERS/Larry Downing

    An angry volunteer

    Hosseini’s leap to espionage came after he had climbed a steep path to a lucrative career. The son of a tailor, he grew up in Tehran and learned lathing and auto mechanics, he said, showing Reuters his trade-school diploma.

    Along the way, teachers spotted Hosseini’s intelligence and pushed him to study industrial engineering at the prestigious Amirkabir University of Technology, he said. Hosseini said a professor there put him in touch with a former student with ties to the Iranian government who eventually became his business partner.

    Founded in 2001, their engineering company provided services to help businesses optimize energy consumption. The firm at first worked mainly with food and steel factories, Hosseini said, over time scoring contracts with Iran’s energy and defense industries. Hosseini’s account of his professional background is confirmed in corporate records, Iranian media accounts and interviews with six associates.

    Hosseini said the company’s success made his family affluent, allowing him to buy a large house, drive imported cars and go on foreign vacations. But in the years after the election of President Mahmoud Ahmadinejad, who served from 2005 to 2013, his business teetered.

    Gholamreza Hosseini in 2005 at the University of Tehran Science and Technology Park. The engineer said he later supplied information about two important Iranian nuclear sites to the CIA. Handout via REUTERS

    Under Ahmadinejad, a hardliner aligned with the country’s theocratic ruler, Iran’s security forces were encouraged to enter the industrial sector, increasing the military’s control over lucrative commercial projects. Established companies often found themselves relegated to the role of subcontractors for these newcomers, Iranian democracy activists said, shrinking their slice of the pie.

    Before long, Hosseini said, all of his new contracts had to be routed through some of these firms, forcing him to lay off workers as earnings tumbled.

    “They didn’t know how to do the work, but they took the lion’s share of the profits,” said Hosseini, his voice rising as he recounted the events a decade later. “It was as if you were the head of the company, doing everything from 0 to 100, and seeing your salary being given to the most junior employees. I felt raped.”

    At the same time, U.S. rhetoric was ramping up against Ahmadinejad. Washington viewed Iran’s president as a dangerous provocateur set on building nuclear weapons. Hosseini began to feel that his life was being destroyed by a corrupt system, and that the government was too erratic to be allowed to obtain nukes. His anger grew.

    One day in 2007, he said he opened the CIA public website and clicked the link to contact the agency: “I’m an engineer who has worked at the nuclear site Natanz and I have information,” he wrote in Persian.

    Located 200 miles south of Tehran, Natanz is a major facility for uranium enrichment. Archived web records from Hosseini’s engineering firm from 2007 say the company worked on civilian electrical power projects. Reuters could not independently confirm Hosseini’s work at Natanz.

    A month later, to his surprise, Hosseini said he received an email back from the CIA.

    Part of the team?

    Three months after that contact, Hosseini said he flew to Dubai. At the fashionable shopping market Souk Madinat Jumeirah, he looked for a blonde woman holding a black book. He was standing outside the restaurant where they had agreed to meet, when she arrived accompanied by a man.

    The restaurant manager guided them to a table secluded in a corner. The woman introduced herself only as Chris, speaking in English while her colleague translated in Persian. As she sipped a glass of champagne, Chris told him they were the people Hosseini had been exchanging messages with over the past few months in Google’s chat platform. She asked Hosseini about his work.

    Hosseini said he explained that his company had several years earlier worked on contracts to optimize the flow of electricity at the Natanz site, a complex balancing act to keep centrifuges spinning at precisely the speed needed to enrich uranium. Located in central Iran, Natanz was the heart of Tehran’s nuclear program, which the government said was to produce civilian electricity. But Washington saw Natanz as the core of Iran’s push to acquire nuclear weapons.

    Hosseini told Chris his firm was a subcontractor of Kalaye Electric, a company sanctioned in 2007 by the U.S. government over its alleged role in Iran’s nuclear development program. He added that he was seeking additional contracts at other sensitive nuclear and military sites.

    Kalaye Electric did not respond to requests for comment.

    The next day the three met again, this time at Hosseini’s hotel room overlooking the Gulf. Hosseini unfurled a maze-like map across the desk showing the electricity connected to the Natanz nuclear facility. As he did, Chris’s mouth dropped open wide, Hosseini recalled.

    While several years old, Hosseini explained, the map’s notations of the amount of power flowing into the facility provided Washington a baseline to estimate the number of centrifuges currently active. That evidence, he believed, could be used to assess progress toward processing the highly enriched uranium needed for a nuclear weapon.

    Hosseini said he didn’t know it at the time, but Natanz was already in the crosshairs of U.S. authorities. That same year, Washington and Israel launched a cyberweapon that would sabotage those very centrifuges, infecting them with a virus that would cripple uranium enrichment at Natanz for years to come, security analysts concluded. Reuters could not determine whether the information provided by Hosseini assisted in that cyber sabotage or other operations.

    Iran’s then-President Mahmoud Ahmadinejad on a 2008 visit to the Natanz nuclear enrichment facility in central Iran. REUTERS/Presidential official website/Handout (IRAN)

    In subsequent meetings, Hosseini said, the CIA asked him to turn his attention to a broader U.S. goal: identifying possible critical points in Iran’s national electric grid that would cause long and paralyzing blackouts if struck by a missile or saboteurs.

    Hosseini said he continued to meet with the CIA in Thailand and Malaysia, in a total of seven meetings over three years. To show evidence of his travels, Hosseini provided photographs of entry stamps in his passport for all but his first two trips, for which he said he had used an older, now discarded, passport.

    As the relationship progressed, Hosseini said, Chris was replaced with a male handler who was accompanied by officials described as more senior in the CIA’s Iran operations, as well as technical experts able to keep up with his engineering jargon.

    The new role motivated Hosseini, injecting his work with a sense of urgency and purpose. He scrambled to win business that would give him greater access to the intelligence the CIA sought. He said his company secured a contract with a unit of Setad, the sprawling business conglomerate controlled by Iran’s Supreme Leader Ayatollah Ali Khamenei, to assess the electrical needs of a giant shopping and commercial building project in the north of Tehran.

    Iranians walk on a promenade in northern Tehran late last year. The United States and Iran severed diplomatic ties more than 40 years ago. Relations between the two nations remain strained. Majid Asgaripour/WANA (West Asia News Agency) via REUTERS

    Representing the supreme leader’s commercial organization, Hosseini pushed the state power company Tavanir for the electricity the sprawling development required, Hosseini said. When Tavanir said it didn’t have enough electricity to meet the project’s giant demands, Hosseini asked the company to provide in-depth analyses of the national grid. This allowed him access to maps showing how electricity flowed to nuclear and military sites and how critical points of the network could be sabotaged.

    Setad and Tavanir did not respond to requests for comment.

    In August 2008, a year after becoming a spy, Hosseini said he met with an older, broad-shouldered CIA officer and others at a hotel in Dubai.

    Gholamreza Hosseini says a CIA officer purchased this stuffed bear for his daughter as a birthday gift.

    “We need to expand the commitment,” Hosseini recounted the officer saying. The officer handed Hosseini a piece of paper and asked him to write a promise that he would not provide the information he was sharing to another government, a CIA practice intended to deepen a feeling of commitment from an informant, two former CIA officials said.

    Another CIA officer in the meeting then showed Hosseini a covert communications system he could use to reach his handlers: a rudimentary Persian-language soccer news website called Iraniangoals.com. Entering a password into the search bar caused a secret messaging window to pop up, allowing Hosseini to send information and receive instructions from the CIA.

    When Hosseini lamented missing his daughter’s third birthday during one of the trips, he said a CIA officer bought him a teddy bear to give to the child. “I felt that I had joined the team,” Hosseini told Reuters.

    Secret system breakdown

    What Hosseini didn’t know was that the world’s most powerful intelligence agency had given him a tool that likely led to his capture. In 2018, Yahoo News reported that a flawed web-based covert communications system had led to the arrest and execution of dozens of CIA informants in Iran and China.

    Reuters located the secret CIA communications site identified by Hosseini, Iraniangoals.com, in an internet archive where it remains publicly available. Reuters then asked two independent cyber analysts – Bill Marczak of University of Toronto’s Citizen Lab, and Zach Edwards of Victory Medium – to probe how Iran may have used weaknesses in the CIA’s own technology to unmask Hosseini and other CIA informants. The two are experts on privacy and cybersecurity, with experience analyzing electronic intelligence operations. The effort represents the first independent technical analysis of the intelligence failure.

    Iraniangoals.com looked like a site for sports fans.

    But what looked like a search bar was actually a password field.

    In fact, the HTML code for the searchbar contains the word “password.”

    Typing a password into the search bar triggered a login process.

    A successful login would open access to a hidden messaging interface for corresponding with the CIA.

    Marczak and Edwards quickly discovered that the secret messaging window hidden inside Iraniangoals.com could be spotted by simply right-clicking on the page to bring up the website’s coding. This code contained descriptions of secret functions, including the words “message” and “compose” – easily found clues that a messaging capability had been built into the site. The coding for the search bar that triggered the secret messaging software was labeled “password.”

    Far from being customized, high-end spycraft, Iraniangoals.com was one of hundreds of websites mass-produced by the CIA to give to its sources, the independent analysts concluded. These rudimentary sites were devoted to topics such as beauty, fitness and entertainment, among them a Star Wars fan page and another for the late American talk show host Johnny Carson.

    Each fake website was assigned to only one spy in order to limit exposure of the entire network in case any single agent was captured, two former CIA officials told Reuters.

    But the CIA made identifying those sites easy, the independent analysts said. Marczak located more than 350 websites containing the same secret messaging system, all of which have been offline for at least nine years and archived. Edwards confirmed his findings and methodology. Online records they analyzed reveal the hosting space for these front websites was often purchased in bulk by the dozen, often from the same internet providers, on the same server space. The result was that numerical identifiers, or IP addresses, for many of these websites were sequential, much like houses on the same street.

    “The CIA really failed with this,” said Marczak, the Citizen Lab researcher. The covert messaging system, he said, “stuck out like a sore thumb.”

    In addition, some sites bore strikingly similar names. For example, while Hosseini was communicating with the CIA through Iraniangoals.com, a site named Iraniangoalkicks.com was built for another informant. At least two dozen of the 350-plus sites produced by the CIA appeared to be messaging platforms for Iranian operatives, the analysts found.

    All told, these features meant the discovery of a single spy using one of these websites would have allowed Iranian intelligence to uncover additional pages used by other CIA informants. Once those sites were identified, nabbing the operatives using them would have been simple: The Iranians just had to wait and see who showed up. In essence, the CIA used the same row of bushes for its informants worldwide. Any attentive espionage rival would have been able to spot them all, the analysts said.

    This vulnerability went far beyond Iran. Written in various languages, the websites appeared to be a conduit for CIA communications with operatives in at least 20 countries, among them China, Brazil, Russia, Thailand and Ghana, the analysts found.

    CIA spokeswoman Thorp declined to comment on the system.

    Reuters confirmed the nature of the intelligence failure of the CIA’s cookie-cutter websites with three former national security officials.

    The agency wasn’t fully aware that this system had been compromised until 2013, after many of its agents began to go missing, according to the former U.S. officials.

    Still, the CIA had never considered the network safe enough for its most prized sources. Top-tier informants receive custom-made covert communications tools, built from scratch at agency headquarters in Langley, Virginia, to seamlessly blend into the life of a spy without drawing attention, three former CIA officers said.

    The mass-produced sites, they said, were for sources who were either not considered fully vetted or had limited, albeit potentially valuable, access to state secrets.

    “This is for a person viewed as not worth the investment of advanced tradecraft,” one of the former CIA officials said.

    The CIA declined to comment on the covert communications system and the intelligence failure.

    SOURCE

    Donate to support Ujasusi Blog, click photo below

    Screenshot--43-
    Evarist Chahali

    Evarist Chahali

    Read more posts by this author.