CIA Codewords and Abbreviations

(Updated: May 20, 2021)

Below are listings of codewords, cryptonyms and abbreviations used by the Central Intelligence Agency (CIA), especially related to its involvement in the collection of signals intelligence and its cyber operations. Older CIA codewords can be found on Wikipedia and on this list.

Similar lists are available on this website for
NSA, GCHQ and BND. See also the lists of abbreviations of SIGINT and COMSEC, and general telephony and internet terms.

Please keep in mind that a listing like this will always be work in progress!


Codewords related to Crypto AG

(Between 1970 and 2018, the CIA secretly owned the Swiss manufacturer of encryption equipment Crypto AG, until 1994 in a 50/50 partnership with German BND)

ALTER - Cryptonym for the chief of Research & Development at Crypto AG (1981) *
ATHENA - Cryptonym for Kjell-Ove "Henry" Widman, the principal crypto-mathematician of Crypto AG (1980-1995) *
AURORA - Cryptonym for InfoGuard, a Swiss company that became a joint venture between Crypto AG and Ascom in 1989 *

BALL - Cryptonym for Sture Nyberg, CEO of Crypto AG (1970-1975) *
BLOCK - Cryptonym for Heinz Wagner, CEO of Crypto AG (1976-1989) *
BUTCHER - Cryptonym for Gerrit Brussaard, who in 1978 was briefly head of R&D of Crypto AG *

CLAPPER - Cryptonym for Kurt Kirchhofer, in 1978 head of R&D, later sales manager at Crypto AG *

EOS - Cryptonym for the CIA in relation to Crypto AG *

FIDELIO - Cryptonym for Deutsche Treuhand Gesellschaft (DTG), the accounting firm involved in the purchase of Crypto AG *

GAMMA - Cryptonym for the German intelligence service BND in relation to Crypto AG *
GOLF - Cryptonym for AEH, the holding company that owned Crypto AG *

HOCKEY - Cryptonym for the NSA in relation to the Crypto AG operation *
HYDRA - Cryptonym for Hans Buehler, a salesman for Crypto AG *

METAL - Cryptonym for a BND officer involved in the Crypto AG operation *
MINERVA - Cryptonym for the Swiss manufacturer of encryption devices Crypto AG, which was purchased by CIA and BND in 1970 under operation THESAURUS *

NAVAHO - Cryptonym for Motorola in relation to Crypto AG *

OLYMPIA - Cryptonym for the German company Siemens in relation to Crypto AG *

QUINCE - Cryptonym for Switzerland in relation to Crypto AG *

REX - Cryptonym for Sigmar Horst-Joachim "Mickie" Grützmann, chief of Research & Development of Crypto AG (1978-1980) *
RUBICON - Code name for the joint CIA-BND project to secretly run the Swiss manufacturer of encryption devices Crypto AG (cryptonym: MINERVA). Before 1987 codenamed THESAURUS.*

SIEGFRIED - Cryptonym for Oscar Stuerzinger, technical director of Crypto AG *
SIGMA - Cryptonym for the German cryptologic service ZfCh in relation to Crypto AG *
SOCRATES - Cryptonym for a CIA fiduciary involved in the Crypto AG operation *
SPARTAN - Secret licensing agreement between the CIA and Boris Hagelin, owner of Crypto AG (1960-1970) *

THESAURUS - Code name for the joint CIA-BND project to buy (in 1970) and secretly run the Swiss manufacturer of encryption devices Crypto AG (cryptonym: MINERVA). In 1987 renamed into RUBICON.*
THRAN - Cryptonym for Transvertex *
TIGER - Cryptonym for Gretag, a Swiss competitor of Crypto AG *


Vault 7 and Vault 8 codewords

(From March to September 2017 Wikileaks published user guides and other documents (Vault 7) and in November 2017 also the source code (Vault 8) of CIA hacking tools)

Achilles - Capability to trojan an OS X disk image (.dmg) installer with one or more desired operator specified executables for a one-time execution; part of the Imperial project.
Aeris - Automated implant written in C that supports a number of POSIX-based systems; part of the Imperial project.
AfterMidnight - Framework that allows dynamically loading and executing malware payloads on a target computer.
Angelfire - Persistent framework that loads and executes custom implants on target computers running Windows XP or Win7; comprised of five components: Solartime, Wolfcreek, Keystone (previously MagicWand), BadMFS, and the Windows Transitory File system.
Archimedes - Tool used to attack a computer inside a Local Area Network (LAN).
Assassin - Automated implant that provides a simple collection platform on remote Windows computers.
Athena - Provides remote beacon and loader capabilities on target computers using Window XP to Windows 10.

BothanSpy - Implant that targets the SSH client program Xshell and steals user credentials for all active SSH sessions.
Broken Promise - Postprocessor to evaluate colelcted information; part of Brutal Kangaroo
Brutal Kangaroo - tool suite for Microsoft Windows that targets closed networks by air gap jumping using thumbdrives.

CherryBlossom - Tool for monitoring the internet activity of and performing software exploits on targets of interest.
CherryTree - Command and Control server for contacting the FlyTrap beacon
CherryWeb - Browser=based user interface to monitor the status of FlyTrap devices
CouchPotato - Remote tool for collection against RTSP/H.264 video streams.

Dark Mallet - Infector for the Triton MacOSX malware
Dark Matter - Projects that infect Apple Mac firmware, persisting evenwhen the operating system is re-installed.
DarkSeaSkies - An implant that persists in the EFI firmware of an Appple MacBook Air computer.
DerStarke - EFI persistent version of the Triton MacOSX (or Dark Mallet) malware.
Drifting Deadline - Thumbdrive infection tool; part of Brutal Kangaroo
Dumbo - Capability to suspend processes utilizing webcams and corrupt any video recordings that could compromise a physical access operation.

ELSA - Geo-location malware for WiFi-enabled devices like laptops running the Micorosoft Windows operating system
ExpressLane - Covert information collection tool used by the CIA to secretly exfiltrate data collections from systems provided to liaison services.

FlyTrap - A wireless device compromized by CherryBlossom

Grasshopper - Platform used to build customized malware payloads for Microsoft Windows systems.
Gyrfalcon - Implant that targets the OpenSSH client on Linux platforms to steal user credentials of active SSH sessions and collect full or partial OpenSSH session traffic

HighRise - Redirector function for SMS messaging that could be used by IOC tools that use SMS messages for communication between implants and listening posts
Hive - Back-end infrastructure malware used by CIA implants to transfer exfiltrated information from target computers to the CIA.

Imperial - Hacking project consisting of the Achilles, Aeris and Seapea components

Marble Framework - Used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.

NightSkies - A beacon/loader/implant tool for the Apple iPhone.

OutlawCountry - Malware that allows for the redirection of all outbound network traffic on a target computer

Pandemic - A persistant implant for Microsoft Windows machines that share files or program with remote users in a local network.
Protego - PIC-based missile control system developed by Raytheon

Scribbles - A document-watermarking preprocessing system to embed "web beacon"-style tags into documents that are likely to be copied by insiders, whistleblowers, journalists or others.
SeaPea - OS X Rootkit that provides stealth and tool launching capabilities; part of the Imperial project
Shadow - Primary persistence mechanism for Brutal Kangaroo.
Shattered Assurance - Server tool that handles automated infection of thumbdrives; part of Brutal Kangaroo.
Sonic Screwdriver - A mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting.

Triton - MacOSX malware

Weeping Angel - An implant designed for Samsung F series smart televisions.


Some other CIA codewords

APPLESAUCE - CIA station on Cyprus (1950s)
AQUATONE - Cryptonym for the development of the Lockheed U-2 spy plane

CHAOS - CIA domestic spying operation (1967-1973)
CONDOR - Operation in which the secret services of Argentina, Chile, Uruguay, Paraguay, Bolivia and Brazil, backed by the CIA, cooperated to suppress left-wing opposition movements and assassinate their leaders (1968–1989)
CONQUERER - NSA ECI compartment for joint NSA-CIA clandestine radio frequency operations (since 2003) *
CRISSCROSS - Database of telecommunications selectors, operated by the CIA and also used by DOJ, DOD and NSA

EASYCHAIR (EC) - CIA research project for developing resonant cavity covert listening devices (1954-1967)

GLOTAIC - Joint BND-CIA operation to acquire foreign telephone communications from the German subsidiary of MCI (2005) *
GOLD - Joint SIS-CIA operation to wiretap Soviet army landlines through a tunnel under Berlin (1953-1956; British codename: STOPWATCH)
Gray Magic - Secure e-mail system to communicate with private contractors *
GREYSTONE (GST) - CIA's highly secret rendition and interrogation programs (since 2001) *

HERCULES - CIA terrorism database
HYDRA - Program to secretly access databases maintained by foreign countries and extract data to add to US watchlists *

IVY BELLS - NSA, CIA and US Navy operation to place wire taps on Soviet underwater communication cables (1970s-1980s)

KLAMATH (KLM) - Classification control system which in 2003 included the NSA ECI compartments CONQUERER, LYSERGIC and WASHBURN *

OXCART - Code word for the development of the Lockheed A-12 reconnaissance aircraft and for the plane itself (since 1958)

PISCES - Joint NSA, CIA and State Department program collecting biometric data on border crossings from a wide range of countries *
PROTON - Storage and analysis system for the CRISSCROSS database of (telephony?) metadata of (counterintelligence) targets; operated by CIA and used by DOJ, DOD and NSA *
PSALM - Defunct Top Secret control system for intelligence related to the Cuban missile crisis (October 1962) *

QUANTUM LEAP - CIA tool to "find non-obvious linkages, new connections, and new information" from within a dataset *

RAINFALL - The joint CIA/NSA/DSD satellite ground station Pine Gap, Australia (F78) *
RAMPART-T (RAM-T) - Program providing access to land-based cables, in cooperation with the NSA, to collect communications from state leaders and their entourage (since 1991)*
ROCKING CHAIR (RC) - Dutch research program on behalf of the CIA for developing a telephone line bug (1960s) *

SHENANIGANS - Aircraft-based NSA geolocation system used by CIA (ca. 2013) *

TRIGON - Codename for Soviet diplomat and CIA agent Alexander Ogorodnik *

ULTIMATE - CIA operation sending weather balloons into Eastern Europe in order to map Soviet defense radar activity (1950s) *
UMBRAGE - Unit of the Remote Development Branch (RDB) that stockpiled hacking techniques from other hackers (before 2017)

VICTORYDANCE - Joint NSA-CIA operation to map WiFi fingerprints of nearly every major town in Yemen (ca. 2013) *

WASHBURN - NSA ECI compartment for an NSA-CIA CLANSIG effort to exploit a source in a Middle Eastern location (since 2003) *



AED - Applied Engineering Division (part of the EDG)
AIB - Automated Implants Branch (part of the AED)

BTTP - Basic Telecommunications Training Program

CAG - Crypto AG (Swiss crypto manufacturer purchased by CIA and BND in 1970)
CCI - Center for Cyber Intelligence (CIA hacking division, part of the DDI)
CIB - ? (part of the NOD)
CICM - Counterintelligence Mission Center
CIG - Central Intelligence Group (1946-1947)
CINEMA - CIA Information NEeds MAnagement (database)
CLANSIG - Clandestine Signals (joint NSA/CIA interception program) *
CMO - Collection Management Officers
CNB - Closed Network Branch (part of the ESD)
CO - Case Officer
CoB - Chief of Base
COG - Computer Operations Group (part of the CCI)
CoS - Chief of Station
CRD - ? (sub-compartment of HCS-P)
CREST - CIA Records Search Tool
CRT - Computer Research Team (part of the NOD)
CRU - ? (classification control system which includes GREYSTONE)
CTC - CIA CounterTerrorism Center
CTC/SO - CTC Special Operations

DA - Directorate of Analysis
DCI - Director of Central Intelligence (1946-2005)
D/CIA - Director of the Central Intelligence Agency (since 2005)
DDI - Directorate of Digital Innovation (CIA cyber division)
DDO - Deputy Director for Operations
DevLAN - Developers Local Area Network (internal computer system from which the Vault7 hacking tools were stolen)
DI - Directorate of Intelligence
DO - Directorate of Operations (Clandestine Service)
DS - Directorate of Support
DS&T - Directorate of Science & Technology

ECI - Exceptionally Controlled Information
EDB - Embedded Devices Branch (part of the AED)
EDG - Engineering Development Group (part of the CCI)
ESD - ? (part of the EDG)
ETB - ? (part of the ETB)

FINO - ? (part of the CCI)
FIO - ? (part of the CCI)
FSG - Field Service Group

GB - ? (part of the OED)

HCS - HUMINT Control System
HCS-O - HUMINT Control System-Operations
HCS-P - HUMINT Control System-Product
HUMINT - Human Intelligence

IB - Infrastructure Branch (part of the SED)
ICE - ? (part of the COG)
IOC - Information Operations Center
IVV - Independent Verification & Validation (part of the SED)

JIS - Joint Issues Staff (CIA liaison offices in foreign countries)

KLM - KLAMATH (see codewords listing)

MDB - Mobile Development Branch (part of the AED)
MRB - Mission Requirements Branch (part of the OED)

NCS - National Clandestine Service (2005-2015)
NDB - Network Devices Branch (part of the SED)
NEA - ? (part of the COG)
NEB - ? (part of the NOD)
NHB - New Headquarters Building (opened in 1991)
NOC - Non-Official Cover (for CIA operatives)
NOD - Network Operations Division (part of COG)
NRT - Network Research Team (part of the NOD)

OED - ? (part of the OTR)
OHB - Old Headquarters Building (opened in 1961)
OO - Operations Officers
OS - Office of Security
OSB - Operational Support Branch (part of the AED)
OSD - ? (part of the COG)
OSE - Open Source Enterprise (part of the DDI)
OSS - Office of Strategic Services (1942-1945)
OTR - Office of Technical Readiness (part of the DST)

P6 - Project 6 (joint BND, BfV and CIA anti-terrorism unit, stationed in Neuss, Germany; 2005-2010)*
PAG - Physical Access Group (part of the CCI)
PAG - Political Action Group (part of SAC)
PX - ? (database supporting the joint BND, BfV and CIA anti-terrorism unit Project 6)*

RDB - Remote Development Branch (part of the AED)

SAC- Special Activities Center (since 2016)
SAD- Special Activities Division (prior to 2016)
SCS - Special Collection Service (joint NSA-CIA unit)
SDB - Software Development Branch (part of the ESD)
SED - ? (part of the EDG)
SIB - Special Investigations Branch (part of OS)
SOG - Special Operations Group (part of SAC)
SOO - Staff Operations Officers
SPO - Special Police Officer
SRD - Special Requirements Division
SSO - Specialized Skills Officers

TAC - Technical Advisory Council (part of the EDG)
TISO - Technical Information Security Officer
TOB - ? (part of the NEA)
TOE - ? (part of the ICE)

UCL - UMBRAGE Component Library

WGB - Wireless Geolocation Branch (part of the ESD)
WTC - Warrington Training Center

X-2 - Counter Espionage Branch (1943-1945)


Organizational chart

Wikileaks has a partial organizational chart of the CIA, which provides a rough outline of its internal organization. It's a reconstruction and can also be subject to changes due to internal reorganizations. A chart of the National Clandestine Service (now Directorate of Operations) can be found here.

Links and Sources
- Internal report of the CIA's Wikileaks Task Force
- About How Codes Names Are Assigned
- Wikipedia article about the CIA cryptonym
- Article about Security Clearances and Classifications
- William M. Arkin, Code Names, Deciphering U.S. Military Plans, Programs, and Operations in the 9/11 World, Steerforth Press, 2005.


PLVS VLTRA said...

you're missing 30 clearances and the CIA Spartan Agency.

PLVS VLTRA said...

The Spartan Agency is the same as the Ahnenerbe

dxv515 said...

update all your links.....