Yesterday I posted a “short take” about a secret communications channel between two servers, one at the Russian Alfa Bank and one at the Trump Organization. Today I’m going to post more about the communications and put this Russian Connection in the larger context of alleged Russian attempts to influence our election.
Ping! The secret link between Russia and the Trump Tower.
Franklin Foer (slate.com) asks Was a Trump Server Communicating With Russia? (h/t AZBlueMeanie at Blog for Arizona) Foer reviews the cyber-security evidence. This spring, a group of computer scientists set out to determine whether hackers were interfering with the Trump campaign. They found something they weren’t expecting.
The computer scientists discovered a pattern of internet traffic between a server registered to the Russian Alfa Bank and a server registered to the Trump Organization. Various cyber-security experts evaluated the pattern of communications. (Note that the contents of the communications were not available - just the metadata.)
The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation—conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.
The researchers had initially stumbled in their diagnosis because of the odd configuration of Trump’s server. “I’ve never seen a server set up like that,” says Christopher Davis, who runs the cybersecurity firm HYAS InfoSec Inc. and won a FBI Director Award for Excellence for his work tracking down the authors of one of the world’s nastiest botnet attacks. “It looked weird, and it didn’t pass the sniff test.” The server was first registered to Trump’s business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump. (Click here to see the server’s registration record.) But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. “I get more mail in a day than the server handled,” Davis says.
In the parlance that has become familiar since the Edward Snowden revelations, the DNS logs reside in the realm of metadata. We can see a trail of transmissions, but we can’t see the actual substance of the communications. And we can’t even say with complete certitude that the servers exchanged email. One scientist, who wasn’t involved in the effort to compile and analyze the logs, ticked off a list of other possibilities: an errant piece of spam caroming between servers, a misdirected email that kept trying to reach its destination, which created the impression of sustained communication. “I’m seeing a preponderance of the evidence, but not a smoking gun,” he said. Richard Clayton, a cybersecurity researcher at Cambridge University who was sent one of the white papers laying out the evidence, acknowledges those objections and the alternative theories but considers them improbable. “I think mail is more likely, because it’s going to a machine running a mail server and [the host] is called mail. Dr. Occam says you should rule out mail before pulling out the more exotic explanations.”
I put the question of what kind of activity the logs recorded to the University of California’s Nicholas Weaver, another computer scientist not involved in compiling the logs. “I can’t attest to the logs themselves,” he told me, “but assuming they are legitimate they do indicate effectively human-level communication.”
Weaver’s statement raises another uncertainty: Are the logs authentic? Computer scientists are careful about vouching for evidence that emerges from unknown sources—especially since the logs were pasted in a text file, where they could conceivably have been edited. I asked nine computer scientists—some who agreed to speak on the record, some who asked for anonymity—if the DNS logs … could be forged or manipulated. They considered it nearly impossible. It would be easy enough to fake one or maybe even a dozen records of DNS lookups. But in the aggregate, the logs contained thousands of records, with nuances and patterns that not even the most skilled programmers would be able to recreate on this scale. “The data has got the right kind of fuzz growing on it,” Vixie told me. “It’s the interpacket gap, the spacing between the conversations, the total volume. If you look at those time stamps, they are not simulated. This bears every indication that it was collected from a live link.” I asked him if there was a chance that he was wrong about their authenticity. “This passes the reasonable person test,” he told me. “No reasonable person would come to the conclusion other than the one I’ve come to.” Others were equally emphatic. “It would be really, really hard to fake these,” Davis said. According to Camp, “When the technical community examined the data, the conclusion was pretty obvious.”
Tea Leaves [the original discoverer of the traffic] and his colleagues plotted the data from the logs on a timeline. What it illustrated was suggestive: The conversation between the Trump and Alfa servers appeared to follow the contours of political happenings in the United States. “At election-related moments, the traffic peaked,” according to Camp. There were considerably more DNS lookups, for instance, during the two conventions.
But the traffic came to a screeching halt after reporters at the New York Times started to ask questions.
The Times hadn’t yet been in touch with the Trump campaign—[the Times reporter] spoke with the campaign a week later—but shortly after it reached out to Alfa, the Trump domain name in question seemed to suddenly stop working. When the scientists looked up the host, the DNS server returned a fail message, evidence that it no longer functioned. … The computer scientists believe there was one logical conclusion to be drawn: The Trump Organization shut down the server after Alfa was told that the Times might expose the connection. Weaver told me the Trump domain was “very sloppily removed.” Or as another of the researchers put it, it looked like “the knee was hit in Moscow, the leg kicked in New York.”
Four days later, on Sept. 27, the Trump Organization created a new host name, trump1.contact-client.com, which enabled communication to the very same server via a different route. When a new host name is created, the first communication with it is never random. To reach the server after the resetting of the host name, the sender of the first inbound mail has to first learn of the name somehow. It’s simply impossible to randomly reach a renamed server. “That party had to have some kind of outbound message through SMS, phone, or some noninternet channel they used to communicate [the new configuration],” Paul Vixie told me. The first attempt to look up the revised host name came from Alfa Bank. “If this was a public server, we would have seen other traces,” Vixie says. “The only look-ups came from this particular source.”
According to Vixie and others, the new host name may have represented an attempt to establish a new channel of communication. But media inquiries into the nature of Trump’s relationship with Alfa Bank, which suggested that their communications were being monitored, may have deterred the parties from using it. Soon after the New York Times began to ask questions, the traffic between the servers stopped cold.
Foer reached out to Alfa Bank and Trump Organization representatives. Both entities denied the connection or attempted alternative explanations of the traffic. In the end, like the Trump Organization server, the Trump PR person stopped responding.
What the scientists amassed wasn’t a smoking gun. It’s a suggestive body of evidence that doesn’t absolutely preclude alternative explanations. But this evidence arrives in the broader context of the campaign and everything else that has come to light: The efforts of Donald Trump’s former campaign manager to bring Ukraine into Vladimir Putin’s orbit; the other Trump adviser whose communications with senior Russian officials have worried intelligence officials; the Russian hacking of the DNC and John Podesta’s email.
Did Russia create A Man from Moscow?
The secret communications link is but one part of a larger unfolding picture of “coordination between Donald Trump, his top advisors, and the Russian government”, the aim being to sway the election to Trump.
David Corn (Mother Jones) tells us that A Veteran Spy Has Given the FBI Information Alleging a Russian Operation to Cultivate Donald Trump He asks: Has the bureau investigated this material? (AZBlueMeanie at Blog for Arizona covers the same ground in today’s, Nov. 3rd, post.)
On Friday [October 28th, 2016], FBI Director James Comey set off a political blast when he informed congressional leaders that the bureau had stumbled across emails that might be pertinent to its completed inquiry into Hillary Clinton’s handling of emails when she was secretary of state. The Clinton campaign and others criticized Comey for intervening in a presidential campaign by breaking with Justice Department tradition and revealing information about an investigation—information that was vague and perhaps ultimately irrelevant—so close to Election Day. On Sunday, Senate Minority Leader Harry Reid upped the ante. He sent Comey a fiery letter saying the FBI chief may have broken the law and pointed to a potentially greater controversy: "In my communications with you and other top officials in the national security community, it has become clear that you possess explosive information about close ties and coordination between Donald Trump, his top advisors, and the Russian government …The public has a right to know this information."
… a former senior intelligence officer for a Western country who specialized in Russian counterintelligence tells Mother Jones that in recent months he provided the bureau with memos, based on his recent interactions with Russian sources, contending the Russian government has for years tried to co-opt and assist Trump—and that the FBI requested more information from him.
[The FBI won’t comment] But a senior US government official not involved in this case but familiar with the former spy tells Mother Jones that he has been a credible source with a proven record of providing reliable, sensitive, and important information to the US government.
… “It started off as a fairly general inquiry,” says the former spook, who asks not to be identified. But when he dug into Trump, he notes, he came across troubling information indicating connections between Trump and the Russian government. According to his sources, he says, “there was an established exchange of information between the Trump campaign and the Kremlin of mutual benefit.”
Mother Jones has reviewed that report and other memos this former spy wrote. The first memo, based on the former intelligence officer’s conversations with Russian sources, noted, “Russian regime has been cultivating, supporting and assisting TRUMP for at least 5 years. Aim, endorsed by PUTIN, has been to encourage splits and divisions in western alliance.” It maintained that Trump “and his inner circle have accepted a regular flow of intelligence from the Kremlin, including on his Democratic and other political rivals.” It claimed that Russian intelligence had “compromised” Trump during his visits to Moscow and could “blackmail him.” It also reported that Russian intelligence had compiled a dossier on Hillary Clinton based on “bugged conversations she had on various visits to Russia and intercepted phone calls.”
The former intelligence officer says the response from the FBI was “shock and horror.” The FBI, after receiving the first memo, did not immediately request additional material, according to the former intelligence officer and his American associates. Yet in August, they say, the FBI asked him for all information in his possession and for him to explain how the material had been gathered and to identify his sources. The former spy forwarded to the bureau several memos—some of which referred to members of Trump’s inner circle. After that point, he continued to share information with the FBI. “It’s quite clear there was or is a pretty substantial inquiry going on,” he says.
“This is something of huge significance, way above party politics,” the former intelligence officer comments. “I think [Trump’s] own party should be aware of this stuff as well.”
The FBI is certainly investigating the hacks attributed to Russia that have hit American political targets, including the Democratic National Committee and John Podesta, the chairman of Clinton’s presidential campaign. But there have been few public signs of whether that probe extends to examining possible contacts between the Russian government and Trump. (In recent weeks, reporters in Washington have pursued anonymous online reports that a computer server related to the Trump Organization engaged in a high level of activity with servers connected to Alfa Bank, the largest private bank in Russia. [See above for documentation.] On Monday, a Slate investigation detailed the pattern of unusual server activity but concluded, “We don’t yet know what this [Trump] server was for, but it deserves further explanation.” In an email to Mother Jones, Hope Hicks, a Trump campaign spokeswoman, maintains, “The Trump Organization is not sending or receiving any communications from this email server. The Trump Organization has no communication or relationship with this entity or any Russian entity.”)
Observe the language: “is not” and “has no” refer to the present. We know from the Slate report that the server connection was severed after the Times started asking questions. So the question is did the Trump Organization ever have communications and a relationship with Alfa Bank. That has not been answered.
There’s no way to tell whether the FBI has confirmed or debunked any of the allegations contained in the former spy’s memos. But a Russian intelligence attempt to co-opt or cultivate a presidential candidate would mark an even more serious operation than the hacking.
In the letter Reid sent to Comey on Sunday, he pointed out that months ago he had asked the FBI director to release information on Trump’s possible Russia ties. Since then, according to a Reid spokesman, Reid has been briefed several times. The spokesman adds, “He is confident that he knows enough to be extremely alarmed.”
We should all be alarmed. Now connect all this with my post yesterday on the “November ninth nightmare” and you get, as Tom Clancy once wrote, the sum of all fears.