Complicated article on the question of whether Alfa Bank, Trump Organization and Spectrum Health were communicating just up to Sept 2016. Dexter Filkins, of the New Yorker does a deep dive into the what may have happened.
I do not fully understand the ins and outs of this, so if someone who wants to decipher, please do.
The hack of the D.N.C. seemed like a pernicious attack on the integrity of the Web, as well as on the American political system. The scientists decided to investigate whether any Republicans had been hacked, too. “We were trying to protect them,” Max said.
Max’s group began combing the Domain Name System, a worldwide network that acts as a sort of phone book for the Internet, translating easy-to-remember domain names into I.P. addresses, the strings of numbers that computers use to identify one another. Whenever someone goes online—to send an e-mail, to visit a Web site—her device contacts the Domain Name System to locate the computer that it is trying to connect with. Each query, known as a D.N.S. lookup, can be logged, leaving records in a constellation of servers that extends through private companies, public institutions, and universities. Max and his group are part of a community that has unusual access to these records, which are especially useful to cybersecurity experts who work to protect clients from attacks.
As Max and his colleagues searched D.N.S. logs for domains associated with Republican candidates, they were perplexed by what they encountered. “We went looking for fingerprints similar to what was on the D.N.C. computers, but we didn’t find what we were looking for,” Max told me. “We found something totally different—something unique.” In the small town of Lititz, Pennsylvania, a domain linked to the Trump Organization (mail1.trump-email.com) seemed to be behaving in a peculiar way. The server that housed the domain belonged to a company called Listrak, which mostly helped deliver mass-marketing e-mails: blasts of messages advertising spa treatments, Las Vegas weekends, and other enticements. Some Trump Organization domains sent mass e-mail blasts, but the one that Max and his colleagues spotted appeared not to be sending anything. At the same time, though, a very small group of companies seemed to be trying to communicate with it.
Examining records for the Trump domain, Max’s group discovered D.N.S. lookups from a pair of servers owned by Alfa Bank, one of the largest banks in Russia. Alfa Bank’s computers were looking up the address of the Trump server nearly every day. There were dozens of lookups on some days and far fewer on others, but the total number was notable: between May and September, Alfa Bank looked up the Trump Organization’s domain more than two thousand times. “We were watching this happen in real time—it was like watching an airplane fly by,” Max said. “And we thought, Why the hell is a Russian bank communicating with a server that belongs to the Trump Organization, and at such a rate?”
The D.N.S. records raised vexing questions. Why was the Trump Organization’s domain, set up to send mass-marketing e-mails, conducting such meagre activity? And why were computers at Alfa Bank and Spectrum Health trying to reach a server that didn’t seem to be doing anything? After analyzing the data, Max said, “We decided this was a covert communication channel.”
The Trump Organization, Alfa Bank, and Spectrum Health have repeatedly denied any contact. But the question of whether Max’s conclusion was correct remains enormously consequential. Was this evidence of an illicit connection between Russia and the Trump campaign? Or was it merely a coincidence, cyber trash, that fed suspicions in a dark time?
One remarkable aspect of Foer’s story involved the way that the Trump domain had stopped working. On September 21st, he wrote, the Times had delivered potential evidence of communications to B.G.R., a Washington lobbying firm that worked for Alfa Bank. Two days later, the Trump domain vanished from the Internet. (Technically, its “A record,” which translates the domain name to an I.P. address, was deleted. If the D.N.S. is a phone book, the domain name was effectively decoupled from its number.) For four days, the servers at Alfa Bank kept trying to look up the Trump domain. Then, ten minutes after the last attempt, one of them looked up another domain, which had been configured to lead to the same Trump Organization server.
“I bark and I bark but I never feel like I effect real change.”
Max’s group was surprised. The Trump domain had been shut down after the Times contacted Alfa Bank’s representatives—but before the newspaper contacted Trump. “That shows a human interaction,” Max concluded. “Certain actions leave fingerprints.” He reasoned that someone representing Alfa Bank had alerted the Trump Organization, which shut down the domain, set up another one, and then informed Alfa Bank of the new address.
A week after the Times story appeared, Trump won the election. On Inauguration Day, Liz Spayd, the Times’ ombudsman, published a column criticizing the paper’s handling of stories related to Trump and Russia, including the Alfa Bank connection. “The Times was too timid in its decisions not to publish the material it had,” she wrote. Spayd’s article did not sit well with Baquet. “It was a bad column,” he told the Washington Post. Spayd argued that Slate had acted correctly by publishing a more aggressive story, which Baquet dismissed as a “fairly ridiculous conclusion.” That June, Spayd’s job was eliminated, as the paper’s publisher said that the position of ombudsman had become outdated in the digital age. When I talked to Baquet recently, he still felt that he had been right to resist discussing the server in greater depth, but he acknowledged that the Times had been too quick to disclaim the possibility of Trump’s connections to Russia. “The story was written too knowingly,” he said. “The headline was flawed. We didn’t know then what we know now.”
Trump’s advocates claimed that the investigations sponsored by Alfa Bank had proved that Alfa and the Trump Organization were not communicating. In fact, they sidestepped the question. Mandiant, one of the cybersecurity firms, said that it was unable to inspect the bank’s D.N.S. logs from 2016, because Alfa retained such records for only twenty-four hours. The other firm, Stroz Friedberg, gave the same explanation for why it, too, was “unable to verify” the data.
For some, the most baffling part of the puzzle was the way that the lookups stopped. The Trump domain vanished from the Web on the morning of Friday, September 23rd, two days after the Times presented its data to B.G.R., Alfa Bank’s lobbyists in Washington, but before it called Trump or Cendyn. In Max’s view, this was evidence of direct contact between Alfa Bank and Trump. One researcher whom Foer interviewed put it vividly: “The knee was hit in Moscow, the leg kicked in New York.” There is, however, at least one possibility that doesn’t involve Moscow: the lobbyists in Washington could have passed along a warning to Trump, as a courtesy. But B.G.R. denies doing this, calling the idea “ridiculous on its face.”
If Trump and Alfa Bank—as well as Spectrum Health and Heartland Payment Systems—were communicating, what might they have been talking about? Max and some of the other scientists I spoke to theorized that they may have been using the system to signal one another about events or tasks that had to be performed: money to be transferred, for instance, or data to be copied. “My guess is that, whenever someone wanted to talk, they would do a D.N.S. lookup and then route the traffic somewhere else,” Richard Clayton, of the University of Cambridge, said. Camp also speculated that the system may have been used to coördinate the movement of data. She noted that Cambridge Analytica, which was working for the Trump campaign, took millions of personal records from Facebook. In Camp’s scenario, these could have been transferred to the Russian government, to help guide its targeting of American voters before the election.
The researchers I spoke with were careful to point out that the limits of D.N.S. data prevent them from going beyond speculation.If employees of the companies were talking, the traffic reveals nothing about who they were or what they were saying; it is difficult to rule out something as banal as a protracted game of video poker. “If I’m a cop, I’m not going to take this to the D.A. and say we’re ready to prosecute,” Leto said. “I’m going to say we have enough to ask for a search warrant.” More complete information could be difficult to obtain. This March, after Republicans on the House Intelligence Committee announced that it had found no evidence of collusion between the Trump campaign and Russia, the committee’s Democrats filed a dissent, arguing that there were many matters still to be investigated, including the Trump Organization’s connections to Alfa Bank. The Democrats implored the majority to force Cendyn to turn over computer data that would help determine what had happened. Those records could show who in the Trump Organization used the server. There would probably also be a record of who shut down the Trump domain after the Times contacted Alfa Bank. Cendyn might have records of any outgoing communications sent by the Trump Organization. But the request for further investigation is unlikely to proceed as long as Republicans hold the majority. “We’ve all looked at the data, and it doesn’t look right,” a congressional staffer told me. “But how do you get to the truth?”
The enigma, for now, remains an enigma. The only people likely to finally resolve the question of Alfa Bank and the Trump Organization are federal investigators. Max told me that no one in his group had been contacted. But, he said, it wasn’t necessary for anyone in the F.B.I. to talk to him, if the agents gathered the right information from other sources, like Listrak and Cendyn. “I hope Mueller has all of it,” he said.