On 31 October 2016, Slate published an article under the headline “Was a Trump Server Communicating With Russia?” The question in the title introduced a lengthy piece that strung together a collection of circumstantial details to suggest that Donald Trump maintained “secretive” financial ties to Russia, ties which had purportedly come to light in the course of an unofficial investigation:
In late spring, this community of malware hunters placed itself in a high state of alarm. Word arrived that Russian hackers had infiltrated the servers of the Democratic National Committee, an attack persuasively detailed by the respected cybersecurity firm CrowdStrike. The computer scientists posited a logical hypothesis, which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump’s many servers. “We wanted to help defend both campaigns, because we wanted to preserve the integrity of the election,” says one of the academics, who works at a university that asked him not to speak with reporters because of the sensitive nature of his work.
Earlier [in October 2016], the group of computer scientists passed [logs of the Trump server’s DNS activity] to Paul Vixie. In the world of DNS experts, there’s no higher authority. Vixie wrote central strands of the DNS code that makes the internet work. After studying the logs, he concluded, “The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project.” Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence. Over the summer, the scientists observed the communications trail from a distance … While the researchers went about their work, the conventional wisdom about Russian interference in the campaign began to shift. There were reports that the Trump campaign had ordered the Republican Party to rewrite its platform position on Ukraine, maneuvering the GOP toward a policy preferred by Russia, though the Trump campaign denied having a hand in the change. Then Trump announced in an interview with the New York Times his unwillingness to spring to the defense of NATO allies in the face of a Russian invasion. Trump even invited Russian hackers to go hunting for Clinton’s emails, then passed the comment off as a joke.
The article held that a “bank in Moscow kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue,” adding that through further research the investigating parties determined “[the activity] wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.” The piece also included several asides vouching for the credibility of the unnamed individuals involved in the project, for example:
“This [investigator] is someone I know well and is very well-known in the networking community,” said [a computer scientist]. “When they say something about DNS, you believe them. This person has technical authority and access to data.”
The independent research done by the unnamed “community of malware hunters” purportedly commenced in mid-2016, shortly after rumors about Russian interference in that year’s election began circulating. By September 2016, Slate reported that the self-appointed investigators had begun attempting to draw interest to their research (in one instance, by posting the information to a Reddit thread). After a New York Times reporter met with a U.S.-based representative from Alfa Bank for an unspecified related story, the Slate article asserted, a Trump domain purportedly under observation “seemed to suddenly stop working.” The researchers came to a subsequent conclusion, which the piece built upon in a remarkably far reaching manner:
The computer scientists believe there was one logical conclusion to be drawn: The Trump Organization shut down the server after Alfa was told that the Times might expose the connection. [Uninvolved computer scientist Nicholas] Weaver told me the Trump domain was “very sloppily removed.” Or as another of the researchers put it, it looked like “the knee was hit in Moscow, the leg kicked in New York.”
What the scientists amassed wasn’t a smoking gun. It’s a suggestive body of evidence that doesn’t absolutely preclude alternative explanations. But this evidence arrives in the broader context of the campaign and everything else that has come to light: The efforts of Donald Trump’s former campaign manager to bring Ukraine into Vladimir Putin’s orbit; the other Trump adviser whose communications with senior Russian officials have worried intelligence officials; the Russian hacking of the DNC and John Podesta’s email.
The Slate article’s appearance just one week prior to the November 2016 general election unsurprisingly turned heads, despite its speculative nature. On the same day, the partisan Occupy Democrats web site published an item claiming that in an “October Surprise” development, ABC News had uncovered “hundreds of millions of dollars” in payments from Russians to Trump:
An ABC News investigation has found that Donald Trump has “numerous ties” to Russian interests both here in the United States and in Russia. “The level of business amounts to hundreds of millions of dollars — what he received as a result of interaction with Russian businessmen. They were happy to invest with him, and they were happy to work with Donald Trump. And they were happy to associate —[and] be associated with Donald Trump” says Sergei Millian, who heads a U.S.-Russia business group.
Many social media users exposed only to the dueling headlines were left with the impression the two reports were linked and mutually substantiating. But Occupy Democrats’ “October Surprise” piece was originally reported by another news outlet more than one month earlier and pertained to purported business (not campaign) dealings Trump had with Russian business interests (some of whom were U.S.-based). Moreover, its editorial focus was whether Trump’s potential business links to Russia would influence his foreign policy decisions; it did not suggest Trump’s campaign was being bought by “Russian payments.”
The Trump campaign addressed and denied the allegations, while Hillary Clinton immediately tweeted twice about them:
— Hillary Clinton (@HillaryClinton) October 31, 2016
Computer scientists have apparently uncovered a covert server linking the Trump Organization to a Russian-based bank. pic.twitter.com/8f8n9xMzUU
— Hillary Clinton (@HillaryClinton) November 1, 2016
Much of the content of the Slate piece came from persons unable or unwilling to disclose their identities and credentials (who were therefore unavailable for questions), but it wasn’t long before cybersecurity expert Robert Graham of Errata Security tackled the claims. In a more concise and far less speculative blog post, Graham cast considerable doubt on the entire claim set and noted that a hotel marketing company (Cendyn), not Trump, controlled the domains in question:
According to this Slate article, Trump has a secret server for communicating with Russia. Even Hillary has piled onto this story … This is nonsense. The evidence available on the Internet is that Trump neither (directly) controls the domain “trump-email.com”, nor has access to the server. Instead, the domain was set up and controlled by Cendyn, a company that does marketing/promotions for hotels, including many of Trump’s hotels. Cendyn outsources the email portions of its campaigns to a company called Listrak, which actually owns/operates the physical server in a data center in [Philadelphia].
In other words, Trump’s response is (minus the political bits) likely true, supported by the evidence. It’s the conclusion I came to even before seeing [Trump’s] response.
When you view this “secret” server in context, surrounded by the other email servers operated by Listrak on behalf of Cendyn, it becomes more obvious what’s going on … It’s Cendyn that registered and who controls the trump-email.com domain, as seen in the WHOIS information. That the Trump Organization is the registrant, but not the admin, demonstrates that Trump doesn’t have direct control over it … When the domain information was changed last September 23, it was Cendyn who did the change, not the Trump Organization. This link lists a bunch of other hotel-related domains that Cendyn likewise controls, some Trump related, some related to Trump’s hotel competitors, like Hyatt and Sheraton.
Cendyn’s claim they are reusing the server for some other purpose is likely true. If you are an enterprising journalist with $399 in your budget, you can find this out … I’ve heard from other DNS malware researchers (names remain anonymous) who confirm they’ve seen lookups for “mail1.trump-email.com” from all over the world, especially from tools like FireEye that process lots of spam email. One person claimed that lookups started failing for them back in late June — and thus the claim of successful responses until September are false. In other words, the “change” after the NYTimes queried Alfa Bank may not be because Cendyn (or Trump) changed anything, but because that was the first they checked and noticed that lookup errors were happening.
That this is just normal marketing business from Cendyn and Listrak is the overwhelming logical explanation for all this. People are tempted to pull nefarious explanations out of their imaginations for things they don’t understand. But for those of us with experience in this sort of thing, what we see here is a normal messed up marketing (aka. spam) system that the Trump Organization doesn’t have control over. Knowing who owns and controls these servers, it’s unreasonable to believe that Trump is using them for secret emails. Far from “secret” or “private” servers as Hillary claims, these servers are wide open and obvious.
Graham concluded by noting that experts consulted by Slate offered piecemeal confirmations, none adding up to a whole:
But the article quotes several experts confirming the story, so how does that jibe with this blog post. The answer is that none of the experts confirmed the story.
Read more carefully. None of the identified experts confirmed the story. Instead, the experts looked at pieces, and confirmed part of the story. Vixie rightly confirmed that the pattern of DNS requests came from humans, and not automated systems. Chris Davis rightly confirmed the server doesn’t look like a normal email server.
Neither of them, however, confirmed that Trump has a secret server for communicating with the Russians. Both of their statements are consistent with what I describe above — that it’s a Cendyn-operated server for marketing campaigns independent of the Trump Organization.
Those researchers violated their principles
The big story isn’t the conspiracy theory about Trump, but that these malware researchers exploited their privileged access for some purpose other than malware research.
Graham (who concurrently affirmed on Twitter that he was supporting Clinton) supplemented his piece with several tweets providing ancillary information, as well as comments from peers in the field of cybersecurity:
Because journalists are good at tricking “experts” into giving the desired answer, not the best answer. https://t.co/9wZr38B4eP
— Rob Zombie Graham (@ErrataRob) November 1, 2016
— Thomas H. Ptacek (@tqbf) November 1, 2016
— Christopher Soghoian (@csoghoian) November 1, 2016
Damn, all three of us agreeing on something is the first sign of the apocalypse. https://t.co/Vd5QGQgYSC
— Rob Zombie Graham (@ErrataRob) November 1, 2016
“But the peaks line up with campaign events”
No, they really don’t. It’s just the human tendency to find patterns in noise. pic.twitter.com/7CMt1T3kKV
— Rob Zombie Graham (@ErrataRob) November 1, 2016
On the same day Slate’s piece appeared, the New York Times reporter it referenced published his own article about Trump’s purported ties to Alfa Bank. The conclusion of that piece was more in line with Graham’s take:
In classified sessions in August and September, intelligence officials also briefed congressional leaders on the possibility of financial ties between Russians and people connected to Mr. Trump. They focused particular attention on what cyberexperts said appeared to be a mysterious computer back channel between the Trump Organization and the Alfa Bank, which is one of Russia’s biggest banks and whose owners have longstanding ties to Mr. Putin.
F.B.I. officials spent weeks examining computer data showing an odd stream of activity to a Trump Organization server and Alfa Bank. Computer logs obtained by The New York Times show that two servers at Alfa Bank sent more than 2,700 “look-up” messages — a first step for one system’s computers to talk to another — to a Trump-connected server beginning in the spring. But the F.B.I. ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.
Alfa Bank also sent us a statement of their own, holding that no connection existed between that financial institution and Donald Trump:
Alfa Bank wishes to make clear that there is no connection between Alfa Bank and Donald Trump, the Trump campaign or the Trump organization. Any suggestion to the contrary is false.
Alfa Bank hired Mandiant, one of the world’s foremost U.S. cyber security experts, to investigate allegations of a connection by the media and it has found nothing to support them. Mandiant found no substantive contact, email or financial link between Alfa Bank and the Trump Campaign or Organization. Mandiant conducted a deep dive and investigated Alfa Bank’s IT systems both remotely and on the ground in Moscow and there was no evidence of notable contact.
Neither Alfa Bank nor its principals, including Mikhail Fridman and Petr Aven, have or have had any contact with Mr. Trump or his organizations. Fridman and Aven have never met Mr. Trump nor have they or Alfa Bank had any business dealings with him. Neither Alfa Bank nor its officers have sent Mr. Trump or his organisation any emails, information or money. Alfa Bank does not have and has never had any special or exclusive internet connection with Mr. Trump or his entities. The assertion of a special or private link is patently false.
Mandiant’s working hypothesis, echoing what the New York Times said was the FBI’s conclusion, is that the alleged activity noticed by reporters was caused by an email marketing/spam campaign by a marketing server, which triggered security software.
Commenting further on the allegations, Mandiant said:
Mandiant, a FireEye company, has been retained by Alfa Bank to investigate information given to them by various media. The information that has been presented is a list of dates, times, IP addresses and domain names. The list appears to be a scanned copy of a printed log. There is no information which indicates where the list has come from. The list contains approx. 2800 lookups of a domain name over a period of 90 days. The information presented is inconclusive and is not evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization. The list presented does not contain enough information to show that there has been any actual activity, as opposed to simple DNS lookups, which can come from a variety of sources including anti-spam and other security software.
As part of the ongoing investigation, Alfa Bank has opened its IT systems to Mandiant, which has investigated both remotely and on the ground in Moscow. We are continuing our investigation. Nothing we have or have found alters our view as described above that there isn’t evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization.
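The point Graham and Mandiant both make above is that a list of dates, times, IP addresses and domain names records who asked a resolver to look up a name, not who connected to anything, and that such lookups routinely come from anti-spam and other security software. The following Python script is an added illustration of how a practitioner would read such a list; it is not code from the original article, from Graham’s post or from Mandiant’s report. It parses a constructed query log of the same shape, counts lookups per source address, finds the point after which answers start failing (the “lookups started failing in late June” observation), and applies a threshold test to the “peaks” that were said to line up with campaign events. The addresses, domain name, timestamps and response codes are placeholders invented for the example.

```python
"""Read a DNS query log the way an analyst would: what it shows and what it cannot.

The sample below is constructed for this example. None of the addresses, the
domain name or the timestamps are the real values discussed in the article.
"""
from __future__ import annotations

import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

# Constructed log: "<timestamp> <client IP> <queried name> <qtype> <rcode>".
# The two 203.0.113.x clients play the role of a bank's resolvers; the other
# two stand in for unrelated sources such as mail security gateways.
SAMPLE_LOG = """\
2016-05-04T08:12:01Z 203.0.113.10 mail1.marketing.example A NOERROR
2016-05-04T08:12:03Z 203.0.113.10 mail1.marketing.example MX NOERROR
2016-05-05T09:41:17Z 203.0.113.11 mail1.marketing.example A NOERROR
2016-05-05T09:41:20Z 198.51.100.7 mail1.marketing.example A NOERROR
2016-05-19T13:05:44Z 203.0.113.10 mail1.marketing.example A NOERROR
2016-05-19T13:06:02Z 192.0.2.44 mail1.marketing.example A NOERROR
2016-06-02T07:30:09Z 203.0.113.11 mail1.marketing.example A NOERROR
2016-06-02T07:30:15Z 203.0.113.11 mail1.marketing.example A NOERROR
2016-06-02T07:30:21Z 203.0.113.11 mail1.marketing.example A NOERROR
2016-06-16T16:22:48Z 203.0.113.10 mail1.marketing.example A NOERROR
2016-06-28T11:00:05Z 203.0.113.10 mail1.marketing.example A SERVFAIL
2016-07-07T10:15:33Z 203.0.113.11 mail1.marketing.example A SERVFAIL
2016-07-07T10:15:40Z 198.51.100.7 mail1.marketing.example A SERVFAIL
2016-07-21T14:48:12Z 203.0.113.10 mail1.marketing.example A SERVFAIL
"""


@dataclass(frozen=True)
class DnsQuery:
    ts: datetime
    client: str
    qname: str
    qtype: str
    rcode: str


def parse_log(text: str) -> List[DnsQuery]:
    """Parse whitespace-separated log lines into records sorted by time.

    Note what a record contains: a resolver client asked for a name. There is
    no SMTP session, no TCP connection and no message in it, so nothing
    derived from this log can show that two hosts exchanged email.
    """
    queries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype, rcode = line.split()
        queries.append(DnsQuery(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                client, qname.lower(), qtype.upper(), rcode.upper()))
    return sorted(queries, key=lambda q: q.ts)


def per_client_counts(queries: List[DnsQuery]) -> Counter:
    """How many lookups each source address made; many distinct sources is the
    signature of a name being resolved by whoever receives mail from it."""
    return Counter(q.client for q in queries)


def failure_onset(queries: List[DnsQuery]) -> Optional[datetime]:
    """Timestamp of the first query after the last successful answer, provided
    every later answer failed; None if the name never stopped resolving."""
    last_ok = None
    for i, q in enumerate(queries):
        if q.rcode == "NOERROR":
            last_ok = i
    if last_ok is None or last_ok == len(queries) - 1:
        return None
    return queries[last_ok + 1].ts


def daily_counts(queries: List[DnsQuery]) -> Counter:
    """Lookups per calendar day (days with no lookups are simply absent)."""
    return Counter(q.ts.date() for q in queries)


def peak_days(queries: List[DnsQuery], z: float = 2.0) -> List[date]:
    """Days whose lookup count exceeds the mean of active days by z standard
    deviations. Which days count as 'peaks' depends entirely on z, which is
    why eyeballing a chart for spikes that match a calendar proves little."""
    counts = daily_counts(queries)
    values = list(counts.values())
    if len(values) < 2:
        return []
    mean, sd = statistics.fmean(values), statistics.pstdev(values)
    if sd == 0:
        return []
    return sorted(d for d, n in counts.items() if n > mean + z * sd)


if __name__ == "__main__":
    qs = parse_log(SAMPLE_LOG)
    print("lookups:", len(qs), "from", len(per_client_counts(qs)), "sources")
    print("per client:", dict(per_client_counts(qs)))
    print("answers fail from:", failure_onset(qs))
    print("peaks at z=2:", peak_days(qs), "peaks at z=1:", peak_days(qs, z=1.0))
```

Run against the constructed log, the script reports 14 lookups from four sources, answers failing from 28 June onward, no peak day at a two-sigma threshold and one at a one-sigma threshold. The thing to notice is what is absent: no function here can return a connection, a message or a payment, because the input never contained one; anyone claiming more from such a list is reading it in from outside the data.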
Rumors about Donald Trump’s purported ties to Russia had circulated roughly since the July 2016 DNC leaks and the subsequent allegations that the material published via WikiLeaks was intended to damage Hillary Clinton for the mutual benefit of Trump and Russia. But the Slate article (its title framed as a question) simply strung together circumstantial details to suggest that a Trump server was communicating with Russia. Graham’s contemporaneous analysis (by a named cybersecurity expert, unlike the Slate sources), the New York Times’ account of the FBI’s view and Mandiant’s subsequent investigation for Alfa Bank each found the claims unsubstantiated and consistent with ordinary email marketing traffic.
In March 2017, CNN reported that the issue was still under investigation by the FBI, but nothing substantive had yet been turned up:
Federal investigators and computer scientists continue to examine whether there was a computer server connection between the Trump Organization and a Russian bank, sources close to the investigation tell CNN.
Questions about the possible connection were widely dismissed four months ago. But the FBI’s investigation remains open, the sources said, and is in the hands of the FBI’s counterintelligence team — the same one looking into Russia’s suspected interference in the 2016 election.
One U.S. official said investigators find the server relationship “odd” and are not ignoring it. But the official said there is still more work for the FBI to do. Investigators have not yet determined whether a connection would be significant.