Real estate tycoon and putative presidential candidate Donald Trump responds to President Barack Obama's election victory by tweeting: "We can't let this happen. We should march on Washington and stop this travesty. Our nation is totally divided!" Apparently Trump is calling for some kind of uprising or insurrection that will prevent Obama from taking office again. Russian white supremacist, Internet producer and former Duma member Konstantin Rykov sees the tweet and responds via Twitter: "I'm ready. What should I do?" (The tweet is in Russian.) Trump responds with a photo of himself giving the camera, and presumably Rykov, a thumbs-up signal. Former US Ambassador to Russia Michael McFaul later describes Rykov as "one of the leading pro-Kremlin bloggers in Russia," and Rykov apparently has close connections to Putin. Another source later describes Rykov as a "chief voice and troll for the Kremlin on Twitter." Four years later, Rykov will write about a plan, hatched and apparently carried out, to work with Trump to secure the presidency for him. (Washington Monthly, Donald Trump)
One of the experts later says, "We wanted to help defend both campaigns, because we wanted to preserve the integrity of the election." Another of those scientists, who uses the pseudonym "Tea Leaves" in the October article by Slate, finds Russian malware targeting a Trump server. He soon determines that the malware is coming from Alfa Bank in Moscow, which is irregularly but persistently pinging a server registered to the Trump Organization in New York. The expert begins sharing his findings with six of his colleagues. (Slate journalist Franklin Foer will interview two of "Tea Leaves"'s colleagues for his article, who will share extensive documentation and records with Foer. Numerous other academics and experts will vouch for "Tea Leaves"'s integrity and expertise. Indiana University computer scientist L. Jean Camp will say: "This is someone I know well and is very well-known in the networking community. When they say something about DNS, you believe them. This person has technical authority and access to data.")
Not an Attack, but a Conversation
The researchers quickly determine that the Trump server is not under a malware attack, nor is it being pinged by bots. Instead, the server lookups seem to document human conversation that begins during office hours in New York and continues into office hours in Moscow. Foer will write, "It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank." Cybersecurity expert Christopher Davis later says that the researchers were initially stymied by the unusual configuration of the Trump server: "I've never seen a server set up like that. It looked weird, and it didn't pass the sniff test." The Trump server was set up to run consumer marketing campaigns, and was often used to send mass emails on behalf of Trump properties and products. But now the server is being used for something entirely different. It is not running anywhere near its capacity, making it difficult to justify the expense and effort it takes to maintain it. Davis later says, "I get more mail in a day than the server handled." Moreover, the researchers determine that the Trump server is configured to accept communications only from a very small and specific set of IP addresses: Alfa Bank and a firm called Spectrum Health. That firm will deny any contact with Alfa Bank or Trump's business holdings, and will deny any communications between its computer network and the Trump server. Spectrum will say that the few traces it found came from spam marketing emails from a digital marketing firm, Cendyn, advertising Trump hotels. The Spectrum traffic accounts for only 13% of the server traffic; the rest is between the Trump server and Alfa Bank. Camp will conclude: "It's pretty clear that it's not an open mail server. These organizations are communicating in a way designed to block other people out."
In October, DNS expert Paul Vixie will examine the records and conclude: "The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project." As the election campaign moves forward, and Trump issues increasingly heated denials about having any connections to Russia (even as he invites Russian hackers to breach Clinton's servers), the researchers become increasingly convinced that Trump is lying. The data tells a dramatically different story, though it does not provide conclusive evidence of ties between Trump and Russia. What it does show is a rise and fall in the frequency of communications between the bank and the Trump server during the election season: "At election-related moments, the traffic peaked," Camp will say. Traffic rises considerably during the time of both parties' conventions.
The researchers cautiously go public in September, posting about their findings, and linking to their data, in a Reddit thread. Asked by New York Times reporter Eric Lichtblau about the connections between the Trump server and the Alfa Bank servers on September 21, the bank denies any connections. Just before Lichtblau can pose his questions to the Trump campaign, the Trump domain name in question stops working. Foer will write: "The computer scientists believe there was one logical conclusion to be drawn: The Trump Organization shut down the server after Alfa was told that the Times might expose the connection." One expert will tell Foer that the domain was hastily and "very sloppily removed." One of the researchers will tell Foer that it seems like "the knee was hit in Moscow, the leg kicked in New York." By September 27, the Trump Organization is using a new host name, which enables communication with the same server via a different route. The first lookup of the new host name, which is always a product of human input, comes from Alfa Bank. Vixie and others will conclude that Trump officials are attempting to create a new channel of communications between Alfa and the Trump Organization. However, after Times reporters begin asking questions, the traffic between the servers stops entirely. Alfa Bank will deny any connections or communications between Trump and its officials, and will say it has hired cybersecurity firm Mandiant to investigate the communications. Mandiant's theory, Alfa will say, is that the connections between its servers and the Trump server are innocent spam contacts. Trump spokesperson Hope Hicks will go further, claiming that the Trump server has not been used since 2010, in spite of proof that it was used as late as September 2016, and refusing to answer questions about the 2016 contacts.
Doubts and Confirmations
Foer will have other experts explore the connections in a follow-up article. It is possible, cybersecurity expert Rob Graham will say, that the server was under the control of Cendyn, the spam marketing vendor, and the September shutdowns may have been coincidental. It is possible that the extensive communications between the Trump server and Alfa Bank are entirely spam marketing transmissions, with the bank servers' security protocols rejecting the spam, though no trace of spam emails is available. Camp will tell Foer, "It's highly implausible that spam would continue for so many months, that it would never be reported to a spam blocker, or that nobody else in the world would see the spam during that time frame." The explanation most consistent with the data is that the Trump server is inundating the Alfa servers with marketing materials, though that cannot be proven from the data collected, and there is a vanishingly small likelihood that the Trump Organization would use an entire computer server to send generic marketing materials to a single target. Other experts cast doubt on the finding that the server traffic spikes during critical events during the election. And it is possible the DNS logs as provided to Foer are not complete. Foer will write: "As I noted in my piece, there's no foolproof way to verify that these logs are complete and unedited. I believe in their authenticity, because of the credibility of the academics and programmers who vouched for them by name – specifically, Paul Vixie and Jean Camp. They took a meaningful risk in attaching their names to the data. Jean Camp has posted the full set of logs. Now that they are easily available, others can form their own opinion as to their validity and what they demonstrate about the servers." Foer will conclude that while nothing can be conclusively proven, it seems likely that there was an unusual and secretive series of communications between Alfa Bank and the Trump server.
What those communications were, and their impact on the election, remains undisclosed. Eight of the nine experts Foer will first speak with still stand by their analysis; the ninth was not available for comment. (Slate, Slate, photo of Alfa Bank front in Moscow via Moscow Times)