Brian Krebs is a well-known and respected computer security guy. He did a writeup after a witness to the following got charged with lying to an FBI agent when he didn’t disclose he was working for Hillary Clinton’s campaign while researching “funny” DNS (domain name server) requests between Alfa Bank in Moscow and Trump Tower in New York back in 2016.
It made a big splash among computer security people because what they did was look at DNS requests back when the DNC (democratic national committee) was hacked by Russia and emails leaked. They were looking for Russian computers asking for the IP addresses of DNC computers in the DNS logs.
What lit up instead (they didn’t get the Russian hackers they were looking for) were lots of communications between trump tower and Alfa Bank Moscow in the lead-up to the 2016 election. Not only were the two computers asking DNS for each other’s address, the frequency of those requests went way up each time there were any developments in the election.
Background - people think of names like yahoo, amazon, sorryantivaxxer, etc. Computers use IP addresses. DNS servers return the IP address when a computer wants to talk to a website by name (or any web service) and logs the request. The trumps and the Russians didn’t understand they were leaving a trail that they were communicating by having their machines use the web names of their machines instead of the IP addresses. Names are more convenient to use thanks to DNS servers. Addresses can change but don’t always depending on the account. At any rate, names are easy but leave a trail that can be audited.
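To make the audit-trail point concrete, here is an added example (not from the post or from Krebs) that parses constructed resolver log lines, counts how often each client asked for each name per day, and flags days where the count spikes well above that pair's usual level. The log format and hostnames are assumptions made up for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (not real data): date, time, client, queried name, type.
SAMPLE_LOG = """\
2016-07-25 09:01:12 client 203.0.113.10 query mail.example-a.test A
2016-07-25 09:05:40 client 203.0.113.10 query mail.example-a.test A
2016-07-25 11:20:02 client 203.0.113.10 query www.example-c.test A
2016-07-26 08:13:55 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:00:01 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:02:17 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:04:33 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:06:48 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:09:10 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:11:25 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:13:40 client 203.0.113.10 query mail.example-a.test A
2016-07-27 08:15:55 client 203.0.113.10 query mail.example-a.test A
2016-07-28 09:30:00 client 203.0.113.10 query mail.example-a.test A
"""

# Assumed log layout; adjust the pattern for a real resolver's format.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ client (\S+) query (\S+) \S+$")


def daily_counts(log_text):
    """Map (client, name) -> Counter of queries per day, skipping unparsable lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, client, name = m.groups()
        counts[(client, name.lower())][day] += 1
    return counts


def spike_days(day_counter, factor=3.0, min_count=5):
    """Days whose count is at least min_count and more than factor x the median of the other days."""
    days = sorted(day_counter)
    spikes = []
    for d in days:
        others = sorted(day_counter[o] for o in days if o != d)
        if not others:
            continue  # a single day gives no baseline to compare against
        median = others[len(others) // 2]
        if day_counter[d] >= min_count and day_counter[d] > factor * median:
            spikes.append(d)
    return spikes


def find_spikes(log_text):
    """Return {(client, name): [spike days]} for every pair that has at least one spike."""
    # Caveat: a host that connects by raw IP never appears here; pair this with flow logs.
    return {pair: s for pair, c in daily_counts(log_text).items() if (s := spike_days(c))}
```

Running `find_spikes(SAMPLE_LOG)` flags only 2016-07-27 for the mail.example-a.test lookups, since that day's eight queries dwarf the one or two on surrounding days.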
So anyway, the researchers spotted the abnormal communications and asked trump tower and Alfa Bank what the communications were about. The communications immediately stopped and servers with new names and different addresses appeared that picked the comms right back up after a short delay. They didn’t know how they were being tracked and thought they could hide different named systems (maybe the same systems with new names) but the end result was only that they revealed they were trying to keep the communications hidden.
When asked about the new machines, the communications dropped off the radar and stopped completely, at least as far as could be revealed through DNS audits.
Krebs goes over all this stuff, has references, and discusses the meanings. Someone at trump tower was communicating very frequently with someone at Alfa Bank in Moscow. Oh yeah, Alfa Bank is a known cover for Russia’s FSB.
Other articles about this weren’t exactly sure what was going on and the FBI just kind of shrugged.
The trump organization tried to claim it was an ad server but Krebs explains why that excuse doesn’t fly. The thing is, DNS only shows the twin servers kept asking the DNS system for the other machine’s IP. It doesn’t reveal the content of the communications. Once the machines got the IP address of the other, communications were just between the systems. The only hope to recover content would be the big NSA systems that make copies and save communications that cross our international borders. That would likely be born classified and we probably won’t ever know unless it gets revealed as espionage or treason as part of all this other trump chaos. I wouldn’t bet against it.
What is known is the systems were in near constant communications and the frequency of those communications when graphed has big spikes around various news items like the “Russia if you’re listening” thing, and other big splash things back then.
Again, Krebs is upset that one of the researchers got in trouble when he didn’t mention his Hillary ties when asked but he has a great discussion of the situation. There is no doubt the systems were communicating. Krebs explains why they weren’t doing the things trumpco claimed. So what were they doing and why were the communications so tied to news events? Who was using them? Why?
Anyone curious can make up their own minds but it sure looks to me like trump had an open communications line with Putin and the Kremlin through Alfa Bank. Since the communications went dark, the safest assumption is that they caught on that DNS was ratting on the communications so they switched to IP addresses instead. The guys asking questions were DNS people. Not a hard leap to figure out that’s what blew the whistle. Trivial to switch to just using IP addresses and it hides the communications from convenient view. To get at comms using IP addresses, you have to do a man-in-the-middle attack or own one of the servers in the path. A lot harder. Plus there would likely be encryption involved to further obfuscate whatever was being said.
So we likely won’t ever know, but the fact that trump and Alfa never adequately explained it, and their explanations don’t fit with what is known, and in light of all the other Russian ties, it sure looks like coordination and communication between the trump campaign and Russia leading up to the 2016 election.
Combine that with highest level classified materials unsecured at Mar-a-Lago and it could be trump has always been Putin’s tool and either useful idiot or outright spy.