The Expert's View with Jeremy Kirk


Trump-Russia Conspiracy? Nope, Just Regular DNS Lookups

Report's Supposed Technical Evidence Doesn't Add Up, Security Experts Say

It's the story several media outlets were pursuing, but highly cautious about publishing: Was there secret communication between Donald Trump's camp and a Russian bank?


In a U.S. presidential election where hacking - for the first time ever - has tremendously shaped the campaign, it was an alluring tip. With the U.S. vowing revenge for what it claims are Russian-led cyber operations, it is a potentially explosive story that could have thrown another last-minute hurdle before Election Day next Tuesday (see Clinton, Trump: Head-to-Head Over Purported Russian Hacks).

Slate's Franklin Foer took the leap, publishing a lengthy piece that detailed an odd discovery noticed by researchers with access to Domain Name System logs. DNS is the system that translates domain names into IP addresses. It underpins all internet activity, from email to loading web pages.

The researchers analyzed what are known as passive DNS logs, which record the DNS lookups made by hosts on the internet. Passive DNS is extremely useful, and many security companies have broad visibility into DNS traffic. For example, researchers use it to figure out which servers malicious software programs are trying to reach, which can lend further clues to where stolen data may be stashed.

Earlier this year, the Russian financial institution Alfa Bank began querying DNS hundreds of times for a host name registered to the Trump Organization. The pattern of DNS lookups suggested people within the organizations were communicating, Slate contends.

"The logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence," Foer writes.

It's tantalizing information, particularly since Trump encouraged Russia to find Hillary Clinton's missing emails, part of the long-running controversy over her use of a private email server. But since Foer's story was published, there are wide doubts as to whether that data has been accurately interpreted to the exclusion of more plausible explanations.

Alfa Bank has also strongly dismissed the Slate report and its allegations. "Alfa Bank wishes to make clear that there is no connection between Alfa Bank and Donald Trump, the Trump campaign, or the Trump organization," the bank says in a Nov. 1 statement. "Any suggestion to the contrary by this article is false."

Secret Communication, Anonymous Sources

Foer's piece does not lack for sourcing and includes Paul Vixie, a widely regarded computer scientist. But the core research came from someone nicknamed Tea Leaves, who runs a cybersecurity company, and two unnamed others. Foer goes to lengths to assure readers that Tea Leaves is an authoritative person and that the other two didn't want to be named due to their positions in industry and law enforcement.

The Intercept writes that it and other media outlets were passed an academic-style white paper, an analysis of that paper and a dossier on Alfa Bank. None of the authors of any of the documents have been identified, and it doesn't appear that material has been publicly released. But Alfa Bank says the information was given to reporters "by an anonymous cyber group."

The Trump server in question, mail1.trump-email.com, was set up for marketing purposes but didn't handle much traffic. The DNS lookups from Alfa Bank, which began earlier this year, spiked at key points during the campaign and during the Democratic and Republican conventions, which further raised eyebrows.

After The New York Times queried the Trump campaign in mid-September, the host was shut down. Four days later, a new host name was created, trump1.contact-client.com, which Alfa Bank reportedly tried to resolve. Vixie is quoted as saying someone would have had to inform Alfa Bank of the new host name for that to happen.

Several Investigations

Because the research has been circulating for a while privately, the FBI - on heightened alert over Russian hacking - investigated. But The New York Times reported Oct. 31 that the FBI "ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts."

While this was unfolding, Alfa Bank hired FireEye's computer forensics unit Mandiant to investigate. The bank allowed Mandiant access to systems in Moscow and gave investigators a scanned copy of a printed log showing 2,800 DNS lookups over three months earlier this year, which were provided to the bank by the media.

Anti-spam or other security software can generate the kind of DNS lookups contained in the log, Mandiant says. "Nothing we have or have found alters our view as described above that there isn't evidence of substantive contact or a direct email or financial link between Alfa Bank and the Trump Campaign or Organization," according to a statement provided to ISMG.

Experts See 'Non-Scandal'

Robert Graham, CEO of Errata Security, has dismissed Slate's story as nonsense. He writes that the trump-email.com domain is registered to the Trump Organization but is actually administered by a company called Cendyn, which does marketing for hotels. DNS records show that Cendyn has set up many similar host names for its other marketing clients.

The system set up for Trump was probably sending marketing emails to Alfa Bank, which then did reverse DNS queries to figure out where the email was coming from.

"I've heard from other DNS malware researchers (names remain anonymous) who confirm they've seen lookups for 'mail1.trump-email.com' from all over the world, especially from tools like FireEye that process lots of spam email," Graham writes on his blog.
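The benign explanation above (a recipient's mail gateway doing routine anti-spam checks, which show up in passive DNS as repeated lookups of the sender's host name) can be made concrete. The following is an added illustration, not code from the article, Graham or Mandiant. Every host name, IP address, mailing schedule and log line in it is constructed; no real DNS is queried. It shows the lookups a receiving mail server typically issues per inbound message, generates passive-DNS-style records from a constructed mailing schedule, and aggregates them the way an analyst would, so that the "lookups per day" curve is simply the "messages received per day" curve:

```python
"""
Added example: why a bulk mailer's host name appears hundreds of times in
passive DNS from one recipient network, with no direct communication.
All names, addresses, zone data and log lines are constructed placeholders.
"""
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sender: the marketing mailer's HELO name, connecting IP and domain.
SENDER_HOST = "mail1.sender-marketing.example"
SENDER_IP = "198.51.100.25"
SENDER_DOMAIN = "sender-marketing.example"
# Constructed recipient: the resolver of the organisation receiving the mail.
RECIPIENT_RESOLVER = "203.0.113.53"

# Constructed schedule of messages received per day; the two large days stand in
# for the "spikes" the article describes.
MAIL_VOLUME = {
    date(2016, 7, 18): 3,
    date(2016, 7, 25): 40,
    date(2016, 8, 1): 2,
    date(2016, 8, 15): 35,
}


def reverse_name(ip):
    """Build the in-addr.arpa name used for a PTR (reverse) lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def inbound_mail_checks(connecting_ip, helo_name, sender_domain):
    """Queries a recipient MTA or anti-spam filter issues for one inbound SMTP
    session, before it has read any message content."""
    return [
        ("PTR", reverse_name(connecting_ip)),  # who owns the connecting address?
        ("A", helo_name),                      # does the HELO name resolve back to it?
        ("TXT", sender_domain),                # SPF policy of the envelope sender
        ("MX", sender_domain),                 # can the sender domain take bounces?
    ]


# Constructed zone answers standing in for what the resolver would receive.
ZONE = {
    ("PTR", reverse_name(SENDER_IP)): [SENDER_HOST],
    ("A", SENDER_HOST): [SENDER_IP],
}


def fcrdns_ok(connecting_ip, zone):
    """Forward-confirmed reverse DNS: the PTR of the IP names a host whose A
    record contains that IP. A common, content-free anti-spam check."""
    for name in zone.get(("PTR", reverse_name(connecting_ip)), []):
        if connecting_ip in zone.get(("A", name), []):
            return True
    return False


def simulate_passive_dns(volume, resolver_ip):
    """Emit constructed passive-DNS-style lines: '<timestamp> <client> <qtype> <qname>',
    one set of checks per message received."""
    lines = []
    for day, n in sorted(volume.items()):
        for i in range(n):
            ts = f"{day.isoformat()}T{10 + i % 8:02d}:{(i * 7) % 60:02d}:00Z"
            for qtype, qname in inbound_mail_checks(SENDER_IP, SENDER_HOST, SENDER_DOMAIN):
                lines.append(f"{ts} {resolver_ip} {qtype} {qname}")
    return lines


def parse_line(line):
    """Split one constructed passive DNS line into its fields."""
    ts, client, qtype, qname = line.split()
    return {"day": ts[:10], "client": ip_address(client), "qtype": qtype, "qname": qname}


def summarize(lines, qname):
    """Aggregate lookups of `qname`: total, per day, and per client /24."""
    hits = [r for r in map(parse_line, lines) if r["qname"] == qname]
    per_day = Counter(r["day"] for r in hits)
    per_net = Counter(str(ip_network(f"{r['client']}/24", strict=False)) for r in hits)
    return {"total": len(hits), "per_day": dict(per_day), "per_net": dict(per_net)}


if __name__ == "__main__":
    log = simulate_passive_dns(MAIL_VOLUME, RECIPIENT_RESOLVER)
    print(f"FCrDNS passes for sender: {fcrdns_ok(SENDER_IP, ZONE)}")
    print(summarize(log, SENDER_HOST))
```

The lookups of `SENDER_HOST` counted per day match the mailing schedule one for one, and they all come from the recipient's /24: exactly the shape a passive DNS analyst sees, and it is produced entirely by the recipient checking the sender, not by anyone at either end exchanging anything.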

Graham's opinions on computer security are polarizing at times, but his analysis received praise from other experts who often spar with him.

"I rarely agree with @erratarob, but his analysis of the 'trump email server' non-scandal is spot on," writes Christopher Soghoian, principal technologist and a senior policy analyst with the ACLU Speech, Privacy, and Technology Project.

Thomas H. Ptacek, a principal with Latacora and founder of Matasano Security, humorously writes: "I rarely agree with @csoghoian and actively avoid agreeing with Rob Graham, but: yes. This is some shameful shit."

Beware Journalism Errors

The situation serves as a cautionary tale about interpreting highly technical data and casting it in support of an unsubstantiated theory. It's not an uncommon problem in publishing: a journalist whose determination to publish a scoop clouds their otherwise objective, critical view of the facts.

The body of Foer's piece centers on establishing that these two servers communicated, which is indisputable, and that we should then believe:

  1. This is strange because many experts say so;
  2. This means there is something else going on.

But the "something else" is never justified with facts, leaving a gaping hole that the piece attempts to fill with endless background on U.S.-Russian cyber tension.

For the reader, reaching the end of the piece might induce a chin-stroking moment and an interpretation that tilts toward impropriety by Trump's people. But Foer hedges heavily in the second-to-last paragraph, warning that the evidence is no smoking gun and that there could be alternative explanations. By then, however, perhaps it's too late.



About the Author

Jeremy Kirk


Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
