Slashdot Mirror

← Back to Stories (view on slashdot.org)

Computer Scientists Believe a Trump Server Was Communicating With a Russian Bank (slate.com)

Posted by BeauHD on from the fraternizing-with-the-enemy dept.

In light of the Democratic National Committee hack by the Russians earlier this year, a "tightly knit community of computer scientists" working in a variety of fields came up with the hypothesis, "which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump's many servers." In late July, one of the scientists who asked to be referred to as Tea Leaves discovered possible malware emanating from Russia, with the destination domain having Trump in its name. What the researcher saw "was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue": Slate Magazine reports: More data was needed, so he began carefully keeping logs of the Trump server's DNS activity. As he collected the logs, he would circulate them in periodic batches to colleagues in the cybersecurity world. Six of them began scrutinizing them for clues. The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn't the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation -- conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank. The server was first registered to Trump's business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump. But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. That wasn't the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health.

2 of 548 comments (clear)

  1. Re:possibily illegal by Xenographic · · Score: 5, Informative

    Nah, it's worse than that, looks like they were sniffing traffic at either the ISP of one of the two endpoints or a backbone.

    If there were something here, you'd expect them to talk about finding data in the ICMP echo requests. You'd expect them to communicate over something normal like SSH. You'd expect some evidence that there was something illegal or improper going on here (other than, y'know, spying on other people's network traffic....).

    Their audience is apparently morons who don't know what a ping is.

  2. Re: BULL SH!T by ArmoredDragon · · Score: 5, Informative

    Without having read TFA, often even as a network engineer, I'll use the term "ping" even when not referring to ICMP. For example, I'll refer to an SNMP walk (of any kind) as a "ping".

    Still though, this doesn't come off as suspicious to me at all. Since when is it odd or otherwise unusual that a server belonging to a billionaire talks to a server belonging to a bank in a foreign country? That's like saying that it's odd that there's dog piss on a fire hydrant.