Computer Scientists Believe a Trump Server Was Communicating With a Russian Bank

In light of the Democratic National Committee hack by the Russians earlier this year, a "tightly knit community of computer scientists" working in a variety of fields came up with the hypothesis, "which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump's many servers." In late July, one of the scientists who asked to be referred to as Tea Leaves discovered possible malware emanating from Russia, with the destination domain having Trump in its name. What the researcher saw "was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue": Slate Magazine reports: More data was needed, so he began carefully keeping logs of the Trump server's DNS activity. As he collected the logs, he would circulate them in periodic batches to colleagues in the cybersecurity world. Six of them began scrutinizing them for clues. The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn't the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation -- conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank. The server was first registered to Trump's business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump. But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. That wasn't the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses. A small portion of the logs showed communication with a server belonging to Michigan-based Spectrum Health.

Re:I've seen things at least that strange

It's a well-researched and written story.

What a fucking joke. This is still slashdot, right? There are still people here that understand TCP/IP and DNS, right? I only ask because the author of the slate article makes it abundantly clear that he is unaware of the difference between a server and a domain.

The server was first registered to Trump’s business in 2009

Does that look well researched to anyone here? If you were consulting with a reporter writing a story about servers and DNS, would you let him leave that sentence in the story? Or would you correct him?

More:

But what he saw was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue.

What is on 5th Avenue? I'll give you a hint, it isn't the bank, the server or the domain. Someone go stop the presses, I think we just found the mailing address of Trump's office.

But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. “I get more mail in a day than the server handled,” Davis says.

That wasn’t the only oddity. When the researchers pinged the server, they received error messages. They concluded that the server was set to accept only incoming communication from a very small handful of IP addresses.

Ok, so the server isn't advertising itself with a banner that says "I am a beowolf cluster, and these chumps have be running 5 emails a day." How do these "researchers" know what it is inside? Did they commit some felonies to find out? Do I sense yet another batch of Democrats taking the 5th in the near future?

Assuming they get in through some means, what do they find? Is it a capacious server with huge operating costs, like geothermal liquid cooling? Or is it a 1U stuffed into a rack somewhere and forgotten until someone walks past and notices that the idiot light is lit, 6 months after it shuts itself off because the PSU fan failed? Or is this server just an A record in DNS somewhere, in a domain that exists mostly so that recipient mailservers have a SPF record to look at? They don't tell us any specifics. My guess is that the "well-researched" writer thinks that each domain name needs a big dedicated server, at least to the extent that he is able to recognize them as distinct concepts and objects.

I don't know about you guys, but I check my domain names and purge stale domains about once per decade. The $15 per year to leave them on autopilot autorenewal mode is literally less expensive than my effort to sift through the list plucking out the ones that I no longer need.