Trump Tower and Alfa Bank

| No Comments | No TrackBacks

Salon's Franklin Foer looks into Trump's connection with Russia's Alfa Bank; it's disturbing, in a coffin-nail kind of way:

In late July, one of these [computer] scientists--who asked to be referred to as Tea Leaves, a pseudonym that would protect his relationship with the networks and banks that employ him to sift their data--found what looked like malware emanating from Russia. The destination domain had Trump in its name, which of course attracted Tea Leaves' attention. But his discovery of the data was pure happenstance--a surprising needle in a large haystack of DNS lookups on his screen. "I have an outlier here that connects to Russia in a strange way," he wrote in his notes. He couldn't quite figure it out at first. But what he saw was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue.

More data was needed, so he began carefully keeping logs of the Trump server's DNS activity. As he collected the logs, he would circulate them in periodic batches to colleagues in the cybersecurity world. Six of them began scrutinizing them for clues.

(I communicated extensively with Tea Leaves and two of his closest collaborators, who also spoke with me on the condition of anonymity, since they work for firms trusted by corporations and law enforcement to analyze sensitive data. They persuasively demonstrated some of their analytical methods to me--and showed me two white papers, which they had circulated so that colleagues could check their analysis. I also spoke with academics who vouched for Tea Leaves' integrity and his unusual access to information.

This was not a malware attack or the work of bots, writes Foer:

The irregular pattern of server lookups actually resembled the pattern of human conversation--conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn't an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.

Trump's server configuration "looked weird, and it didn't pass the sniff test," and "this capacious server handled a strangely small load of traffic:"

Eighty-seven percent of the DNS lookups involved the two Alfa Bank servers. "It's pretty clear that it's not an open mail server," Camp told me. "These organizations are communicating in a way designed to block other people out."

Earlier this month, the group of computer scientists passed the logs to Paul Vixie. In the world of DNS experts, there's no higher authority. Vixie wrote central strands of the DNS code that makes the internet work. After studying the logs, he concluded, "The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project." Put differently, the logs suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence. Over the summer, the scientists observed the communications trail from a distance. [...]

"I have nothing to do with Russia," he [Trump] told one reporter, a flat denial that he repeated over and over. [but] The sweeping nature of Trump's claim, however, prodded the scientists to dig deeper. They were increasingly confident that they were observing data that contradicted Trump's claims.

One scientist said, "I'm seeing a preponderance of the evidence, but not a smoking gun." The NYT investigated such intriguing tales as how Alfa Bank's founder Mikhail Fridman "rose from operating a window washing company" to become "the second richest man in Russia, valued by Forbes at $15.3 billion:"

The Times hadn't yet been in touch with the Trump campaign--Lichtblau spoke with the campaign a week later--but shortly after it reached out to Alfa, the Trump domain name in question seemed to suddenly stop working. [...] The computer scientists believe there was one logical conclusion to be drawn: The Trump Organization shut down the server after Alfa was told that the Times might expose the connection.

Foer observes:

Four days later, on Sept. 27, the Trump Organization created a new host name,, which enabled communication to the very same server via a different route.

There were, of course, dubious denials from the Trump camp--from "Alfa Bank does not have and has never had any special or exclusive internet connection with Mr. Trump or his entities" to "The Trump Organization has no communication or relationship with this entity or any Russian entity."

"What the scientists amassed wasn't a smoking gun," he admits:

It's a suggestive body of evidence that doesn't absolutely preclude alternative explanations. But this evidence arrives in the broader context of the campaign and everything else that has come to light: The efforts of Donald Trump's former campaign manager to bring Ukraine into Vladimir Putin's orbit; the other Trump adviser whose communications with senior Russian officials have worried intelligence officials; the Russian hacking of the DNC and John Podesta's email.

We don't yet know what this server was for, but it deserves further explanation.

update (11/2 @ 9:11pm):
Foer's follow-up piece on Alfa Bank offers this caveat:

The computer scientists had no actual examples of email exchanged between Trump and Alfa--only inferences about that prospect, based on their close reading of the logs. I spoke with many DNS experts. They found the evidence strongly suggestive of a relationship between the Trump Organization and the bank but not conclusive.

In addition to "responses from the Trump campaign and Alfa Bank," Foer also provides "a series of valuable objections and credible alternate theories" about the Trump/Alfa connection--including that the server in question [] "was run and managed by Cendyn, a vendor that organizes email marketing campaigns for hotels and resorts:"

At first, Trump spokeswoman Hope Hicks told me the server "has not been used since 2010." She continued, "To be clear, The Trump Organization is not sending or receiving any communications from this email server." The Intercept has since turned up at least two examples of a Trump email, promoting hotels, being sent from that server in 2015 and 2016.

"It seems unlikely," Foer snarks, "that a campaign would so exclusively focus its efforts on a bank in Russia." His explanation for the investigation makes his rationale explicit:

I pursued this story because I was impressed by the emphatic belief of the experts I consulted, my suspicions were raised by the evidence they presented, and I thought I would be remiss if I sat on data that I believed deserves to be evaluated and understood before we elect the next president. The underlying context for the piece is that Donald Trump has cultivated a troubling relationship with Russia, and the U.S. government has identified Russia as trying to meddle in this election.

No TrackBacks

TrackBack URL:

Leave a comment

About this Entry

This page contains a single entry by cognitivedissident published on November 1, 2016 12:45 PM.

Trumpism and "hate spin" was the previous entry in this blog.

Fox and "peak propaganda" is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives


  • About
  • Contact
OpenID accepted here Learn more about OpenID
Powered by Movable Type 5.031