Thursday, October 11, 2018

Why The Alfa Bank Mystery Is Key To Understanding Trump-Russia Collusion

One very big question remains unanswered as investigations into Russia’s cyber sabotage of the 2016 elections forge ahead. That question is not whether the Trump campaign colluded with Moscow, which it certainly did based on a wealth of evidence, but how the campaign and Vladimir Putin’s cyberwarriors communicated. 
There were, of course, numerous meetings between Trump campaign officials and Russian cutouts, and several of those officials are cooperating with Special Prosecutor Robert Mueller.  But solving what we'll call the Alfa Bank Mystery may go a long way to answering the question of how the campaign, in all likelihood operating from Trump Tower, and those cyberwarriors communicated about the nitty-gritty of their collusion.  This included voter targeting and demographics, and possibly coordinating damaging WikiLeaks releases of emails hacked by some of those cyberwarriors with candidate Trump's schedule of appearances and major stump speeches for maximum impact. 
What has been long known is that two servers owned by Alfa Bank, one of the largest banks in Russia, looked up the address of a Trump server nearly every day during the campaign, a total of more than 2,000 times between May and September 2016. 
Dexter Filkins does not solve the mystery in an exhaustive new piece in The New Yorker. But he considerably advances our understanding of the mystery's parameters through interviews with savvy computer scientists who have found digital fingerprints that pretty much put the lie to the litany of rationales and excuses offered by the campaign and others in trying to explain away the deluge of lookups. 
The first thing you should know about the nitty-gritty of the mystery is that Alfa Bank and most of the people on the receiving end of the lookups probably didn't know they were occurring.  (I'll explain why in a moment.)   The second thing you should know is that key to discerning the importance of the lookups is understanding the Domain Name System (DNS), a worldwide network that acts as a sort of phone book for the Internet, translating domain names into IP addresses, the strings of numbers that computers use to identify one another. 
The computer scientists, who for the most part want to remain anonymous, became involved after reports in June 2016 that the Democratic National Committee (DNC) had been hacked, probably by Russians.  The computer scientists speculated that if the Russians were hacking the Democrats they must be hacking the Republicans, too.  They were, but were not releasing any of the hacked Republican materials. 
Intrigued by the possibility that there was collusion in the form of computer communications between the Trump campaign and Russians, the computer scientists began their search for fingerprints by examining DNS logs for domains associated with Republican candidates.  DNS logs are records of the servers used by private companies, public institutions and . . . yes, banks, and reveal who has been trying to connect with whom. 
One of the computer scientists, who called himself Max, told Filkins that they went looking for fingerprints similar to those on the Russian-hacked DNC computers, but "we didn't find what we were looking for.  [But] we found something totally different. Something unique." 
It was in the small town of Lititz, in Pennsylvania Dutch country, that they stumbled on a domain linked to the Trump Organization that was behaving in a peculiar way.   
The server that housed the domain belonged to a company called Listrak, which mostly delivered mass-marketing e-mails.  Some Trump Organization domains sent mass e-mail blasts, but the one that Max and his colleagues spotted appeared not to be sending anything.  However, at the same time a very small group of companies -- two in all -- seemed to be trying to communicate with it.  
Examining records for the Trump domain over the summer of 2016, Max's group discovered DNS lookups from a pair of servers owned by Alfa Bank.  They found there were dozens of lookups on some days and far fewer on others, but the total number was more than 2,000 between May and September 2016.  
"We were watching this happen in real time -- it was like watching an airplane fly by," Max said.  "And we thought, 'Why the hell is a Russian bank communicating with a server that belongs to the Trump Organization, and at such a rate?'" 
Only one other entity seemed to be reaching out to the Trump Organization's domain with any frequency: Spectrum Health, of Grand Rapids, Michigan. 
Spectrum Health is closely linked to the filthy-rich DeVos family, who are major Trump contributors.  They include Betsy DeVos, whom Trump appointed Secretary of Education, and her brother, the particularly vile Erik Prince, the founder of the notorious Blackwater group and who, to Special Counsel Mueller's great interest, in all likelihood was a Russian cutout when he secretly met after the election with a Putin pal in the Seychelles to discuss setting up a back channel between Trump and the Russian leader. 
Why was the Trump Organization's domain, set up to send mass-marketing e-mails, conducting such meager activity?  And why were computers at Alfa Bank and Spectrum Health trying to reach a server that didn't seem to be doing anything?
After analyzing the data, the answer became clear.  The fingerprints pointed to a covert communication channel that might have used a method called foldering.  With foldering, messages are written but not sent; instead, they are saved in a drafts folder, where an accomplice who also has access to the account can read them. 
The Trump campaign and Trump Organization, Alfa Bank and Spectrum Health have repeatedly and strenuously denied the covert channel finding.  Never missing an opportunity to bash the opposition, the Trump campaign added, "The only covert server is the one Hillary Clinton recklessly established in her basement."  One Trump Organization denial included a particularly convoluted explanation for the lookups that indicates someone may have known what really was going on. 
(Alfa Bank may get a pass on this because it is the rare major Russian financial institution that has managed to stay an arm's length from Putin, would have suffered a public-relations disaster with Western customers if it was involved in the covert channel and, like I said, may actually have been unaware that its servers were being used for nefarious purposes.)  
In August, Max decided to reveal the data that he and his colleagues had assembled because, if the covert communications were real, "this potential threat to our country needed to be known before the election." 
He decided to hand over their findings to the FBI and to Eric Lichtblau, a New York Times reporter with cybersecurity chops, who in turn shared the findings with three computer scientists.  They were struck by the unusual traffic on the server and by the substantial effort that had gone into concealing it. 
"These people who should not be communicating are clearly communicating," concluded one of the computer scientists, Jean Camp of Indiana University. 
Lichtblau prepared a story.  The FBI asked The Times to sit on it, and then seemed to lose interest.  Then Dean Baquet, The Times' executive editor, decided that it would not suffice to report the existence of the computer contacts without knowing their purpose.  The resulting October 31 story not only was watered down, but it erroneously reported that the FBI had not found any links between the Trump campaign and Russia. 
A day earlier, Slate had published a story by Franklin Foer that made a detailed case for the possibility of a covert link between Alfa Bank and Trump and quoted several experts, most of whom said that there appeared to be no other plausible explanation for the data.

One aspect of Foer's story was particularly intriguing. 
On September 21, The Times had provided potential evidence of the communication channel to a Washington lobbying firm that worked for Alfa Bank.  Two days later, the Trump domain vanished from the Internet, but for four more days, the servers at Alfa Bank kept trying to look up the Trump domain.  Then, 10 minutes after the last attempt, one of them looked up another domain which had been configured to lead to the same Trump Organization server. 
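As an added illustration, not from Filkins' reporting or the computer scientists' own tooling, of the two DNS-log checks the story turns on: a census of which clients keep looking up a near-dormant name, and a check for a client that, shortly after the name returns NXDOMAIN, resolves a different label to the address that name used to point at. The log lines, client addresses and domain names below are constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (not real data): "timestamp client qname rcode answer".
# 203.0.113.5 and .6 play the two persistent clients; 198.51.100.7 is the shared server.
LOG = """\
2016-09-21T08:00:00Z 203.0.113.5 mail1.campaign-dormant.test NOERROR 198.51.100.7
2016-09-21T08:40:00Z 203.0.113.6 mail1.campaign-dormant.test NOERROR 198.51.100.7
2016-09-21T09:00:00Z 192.0.2.9 mail1.campaign-dormant.test NOERROR 198.51.100.7
2016-09-22T08:00:00Z 203.0.113.5 mail1.campaign-dormant.test NOERROR 198.51.100.7
2016-09-23T08:00:00Z 203.0.113.5 mail1.campaign-dormant.test NXDOMAIN -
2016-09-25T08:00:00Z 203.0.113.6 mail1.campaign-dormant.test NXDOMAIN -
2016-09-27T08:00:00Z 203.0.113.5 mail1.campaign-dormant.test NXDOMAIN -
2016-09-27T08:10:00Z 203.0.113.5 alt.hosting-alias.test NOERROR 198.51.100.7
2016-09-20T12:00:00Z 198.51.100.20 alt.hosting-alias.test NOERROR 198.51.100.7
"""

def parse(log):
    """Split 'timestamp client qname rcode answer' lines into records."""
    fields = ("ts", "client", "qname", "rcode", "answer")
    records = [dict(zip(fields, line.split())) for line in log.splitlines()]
    for r in records:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return records

def lookup_census(records, qname):
    """Lookups of qname per client; a quiet name queried almost only by one or two clients stands out."""
    return Counter(r["client"] for r in records if r["qname"] == qname)

def pivot_after_nxdomain(records, window=timedelta(minutes=15)):
    """Clients that, within `window` of an NXDOMAIN for one name, resolve another name to an IP the first name used."""
    ips_for = defaultdict(set)
    for r in records:
        if r["rcode"] == "NOERROR":
            ips_for[r["qname"]].add(r["answer"])
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)
    pivots = []
    for client, recs in by_client.items():
        for i, r in enumerate(recs):
            if r["rcode"] != "NXDOMAIN":
                continue
            for later in recs[i + 1:]:
                if later["ts"] - r["ts"] > window:
                    break
                if (later["rcode"] == "NOERROR" and later["qname"] != r["qname"]
                        and later["answer"] in ips_for[r["qname"]]):
                    pivots.append((client, r["qname"], later["qname"], later["answer"]))
    return pivots
```

Run on real resolver logs, the same two functions answer the questions the article poses: who was querying the quiet name, and who followed it to its new label after it disappeared.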
The Slate story notwithstanding, interest in the Alfa Bank Mystery began to fade following Trump's November 8 victory.  This is not necessarily surprising given the extraordinary quantity of developments being reported as the shocking breadth and depth of the Russia scandal started to become known. 
Then an unnamed Democratic senator became interested. 
The senator enlisted Daniel Jones, a former FBI counterterrorism investigator who runs a security firm and a nonprofit initiative intended to keep elections free from foreign interference.  To assess the Alfa Bank data, Jones assembled yet another team of computer scientists and divided them into two geographic groups.  In order to encourage an unbiased outcome, Jones never introduced the East Coast group to the West Coast group.  
"I started from an assumption that this is a bunch of nonsense," one of the computer scientists, who used the pseudonym Leto, told Filkins.  But in the end he too became convinced that he was looking at a covert communications channel. 
"If I’m a cop, I'm not going to take this to the DA and say we're ready to prosecute," Leto said.  "I'm going to say we have enough to ask for a search warrant." 
No one is holding their breath waiting for that to happen, and there is a small army of detractors. 
Among them is Marcy Wheeler, a first-rate blogger whose posts at emptywheel have been some of the best on the Russia scandal. 
Wheeler's big gripe with analyses of the Alfa Bank scandal, which she reiterates after her initial read of the Filkins piece, is what she calls "shitty link analysis," or making unwarranted or weak connections and jumping to overarching conclusions based on those connections.  Wheeler is especially critical of Filkins' Spectrum Health tie-in and his assertion that Erik Prince's known activities on behalf of Trump validate that tie-in although better communications channels were available than "using the network of a hospital that his brother-in-law chairs but doesn't run." 
Wheeler concludes that "This Trump Tower – Alfa Bank story continues to spin journalists, not to mention academics and infosec experts, into uncharacteristic habits that don't appear to be leading to any real clarity about the topic at hand."      
I mostly disagree. 
In the final analysis (mine), it is impossible to dispute the conclusions of a small army of computer scientists who together and independently determined that at the heart of the Alfa Bank Mystery is the existence of a covert communication channel. 
If we have learned anything from the Russia scandal, it is that "uncanny" series of events and seeming "coincidences" are anything but.  There was in all likelihood a sophisticated, deeply concealed means for members of the Trump campaign and those cyberwarriors to communicate undetected in real time, and a close reading of a timeline of many of the actions and reactions of both parties over the four-month period examined by the computer scientists reveals the probability of a sophisticated level of coordination. 
That makes chasing the Alfa Bank Mystery an imperative, not a fool's errand.  And when and if the mystery is solved, the major unanswered question of how Donald Trump usurped the presidency finally will have been answered.

Click HERE for a comprehensive timeline of the Russia scandal and related developments.


Dan Leo said...

A continued thanks for your continuing work in making sense of all this. One can only hope that Mueller's people are digging into all this.

Bscharlott said...

My own hypothesis is that the Trump folks were using this channel to share polling data/analyses to help the Russians decide what groups/geographical areas to target with social media disinformation.

Anonymous said...

This might be a case where the technical minutiae overwhelm the layman's capacity to understand the nut of the matter. For instance, beyond Filkins, I don't know that it moves the issue forward to reference "Max" repeatedly, as he did. It might suffice to say that a team of computer forensics experts agree that the link is suspect.

I was sort of fascinated, though, to learn that there's an organized team of unsung and anonymous computer whizzes -- sort of like the ultimate Wikipedia editors -- who are relied upon to investigate, unpack and neutralize Internet-wide intrusions and malware.

Filkins' piece, and yours to a lesser extent, follows the technical bread crumbs so carefully that I worry we lose sight of what is ultimately in play. Still, I honor your elaboration of the mystery and take all your points. This could indeed prove to be the crux of the matter: how they communicated.