September 23, 2021

In October 2016, media outlets reported that data collected by some of the world’s most renowned cybersecurity experts had identified frequent and unexplained communications between an email server used by the Trump Organization and Alfa Bank, one of Russia’s largest financial institutions. Those publications set off speculation about a possible secret back-channel of communications, as well as a series of lawsuits and investigations that culminated last week with the indictment of the same former federal cybercrime prosecutor who brought the data to the attention of the FBI five years ago.

The first page of Alfa Bank’s 2020 complaint.

Since 2018, access to an exhaustive report commissioned by the U.S. Senate Armed Services Committee on data that prompted those experts to seek out the FBI has been limited to a handful of Senate committee leaders, Alfa Bank, and special prosecutors appointed to look into the origins of the FBI investigation on alleged ties between Trump and Russia.

That report is now public, ironically thanks to a pair of lawsuits filed by Alfa Bank, which doesn’t directly dispute the information collected by the researchers. Rather, it claims that the data they found was the result of “highly sophisticated cyberattacks against it in 2016 and 2017” intended “to fabricate apparent communications” between Alfa Bank and the Trump Organization.

The data at issue refers to communications traversing the Domain Name System (DNS), a global database that maps computer-friendly coordinates like Internet addresses (e.g., 8.8.8.8) to more human-friendly domain names (example.com). Whenever an Internet user gets online to visit a website or send an email, the user’s device sends a query through the Domain Name System.

Many different entities capture and record this DNS data as it traverses the public Internet, allowing researchers to go back later and see which Internet addresses resolved to what domain names, when, and for how long. Sometimes the metadata generated by these lookups can be used to identify or infer persistent network connections between different Internet hosts.

The DNS strangeness was first identified in 2016 by a group of security experts who told reporters they were alarmed at the hacking of the Democratic National Committee, and grew concerned that the same attackers might also target Republican leaders and institutions.

Scrutinizing the Trump Organization’s online footprint, the researchers determined that for several months during the spring and summer of 2016, Internet servers at Alfa Bank in Russia, Spectrum Health in Michigan, and Heartland Payment Systems in New Jersey accounted for nearly all of the several thousand DNS lookups for a specific Trump Organization server (mail1.trump-email.com).

This chart from a court filing Sept. 14, 2021 shows the top sources of traffic to the Trump Organization email server over a four-month period in the spring and summer of 2016. DNS lookups from Alfa Bank constituted the majority of those requests.

The researchers said they couldn’t be sure what kind of communications between those servers had caused the DNS lookups, but concluded that the data would be extremely difficult to fabricate.

As recounted in this 2018 New Yorker story, New York Times journalist Eric Lichtblau met with FBI officials in late September 2016 to discuss the researchers’ findings. The bureau asked him to hold the story because publishing might disrupt an ongoing investigation. On Sept. 21, 2016, Lichtblau reportedly shared the DNS data with B.G.R., a Washington lobbying firm that worked with Alfa Bank.

Lichtblau’s reporting on the DNS findings ended up buried in an October 31, 2016 story titled “Investigating Donald Trump, F.B.I. Sees No Clear Link to Russia,” which stated that the FBI “ultimately concluded that there could be an innocuous explanation, like marketing email or spam,” that might explain the unusual DNS connections.

But that same day, Slate’s Franklin Foer published a story based on his interactions with the researchers. Foer noted that roughly two days after Lichtblau shared the DNS data with B.G.R., the Trump Organization email server domain vanished from the Internet — its domain effectively decoupled from its Internet address.

Foer wrote that The Times hadn’t yet been in touch with the Trump campaign about the DNS data when the Trump email domain suddenly went offline. Odder still, four days later the Trump Organization created a new host — trump1.contact-client.com — and the very first DNS lookup to that new domain came from servers at Alfa Bank.

The researchers concluded that the new domain enabled communication to the very same server via a different route.

“When a new host name is created, the first communication with it is never random,” Foer wrote. “To reach the server after the resetting of the host name, the sender of the first inbound mail has to first learn of the name somehow. It’s simply impossible to randomly reach a renamed server.”

“That party had to have some kind of outbound message through SMS, phone, or some noninternet channel they used to communicate [the new configuration],” DNS expert Paul Vixie told Foer. “The first attempt to look up the revised host name came from Alfa Bank. If this was a public server, we would have seen other traces. The only look-ups came from this particular source.”

THE THEORIES

Both the Trump organization and Alfa Bank have denied using or establishing any sort of secret channel of communications, and have offered differing explanations as to how the data gathered by the experts could have been faked or misinterpreted.

In a follow-up story by Foer, the Trump Organization suggested that the DNS lookups might be the result of spam or email advertising various Trump properties, and said a Florida based marketing firm called Cendyn registered and managed the email server in question.

But Cendyn told CNN that its contract to provide email marketing services to the Trump Organization ended in March 2016 — weeks before the DNS lookups chronicled by the researchers started appearing. Cendyn told CNN that a different client had been communicating with Alfa Bank using Cendyn communications applications — a claim that Alfa Bank denied.

Alfa Bank subsequently hired computer forensics firms Mandiant and Stroz Friedberg to examine the DNS data presented by the researchers. Both companies concluded there was no evidence of email communications between Alfa Bank and the Trump Organization. However, both firms also acknowledged that Alfa Bank didn’t share any DNS data for the relevant four-month time period identified by the researchers.

Another theory for the DNS weirdness outlined in Mandiant’s report is that Alfa Bank’s servers performed the repeated DNS lookups for the Trump Organization server because its internal Trend Micro antivirus product routinely scanned domains in emails for signs of malicious activity — and that incoming marketing emails promoting Trump properties could have explained the traffic.

The researchers maintained this did not explain similar and repeated DNS lookups made to the Trump Organization email server by Spectrum Health, which is closely tied to the DeVos family (Betsy DeVos would later be appointed Secretary of Education by President Trump).

FISHING EXPEDITION

In June 2020, Alfa Bank filed two “John Doe” lawsuits, one in Pennsylvania and another in Florida. Their stated purpose was to identify the anonymous hackers behind the “highly sophisticated cyberattacks” that they claim were responsible for the mysterious DNS lookups.

Alfa Bank has so far subpoenaed at least 49 people or entities — including all of the security experts quoted in the 2016 media stories referenced above, and others who’d merely offered their perspectives on the matter via social media. At least 15 of those individuals or entities have since been deposed. Alfa Bank’s most recent subpoena was issued Aug. 26, 2021.

L. Jean Camp, a professor at the Indiana University School of Informatics and Computing, was among the first to publish some of the DNS data collected by the research group. In 2017, Alfa Bank sent Camp a series of threatening letters suggesting she was “a central figure” in what the company would later claim was “malicious cyber activity targeting its computer network.” The letters and responses from her attorneys are published on her website.

Camp’s attorneys and Indiana University have managed to keep her from being deposed by both Alfa Bank and John H. Durham, the special counsel appointed by the Trump administration to look into the origins of the Russia investigation (although Camp said Alfa Bank was able to obtain certain emails through the school’s public records request policy).

“If MIT had had the commitment to academic freedom that Indiana University has shown throughout this entire process, Aaron Swartz would still be alive,” Camp said.

Camp said she’s bothered that the Alfa Bank and Trump special counsel investigations have cast the researchers in such a sinister light, when many of those subpoenaed have spent a lifetime trying to make the Internet more secure.

“Not including me, they’ve subpoenaed some people who are significant, consistent and important contributors to the security of American networks against the very attacks coming from Russia,” Camp said. “I think they’re using law enforcement to attack network security, and to determine the ways in which their previous attacks have been and are being detected.”

Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, told KrebsOnSecurity he complied with the subpoena requests for specific emails he’d sent to colleagues about the DNS data, noting that Alfa Bank could have otherwise obtained them through the school’s public records policy.

Weaver said Alfa Bank’s lawsuit has nothing to do with uncovering the truth about the DNS data, but rather with intimidating and silencing researchers who’ve spoken out about it.

“It’s clearly abusive, so I’m willing to call it out for what it is, which is a John Doe lawsuit for a fishing expedition,” Weaver said.

TURNABOUT IS FAIR PLAY

Among those subpoenaed and deposed by Alfa Bank was Daniel J. Jones, a former investigator for the FBI and the U.S. Senate who is perhaps best known for his role in leading the investigation into the U.S. Central Intelligence Agency’s use of torture in the wake of the Sept. 11 attacks.

Jones runs The Democracy Integrity Project (TDIP), a nonprofit in Washington, D.C. whose stated mission includes efforts to research, investigate and help mitigate foreign interference in elections in the United States and its allies overseas. In 2018, U.S. Senate investigators asked TDIP to produce and share a detailed analysis of the DNS data, which it did without payment. That lengthy report was never publicly released by the committee nor anyone else.

That is, until Sept. 14, 2021, when Jones and TDIP filed their own lawsuit against Alfa Bank. According to Jones’ complaint, Alfa Bank had entered into a confidentiality agreement regarding certain sensitive and personal information Jones was compelled to provide as part of complying with the subpoena.

Yet on Aug. 20, Alfa Bank attorneys sent written notice that it was challenging portions of the confidentiality agreement. Jones’ complaint asserts that Alfa Bank intends to publicly file portions of these confidential exhibits, an outcome that could jeopardize his safety.

This would not be the first time testimony Jones provided under a confidentiality agreement ended up in the public eye. TDIP’s complaint notes that before Jones met with FBI officials in 2017 to discuss Russian disinformation campaigns, he was assured by two FBI agents that his identity would be protected from exposure and that any information he provided to the FBI would not be associated with him.

Nevertheless, in 2018 the House Permanent Select Committee on Intelligence released a redacted report on Russian active measures. The report blacked out Jones’ name, but a series of footnotes in the report named his employer and included links to his organization’s website. Jones’ complaint spends several pages detailing the thousands of death threats he received after that report was published online.

THE TDIP REPORT

As part of his lawsuit against Alfa Bank, Jones published 40 pages from the 600+ page report he submitted to the U.S. Senate in 2018. From reviewing its table of contents, the remainder of the unpublished report appears to delve deeply into details about Alfa Bank’s history, its owners, and their connections to the Kremlin.

The report notes that unlike other domains the Trump Organization used to send mass marketing emails, the domain at issue — mail1.trump-email.com — was configured in a way that would have prevented it from effectively sending marketing or bulk emails, or at least would have prevented most of the missives sent through the domain from ever making it past spam filters.

Nor was the domain configured like other Trump Organization domains that demonstrably did send commercial email, Jones’ analysis found. Also, the mail1.trump-email.com domain was never once flagged as sending spam by any of the 57 different spam block lists published online at the time.

“If large amounts of marketing emails were emanating from mail1.trump-email.com, it’s likely that some receivers of those emails would have marked them as spam,” Jones’ 2018 report reasons. “Spam is nothing new on the internet, and mass mailings create easily observed phenomena, such as a wide dispersion of backscatter queries from spam filters. No such evidence is found in the logs.”

However, Jones’ report did find that mail1.trump-email.com was configured to accept incoming email. Jones cites testing conducted by one of the researchers, who found that mail1.trump-email.com rejected messages with an automated reply saying the server couldn’t accept messages from that particular sender.

“This test reveals that either the server was configured to reject email from everyone, or that the server was configured to accept only emails from specific senders,” TDIP wrote.

The report also puts a finer point on the circumstances surrounding the disappearance of that Trump Organization email domain just two days after The New York Times shared the DNS data with Alfa Bank’s representatives.

“After the record was deleted for mail1.trump-email.com on Sept. 23, 2016, Alfa Bank and Spectrum Health continued to conduct DNS lookups for mail1.trump-email.com,” reads the report. “In the case of Alfa Bank, this behavior persisted until late Friday night on Sept. 23, 2016 (Moscow time). At that point, Alfa Bank ceased its DNS lookups of mail1.trump-email.com.”

Less than ten minutes later, a server assigned to Alfa Bank was the first source in the DNS data-set examined (37 million DNS records from January 1, 2016 to January 15, 2017) to conduct a DNS look-up for the server name ‘trump1.contact-client.com.’ The answer received was 66.216.133.29 — the same IP address used for mail1.trump-email.com that was deleted in the days after The New York Times inquired with Alfa Bank about the unusual server connections.

“No servers associated with Alfa Bank ever conducted a DNS lookup for trump1.contact-client.com again, and the next DNS look-up for trump1.contact-client.com did not occur until October 5, 2016,” the report continues. “Three of these five look-ups from October 2016 originated from Russia.”
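The kind of analysis the report describes here (and the “top sources” chart earlier in the story) is a timeline exercise over a passive-DNS dataset: rank the sources that resolved a name over a window, find sources that keep querying a name after its record is gone, and identify who first looked up a successor name that answers with the same address. The script below is an added example, not code from the article, the TDIP report or any of the researchers; its tab-separated log layout is an assumption made for the example, and the host names, addresses and timestamps are constructed placeholders from documentation ranges, not the real data.

```python
"""Passive-DNS timeline analysis over a constructed sample log (added example).

Assumed log layout, one tab-separated record per line:
    <UTC timestamp>  <source IP>  <queried name>  <answer IP or NXDOMAIN>
Host names and addresses are placeholders, not real hosts.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (not real data): two sources resolve mail1.example.com for
# months; on 2016-09-23 the record disappears (NXDOMAIN) but lookups continue;
# minutes after one source's last attempt, that same source is the first to
# resolve host1.example.org, which answers with the old address.
SAMPLE_LOG = """\
2016-05-04T08:12:00Z\t198.51.100.7\tmail1.example.com\t192.0.2.10
2016-05-04T09:40:00Z\t203.0.113.9\tmail1.example.com\t192.0.2.10
2016-05-05T08:15:00Z\t198.51.100.7\tmail1.example.com\t192.0.2.10
2016-06-10T11:02:00Z\t198.51.100.7\tmail1.example.com\t192.0.2.10
2016-06-10T13:30:00Z\t203.0.113.9\tmail1.example.com\t192.0.2.10
2016-07-01T07:05:00Z\t198.51.100.7\tmail1.example.com\t192.0.2.10
2016-07-19T22:45:00Z\t192.0.2.200\tmail1.example.com\t192.0.2.10
2016-08-02T08:01:00Z\t198.51.100.7\tmail1.example.com\t192.0.2.10
2016-09-23T10:00:00Z\t198.51.100.7\tmail1.example.com\tNXDOMAIN
2016-09-23T15:30:00Z\t203.0.113.9\tmail1.example.com\tNXDOMAIN
2016-09-23T20:31:00Z\t198.51.100.7\tmail1.example.com\tNXDOMAIN
2016-09-23T20:39:00Z\t198.51.100.7\thost1.example.org\t192.0.2.10
2016-10-05T12:00:00Z\t203.0.113.44\thost1.example.org\t192.0.2.10
"""


def ts(text):
    """Parse the log's timestamp format into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Turn the raw log into time-ordered records; names are case-folded and
    stripped of a trailing dot because DNS names compare that way."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, qname, answer = line.split("\t")
        records.append({"ts": ts(when), "src": src,
                        "qname": qname.lower().rstrip("."), "answer": answer})
    return sorted(records, key=lambda r: r["ts"])


def top_sources(records, qname, start, end):
    """Rank sources by how often they resolved qname in [start, end):
    the 'who accounts for most of the lookups' view."""
    counts = Counter(r["src"] for r in records
                     if r["qname"] == qname and start <= r["ts"] < end)
    return counts.most_common()


def first_nxdomain(records, qname):
    """Earliest NXDOMAIN answer for qname, i.e. when the record was gone."""
    for r in records:
        if r["qname"] == qname and r["answer"] == "NXDOMAIN":
            return r["ts"]
    return None


def lookups_since(records, qname, when):
    """Per-source lookups for qname at or after 'when'. A source that keeps
    asking for a deleted name is still trying to reach it."""
    return dict(Counter(r["src"] for r in records
                        if r["qname"] == qname and r["ts"] >= when))


def first_lookup(records, qname):
    """Earliest query for qname, including who sent it."""
    for r in records:
        if r["qname"] == qname:
            return r
    return None


def minutes_between(later, earlier):
    return (later - earlier).total_seconds() / 60 if earlier else None


def renamed_host_summary(records, old_name, new_name):
    """Tie a successor name to its predecessor: did new_name answer with an
    address old_name once had, which source queried it first, how soon after
    that source's last attempt on old_name, and who else queried it later."""
    first = first_lookup(records, new_name)
    if first is None:
        return None
    old_addrs = {r["answer"] for r in records
                 if r["qname"] == old_name and r["answer"] != "NXDOMAIN"}
    last_old = max((r["ts"] for r in records
                    if r["qname"] == old_name and r["src"] == first["src"]
                    and r["ts"] < first["ts"]), default=None)
    later = Counter(r["src"] for r in records
                    if r["qname"] == new_name and r["ts"] > first["ts"])
    return {
        "first_source": first["src"],
        "same_address": first["answer"] in old_addrs,
        "minutes_after_last_old_lookup": minutes_between(first["ts"], last_old),
        "minutes_after_deletion": minutes_between(first["ts"], first_nxdomain(records, old_name)),
        "later_sources": dict(later),
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    window = (ts("2016-05-01T00:00:00Z"), ts("2016-09-01T00:00:00Z"))
    print("top sources:", top_sources(recs, "mail1.example.com", *window))
    gone = first_nxdomain(recs, "mail1.example.com")
    print("lookups after deletion:", lookups_since(recs, "mail1.example.com", gone))
    print(renamed_host_summary(recs, "mail1.example.com", "host1.example.org"))
```

On the constructed sample this reports one source accounting for most of the lookups, two sources still querying the name after it stopped resolving, and the first query for the successor name coming from one of them eight minutes after its last attempt on the old name. The useful property of the approach is that each of those findings is a plain count or timestamp difference over records a third party collected, which is what makes such data hard to fabricate after the fact and easy for another analyst to recompute.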

A copy of the complaint filed by Jones against Alfa Bank is available here (PDF).

THE SUSSMANN INDICTMENT

The person who first brought the DNS data to the attention of the FBI in Sept. 2016 was Michael Sussmann, a 57-year-old cybersecurity lawyer and former computer crimes prosecutor who represented the Democratic National Committee and Hillary Clinton’s presidential campaign.

Last week, the special counsel Durham indicted Sussmann on charges of making a false statement to the FBI. The New York Times reports the accusation focuses on a meeting Sussmann had Sept. 19, 2016 with James A. Baker, the FBI’s top lawyer at the time. Sussmann had reportedly met with Baker to discuss the DNS data uncovered by the researchers.

“The indictment says Mr. Sussmann falsely told the F.B.I. lawyer that he had no clients, but he was really representing both a technology executive and the Hillary Clinton campaign,” The Times wrote.

Sussmann has pleaded not guilty to the charges.

ANALYSIS

The Sussmann indictment refers to the various researchers who contacted him in 2016 by placeholder names, such as Tech Executive-1 and Researcher-1 and Researcher-2. The tone of the indictment reads as if describing a vast web of nefarious or illegal activities, although it doesn’t attempt to address the veracity of any specific concerns raised by the researchers. Here is one example:

“From in or about July 2016 through at least in or about February 2017, however, Originator-1, Researcher-1, and Researcher-2 also exploited Internet Company-1’s data and other data to assist Tech Executive-1 in his efforts to conduct research concerning Trump’s potential ties to Russia.”

Quoting from emails between Tech Executive-1 and the researchers, the indictment makes clear that Mr. Durham has subpoenaed many of the same researchers who’ve been subpoenaed and/or deposed in the concurrent John Doe lawsuits from Russia’s Alfa Bank.

To date, Alfa Bank has yet to name a single defendant in its lawsuits. In the meantime, the Sussmann indictment is being dissected by many users on social media who have been closely following the Trump administration’s inquiry into the Russia investigation. The majority of these social media posts appear to be crowdsourcing an effort to pinpoint the real-life identities behind the placeholder names in the indictment.

At one level, it doesn’t matter which explanation of the DNS data you believe: There is a very real possibility that the way this entire inquiry has been handled could negatively affect the FBI’s ability to collect crucial and sensitive investigative tips for years to come.

After all, who in their right mind is going to volunteer confidential information to the FBI if they fear there’s even the slightest chance that future shifting political winds could end up seeing them prosecuted, threatened with physical violence or death on social media, and/or exposed to expensive legal fees and depositions from private companies as a result?

Such a perception could give rise to a sort of “chilling effect,” discouraging honest, well-meaning people from speaking up when they suspect or know about a potential threat to national security or sovereignty.

This would be a less-than-ideal outcome in the context of today’s top cyber threat for most organizations: Ransomware. With few exceptions, the U.S. government has watched helplessly as organized cybercrime gangs — many of whose members hail from Russia or from former Soviet nations that are friendly to Moscow — have extorted billions of dollars from victims, and disrupted or ruined countless businesses.

To help shift the playing field against ransomware actors, the Justice Department and other federal law enforcement agencies have been trying to encourage more ransomware victims to come forward and share sensitive details about their attacks. The U.S. government has even offered up to $10 million for information leading to the arrest and conviction of cybercriminals involved in ransomware.

But given the way the government has essentially shot all of the messengers with its handling of the Sussmann case, who could blame those with useful and valid tips if they opted to stay silent?


139 thoughts on “Indictment, Lawsuits Revive Trump-Alfa Bank Story”

    1. VM

      This, and also nowadays literally anyone could use sources from Github to create malware to siphon confidential data outside through DNS requests (usually only a few block outgoing DNS requests).

    2. john A

      That is what the Russians are claiming. They don’t deny the pattern looks like communication.

    3. g wright

      I think it’s absolutely pitiful how far people will go to cover up their wrongdoing and make others look bad. I read this article a few times because it’s hard to believe that people’s lives are being threatened for doing their jobs and being honest about it. When will doing the right thing outweigh deception and lies?

  1. Steve J

    Frankly amazed that the email server itself wasn’t hacked and the emails are published somewhere in cyberspace.

      1. SeymourB

        That used to be the case but now, provided proper payments get made to the right people, it’s no longer the case.

  2. Wayne

    Great report, Brian.

    I remember a very low traffic but persistent connection being detected between a Trump Organization and, as I recall, a Russian bank. Was it Alfa? It was suspected that both hosts had a Word document open and when they wanted to talk to the other side, they’d type their query, the other side would see it, erase what was written, then type their response. This mode of communication apparently left little or no forensic or interceptible trace.

    1. JamminJ

      Kinda like the old “draft email” channel.
      Dynamic web documents in a browser are updated via websockets. It leaves a trace.
      It just shifts all the artifacts to the cloud provider. For that type of communication, assume the FBI has worked with Microsoft or Google already.

    2. Richard Turnbull

      “Little or no forensic…trace,” sure, as long as there are no bugs in the room. No photographs obtained of the room which might identify the alleged perps, etc.
      FBI investigators have gone to extraordinary lengths to infiltrate agents or contracted bugging experts into organized crime domiciles, social clubs, and any other connected venue. See also the first two chapters of COMPROMISED : Counterintelligence and the Threat of Donald J. Trump (2020) by Peter Strzok, for an account of some of the highlights of a years-long investigation to expose a Russian intel operation, using similar methods.

    3. Kurt O

      Brian, great job,
      Sussmann was a paid political operative, looking for a high-level appointment after the election, who lied when he said he was just being a good citizen while planting a hit piece on the opposition. Sussmann had a clear agenda, motivation, and means.
      We are now getting to the bottom of this entire episode that has proven to be the greatest political dirty trick in American history.
      Here we are, five years later, and none of the many Trump/Russia collusion investigations have found anyone guilty for actual 2016 election activities on the Trump side. On the other side Kevin Clinesmith of the Mueller investigation team forged documents to the FISA court, and was caught red-handed. Sussmann is next in line.
      I would like to add that someone else has done a great deal of research on this issue for a long time from a less technical angle. He has been studying this for years as both a lawyer and journalist, is no fan of Trump, the Dems or the Reps but he gets his facts straight. I urge everyone to read Glenn Greenwald, at https://greenwald.substack.com/p/the-indictment-of-hillary-clintons

      1. JamminJ

        Plenty of indictments and convictions in the Russia investigation. Mueller did NOT exonerate Trump. Basically just punted.

        Even if there was no explicit/illegal collusion with Russia, there are still plenty of indirect/unethical ways for Russia to “help” the campaign. Dirty tricks, and meddling are legal if you obfuscate enough.

        Trump supporters are gonna want to make this all about Sussmann, which is a red herring. The evidence stands on its own without him. Plenty of other non-political security researchers saying the same thing.

        It’s funny to see the desperation to deflect and demonize again.

        Even if this email server scandal is nothing, it seems like Trump’s getting a taste of his own medicine. It’s similar to his attacks on Clinton’s email server.

        1. Paul

          Not one indictment for this conspiracy was linked to the alleged Trump/Russia collusion. It was because of charges discovered during the fishing expedition begun by the Clinton/DNC party. Charges of their own personal short-comings. The dominos have started to fall. It was a conspiracy of the DNC/Clinton team to get Hillary elected. Will you continue to believe the lie that you’ve been spoon-fed? If so, you are a useful idiot, and Stalin would have loved you in Russia. Do your own research. What is most glaring and obvious is the answer to one simple question: Who would Putin want as President? The answer? It wasn’t Trump.

          1. JamminJ

            More than half of the indictments were links between the Trump Campaign and Russia.

            Trump sycophants and apologists like to focus on the word “collusion”, because they know that there is no legal/criminal definition. They cannot use the word collusion, because the correct word is “conspiracy”.
            Every person who makes a claim about “collusion”, is usually a defender of Trump’s crimes, using a word they don’t understand in order to distract and misdirect.

            https://en.wikipedia.org/wiki/Criminal_charges_brought_in_the_Special_Counsel_investigation_(2017%E2%80%932019)

            1. FNORD

              Wikipedia as a source for political information? What a joke. How about some real investigative reporting?

              1. Dr. Gr

                Basic facts are available, even on wikipedia.
                Trump lovers seem to hate facts, and fact checking.
                Is your idea of “investigative reporting” to troll reddit and 8kun?

                1. FNORD

                  Sure. I’ve made articles on Wikipedia about rodent and bird species that were missing from the site. Wikipedia can be highly useful when looking up basic info like capital cities or animal species or sport stats or phone specs or movie/TV shows, etc. My point was that Wikipedia is highly unreliable when it comes to political information. Reddit is mostly useless and I’m not familiar with 8kun.

                  1. Dr Gr

                    8kun evolved from 8chan and 4chan. Heavy Qanon folks.
                    It really depends on what information you’re after. Like you said, basic facts.
                    The OP claimed that none of the indictments in the Russia Trump investigations were about conspiracy. The wiki summarized the indictments in a chart. Pretty plain to see that claim was wrong.
                    Good thing about the wiki format too, is they can link to the indictments directly without going through media spin and opinions. That’s why I keep coming back to Krebs, direct linking to the court documents.

                  2. viki

                    Do you at least have any real insanely glaring examples?
                    How do you talk about a controversial political topic and have the condition of ‘success’ that everyone agrees? Controversy by definition is a strong differing of opinions and wikipedia does a fair job of denoting them out and looking at both sides to varying degrees of perceived accuracy or resonance with any particular audience. If you have something sourced and provable to add, you have the ability to do that. It’s ultimately up to you to demonstrate it is unassailably valid and supported. There’s no reason you should just let any of the “incorrect” information stand if you’re serious about it. But it’s also by the same sword that only the supported, verifiable position can be taken as true whether or not there is a further unsupported, unverifiable maybe-truth that cannot be proven. “If you can’t reliably and thoroughly prove it, it’s pop fiction until you can.” – George Soros, King of Spain

                    1. FNORD

                      The article claiming Russia hacked the DNC and gave the data to Wikileaks. Nonsense.

          2. JamminJ

            You seem to have bought all the lies that your cult leader has pushed. Talk about Spoon-fed. If your world-view aligns with something a narcissistic megalomaniac seems to repeat every time he’s on TV, then that’s a red flag that YOU are being spoon-fed.

            Putin knows Trump is soft on Russia. Putin hates the Clintons, almost as much as the GOP does.
            Trump has financial interests in Russia, way more than the Clintons ever had. Can we really trust a real estate Mogul who has so many business dealings with our biggest adversary? Add to that, he refuses to release his tax returns, refuses to divest or put his business in an independent trust.
            All that makes him vulnerable to foreign interests and influence. Especially in places like Russia, ruled by a dictator who is a very skilled former FSB intelligence officer. Their cornerstone training is in applying this kind of pressure on “assets”.

            Why does Trump hire so many people with deep ties to Russia, then act surprised when they are arrested and convicted for conspiracies with Russians?

            “do your own research” is Qanon code for “go down conspiracy rabbit holes and pick from the buffet, whatever affirms your own beliefs”.
            “Research” on today’s internet is simply not going to reveal any truth. It’s far more likely to indoctrinate and recruit you into some cult mentality.
            If you really want to “research” COVID, go to medical school and focus on virology and epidemiology.
            If you want to “research” indictments, go to law school or join law enforcement.
            If you want to “research” geopolitics and international espionage, then you have to …REDACTED…
            If you don’t have time to do this… then you need to find legitimate and objective experts with no political leanings.
            The reality is that people who think they are “doing research” on the internet… are just consuming propaganda. Talking heads, pundits, and other professional liars. Then they consume syndicated, 2nd or 3rd hand information already spun, twisted and malformed into a political narrative.

          3. anom

            Oh for sure Vlad, except for that time on video where you admitted it, and also Helsinki.
            Nice try “own research guy” but nobody need convince you that Trump is prison bound.
            Nobody needs to pour you a glass of calming lemonade while you watch it happen either.
            It’s happening independent of you and your desperate partisan political concerns.

            So much evidence in every direction that he can’t even get a good lawyer anymore,
            preferring LIVE TV confessors with rodent-like teeth and oil leaks. He’s screwed.
            If that upsets you, very sorry to break the news here in a security forum, do get over it.
            Whether or not he’s a full blown asset of KGB, he’s a traitor and a criminal fraud, liar.
            You need better antiheroes or martyrs, whichever you decide in imminent hindsight.

      2. Joe

        Glenn Greenwald is trash and is a huge fan of saying he isn’t a huge fan of Trump while doing the things a huge fan of Trump does.
        There’s a reason he’s been fired from all his former gigs and is publishing on substack now.

        Also anyone that read the Mueller report would have come away with the conclusion that Trump did the crimes, but Mueller didn’t believe he had the jurisdiction to charge the POTUS. That is why everyone else was charged and he was an unindicted co-conspirator in several cases. Hell the Michael Cohen case literally said conspirator #1 won the presidential election.

        1. FNORD

          Now that you’ve spewed official narrative talking points do you have any original thoughts on the matter?

      3. wrong

        “Here we are, five years later, and none of the many Trump/Russia collusion investigations have found anyone guilty for actual 2016 election activities on the Trump side”

        Uninformed / Liar. Period.

  3. Christopher Engel

    Are you actually advocating that an attorney be allowed to lie to the FBI as part of ongoing criminal investigation? According to the indictment Sussmann told the FBI he was not representing any client and simply representing the public interest. Yet he billed the Clinton campaign for all that work, including the meeting he had with the FBI. In no sort of world should anyone condone such behavior, least of all someone involved with cyber-security. Ethics are supposed to matter to us.

    It’s pretty clear that Sussmann was trying to gin up some political controversy on the part of the Clinton campaign to justify the Russia collusion narrative they were pushing. Even if he believed that narrative himself, lying to the FBI about why he was involved is not something anyone should be condoning.

    P.S. Simply having DNS entries doesn’t mean there is anything illicit or illegal about the traffic going on. I’m sure if we looked in the DNS cache for the Clinton Foundation or even Krebs there would be all sorts of interesting entries…. it doesn’t imply anything about WHY those requests are being made.

    From Substack
    “The meeting with the FBI’s Baker, for example, was charged to the Clinton campaign as “work and communications regarding confidential project.” In fact, according to Durham, “all or nearly all” of Sussmann’s work on the Alfa Bank story prior to meeting Baker was “billed to the Clinton campaign.”

    1. Ryan Johnson

      Yeah I’m a little shocked at this article not pointing out these basic facts.

      1. BrianKrebs Post author

        There are thousands of media stories and theories on social media that explore how and why the collection of the DNS data was supposedly all just an effort to make the former president look bad. This is definitely not one of them.

        The story looks at the technical details in the newly released report, and concludes that the government has done itself and the nation a disservice with this prosecution because it will likely have a chilling effect on smart people coming forward with tips about potential cyber threats to U.S. national security and sovereignty.

        1. David L

          Why do you think the “smart people” provided their research to a political operative rather than directly to law enforcement?

          The lesson should be that “smart people” should not use political operatives to distribute their research.

          1. David Thompson

            Smart people prefer to work with other smart people, for various reasons. The first being that stupid people do not understand, or choose not to understand, the implications of the data being provided. The second being that stupid people support King Bonespurs the Bankrupt and/or profit from that support.
            Data is data, correlation is correlation. The sources of the data, not the person publicizing or providing it, are the salient considerations clearly revealed in this post.
            Go back to the FACT of the near instantaneous shuttering of the Trump site once it was revealed someone was investigating it, then get back to us on how that does not make you suspicious of the historical connections of that site and the re-direction of its connections to shady customers.

            1. David Loader

              Of course the timing is suspicious; so is the FACT that the smart people used a political operative to serve their information to the FBI. Why?

              The FBI did not discover proof of collusion. Are the FBI the “stupid people” you were referring to? Were there holes in the data? No way to correlate events? Political operatives at work? Poor investigative techniques?

              Motivations are important to understand. Especially when information – whether from a mail server, a DNS server or a discarded laptop – takes such a convoluted route to the FBI.

              P.S. I’m not a fan of Trump; save your insults for someone else.

              1. Christopher Engel

                According to the emails cited in the indictment the “smart people” in question were working for an “unnamed tech executive” who had been promised a “top cybersecurity position” in the new administration had Clinton been elected (the prosecutor supposedly has an email where the tech executive states that) and the tech executive in question also had employed the legal services of the same paid political operative. It’s pretty obvious what was going on here, if you connect the dots.

                P.S. The fact that you even have to state your not a fan of Trump for your perfectly valid criticism to be accepted is pretty sad commentary

                1. JamminJ

                  If you’re a fan of “connecting the dots” when they only implicate Trump’s enemies, but not so keen on “connecting the dots” when it implicates Trump and/or his allies… then you don’t need to claim you’re “not a fan of Trump”.

                  The hypocrisy reveals intent and motivations.

                  1. Christopher Engel

                    Uhmm…. I didn’t make that claim. David did. You are conversing with 2 different people.

                    FWIW – I highly suspect Trump has corruption issues himself. I wouldn’t be shocked if somewhere around 5 percent of what he’s actually been accused of is true (He’s pretty much been accused of everything under the sun, including stuff that happened before he was even born). However, that’s not relevant to this particular article.

                    1. JamminJ

                      You referenced the claim in your comment, “The fact that you even have to state your (sic) not a fan of Trump…”

                      I didn’t say it was your claim. I’m just saying that making the disclaimer of “not a fan of Trump” doesn’t mean the comment will be accepted. People often feign neutrality to have their opinions accepted. This caveat disclaimer does nothing, as the totality of a person’s comments will speak clearly for itself.

                      The act of defending Trump in this instance, while being silent on (or worse, supporting) the same thing when it was “Hillary’s Email Server”, shows the true motivation and politics.
                      It wasn’t that long ago that Trump supporters made wilder accusations, based on less evidence. There may be nothing here, I agree, but this is really Karma coming back around.

              2. Richard Turnbull

                Wait, when exactly did the mammoth load of credible evidence showing possible collusion, over a period of some ten months, by dozens and dozens of Trump staffers vanish?
                You can find the evidence for “collusion” referred to in the Mueller Report only in passing, since Mueller’s remit was not to find “collusion” but crimes.
                Wait while I locate the downloaded Mueller Report so I can cite the relevant pages… Volume 1, Part IV: RUSSIAN GOVERNMENT LINKS TO AND CONTACTS WITH THE TRUMP CAMPAIGN; start with page 66, A. Campaign Period (September 2015 – November 8, 2016).
                None of this has ever been cogently refuted — Breitbart News Network, rants from Alex Jones etc. to the contrary notwithstanding.

                1. David Loader

                  Perhaps my comment should have been that the FBI discovered no proof of collusion that would be considered a crime.

                  1. Richard Turnbull

                    No, it should be “the despicable collusion the FBI discovered was not on the agenda for indictments,” which is not the same thing at all. Notice that the Mueller Report was compiled while Trump was in office, and he was impeached for the first time shortly after Mueller testified about its findings. Probably it was considered a better course to remove Trump first via impeachment, or through the 25th Amendment process, as Trump is clearly non compos mentis before, during, and after his time in office. Once the leader and prime organizer of the collusion was out of power, there would be plenty of time to round up the rest. As it is, Paul Manafort, Roger Stone, Lt. General Michael Flynn, Trump’s ex-lawyer Michael Cohen, Rick Gates, George Papadopoulos, were convicted, some are doing prison time, and others involved with the campaign charged with other offenses, like Steve Bannon, charged with fraud for a fund raising scam connected with the “border wall,” which Bannon of course denies.

                2. quit lyin turnbull

                  “the investigation did not identify evidence that any U.S. persons knowingly or intentionally coordinated with the IRA’s interference operation”

                  https://theintercept.imgix.net/wp-uploads/sites/1/2019/04/ira11-1555617882.jpg?auto=compress%2Cformat&q=90&w=1024&h=154

                  This makes sense, since all the info came from the DNC and their personal lawyers Marc Elias and his flunky Michael Sussman.

                  https://nypost.com/2021/09/20/dem-plot-to-steele-the-white-house-anatomy-of-a-political-dirty-trick/

                  1. William Ashbaugh

                    Another Trump cultist speaks up. Your hypocrisy is plain to see as you reference some far-right opinion piece from the NYPost.
                    You still believe in Birtherism too, right?

                    Always trying to blame all their problems on the DNC. You Qanon conspiracy theorists need to be booted from the internet and the world.

                    1. Not a trumper

                      “The ends justify the means”

                      – Liberals since Trump began running.

                      William, it’s unfortunate that your response to my facts, which refuted the lies in this thread (JamminJ has 25% of the comments in this thread, all shilling for big DNC), is to attack me, incorrectly, as if who I liked would in any way invalidate the facts I just presented.

                      Identity politics, a DNC staple since the Emancipation Proclamation vote.

                      https://www.govtrack.us/congress/votes/37-3/h384

                    2. William Ashbaugh

                      You cannot deny it. You quack like a duck. You spew the same lies that Qanon Trump cultists spew.

                      You haven’t presented any facts.
                      You literally posted a link to an opinion editorial.
                      You don’t even understand the definition of identity politics. This isn’t identity politics but rather your own delusions and conspiratorial thinking that is obviously QAnon.

                      Now you are bringing up yet another ridiculous myth. Straight out of Prager and debunked hundreds of times. The southern conservative Democrats of 150 years ago have nothing to do with modern day political parties. All of those conservatives and their families now vote Republican.
                      Are you really that indoctrinated into hating Democrats that you don’t recognize that there is nothing eternal about the name? The racist Dixiecrats’ families are still there, voting for conservatives; it doesn’t matter what party affiliation they are.

                      There was a time when the party was called Democratic-Republicans, then they split. The names weren’t always like they are today. There were plenty of conservative Democrats and plenty of liberal Republicans back then.
                      Abraham Lincoln was a liberal Republican from the north. He was nothing like Trump.

                      I know you desperately want to make this about some evil, demonic political organization. That’s why you got some perverted glee out of seeing the involvement of any politically affiliated lawyers you could demonize.

                      But I don’t blame you for your ignorance. History has shown us that even Hitler was granted a passionate, devoted following of millions of Germans. They did not recognize the signs of a narcissist megalomaniac. They did not recognize the propaganda and psychological tactics used to create an external enemy (Jews, Roma, immigrants and Communists).

                      Americans like to think that we’re just smarter and more loving of democracy, and we would not fall for the same thing here. But those who really remember Germany in the 1920s are all gone now. And we have forgotten how the rhetoric works.

                      I pray that you would wake up from your hypnosis. We’ve already had the equivalent of a Beer Hall Putsch (failed coup), and possibly a Reichstag fire (attack on Parliament / Congress blamed on communists / Antifa).

        2. Christopher Engel

          Sussmann was not some whistleblower providing tips about cyber-threats to the U.S. He was a paid political operative who was hired by a political campaign to generate bad PR about the opposing political campaign. He was billing the Clinton campaign for this work.

          How could that possibly chill any legitimate sort of cyber-researcher from cooperating with law enforcement… particularly when such researchers don’t make a habit of lying to law enforcement while doing it?

          Further, no legitimate cyber-security researcher is going to conclude something illicit is happening simply because a DNS query was made. If you expose any sort of site that accepts an email address in a form and does automated replies to that form, I can get your server to do a DNS lookup of any FQDN I want simply by spoofing the email address in the form. Even if that wasn’t the case though, there are any number of reasons why legitimate email traffic can pass between two organizations. You would need to know something about the content of the email to know anything about WHY the traffic is passing. Any legitimate cyber-security expert should be able to tell you that. You can’t simply ASSUME something is illicit without examining the content.

          1. JamminJ

            Whistleblower, witness, or legal counsel. They ALL talk to the FBI and this could chill anyone from cooperating if they think that they can be indicted for telling the truth.

            Researchers are being subpoenaed just the same.
            If they suspect the FBI is going to throw them under the bus (by accusing them of lying, or just doxxing them in public records), they aren’t going to trust them and won’t speak freely.

            “if he didn’t lie to the FBI, then he has nothing to worry about”.
            So you must also believe that the several Trump allies/associates who were indicted (some convicted) of “lying to the FBI” during the Russian investigation… are also guilty?

            You acknowledge that people have objectives to merely generate bad press for an opposing campaign. Do you not understand that accusations, even if unfounded, could be an objective in itself?
            Trump just wanted a public statement from Ukraine that they were launching an investigation into the Bidens. Even if nothing came of it, that’s enough to do damage.
            Merely accusing someone of a crime, is equally damaging, even if they drop the charges. They get their headlines.

            Also, the general presence of DNS queries isn’t interesting. It’s the fact of the very first query when a host comes online. That’s not coincidence, that’s not random, that’s not nothing.

        3. NateDawgsGma42

          I love reading Brian’s stuff but do not forget where he came from… Washington Post. You do not lean further left than the w post so if you’re looking for a middle of the road piece on anything Trump or Biden related, look elsewhere.

          The water has and will always be slightly tainted with a little political bias.

          1. JamminJ

            Political bias doesn’t bother me. Everyone has it, and the left/right bias is pretty easy to spot.
            What really concerns me is the factual/fantasy spectrum.

            Although both sides can and have gone down the road of fantasy conspiracy theories over the decades (the left originally had the most anti-vaxxers), the right has seriously gone off the deep end with Trump.
            It didn’t have to be this way. Conservatives can be grounded in reality, but the recent purge means they can’t get elected/reelected.

            Take a look at mediabiasfactcheck which objectively and without judgment rates media outlets on left/right bias, and factual reporting.

            1. FNORD

              First you cite Wikipedia, then MediaBiasFactCheck? Your opinions have moved from mildly interesting to complete nonsense. Get better sources and read a wider variety.

              1. American Voter

                It’s sad and pathetic that rather than talk about Hillary Clinton’s lawyers being indicted for a felony, and the technical details of that lie, a lot of you are babbling about Trump and Russia. Ironically this was the exact lie Sussman was selling on behalf of Hillary. Mueller spent years investigating these claims planted by the Clinton campaign, but never once charged Trump. They charged Manafort who worked for the Podestas. A now-defunct lobbying group whose sole differentiator was access to Hillary.

                It’s insane the amount of lies and deceit that went on to actively spy on a current Presidential candidate, and rather than call all that out, here you “politics as religion” people are babbling that somehow all of that behavior was OK because it was done against someone you disagree with politically.

                WOW.

            2. FNORD

              First you cite Wikipedia, then MediaBiasFactCheck? Get better sources and read The Grayzone, like me.

              1. Ryan Johnson

                Hate to break it to you, but The Grayzone is a conspiracy theory website. Consortium is just aggregating news articles from other websites. Be careful what you link in your comments, and you might want to read the whole thing and research who is writing it.
                With wikipedia, at least you can check the citations directly and they do remove POV often. MediaBiasFactCheck is not a news source, just sums up the fact checking from a particular source. For which Grayzone fails and is labeled a “Questionable Source”.

                1. American Voter

                  It’s sad and pathetic that the personality cult of Donald Trump still remains and is trolling the internet for any good news.
                  They have spent years demonizing their political opponents and have convinced a sizable portion of the American people that they are literal Satan worshiping pedophiles.
                  This is just an extension of that.

                  They want to focus so much on the alleged crimes of Hillary Clinton and now are crying foul when the exact same investigations into an email server are directed at them.
                  Trump has a history of retaliation and pettiness. He will sue everyone including his own family for speaking the truth. And is willing to wield all the powers of the office in order to prosecute his enemies. This has been proven many times.
                  This latest indictment is complete vindictiveness and is designed to attack all of his political opponents. He appointed people specifically to have indictments for anybody involved in investigating him or his cronies.
                  Trump is a wannabe mob boss. And this is what happens when a mob boss gets powerful enough to buy judges and prosecutors. You get indictments like this.

                  Now his sycophants, shills, and trolls are here to exaggerate and lie.

                  The reality is that this is just Trump getting exactly what he sowed. Even if, especially if, there was nothing nefarious with this email server, it’s exactly the type of accusation that he threw at Clinton and ultimately allowed him to win the presidency.

                2. FNORD

                  Someone other than me used FNORD to post the following:

                  FNORD
                  September 28, 2021

                  First you cite Wikipedia, then MediaBiasFactCheck? Get better sources and read The Grayzone, like me.

                  I’ve never mentioned The Grayzone.
                  I suppose somebody wanted to muddy the waters here. Can’t imagine why.

                  1. Ryan Johnson

                    Whichever FNORD did twice comment with a quote and link to an article from The Grayzone. Those link to a consortium website that seems to just syndicate from other sites. If you scroll to the bottom, they explicitly say the article is from The Grayzone.
                    So it really undercuts your points when you get them from an extremist conspiracy theorist.

                    1. FNORD

                      It was actually an article written by Aaron Mate who writes for The Grayzone and CN.

                      Since we’re on the subject, how did you determine that the The Grayzone is a “conspiracy theory website”? Did you read it on Wikipedia or a fact-checking site? Would you cite it, please?

                3. FNORD

                  “Be careful what you link in your comments, and you might want to read the whole thing and research who is writing it.”

                  Perhaps you should take your own advice. CN does aggregate news articles but is also an investigative news site. Original articles are published regularly. In fact, it was the first investigative news site on the Internet. Started by Robert Parry, you know, one of the guys that broke the Iran-Contra story back in the day and the Russia-gate nonsense back in 2016. Perhaps you should give it another look.

                  1. Ryan Johnson

                    First of all, that’s not how credibility works. It’s not really transferable.
                    Consortium News explicitly says, “The views expressed are solely those of the author and may or may not reflect those of Consortium News.”

                    It’s like seeing an opinion editorial in an otherwise credible newspaper. You’re getting lies that were paid to be there.

                    Secondly, the founder died years ago. When you have an editorial site that’s nothing but opinion pieces, and now it’s run by somebody else, you’re not going to get the same. And even if he was on the right side of history in the ’80s, that doesn’t make him correct this time. Do you believe everything Bob Woodward says? He’s even more credible when it comes to presidential scandal.

                    Lots of news outlets change over time. I think most of them get much worse with new ownership or funding. I don’t know this Robert Parry, but Iran-Contra was a very long time ago. Even Rudy Giuliani was once a respectable law enforcement leader and mayor. People go off the deep end when they get old.

                    Everyone has an agenda and is biased, and it’s important for you to independently find credible sources. Don’t just take it as fact from a website’s about page that they are investigative journalists. Are there any credible independent third party analysis that confirms their bona fides?

                    But again, consortium news and its founder are not at all relevant if they merely repost like a retweet, from a completely different news site. And when you dig deeper on the grayzone, you find all sorts of extremist and disturbing stuff. Not only does it have no credibility, but it actually makes people want to think the opposite of their claims.

                    You may have a lot of respect for Robert Parry, but you’re getting your information from Max Blumenthal. It’s the ol’ bait and switch.

              2. FNORD

                This post is not the same FNORD as the earlier posts. This FNORD is an imposter.

                1. Ryan Johnson

                  Whichever FNORD it was,
                  did twice comment with a quote and link to an article from The Grayzone. Those link to a consortium website that seems to just syndicate from other sites. If you scroll to the bottom, they explicitly say the article is from The Grayzone.

                  So it really undercuts your points when you get them from an extremist conspiracy theorist.

              3. FNORD

                “FNORD
                September 28, 2021

                First you cite Wikipedia, then MediaBiasFactCheck? Get better sources and read The Grayzone, like me.”

                JamminJ, is that you?

                1. FNORD

                  So you’re the one who lauded The Grayzone using FNORD as your user name?

          2. FNORD

            “…further left than the w post…”
            Don’t you mean the CIA and its Mighty Wurlitzer? That’s what comes out of WaPo.

      2. Richard Turnbull

        “According to Durham”….You mean the Trump appointee?
        There needs to exist a provable direct billing, for these particular acts, to “clients” who are in fact the Clinton campaign.
        When Sussman stated he had “no clients” funding a particular effort, it’s simply not enough, by itself, to show that he represented the Clinton campaign in the same time-frame. That’s no contradiction.
        THIS REPLY was meant for Christopher Engel, for Ryan Johnson I add that it’s whether or not these ARE “basic facts” that is at the center of the controversy. Presumption of innocence is not even the main issue: it’s possible corruption in the process behind the indictment itself. It remains true that the overall inquiry may have exactly the deleterious effects noted by Brian, though. So it’s a mess, that’s for sure.

        1. Christopher Engel

          If there isn’t evidence then there won’t be a case to prosecute, will there? Durham claims to have the evidence. It’s listed in the indictment. Yes, I’m assuming he wouldn’t list it if he didn’t have it. Yes, Mr Sussman deserves the presumption of innocence.

          I think your partisanship may be showing here. Every time a Democrat appointed D.A. indicts a Republican should we announce that they were a “Democrat appointee” in order to throw skepticism about the validity of the indictment, or do you have some specific evidence that Durham engaged in prosecutorial misconduct for political purposes… say like falsifying information on an application for a FISA warrant? Or illegally leaking to the media information incidentally collected under a FISA warrant, which was supposed to be under seal to protect a U.S. citizen’s 4th Amendment rights? Anything like that?

    2. JamminJ

      Why are you quoting “SubStack”? Do you think they are a reputable source of news?

      “Sussmann’s lawyers deny that he ever said he had no client”
      “The case against Mr. Sussmann turns on Mr. Baker’s recollection that Mr. Sussmann told him he was not at the meeting on behalf of any client — which Mr. Sussmann denies saying. There were no witnesses to their conversation.”
      -nytimes

      You seem to already believe the allegations in the indictment. Sussmann is pleading not guilty, and he’s gonna win. The case will be thrown out or dropped because it all hinges on someone’s recollection in an unrecorded informal conversation.

      The indictment is just meant for intimidation and nothing more. Which is why Krebs concluded that this could really hurt whistleblowers, and other witnesses, from speaking with the FBI… because they could easily turn around and indict someone for “false statement”, based on what someone may or may not have remembered you saying 4 years ago.
      It’s dangerous precedent.

      1. Christopher Engel

        Sussmann isn’t some whistle-blower. He’s a lawyer that was being paid to work professionally for a political campaign to generate bad press for an opposing campaign. How would that possibly chill any honest whistleblower or researcher?

        Further if he didn’t lie to the FBI, then he has nothing to worry about.

    3. Jamie A.

      You don’t really believe in reading things through before commenting, do you? I assume you have to redo code quite often.

      Krebs provided links to the actual Senate report that was locked down. If you followed the link to Dan Jones’s complaint, and went in a few pages, you’ll see that he actually provided about 40 pages – the Exec (n00bs) summary section of the 650+ page report. Pretty %$##&^ compelling. And his report was commissioned by the Senate. Says it took a year, and cost $millions. Then look at the drivel from Mandiant and Stroz. The Stroz rebuttal is an embarrassing joke. *And* they both admit they never actually got to look at Alfa Bank’s systems or data, because Alfa Bank said they didn’t keep logs for more than 24 hours. They just took Alfa’s word for it.

      Krebs links to Amy Knight’s great article from last year:
      “Amazingly, the committee may have interviewed only one source–Jae Cho, the IT director for the Trump Organization, who “did not recall conducting a system-wide review of the Trump Organization network to determine if there were any connections from the Trump Organization side with any of the Alfa Bank servers.” ”

      Yeah, that’s the way to investigate. Ask the target if they committed the act. When they say no, well, that’s good enough. The FBI seems to have also done a shoddy job. They should be ashamed.

      As far as Sussmann, if you read the indictment, you would have seen two glaring points and errors you made:
      1) The indictment spells out (it had to) that he did NOT bill the DNC for the meeting with Baker. So correct that drivel in your comment.
      2) The indictment and the Senate testimony that Baker gave makes clear that *He did not remember if Sussmann told him*. Which is why the legal profession is so up in arms.

      Bottom line, it is clear that Krebs is *not* commenting on the politics or Sussmann. He is pointing out that no matter what, when we share information with the USG related to cyber attacks and compromises confidentially, and the USG (FBI especially) tell you that your name will be kept “absolutely confidential”, the USG is going to give your name up publicly at the first push. *Which is really bad for the Country* (US in this case) because people like us will be very careful about sharing in future. Everyone except the bad guys loses. Are you one of them? Furrfu!

    4. Richard Turnbull

      “According to Durham”….You mean the Trump appointee?
      There needs to exist a provable direct billing, for these particular acts, to “clients” who are in fact the Clinton campaign.
      When Sussman stated he had “no clients” funding a particular effort, it’s simply not enough, by itself, to show that he represented the Clinton campaign in the same time-frame. That’s no contradiction.

    5. Jamie A

      Christopher,

      I’m not sure that I see anyone suggesting that an attorney be allowed to lie. It does appear that there is some doubt as to whether he did lie – Sussmann says he did not, Baker under *oath* says he doesn’t remember what Sussmann said. No other witnesses or recordings or even notes by Baker. Feels like Durham is doing his best to try and show something for his two year odyssey. Also as far as I understand things, Sussmann is innocent until proven guilty? No judgment here.

      However, relevant to this reporting by Mr. Krebs, in the process of Durham’s two year investigation he seems to have subpoenaed a large number of legitimate researchers. He didn’t “ask” them – he *subpoenaed* them. Even when he could have gotten the same information by just doing a formal records request. And the result of that is, I am prepared to bet, people like Nick and Jean had to hire some really really expensive attorneys. They may have been covered by insurance, or their universities or employers (I read that Jean Camp’s school did pick up the tab for some of her bills and/or defended her against the subpoenas).

      Judging by Brian’s reporting above, and the Alfa Bank lawsuits, there are 10+ people who have been subpoenaed by Durham and are highly respected in the industry. Putting aside the strange coincidence that Alfa Bank seems to be following in the footsteps of Durham’s investigation, are you suggesting that this is an OK thing to happen? Or do you agree that the fact that the Government decided to subpoena researchers who have *stellar* reputations, and force them into a) revealing all kinds of research they may be doing in all kinds of areas, like human rights, government ethics, and Law Enforcement overreach, as academics, and b) spending hard-earned money to hire lawyers to deal with the sprawling investigation that seems to have hit its 5-year statute of limitations by apparently only indicting an attorney based on someone’s sworn recollection of “I don’t really remember…”? (I won’t allude to the “ham sandwich” meme here.)

      If that isn’t chilling to you, then I have to assume you’re ok with a situation going forward where any Law Enforcement person or agent can get a court to authorize them to come poking through all of your systems and records, because you once identified a malicious IP address to other researchers.

      As far as your suggestions about the science and technology behind DNS activity, I am assuming your expertise is in another area, and you failed to read, or understand, the Jones document. A residential house with a basement, and electrical usage 90 times more than every other similar sized house on the street, could absolutely be a hydroponic grow-room for someone with a love for orchids. But then again, hey, it’s just a simple case of high usage of electrical energy. Nothing to see there.

      DNS can be *much* more indicative of things than just a log entry for a random interesting site. And if it was *really* interesting, a responsible researcher would do further expanded research and collaborate with other researchers. And if it looked like more than a “simple” set of entries, and there was additional data indicating that there was something perhaps malicious about it, and the researchers had some form of consensus that there was a good chance that there was something “hinky” going on, responsible researchers would pass the information on to LE for them to investigate. That’s what we do. But probably less so going forward. Which is Brian’s point. *Not* whether Sussmann is a political hack who lied to the Government. That’s for other fora.

      If you read Brian’s website regularly, or you actually do malware research, you’ll know that very often, it is the DNS activity that a) first indicates miscreant activity, and b) helps lead to the source. Right?

      So, I suggest you bypass the political conjecture and hyperbole here, and concentrate on the facts that have been provided. In fact, iirc, the data that Jones utilized (including the 38 million DNS entries) was actually published on Jean Camp’s website at some stage. I’m not going to look now, because I sure as hell don’t want that to be enough for someone like Durham to come and subpoena me.

      1. Christopher Engel

        Points….
        1) If you are materially involved in a criminal case, I suspect you will be subpoenaed. That may suck but it goes with the territory. If these researchers’ work DID turn up evidence of criminal activity between Trump and Alfa, did they expect NOT to be subpoenaed or called into court to testify about the work they did? That would be hopelessly naive, don’t you think?

        2) If the evidence presented in Durham’s indictment is accurate, at least some of the researchers in question are not simply innocent bystanders. They were explicitly engaged by a tech executive who had been promised an appointment to a top cyber-security post (CISA???) to dig up dirt on the Trump campaign for the Clinton campaign. There is nothing inherently illegal or even unethical about that….but yes, I would expect in doing so that the targets of such an investigation would be entitled (and likely) to bring you into court or at least have you deposed in order to detail exactly what you did and how. Is the target of such…. let’s call it what it is, hostile research…. entitled to no legal remedy? Even if they are completely innocent of any wrong-doing but the research is presented in such a way as to represent something sinister? How would you feel if the shoe was on the other foot?

        3) I have 20+ years of cyber-security experience. I know what I’m talking about. All the evidence presented shows that Alfa and (to a lesser extent Spectrum Health) were making a significant number of DNS queries for A records of a specific host that corresponded to an email server that was managed by a marketing company that had been engaged by the Trump organization… and that very few other entities were making such queries. That tells you that the queries are happening; it doesn’t tell you WHY those queries were happening or WHAT they were being used for…… and you can’t responsibly ASSUME or INFER what the cause of that was based upon that alone, let alone infer it’s something malicious. If you do, you are being something other than a responsible cyber-security professional.

        1. JamminJ

          1) “If you are materially involved in a criminal case, I suspect you will be subpoenaed.”
          “Alfa Bank has so far subpoenaed at least 49 people or entities — including all of the security experts quoted in the 2016 media stories referenced above, and others who’d merely offered their perspectives on the matter via social media. ”
          This isn’t the criminal case, but a civil lawsuit to uncover researchers and their methods of discovery.
          That alone is suspicious when a private company subpoenas someone over their independent perspective on social media completely independent of a criminal investigation.

          2) “..explicitly engaged by a tech executive who had been promised an appointment to a top cyber-security post..”
          “.. the targets of such an investigation would be entitled (and likely) to bring you into court or at least have you deposed in order to detail exactly what you did and how. Is the target of such, let’s call it what it is, hostile research..”
          That would be fair, yes.
          But that’s not what is happening. The vast majority of those subpoenaed are not this Tech-Executive-1 person. Not even political operatives.
          And more importantly, it’s not just heightened scrutiny that can be expected from any witness with political bias, rather, it is an attempt to throw out any evidence just on the basis of who presents it first.
          Both sides do this. And cybersecurity professionals need not bother with the political affiliations of witnesses, rather just the facts. In this case, the facts do not rely on the word or personal credibility of Tech-Executive-1. In contrast, the allegation that Sussmann lied to the FBI relies on hearsay for which there were no witnesses, is wholly refuted, and the FBI lawyer who supposedly heard it says he doesn’t remember. See the difference between evidence that relies on human memory, and facts that are independent of who presents them first?

          3) You left out the most interesting parts. It’s not just the high percentage of DNS queries. But the timing of the very first DNS query after a hostname change was from the same source. They should not have been able to know the new name, and immediately start querying like that. Also, the fact that the server shut down operations right after it became public is also very suspect.
          No, conclusions cannot be reached with JUST this information. But that is why an investigation is needed. And it doesn’t help that the Trump Organization and Alfa Bank are not cooperating. So, the same weapon of accusation and speculation into an Email Server that really helped Clinton lose the election, Karma is coming back around. Even if there is nothing here, Trump is the Gander and Clinton was the Goose. What’s good for the Goose is good for the Gander.

  4. Paul McCarthy

    I don’t trust the FBI as far as one can throw them, corrupt from the top down

    1. Richard Turnbull

      I don’t trust anyone who was closely connected with Trump in his crooked “business ventures,” nor as enablers of his numerous frauds, lies and hoaxes, nor in his thefts from contractors, sub-contractors, employees, and the American people, nor anyone who obdurately and obtusely defends him even after two solid impeachment cases were made against his extortions and traitorous incitement of domestic terrorism and sedition.
      Although to be fair, the vote to impeach Trump was 57 in the majority of the Senate for a righteous conviction, 43 to acquit, whose names will live in infamy forever, so there’s that!
      Also, no trust at all for anyone involved in failing to report to the local or higher authorities what Trump and his fellow malefactors were up to, in regard to criminal and/or fraudulent depredations, at any point in the last forty years, when it comes to that.
      I will borrow your original phrase, ” as far as one can throw them,” and add several that are not original with me: “Everything Trump touches dies,” (GOP strategist Rick Wilson), and Lord Acton’s observation that “Power tends to corrupt, and absolute power corrupts absolutely.”

  5. David L.

    Sussmann lied to the FBI. How is that the government’s fault?

    If someone believes that the FBI thoroughly investigated the information introduced to them by Sussmann and found no evidence of collusion, does that mean that the “researchers” powering those accusations were mistaken, lying or just trying to find something that would match their political desires?

    I tend to agree with Glenn Greenwald’s analysis: “The DOJ’s new charging document, approved by Biden’s Attorney General, sheds bright light onto the Russiagate fraud and how journalistic corruption was key..”

    1. Jamie A

      David L,

      You say: “Sussmann lied to the FBI.”

      Hrmmm. Judge, jury, and executioner maybe?

      You’re in the wrong thread.

      1. David L.

        Guilty as charged. I should have included “allegedly” in the comment.

  6. ralph seifer

    Great story, Brian. I confess I didn’t understand all the back & forth, but I certainly agree with your conclusion. If confidential communications cannot be maintained in confidence, why in God’s name would one trouble to say anything?? Ralph L Seifer, Long Beach, California

  7. Too Afraid of the Corrupt FBI to State Name

    The Confrontation Clause found in the Sixth Amendment provides that “in all criminal prosecutions, the accused shall enjoy the right…to be confronted with the witnesses against him.”
    So confidential accusers should not only not be protected, they should not exist. And whatever public benefit you think anonymous accusers might bring in some circumstances is far outweighed by the egregious villainous conduct of the FBI and other ‘justice’ department actors who repeatedly commit felonies and file false warrant applications even to the temerity to subterfuge and intimidate a Presidential candidate of the United States. And I note that Hillary would have been intimidated as well if she would have won in 2016.
    Brian Krebs, you most especially, who has bravely endured the manifold repercussions of making public accusations should appreciate that it is confrontable-witnesses that have nothing to hide and lead to the best understanding of the truth.

    1. njo

      >Brian Krebs, you most especially, who has bravely endured the manifold repercussions of making public accusations should appreciate that it is confrontable

      This seems like a weird argument. I would have quit if I had experienced a fraction of the abuse Krebs has received. I’d have quit after having armed police handcuff me. (https://krebsonsecurity.com/2013/03/the-world-has-no-room-for-cowards/) I’d have quit after almost getting framed for drug trafficking. (https://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybercrime-underground/) How has “confrontation” improved the quality of coverage here, besides intimidating others from covering the same subjects?

      The side effect of “confronting” witnesses like this is that people will be afraid to come forward.

    2. JamminJ

      The accused only gets to confront witnesses against him/her… when they get their day in court.
      This circus is all pre-court drama.

      The thing about politics is that it is mostly the court of “public opinion”. So they don’t really want or care to go through an actual trial. They want to make accusations, counter-accusations, and posture in front of TV cameras, to win in the court of public opinion.
      Trump did it with Clinton with her “email scandal”. This is just the same again.

  8. JamminJ

    “Sussmann’s lawyers deny that he ever said he had no clients”
    “The case against Mr. Sussmann turns on Mr. Baker’s recollection that Mr. Sussmann told him he was not at the meeting on behalf of any client which Mr. Sussmann denies saying. There were no witnesses to their conversation.”
    -nytimes

    Sussmann is pleading not guilty, and he’s gonna win. The case will be thrown out or dropped because it all hinges on someone’s recollection in an unrecorded informal conversation.

    Greenwald was completely silent when Trump did the same thing against Clinton, and when he tried the same thing on Biden. All about creating a media narrative. Both use the power/influence at their disposal to “investigate” their political opponents in the most public way. Even if they lose in court, the public perception is enough to sway elections.
    That’s why Trump tried so hard to “investigate” the Bidens.

    Russia collusion with Trump may not have happened explicitly or in any meaningful way…. but the investigation into Russian collusion, and the counter-investigation into the investigation, is turning out the same way. Box your political opponents into “lying to the FBI”, so you can punish them for speaking out.

    There were lots of indictments during the Russia investigation too. If you consider this indictment of “lying to the FBI” to be legit, you must also acknowledge and accept the many Trump associates who were also indicted and convicted of the same.

  9. Bob

    First time I heard of this (yes, I’m not in the latest scandal loop). Sussmann, Hillary, Trump, Alfa Bank, unnamed characters (who, what, conduct their own fishing expedition to find dirt on Trump by, what, disclosing privileged information?) — a bunch of political animals, it seems. Somehow I’m not feeling sorry for any of them. Am feeling sorry for the judicial system being used for this crap.

    Can’t help wondering though if the veracity of the DNS data has been independently confirmed or not.

    1. JamminJ

      Yep, it’s all a bunch of political games. Journalists, law enforcement, and the public are all caught in the middle, with many being co-opted into participation.
      As security researchers, it’s hard to continue to ignore the churn.

  10. JamminJ

    Brian, do you have any worry or concerns that your own investigations/comments/conclusions on this site will subject you to FBI inquiry?

  11. Nun

    Regarding the first table, there’s no such place as Rehoboth, RI. Maybe the researchers meant Rehoboth, MA or DE.

  12. Almo

    I would *never* make the statement that Trump was the first US President to try to “weaponize” DOJ or FBI. However, there is a suspicion in my mind that he had dirt to cover up when he took office, and there was this little thing with Comey statements about Hillary 1-2 weeks before the 2016 elections that may have deflected from the Alfa investigation enough to lead to the last four improbable years. FBI: dead center in the investigations of Benghazi, RussiaGate, and the Hillary email server, but finding little and costing taxpayers “buh-zillions”!? It begs a lot of questions about their ethics, tactics, and overall *legitimacy* in the world of cyber-crime we inhabit today.

    1. JamminJ

      Yep.
      The FBI’s reputation for objectivity in politics is pretty much gone.
      They will need at least 12 years of zero scandals or indications of political favoritism before they can begin to undo the damage.

      I would like to see legislation that makes the bureau completely independent from the Executive branch when it comes to political figures. Maybe a division of the FBI created like a non-partisan committee to handle all investigations that go up toward the DOJ and White House.
      Right now, POTUS being able to fire or hire key FBI leadership gets in the way.

  13. Christopher Engel

    On a side note – why are the researchers only looking at “A” record queries? If they actually had access to name server logs that were authoritative for that Trump domain and posited some sort of secret email communications between the two…. where are the MX lookups? If Alfa were trying to deliver emails back to the Trump org, there should be a bunch of MX lookups as well, where are they?

    P.P.S. If you really were trying to bother setting up some secret communication channel and you actually wanted to keep it secret, why would you even bother using public DNS? Both sides would have a static known IP address, so why would you need to do public DNS lookups in the first place? Further, why wouldn’t you just set up a point-to-point IPSec tunnel to carry such communications or, if you wanted to be more subtle, use proxies or peer to peer? Or for that matter, a secure email alternative where the email message never leaves the host server. If I were actually trying to set up some secret communications channel, there are probably a dozen different approaches that I would take that would be better than what was implied in this case. Doesn’t make much sense.

    1. JamminJ

      More likely the DNS requests are coincidental to the communication.

      Remember how all the criminals thought they were so smart communicating via email drafts?
      They didn’t need “hackers” or any other IT people to establish something complicated.
      Both parties log into a web-based email server, and save drafts. Nothing gets “sent”. No MX records, no IPSec tunnels or 3rd party proxies. No 3rd party needed at all, if one side has an email server with a web frontend.

      So the Trump campaign mail server may just have someone logging in from Alfa Bank, rather than sending an email. Maybe to save “drafts”. It would leave HTTP logs on the two networks, but maybe those get deleted.
      The actual communication logs might be harder to find, because HTTP is unlike DNS which is often available on other 3rd party systems (resolvers/forwarders).

      Lack of sophistication is not exculpatory evidence.

      1. Christopher Engel

        If I read the email right, the server in question was run by a marketing firm engaged by the Trump campaign and was responding to SMTP requests (but not accepting connections). That sounds like a pretty doubtful setup for a secure webmail server.

        Sounds like a very typical setup for a server built to send (but not receive) email from some application. The lack of an SPF would be a bit unusual but not completely out of the pale for a marketing server. I’d also want to know when the SPF was checked in relation to the DNS queries.

        Further, there is A LOT of information that I would want to know about where those logs were pulled from…..
        … Was it the authoritative name server for that domain? Was it the sole name server? Primary, secondary? Was it part of a cluster? Sitting behind a load balancer?

        Without actually knowing those details it leaves a lot of unanswered questions about how complete a picture we are actually getting.

        1. JamminJ

          “Jones’ report did find that mail1.trump-email.com WAS configured to accept incoming email. Jones cites testing conducted by one of the researchers who found the mail1.trump-email.com rejected messages with an automated reply saying the server couldn’t accept messages from that particular sender.
          “This test reveals that either the server was configured to reject email from everyone, or that the server was configured to accept only emails from specific senders,” TDIP wrote.”

          DNS is quite often the first indicator, precisely because there are usually several places it can get pulled from. This becomes especially important in criminal investigations where one or both parties of communication cannot be trusted to maintain logs (intentional deletion or policy of not keeping logs). It’s pretty bad and suspicious to only have 24 hours of connection logs.

          Like the article states, there are several theories that could lead to what was found. It is still also possible that looking for actual email messages might not reveal anything if DNS records are from someone at Alfa Bank actually logging in to the email server’s web console (like saving draft messages that are never sent).

          Totally within the realm of plausibility that someone at Alfa Bank is shadow managing some outgoing emails. Perhaps previewing mass-mailer campaigns before they go out. Perhaps “massaging the message content” a little to craft a cohesive narrative.

          The point is, don’t get hung up on one or two ways to communicate. It doesn’t have to be traditional email. And don’t go down a rabbit hole because there would be other, smarter, more complex ways for a covert channel. It really could just be novice political operatives who think they’re clever, without actually doing anything technically savvy.

        2. Jamie A

          Christopher:

          See, sometimes you are asking the kinds of questions a good researcher would want to know. And you come across as a good, questioning researcher 🙂

          Some of the things identified are anomalous as you mention, and you would want to know.
          I know you have only had a couple of hours to think about the Dan Jones report, and you don’t have access to the other 600 pages, and you presumably don’t actually know what information the researchers found and handed over to the FBI, do you? I am pretty sure that it was relatively trivial to know whether the data was coming from an authoritative server or a stub resolver, or a proxy, etc. and you probably also know that there is no logical difference between a Primary and a Secondary Server (the wrong terms technically, but a non DNS expert likely wouldn’t know that) other than the Master (what you refer to as the Primary) feeds updates to the Slave (Secondary in your speak), but both of them are equally authoritative. And I’m sure you also know that in many cases the Master is actually hidden, for security purposes.

          And as you no doubt know, it is relatively elementary to be able to identify whether there is a load balancer (they misbehave in many cases!). And to often know the manufacturer, and sometimes the code level of the nameservers and load balancers, right? ALL from outside the edge routers of the network that hosts the nameservers. You can also tell if they’re part of a cluster. And you can tell if the network is using ANYCAST, internally, or even externally.

          And as far as knowing whether SPF was being checked, if you read Jones’s report, as I suggested earlier, you would have seen that Jones did exactly that, in a very disciplined way. Based on the people being subpoenaed by Alfa Bank, I am *pretty* sure they know how to do all of these things “without” getting access, without LE help, and without “hacking” the network. See, DNS is *really* much more sophisticated than 99% of cyber people realise, or give credit for. And that’s likely why the researchers, who are supposed to have been amongst the top DNS people, probably found the anomalous activities – if there was nefarious stuff going on between the three organizations, they likely did not take these edge case signals into account.

  14. Pat Cho

    Having read “The Plaintiff in Chief: A portrait of Donald Trump in 3500 Lawsuits” by David D Zirin, on how Trump has used the legal system as a weapon throughout his career to get his way and to intimidate others, I found the lawsuits by Alfa Bank to be very reminiscent of the standard Trump play book. One can’t help wondering whether the bank is being advised by Trump or if they just read the book and realized what a wonderful tool the legal system can be for intimidation.

  15. Gordo

    “mail1.trump-email.com — was configured in such a way that would have prevented it from effectively sending marketing or bulk emails”

    I don’t believe that’s entirely accurate:
    1. The SPF record has a ~all (SOFT fail), rather than -all (HARD fail), so it’s up to the receiver to allow it in or not based on their receiver policy
    2. There is no requirement for mail servers to honor SPF records. While this is certainly a best-practice, and likely setup on all receivers at Alfa Bank, there’s no way for the FBI to know for sure without working with law enforcement in Russia to validate the configuration on those servers.
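    The soft-fail versus hard-fail distinction Gordo describes, as an added example that is not code from the page or from any commenter: a minimal SPF evaluator for the ip4/ip6/all mechanisms (RFC 7208 result names), paired with a receiver-side policy function that makes explicit what the record itself leaves to the receiver. The records and addresses below are constructed for illustration; they are not the real trump-email.com records, which the thread does not reproduce.

```python
import ipaddress

# Constructed sample records (not the real trump-email.com records): the same
# policy published once with a soft-fail and once with a hard-fail qualifier.
SPF_SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"
SPF_HARD = "v=spf1 ip4:192.0.2.0/24 -all"

# SPF qualifier prefixes and the result each one yields on a match
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record for sender_ip.

    Returns one of pass / fail / softfail / neutral / none. Mechanisms that
    need live DNS (include, a, mx, exists) are skipped here on purpose, so
    this is an offline model of the qualifier logic, not a full resolver.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no prefix means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            # 'all' always matches: its qualifier decides the outcome
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208: nothing matched and no 'all' term


def receiver_decision(spf_result: str, reject_on_softfail: bool) -> str:
    """What the receiving MTA does with the result. SPF mandates nothing on
    the receiver: 'fail' is the publisher asking for rejection, 'softfail'
    is explicitly left to local policy, which is the point in the comment."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "reject" if reject_on_softfail else "accept-flagged"
    return "accept"


if __name__ == "__main__":
    for rec in (SPF_SOFT, SPF_HARD):
        result = evaluate_spf(rec, "203.0.113.5")  # constructed off-list sender
        print(rec, "->", result, "/", receiver_decision(result, False))
```

    Run as-is, the off-list sender gets `softfail` under the `~all` record and `fail` under the `-all` record; only the second is a request to reject, and even that is honoured only if the receiver checks SPF at all.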

  16. Jamie A

    Gordo:

    You are generally correct. But this is not about the general case.

    If you look at Jones’s report (careful, turns out that for some reason there is a lot of important “stuff” in the footnotes – the footnotes are not only citations) you’ll see that all of the other machines in that Listrak /24 were configured differently, and responded differently to this mail1.trump-email.com one. Then you’ll see that they tested, and the Alfa Bank systems did examine and reject based on SPF records. You’ll also note that this server has never shown up on any DNSBLs. If it was sending even 100% opt-in legitimate bulk mail, there are always idiots who press the “This is spam” button, and the IP address would show up in a block list. But, nada.

    Look at pages 23, 24, and 25 of the 687 page Appendix A. Make sure you look at the *Footnotes*. It seems that in the way Jones did his report, he used footnotes in the executive summary to include data from the unpublished rest of the 687 pages that was necessary or relevant for his 40 page executive summary.

    Then make sure you also look at Page 47. Under the “Inconclusive” subheading, it shows that Jones tested and Alfa Bank *did* perform SPF/DKIM lookups, but not for the Trump server.

    In fact, make sure you look at the “Technical Attachment” sections, from page 47 to 50. That’s the type of rigour academics apply to research stuff like this.

    So it is not just logs of DNS queries. It is the behaviour of the systems and DNS. Not so simple for people who aren’t DNS experts.

    Gotta tell you, the more I go back and look at the documents following interesting comments here, the more I am picking up that this wasn’t that “Nothing burger” or “hoax”. Of course if the 687 page 12 month multi$ analysis is to be believed. And if Durham got this document (he apparently did) then it means that he must have interviewed/grilled Jones and his people in the Grand Jury, under oath. Using the “very best experts” the DoJ could find. Not impressed.

    BTW make sure you read his analysis of the Mandiant and Stroz reports that Alfa cites as proof that the researchers’ reports were wrong. Those two companies should be really embarrassed.
    I am wondering why there is no mention or debunking of Jones’s report in Durham’s 27 page indictment, where he trashes everybody? Recall that this was a *Republican* controlled Senate Committee that asked Jones to do the investigation and report. Same committee that seems to have “disappeared” the report from being released. And did you notice that there was *no* mention of the data or analysis being false or wrong or manipulated in Durham’s indictment?

    Maybe that is yet to come. But it would seem the statute of limitations has also run out on that. Maybe? IANAL.

  17. PR

    For those readers having difficulty understanding the purpose of Brian Krebs’s article, I quote the following excerpt from the Washington Post article on the topic.
    “there are a lot of cases that could be brought but aren’t because they are so trivial. And this seems to fall into that category to me. The indictment itself says the FBI already knew Sussmann was a lawyer for the Democratic National Committee.”

    And

    “It’s unclear how much longer Durham plans to continue his work as special counsel, but Sussmann’s indictment could prolong the investigation, because he has sought to win Sussmann’s cooperation against other individuals of interest to the special counsel, according to two people familiar with the investigation, who spoke on the condition of anonymity to describe Durham’s legal strategy.”

    Article URL: https://www.washingtonpost.com/national-security/john-durham-michael-sussmann-hillary-clinton/2021/09/16/ed8ba0e6-1696-11ec-a5e5-ceecb895922f_story.html

  18. Moike

    Although not the point of the article, the virgin DNS query for trump1.contact-client.com could have originated if trump1.contact-client.com hosted a contact landing web page or beacon, and the receiving server at Alfa was screening incoming marketing email web links originating from anywhere.

    1. Christopher Engel

      Yes, or it simply could have been from the new name the SMTP server was advertising when it came back on line after the DNS change when sending out a promotional email. Nothing particularly telling or nefarious there.

      Imagine this scenario…

      – HELO Alfa, I’m mail1.trump-email.com (66.216.133.29). I have a marketing email I’d like to deliver to you.
      – ALFA: Let my SPAM filter check to see if the host name you are claiming to be publicly resolves to the IP address I see you coming from.
      – ALFA does a DNS query for mail1.trump-email.com … query shows up in logs for the authoritative name server.
      – Admin for the marketing company running mail1.trump-email.com shuts down the SMTP server while making the DNS changes requested by the client. Emails are sitting in the queue waiting to go out.
      – DNS for trump1.contact-client.com goes live; admin dutifully changes the SMTP host name of the SMTP server to match the new public DNS FQDN and turns the SMTP server back on.
      – Next email sitting in the queue gets picked up by the server (now under trump1.contact-client.com) for sending out.
      – HELO Alfa, I am trump1.contact-client.com (66.216.133.29). I have a marketing email I’d like to deliver to you.
      – ALFA: Let my SPAM filter check to see if the host name you are claiming to be publicly resolves to the IP address I see you coming from.
      – ALFA does a DNS query for trump1.contact-client.com … query shows up in logs for the authoritative name server.

      This explains exactly what was seen. Frankly the domain name change and the timing of the response is the LEAST interesting/unusual aspect of this in my book.

      The lack of the SPF record, lack of getting on any RBLs and the proportion of DNS queries only coming from a couple of domains are odder….. although I can think of ways those could get explained as well.
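      The HELO walkthrough above, reduced to a runnable model as an added example that is not code from the page or from any commenter: a stub authoritative server that logs every A query together with the querying client, and the receiving MTA’s forward-confirmation check (does the announced HELO name resolve to the connecting address?) that is the source of those queries. It shows why, under this reading, the first query for the renamed host in the authoritative log is attributed to the receiver’s resolver. The two hostnames and 66.216.133.29 are the values quoted in the comment; the receiver’s resolver address, the timestamps and the zone contents are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed zone data: the two hostnames quoted in the comment, both pointing
# at the address the comment gives. Everything else in this file is illustrative.
ZONE: Dict[str, str] = {
    "mail1.trump-email.com": "66.216.133.29",
    "trump1.contact-client.com": "66.216.133.29",
}

SENDER_IP = "66.216.133.29"
RECEIVER_RESOLVER = "203.0.113.10"  # assumed stand-in for the receiving side's resolver

LogEntry = Tuple[int, str, str, str]  # (timestamp, client, qname, rcode)


@dataclass
class AuthoritativeServer:
    """Stub authoritative name server that records who asked for what, the
    way an authoritative or passive-DNS log attributes queries to resolvers."""
    zone: Dict[str, str]
    query_log: List[LogEntry] = field(default_factory=list)

    def resolve_a(self, client: str, qname: str, t: int) -> Optional[str]:
        addr = self.zone.get(qname)
        self.query_log.append((t, client, qname, "NOERROR" if addr else "NXDOMAIN"))
        return addr


def helo_forward_confirmed(dns: AuthoritativeServer, resolver: str,
                           helo_name: str, connecting_ip: str, t: int) -> bool:
    """Receiving MTA's check: does the HELO/EHLO name resolve to the address
    the connection comes from? This lookup is what lands in the log above,
    attributed to the receiver's resolver, not to the sender."""
    return dns.resolve_a(resolver, helo_name, t) == connecting_ip


def simulate_rename(dns: AuthoritativeServer) -> List[LogEntry]:
    """The sequence from the comment: the sender announces the old name, the
    admin renames the host (retiring the old record), the next queued message
    announces the new name, and a later lookup of the old name gets NXDOMAIN."""
    helo_forward_confirmed(dns, RECEIVER_RESOLVER, "mail1.trump-email.com", SENDER_IP, t=0)
    dns.zone.pop("mail1.trump-email.com")  # admin retires the old name
    helo_forward_confirmed(dns, RECEIVER_RESOLVER, "trump1.contact-client.com", SENDER_IP, t=600)
    dns.resolve_a(RECEIVER_RESOLVER, "mail1.trump-email.com", t=900)  # stale lookup
    return dns.query_log


def first_query_for(log: List[LogEntry], qname: str) -> Optional[Tuple[int, str]]:
    """Earliest (timestamp, client) that asked for qname, or None if nobody did."""
    hits = sorted((t, c) for t, c, q, _ in log if q == qname)
    return hits[0] if hits else None


if __name__ == "__main__":
    for entry in simulate_rename(AuthoritativeServer(dict(ZONE))):
        print(entry)
```

      The log this produces contains the "virgin" query for trump1.contact-client.com from the receiver's resolver, issued the moment the renamed server first announced itself. The model only covers the forward-confirmation path; whether that is what actually happened depends on the receiver's configuration, which the thread does not have.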

      1. Bryant Durrell

        Thanks for this; I was thinking about this same basic scenario. Alternatively, as you said elsewhere, trump1.contact-client.com could have been added to an MX record. These aren’t weird possibilities.

        The repeated DNS queries from a couple of servers are weirder, but what if an email server was configured to retry a bounced email every X minutes indefinitely? I’ve managed enough email servers in my day and poor behavior like that seems really plausible.

      2. Jamie A.

        Christopher,

        I’ve been thinking more about your hypotheses. I decided to test your main (first) one. This was interesting to research, BTW.
        -.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.
        In my testing, from the moment the outbound MTA connects to port 25 on the receiver and says EHLO/HELO, to the time that the SPF and spam look-ups are done, in a fully protected anti-spam environment, the message itself is flowing in less than 50 ms. That is within the same region (my home lab, and my research network at work, different carriers). Allowing for the latency inherent between Pennsylvania and Moscow, with an RTT of 90 ms per exchange (DNS, etc.) and assuming a generous minimum of 3, it looks like less than 400 ms total.

        What a coincidence that the Cendyn/Listrak admin killed the process in that strange 400ms interval! What are the chances?

        Of course, stranger coincidences have happened.

        The second thing I looked at was the pattern of the ALFA DNS servers with the mail1. record compared to the trump1. record. For months the ALFA DNS system had been making queries at a really high rate. Yet ALFA and Mandiant and Stroz had not found any actual emails received. Then the admin changed the host-name, and ALFA now did a single lookup. No email found there either. Then stopped for at least the next two days. I wonder why it stopped those frequent lookups with the new record? I’m not talking about the NXDOMAIN or SERVFAIL records at the end – I’m talking over the 3 months before.
        Maybe ALFA Bank was ALSO making changes in that same 10 minute window, related to trump sourced connections? Another amazing related coincidence.
        Maybe someone at Trump/Cendyn and someone at Alfa was/were talking to each other after all?
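
The HELO-verification scenario sketched in this thread, modelled as code. This is an added example, not code from any commenter, from Cendyn, from Alfa Bank or from the report: a stub resolver records every query a receiving MTA sends while vetting an inbound connection, so you can see which lookups would land in an authoritative server's query log or a passive-DNS sensor. The zone data, the host names (under .test) and the RFC 5737 addresses are constructed placeholders, and the SPF evaluator is deliberately minimal (ip4: mechanisms and the all mechanism only).

```python
"""Receiver-side checks a spam filter runs on an inbound SMTP connection and the
DNS queries they generate.  Added example; not code from the post, Cendyn,
Alfa Bank or any report.  Zone data, names and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed "authoritative zone": (name, rtype) -> rdata list.
# A missing key answers empty, as a deleted A record or an absent SPF TXT would.
ZONE = {
    ("mail1.example-sender.test", "A"): ["192.0.2.29"],
    ("trump1.example-client.test", "A"): ["192.0.2.29"],      # same host, new name
    ("29.2.0.192.in-addr.arpa", "PTR"): ["trump1.example-client.test"],
    ("example-sender.test", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    # example-client.test deliberately publishes no SPF record.
}


@dataclass
class Resolver:
    """Stub resolver that records every query it sends, which is what an
    authoritative server's query log or a passive-DNS sensor would capture."""
    zone: dict
    log: list = field(default_factory=list)

    def query(self, name, rtype):
        self.log.append((name, rtype))
        return self.zone.get((name.lower(), rtype), [])


def check_helo(resolver, helo_name, client_ip):
    """Forward-confirm the HELO/EHLO name: does it resolve to the connecting IP?"""
    return client_ip in resolver.query(helo_name, "A")


def check_reverse(resolver, client_ip):
    """Forward-confirmed reverse DNS: PTR for the client IP, then A for that name."""
    reverse_name = ipaddress.ip_address(client_ip).reverse_pointer
    return any(client_ip in resolver.query(name, "A")
               for name in resolver.query(reverse_name, "PTR"))


def check_spf(resolver, domain, client_ip):
    """Minimal SPF evaluation: ip4: mechanisms and the 'all' mechanism, with
    +/-/~/? qualifiers.  Returns 'none' when the domain has no SPF record."""
    records = [r for r in resolver.query(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"
    verdicts = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    addr = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in verdicts:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return verdicts[qualifier]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return verdicts[qualifier]
    return "neutral"      # no mechanism matched and no 'all' present


def inbound_session(resolver, helo_name, mail_from, client_ip):
    """Run the checks an inbound MTA performs before accepting DATA; return the
    verdicts plus the DNS queries the receiver had to send for this session."""
    start = len(resolver.log)
    result = {
        "helo_fcdns": check_helo(resolver, helo_name, client_ip),
        "reverse_ok": check_reverse(resolver, client_ip),
        "spf": check_spf(resolver, mail_from.rsplit("@", 1)[1], client_ip),
    }
    result["queries"] = resolver.log[start:]
    return result


if __name__ == "__main__":
    r = Resolver(ZONE)
    # Host announcing its original name: the forward check is an A query for that name.
    print(inbound_session(r, "mail1.example-sender.test", "news@example-sender.test", "192.0.2.29"))
    # Same host after its HELO name and sender domain changed: the A query now
    # names the new host, and the domain without an SPF record evaluates to 'none'.
    print(inbound_session(r, "trump1.example-client.test", "news@example-client.test", "192.0.2.29"))
```

Compare the two sessions: the forward-confirmation check on its own produces exactly one A query for whatever name the sender announces in HELO, so renaming the host changes which name shows up in the authoritative log; a filter that also does reverse and SPF checks sends PTR and TXT queries as well, and a domain that publishes no SPF record evaluates to none, not fail.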

  19. Erich Berger

    Hillary learned something after failing to discredit/destroy Monica Lewinsky. Monica had the dress. Indisputable. Some “smart people” suggested to her that they could put the Trump Organization’s DNA into the Russia Conspiracy. She was enraged with Trump for his comment satirically asking the Russians to “release more emails, let’s see ’em.” It’s a modern-day version of The Dreyfus Affair.

  20. nathan L brown

    I don’t believe anything from all those in Washington (politicians, FBI, CIA, etc) and all of the Press. None have credibility with me anymore.

    1. JamminJ

      Did they ever? Be honest. Most people who say they’re disaffected, never had a care to begin with.

      1. nathan L brown

        Yes they did, just not anymore. Not caring has nothing to do with it. I care a great deal, always have.

          1. introspection

            When did you have a greater credibility to challenge any of them?
            You’re both effectively singular gossips by comparison.

          2. introspection

            Politicians are chosen by We the People and deserve our respect. What credibility do you have to challenge them?

            1. C Taylor

              That’s the dumbest thing I’ve heard. Grow a brain. Not one of them deserves respect. Especially not the career criminal trump.

              1. introspection

                Trump deserves no respect whatsoever, that is true.
                That doesn’t mean there are no real civil servants who do.
                You don’t have to agree, you don’t have to like the system,
                I don’t think there’s anyone who wouldn’t make changes,
                and it’s many layers of abstraction from a meritocracy.
                None of that vindicates the nihilism in vilifying all elected,
                which you ought realize is a Trump talking point as well.

  21. Reader

    “Many different entities capture and record this DNS data as it traverses the public Internet, allowing researchers to go back later and see which Internet addresses resolved to what domain names, when, and for how long. Sometimes the metadata generated by these lookups can be used to identify or infer persistent network connections between different Internet hosts.”

    How does one get ahold of this data? How do these entities get their data? Given that it underpins everything else, independent verification and establishing provenance seem vitally important. I’ve seen a lot of samples and screenshots of “datasets” from conspiracy theory fans in my life around Trump things, so I’m highly disinclined to believe claims without being able to reproduce and/or corroborate them myself.

    1. JamminJ

      Yeah, I feel the same way.
      DNS does leave more tracks in more places than relying on the endpoints which are not cooperating with investigators.
      Only 24 hours worth of logs on one side is pretty fishy. That’s why DNS seems to be the only evidence so far.
      Not a lot to go on and definitely too soon to jump to conclusions. This may be completely nothing.

  22. C Taylor

    Interesting stuff but I would offer that if Sussmann didn’t lie about representing Clinton (he was billing her for the time he spent with the FBI), he wouldn’t have been prosecuted. Why would he hide that?

    1. JamminJ

      I think that’s the point of the article. He didn’t lie.

      He is denying it. The conversation was not recorded and did not have notes. The only FBI person in the room says he doesn’t remember.
      And the most important thing, the FBI already knew who he worked for.

      Combine that knowledge with all of the other subpoenas, and you understand that this indictment is without teeth and will likely be dropped. It only exists for intimidation.

  23. morganism

    follow the money?

    This could also possibly be the scheme that made mini-payments to many of the active pro-Trump senators and reps.
    Those congressmen went from under 1% of small donations (under 200 bucks?) to 98% of their donations.
    Devin Nunes and Jim Jordan are just two of them, and Gaetz just started reporting the same, I believe. Someone reposted a chart on @devincow with some of the more eyebrow-raising stats.

    Time to check the logs from their platforms, and WinRed, and see if they were getting all their “donations” from Global Payments, which bought out Heartland Payments in 2016?

    Heartland Payment Systems’ last headquarters were in Princeton, New Jersey. An acquisition by Global Payments, expected to be worth $3.8 billion or $4.3 billion, was finalized on April 25, 2016. (Wikipedia)

  24. Reduce Spam Please

    Shame on you Krebs .. Posting this to get your comments numbers up ..

    Gordo’s analysis is quite correct. From personal experience, I have messed up an SPF record on a live mail server before; it’s quite painful. At least two-thirds of the internet will reject your email without an NDR. You realize the problem and fix it in 30 minutes, but it takes up to 24 hours for the internet’s DNS to pick up the change. It’s not something you want to explain to your boss or client.

    I cannot imagine why anyone would operate a legitimate mail server without a proper SPF record for it in today’s world of spam blocking. Relying just on RBLs leaves you vulnerable to spam from any rogue mail server. And others are correct, a lot of mail servers do not use SPF records. Seems fortunate none of my clients need to hear from these SPF-less mail servers.

    20 years + IT support

    1. JamminJ

      This Krebs article didn’t seem to mention SPF at all. What are you referencing? Other commenters?

      This article is very detailed and covers a lot. Some people fixate on the parts they have experience with, naturally. The DNS doesn’t reveal everything, not much really. No conclusions can be made.

      1. Please no Spam

        Perhaps you did not hit “Continue Reading” for the complete article. The copy-and-paste of the section does not show the SPF record (it’s a graphic); look in the following part of the article:

        THE TDIP REPORT

        As part of his lawsuit against Alfa Bank, Jones published 40 pages from the 600+ page report he submitted to the U.S. Senate in 2018. From reviewing its table of contents, the remainder of the unpublished report appears to delve deeply into details about Alfa Bank’s history, its owners, and their connections to the Kremlin.

        The report notes that unlike other domains the Trump Organization used to send mass marketing emails, the domain at issue — mail1.trump-email.com — was configured in such a way that would have prevented it from effectively sending marketing or bulk emails. Or at least prevented most of the missives sent through the domain from ever making it past spam filters.

        Nor was the domain configured like other Trump Organization domains that demonstrably did send commercial email, Jones’ analysis found. Also, the mail1.trump-email.com domain was never once flagged as sending spam by any of the 57 different spam block lists published online at the time.

        1. JamminJ

          Ah, it’s only mentioned in that one graphic. Thanks.

          I wonder if the 600 page report talks more about SPF, or if it is more of a side note that doesn’t change much of the report.
          From this Krebs article, it doesn’t appear that much of anything hinges on it.

          1. Please no Spam

            Hmm Think you missed the two points made by others ..

            Point one: the mail server in question is probably a rogue server set up by someone who did not have access to the authoritative DNS for the domain. That is why the SPF record is not correct for the server.

            Point two: anyone can get any mail server to do DNS requests for any other place on the internet with well-crafted messages. The DNS queries probably mean nothing.

            On a side note: the IP of the possibly rogue server is managed by a US consumer-facing ISP that does some business services. I am sure the FBI has whatever info there is on who paid for that service by now. The FBI knows whether or not it’s a legit Trump server.

            The whole thing smells like a poorly thought out scam. The FBI is probably forced to investigate regardless of the political fallout.

            Get some popcorn sit back and watch the fireworks !!

            1. JamminJ

              So why would someone at a marketing firm contracted by the Trump organization, to send marketing email, set up an email server that didn’t work for sending email?

              Cendyn, a third-party vendor that operated the server on behalf of the Trump Organization, informed CNN that its contract to provide email marketing services to the Trump Organization ended in March 2016, and that a different client had been communicating with Alfa Bank using Cendyn communications applications. Alfa Bank denied this claim.

              Nobody is claiming the email server was Sending DNS requests. Rather the other way around. Alfa Bank was sending DNS requests to the email server.

              =============
              When the Trump Organization deleted the “A” record for this Trump Organization server, any attempt to communicate with the server would fail. DNS records reveal that immediately after “mail1.trump-email.com” was deleted, the servers associated with Alfa Bank and Spectrum Health repeatedly attempted to do a DNS look-up of “mail1.trump-email.com,” but the DNS look-up repeatedly failed, as the “A” record had been deleted.

              In addition to the surge in failed DNS look-ups for “mail1.trump-email.com” from the Alfa Bank and Spectrum Health servers, there were observed failed DNS look-ups originating from a new Alfa Bank IP address (217.12.97.137) seeking the name “mail.trump-email.com.moscow.alfaintra.net” for a period of 5-6 minutes.
              Data-set entitled “DNSLUPSMAIL1082417.” This was likely a mistyped address by a human on the Alfa Bank network.
              The DNS look-ups begin at 2016-09-23T13:50:50 (starting 2 minutes and 44 seconds after the last successful DNS look-up for “mail1.trump-email.com”) and end at 2016-09-23T13:56:29.
              These DNS look-ups were not seen previously in the data and are never seen again outside of this 5-6 minute period. The timing of the DNS look-ups by this new IP address associated with Alfa Bank coincide exactly with the deletion of the “A” record by a representative of the Trump Organization.

              After the “A” record was deleted for “mail1.trump-email.com” on September 23, 2016, Alfa Bank and Spectrum Health continued to conduct DNS look-ups for “mail1.trump-email.com.” The response to these DNS look-ups indicated that there was no longer a server named “mail1.trump-email.com.” In the case of Alfa Bank, this behavior persisted until late Friday night, on September 27, 2016 (Moscow time).
              At that point, Alfa Bank ceased its DNS look-ups of “mail1.trump-email.com.” Less than ten minutes later (2016-09-27T19:48:55), a server assigned to Alfa Bank was the first source in the DNS data-set (37 million DNS records from January 1, 2016, to January 15, 2017) to conduct a DNS look-up for the server name “trump1.contact-client.com”

              The fact that Alfa Bank was the first entity (IP address) to conduct a DNS look-up for “trump1.contact-client.com” in the data-set could indicate that someone at Alfa Bank was in some manner made aware of the new Trump Organization server name.
              To continue the telephone analogy, it is as if a person at the Trump Organization created a new unlisted telephone number, and shortly thereafter, the first incoming call received was from Alfa Bank, the most frequent caller of the old telephone number. Put another way, the only way Alfa Bank would have known to “call the telephone number,” was if it was informed what number to call.

              TIMELINE
              • 2009– “Mail1.trump-email.com” is registered on behalf of the Trump Organization on August 14, 2009, to manage consumer marketing campaigns by Cendyn, a third-party vendor.
              • March 2016 — Cendyn claims to send the last marketing email for the Trump Organization. Cendyn’s contract with the Trump Organization is replaced by Serenata, a German email marketing company who states that it never used “mail1.trump-email.com.”
              • May 2016 through September 2016 – During this period, “mail1.trump-email.com” is regularly, and almost exclusively, communicating with Alfa Bank, Spectrum Health, and Heartland Payment Systems.
              • September 21, 2016 – As part of an investigation, The New York Times contacts representatives of Alfa Bank and asks for an explanation for the unusual communications between the Alfa Bank servers and “mail1.trump-email.com.”
              • September 23, 2016 -Two days after The New York Times approaches Alfa Bank, the Trump Organization deletes the “A” record for “mail1.trump-email.com,” which was initially registered to the Trump Organization in 2009 (this deletion occurred prior to any approach by The New York Times to the Trump Organization).
              • September 27, 2016 – A server assigned to Alfa Bank is the first entity (IP address) in the DNS data-set to conduct a DNS look-up for a server named “trump1.contact-client.com.” The answer received is 66.216.133.29, the same IP address previously used for “mail1.trump-email.com.”
              • November 2016 – The “A” record for “trump1.contact-client.com” is deleted.

              In summary, two days after The New York Times approached Alfa Bank about its unusual connections to “mail1.trump-email.com,” someone working on behalf of the Trump Organization deleted the name of the server that had been the subject of the DNS look-ups by Alfa Bank, Spectrum Health, and Heartland Payment Systems. The first entity (IP address) in the DNS data-set (37 million DNS records from January 1, 2016, to January 15, 2017) to conduct a DNS look-up for “trump1.contact-client.com,” associated with the same IP address (66.216.133.29), was a server associated with Alfa Bank.
              The deletion of “mail1.trump-email.com” was a human action, not automated. Similarly, the initial DNS look-up by the Alfa Bank server of “trump1.contact-client.com” was likely the result of human input and interaction.
              =============

              Lack of SPF could have been a mistake, yeah. It could be the kind of mistake overlooked since this email server was never intended to send out, just receive. Or maybe not even act as an email server at all.
              I don’t think the SPF is all that important, as it could be a mistake that doesn’t validate or invalidate any theory.

              DNS requests and their timing are really interesting. It doesn’t appear like spoofing, because as the data shows, someone at Alfa Bank seemed to get the new host and domain name immediately after it changed.
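
The reasoning in the quoted report excerpt (the last successful answer for the old name, the first source to ask for the new name, and how long sources kept getting NXDOMAIN) can be reproduced over a passive-DNS log. The code below is an added example, not code from the report, the article or any commenter; the log lines, names (under .test) and RFC 5737 addresses are constructed placeholders, and the one-record-per-line format is a simplified stand-in for whatever a real passive-DNS feed emits.

```python
"""Passive-DNS style analysis: who first looked up a newly created name, how
long after the old name stopped resolving, and how long sources kept asking.
Added example, not code from the report, the article or any commenter; the log
lines, names and RFC 5737 addresses are constructed placeholders."""
from collections import Counter
from datetime import datetime

# Constructed log in a simplified "timestamp source qname rcode answer" format.
# 198.51.100.10 plays the frequent asker; the old name's A record disappears
# on the 23rd and a new name for the same address is first queried on the 27th.
LOG = """\
2016-09-23T13:40:00 198.51.100.10 mail1.example-sender.test NOERROR 192.0.2.29
2016-09-23T13:45:00 203.0.113.5   mail1.example-sender.test NOERROR 192.0.2.29
2016-09-23T13:48:06 198.51.100.10 mail1.example-sender.test NOERROR 192.0.2.29
2016-09-23T14:05:00 198.51.100.10 mail1.example-sender.test NXDOMAIN -
2016-09-24T09:00:00 203.0.113.5   mail1.example-sender.test NXDOMAIN -
2016-09-27T19:39:00 198.51.100.10 mail1.example-sender.test NXDOMAIN -
2016-09-27T19:48:55 198.51.100.10 trump1.example-client.test NOERROR 192.0.2.29
2016-09-28T08:00:00 192.0.2.77    trump1.example-client.test NOERROR 192.0.2.29
"""


def parse(log):
    """Parse the log into dicts sorted by time (passive-DNS exports are not
    guaranteed to be in order)."""
    records = []
    for line in log.splitlines():
        ts, src, qname, rcode, answer = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "qname": qname, "rcode": rcode, "answer": answer})
    return sorted(records, key=lambda r: r["ts"])


def first_seen(records, qname):
    """Earliest lookup of qname in the data set: (timestamp, source), or None."""
    for r in records:
        if r["qname"] == qname:
            return r["ts"], r["src"]
    return None


def last_successful(records, qname):
    """Timestamp of the last NOERROR answer for qname (None if never answered)."""
    hits = [r["ts"] for r in records if r["qname"] == qname and r["rcode"] == "NOERROR"]
    return hits[-1] if hits else None


def top_sources(records, qname):
    """Lookups per source IP for qname; most_common() orders them."""
    return Counter(r["src"] for r in records if r["qname"] == qname)


def nxdomain_span(records, qname, src):
    """Seconds between a source's first and last NXDOMAIN for qname, i.e. how
    long it kept asking after the name stopped resolving."""
    fails = [r["ts"] for r in records
             if r["qname"] == qname and r["src"] == src and r["rcode"] == "NXDOMAIN"]
    return (fails[-1] - fails[0]).total_seconds() if fails else 0.0


def rename_gap(records, old, new):
    """For the first source to look up `new`: seconds since that same source's
    previous lookup of `old`, and whether it was also `old`'s most frequent asker."""
    ts_new, src_new = first_seen(records, new)
    prior = [r["ts"] for r in records
             if r["qname"] == old and r["src"] == src_new and r["ts"] < ts_new]
    top_old = top_sources(records, old).most_common(1)[0][0]
    return (ts_new - prior[-1]).total_seconds(), src_new == top_old


if __name__ == "__main__":
    recs = parse(LOG)
    old, new = "mail1.example-sender.test", "trump1.example-client.test"
    print("last successful answer for old name:", last_successful(recs, old))
    print("lookups of old name by source:", top_sources(recs, old).most_common())
    print("first lookup of new name:", first_seen(recs, new))
    print("seconds since that source last asked for old name, was top asker:",
          rename_gap(recs, old, new))
    print("seconds 198.51.100.10 kept getting NXDOMAIN:",
          nxdomain_span(recs, old, "198.51.100.10"))
```

On the constructed data the most frequent asker for the old name is also the first to query the new one, 595 seconds after its last attempt on the old name, and it kept receiving NXDOMAIN for a little over four days; with a real feed the same functions answer the same three questions, and the only claims they support are about the sources and timestamps actually present in the data set.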

  25. Jamie A.

    Christopher:

    Your hypothesis is certainly intriguing. So as to not completely bore the non technical folks, or the “technical” readers who still think that a recursive resolver asks the Root for the TLD DNS address, then asks the TLD DNS server for the SLD DNS address, and then asks the SLD DNS server for the hostname’s address – LOL. Let’s look at your hypothesis. BTW if you think the researchers’ and Dan Jones’s final conclusions are truly dodgy, you’re obviously not very technical when it comes to DNS, despite knowing the buzzwords. But I digress. My comments in square brackets [ ] inline below:

    .-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

    CE> Imagine this scenario…
    – HELO Alfa I’m mail1.trump-email.com (66.216.133.29) I have a marketing email I’d like to deliver to you.
    – ALFA – Let my SPAM Filter check to see if the host name you are claiming to be publicly resolves to the IP address I see you coming from.
    – ALFA does a DNS Query for mail1.trump-email.com … query shows up in logs for the authoritative name server.
    – Admin for Marketing Company running mail1.trump-email.com shuts down the SMTP Server while making requested DNS changes by client. Emails are sitting in queue waiting to go out.


    JA> [OK. Remembering that the system is no longer mail1.trump-email.com, it is now trump1.contact-client.com, and HELOs or EHLOs with this new name. How do you explain the fact that the ALFA (and Spectrum) systems continued making queries for days after the DNS entry for mail1.trump-email.com was originally removed? Would you care to identify which version of DNS resolver ignores the TTLs within the SOA record? Was the bank’s DNS server code really that old, or broken? What is your explanation for that? Moving on to your next point above…
    No. Only 1, 2, or 3 emails are sitting there, for Alfa Bank. Look at the data from Jones or Camp. Only 3 places were looking up the mail1.trump-email.com hostname.]

    CE> – DNS for trump1.contact-client.com goes live, Admin dutifully changes the SMTP Host Name of the SMTP server to match the new public DNS FQDN and turns the SMTP Server back on.

    JA> [Oh – so what happened to the earlier query by the ALFA server? What response did it get? And what did it do following the response, or non-response?]

    CE> – Next email sitting in queue gets picked up by the server (now under trump1.contact-client.com) for sending out.
    – HELO Alfa, I am trump1.contact-client.com (66.216.133.29). I have a marketing email I’d like to deliver to you.
    – ALFA – Let my SPAM Filter check to see if the host name you are claiming to be publicly resolves to the IP address I see you coming from.
    – ALFA does a DNS Query for trump1.contact-client.com … query shows up in logs for the authoritative name server.
    This explains exactly what was seen.

    JA> [Oh? The logs show an A query. If my SPAM filter is of any commercial value, it would know that looking up the A record for a port 25 connection only confirms my hostname resolves to that IP address. It doesn’t tell you that the IP address is authorised to send email on behalf of that hostname. Wouldn’t a decent filter do an SPF query and/or a DKIM query of some kind? And maybe an IN-ADDR lookup? Or are you thinking another kind of lookup? Where was that in the logs? Per Jones, ALFA’s servers did SPF lookups at least for all other mail it received. But never for mail1.trump-email.com. A thought here: I don’t recall seeing it in any of the research or papers, but I wonder if there were any lookups in any of the log data that were for other xxx.contact-client.com customers of Cendyn’s and whether any of them did an SPF lookup? Maybe someone who has access to Camp’s original data can check?

    So where did that new single email go, after the DNS query/answer checked out? All of ALFA’s top-notch, expert, specialized, brilliant investigative firms (Mandiant/FireEye and Stroz (LOL!)) confirmed that ALFA had not received any spam from Trump systems during that period. Explain that, please.]

    CE> Frankly the domain name change and the timing of the response is the LEAST interesting/unusual aspect of this in my book.

    JA> [Seriously? You keep demonstrating that your technical understanding of DNS is actually pretty basic. These things don’t happen based on any known DNS software I have worked with. Or any MTAs. Unless perhaps you can provide some running code where all these things in the report can happen? The domain change was obviously manual (your explanation and others further down who claim experience with cocking up DNS records and rushing to fix the errors is plausible on its own). But how do you explain the fact that multiple parties who normally have really good passive DNS data show only that single Alfa Bank->trump1.contact-client.com lookup 10 minutes later, with no follow-up SPF or IN-ADDR lookup, and then crickets for a couple of days. Any explanation for that?]

    CE> The lack of the SPF record, lack of getting on any RBL’s and the proportion of DNS queries only coming from a couple domains are odder….. although I can think of ways those could get explained as well.

    [I’m sure you could. I’ve tried to help you understand the anomalous things that I’ve been able to glean from actually reading the various reports, but I don’t think you’re really listening, and you’re not researching the parts you don’t understand. This post of yours really nails it – you believe that an amazing set of coincidences happened to occur, with timing, universe, broken resolver systems all over the place, spam that had a Harry Potter cloaking shield, etc. and then you finish up with a couple of items that you admit might be odd, but hey, they’re spurious events that you might be able to think of ways to explain away.

    As a researcher, I am taught to look at all the possibilities. It feels like you are focused on debunking each point on its own, rather than focusing on the large number of points taken together, and how unusual they are as a set. I’m not positing that there was anything malicious going on – I haven’t seen any evidence of that. But I would say that the activities were highly unusual from a DNS point of view. Not to belabour the point, but the 40 page extract from Dan Jones certainly shows some academic rigour. Would you at least concede that the whole event was worth someone taking a closer look?

    Given your continual stretching of imagination, it seems that you’re really good at turning the techie version of Occam’s Razor on its head. And yes, I do know that Occam’s razor has been misinterpreted. So, for the non-techies who haven’t yet fallen asleep or passed out from boredom, here:

    Sometimes, the simplest solution is often the correct one. Or, when you hear hooves, you don’t think zebras. Or worse, pterodactyls.]
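
On the negative-caching question raised in this comment: RFC 2308 section 5 has a resolver cache an NXDOMAIN answer for min(SOA TTL, SOA MINIMUM), so that negative TTL sets how often a client's repeated retries for a deleted name actually reach the authoritative server. The simulation below is an added example, not code from the comment or from any report; the deleted name, the retry cadence and the resolver with a zero negative TTL are constructed to show the two extremes (a cache that honours the negative TTL versus one that effectively does not).

```python
"""Simulation of RFC 2308 negative caching: how a client's repeated lookups of a
deleted name turn into queries at the authoritative server.  Added example, not
code from the comment or any report; name and timings are constructed."""


class NegCachingResolver:
    """Caches positive answers for their record TTL and NXDOMAIN answers for
    min(SOA TTL, SOA MINIMUM), as RFC 2308 section 5 specifies."""

    def __init__(self, zone, soa_ttl, soa_minimum):
        # zone: (name, rtype) -> (rdata, ttl); a missing key means NXDOMAIN
        self.zone = zone
        self.neg_ttl = min(soa_ttl, soa_minimum)
        self.cache = {}        # (name, rtype) -> (answer, expires_at)
        self.upstream = []     # (time, name, rtype) that reached the authoritative server

    def resolve(self, now, name, rtype):
        key = (name, rtype)
        cached = self.cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]                     # answered from cache; nothing logged upstream
        self.upstream.append((now, name, rtype))
        entry = self.zone.get(key)
        if entry is None:                        # NXDOMAIN: cache the negative answer
            self.cache[key] = (None, now + self.neg_ttl)
            return None
        rdata, ttl = entry
        self.cache[key] = (rdata, now + ttl)
        return rdata


def retry_loop(resolver, name, every, until):
    """A mail server re-resolving a name on every delivery retry (every `every`
    seconds, from t=0 through `until`).  Returns the number of retries made."""
    retries = 0
    t = 0
    while t <= until:
        resolver.resolve(t, name, "A")
        retries += 1
        t += every
    return retries


def authoritative_hits(soa_ttl, soa_minimum, every=60, until=86400):
    """Retries versus queries that reach the authoritative server over one day
    for a name whose A record has been deleted (constructed placeholder name)."""
    zone = {}  # the name is absent, so every uncached lookup answers NXDOMAIN
    resolver = NegCachingResolver(zone, soa_ttl, soa_minimum)
    retries = retry_loop(resolver, "mail1.example-sender.test", every, until)
    return retries, len(resolver.upstream)


if __name__ == "__main__":
    # Negative TTL of 300 s: 1441 retries collapse to 289 upstream queries.
    print(authoritative_hits(soa_ttl=3600, soa_minimum=300))
    # Negative TTL of 0 (or a resolver that ignores it): every retry is visible upstream.
    print(authoritative_hits(soa_ttl=3600, soa_minimum=0))
```

The point of the two runs is the cadence: with a 300-second negative TTL the authoritative log sees one query per TTL window no matter how often the client retries, whereas a zero or ignored negative TTL makes every retry visible. Reading the interval between repeated NXDOMAIN queries from the same source against the zone's SOA values is therefore one way to tell whether the querying resolver was honouring negative caching at all.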

  26. William Ashbaugh

    Wow! I didn’t realize that the Trump-Alfa bank servers talking story was this big. It looks like the lawyers are having a big payday though.
    Judging from the number of comments from the same persons, Krebs readers don’t have a lot to do.

  27. FNORD

    Kreb’s story buries the lead.

    “The indictment of Hillary Clinton attorney Michael Sussmann offers new evidence that the Trump-Russia conspiracy theory that engulfed former President Donald Trump’s term in office was itself the product of fabrications involving Clinton’s 2016 campaign. Although Sussmann faces just one count on a false statement charge, the 27-page charging document offers an expansive window into how the Russiagate scam began, and how Democratic operatives, intelligence officials and establishment media figures dishonestly fed it to the public.”

    See: https://consortiumnews.com/2021/09/21/with-clinton-lawyer-charged-russiagate-scam-now-under-indictment/

    Both the DNC and the RNC are corrupt entities.

    1. Ryan Johnson

      Overall, we rate The Grayzone Far-Left Biased and Questionable based on the promotion of propaganda, conspiracy theories, and consistent one-sided reporting.

      Reasoning: Propaganda, Conspiracies, False Claims
      Bias Rating: FAR LEFT
      Factual Reporting: MIXED
      Country: USA (44/180 Press Freedom)
      Media Type: Website
      Traffic/Popularity: Medium Traffic
      MBFC Credibility Rating: LOW CREDIBILITY

    2. Richard Turnbull

      It is pretty transparent to see what is going on with the indictment of Sussmann, especially if you know Trump and his history.
      Trump says to Georgia election officials, “just find me all the votes I need to overturn the election”.
      Trump says to Ukraine, “just announce an investigation into my political opponents”.

      “John H. Durham, the special counsel appointed by the Trump administration to look into the origins of the Russia investigation”

      I bet Trump says to Durham, “just find something to indict anyone looking into my ties with Russia”.
      Durham looks for the easiest path to please Trump, “Uh, how about Sussmann, we can say that he failed to tell us who he was working for, that can be considered ‘lying to the FBI'”
      Baker in front of the Senate, “I won’t testify to that. I don’t remember him saying that he wasn’t representing other clients”

      Mr. Sussmann is a former computer crimes prosecutor who worked for the Justice Department for 12 years. In 2016, he represented the Democratic National Committee on issues related to Russia’s hacking of its servers.

      Mr. Sussmann’s lawyers have accused the special counsel, John H. Durham, of seeking an indictment of their client for political reasons. Mr. Durham was tapped in 2019 by Trump administration officials to review the F.B.I.’s investigation after the president and his allies cast doubt on its legitimacy.

      In the weeks before the presidential election, then-Attorney General William P. Barr appointed Mr. Durham as special counsel, ensuring the inquiry would continue no matter who won the White House.

  28. Haha

    There is a complete idiot on Twitter who saw the graphic you posted about the DNS queries and interpreted it to mean that InMotion Hosting, a well-known and legitimate hosting company that made ONLY ONE DNS query, is some sort of shady far-right operation that is secretly hosting hundreds of hateful websites out of a business school at Pepperdine University. I can’t stop laughing.
