According to a report from Slate‘s Franklin Foer, a group of computer experts are claiming to have found a computer belonging to Donald Trump‘s organization that has been set up to send and receive emails exclusively from a Russian bank.
Late last spring, the group got word that Russian hackers had infiltrated the servers of the Democratic National Committee. Figuring that if the Russians were able to penetrate the DNC, they could be attacking other entities central to the 2016 campaign, including Donald Trump’s many servers.
“We wanted to help defend both campaigns, because we wanted to preserve the integrity of the election,” one of the experts said, according to Slate.
This July, a member of the group identifying himself as “Tea Leaves” analyzed one of Trump’s servers and found “what looked like malware emanating from Russia.”
The destination domain had Trump in its name, which of course attracted Tea Leaves’ attention. But his discovery of the data was pure happenstance—a surprising needle in a large haystack of DNS [domain name system] lookups on his screen. “I have an outlier here that connects to Russia in a strange way,” he wrote in his notes. He couldn’t quite figure it out at first. But what he saw was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue.
Tea Leaves began monitoring the Trump server’s DNS activity and shared it with his colleagues so they could search for clues.
The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation—conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.
According to data analyzed from one of Trump’s servers, activity suggested that emails were being exchanged with Alfa Bank. When the New York Times contacted the bank to inquire, the server was immediately cut off on Trump’s end.
From Foer’s report:
Four days later, on Sept. 27, the Trump Organization created a new host name, trump1.contact-client.com, which enabled communication to the very same server via a different route. When a new host name is created, the first communication with it is never random. To reach the server after the resetting of the host name, the sender of the first inbound mail has to first learn of the name somehow. It’s simply impossible to randomly reach a renamed server.
“I’ve never seen a server set up like that,” said Christopher Davis of the cybersecurity firm HYAS InfoSec Inc. “It looked weird, and it didn’t pass the sniff test.”
Aside from the most glaring possibility that the server serves the purpose of keeping communication between the Trump campaign and a Russian bank, Foer makes sure to point out that other less likely, although possible, scenarios could provide an explanation.
What the scientists amassed wasn’t a smoking gun. It’s a suggestive body of evidence that doesn’t absolutely preclude alternative explanations. But this evidence arrives in the broader context of the campaign and everything else that has come to light: The efforts of Donald Trump’s former campaign manager to bring Ukraine into Vladimir Putin’s orbit; the other Trump adviser whose communications with senior Russian officials have worried intelligence officials; the Russian hacking of the DNC and John Podesta’s email.