Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: bitt; piasa
But a small, tightly knit community of computer scientists who pursue such work—some at cybersecurity firms, some in academia, some with close ties to three-letter federal agencies—is also spurred by a sense of shared idealism and considers itself the benevolent posse that chases off the rogues and rogue states that try to purloin sensitive data and infect the internet with their bugs. “We’re the Union of Concerned Nerds,” in the wry formulation of the Indiana University computer scientist L. Jean Camp. In late spring, this community of malware hunters placed itself in a high state of alarm. Word arrived that Russian hackers had infiltrated the servers of the Democratic National Committee, an attack persuasively detailed by the respected cybersecurity firm CrowdStrike. The computer scientists posited a logical hypothesis, which they set out to rigorously test: If the Russians were worming their way into the DNC, they might very well be attacking other entities central to the presidential campaign, including Donald Trump’s many servers. “We wanted to help defend both campaigns, because we wanted to preserve the integrity of the election,” says one of the academics, who works at a university that asked him not to speak with reporters because of the sensitive nature of his work. . .In late July, one of these scientists—who asked to be referred to as Tea Leaves, a pseudonym that would protect his relationship with the networks and banks that employ him to sift their data—found what looked like malware emanating from Russia. The destination domain had Trump in its name, which of course attracted Tea Leaves’ attention. But his discovery of the data was pure happenstance—a surprising needle in a large haystack of DNS lookups on his screen. “I have an outlier here that connects to Russia in a strange way,” he wrote in his notes. He couldn’t quite figure it out at first. 
But what he saw was a bank in Moscow that kept irregularly pinging a server registered to the Trump Organization on Fifth Avenue. . .The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation—conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank. The researchers had initially stumbled in their diagnosis because of the odd configuration of Trump’s server. “I’ve never seen a server set up like that,” says Christopher Davis, who runs the cybersecurity firm HYAS InfoSec Inc. and won a FBI Director Award for Excellence for his work tracking down the authors of one of the world’s nastiest botnet attacks. . .(The company said in a statement: “Spectrum Health does not have a relationship with Alfa Bank or any of the Trump organizations. We have concluded a rigorous investigation with both our internal IT security specialists and expert cyber security firms. Our experts have conducted a detailed analysis of the alleged internet traffic and did not find any evidence that it included any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a digital marketing company, Cendyn, advertising Trump Hotels.”) Spectrum accounted for a relatively trivial portion of the traffic. Eighty-seven percent of the DNS lookups involved the two Alfa Bank servers. “It’s pretty clear that it’s not an open mail server,” Camp told me. 
“These organizations are communicating in a way designed to block other people out.”

"Was a Trump Server Communicating With Russia? This spring, a group of computer scientists set out to determine whether hackers were interfering with the Trump campaign. They found something they weren’t expecting." By Franklin Foer (10/31/2016)
13 posted on 04/01/2019 9:01:25 PM PDT by Fedora


To: Fedora
An anonymous IT expert known only as “Tea Leaves” who had access to the supposedly private technical information was sufficiently alarmed by it to pass it on to a group of computer scientists. This group then passed the data to American media, including CNN and The New York Times. . .CNN reports that "Tea Leaves" now refuses to be interviewed through an intermediary.

Trump Organisation under further FBI investigation for link to Russian bank (03/10/2017)

In June, 2016, after news broke that the Democratic National Committee had been hacked, a group of prominent computer scientists went on alert. Reports said that the infiltrators were probably Russian, which suggested to most members of the group that one of the country’s intelligence agencies had been involved. They speculated that if the Russians were hacking the Democrats they must be hacking the Republicans, too. “We thought there was no way in the world the Russians would just attack the Democrats,” one of the computer scientists, who asked to be identified only as Max, told me. The group was small—a handful of scientists, scattered across the country—and politically diverse. (Max described himself as “a John McCain Republican.”). . .I met with Max and his lawyer repeatedly, and interviewed other prominent computer experts. (Among them were Jean Camp, of Indiana University; Steven Bellovin, of Columbia University; Daniel Kahn Gillmor, of the A.C.L.U.; Richard Clayton, of the University of Cambridge; Matt Blaze, of the University of Pennsylvania; and Paul Vixie, of Farsight Security.) Several of them independently reviewed the records that Max’s group had discovered and confirmed that they would be difficult to fake. A senior aide on Capitol Hill, who works in national security, said that Max’s research is widely respected among experts in computer science and cybersecurity. . .In August, 2016, Max decided to reveal the data that he and his colleagues had assembled. “If the covert communications were real, this potential threat to our country needed to be known before the election,” he said. After some discussion, he and his lawyer decided to hand over the findings to Eric Lichtblau, of the Times. Lichtblau met with Max, and began to look at the data. . .As Lichtblau talked to experts, he became increasingly convinced that the data suggested a substantive connection. 
“Not only is there clearly something there but there’s clearly something that someone has gone to great lengths to conceal,” he told me. Jean Camp, of Indiana University, had also vetted some of the data. “These people who should not be communicating are clearly communicating,” she said. In order to encourage discussion among analysts, Camp posted a portion of the raw data on her Web site. . .Over time, the F.B.I.’s interest in the possibility of an Alfa Bank connection seemed to wane. An agency official told Lichtblau that there could be an innocuous explanation for the computer traffic. Then, on October 30th, Senate Minority Leader Harry Reid wrote a letter to James Comey, the director of the F.B.I., charging that the Bureau was withholding information about “close ties and coordination” between the Trump campaign and Russia. “We had a window,” Lichtblau said. His story about Alfa Bank ran the next day. But it bore only a modest resemblance to what he had filed. The headline— “Investigating Donald Trump, F.B.I. Sees No Clear Link to Russia”—seemed to exonerate the Trump campaign. And, though the article mentioned the server, it omitted any reference to the computer scientists who had told Lichtblau that the Trump Organization and Alfa Bank might have been communicating. “We were saying that the investigation was basically over—and it was just beginning,” Lichtblau told me. That same day, Slate ran a story, by Franklin Foer, that made a detailed case for the possibility of a covert link between Alfa Bank and Trump. Foer’s report was based largely on information from a colleague of Max’s who called himself Tea Leaves. Foer quoted several outside experts; most said that there appeared to be no other plausible explanation for the data. . .In April, 2017, Lichtblau left the Times, after fifteen years—in part, he said, because of the way that the Alfa Bank story was handled. 
He went to work for CNN, but resigned less than two months later, amid controversy over another story that he had worked on, about the Trump aide Anthony Scaramucci. This April, Lichtblau returned to the Times newsroom for a celebration: he had been part of a team of Times reporters that was awarded a Pulitzer Prize for its work on other aspects of the Trump campaign. . .Alfa Bank hired two cybersecurity firms, Mandiant and Stroz Friedberg, to review the data. Both firms reported that they had found no evidence of communications with the Trump Organization. The bank also began trying to uncover the anonymous sources in the Slate piece. Attorneys representing Alfa contacted Jean Camp, telling her that they were considering legal action and asking her to identify the researchers who had assembled the data. She declined to reveal their names. “This is what tenure is for,” she told me.

Was There a Connection Between a Russian Bank and the Trump Campaign? A team of computer scientists sifted through records of unusual Web traffic in search of answers. (10/15/2018)

15 posted on 04/01/2019 9:25:08 PM PDT by Fedora
