One of the enduring enigmas of the investigation into potential coordination between the Trump campaign and Russia during the 2016 election centers on communications between a computer server registered to the Trump Organization and a Russian bank. It’s not a new story. Franklin Foer reported on it for Slate in the closing days of the 2016 campaign. Now Dexter Filkins, a Pulitzer Prize winning investigative journalist with The New Yorker, has picked up where that story left off two years ago. In a lengthy article published this week, Mr. Filkins chronicles the extraordinary detective work into a mystery that could hold the key to understanding what really happened between the Trump campaign and Russia.
In the summer of 2016 after the Russian hacks of the DNC, a group of elite computer scientists began sifting through mounds of data. They assumed that if the Russians were hacking Democrats, surely they would be targeting the Republicans as well. As they hunted for evidence of Russian attempts to attack Republican computer systems, they found something completely unexpected. A server registered to the Trump Organization (mail1.trump-email.com) was communicating almost exclusively with that of a Russian bank.
The group of cybersecurity experts had unusual access to the Domain Name System (DNS), a sort of phone book for the internet that allows computers to find each other. Whenever you do something online, your device must first connect to a DNS server to locate the computer you’re trying to reach. For example when you type RoughlyExplained.com into your browser, your computer will query a DNS server to obtain this site’s Internet Protocol or IP address — a string of numbers that identifies the location of our web server on the Internet. These DNS queries can be logged, leaving a record of attempts to connect to a site on the internet.
In the summer of 2016, the group began sifting through DNS logs of web addresses associated with Republicans. The were looking for patterns of DNS lookups similar to those that they had seen in the Russian hacking attacks on the DNC. What they found instead was decidedly odd.
The Trump server was being looked up almost exclusively by Alfa Bank, one of Russia’s largest banks, and to a lesser extent Spectrum Health, a company owned by Education Secretary Betsy DeVos’ family. DeVos’ brother is Eric Prince, who met with Russian officials in an effort to set up a back-channel communication link with Russia after the election.
The server had formerly been used to send marketing emails for Trump hotels. But, in March 2016 the Trump Organization switched to a new email marketing firm and the server lay mostly dormant. In May 2016, it came alive again.
Whatever was happening between these servers may reveal what, if anything, was really going on between the Trump campaign and Russia in the 2016 election.
The DNS records showed that Alfa Bank and Spectrum Health servers began repeatedly looking up the Trump server in May of 2016. As the campaign wore on, they did so with increasing frequency. Further, the DNS queries seemed to spike around key moments in the campaign. All this raised suspicions among the researchers that they had stumbled onto some sort of clandestine communication channel. Whatever was happening between these servers may reveal what, if anything, was really going on between the Trump campaign and Russia in the 2016 election.
DNS records don’t reveal what transpired once the computers connected. So, there’s no way to ascertain for sure why the computers were communicating from DNS queries alone. There could be innocent explanations for why the servers were talking. But, the researchers concluded, none of them seemed very plausible. “Is it possible there is an innocuous explanation for all this?” one of the experts who reviewed the data told The New Yorker. “Yes, of course. And it’s also possible that space aliens did this. It’s possible—just not very likely.”
Some have suggested that the unusual traffic was an attempt by Alfa’s servers to verify old emails or a glitch in its security software. There are, after all, a lot of ways computer servers can go haywire. Yet, the pattern of communications didn’t really fit that explanation. The lookups from Alfa’s servers came intermittently. Some days there would be a couple, other days there would be dozens. If it were a glitch, there would likely be a more regular rhythm to the lookups. This theory also doesn’t explain why those contacts would have accelerated as the campaign reached its climax. Further, why would Spectrum Health’s server just happen to be suffering from a similar glitch? The traffic between the servers had a randomness that looked a lot more like human activity.
There are a several ways such a system might have worked to facilitate communication. It could have functioned as an instant messaging system. Or, it could be something called “foldering,” a practice that is commonly used by people who want to communicate undetected. For example, messages might be written as draft emails and then read by the other party logged into the server.
While the traffic between the servers was strange, the way it stopped was stranger still.
While the traffic between the servers was strange, the way it stopped was stranger still. The New York Times’ Eric Lichtblau was also contacted by the computer scientists in 2016. On September 21, Mr. Lichtblau contacted Alfa Bank’s lobbyists in Washington for comment. Two days later, before Lichtblau had reached out to anyone in the Trump organization, the Trump domain disappeared from the internet. Both Alfa Bank and the Trump organization have strenuously denied any contact between them. Yet, it appears that someone with Alfa Bank must have given the Trump Organization a heads-up.
When the FBI got wind of Mr. Lichtblau’s reporting they pushed him to delay publication, arguing that it could interfere with their ongoing investigation into Trump and Russia. Ultimately Dean Baquet, The New York Times’ editor, pulled the plug on the story. Mr. Baquet was reluctant to publish unless they knew why the communications occurred.
If there was any communications between the Trump campaign and Russia, this server might have been at the center of it. As things stand now, we still don’t know definitively what it all means. Yet, there may be a way to solve the mystery.
The Trump server belonged to a Pennsylvania company called Listrak and was administered by Cendyn, a Florida-based e-mail marketing firm. Records maintained by the two companies might reveal what was really happening between the servers. Democrats on the House Intelligence Committee wanted to issue subpoenas to get the data, but the committee’s Republicans refused.
However, it’s very likely that Special Counsel Robert Mueller has been able to obtain those records. A local Pennsylvania news outlet reported in March 2017 that the FBI visited Listrak’s offices. According to its CEO, the company gave the FBI everything it asked for. Whether the Trump server‘s connection with a Russian bank was a fantastically unlikely coincidence or a smoking gun for so-called-collusion remains an open question. But, the odds are good that Special Counsel Mueller already knows the answer.