Before John Durham’s Originator-1, There Was a Claimed BGP Hijack

In this post, I described that “Phil,” the guy I went to the FBI about because I suspected he had a role in the Guccifer 2.0 persona, had a role in the Alfa Bank story. As noted, Phil’s provable role in pushing the Alfa Bank story in October 2016 was minor and would have no effect on the false statement charge — for an alleged lie told in September 2016 — against Michael Sussmann. But because of Durham’s sweeping materiality claims, it might have an impact on discovery.

It has to do with the theory that Alfa Bank has about the DNS anomalies, a theory that Durham seems to share: that the data was faked.

As Alfa laid out in its now abandoned John Doe lawsuits, it claims that the anomalous DNS traffic that Michael Sussmann shared with the FBI in September 2016 was faked. The bank appears to believe not just that the data was faked, but that April Lorenzen is involved in some way. For example, it describes that Tea Leaves and “two accomplices” were sources for Franklin Foer (though elsewhere, the lawsuit claims that Tea Leaves was pointed to the data by the unknown John Doe defendants).

Durham seems even more sure that Lorenzen is the culprit. For example, he always refers to the data as “purported.” He refers to Lorenzen as “Originator-1” rather than “Data Scientist-1” or “Tea Leaves,” insinuating she fabricated the data. And when Sussmann asked for all evidence indicating that Durham had bullied witnesses, Durham provided emails involving Lorenzen’s lawyers.

Alfa Bank might be excused for imagining that Lorenzen is the primary culprit to have fabricated the data. According to Krypt3ia, when Alfa asked him for his communications, he only had one email, with a different journalist, to share. They quite clearly don’t understand that someone else was involved in publicizing these claims.

Durham doesn’t have the same excuse.

That’s because DOJ – of which Durham remains a part – knows at least some of the details about “Phil” that I laid out in my last post. Because they would have checked Twitter to vet some of my most basic claims, they almost certainly obtained the Twitter DMs (or at least the metadata) showing that Phil brokered the tie between Krypt3ia and the NYT.

To be clear: I have no evidence that Phil altered the DNS records. I’m agnostic about what caused the anomaly (though am convinced that the experts involved believe the anomaly is real, even if they offer varying explanations for the cause). But Durham has made the source of the anomaly an issue to bolster his claims about materiality. And, as Sussmann noted in a recent filing, “Much as the Special Counsel may now wish to ignore the allegations in the Indictment, he is bound by them.” So, it seems, Durham’s on the hook for telling Sussmann if DOJ knows of anyone else involved in pushing the Alfa Bank story who could be a possible culprit for fabricating the data, especially if that person was known to have clandestinely signed a comment, “Guccifer 2.0.”

Phil probably faked a BGP hijack

The fact that Phil alerted the NYT to the Russian proxy of Lorenzen’s data matters not just because he had, months earlier, claimed to work for an FSB-led company and, even before that, claimed to have been coerced by Russian intelligence at an overseas meeting before the known DNC operation started.

It also matters because (I believe) Phil faked an Internet routing record in the same month the Alfa/Trump/Spectrum anomalies started.

In May 2016, Phil shared what he claimed was a traceroute of a request to my site, an Internet routing record that is different than but related to the DNS records at the heart of the Alfa Bank story. The screencap he sent me purported to show that a request to my site had been routed through (to the best of my memory) some L3 routers in Chicago, to Australia, back to those L3 switches, to my site. Phil was claiming to show me proof that someone had diverted requests to my site overseas along the way – what is known as a BGP hijack. Phil showed this to me in the wake and context of a DDOS attack that had brought my site down for days, an attack which led me to rebuild my site, change hosts, and add Cloudflare DDOS protection.

May 2016, the month Phil showed me what I believe to be a faked traceroute, is the same month the anomalous traffic involving Alfa Bank, Spectrum Health, and a Trump-related server started.

Phil used that traceroute to claim that the US intelligence community was diverting and spying on traffic to my website.

The claim made no sense. The only thing that diverting my traffic would get spies is access to my readers’ metadata, which would be readily accessible via easier means, including with a subpoena to my host provider. Aside from a bunch of drafts that I’ve decided didn’t merit publication, there’s no non-public content on my site. I was not competent (and did not ask others) to assess the validity of the screencap itself, but I considered it unreliable because it didn’t show the query or originating IP address behind the record, which would be needed to test its provenance.

I don’t have that original traceroute (I replaced my phone not long after he sent it). But in June 2016 he shared a reverse DNS look-up related to my site that wasn’t altered but in which Phil invoked the earlier one.

I corrected him in this case – this IP address was readily explainable; it was Cloudflare (which Phil surely knew). But Phil nevertheless repeated his earlier claim that “they” were hijacking my traffic.

When I said that Phil had been tracking how requests to my site worked for some time before he left a comment signed [email protected] in July 2016, this weeks-long exchange is what I was referring to. He had, effectively, been watching as I added Cloudflare protection to my site.

These screencaps show that Phil, who months later would play a role in pushing the Alfa Bank story, was using DNS records — real and possibly faked — as a prop in a false story.

Phil tracked DOD contracts closely

That’s not the only detail that DOJ may know about that Durham should consider before insinuating that Lorenzen is the most likely culprit if this data was fabricated. DOJ may know that Phil tracked DOD contracts very closely. That’s important because it explains how Phil could have learned researchers would be looking closely at DNS records.

For years, I’ve believed that the Alfa-Trump-Spectrum Health effort was disinformation, because so much of what came out that year was and because I viewed the Spectrum Health stuff to be such a reach. My belief it might be disinformation only grew stronger when I discovered the focus on Spectrum Health, with its link to Erik Prince’s sister’s spouse, came just after Prince had asked Roger Stone about his efforts to reach out to WikiLeaks.

Certainly, Putin exploited the allegations afterwards to his advantage. He used them to push Alfa Bank’s Petr Aven to take a primary role in reaching out to Trump during the transition, at least as recounted in the Mueller Report.

According to Aven, at his Q4 2016 one-on-one meeting with Putin,[981] Putin raised the prospect that the United States would impose additional sanctions on Russian interests, including sanctions against Aven and/or Alfa-Bank.[982] Putin suggested that Aven needed to take steps to protect himself and Alfa-Bank.[983]

[981] At the time of his Q4 2016 meeting with Putin, Aven was generally aware of the press coverage about Russian interference in the U.S. election. According to Aven, he did not discuss that topic with Putin at any point, and Putin did not mention the rationale behind the threat of new sanctions.

Aven even used Richard Burt, one of the people scrutinized by the Fusion and DNS research, to reach out to Trump, effectively pursuing precisely the back channel between Alfa and Trump that Fusion suspected months earlier.

The relevant part of Aven’s interview is redacted, so it’s not clear whether Aven mentioned that Alfa Bank had been a key focus of the interference allegations. But that’s the presumptive subtext: along with the Steele dossier, the DNS anomaly – both of which, in several lawsuits since, Aven or Alfa have claimed were “gravely damaging” – raised suspicions about Alfa Bank and made it more likely the bank would be sanctioned than had been the case previously.

And before the bank did get sanctioned last month, Alfa was using the DNS anomaly to conduct a lawfare campaign to learn how the US uses DNS tracking to thwart hacks (one wonders if Putin ordered that campaign, like he personally ordered Aven to reach out to Trump). That campaign even got a bunch of frothy right-wingers to decry efforts to prevent and detect nation-state hacks on the US. So at the very least, Russia has exploited the Alfa-Trump allegations to great benefit, one measure of whether something could be deliberate disinformation.

But as I’ve talked to people who’ve tried to figure out what the anomaly was – including experts who believed it did reflect real communication as well as some who didn’t – they always explained that seeding disinformation in such a fashion would be useless. That’s because you couldn’t ensure that any disinformation you planted would be seen. That is, unlike the Steele dossier, which was being collected by an Oleg Deripaska associate and shared with the press (and for which there’s far more evidence Russia used it to plant disinformation), you could never expect the disinformation to be noisy enough to attract the desired attention.

In the years since the original story, how researchers who found the anomalous data obtained the DNS data has driven a lot of the hostility behind it. The researchers have tried to hide where they got the data for proprietary and cybersecurity reasons. John Durham has alleged there was some legal impropriety behind using it, even when used (as the researchers understood they were doing) to research ongoing nation-state hacks. And Alfa Bank was using lawfare to try to find out as much about the means by which this DNS traffic was observed by cybersecurity experts as possible. The full story of how the researchers accessed the data has yet to be reported, but as I understand it, there’s more complexity to the question than initially made out or than has made it into Durham’s court filings. That complexity would make it even harder to anticipate where DNS researchers were looking. So, multiple experts told me, it would be crazy to imagine anyone would have thought to seed disinformation in DNS records expecting it’d get picked up via those collection points in 2016, because no one would have expected anyone was observing all those collection points.

If a Fancy Bear shits in the DNS woods but there’s no one there to see it, did it really happen?

But there was, in fact, a way to anticipate it might get seen.

As the Sussmann indictment vaguely alluded to and this NYT story laid out in detail, researchers found the DNS anomalies in the context of preparing a bid for a DARPA research contract.

The involvement of the researchers traces back to the spring of 2016. DARPA, the Pentagon’s research funding agency, wanted to commission data scientists to develop the use of so-called DNS logs, records of when servers have prepared to communicate with other servers over the internet, as a tool for hacking investigations.

DARPA identified Georgia Tech as a potential recipient of funding and encouraged researchers there to develop examples. Mr. Antonakakis and Mr. Dagon reached out to Mr. Joffe to gain access to Neustar’s repository of DNS logs, people familiar with the matter said, and began sifting them.

Separately, when the news broke in June 2016 that Russia had hacked the Democratic National Committee’s servers, Mr. Dagon and Ms. Lorenzen began talking at a conference about whether such data might uncover other election-related hacking.

The DOD bidding process provided public notice that DARPA was asking researchers to explore multiple ways, including DNS traffic, to attribute persistent hacking campaigns in real time.

The initial DARPA RFP was posted on April 22, 2016, ten days before the anomalous traffic started but well after the Russian hacking campaign had launched (documents FOIAed by the frothers reveal that the project was under discussion for months before that). This RFP provided a way for anyone who tracked DOD contracts closely to know that people would be looking and the announcement itself included DNS records and network infrastructure among its desired measurements. Depending on the means by which DARPA communicated about the contract, it might also provide a way to find out who would be looking and how and where they would be looking, though as I understand it, the team at Georgia Tech would have been an obvious choice in any case.

Phil tracked DOD contracts very closely. In September 2016, for example, he sent me a text alerting me to a new Dataminr contract just 66 minutes after I published a post about the company (I later wrote up the contract).

Phil also told me, verbally, he was checking what contracts DOD had with one of the US tech companies for which a back door was exposed in summer 2016. He claimed he was doing so to see how badly the government had fucked itself with its failure to disclose the vulnerability. By memory (though I am not certain), I believe it was Juniper Networks, in the wake of the Shadow Brokers release of an NSA exploit targeting the company.

And even on top of Phil’s efforts to convince me that the DNC hack wasn’t done by APT 28, DOJ has other evidence that Phil tracked APT attribution efforts closely, even using official government resources to do so. So it would be unsurprising if he had taken an interest in a contract on APT attribution in real time.

Durham may have access to some or all of this

Durham insinuates the DNS records are faked and he appears to want to blame Lorenzen for faking them. But he may be ignoring evidence in DOJ’s possession that someone else who, I’ve now confirmed, played at least a minor role in pushing the Alfa Bank story was using Internet routing records, possibly faked, to support a false story in May 2016.

To be sure: while I know the investigation into Phil continued at least the better part of a year after my FBI interview about him, any feedback I’ve gotten about that investigation has been deliberately vague. So aside from the obvious things – like the Twitter records that would show Phil’s DMs with Krypt3ia and Nicole Perloth – I can’t be sure what is in DOJ’s possession.

I don’t even know whether the 302 from my FBI interview would mention Phil’s pitch of the Alfa Bank story to me. It was on a list of the things I had intended to describe in that interview. But I didn’t work from the list in the interview itself and I have no affirmative memory of having mentioned it. If I did, it would have amounted to me saying little more than, “he also was pushing the Alfa Bank story.”

That said, unless the FBI agents were epically incompetent, my 302 should mention Alfa Bank, because I’m absolutely certain I raised this post and its emphasis on the inclusion of Alfa Bank in an alarming April 2017 BGP hijack.

And in fact, there’s a way Durham could have found out about Phil’s role in the Alfa Bank story independent of my FBI interview. Of just two people in the US government with whom I shared some of the Alfa Bank-related texts I exchanged with Phil (both were Republicans), one was centrally involved in the investigations that fed into the Durham investigation. If this stuff matters, Durham should ask why several of his key source investigations didn’t focus on it.

Durham should know that Phil had a role in the Alfa Bank story.

And given his insinuations in the indictment that Lorenzen fabricated DNS data in May 2016, making the insinuation part of his materiality claims, Durham may be obligated to tell Michael Sussmann that DOJ already knows of someone who was pushing the Alfa Bank story who used DNS data to tell a false story in May and June 2016.

61 replies
    • emptywheel says:

      Yup. At the beginning of this process I assumed he would know. Now I’m fairly certain he has no idea.

      • Peterr says:

        I suspect that either Durham’s staff or Sussmann’s lawyers will inform him of this in short order — and I’d lean toward Sussmann’s lawyers beating the staff to it.

        • BobCon says:

          I would guess that Durham himself has deliberately stayed in the dark about a lot things. I think that would explain a lot about how he has operated.

          I think parts of his team are more likely to be aware, but even then I suspect there is a lot of compartmentalization of the conspiracy theories.

          And then I think there is the larger circle around the team, and odds are strong someone there is well aware of the players, even if there is still a lot of cluelessness about technical details.

      • Rugger9 says:

        ‘Plausible deniability’ might come in handy for political discourse and dirty tricks, but it seems rather counterproductive to play that game in court regarding a case that is already on thin ice.

        What does Durham gain, except for publicity and potentially a bar referral?

        • Phil says:

          He gains headlines that whip up the base and reinforces their need to be victims. The guy has been covering up for republicans and bashing democrats for years.

          The fact that he is still in the DOJ proves that it has a right wing culture that overlooks this kind of dishonesty.

          [Welcome back to emptywheel. SECOND REQUEST: Please use a more differentiated username when you comment next as we have several community members named “Phil” or “Philip” as requested on February 3. Thanks. /~Rayne]

  1. Silly but True says:

    This is all fascinating, and certainly distracting.

    Phil appears to be an epitome of the phrase “smiley glad-hands with hidden agendas” from Tool’s Aenema.

    Whether the US was watching people who visit EW, given past government conduct against the Jameses Risen and Rosen, Thomas Drake, et al. over the years, things like Holder's surveillance of the NYT and AP, or Brennan's crusade against "leakers" during the Congressional torture investigation, and all of the surveillance of journalists over Mueller investigation leaks, I'm agnostic towards allegations of the government's efforts against journalists and whistleblowers; clearly our government has engaged in shenanigans on many occasions, so it's not out of the realm of possibility.

    At this point I hope it didn’t but it would not surprise me if it did.

  2. Tech Support says:

    While I am loath to second guess EW's logic, I've struggled to embrace the idea that this whole Alfa Bank/DNS hoo-hah was worthless. The absence of some affirmative explanation for the researchers' findings has gnawed at me.

    (Insert picture of chain-smoking guy gesturing at wall of clippings and string here)

    Suddenly, how and why this DNS traffic is a load of BS makes a whole lot more sense. I genuinely feel better!

    One other thought. This “Phil” guy… even assuming this dude is a foreign spook of some sort, I’m amazed at how familiar his patterns of speech are. The basic tactics of fast-talking others are universal. Quadruple blind? /eyeroll

  3. DAT says:

    I said this in another thread, but added it just before it was closed. Therefore I’ll repeat myself. Spectrum Health, (My provider), would have physical addresses tied to phone # and email. That could be mined to tie disinformation consumers to specific political districts of interest to disinformation brokers. In other words, exfiltration of huge tranches of Spectrum Health info is not, on its face, valueless noise and meaningless chaff.

    • bmaz says:

      Do you follow Dissent Doe, aka @PogoWasRight, on twitter? You should, she is the best on medical and business records vis a vis privacy concerns and breaches. She is also a friend to us and this blog forever.

    • Ken Muldrew says:

      If I remember correctly, these are just huge tranches of DNS lookups. It’s fair to speculate that these lookups were related to the transfer of Spectrum Health information, but that’s just a guess; there is no evidence of any communication beyond the DNS records.

    • Dopey-o says:

      Spectrum Health client data would cover a small percentage of US voters, and I presume could be important toward flipping Michigan red in 2016. That’s a lot of effort for a small return.

      But other states were necessary to put Trump in the White House, if that was the goal. Why have we not seen similar attempts against entities in Florida, Georgia, Pennsylvania, Wisconsin, Arizona, etc?

      • Legonaut says:

        Given the obscurity of the “evidence” involving Spectrum (DNS records most likely to be ignored/missed if someone wasn’t pushing it), the question immediately arises: “Has anyone looked?”

        Followed by: “Would you know it if you found it?”

        Pareidolia is a horrible disease.

    • Rayne says:

      Except Spectrum is located in an area which trends GOP. Had this been a health care provider in the Metro Detroit area, specifically Oakland County, this would make more sense but nope. Clinton wasn’t going to win Grand Rapids and Kent County.
      Michigan 2016 presidential results by county
      The far better place to get highly-granular data related to voters’ political leanings was Facebook.

      • Ginevra diBenci says:

        Rayne, your map makes it graphically clear why the Trump Campaign’s antics in Antrim County were so absurd. I try to explain it to my Michignorant friends, but a picture’s worth an infinitude of statistics.

        • Rayne says:

          I wish I could tell you how woodtick-type redneck conservative Antrim County is. It's sooooo white, less than 24,000 people in the entire county. There's no way in hell the votes from that county would throw an election unless the entire election needed to be recounted.

          Or go to Google Maps, open satellite view, try to find the gigantic metropolis which is Antrim's county seat.

          • Molly Pitcher says:

            Hey, they have 1 2/3 lakes and some actual brick buildings. You are kind of big city snooty about that woodtick thing. They have doubled their population since 1950. Sheesh.

            • Rayne says:

              LOL My husband’s family had a farm directly across from Antrim county on the west arm of Traverse Bay. My mom’s family is as woodtick as they can get from the UP where population is even thinner than Antrim and they have a lot fewer golf course resorts.

              I guess I’m saying I’m part woodtick and I sleep with a son-of-a-woodtick. We made part-woodtick babies. I know my woodticks.

                • Rayne says:

                  Let me check my garage…the son-of-a-woodtick has been woodworking all week, must be a 2-car garage full of pine and cedar right now.

                  • punaise says:

                    Bostonian Charles P Pierce at Esquire:

                    This isn’t a county road crew. Nobody’s getting one of these jobs because they have an uncle on the governor’s council. If the DOJ wants a 131-lawyer boost, it’s because the DOJ believes there will be plenty of work for the new folks to do. And it likely will not entirely involve running down people in deer camps in rural Pennsylvania or upper Michigan.

                    • Rayne says:

                      Venison summer sausage and jerky are worth the trip though, eh?

                      And lots of golf in the summer.

                    • punaise says:

                      @ Rayne: tempting: Come for the golf and tasty treats, stay for the anarchy, sedition and doomsday prepping!

                    • earlofhuntingdon says:

                      First encountered Gustafson’s on an Eagle Scout trip to Pictured Rocks. Best beef and venison jerky on the planet. Thankfully, it delivers.

    • CJ says:

      Physical addresses, phone numbers, and emails for voters are very readily commercially available; there would be no need to exfiltrate them from Spectrum, even for an op conducted on behalf of an unfriendly country … particularly since said country had warm relations with several players who would definitely have copies of such databases; indeed, they’d built businesses that used them.

      • Rayne says:

        Yes, voter records can be bought — or not. There was a hubbub at one point a few years ago (I think I might even have mentioned this in a post back then) that a database containing ~190 million voter records was out on the dark web. That would have been the records of every voter over a 16-20 year timespan since not every American votes in every election.

        What would weaponize this list is cross-indexing content from social media which could help identify those voters of any party affiliation which ones were most vulnerable to manipulation. Health care provider database wouldn’t be needed to do this, IMO.

        And in Michigan somebody likely did this successfully; there was a record undervote of 80,000 voters (voted down ticket leaving POTUS unselected/open) while Trump’s win margin was only 10,000 votes. Somebody/ies may have persuaded +80K voters not to bother with picking POTUS.

        • CJ says:

          Exactly. Plenty of reason for people to use a voter file to mobilize (or anti-mobilize) people for their own reasons; no reason to hack local health providers to try to construct your own.

          … particularly since Michigan sells their list of voters for $23, which you then enrich by cross-referencing against the many marketing databases out there that have contact details. The state won't give you voter history, unlike say Mississippi, but Spectrum wouldn't have it, either.

  4. Doctor My Eyes says:

    Well, I’m just too late to this story line to follow very well, except to notice that in some ways it’s beginning to feel like a soap opera, in which the viewer can jump in at any point and expect to be entertained even as the story circles around familiar actors and plots while never reaching a resolution.

    So, I comment here only to remark how in awe I am of the grounded nature of Ms Wheeler. Is her mind safely protected in a jar several miles underground, free from the static of emotional stress? I long ago would have spun off into paranoid fantasies that would have clouded my thinking for at least a decade. One wonders if perhaps certain actors were hoping for such a neutralization of the Great Nemesis of Disinformers.

    Rarified clarity indeed, and a precious commodity in this fraught world.

  5. Savage Librarian says:

    Speaking of hospitals and data, remember this? This might sound a little off the wall, but it wouldn’t surprise me if “Phil” is somehow adjacent to Rudy, too.

    “L’Affaire Hampshire: Did Rudy Giuliani use a cheating scandal as cover for an illicit medical data operation?” – Portlus Glam, 9/4/18

    • klynn says:

      Key paragraph from the article:
      Wylie’s documents proved Cambridge Analytica had illegally harvested the Facebook data of over 50 million users and used it to build psychographic profiles of voters. In testimony before the Senate Judiciary Committee, Wylie described the tool he helped Bannon develop as a weapon of psychological warfare:
      “Cambridge Analytica sought to identify mental and emotional characteristics in certain subsets of the American population and worked to exploit them by designing them to activate some of the worst vulnerabilities in people, such as neuroticism, paranoia and racial biases,” Wylie said.

      I constantly wondered after Wylie’s testimony why Bannon was not charged for an act of war against US citizens? But activating a group of citizens in this manner would sure be helpful in a “Stop The Steal” plan. IANAL.

    • Eureka says:

      I do remember, and had also noted that that particular author (very vigilant re Rudy & Ukraine back in the day) has not seemed to be around in awhile.

        • Eureka says:

          Well the Russians are notorious hospital/health system hackers[/biomedical research, etc.] — for lots of reasons. I can’t think of an example atm pre-dating 2016 tho plenty in the interim — had just added something related on the Clarence Thomas page that closed.

          See also:

          So on that account we can set aside the NH hospital thing (from the piece) — which as far as we know is completely unrelated [or could be grift/ multitasking etc.] and also Spectrum Health. [As necessary data points.]

          [One coincident note that I will make about that NH hospital getting a new records system: news sources had indicated they were being probed or whatever / prompted to do so by external events. That is not only a set-up for “Oh, you have this problem (that my affiliates caused), here, let me help you with that”, but resembles the pattern with the attacks on EW’s site and Phil waiting in the wings to be “helpful” (in this case with gaslighting attributions and “evidence”).]

          I see what you’re saying wrt Wylie’s testimony. The thing about Spectrum is there’s no consensus about the DNS data, much less evidence that data were exfiltrated.

          We don’t know and I don’t know what evidence it would take, or that it’s available, for us _to_ know.

          If you go back to EW’s part one on this, note the dates Phil is trying to publicize this and my comment about it happening during the delayed WL release (which should have been for Oct 4th anniversary or maybe the 3rd) (big mouth Roger Stone, among others).

          That's another data point IMO that goes towards this all being a false-attribution disinfo scam so they could discredit our IC's eventual public attribution re the DNC etc. hacks. Seems to me like they shifted to another iron in the fire. (But they are multitaskers, so if there were data they could get…)

          • klynn says:

            Thanks for your insights Eureka.

            I'm going to go OT and shout out to Rayne. So, I've been waiting for MSM to say, "Our bad, Mr. President, for criticizing your 'For God's sake, this man cannot remain in power' comment."

            It was spoken within a serious context of peace negotiators being poisoned.

            It’s a news bit getting buried.

            • Rayne says:

              Yeah, I think there’s so much to that meeting which hasn’t been examined. When you poison your own representative you’re sending a massive Fuck You to the entire process. Just mind boggling anyone would give Putin the benefit of the doubt at this point.

              Why aren’t analysts and journalists asking if Putin may do even worse if he’s willing to send that kind of Trojan horse to the first serious negotiation?

              • earlofhuntingdon says:

                Do "analysts and journalists" include Bret Stephens? Because he's still selling the line that Vlad's not such a bad guy.

                • Rayne says:

                  I read that POS apologia for mass murder of civilians. I can’t believe I subjected myself to that wretchedness.

                  Bret Stephens isn't a journalist; he's never done investigative work and reported facts. He's a hack and a right-wing shill, has been since he was in college.

  6. Zinsky says:

    Again, outstanding cyber research and analysis. I know a fair amount about cybersecurity and the notion that these DNS lookups were “spoofed” is highly improbable. First, it would be difficult and second there would be no assurance that it would be noticed and appropriately examined. Color me doubtful of Durham’s assertion.

  7. Tom R. says:

    There are several ways to interpret the facts. The exciting ways make no sense.

    * Scenario #1: This is totally nefarious data exfiltration. That doesn’t make any sense, because there are other ways of accomplishing the same goal more easily and more securely. Use Tor. Use an innocuous middleman or two, rather than going directly from mail1.trump-email dot com to alfabank dot com.

    Also, most election-related data is relatively static, so there’s little sense in sending updates more than once per day. Look up the DNS record once, use that to set up a file transfer, and transfer today’s update all at once.

    * Scenario #2: As Durham says, it’s a provocation, intended to confuse the FBI and sully TFG’s campaign. This makes no sense for multiple reasons:

    2a) If Joffe et al. knew the DNS data was fake, they would not have dared tell the FBI about it, directly or through Sussmann, because the FBI would ask the NSA to look at all the traffic (DNS and otherwise). The fakery would have been discovered instantly.

    Durham surely knows this.

    2b) It would have been trivial for somebody in Moscow, or in Kyiv, or in lots of other places to generate bogus DNS lookups and blame them on Alfa Bank, without the bank even knowing about it, just by injecting UDP port 53 packets with a fake source IP address.

    Durham surely knows that even if the data is fake, he will have a hard time proving who faked it.

    This sort of fakery would be almost as self-defeating as (2a). As soon as the DNS nonsense was reported, the NSA would have gone looking for related file transfer traffic, and wouldn’t have found any.

    * Scenario #3: It could be just a snafu. It could be just people drawing constellations in the sky and constructing elaborate stories about them.

    It is reported that Alfa Bank looked up mail1.trump-email dot com 2820 times in approximately 4 months. The allegedly “large” number of lookups is a nothingburger. It works out to roughly 23 times per day; maybe exactly 24 times per day, depending on details. This is what you would expect if the DNS A record has a time-to-live of one hour. There is nothing the least bit nefarious about that; right now has a 1 hour TTL and has a 5 minute TTL, presumably not because they are exfiltrating data via DNS.

    In this scenario, it’s not clear why Alfa Bank would contact mail1.trump-email dot com at all. There are innumerable possible explanations for this. One possibility is that somebody could send a bogus email to Alfa Bank, accidentally or otherwise, and the bank’s server would try to bounce it.

    * Leftovers:

    It seems Durham has decided that Sussmann must be an Enemy of the State because he dared to suggest that the campaign might be communicating with the Russians. That’s a bit rich, given that Manafort shared campaign data with Kilimnik.

    In all scenarios, it is relevant to the story that mail1.trump-email dot com was essentially idle. A more active server would have had thousands of DNS lookups per hour, and the Alfa Bank lookups would have exhibited a much smaller signal-to-noise ratio.

    In scenario 1, it does not make sense for Alfa Bank to be involved with the exfiltration. In 2016 it was one of the few banks not in Putin’s pocket. It was reportedly not involved in the supposed financing of the supposed Trump Tower Moscow. It was not included in the sanctions imposed in 2014. Lots of other agencies were better positioned to receive the data.

    Similar words apply to scenario 2: If it’s a provocation, there’s no reason to pin it on Alfa Bank, when there are other more-plausible donkeys to pin it on.

    Reportedly on Friday Sep. 23rd 2016 the DNS A record for mail1.trump-email dot com was deleted. This did not take the machine offline or change its address; it was still there at A few days later it was discovered that a different name, i.e. dot com, was pointing to the same address. There is nothing remarkable about this. Commonly there are many domain names pointing to the same IP address.

    I don’t know who deleted the A record or why. For all I know it could have been routine housecleaning. In any case, it’s hard to see this as part of a nefarious plot. If you are running a crack house and you abandon it because the cops are closing in, you don’t simply choose a new name and resume operations 4 days later at the same address.

    Historical reference: Dexter Filkins summarizes what was known in 2018:
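A lookup-cadence check of the kind Tom R.'s TTL arithmetic implies, as an added example that is not part of his comment or of the post: it separates one name being refreshed at cache expiry (gaps near the TTL, ~24 lookups a day for a 1-hour TTL) from the shape DNS-carried data takes (many distinct labels at a far higher rate). The log lines, host names and the helper functions are constructed for this example.

```python
"""Cadence check for a DNS query log: does repeated resolution of one name
look like ordinary resolver cache expiry (one name, gaps near the record's
TTL), or like DNS-carried data (many unique labels, a much higher rate)?
Example code added here; the log lines are constructed and are not the real
Alfa Bank / trump-email.com records."""
from datetime import datetime, timedelta
from statistics import median

def expected_lookups(ttl_seconds, days):
    """Lookups one caching resolver makes if it refreshes at every TTL expiry."""
    return days * 86400 / ttl_seconds

def parse_log(lines):
    """Parse constructed '<ISO timestamp> <qname>' lines into (datetime, qname)."""
    events = []
    for line in lines:
        ts, qname = line.split()
        events.append((datetime.fromisoformat(ts), qname.lower().rstrip(".")))
    return events

def cadence_summary(events, ttl_seconds):
    """Rate, median inter-query gap, distinct names, and a verdict on whether
    the pattern matches cache refresh of a single name at roughly the TTL."""
    times = sorted(t for t, _ in events)
    names = {q for _, q in events}
    span_days = max((times[-1] - times[0]).total_seconds(), 1) / 86400
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    med = median(gaps) if gaps else 0.0
    return {
        "per_day": len(times) / span_days,
        "median_gap_s": med,
        "unique_names": len(names),
        "ttl_consistent": len(names) == 1 and abs(med - ttl_seconds) <= 0.1 * ttl_seconds,
    }

def constructed_log(start, count, gap_s, name_fn):
    """Build a constructed log: `count` queries, `gap_s` apart, names from name_fn(i)."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * gap_s)).isoformat()} {name_fn(i)}"
            for i in range(count)]

# One name refreshed every hour (1h TTL): ~24 lookups/day, the figure in the comment.
CACHE_LOG = constructed_log("2016-05-04T00:00:00", 240, 3600, lambda i: "mail1.example-host.test")
# Distinct labels under one zone every 5 seconds: the shape DNS-carried data takes.
TUNNEL_LOG = constructed_log("2016-05-04T00:00:00", 240, 5, lambda i: f"{i:08x}.data.example-host.test")

if __name__ == "__main__":
    print(round(expected_lookups(3600, 120)))  # 2880 over ~4 months at a 1h TTL
    print(cadence_summary(parse_log(CACHE_LOG), 3600))
    print(cadence_summary(parse_log(TUNNEL_LOG), 3600))
```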
