A long-running fight over accusations of computer links between Donald Trump and a Russian bank has intensified recently, shedding new light on how the government uses obscure Internet data to hunt for hackers and underscoring how the legal battles rage on regarding the 2016 presidential race.
When the claim first surfaced, some computer researchers argued that the DNS data, while not definitive, indicated human communications between the Trump Organization and Russia. Other experts dismissed that idea, saying the nature of the data made it easy to create a fake trail.
The fight over what the Alfa Bank computer data did or didn’t show largely faded from public view. But it roared back to life this fall.
In September, special counsel John Durham indicted Michael Sussmann, a lawyer with ties to Democrats, on charges that he lied to the FBI in 2016 about who his client was when he brought the bureau information about the Alfa Bank computer allegations. Sussmann has pleaded not guilty.
Separately, Alfa Bank is suing a number of unknown hackers — “John Does” — who the bank claims fabricated data to “create the false appearance of a covert communication channel between Alfa Bank and the Trump Organization.” As part of that lawsuit, the bank has sought to subpoena the researchers who initially raised concerns about Alfa’s DNS records.
Lawyers for some of those researchers argue Alfa Bank’s suit is an improper effort to use information from Durham’s investigation to help Russian interests better understand how the U.S. government detects and gathers evidence against hackers.
The lawsuit “is a Trojan horse to monitor what is transpiring before a federal grand jury exploring the same matters, and serves as an information-gathering tool about U.S. cybersecurity methods and means to benefit the Russian political regime,” attorneys for two of the researchers wrote this month to the Florida judge overseeing the lawsuit.
The lawsuit, now nearly a year and a half old, has yet to identify any of the John Doe defendants. It has spawned court fights in several states as some computer experts resist the bank’s demands for information, decrying the case as an attempt to silence or punish security experts.
At a court hearing last week in Fairfax, Michael McIntosh, a lawyer for the bank, said the Sussmann indictment “supports key elements of Alfa Bank’s complaint.” At the same time, he insisted there was nothing untoward about subpoenaing people who attorneys believe have relevant information.
The indictment says the FBI investigated the computer links and concluded “there was insufficient evidence to support the allegations of a secret communications channel” between the bank and Trump’s business. Among other things, it said, “the email server at issue was not owned or operated by the Trump Organization, but rather, had been administered by a mass marketing email company that sent advertisements for Trump hotels and hundreds of other clients.”
The same indictment also detailed the role one of Sussmann’s clients — Internet entrepreneur Rodney Joffe, identified only as “Tech Executive-1” — played in examining the DNS data that Sussmann brought to the FBI.
Now, Joffe’s lawyers are fighting a subpoena from Alfa Bank. Joffe’s attorney Steven Tyrrell urged Fairfax County Judge Thomas Mann to quash Alfa Bank’s subpoena, noting that a Rhode Island judge had ruled earlier in the week against Alfa’s effort to subpoena computer researcher April Lorenzen.
In that case, Judge Sarah Taft-Carter found the bank’s requests were too far-reaching, “equate to a fishing expedition, fail to satisfy the relevancy requirement, and constitute an abuse” of the legal fact-finding process. She also ruled that there was no reason to believe that Alfa’s requests for information “would reasonably lead to the identification of the John Doe Defendants.”
Mann, however, ruled in Alfa Bank’s favor and against Joffe, who until his recent retirement helped build and lead companies that hold vast quantities of DNS data. Cybersecurity experts say those companies are valuable sources of information for the FBI and other agencies investigating transnational hackers because researchers can search the data for unusual patterns of connections between computers.
In 2013, Joffe was the recipient of an FBI Director’s Award for helping the government tackle a global botnet operation. At the court hearing in Fairfax, Tyrrell also said Joffe’s work was important in the government’s response to the 2020 hack of SolarWinds, a Texas-based company whose software was breached in a major Russian cyberattack.
Joffe’s role in the events of 2016 has come under particular scrutiny from both Durham and Alfa Bank, pulling back the curtain on how the government uses DNS records to build cases against hackers.
“As part of their lawyer-client relationship,” Sussmann, Joffe, another lawyer at Sussmann’s firm and “individuals acting on behalf” of the campaign of Democrat Hillary Clinton worked together “to share information about the Russian Bank Data with the media and others, claiming that it demonstrated the existence of a secret communications channel,” the indictment says.
The government does not hold large volumes of DNS data itself but has contracts with companies to search their information, according to several computer experts familiar with the practice. Those searches do not require warrants. Government lawyers do not believe the DNS data searches raise privacy concerns because the data shows computers talking to each other but does not identify the people or firms behind those Internet addresses.
Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, Calif., who turned over a small number of emails in response to an Alfa Bank subpoena, said the original DNS data about Alfa Bank does suggest human communication through the two computer systems. But he said the details of exactly what information was traveling back and forth in 2016 are no longer particularly important because much more is known now about the Trump Organization’s interactions with Russian entities during that time.
David Monnier, a cybersecurity expert at Team Cymru, said DNS data can be “very useful” to law enforcement, particularly in helping spot instances when a host computer is infected “because once a computer is infected, it typically looks up for a command-and-control server … so you’ll often see that pattern of looking up a host every couple minutes, a kind of heartbeat.”
When they find suspicious connections in DNS data, the FBI or other agencies may seek more information from Internet service providers, these people said. But without further investigation with more data, said Monnier, it’s difficult to draw many conclusions.
“It gets tricky when you try to validate a single connection,” he said. “It is easily spoofed. I could make a request for a domain claiming to be you asking for the resolution of the IP address, even though you’re not doing the lookup.”
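The two points Monnier makes, that a recurring lookup every couple of minutes is the "heartbeat" analysts look for and that a single lookup proves little because a query can be forged, can be shown with a small triage script over passive DNS records. The following is an added example written for this article, not code from any company or agency named in it; the log lines, hosts, addresses and the thresholds (five lookups, 10 percent interval jitter) are all constructed for illustration.

```python
"""Flag periodic ("heartbeat") DNS lookups in a passive-DNS style log.

Added example for illustration only. A lookup repeated at near-constant
intervals is a pattern worth triaging; a lone lookup is ignored because,
on its own, it could have been forged and carries little evidence.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "timestamp client qname qtype". The hosts and
# addresses are invented and correspond to no real organization.
SAMPLE_LOG = """\
2016-09-01T10:00:00 10.0.0.5 update.example-cdn.test A
2016-09-01T10:02:01 10.0.0.5 update.example-cdn.test A
2016-09-01T10:04:00 10.0.0.5 update.example-cdn.test A
2016-09-01T10:05:59 10.0.0.5 update.example-cdn.test A
2016-09-01T10:08:01 10.0.0.5 update.example-cdn.test A
2016-09-01T10:10:00 10.0.0.5 update.example-cdn.test A
2016-09-01T10:00:30 10.0.0.7 news.example.test A
2016-09-01T10:47:12 10.0.0.7 mail.example.test MX
2016-09-01T11:03:40 10.0.0.7 news.example.test A
2016-09-01T10:01:00 10.0.0.9 lonely.example.test A
"""


def parse_log(text):
    """Parse 'timestamp client qname qtype' lines; skip blank or malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "qtype": qtype,
        })
    return records


def find_beacons(records, min_queries=5, max_cv=0.1):
    """Group lookups by (client, qname) and keep the series that look periodic.

    A series qualifies when it has at least min_queries observations and the
    coefficient of variation (stdev / mean) of the gaps between successive
    lookups is at or below max_cv. Both thresholds are hypothetical and would
    be tuned against real traffic.
    """
    series = defaultdict(list)
    for r in records:
        series[(r["client"], r["qname"])].append(r["ts"])

    beacons = {}
    for key, times in series.items():
        if len(times) < min_queries:
            continue  # one or two lookups are not a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (client, qname), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {qname}: {info['count']} lookups, "
              f"every ~{info['mean_interval']:.0f}s (cv={info['cv']:.3f})")
```

On the constructed input only the 10.0.0.5 series is reported (six lookups roughly two minutes apart), while the single lookup from 10.0.0.9 and the two irregular ones from 10.0.0.7 are not, which is the point of the article's caveat: a flagged heartbeat is a lead to follow up with the ISP or further data, not a conclusion by itself.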
He scoffed at the notion that a deeper public understanding of how the government uses DNS data to hunt computer criminals would reveal U.S. secrets to hackers or foreign governments like Russia.
“This isn’t secret sauce anymore,” he said. “We’re talking about a 20-year-old method.”