Russian bank said it was hacked to frame connection with Trump Organization

Posted at 7:03 PM, Mar 17, 2017

(CNN) -- The Russian bank that had an "odd" internet link to the Trump Organization during the presidential campaign is now claiming that U.S.-based hackers have recently launched cyberattacks to try to frame the bank.

Cybersecurity experts say this hack is a common type of prank. And it's not directly related to activity discovered last year between the computer servers of Alfa Bank and the Trump Organization.

Alfa Bank believes the hack is meant to make it seem as if the Trump Organization is currently communicating with it.

In a statement, Alfa Bank said "the cyberattacks are an attempt by unknown parties to manufacture the illusion of contact" between Alfa Bank and the Trump Organization.

Last week, CNN revealed that the FBI's counterintelligence team is still investigating whether there was a computer server connection between the Trump Organization and Alfa Bank during the U.S. election, according to sources close to the investigation.

The CNN report showed that the corporations offered only possible explanations -- but no proof -- as to why Alfa Bank was repeatedly looking up the contact information for a computer server used by the Trump Organization.

But on Friday, Alfa Bank claimed hackers are now trying to perpetuate that suspicion by tricking the Trump Organization into sending communication toward the bank.

According to the bank: The idea here is that hackers recently knocked on the Trump server's door, but posed as Alfa Bank -- so the Trump server sent the bank real, unsolicited responses.

One attack happened on February 18, the bank said. (The bank did not mention that to CNN before its story published on March 10.)

After CNN published its story about the puzzling Trump-Alfa situation, hackers stepped up their attack on the Trump Organization with "spoofed" signals for five hours, which were then directed back towards the bank, Alfa Bank said.

Hackers continued this attack on March 13, the bank said.

The bank contacted the FBI and offered "complete co-operation in finding the people behind attempted cyberattacks." A US law enforcement official confirmed that the FBI was contacted.

Alfa Bank has hired investigators at Stroz Friedberg, a New York cybersecurity firm started by an ex-FBI agent and former federal prosecutor.

The Trump Organization did not respond to CNN's questions.

"It sounds like some merry pranksters are having fun with some pranks," said Robert Graham, a cybersecurity expert who has been a vocal skeptic of theories that Alfa Bank and the Trump Organization had a secret communication channel.




The back story

Last year, a small group of computer scientists obtained internet traffic records from the complex system that serves as the internet's phone book. Access to these records is reserved for highly trusted cybersecurity firms and companies that provide this lookup service.

These signals were captured as they traveled along the internet's Domain Name System (DNS).

These leaked records show that Alfa Bank servers repeatedly looked up the unique internet address of a particular Trump Organization computer server in the United States.

In the computer world, it's the equivalent of looking up someone's phone number -- over and over again. While there isn't necessarily a phone call, it usually indicates an intention to communicate, according to several computer scientists.

What puzzled them was why a Russian bank was repeatedly looking up the contact information for

Publicly available internet records show that address, which was registered to the Trump Organization, points to an IP address that lives on an otherwise dull machine operated by a company in the tiny rural town of Lititz, Pennsylvania.

From May 4 until September 23, the Russian bank looked up the address to this Trump corporate server 2,820 times -- more lookups than the Trump server received from any other source.

Alfa Bank alone represents 80% of the lookups, according to these leaked internet records. Computer scientists who have reviewed the data found Alfa's presence odd -- and outsized.

Slate and The New York Times were first to report the unusual server activity.

This server behavior alarmed one computer expert who had privileged access to this technical information last year. That person, who remains anonymous and goes by the moniker "Tea Leaves," obtained this information from internet traffic meant to remain private. It is unclear where Tea Leaves worked or how Tea Leaves obtained access to the information.

Tea Leaves gave that data to a small band of computer scientists who joined forces to examine it, several members of that group told CNN, which has also reviewed the data.

Alfa Bank continues to investigate who is "behind this elaborate hoax."

Alfa Bank hired U.S. cybersecurity firm Mandiant to look into the matter, and it ended up with a "working hypothesis" that Trump Hotels sent over marketing emails, annoying spam that set off the bank's computer network defenses, which in turn caused these DNS lookups. The results were inconclusive. Investigators couldn't find a single marketing email sent that summer. One source with direct knowledge noted importantly that Mandiant was only given the ability to perform "a narrow search."

Because of that, the mystery continues.

New hacking claims

The bank's recent claims add a new layer to this already confusing, high-tech story.

According to Alfa Bank's description of recent events, hackers have recently tricked a Trump Organization computer server into sending internet traffic to Alfa Bank.

Hackers have "manufactured this deceit by 'spoofing' or falsifying DNS lookups to create the impression of communication between Alfa Bank and the Trump Organization," the bank said in a statement.

Alfa Bank offered this analogy: "A simple analogy would be someone in the U.S. sending an empty envelope... to a Trump office... addressed to Trump, but on the back of the envelope the return address is Russia... instead of its own real address."

"So, on cursory examination, Alfa Bank appears to have been receiving responses to queries it never actually sent."

Alex McGeorge, head of threat intelligence at cybersecurity firm Immunity, said this is a prank "that is simple to do from pretty much any internet connected computer. We could probably manufacture this from a Starbucks."

Igor Volovich, another cybersecurity expert, noted that "It's easy to spoof queries... and make them appear as if originating from Alfa Bank."

The bank said it received "more than 1,340" such DNS responses in recent days.
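The bank's description, responses arriving for queries it never sent, is something a receiving network can check against its own records. The following is an added example, not part of the CNN report or any party's tooling: it matches inbound DNS responses against the host's own outbound queries and flags the ones with no match. The log format, addresses and names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events from a hypothetical resolver log (not real data).
# Format: epoch_seconds direction(Q=sent query, R=received response) txid peer_ip qname
SAMPLE_LOG = """\
100.00 Q 0x1a2b 192.0.2.53 mail.example.test
100.04 R 0x1a2b 192.0.2.53 mail.example.test
130.00 R 0x7777 192.0.2.53 mail.example.test
131.00 R 0x7778 192.0.2.53 mail.example.test
200.00 Q 0x2222 192.0.2.53 mail.example.test
200.03 R 0x2222 192.0.2.53 mail.example.test
200.05 R 0x2222 192.0.2.53 mail.example.test
300.00 Q 0x3333 192.0.2.53 mail.example.test
309.00 R 0x3333 192.0.2.53 mail.example.test
"""

def parse(line):
    ts, direction, txid, peer, qname = line.split()
    return float(ts), direction, int(txid, 16), peer, qname.lower().rstrip(".")

def find_unsolicited(log_text, timeout=5.0):
    """Return responses that match no outstanding query sent by this host."""
    pending = defaultdict(list)   # (txid, peer, qname) -> send times
    unsolicited = []
    # Sorting puts a query ahead of a response carrying the same timestamp.
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, direction, txid, peer, qname in events:
        key = (txid, peer, qname)
        if direction == "Q":
            pending[key].append(ts)
            continue
        # Forget queries that had already timed out when this response arrived.
        pending[key] = [t for t in pending[key] if ts - t <= timeout]
        if pending[key]:
            pending[key].pop(0)   # one response consumes one outstanding query
        else:
            unsolicited.append((ts, hex(txid), peer, qname))
    return unsolicited

def summarize(log_text):
    """Count unmatched responses per (responding server, queried name)."""
    counts = defaultdict(int)
    for _, _, peer, qname in find_unsolicited(log_text):
        counts[(peer, qname)] += 1
    return dict(counts)

if __name__ == "__main__":
    for row in find_unsolicited(SAMPLE_LOG):
        print("unsolicited response:", row)
    print(summarize(SAMPLE_LOG))
```

Besides responses with no query at all, the check also flags a second response to a single query and a response that arrives after the timeout, since neither corresponds to a query still outstanding.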

Paul V. Mockapetris, an American computer scientist who helped invent DNS, called this a "laughably small" attack that was likely done simply to "raise suspicions."

CNN's Shimon Prokupecz contributed to this story.

The-CNN-Wire™ & © 2017 Cable News Network, Inc., a Time Warner Company. All rights reserved.