Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

For The Record  

FTR #573 Alfa Males—One Helluva Conspiracy Theory, Part II

Record­ed Octo­ber 15, 2006

Introduction: Continuing analysis of what British Prime Minister Tony Blair described as a “global network” behind the 9/11 attacks, this program details evidentiary tributaries between the powerful, well-connected and criminal Alfa consortium and people and institutions connected to the events of 9/11. A Russian company with what Mr. Emory describes as “more connections than a switchboard,” Alfa has links to Viktor Kozeny, the Carl Duisberg Gesellschaft and to powerful people and institutions connected to the Bush administration. Kozeny is alleged to have participated in an Alfa scheme to defraud numerous U.S. investors and companies and is also the man who employed Wolfgang Bohringer, one of 9/11 hijacker Mohamed Atta’s German associates in Florida. The Carl Duisberg Gesellschaft sponsored Mohamed Atta’s entrance into Germany and, perhaps, Florida. That same Carl Duisberg Gesellschaft also maintains a fellowship on behalf of Alfa Group. Alfa’s activities in the United States are aided and abetted by the powerful lobbying firm of Barbour, Griffith and Rogers, intimately connected to the administration of George W. Bush. Hans Bodmer and Pyotr Aven (two of Kozeny’s associates in a scheme to gain control of the state oil company of Azerbaijan) are also alleged to have worked with Kozeny and Alfa in the defrauding of IPOC. The global network to which Blair referred and that supported the 9/11 hijackers embodies a fusion of the underworld and the overworld. Engaged in drug trafficking on several continents, this network also operates in conjunction with powerful corporate entities in Europe, the Middle East, Latin America and the United States. FTR#’s 433, 530, 536, 570 supplement the information presented here and should be examined in order to gain a firmer understanding of this complex network. As Mr. Emory noted in the broadcast, “If this seems confusing, it is meant to be!”

Program Highlights Include: Links between the Alfa group and the royal family of Liechtenstein; links between the royal family of Liechtenstein and the milieu of 9/11; Haley Barbour (of Barbour, Griffith and Rogers) and his business connections with companies belonging to the business empire of former Nazi spy and apparent Al Qaeda financier Youssef Nada; the apparently illegal operations performed by GOP bigwig Ed Rogers’ Diligence Inc. security firm on behalf of Alfa; the wall of secrecy surrounding the identity of the German sponsors of Atta’s activities under the auspices of the Carl Duisberg Gesellschaft.

1. Beginning with background information essential for understanding the present discussion of Alfa Group, the program recapitulates critical information from FTR#530. Beginning with review of the Carl Duisberg Gesellschaft’s sponsorship of 9/11 hijacker Mohamed Atta, the program reviews the relationship between the CDS and the Alfa Fellowship, an area of overlap between the milieux of Alfa and 9/11. In addition, the program notes that a key Alfa lawyer (Norbert Seeger) also fronts for the royal family of Liechtenstein, themselves linked to the milieu of 9/11 through the bank Al Taqwa. After reviewing the CDS/Alfa/9/11 link, the program presents information about a lawsuit brought against Alfa in the United States. In the expose of this area of Alfa’s operations, we will see yet another area of overlap between the milieu of Alfa and that of 9/11. One of the players in the Alfa gambit discussed in this program is Viktor Kozeny. Mohamed Atta’s German “brother” Wolfgang Bohringer was a pilot for Kozeny. (For more about the Kozeny/Bohringer relationship, see FTR#570. Note that paragraph 5 of that discussion highlights links between Kozeny, Hans Bodmer and Pyotr Aven. Both Bodmer and Aven are defendants, along with Kozeny, in the suit against Alfa.) “Russian corporation Alfa Group Consortium and its U.S. entity, Alfa Capital Markets, Inc., are a criminal enterprise that has used U.S. banks and stock exchanges as an integral part of their theft schemes, costing American taxpayers and stockholders hundreds of millions of dollars, IPOC International Growth Fund, Ltd., alleges in a federal racketeering lawsuit filed late Thursday. The suit alleges that Alfa, one of the largest business conglomerates in the Russian Federation — along with Russian oligarch Mikhail Fridman and U.S. citizen Leonid Rozhetskin — engaged in a vast international money laundering and fraud scheme in an attempt to take control of the Russian cellular industry. ‘By doing so, defendants’ conduct has had a substantial effect on the United States and its citizens, and much of the criminal conduct occurred in the United States,’ the suit, filed in U.S. District Court for the Southern District of New York, said.” (“ ‘Defendants’ Tentacles Reach Into and Injure Numerous Americans’” [PRNewswire]; Forbes; 6/9/2006.)

2. Note that Alfa’s activities in the U.S. received assistance from American governmental institutions. “The criminal enterprise affected Americans, U.S.-based investors and U.S. interests in numerous ways, the complaint alleges, involving the evasion of U.S. taxes, insider trading of shares on U.S. stock markets, and wiring payments through New York banks. The Alfa Group Consortium received support from the Overseas Private Investment Corporation, a U.S. government development agency, to provide a significant portion of funding for one of Alfa’s related businesses. ‘The complaint alleges that the racketeering and other wrongs cited in this case hurt U.S. investors, U.S. taxpayers and U.S. financial markets,’ said W. Gordon Dobie, an attorney with Winston & Strawn LLP, which filed the case for IPOC International Growth Fund, Ltd. ‘It’s my opinion that the defendants should be called to account in court for their conduct.’” (Idem.)

3. Note that two of the defen­dants in the Alfa suit are Hans Bod­mer and Pyotr Aven, two of Vik­tor Kozeny’s co-con­spir­a­tors in a scheme to gain con­trol of the Azeri state oil com­pa­ny. Again, for more about this con­nec­tion, see FTR#570. “The com­plaint also alleges that Rozhet­skin and Frid­man were assist­ed by Hans Bod­mer, who served as escrow agent and sent instruc­tions to IPOC to wire mon­ey through banks in New York for the ben­e­fit of the defen­dants. Bod­mer recent­ly plead guilty to crim­i­nal con­spir­a­cy to laun­der mon­ey and con­spir­a­cy to vio­late the U.S. For­eign Cor­rupt Prac­tices Act in con­nec­tion with an unre­lat­ed scheme to bribe for­eign lead­ers. …Notes to Edi­tors: IPOC Inter­na­tion­al Growth Fund, Ltd. is an open-end­ed mutu­al fund com­pa­ny based in Bermu­da. The suit, based on claims under the Rack­e­teer Influ­enced and Cor­rupt Orga­ni­za­tions (RICO) Act, charges that Frid­man con­spired with Rozhet­skin to steal IPOC’s inter­est through mon­ey laun­der­ing, bribery, wire fraud and oth­er crim­i­nal wrong­do­ings. Oth­er defen­dants are Alfa Cap­i­tal Mar­kets, Inc., a U.S. cor­po­ra­tion; Alfa Tele­com (n/k/a) Alti­mo; and Hans Bod­mer. Alfa Group Con­sor­tium is an asso­ci­a­tion of var­i­ous com­pa­nies con­trolled by Frid­man. It con­trols major inter­na­tion­al cor­po­ra­tions trad­ed in the Unit­ed States, includ­ing Vim­pel­Com (NYSE) Rus­si­a’s sec­ond largest mobile tele­coms com­pa­ny, Gold­en Tele­com (NASDAQ) and Turk­cell (NYSE). For more infor­ma­tion about IPOC, go to ipocfund.com. A copy of the law­suit is being post­ed on this Web site June 9. ‘The Many Ties to the Unit­ed States.’ As the law­suit states, ‘... defen­dants’ ten­ta­cles reach into and injure numer­ous Amer­i­cans....’ The investors, tax­pay­ers and finan­cial mar­kets of the Unit­ed States have been harmed.” (Idem.)

4. Note the pres­ence in this alleged scheme of Vik­tor Kozeny (as well as Kozeny’s co-con­spir­a­tors in the Azeri oil con­spir­a­cy Hans Bod­mer and Pyotr Aven), for whom Atta asso­ciate Wolf­gang Bohringer worked. Again, check out FTR#570. Note also that the Russ­ian edi­tion of Forbes was inves­ti­gat­ing Leonard Rozhet­skin, one of the defen­dants in the suit and a major “Alfa Male.” The Russ­ian edi­tor of Forbes was recent­ly mur­dered, alleged­ly by Russ­ian orga­nized crime ele­ments. Was that mur­der part of the con­spir­a­to­r­i­al process set forth here? “The below sets out the indi­vid­u­als and firms referred to in the law­suit, and pro­vides some fur­ther infor­ma­tion: The Defen­dants: Leonard Rozhet­skin: ‘Defen­dant Leonard Rozhet­skin is a for­mer direc­tor and prin­ci­pal share­hold­er of LV Finance Group Lim­it­ed (‘LVFG’). He is a Unit­ed States tax­pay­er and cit­i­zen, owns prop­er­ty in the Dis­trict, and lived in the Dis­trict for more than a decade ... fea­tured on the cov­er of the Russ­ian edi­tion of Forbes with the title: ‘The Most Dan­ger­ous Shark in Our Waters.’... Rozhet­skin resides in the Unit­ed States....’[pg.6]’ Hans Bod­mer: ‘Defen­dant Hans Bod­mer ... assist­ed Rozhet­skin and Frid­man with the Son­ic Duo/MegaFon theft scheme ... worked with his co-con­spir­a­tors to send instruc­tions to IPOC to wire mon­ey through banks in New York for the ben­e­fit of the Defen­dants. Bod­mer is no stranger to crim­i­nal pros­e­cu­tion in the Unit­ed States, hav­ing recent­ly pled guilty to the crim­i­nal con­spir­a­cy to laun­der mon­ey and con­spir­a­cy to vio­late the Unit­ed States For­eign Cor­rupt Prac­tices Act in con­nec­tion with the scheme to bribe for­eign lead­ers (along with Vic­tor Kozeny, who is cur­rent­ly being extra­dit­ed to New York from the Bahamas) [Ital­ics are Mr. Emory’s]. Case No: 01: 05-CR-00518-RCC-ALL (S.D.N.Y.).’ [pg. 9]” (Idem.)

5. More about the defen­dants, includ­ing Kozeny asso­ciate Pyotr Aven: “Mikhail Frid­man: ‘Defen­dant Mikhail Frid­man cur­rent­ly serves as Chair­man of the Board of Direc­tors of co-con­spir­a­tor Alfa Bank and as Chair­man of the Board of Direc­tors of Defen­dant Con­sor­tium Alfa Group. Frid­man fur­ther served on the Board of Vim­pel­Com, a NYSE com­pa­ny, and has con­trol over Gold­en Tele­com, a NASDAQ com­pa­ny ... pur­chased the Unit­ed States trad­ing firm owned by Amer­i­can, Mark Rich, the one time com­modi­ties baron par­doned by Pres­i­dent Clin­ton with much con­tro­ver­sy. Frid­man pur­ports to have become a phil­an­thropist in the Unit­ed States’ and is a mem­ber of the Board of the Coun­cil on For­eign Rela­tions based in New York. [pgs. 6–7] Pyotr Aven: ‘Defen­dant Pyotr Aven also has been a major par­tic­i­pant in the scheme and worked direct­ly with Rozhet­skin and Frid­man in the mis­ap­pro­pri­a­tion and theft of IPOC monies. Aven is a direc­tor of Gold­en Tele­com, a NASDAQ com­pa­ny, which reg­u­lar­ly files with the Unit­ed States Secu­ri­ties Exchange Com­mis­sion. He is a con­tro­ver­sial fig­ure: As observed by the Unit­ed States Dis­trict Court for the Dis­trict of Colum­bia, a Russ­ian ‘cor­rup­tion task force informed [the gov­ern­ment] that Aven was engaged in var­i­ous mis­deeds, includ­ing drug traf­fick­ing. See OAO Alfa Bank v. Cen­ter for Pub­lic Integri­ty, Civ. Action No. 00–2208 (JDB), Mem. Op., Sept. 22, 2005 at 11 n.26.’ [pg. 8]” (Idem.)

6. Next, the discussion turns to Barbour, Griffith and Rogers, the PR firm headed by Haley Barbour, the G.O.P. Governor of Mississippi. In addition to Barbour (linked to the milieu of 9/11 in other ways, set forth below), Lanny Griffith and Ed Rogers (also major Republican power brokers) head the lobbying firm. More about the background of Lanny Griffith and Ed Rogers: “After managing the first President Bush’s 1988 campaign in the Southern states, Bush appointed him [Lanny Griffith] as special assistant to the president for intergovernmental affairs. Griffith then served as Bush’s assistant secretary of education from 1991 to 1993, when he joined Barbour’s lobby shop. Onetime deputy assistant to President George H.W. Bush. He [Ed Rogers] is married to Edwina Rogers, former associate director of the White House’s National Economic Council. [1]” (Idem.)

7. Note that Bar­bour Grif­fith and Rogers lob­bied on behalf of the Alfa Group in the Unit­ed States! As if that wasn’t unap­pe­tiz­ing enough, we should not fail to take stock of the fact that Rogers’ secu­ri­ty out­fit Dili­gence, Inc. alleged­ly ille­gal­ly appro­pri­at­ed infor­ma­tion from the IPOC. “Bar­bour Grif­fith and Rogers: ‘The Alfa Group con­ducts such sig­nif­i­cant and var­ied busi­ness in the Unit­ed States that it has actu­al­ly found it to be in its inter­est to spend mil­lions of dol­lars court­ing the Amer­i­can polit­i­cal elite through Wash­ing­ton D.C. based lob­by­ing firm of Bar­bour Grif­fith and Rogers, LLC which lob­bies Con­gress and oth­ers in Wash­ing­ton on its behalf.’ [pgs. 7–8] ‘In addi­tion to using his lob­by­ing firm, Alfa Group has retained Edward Rogers’ Wash­ing­ton D.C. based ‘inves­tiga­tive’ firm, Dili­gence, Inc. — which has crim­i­nal­ly mis­ap­pro­pri­at­ed IPOC infor­ma­tion as described fur­ther below....[pg. 8] Dili­gence, Inc.: ‘Defen­dants have also paid U.S.-based Dili­gence, Inc. to steal IPOC prop­er­ty in Bermu­da. Indeed, at the Frid­man M.C. Enter­prise’s direc­tion Dili­gence bribed offi­cials of an account­ing firm and/or oth­er­wise mis­ap­pro­pri­at­ed IPOC prop­er­ty. More specif­i­cal­ly, Dili­gence, Inc. describes itself on its web site and in its press releas­es as a com­pa­ny com­prised of for­mer Cen­tral Intel­li­gence Agency (‘CIA’) and British MI5 oper­a­tives that ‘spe­cial­ize in obtain­ing non-pub­lic or hard-to-get infor­ma­tion on cor­po­ra­tions.’ See http://www.diligencecorp.com. Dili­gence, Inc. is owned in part by Edward Rogers who has also been paid mil­lions by defen­dants to lob­by Con­gress and con­sult for Alfa.’ [pg. 24]” (Idem.)

8. For­mer oper­a­tives for the CIA and MI5 (British domes­tic intel­li­gence), the Dili­gence employ­ees alleged­ly used their for­mer (“for­mer”?) espi­onage con­nec­tions and cre­den­tials to mis­ap­pro­pri­ate key doc­u­ments from the IPOC. “ ‘In vio­la­tion of 18 U.S.C. sec­tion 912 and at Defen­dant Alfa’s instruc­tions, Dili­gence, Inc. posed as Unit­ed States Agents act­ing under the author­i­ty of the Unit­ed States to mis­ap­pro­pri­ate IPOC infor­ma­tion from an account­ing firm. Defen­dants fur­ther vio­lat­ed 18 U.S.C. sec­tion 913 by search­ing IPOC prop­er­ty while false­ly rep­re­sent­ing, through Dili­gence, Inc., to be agents of the Unit­ed States. By doing so, Defen­dants have had an effect on the Unit­ed States.’ [pg. 24]” (Idem.)

9. The broadcast concludes with review of information presented in paragraphs 15–17 of FTR#433. Recapping the links between Haley Barbour’s New Bridge Strategies (a major contractor in Iraq) and subsidiary companies of the Nasreddin/Nada financial and business empire, the program sets forth another evidentiary tributary between the milieu of the 9/11 attacks and the highest echelons of the GOP. (Nada and Nasreddin are the principals in the Al Taqwa network. For more about Al Taqwa, the GOP leadership and 9/11 see—among other programs—FTR#’s 454, 455, 456.)


2 comments for “FTR #573 Alfa Males—One Helluva Conspiracy Theory, Part II”

  1. Leonid Rozhet­skin van­ished

    Posted by adam | October 9, 2013, 3:47 pm
  2. Oh, look at that: In a report that’s bound to be a bombshell with a week left to go in the campaign, a group of cybersecurity researchers has what appears to be strong digital circumstantial evidence that the Trump organization set up a server specifically to communicate secretly with a prominent Russian bank with ties to the Kremlin. Not only that but the communication pattern the researchers were observing appears to uptick with the campaign season and significant political events. And the Trump campaign doesn’t appear to have any meaningful explanation for the server, claiming it was used for marketing emails until 2010, and all the communication the researchers observed (which was almost exclusively communication with this one Russian bank) was just regular server activity and had nothing to do with emails. So this is a very suspicious set of digital activity between Trump’s organization and a Russian bank, and it’s one helluva bank:


    Was a Trump Serv­er Com­mu­ni­cat­ing With Rus­sia?

    This spring, a group of com­put­er sci­en­tists set out to deter­mine whether hack­ers were inter­fer­ing with the Trump cam­paign. They found some­thing they weren’t expect­ing.

    By Franklin Foer
    Oct. 31 2016 5:36 PM

    The great­est mir­a­cle of the inter­net is that it exists—the sec­ond great­est is that it per­sists. Every so often we’re remind­ed that bad actors wield great skill and have lit­tle con­science about the harm they inflict on the world’s dig­i­tal ner­vous sys­tem. They invent virus­es, bot­nets, and sundry species of mal­ware. There’s good mon­ey to be made deflect­ing these incur­sions. But a small, tight­ly knit com­mu­ni­ty of com­put­er sci­en­tists who pur­sue such work—some at cyber­se­cu­ri­ty firms, some in acad­e­mia, some with close ties to three-let­ter fed­er­al agencies—is also spurred by a sense of shared ide­al­ism and con­sid­ers itself the benev­o­lent posse that chas­es off the rogues and rogue states that try to pur­loin sen­si­tive data and infect the inter­net with their bugs. “We’re the Union of Con­cerned Nerds,” in the wry for­mu­la­tion of the Indi­ana Uni­ver­si­ty com­put­er sci­en­tist L. Jean Camp.

    In late spring, this com­mu­ni­ty of mal­ware hunters placed itself in a high state of alarm. Word arrived that Russ­ian hack­ers had infil­trat­ed the servers of the Demo­c­ra­t­ic Nation­al Com­mit­tee, an attack per­sua­sive­ly detailed by the respect­ed cyber­se­cu­ri­ty firm Crowd­Strike. The com­put­er sci­en­tists posit­ed a log­i­cal hypoth­e­sis, which they set out to rig­or­ous­ly test: If the Rus­sians were worm­ing their way into the DNC, they might very well be attack­ing oth­er enti­ties cen­tral to the pres­i­den­tial cam­paign, includ­ing Don­ald Trump’s many servers. “We want­ed to help defend both cam­paigns, because we want­ed to pre­serve the integri­ty of the elec­tion,” says one of the aca­d­e­mics, who works at a uni­ver­si­ty that asked him not to speak with reporters because of the sen­si­tive nature of his work.

    Hunt­ing for mal­ware requires high­ly spe­cial­ized knowl­edge of the intri­ca­cies of the domain name system—the pro­to­col that allows us to type email address­es and web­site names to ini­ti­ate com­mu­ni­ca­tion. DNS enables our words to set in motion a chain of con­nec­tions between servers, which in turn deliv­ers the results we desire. Before a mail serv­er can deliv­er a mes­sage to anoth­er mail serv­er, it has to look up its IP address using the DNS. Com­put­er sci­en­tists have built a set of mas­sive DNS data­bas­es, which pro­vide frag­men­tary his­to­ries of com­mu­ni­ca­tions flows, in part to cre­ate an archive of mal­ware: a kind of cat­a­log of the tricks bad actors have tried to pull, which often involve mas­querad­ing as legit­i­mate actors. These data­bas­es can give a use­ful, though far from com­pre­hen­sive, snap­shot of traf­fic across the inter­net. Some of the most trust­ed DNS specialists—an elite group of mal­ware hunters, who work for pri­vate contractors—have access to near­ly com­pre­hen­sive logs of com­mu­ni­ca­tion between servers. They work in close con­cert with inter­net ser­vice providers, the net­works through which most of us con­nect to the inter­net, and the ones that are most vul­ner­a­ble to mas­sive attacks. To extend the traf­fic metaphor, these sci­en­tists have cam­eras post­ed on the internet’s stop­lights and over­pass­es. They are entrust­ed with some­thing close to a com­plete record of all the servers of the world con­nect­ing with one anoth­er.

    In late July, one of these scientists—who asked to be referred to as Tea Leaves, a pseu­do­nym that would pro­tect his rela­tion­ship with the net­works and banks that employ him to sift their data—found what looked like mal­ware ema­nat­ing from Rus­sia. The des­ti­na­tion domain had Trump in its name, which of course attract­ed Tea Leaves’ atten­tion. But his dis­cov­ery of the data was pure happenstance—a sur­pris­ing nee­dle in a large haystack of DNS lookups on his screen. “I have an out­lier here that con­nects to Rus­sia in a strange way,” he wrote in his notes. He couldn’t quite fig­ure it out at first. But what he saw was a bank in Moscow that kept irreg­u­lar­ly ping­ing a serv­er reg­is­tered to the Trump Orga­ni­za­tion on Fifth Avenue.

    More data was need­ed, so he began care­ful­ly keep­ing logs of the Trump server’s DNS activ­i­ty. As he col­lect­ed the logs, he would cir­cu­late them in peri­od­ic batch­es to col­leagues in the cyber­se­cu­ri­ty world. Six of them began scru­ti­niz­ing them for clues.

    (I com­mu­ni­cat­ed exten­sive­ly with Tea Leaves and two of his clos­est col­lab­o­ra­tors, who also spoke with me on the con­di­tion of anonymi­ty, since they work for firms trust­ed by cor­po­ra­tions and law enforce­ment to ana­lyze sen­si­tive data. They per­sua­sive­ly demon­strat­ed some of their ana­lyt­i­cal meth­ods to me—and showed me two white papers, which they had cir­cu­lat­ed so that col­leagues could check their analy­sis. I also spoke with aca­d­e­mics who vouched for Tea Leaves’ integri­ty and his unusu­al access to infor­ma­tion. “This is some­one I know well and is very well-known in the net­work­ing com­mu­ni­ty,” said Camp. “When they say some­thing about DNS, you believe them. This per­son has tech­ni­cal author­i­ty and access to data.”)

    The researchers quick­ly dis­missed their ini­tial fear that the logs rep­re­sent­ed a mal­ware attack. The com­mu­ni­ca­tion wasn’t the work of bots. The irreg­u­lar pat­tern of serv­er lookups actu­al­ly resem­bled the pat­tern of human conversation—conversations that began dur­ing office hours in New York and con­tin­ued dur­ing office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sus­tained rela­tion­ship between a serv­er reg­is­tered to the Trump Orga­ni­za­tion and two servers reg­is­tered to an enti­ty called Alfa Bank.

    The researchers had initially stumbled in their diagnosis because of the odd configuration of Trump’s server. “I’ve never seen a server set up like that,” says Christopher Davis, who runs the cybersecurity firm HYAS InfoSec Inc. and won an FBI Director Award for Excellence for his work tracking down the authors of one of the world’s nastiest botnet attacks. “It looked weird, and it didn’t pass the sniff test.” The server was first registered to Trump’s business in 2009 and was set up to run consumer marketing campaigns. It had a history of sending mass emails on behalf of Trump-branded properties and products. Researchers were ultimately convinced that the server indeed belonged to Trump. But now this capacious server handled a strangely small load of traffic, such a small load that it would be hard for a company to justify the expense and trouble it would take to maintain it. “I get more mail in a day than the server handled,” Davis says.

    That wasn’t the only odd­i­ty. When the researchers pinged the serv­er, they received error mes­sages. They con­clud­ed that the serv­er was set to accept only incom­ing com­mu­ni­ca­tion from a very small hand­ful of IP address­es. A small por­tion of the logs showed com­mu­ni­ca­tion with a serv­er belong­ing to Michi­gan-based Spec­trum Health. (The com­pa­ny said in a state­ment: “Spec­trum Health does not have a rela­tion­ship with Alfa Bank or any of the Trump orga­ni­za­tions. We have con­clud­ed a rig­or­ous inves­ti­ga­tion with both our inter­nal IT secu­ri­ty spe­cial­ists and expert cyber secu­ri­ty firms. Our experts have con­duct­ed a detailed analy­sis of the alleged inter­net traf­fic and did not find any evi­dence that it includ­ed any actu­al com­mu­ni­ca­tions (no emails, chat, text, etc.) between Spec­trum Health and Alfa Bank or any of the Trump orga­ni­za­tions. While we did find a small num­ber of incom­ing spam mar­ket­ing emails, they orig­i­nat­ed from a dig­i­tal mar­ket­ing com­pa­ny, Cen­dyn, adver­tis­ing Trump Hotels.”)

    Spec­trum account­ed for a rel­a­tive­ly triv­ial por­tion of the traf­fic. Eighty-sev­en per­cent of the DNS lookups involved the two Alfa Bank servers. “It’s pret­ty clear that it’s not an open mail serv­er,” Camp told me. “These orga­ni­za­tions are com­mu­ni­cat­ing in a way designed to block oth­er peo­ple out.”

    Ear­li­er this month, the group of com­put­er sci­en­tists passed the logs to Paul Vix­ie. In the world of DNS experts, there’s no high­er author­i­ty. Vix­ie wrote cen­tral strands of the DNS code that makes the inter­net work. After study­ing the logs, he con­clud­ed, “The par­ties were com­mu­ni­cat­ing in a secre­tive fash­ion. The oper­a­tive word is secre­tive. This is more akin to what crim­i­nal syn­di­cates do if they are putting togeth­er a project.” Put dif­fer­ent­ly, the logs sug­gest­ed that Trump and Alfa had con­fig­ured some­thing like a dig­i­tal hot­line con­nect­ing the two enti­ties, shut­ting out the rest of the world, and designed to obscure its own exis­tence. Over the sum­mer, the sci­en­tists observed the com­mu­ni­ca­tions trail from a dis­tance.

    * * *

    While the researchers went about their work, the con­ven­tion­al wis­dom about Russ­ian inter­fer­ence in the cam­paign began to shift. There were reports that the Trump cam­paign had ordered the Repub­li­can Par­ty to rewrite its plat­form posi­tion on Ukraine, maneu­ver­ing the GOP toward a pol­i­cy pre­ferred by Rus­sia, though the Trump cam­paign denied hav­ing a hand in the change. Then Trump announced in an inter­view with the New York Times his unwill­ing­ness to spring to the defense of NATO allies in the face of a Russ­ian inva­sion. Trump even invit­ed Russ­ian hack­ers to go hunt­ing for Clinton’s emails, then passed the com­ment off as a joke. (I wrote about Trump’s rela­tion­ship with Rus­sia in ear­ly July.)

    In the face of accu­sa­tions that he is some­how backed by Putin or in busi­ness with Russ­ian investors, Trump has issued cat­e­gor­i­cal state­ments. “I mean I have noth­ing to do with Rus­sia,” he told one reporter, a flat denial that he repeat­ed over and over. Of course, it’s pos­si­ble that these state­ments are sin­cere and even cor­rect. The sweep­ing nature of Trump’s claim, how­ev­er, prod­ded the sci­en­tists to dig deep­er. They were increas­ing­ly con­fi­dent that they were observ­ing data that con­tra­dict­ed Trump’s claims.

    In the par­lance that has become famil­iar since the Edward Snow­den rev­e­la­tions, the DNS logs reside in the realm of meta­da­ta. We can see a trail of trans­mis­sions, but we can’t see the actu­al sub­stance of the com­mu­ni­ca­tions. And we can’t even say with com­plete cer­ti­tude that the servers exchanged email. One sci­en­tist, who wasn’t involved in the effort to com­pile and ana­lyze the logs, ticked off a list of oth­er pos­si­bil­i­ties: an errant piece of spam car­oming between servers, a mis­di­rect­ed email that kept try­ing to reach its des­ti­na­tion, which cre­at­ed the impres­sion of sus­tained com­mu­ni­ca­tion. “I’m see­ing a pre­pon­der­ance of the evi­dence, but not a smok­ing gun,” he said. Richard Clay­ton, a cyber­se­cu­ri­ty researcher at Cam­bridge Uni­ver­si­ty who was sent one of the white papers lay­ing out the evi­dence, acknowl­edges those objec­tions and the alter­na­tive the­o­ries but con­sid­ers them improb­a­ble. “I think mail is more like­ly, because it’s going to a machine run­ning a mail serv­er and [the host] is called mail. Dr. Occam says you should rule out mail before pulling out the more exot­ic expla­na­tions.” After Tea Leaves post­ed his analy­sis on Red­dit, a secu­ri­ty blog­ger who goes by Krypt3ia expressed ini­tial doubts—but his analy­sis was tar­nished by sev­er­al incor­rect assump­tions, and as he exam­ined the mat­ter, his skep­ti­cism of Tea Leaves soft­ened some­what.

    I put the ques­tion of what kind of activ­i­ty the logs record­ed to the Uni­ver­si­ty of California’s Nicholas Weaver, anoth­er com­put­er sci­en­tist not involved in com­pil­ing the logs. “I can’t attest to the logs them­selves,” he told me, “but assum­ing they are legit­i­mate they do indi­cate effec­tive­ly human-lev­el com­mu­ni­ca­tion.”

    Weaver’s state­ment rais­es anoth­er uncer­tain­ty: Are the logs authen­tic? Com­put­er sci­en­tists are care­ful about vouch­ing for evi­dence that emerges from unknown sources—especially since the logs were past­ed in a text file, where they could con­ceiv­ably have been edit­ed. I asked nine com­put­er scientists—some who agreed to speak on the record, some who asked for anonymity—if the DNS logs that Tea Leaves and his col­lab­o­ra­tors dis­cov­ered could be forged or manip­u­lat­ed. They con­sid­ered it near­ly impos­si­ble. It would be easy enough to fake one or maybe even a dozen records of DNS lookups. But in the aggre­gate, the logs con­tained thou­sands of records, with nuances and pat­terns that not even the most skilled pro­gram­mers would be able to recre­ate on this scale. “The data has got the right kind of fuzz grow­ing on it,” Vix­ie told me. “It’s the inter­pack­et gap, the spac­ing between the con­ver­sa­tions, the total vol­ume. If you look at those time stamps, they are not sim­u­lat­ed. This bears every indi­ca­tion that it was col­lect­ed from a live link.” I asked him if there was a chance that he was wrong about their authen­tic­i­ty. “This pass­es the rea­son­able per­son test,” he told me. “No rea­son­able per­son would come to the con­clu­sion oth­er than the one I’ve come to.” Oth­ers were equal­ly emphat­ic. “It would be real­ly, real­ly hard to fake these,” Davis said. Accord­ing to Camp, “When the tech­ni­cal com­mu­ni­ty exam­ined the data, the con­clu­sion was pret­ty obvi­ous.”

    It’s pos­si­ble to impute polit­i­cal motives to the com­put­er sci­en­tists, some of whom have crit­i­cized Trump on social media. But many of the sci­en­tists who talked to me for this sto­ry are Repub­li­cans. And almost all have strong incen­tives for steer­ing clear of con­tro­ver­sy. Some work at pub­lic insti­tu­tions, where they are vul­ner­a­ble to polit­i­cal pres­sure. Oth­ers work for firms that rely on gov­ern­ment contracts—a rela­tion­ship that tends to squash posi­tions that could be mis­in­ter­pret­ed as out­spo­ken.

    * * *


    Alfa’s oli­garchs occu­pied an unusu­al posi­tion in Putin’s fir­ma­ment. They were insid­ers but not in the clos­est ring of pow­er. “It’s like they were his judo pals,” one for­mer U.S. gov­ern­ment offi­cial who knows Frid­man told me. “They were always wor­ried about where they stood in the peck­ing order and always feared expro­pri­a­tion.” Frid­man and Aven, how­ev­er, are adept at stay­ing close to pow­er. As the U.S. Dis­trict Court for the Dis­trict of Colum­bia once ruled, in the course of dis­miss­ing a libel suit the bankers filed, “Aven and Frid­man have assumed an unfore­seen lev­el of promi­nence and influ­ence in the eco­nom­ic and polit­i­cal affairs of their nation.”

    Unlike oth­er Russ­ian firms, Alfa has oper­at­ed smooth­ly and effort­less­ly in the West. It has nev­er been slapped with sanc­tions. Frid­man and Aven have cul­ti­vat­ed a rep­u­ta­tion as benef­i­cent phil­an­thropists. They endowed a pres­ti­gious fel­low­ship. The Woodrow Wil­son Inter­na­tion­al Cen­ter for Schol­ars, the Amer­i­can-gov­ern­ment fund­ed think tank, gave Aven its award for “Cor­po­rate Cit­i­zen­ship” in 2015. To pro­tect its inter­ests in Wash­ing­ton, Alfa hired as its lob­by­ist for­mer Rea­gan admin­is­tra­tion offi­cial Ed Rogers. Richard Burt, who helped Trump write the speech in which he first laid out his for­eign pol­i­cy, serves on Alfa’s senior advi­so­ry board. The brand­ing cam­paign has worked well. Dur­ing the first Oba­ma term, Frid­man and Aven met with offi­cials in the White House on two occa­sions, accord­ing to vis­i­tor logs.

    Frid­man and Aven have sig­nif­i­cant busi­ness inter­ests to pro­mote in the West. One of their hold­ing com­pa­nies, Let­terOne, has vowed to invest as much as $3 bil­lion in U.S. health care. This year, it sank $200 mil­lion into Uber. This is, of course, mon­ey that might oth­er­wise be invest­ed in Rus­sia. Accord­ing to a for­mer U.S. offi­cial, Putin tol­er­ates this con­di­tion because Alfa advances Russ­ian inter­ests. It pro­motes itself as an avatar of Russ­ian prowess. “It’s our moral duty to become a glob­al play­er, to prove a Russ­ian can trans­form into an inter­na­tion­al busi­ness­man,” Frid­man told the Finan­cial Times.

    * * *

    Tea Leaves and his col­leagues plot­ted the data from the logs on a time­line. What it illus­trat­ed was sug­ges­tive: The con­ver­sa­tion between the Trump and Alfa servers appeared to fol­low the con­tours of polit­i­cal hap­pen­ings in the Unit­ed States. “At elec­tion-relat­ed moments, the traf­fic peaked,” accord­ing to Camp. There were con­sid­er­ably more DNS lookups, for instance, dur­ing the two con­ven­tions.

    In September, the scientists tried to get the public to pay attention to their data. One of them posted a link to the logs in a Reddit thread. Around the same time, the New York Times’ Eric Lichtblau and Steven Lee Myers began chasing the story. (They are still pursuing it.) Lichtblau met with a Washington representative of Alfa Bank on Sept. 21, and the bank denied having any connection to Trump. (Lichtblau told me that Times policy prevents him from commenting on his reporting.)

    The Times hadn’t yet been in touch with the Trump campaign—Lichtblau spoke with the cam­paign a week lat­er—but short­ly after it reached out to Alfa, the Trump domain name in ques­tion seemed to sud­den­ly stop work­ing. When the sci­en­tists looked up the host, the DNS serv­er returned a fail mes­sage, evi­dence that it no longer func­tioned. Or as it is tech­ni­cal­ly diag­nosed, it had “SERV­FAILed.” (On the time­line above, this is the moment at the end of the chronol­o­gy when the traf­fic abrupt­ly spikes, as servers fran­ti­cal­ly attempt to resend reject­ed mes­sages.) The com­put­er sci­en­tists believe there was one log­i­cal con­clu­sion to be drawn: The Trump Orga­ni­za­tion shut down the serv­er after Alfa was told that the Times might expose the con­nec­tion. Weaver told me the Trump domain was “very slop­pi­ly removed.” Or as anoth­er of the researchers put it, it looked like “the knee was hit in Moscow, the leg kicked in New York.”

    Four days lat­er, on Sept. 27, the Trump Orga­ni­za­tion cre­at­ed a new host name, trump1.contact-client.com, which enabled com­mu­ni­ca­tion to the very same serv­er via a dif­fer­ent route. When a new host name is cre­at­ed, the first com­mu­ni­ca­tion with it is nev­er ran­dom. To reach the serv­er after the reset­ting of the host name, the sender of the first inbound mail has to first learn of the name some­how. It’s sim­ply impos­si­ble to ran­dom­ly reach a renamed serv­er. “That par­ty had to have some kind of out­bound mes­sage through SMS, phone, or some non­in­ter­net chan­nel they used to com­mu­ni­cate [the new con­fig­u­ra­tion],” Paul Vix­ie told me. The first attempt to look up the revised host name came from Alfa Bank. “If this was a pub­lic serv­er, we would have seen oth­er traces,” Vix­ie says. “The only look-ups came from this par­tic­u­lar source.”

    Accord­ing to Vix­ie and oth­ers, the new host name may have rep­re­sent­ed an attempt to estab­lish a new chan­nel of com­mu­ni­ca­tion. But media inquiries into the nature of Trump’s rela­tion­ship with Alfa Bank, which sug­gest­ed that their com­mu­ni­ca­tions were being mon­i­tored, may have deterred the par­ties from using it. Soon after the New York Times began to ask ques­tions, the traf­fic between the servers stopped cold.

    * * *

    Last week, I wrote to Alfa Bank ask­ing if it could explain why its servers attempt­ed to con­nect with the Trump Orga­ni­za­tion on such a reg­u­lar basis. Its Wash­ing­ton rep­re­sen­ta­tive, Jef­frey Birn­baum of the pub­lic rela­tions firm BGR, pro­vid­ed me the fol­low­ing response:

    Alfa hired Man­di­ant, one of the world’s fore­most cyber secu­ri­ty experts, to inves­ti­gate and it has found noth­ing to the alle­ga­tions. I hope the below answers respond clear­ly to your ques­tions. Nei­ther Alfa Bank nor its prin­ci­pals, includ­ing Mikhail Frid­man and Petr Aven, have or have had any con­tact with Mr. Trump or his orga­ni­za­tions. Frid­man and Aven have nev­er met Mr. Trump nor have they or Alfa Bank had any busi­ness deal­ings with him. Nei­ther Alfa nor its offi­cers have sent Mr. Trump or his orga­ni­za­tions any emails, infor­ma­tion or mon­ey. Alfa Bank does not have and has nev­er had any spe­cial or exclu­sive inter­net con­nec­tion with Mr. Trump or his enti­ties. The asser­tion of a spe­cial or pri­vate link is patent­ly false.

    I asked Birn­baum if he would con­nect me with Man­di­ant to elab­o­rate on its find­ings. He told me:

    Man­di­ant is still doing its deep dive into the Alfa Bank sys­tems. Its lead­ing the­o­ry is that Alfa Bank’s servers may have been respond­ing with com­mon DNS look ups to spam sent to it by a mar­ket­ing serv­er. But it does­n’t want to speak on the record until it’s fin­ished its inves­ti­ga­tion.

    It’s hard to eval­u­ate the find­ings of an inves­ti­ga­tion that hasn’t end­ed. And of course, even the most rep­utable firm in the world isn’t like­ly to loud­ly broad­cast an opin­ion that bites the hand of its client.

    I posed the same basic ques­tions to the Trump cam­paign. Trump spokes­woman Hope Hicks sent me this in response to my ques­tions by email:

    The email serv­er, set up for mar­ket­ing pur­pos­es and oper­at­ed by a third-par­ty, has not been used since 2010. The cur­rent traf­fic on the serv­er from Alpha­bank’s [sic] IP address is reg­u­lar DNS serv­er traffic—not email traf­fic. To be clear, The Trump Orga­ni­za­tion is not send­ing or receiv­ing any com­mu­ni­ca­tions from this email serv­er. The Trump Orga­ni­za­tion has no com­mu­ni­ca­tion or rela­tion­ship with this enti­ty or any Russ­ian enti­ty.

    I asked Hicks to explain what caused the Trump Orga­ni­za­tion to rename its host after the New York Times called Alfa. I also asked how the Trump Orga­ni­za­tion arrived at its judg­ment that there was no email traf­fic. (Fur­ther­more, there’s no such thing as “reg­u­lar” DNS serv­er traf­fic, at least not accord­ing to the com­put­er sci­en­tists I con­sult­ed. The very rea­son DNS exists is to enable email and oth­er means of com­mu­ni­ca­tion.) She nev­er pro­vid­ed me with a response.

    What the sci­en­tists amassed wasn’t a smok­ing gun. It’s a sug­ges­tive body of evi­dence that doesn’t absolute­ly pre­clude alter­na­tive expla­na­tions. But this evi­dence arrives in the broad­er con­text of the cam­paign and every­thing else that has come to light: The efforts of Don­ald Trump’s for­mer cam­paign man­ag­er to bring Ukraine into Vladimir Putin’s orbit; the oth­er Trump advis­er whose com­mu­ni­ca­tions with senior Russ­ian offi­cials have wor­ried intel­li­gence offi­cials; the Russ­ian hack­ing of the DNC and John Podesta’s email.

    We don’t yet know what this serv­er was for, but it deserves fur­ther expla­na­tion.

    “Ear­li­er this month, the group of com­put­er sci­en­tists passed the logs to Paul Vix­ie. In the world of DNS experts, there’s no high­er author­i­ty. Vix­ie wrote cen­tral strands of the DNS code that makes the inter­net work. After study­ing the logs, he con­clud­ed, “The par­ties were com­mu­ni­cat­ing in a secre­tive fash­ion. The oper­a­tive word is secre­tive. This is more akin to what crim­i­nal syn­di­cates do if they are putting togeth­er a project.” Put dif­fer­ent­ly, the logs sug­gest­ed that Trump and Alfa had con­fig­ured some­thing like a dig­i­tal hot­line con­nect­ing the two enti­ties, shut­ting out the rest of the world, and designed to obscure its own exis­tence. Over the sum­mer, the sci­en­tists observed the com­mu­ni­ca­tions trail from a dis­tance.”

    Well, that is quite a bomb­shell if it pans out. Maybe not exact­ly the bomb­shell that the emerg­ing cov­er­age of the sto­ry will depict, but still quite a bomb­shell.

    Posted by Pterrafractyl | October 31, 2016, 7:15 pm
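
The quoted article's reasoning about who first looks up a newly created host name, how many distinct sources query it, and how many lookups end in SERVFAIL can be computed directly from a DNS query log. The sketch below is an added example, not part of the article or of the comment above; the four-field log format, the `.example` host names and the documentation-range addresses are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample (hypothetical format): time, querying source, qname, rcode.
SAMPLE_LOG = """\
2016-09-23T09:00:05Z 198.51.100.7 mail1.old.example NOERROR
2016-09-23T15:10:42Z 198.51.100.7 mail1.old.example SERVFAIL
2016-09-23T15:10:44Z 198.51.100.7 mail1.old.example SERVFAIL
2016-09-23T15:11:02Z 203.0.113.9 mail1.old.example SERVFAIL
2016-09-27T11:30:00Z 198.51.100.7 mail2.new.example NOERROR
2016-09-27T12:45:19Z 198.51.100.7 mail2.new.example NOERROR
malformed line without enough fields
"""

def parse(log_text):
    """Yield (timestamp, source, qname, rcode); skip lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        ts = ts.replace(tzinfo=timezone.utc)
        # Normalise case and any trailing root dot so names compare equal.
        yield ts, parts[1], parts[2].lower().rstrip("."), parts[3].upper()

def host_profile(log_text, qname):
    """Summarise lookups of qname: first querier, source spread, failures."""
    wanted = qname.lower().rstrip(".")
    rows = sorted(r for r in parse(log_text) if r[2] == wanted)
    if not rows:
        return None
    sources = Counter(src for _, src, _, _ in rows)
    top_count = sources.most_common(1)[0][1]
    return {
        "first_seen": rows[0][0],
        "first_source": rows[0][1],
        "distinct_sources": len(sources),
        # 1.0 means every lookup of this name came from a single source.
        "top_source_share": top_count / len(rows),
        "servfail": sum(1 for r in rows if r[3] == "SERVFAIL"),
        "total": len(rows),
    }

if __name__ == "__main__":
    print(host_profile(SAMPLE_LOG, "mail2.new.example"))
```

A name whose `distinct_sources` is 1 and whose `first_source` is already known from an earlier name is the pattern the quoted experts describe; on real data the same summary would be compared against a baseline of how widely other names on the same server are queried.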
