Why the FBI Dismissed Claims of Secret Trump–Russia Link

The FBI headquarters in Washington on Jan. 2, 2020. (Samira Bouaou/The Epoch Times)
Zachary Stieber
News Analysis

FBI agents, just weeks before the 2016 election, opened an investigation into allegations of a secret communication channel between Donald Trump and Russia. The bureau closed the probe after several months but did not make public that it had dismissed the claims, which came from Hillary Clinton’s campaign and a group of researchers.

Details of the FBI’s analyses, and CIA treatment of the claims, emerged during the trial of ex-Clinton lawyer Michael Sussmann.

‘Jumped to Conclusions’

The white paper and data handed over to the FBI by Sussmann on Sept. 19, 2016, asserted there was a “secret email server” used by the Trump Organization that was communicating with Alfa Bank in Moscow through “another unusually-configured server” at Spectrum Health in Michigan.

“These servers are configured for direct communications between the Trump organization and Alfa Bank to the exclusion of all other systems,” researchers wrote. “The only plausible reason,” they claimed, “is to hide the considerably recent email traffic occurring between the Trump organization and Alfa Bank.”

Scott Hellman, an agent who specializes in investigating cyber crimes, took the first crack at the allegations with Nathan Batty, a colleague. The pair spent less than a day examining the data and quickly concluded that whoever penned the white paper “had jumped to some conclusions that were not supported by the technical data,” Hellman testified.

The allegations were based on purported “look-ups,” or Domain Name System requests, between mail1.trump-email.com, the server allegedly controlled by Trump’s business, and servers belonging to the Russian bank. DNS lookups are a way for a computer to find another computer’s Internet Protocol address (IP address), a unique number needed for communication between computers.

The researchers said they tried to connect with the Trump server and that the server would not accept mail from their IP address, or returned what was essentially an error message, Hellman said. The researchers used that, among other data, to suggest the Trump server would only communicate with certain devices, such as those linked to Alfa Bank.

“That didn’t make sense to me. It was sort of like if I knocked on your door, and you told me to go away—I don’t want to talk to you—I’m then going to assume that you’re only willing to talk to other people. I can’t make that assumption. I don’t know if you’re willing to talk to anybody. But that’s what they had done,” he said. “When they received an error message, they assumed that that computer wasn’t willing to talk to them, but it was willing to talk to others, and there was no evidence to suggest that. So assumptions like that is what I was referring to.”

Hellman and Batty wrote in their assessment that they found it suspicious that the activity the researchers highlighted began just three weeks before the researchers began their investigation. They called it “abnormal” that Trump would give the supposed secret server a name that included his own, use a domain registered to his own business, and communicate directly with Alfa Bank’s IP address as opposed to masking the communications.

They also said that Russia’s state-sponsored technical abilities “exceed the [operations] of that suggested in the report.”

Hellman, who is still with the FBI, said in a chat message at the time that the paper “feels a little 5150ish.” He said he meant that “perhaps the person who had drafted this document was suffering from some mental disability.”

Batty wrote that the data was “intended to overwhelm and confuse the reader.” “We think it’s a setup,” he later told Dan Wierzbicki, an FBI supervisor.

‘No Evidence’

Under pressure from then-FBI Director James Comey and other senior officials, a hybrid cyber-counterintelligence team based in Chicago took control of the data and opened a full investigation, the most serious step the FBI could have taken.

Thumb drives containing the white paper and the underlying data outlined the conclusions reached by the researchers and some of the data they used, but that was just a “snapshot,” forcing FBI investigators to “create the whole picture from scratch,” Allison Sands, the agent who led the investigation, said on the stand.

Sands, now with Roku, compared it to trying to assemble a puzzle without having the box to look at.

The Trump domain was on a server in Pennsylvania owned by a company named Listrak, an internet server provider. The domain was registered to a company named Central Dynamics, which is based in Florida. The domain was being leased from GoDaddy.

Agents reached out to the companies for data and answers. Listrak confirmed that the server was only configured to send emails, not receive any. It also provided some 135,000 records. Central Dynamics provided closer to 500,000 records and GoDaddy handed over a similar amount.

The Chicago team determined that the Trump Organization and Alfa Bank servers “almost certainly did not communicate intentionally or covertly,” according to a heavily redacted assessment dated Oct. 3, 2016.

The determination was based on an examination of the allegations conducted on behalf of Alfa Bank. The examination concluded the Alfa Bank servers may have conducted the DNS lookups in response to spam emails sent by Listrak or Central Dynamics.

“Alfa Bank’s conclusions corroborate current FBI investigative activity, which has not identified any evidence to support the whitepaper’s hypothesis that Alfa-Bank and Trump Organization servers intentionally, covertly communicated via DNS channels,” the document stated.

It was learned that Central Dynamics established the domain in partnership with the Trump Organization in 2009 but the company never used the domain, which had only received about 14 emails, all of which were blocked as spam or malware.

“It was largely dormant for the lifespan of its life, was currently inactive, and that it was entirely a ‘from’ email address, so it only sent outbound messages,” Sands explained.

Additionally, the FBI saw that in logs from Listrak, the server had sent emails to over 30,000 domains in 107 countries, none of which were affiliated with Alfa Bank, according to the document on the closing of the investigation.

“From all of the U.S. companies we had spoken to, of the logs that we had looked at, as well as the Mandiant report from the Alfa Bank servers, there was no evidence that this covert communication channel existed,” Sands said.

“Our investigation was unable to substantiate any of the allegations in the white paper,” said Curtis Heide, another FBI agent involved in the probe.

Listrak and Central Dynamics did not respond to requests for comment. Rodney Joffe, another client of Sussmann; his business associate April Lorenzen; and Georgia Institute of Technology professors David Dagon and Manos Antonakakis, who created the white paper and compiled the data, did not respond to inquiries. Several of the researchers were poised to testify, but were not called after they said they would plead the Fifth Amendment.

‘Did Not Pass Analytical Muster’

The other piece of the allegations involved Spectrum. Researchers said the nonprofit healthcare company was essentially being used as an intermediary between Trump’s business and Alfa Bank, through a node on The Onion Router (TOR), a technology designed by the U.S. government that enables anonymity.

FBI investigators went to a website, TORproject.org, to see if any of Spectrum’s servers were or had ever been used as a TOR node, and found that they had not.

The agents also received logs and records from Spectrum, and “did not see any unusual activity,” Sands said.

That part of the allegations “did not pass analytical muster,” Ryan Gaynor, an agent monitoring the investigation for senior leaders from the Washington area, testified. “It didn’t have merit.”

“In 2016, media coverage alleged internet traffic between a computer server affiliated with the Trump organization and the computer servers of Alfa Bank (a Russian bank) and Spectrum Health. Spectrum Health does not and never has had any relationship with Alfa Bank or any of the Trump organizations,” a Spectrum spokesperson told The Epoch Times in an email.

“As we have previously stated, we concluded a rigorous review with both our internal IT security specialists and expert cyber security firms. That review’s detailed analysis of the alleged internet traffic did not find any evidence of any actual communications (no emails, chat, text, etc.) between Spectrum Health and Alfa Bank or any of the Trump organizations. While we did find a small number of incoming spam marketing emails, they originated from a third party,” the spokesperson added.

CIA Conclusions

According to special counsel John Durham’s team, which prosecuted Sussmann—the lawyer who was acquitted—the CIA also analyzed the allegations, and concluded they were not only not true, but were not plausible.

Sussmann went to the CIA in early 2017, apparently frustrated by the FBI’s investigation. He met with a retired agent first, then with two agents on Feb. 9, 2017.

Sussmann handed over white papers and purportedly supporting data, which included allegations involving Trump’s business and Alfa Bank and allegations concerning Russian-made phones, according to a memorandum of the meeting and testimony by one of the agents.

In court papers, prosecutors referred to the CIA as “Agency-2.” They said that CIA analysts believed the data from the researchers was fabricated.

“While the FBI did not reach an ultimate conclusion regarding the data’s accuracy or whether it might have been in whole or in part genuine, spoofed, altered, or fabricated, Agency-2 concluded in early 2017 that the Russian Bank-1 data and Russian Phone Provider-1 data was not ‘technically plausible,’ did not ‘withstand technical scrutiny,’ ‘contained gaps,’ ‘conflicted with [itself],’ and was ‘user created and not machine/tool generated,’” prosecutors said in a filing before the trial.

Little was said on the subject during the trial because U.S. District Judge Christopher Cooper, an Obama appointee, ruled that prosecutors could not broach the possibility of the data being spoofed unless the defense did. Defense lawyers did not bring it up.

There were several moments, however, when statements slipped through.

When presented with an email Joffe sent to his group just five days before Sussmann gave the data to the FBI, Heide said that “it appears, from this email, that this report may have been fabricated.”

The statement was later struck from the record, as was the email.

Cooper also ordered redacted a portion of the report authored by Hellman and Batty that said the data “might have been intentionally generated and might have been fabricated,” according to Andrew DeFilippis, one of the prosecutors.

“I will not allow [Hellman] to talk about whether it’s fabricated or spoofed,” Cooper said, adding that doing so would encroach on his order.

Ankura, a Washington-based consultancy hired by Alfa Bank, said in a previous report obtained by Just the News that its analysis of records and the timing of the allegations suggested that somebody mimicked the Central Dynamics servers to send fabricated emails, or “inauthentic DNS queries,” to Alfa Bank “to create a connection between Alfa-Bank and the Trump Organization.”

The CIA didn’t respond to an inquiry. The Epoch Times has filed a Freedom of Information Act request for the CIA documents.

Years of Speculation

Speculation about the nefarious activity alleged in the white paper continued for years as the FBI and CIA remained silent about their findings.

The first stories about a possible secret link between the Trump Organization and Alfa Bank ran in Slate and the New York Times on Oct. 31, 2016—just one week before the presidential election.

The logs the researchers studied “suggested that Trump and Alfa had configured something like a digital hotline connecting the two entities, shutting out the rest of the world, and designed to obscure its own existence,” Slate reporter Franklin Foer wrote in his article. “We don’t yet know what this server was for, but it deserves further explanation,” he added later.

Foer was one of multiple reporters in communication with Fusion GPS, the firm hired by the Clinton campaign that conducted opposition research on Trump, before his article was published.

The New York Times said the FBI was investigating the purported link but “ultimately concluded that there could be an innocuous explanation, like a marketing email or spam, for the computer contacts.”

In March 2017, CNN reported, citing anonymous sources, that the FBI investigation into the matter was still ongoing. That was false, according to the trial documents and testimony.

The New Yorker, in late 2018, published a lengthy article suggesting there was a secret channel between Trump’s business and the Russian bank.

Only Slate’s article has been corrected, and not since a day after publication. Some of the stories still contain false information; all have outdated details. Spokespersons for the publications did not respond to requests for comment.

The allegations divided technology experts when first promoted, but reporters found a number willing to make comments supporting the researchers’ theories.

“The parties were communicating in a secretive fashion. The operative word is secretive. This is more akin to what criminal syndicates do if they are putting together a project,” Paul Vixie, the CEO of Farsight Security, told Slate. Richard Clayton, of the University of Cambridge, told the New Yorker he believed the server connections signaled times when Trump Organization and Alfa Bank officials wanted to talk.

Of the eight researchers mentioned or quoted in the pieces as suggesting the allegations made sense, none were willing to talk on the record about what they think now based on the newly emerged information.

“Thanks for reaching out, but I’m not interested,” Vixie, now with Amazon Web Services, told The Epoch Times in a LinkedIn message. “I know nothing of how they came to their conclusions,” Clayton added via email, referring to the FBI and the CIA. Of the Sussmann trial, he said, “I haven’t been following that.”

Steven Bellovin, a professor at Columbia University, referred a request for comment to his lawyer. “We are not going to comment on the matter,” the lawyer said.

Some outlets did publish articles portraying the allegations as unreliable, including The Intercept and the Washington Post. And some experts cast doubt on the claims, including Robert Graham, a cybersecurity specialist, who wrote that the allegations were “nonsense.”

“While I of course think the DNS logs were nonsense, I’m still not sure how [t]he FBI came to that conclusion,” Graham told The Epoch Times in a Twitter message. “I think the basic issue is that it looks like an unsubstantiated conspiracy theory, and that this is why they didn’t do more.”