The Trump-Alfa Bank Server Mystery Resurfaces

The recent release of the final volume of the Senate Intelligence Committee report on Russian 2016 election interference and two new lawsuits by Russia’s Alfa Bank have brought back into the spotlight the puzzling lack of an explanation for the mysterious communications between the bank and the Trump Organization during the last presidential campaign.

It has been almost four years since a group of computer scientists disclosed, on the basis of DNS (Domain Name System) logs, that two internet servers belonging to Alfa Bank had looked up the address of the Trump Organization server 2,820 times between May and September 2016. Yet the long-awaited Senate report provides only this paltry, ambiguous conclusion:

“Based on the FBI’s assessment, the Committee did not find the DNS activity reflected the existence of covert communication between Alfa Bank and Trump Organization personnel. However, the Committee also could not positively determine an intent or purpose that would explain the unusual activity.”

As stated on page 24 of the Senate report, the committee was not able to see the underlying records that the FBI used in its briefings to members. So, although committee members have high-level security clearances, they appear to remain in the dark about the reasons for the server communications. Was the committee told what kind of technical diligence the FBI carried out, or whether the FBI used the talent of cyber experts such as those at Carnegie Mellon University, the CIA and NSA?

Amazingly, the committee may have interviewed only one source–Jae Cho, the IT director for the Trump Organization, who “did not recall conducting a system-wide review of the Trump Organization network to determine if there were any connections from the Trump Organization side with any of the Alfa Bank servers.” According to the report, Cho “inferred” that Alfa Bank’s servers were configured in a way that they could not have been used to transmit emails to the Trump server. But it was not just a question of emails. Writing in the New Yorker in 2018, Dexter Filkins noted that computer scientists who examined the data theorized that the look-ups could have represented other forms of communication, such as data transfers or a technique called foldering (a digital form of “dead dropping”).

Brad Parscale, the digital media director for Trump’s 2016 campaign, was even less helpful when questioned by the House Intelligence Committee in October 2017. Claiming that he forgot the name of the bank involved, Parscale dismissed the server incident with a nonsensical statement: “Trump Org had done something on a server that for some service Cendyn was the provider of…And this other organization [Alfa Bank] also used the same company for something else and they just happened to have the same DNS entry, which is very common.” The DNS queries were from dedicated IP addresses owned by Alfa Bank, not by a hosting company sharing IP addresses. It has never been suggested that Alfa Bank and the Trump Organization shared domain names.

Mixed Messages from the Department of Justice

The FBI has been obfuscating about the Trump/Alfa server links ever since a lawyer for the Democratic National Committee (DNC), Michael Sussmann, told FBI General Counsel James Baker in mid-September 2016 about the findings of the computer scientists who had examined the data, and intelligence officials reportedly began briefing Congress about the mysterious connections around the same time. According to Filkins, later that month the agency persuaded the New York Times’ Eric Lichtblau to back off a story the paper planned to publish on the case because it would jeopardize the agency’s ongoing investigation. But an FBI official subsequently told Lichtblau “that there could be an innocuous explanation for the computer traffic.” So when his story finally appeared on Oct. 31, the message was that Trump and Alfa Bank had been exonerated, and the server mystery disappeared from the public’s radar.

Contrary to what many expected, the Mueller Report did not even mention the server allegations, and when asked about the case during his July 2019 testimony to the House Intelligence Committee, Mueller was foggy in his response: “Do not know whether it’s true…It may well have been investigated, although it’s my belief at this point, it’s not true.” Given the enormous implications of the allegations, Mueller surely could have said more to put the story to rest. Was he constrained in his investigation or what he could say by Attorney General William Barr or Deputy Attorney General Rod Rosenstein, or had his team for other reasons decided not to reach, whether privately or publicly, a more decisive conclusion?

The only other information on the case from the Department of Justice appeared in the December 2019 Inspector General’s report about the origins of the Russia investigation. A footnote on page 119 reads: “The FBI investigated whether there were cyber links between the Trump Organization and Alfa Bank, but concluded by early February 2017 that there were no such links.”

Though terse, those words could have helped put the issue to rest. But the FBI’s investigation apparently did not end in early February 2017. In March 2017, a source close to the investigation told CNN that the probe was ongoing and there was more work for the FBI to do. And on April 1, 2017, a Kirkland & Ellis attorney representing Alfa Bank, Viet Dinh, met with the Justice Department and FBI in Chicago to discuss the server communications and “pledged full cooperation with government authorities,” according to a letter Dinh sent to the Senate Judiciary Committee. That said, Dinh described the meeting as Alfa Bank proactively reaching out to the government due to suspicious activity in 2017 involving unidentified third parties repeatedly querying the bank’s servers for an invalid host name related to Trump. Dinh wrote that his meeting in April 2017 was part of the federal authorities “continu[ing] to examine whether Alfa Bank has been the victim of illegal conduct.”

So what has actually happened with the FBI investigation? According to one source with high-level national security connections, the FBI could have decided not to pursue a criminal probe (including, one might think, into allegations raised by Dinh) because of concerns about compromising “sources and methods” involving the sophisticated techniques of DNS analysis: “protection of sources and methods is always paramount, even when it means justice loses out.” A recent example is the DOJ’s decision last March to drop charges against Concord Management in the Internet Research Agency case, allegedly because of concerns that U.S. national security would be compromised by the government’s revelation of that kind of information during the trial process. Retired senior CIA officer John Sipher has also written persuasively about these tradeoffs in Just Security. Another possibility, my source suggested, is that the probe is part of a much broader counterintelligence investigation that is ongoing.

But it could also be, as Congressman Adam Schiff told the Washington Post last year, that there are disagreements between intelligence professionals on the one hand and Attorney General Barr and the White House on the other about what exactly can be shared with Congress in the general domain of topics involving Trump-Russia. Schiff observed: “I think the FBI is willing to be more forthcoming. I think the FBI and intelligence community are mindful of their statutory obligations, and they’re caught between a rock and a hard place with the combative posture that Bill Barr has taken.”

Alfa Bank’s New Lawsuits

Whatever the reasons for the inconclusive and odd accounts emanating from the DOJ and the FBI, Alfa Bank may now be capitalizing on the confusion. On June 11, the bank filed lawsuits in Palm Beach County, Florida and Lancaster, Pennsylvania, where the companies that owned and administered the Trump server are located. The two similar complaints allege a criminal conspiracy by unidentified defendants (John Doe), who ostensibly forged emails by manipulating DNS data to make it appear that the bank was communicating with the Trump Organization.

Oddly, Alfa Bank’s new theory of the case is inconsistent with the company’s own prior statements. Dinh wrote in 2017 that the company hired Mandiant and that “Mandiant’s hypothesis was that any server-related activity between Alfa Bank and the Trump Organization was the result of an automated email-based campaign to market Trump properties to Alfa Bank employees.” So which is it? That innocuous account that Alfa Bank put forth earlier or the new nefarious one?

Demanding jury trials in the two swing states, Alfa Bank’s lawyers from Skadden Arps have issued aggressive subpoenas in the Florida case to computer scientists and DNS records custodians, as well as to Glenn Simpson, Peter Fritsch and their firm Fusion GPS, which commissioned the Steele dossier, and former DNC lawyer Sussmann.

It is noteworthy that Skadden formerly employed Alex van der Zwaan, who was convicted in 2018 of lying to Mueller’s prosecutors about his communications with Paul Manafort, Rick Gates and Russian military intelligence (GRU) spy Konstantin Kilimnik during the 2016 election campaign. Van der Zwaan’s father-in-law is one of Alfa Bank’s co-owners, German Khan, and the law firm has represented Alfa Bank in numerous litigations over the years.

Alfa Bank’s complaint makes the erroneous claim that in October 2016 the FBI was granted a FISA warrant to wiretap the Trump server, citing two sources: Louise Mensch, a known purveyor of conspiracy theories, and the December IG report, which discusses only warrants granted in relation to Carter Page.

As evidence for its conspiracy allegations, the complaint cites an April 2020 study by the cybersecurity firm Ankura. According to the 41-page analysis, a “likely scenario” is that third parties artificially created the activity to make it appear as though a connection existed. But computer scientist L. Jean Camp, one of those who first studied the server data, gave me her assessment of the analysis just after it was posted on the Internet by the conservative website Just the News: “It confuses the issue by adding remote possibilities.”

One question is why the FBI did not discover this criminal conspiracy during its investigation of the server allegations – or at least we have no public indication of such a discovery, and it does not appear in the Senate report either. When I asked Jeffrey Birnbaum, whose public relations firm, BGR, represents Alfa Bank, if the bank took its new evidence from the Ankura study to the FBI for criminal prosecution, he responded in an email that Alfa Bank could not comment on any ongoing discussion with U.S. law enforcement.

The Interests of Alfa Bank and Barr Coincide?

Significantly, the Ankura study was commissioned for the bank by Kirkland & Ellis, where Barr and the recently retired Assistant Attorney General Brian Benczkowski had been partners before they took up their respective positions at Trump’s Department of Justice. (White House Counsel Pat Cipollone is another Kirkland & Ellis alumnus.)

While still at Kirkland & Ellis in 2017, Benczkowski represented Alfa Bank in its efforts to clear its name from allegations of collusion with the Trump campaign. He commissioned a computer forensics study by Stroz Friedberg that identified suspicious queries to Alfa Bank servers in 2017, a finding that suggested something similar could have occurred in 2016. Benczkowski also advised Alfa Bank in its lawsuit against BuzzFeed for publishing the Steele dossier, which alleged that two of Alfa Bank’s owners, Mikhail Fridman and Petr Aven, were conduits of information to Putin about the U.S. election. (Fridman, Aven and Khan also initiated defamation lawsuits in the United States against Christopher Steele and Fusion GPS. In June, the D.C. Court of Appeals upheld the August 2018 dismissal of the Steele case by the D.C. Superior Court.) While Benczkowski was still at the firm, Kirkland & Ellis began sending threatening letters to computer scientist Camp, who had posted the suspicious DNS logs on her website. Camp is among those who have recently been subpoenaed by Alfa Bank.

Benczkowski has said he thought it was appropriate to represent the litigious Russian bankers, who for years have been dogged by allegations of corruption, money-laundering and drug-trafficking. During the July 2017 Senate Judiciary Committee hearing on his nomination to head the DOJ Criminal Division, Benczkowski said that he had been “comfortable accepting the representation” of Alfa Bank because a November 2016 report on the server issued by the cybersecurity firm Mandiant “looked at the 2016 allegations and found them to be inaccurate, and there to be nothing to it.” In fact, the Mandiant study–commissioned by Skadden–was only a draft, and did not provide a conclusive explanation for the server communications.

What’s more, as stated in the study, Mandiant based some of its findings on an earlier analysis done for Alfa Bank by the Russian cybersecurity firm Group-IB, which works closely with the KGB successor agency the FSB. The FSB gave Group-IB a special clearance to handle top secret documents, and its CEO, Ilya Sachkov, who was honored as an innovator by Putin in the Kremlin last year, lectures at the FSB Academy.

Benczkowski’s work for Alfa Bank was a key reason for the opposition to his nomination by Democrats on the Senate Judiciary Committee. In a May 9, 2018 letter to President Trump, they expressed concerns that his refusal to recuse himself from Russia-related matters would adversely affect investigations involving Russia. Indeed, on Aug. 21, 2018, just five weeks after Benczkowski took up his DOJ job, he received an ethics waiver authorizing him to participate in a legal matter involving a “former client.” After repeated requests from Senate Democrats, the Justice Department provided the senators with only heavily redacted information about Benczkowski’s authorization. On Dec. 16, 2019, Benczkowski received a waiver to take part in a “confidential criminal matter involving his former employer” (presumably Kirkland & Ellis). This prompted the watchdog agency American Oversight, citing Benczkowski’s past work for Alfa Bank, to make a Freedom of Information request to the Justice Department’s Criminal Division for records relating to the waiver. There has been no response.

American Oversight Executive Director Austin Evers told me in an email: “In the Trump administration, officials have been given waivers to work on matters involving their former clients so long as they toe the administration’s line… Benczkowski may be abandoning ship [in leaving the DOJ], but the public needs to understand the full scope of his loyal conduct and should not allow him to escape accountability.”

In its complaint Alfa Bank says that the lawsuits are intended to clear its name of the false charges that it communicated secretly with the Trump campaign in 2016 and restore “its global reputation as the leading private bank in Russia.” But the server scandal has long since disappeared from the media, so why open up this can of worms? And why expose the bank to risks of revealing its own internal information in the discovery process, that is, if the cases were to proceed to the point where defendants are named? Whether intentional or not, Alfa Bank’s lawsuits may soon be used by others to try to cast a shadow over the 2020 election by stirring up bogus conspiracies and discrediting the probes that proved Russia’s interference in the 2016 U.S. elections on Trump’s behalf.

Alfa Bank spokesman Birnbaum told me that the alleged criminal conspiracy of the bank’s connections to Trump “was not just an attack on Alfa Bank, one of the few remaining privately owned banks in Russia, but on the integrity of the U.S. political process.”

This is likely music to the ears of Barr. Ever since he assumed his post in February 2019, Barr has worked feverishly to discredit, even criminalize, the FBI’s investigation into Russia’s election interference and potential ties to Trump campaign associates. The upcoming report on the Russia investigation by Barr’s own appointed prosecutor, John Durham, could include references to the new Alfa Bank lawsuits and its allegations.

For its own purposes, the bank may have been better off leaving well enough alone with the impressions created by the Inspector General’s report that the FBI had wrapped up its investigation and found nothing. But the lawsuits can also be used by the Kremlin to help counter the claims by top U.S. intelligence officials that Russia has returned for a repeat performance in the 2020 campaign. And by issuing subpoenas for the records of the computer scientists and research firms, Alfa Bank might gain information that can be used by Russia’s intelligence services for their cyber assaults against the West.

Putin seeks to stir political controversy in the United States, particularly when it comes to elections. And Alfa Bank’s owners have an interest in remaining on Putin’s good side. As Petr Aven told the Mueller team during an August 2018 interview, there would be “consequences” if he did not follow through with Putin’s directives. And the Senate Intelligence Committee report highlights Aven’s participation in Putin’s group of oligarchs who take implicit and explicit “directives” from the Russian president.

What About Spectrum Health?

Michigan-based Spectrum Health, whose board chairman in 2016 was Richard DeVos, husband of Trump’s education secretary, Betsy DeVos, is mentioned in the Ankura study as another possible victim of the conspiracy. Spectrum Health looked up the Trump server 714 times during that same May-September 2016 time period. (Together Alfa Bank and Spectrum Health accounted for 99 percent of the DNS look-ups.)

The DeVos family had more in common with Alfa Bank than a desire to get Trump elected, although its members contributed generously to Trump’s campaign. A direct marketing company co-owned by the family, Amway, had a large presence in Russia, with sales of around $270 million in 2016. Amway also had ties with Alfa Bank. In 2014, Amway partnered with Alfa Bank to establish a joint credit card. And a year later, Alfastrakhovanie, an insurance arm of the bank’s parent company, Alfa Group, became the insurer for hundreds of Amway employees in Russia.

Along with Alfa Bank, Amway doubtless welcomed Trump’s suggestions during the 2016 campaign that he would lift economic sanctions imposed on Russia after the 2014 annexation of Ukraine’s Crimean Peninsula. In a 2015 interview with the Russian business daily Vedomosti, Amway CEO Doug DeVos (brother-in-law of Betsy DeVos) complained that economic sanctions against Russia were taking their toll on Amway’s business there.

A possible explanation for the server communications is that they represented movement of data, which computer scientist Camp suggested to Filkins. Separately, a computer researcher who called himself Tea Pain reported a pattern of database replication between servers—a process whereby different versions of the same database are kept “in sync” so that new information or changes make their way to others. According to Tea Pain, Russia might have created a voter-targeting database, laundered through Alfa Bank, and Spectrum Health added value to the data through its extensive databases of email addresses and phone numbers: “Once back in the hands of Russian Intelligence, this massaged data could be programmatically matched up with social media handles to create a micro-targeted ‘hit list’ for the thousand Russian trolls employed by Putin.”

Evidence to support the database replication hypothesis includes a strange ping (seen on DNS logs posted by Camp) to the Trump server on July 26, 2016, from an IP address (79.134.218.130) belonging to a Russian internet provider in St. Petersburg, called OBIT. OBIT’s Russian website advertises that it has a large facility especially designed for data storage, and it includes among its many clients Concord Catering, which, along with its sister company Concord Management, sponsored the massive pro-Trump “information warfare” campaign carried out by the Internet Research Agency.

Database replication would explain how the Internet Research Agency gained access to the large quantities of U.S. voter data that it used to further its propaganda efforts on U.S. social media. CNN reported in late 2017 that “a number of Russian-linked Facebook ads specifically targeted Michigan and Wisconsin, two states crucial to Donald Trump’s victory last November… As part of their investigations, both special counsel Robert Mueller and congressional committees are seeking to determine whether the Russians received any help from Trump associates in where to target the ads.”

Neither Mueller nor congressional investigators have offered evidence that U.S. persons knowingly assisted the IRA, aside from promoting its pro-Trump messaging on social media. But, as noted above, prosecutors have dismissed the charges against the two Concord companies that oversaw the IRA, which likely means that new evidence will not emerge. As Barbara McQuade pointed out in Just Security, such decisions are almost always made before the indictment, but just before the IRA trial was set to begin in April, Barr and his associates claimed that a “classification determination” caused them to reverse course. McQuade observed that “his [Barr’s] decisions can only be met with suspicion. Is he protecting Trump from the disclosure of facts that will cause Americans to question the legitimacy of his election as president…?”

Final Thoughts

Alfa Bank owners Fridman, Aven, and Khan have a history of litigiousness that goes back to 2000, when the bank filed a defamation suit, which it lost, against the Center for Public Integrity. (Legal costs are not a deterrent. The collective net worth of the three men is estimated by Forbes at over $26 billion.) BuzzFeed’s warning, upon being sued by Alfa Bank in 2017, about the bank’s “shameless attempts to bully and intimidate” should be taken to heart. The bank’s aggressive legal actions cause huge expense and personal harm to those they go after. In a 2017 piece about the server mystery, CNN reported that “fear has now silenced several of the computer scientists who first analyzed the [DNS] data.”

Although Fridman, Aven, Khan, and a fourth Alfa Bank owner, Alexei Kuzmichev, appeared on the January 2018 U.S. Treasury list of Russians with close Kremlin ties, they have avoided sanctions. This may in part be due to their ambitious public relations efforts, bolstered by generous donations to philanthropic causes. (Fridman recently gave $1.25 million to the Kennedy Center for renovating a lounge.)

The questions arising from Alfa Bank’s recent lawsuits make it all the more important to provide the public with more information about the investigation of the Alfa Bank/Trump server links. A lot of questions remain unanswered. The Senate Intelligence Committee report states that Alfa Bank and the Trump Organization each asserted that there was no substantive communication between the two servers, but the committee also pointedly notes that “their alternative explanations were not consistent.” This is a continuing story with some of the mystery surrounding it hopefully to be solved.


About the Author(s)

Amy Knight

Author of more than thirty scholarly articles and six books on Russian history and politics. Her most recent book is Orders To Kill: The Putin Regime and Political Murder (St. Martin's Press, 2017). Follow her on Twitter (@aknight613).