As we mentioned in part two of our Trump Subdomain story, various media outlets including Mother Jones and ABC News have asserted that the subdomains found on the Trump GoDaddy domains match the pattern of so-called “Shadowgate”, in which attackers hacked into accounts belonging to GoDaddy customers and set up around 10,000 malicious subdomains.
The GoDaddy Shadow Domain exploits occurred in 2011 and 2014, not in 2013. A spokesman from GoDaddy says the same, in the ABC News piece.
Additionally, Cisco’s Talos Intelligence Group asserted in 2016 that GoDaddy had removed all affected subdomains.
Another key difference between the Trump subdomains and the Shadow Domain exploits is that the Trump subdomains that existed in 2013 were exactly the same as the ones that were still present on October 31. This does not match the shadow domain pattern of rapidly changing subdomains.
Also, none of the Trump top-level domains appear to have hosted malware during this time period. If hackers had gotten into the Trump GoDaddy account, why didn’t they install malware on the high-traffic websites themselves?
Besides taking issue with the media’s reporting on the Trump subdomains, we are confused about why they were allowed to persist in GoDaddy’s DNS system. GoDaddy asserts that it has measures in place to monitor for malicious activity, and indeed, the system would not let us create a subdomain pointing to the HostKey.ru IP address that subdomains of 721fifth.com were pointed to up until very recently.
Why didn’t GoDaddy check all of their A records and delete any subdomains pointing to these malicious IP addresses?
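One way such a sweep could be done, as an added example that is not the article’s own code and not anything GoDaddy is known to run: parse a zone’s A records and flag every subdomain whose address falls inside a denylist of hostile IPs or ranges. The zone text, the subdomain labels and the denylist below are constructed placeholders using RFC 5737 documentation ranges, not the real records or the HostKey.ru address discussed above.

```python
"""Audit a BIND-style zone for A records that point into a denylist.

Added example, not from the original article. The zone and the
denylist are constructed placeholders (RFC 5737 documentation
ranges), not real records from any customer account.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample zone: a normal site plus two throwaway-looking
# subdomains that point at addresses outside the customer's own hosting.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@            IN  A     198.51.100.10
www          IN  A     198.51.100.10
mail         IN  MX 10 mail.example.com.
mail         IN  A     198.51.100.20
h3kq9z2      IN  A     192.0.2.45     ; constructed placeholder label
pzx77a       IN  A     192.0.2.46     ; constructed placeholder label
old-blog     IN  CNAME www.example.com.
"""

# Constructed denylist: what an abuse team would maintain for known-bad
# hosting ranges (placeholder range, not a real hostile network).
DENYLIST = ["192.0.2.0/24"]

# name [ttl] [IN] A address   (TTL and class are optional in zone files)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$")


def qualify(name: str, origin: str) -> str:
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_a_records(zone_text: str) -> List[Tuple[str, str]]:
    """Return (fqdn, ip) for every A record, honouring $ORIGIN and comments."""
    origin = ""
    records: List[Tuple[str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        m = A_RECORD.match(line)
        if not m:  # MX, CNAME, etc. are not what we are auditing here
            continue
        name, ip = m.groups()
        records.append((qualify(name, origin), ip))
    return records


def flag_denylisted(records: List[Tuple[str, str]],
                    denylist: List[str]) -> List[Tuple[str, str]]:
    """Return the records whose address is inside any denylisted network."""
    nets = [ipaddress.ip_network(n, strict=False) for n in denylist]
    flagged = []
    for fqdn, ip in records:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed address: not our concern here
            continue
        if any(addr in net for net in nets):
            flagged.append((fqdn, ip))
    return flagged


def audit_zone(zone_text: str, denylist: List[str]) -> List[Tuple[str, str]]:
    """Convenience wrapper: parse the zone and return the hits."""
    return flag_denylisted(parse_a_records(zone_text), denylist)


if __name__ == "__main__":
    for fqdn, ip in audit_zone(SAMPLE_ZONE, DENYLIST):
        print(f"DENYLISTED  {fqdn:30} -> {ip}")
```

Run against the constructed zone, the two placeholder subdomains are flagged and the customer’s own hosts are not. A registrar could run the same comparison across every hosted zone whenever a new address is added to its blocklist, which is the check the question above is asking about.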
Finally, if these subdomains were not due to Shadowgate, what could they be?
Remember Peter Levashov, who was arrested in Barcelona for running a botnet? And possibly for election meddling?
Levashov’s botnet was known as Kelihos, and it used the domain gorotza.biz for much of its dirty work.
Let’s have one more look at those Trump subdomains, in use and flagged for malware as recently as October 27!
And now let’s look at a few subdomains on gorotza.biz. Does this pattern look familiar?
One other thing… The route that those subdomains were taking, through that server that initially appeared to be in Siberia? It turns out that “Siberia” is looking more like Moscow, and our friendly mystery server is routing traffic for one other domain we tested: Wikileaks.
We are working to better understand the exact nature of these subdomains – what they were used for, and what sort of system may have taken their place. Please stay tuned.
Click here for Mike’s companion thread on this article.