The Trump Organization, like most large entities, has numerous domains registered for various purposes. It is not at all unusual for large organizations to use subdomains to make server management easier. For instance, the Apple, Inc support site is support.apple.com. This allows the Apple support website to be administered completely independently of its main website and even to be hosted on a different server. Domains and subdomains, using a protocol known as DNS, are translated into IP addresses, which allow your traffic to arrive at the correct destination.
In the case of the Trump Organization, expected subdomains might include reservations.trumphotels.com or jobs.donaldtrumpexecutiveoffice.com.
But when we took a closer look at Trump Organization subdomains, we found something unusual and alarming.
It seems highly unusual that an organization, and now Presidential administration, while under investigation for colluding with a foreign adversary in a concerted effort to undermine American democracy, would allow even a semblance of impropriety like this to happen. Yet that appears to be exactly what the Trump organization has decided to do.
All known Trump domains are registered through GoDaddy, and many of the primary domains are hosted on GoDaddy shared servers. Nonetheless, there are multiple subdomains whose traffic is routed to servers in St. Petersburg, Russia. Traffic to these subdomains goes through a backbone in Italy, proceeds to Moscow, goes to a server located hundreds of miles away to the east, then finally arrives at a server in St. Petersburg.
The range of IP addresses these subdomains occupy on this server is 184.108.40.206-220.127.116.11, a block owned by HostKey.ru, also known as Mir Telematiki LTD. The odd hop to a server in what is reported as Siberia has an IP address of 18.104.22.168. An interesting note, few of the IP addresses in this large block belonging to HostKey.ru are actually hosting websites; the only ones currently known are 22.214.171.124-204.
This IP block has slightly different Whois registration information than other blocks owned by Hostkey.ru. The contact listed for this IP block is a Andrey Shevchenko, who started working at GazProm approximately a month after these subdomains were set up.
With few exceptions, these subdomains were set up in August 2013. Alienvault’s OTX service contains records of some of these subdomains being in use as recently as March, 2017. Many, but not all, are still active and the DNS records are still set to allow these subdomains to route to the Russian servers.
Our team has conducted both ping tests and traceroutes that show that these servers are still up and operational, and that these subdomains are still directed to these Russian servers. Each subdomain is named with a seemingly random string of letters, presumably to prevent a ordinary users from stumbling on them by mistake.
Take for example the subdomain dsfs.donald-trump-entrepreneurs-initative.com. As with the other subdomains, no user-visible content is present here. We ran a traceroute on this subdomain to reveal the path taken by network traffic to this address. Here is what we found:
Of particular note: the IP address 126.96.36.199 in the traceroute results is apparently located far east of Moscow, near the town of Vanavara in the desolate Russian precinct Krasnoyarsk Krai. This location is very near the site of the Tunguska event in 1908, an apparent meteor explosion that flattened nearly 800 square miles of forest. However, there seems to be no appreciable increase in latency (the time it takes to go from one server to another) while making this round trip. Instead, it shows approximately the same latency as the servers known to be located in Moscow.
This IP address along with all the IPs in the route once the traffic enters Russia, belongs to the same service provider used by one of the servers hosting Wikileaks.org. This server was established approximately one week before the Podesta emails were released, and is located in Moscow, with IP location tools showing both the Trump subdomain traffic transiting through and Wikileaks hosted in a building located near the Kremlin. Wikileaks has multiple servers, two located in Moscow, and the route for that traffic also includes the trip to Siberia, again with little difference in latency when making this long round trip.
In addition to the subdomains themselves, there are OTX records of filenames referencing inappropriate content being on these servers. Many of these filenames are repeated on multiple servers and quite a few have filenames that appear to be “leetspeak”, in which numbers are substituted for letters to create English language phrases. Examples include d3li3V3R1t0d4Y.html1.zip (Deliver 1 Today), l0v3LYg1rLS0nlY4y0U.html1.zip (Lovely Girls Only for You), n1cEG1rLSatTh1Sw33kEND988.html1.zip (Nice girls at this Weekend), and gR33TpUsSY4Tth1SwE3k.html1.zip (Great p***y 4 T this week). None of these file names were found in examples of known malware.
If it weren’t for the fact that these have been in use for over four years at this point, and still reachable today, this would look like someone had hacked these domains and left the files as a form of defacement, or possibly used them for a spam or malware campaign. But certainly with an organization of this size, and with the added security concerns and scrutiny that a presidential campaign and victory would entail, it would be inexcusable for this to not have been discovered by their IT department. Any basic security audit would show the existence of these subdomains, and what servers they’re leading to. This is sloppy at best, and potentially criminally negligent at worst, depending on the traffic that is being run through these servers.
So the question is: why is the Trump Organization continuing to allow hidden subdomains to run to servers hosted in Russia?
Click here for Mike’s companion thread on Twitter.
— C. Shawn Eib
Owner, CSE Security, LLC
Click here for part two.