We now believe this is a really big story. Time to go deeper. Multiple MSM reports suggested that the over 250 Trump Organization Sub-domains were directed to Russia because of a hack. The hack they referred to is called Shadowgate.
Here’s an ABC News piece saying essentially the same thing—that the Trump sub-domains match the pattern of so-called “Shadowgate.”
Here’s where they got their stories wrong.
The GoDaddy Shadow Domain exploits occurred in 2011 and 2014, not in 2013. A spokesman from GoDaddy says the same in the ABC News piece.
Talos asserted in 2016 that GoDaddy had removed all affected sub-domains.
So how are we seeing them up until last week?
The Trump sub-domains that existed in 2013 were exactly the same as the ones that were still present last week. This does not match the shadow domain pattern of rapidly changing sub-domains.
None of the Trump top-level domains appear to have have hosted malware during this time period. If hackers had gotten into the Trump GoDaddy account, why didn’t they install malware on the high-traffic websites themselves?
And a Giant WTF To GoDaddy! GoDaddy asserts that it has measures in place to monitor for malicious activity.
GoDaddy would not let us create a sub-domain pointing to the IP address to which sub-domains of http://721fifth.com were pointed until last week.
Why didn’t GoDaddy check all of their A records and delete any sub-domains pointing to these malicious IP addresses?
Why did GoDaddy allow these sub-domains to exist only for the Trump Organization? They cleared them out of all other accounts and wouldn’t allow them to be manually added?
Oh, and by the way, Robert Parsons, Founder and now Board Member of GoDaddy, donated one million dollars to the Trump inauguration!
Finally, if it’s not Shadowgate, what could it be?
What about Peter Levashov, arrested in Barcelona for running a botnet? And possibly for election meddling.
His botnet was known as Kelihos, and it used the domain gorotza.biz for much of its dirty work.
Let’s have one more look at those Trump sub-domains, in use as recently as October 27!
And now let’s look at a few sub-domains on gorotza.biz. Familiar?
Meanwhile, back in “Siberia” (which has now been shown to actually be located in Moscow), our friendly mystery server is routing traffic for one other domain tested. Wikileaks.org.
Read the rest of the series.
Written by Unhackthevote