A few days ago we reported that more than 250 Trump Organization subdomains are in communication with servers in Russia, one of which is a Hostkey.ru server that hosts WikiLeaks.org.
In Mother Jones and elsewhere, articles about our findings concluded that the Trump domain registry had been compromised by a third party, and that this compromise was somehow never detected by the Trump Organization’s IT department.
Despite this assertion, the existence and persistence of these subdomains do not fit the attack described, and that calls for a closer look.
The Trump Organization has stated:
There has been no “hack” within the Trump Organization and the domain names [in question] do not host active websites and do not have any content. Publishing anything to the contrary would be highly irresponsible. Moreover, we have no association with the “shadow domains” you reference…
These statements conflict: either they were hacked and these subdomains were added and somehow never noticed, or they were not hacked and these subdomains were created intentionally.
The Mother Jones article states:
In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains.
On the surface, the subdomains discovered resemble classic “shadow domains” that can be set up by hackers who have compromised a domain registration account. But a closer look reveals that it would have been nearly impossible for such domains to have persisted undetected for four years.
From this article about shadow domains:
The above description points to two of the most obvious reasons that the compromised Trump subdomains do NOT fit the profile of classic “shadow domains”, and thus were probably not the work of a malicious third-party:
1) One of the reasons why this technique is so effective is that registrant accounts are rarely checked.
2) Another reason is that when the subdomains are finally called into play in an attack, they’re rotated rapidly.
In the case of the Trump Organization compromise, both of these indicators are invalid. The Trump Organization has clearly checked these registrant accounts multiple times since 2013 as they create new websites and change the hosting of the existing ones. Additionally, these subdomain names appear to have persisted without change since they were created.
How was this done then? When? By whom?
Let’s look at just one of the many compromised Trump domains – 721fifth.com – the website for Trump Tower itself.
This website is currently hosted on a Rackspace server, although its nameservers are GoDaddy’s. According to DNS records, the website has been hosted at Rackspace since 2015, although the domain name has been in use since 2013. According to OTX, the compromised subdomains have also existed since late 2013.
Based on a nmap scan posted to Twitter by @PropOrNot we took a more closer look at this domain, and found it is pointed to a Rackspace server with the hostname “trump2.parscalecloud.com”:
In order for the 721fifth.com domain to have been pointed to the trump2.parscalecloud.com host in 2015, someone must have logged into the Trump Organization account’s DNS records at GoDaddy and changed the “A” record for the domain.
In doing so, they must have noticed that there were several subdomains associated with this domain, and that these subdomains were pointed at IP addresses completely unrelated to either Rackspace or GoDaddy. One of these subdomains, which still exists as of this writing, is fghft.721fifth.com. A traceroute on this subdomain reveals that it is pointed to the IP address 188.8.131.52:
In order to illustrate what it takes to point a subdomain at an IP address, we registered a new domain with GoDaddy – toomanyfuckingcoincidences.com. After setting up the site, here is what the DNS settings looked like:
We then proceeded to add a few subdomains:
First – note that it is VERY obvious within this interface that new subdomains have been added, and that they point to IP addresses that are completely different from the IP address of the main domain.
Second – note that GoDaddy’s security system prevented us from pointing a new subdomain to the 184.108.40.206 IP address that fghft.721fifth.com is pointed to, due to malware concerns at that host.
The date of the creation of these domains and the date of the first detection of these subdomains is very interesting. They were created around the end of 2013, just a few months after the Trump Organization hosted the Miss Universe pageant in Moscow.
Click here for Mike’s companion thread on Twitter.
Click here for part three.