Four years ago, the Trump Organization experienced a major cyber breach that could have allowed the perpetrator (or perpetrators) to mount malware attacks from the company’s web domains and may have enabled the intruders to gain access to the company’s computer network. Up until this week, this penetration had gone undetected by President Donald Trump’s company, according to several internet security researchers.
In 2013, a hacker (or hackers) apparently obtained access to the Trump Organization’s domain registration account and created at least 250 website subdomains that cybersecurity experts refer to as “shadow” subdomains. Each one of these shadow Trump subdomains pointed to a Russian IP address, meaning that they were hosted at these Russian addresses. (Every website domain is associated with one or more IP addresses. These addresses allow the internet to find the server that hosts the website. Authentic Trump Organization domains point to IP addresses that are hosted in the United States or countries where the company operates.) The creation of these shadow subdomains within the Trump Organization network was visible in the publicly available records of the company’s domains.
Here is a list of Trump Organization shadow subdomains.
The subdomains and their associated Russian IP addresses have repeatedly been linked to possible malware campaigns, having been flagged in well-known research databases as potentially associated with malware. The vast majority of the shadow subdomains remained active until this week, indicating that the Trump Organization had taken no steps to disable them. This suggests that the company for the past four years was unaware of the breach. Had the infiltration been caught by the Trump Organization, the firm should have immediately decommissioned the shadow subdomains, according to cybersecurity experts contacted by Mother Jones.
Two weeks ago, a computer security expert, who wishes to remain unidentified, contacted Mother Jones and provided the list of the shadow Trump Organization subdomains. He explained what he believed had happened. Some hacker—or group—had gained access to the Trump Organization’s GoDaddy domain registration account. Like many companies, the Trump Organization has registered a long list of domain names, many of which it has never put to use. Some examples: BarronTrump.com, DonaldTrump.org, ChicagoTrumpTower.com, CelebrityPokerDealer.com, and DonaldTrumpPyramidScheme.com.
The existence of these shadow subdomains suggests a possible security compromise within Trump’s business network that created the potential for unknown actors—using these Trump Organization subdomains—to launch attacks that could trick computer users anywhere into handing over sensitive information and unknowingly allow the attackers access to their computers and network. In fact, the IP addresses associated with the fake subdomains are linked to an IP address for at least one domain previously used by hackers to deploy malware known as an “exploit kit,” which can allow an attacker to gain a computer user’s passwords and logins or to take over another computer and gain access to the files within it.
For each of more than a hundred of these Trump domains, the intruder created two shadow subdomains, with the names of these subdomains generally following a pattern: three to seven seemingly random letters placed before the real domain name. Here are examples from the list: bfdh.BarronTrump.com and dhfb.BarronTrump.com; bfch.DonaldTrump.org and bxdc.DonaldTrump.org; cesf.ChicagoTrumpTower.com and vsrv.ChicagoTrumpTower.com; dxgrg.CelebrityPokerDealer.com and vsrfg.CelebrityPokerDealer.com; and bdth.DonaldTrumpPyramidScheme.com and drhg.DonaldTrumpPyramidScheme.com.
The available historical data for these shadow subdomains indicate most of them were created in August 2013. When they first were set up, the shadow subdomains were aimed at one of 17 IP addresses on a network that was based in St. Petersburg, Russia, and they were hosted on servers owned by a company called the Petersburg Internet Network, a server provider with a reputation for hosting nefarious actors.
In a January 2015 blog post about fraudulent IP routing and malware, Doug Madory, the director of internet analysis at Dyn, called the Petersburg Internet Network “perhaps the leading contender for being named the Mos Eisley of the Internet,” a reference to the wild and seedy spaceport city on the planet Tatooine in the Star Wars movies. Currently, the IP addresses for these shadow Trump subdomains are registered to a different entity in Russia. According to several cybersecurity experts, the fact that the IP addresses point to Russia does not mean the Trump Organization breach originated there.
The shadow Trump Organization subdomains point to IP addresses in the range between 18.104.22.168 and 22.214.171.124—and these addresses are part of a larger network. In October 2013, a security researcher identified a website called BewareCommaDelimited.org deploying an exploit kit that was intended to pilfer passwords and other information from targeted computers and noted it was associated with this IP address: 126.96.36.199. That IP address is within the same network as the IP addresses used for the shadow Trump Organization subdomains—an indication that these subdomains might have been part of a network used to deploy malware against other computers.
This week, a researcher named C. Shawn Eib wrote a blog post highlighting the existence of the shadow subdomains, which had been referenced in a Twitter thread several weeks ago. Eib noted that “more than 250 subdomains of domains registered to the Trump Organization redirect traffic to computers in St. Petersburg, Russia.”
Another computer security expert, who also asked not to be named, notes that this network of shadow subdomains may have been established by a criminal enterprise looking to use the Trump Organization’s computer system as the launching pad for various cyberattacks on other individuals or entities. But, he adds, this breach also could be exploited by state or nonstate actors attempting to infiltrate the Trump Organization. “At the least,” he remarks, “it shows the Trump Organization has been badly run.”
In his blog post, Eib notes, “With an organization of this size, and with the added security concerns and scrutiny that a presidential campaign and victory would entail, it would be inexcusable for this to not have been discovered by their IT department. Any basic security audit would show the existence of these subdomains, and what servers they’re leading to. This is sloppy at best, and potentially criminally negligent at worst, depending on the traffic that is being run through these servers.”
All of the legitimate Trump Organization domains and the suspected subdomains were registered through GoDaddy. The creation of the shadow subdomains suggests that the hacker (or hackers) compromised the company’s GoDaddy account and, depending on how the account was penetrated, the intruders could have obtained passwords and access to other computers in the Trump Organization network.
The creation of these Trump Organization subdomains looks like a classic case of domain-shadowing, according to Steve Lord, a British cybersecurity expert at Raw Hex, a startup that trains people on micro-electronics and computer coding. He examined internet records and reviewed the matter for Mother Jones. Lord notes the Trump Organization shadow subdomains fit the pattern of a major case of domain-shadowing that in 2011 struck clients of GoDaddy, one of the largest domain registrars in the world.
In a March 2015 blog post, Nick Biasini, a threat researcher at Cisco’s Talos Security Intelligence and Research Group, described how domain-shadowing works:
These accounts are typically compromised through phishing. The threat actor then logs in with credentials and creates large amounts of subdomains. Since a lot of users have multiple domains this can provide a nearly endless supply of domains…This behavior has shown to be an effective way to avoid typical detection techniques like blacklisting of sites or IP addresses.
In the post, Biasini noted that the practice of domain-shadowing goes back to 2011 and, like everything else in the tech world, has become more sophisticated over time.
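The kind of audit that surfaces domain-shadowing records compares every record in a zone export against an inventory of hostnames the organization created and the networks it actually hosts on. The sketch below is an added example, not code from the article or from the researchers it quotes; the hostnames, addresses (RFC 5737 documentation ranges), inventory and function names are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed inventory: hostnames created on purpose, and the netblocks the
# organisation's hosting providers use (RFC 5737 documentation ranges).
APPROVED_HOSTS = {"example.com", "www.example.com", "mail.example.com",
                  "example.org", "www.example.org"}
APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed zone export: (hostname, A-record target).
ZONE_RECORDS = [
    ("example.com", "192.0.2.10"), ("www.example.com", "192.0.2.10"),
    ("mail.example.com", "192.0.2.25"), ("example.org", "192.0.2.11"),
    ("qzkt.example.com", "198.51.100.7"), ("tkzq.example.com", "198.51.100.9"),
    ("bwfr.example.org", "198.51.100.7"), ("rfwbx.example.org", "198.51.100.12"),
    ("shop.example.org", "192.0.2.40"),  # unlisted but on an approved network
]

# Three to seven letters: the naming pattern the article describes. A weak
# signal on its own ("shop" matches too), so it only annotates a finding.
RANDOM_LABEL = re.compile(r"^[a-z]{3,7}$")


def audit(records, approved_hosts=APPROVED_HOSTS, approved_nets=APPROVED_NETS):
    """Return one finding per record whose hostname is not in the inventory."""
    findings = []
    for host, ip in records:
        host = host.lower().rstrip(".")
        if host in approved_hosts:
            continue
        addr = ipaddress.ip_address(ip)
        findings.append({
            "host": host,
            "ip": ip,
            "off_network": not any(addr in net for net in approved_nets),
            "random_label": bool(RANDOM_LABEL.match(host.split(".")[0])),
        })
    return findings


def clusters(findings, prefix=24):
    """Group off-network findings by destination network to expose a campaign."""
    groups = defaultdict(list)
    for f in findings:
        if f["off_network"]:
            net = ipaddress.ip_network(f"{f['ip']}/{prefix}", strict=False)
            groups[str(net)].append(f["host"])
    return dict(groups)
```

Calling `clusters(audit(ZONE_RECORDS))` groups the four unlisted hosts under the single unexpected network, while `shop.example.org` shows up only as an inventory gap to review, since it resolves inside an approved range.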
When cyber professionals notice suspected malware coming through their networks or in the wild, they often share this information with public malware databases so the broader information security community is aware and can analyze the potential malware. In the case of the Trump-related subdomains, many have been flagged as suspected malware carriers by IT professionals and security researchers who then uploaded references to these subdomains to VirusTotal, a malware research database.
VirusTotal lists the findings of cybersecurity firms that analyze URLs suspected of being associated with malware. For many but not all of the Trump-related subdomains, according to the VirusTotal listings, Kaspersky, the Russian antivirus company, detected a possible association with malware. (Kaspersky is in the news now due to allegations that it has worked with the Russian government to steal data from US government computers, a claim the company denies. Many security researchers, though, agree that the company is highly skilled at identifying Russian malware.)
“It’s telling that Kaspersky detected [this malware], while others didn’t,” Lord tells Mother Jones. That could be a measure of the malware’s sophistication.
The cybersecurity expert who shared the list with Mother Jones says he could find no legitimate use for the subdomains. He notes that the full scope of the attackers’ breach of the Trump Organization domains remains unclear, but he adds that the hackers who have launched attacks from this block of IP addresses have the ability to wage highly sophisticated cyber assaults. “I’d have to imagine that the file and mail servers on the Trump Org network would be the world’s largest repository of information that could be used to gain leverage over our president,” he remarks. He also points out that this breach signals the Trump Organization did not employ secure IT: “The big thing is that they didn’t notice.”
In response to a request for comment, the Trump Organization sent this statement:
There has been no “hack” within the Trump Organization and the domain names [in question] do not host active websites and do not have any content. Publishing anything to the contrary would be highly irresponsible. Moreover, we have no association with the “shadow domains” you reference…and are looking into your inquiry with our third party domain registrar. There is no malware detected on any of these domains and our security team takes any and all threats very seriously.
The security expert who first shared the list of subdomains with Mother Jones notes that it is true that shadow subdomains “do not currently host active websites and that there is no reason to believe that there is currently any malware active on these domains.” But, he remarks, the Trump Organization’s registrar account “was likely compromised since someone created these hundreds of records and if it wasn’t an authorized Trump Org person, that only leaves unauthorized persons.”
Shown the Trump Organization’s statement, Lord replied,
There’s two possible situations as I see it. Either they set up their own domain records to point at servers hosted in St. Petersburg, Russia…or someone else did. In either case, the question is why. For an organization on the cusp of a number of investigations about suspicious links to Russia, I’d hoped they would’ve given more public thought to the possibility that their domain ownership was at some point hijacked possibly through no fault of their own before denying everything.
The Trump Organization did not respond to follow-up questions.
The security expert who first alerted Mother Jones to the Trump-related shadow subdomains noted that as soon as the Trump Organization responded for this story, records related to the subdomains began disappearing.