Slate’s Franklin Foer is reporting that computer experts say they've detected something very, very odd: A computer registered to Donald Trump's company that seems to have been set up to send and receive emails exclusively from a Russian bank.
The researchers quickly dismissed their initial fear that the logs represented a malware attack. The communication wasn’t the work of bots. The irregular pattern of server lookups actually resembled the pattern of human conversation—conversations that began during office hours in New York and continued during office hours in Moscow. It dawned on the researchers that this wasn’t an attack, but a sustained relationship between a server registered to the Trump Organization and two servers registered to an entity called Alfa Bank.
The technical details of this story are complex, but the short version is this: The researchers, working from DNS lookup logs, found a machine on Trump's business network whose name was being looked up in a back-and-forth pattern that would suggest emails being exchanged, and the machine appeared to be set up to communicate with only a very small set of other machines in the world, the Alfa Bank servers being the most important of them.
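To make the "short version" concrete, here is how an analyst would test the two observations the researchers describe against a DNS query log: whether lookups cluster in the working day of New York and of Moscow rather than around the clock, and who made the very first lookup of the renamed host. This is an added illustration, not code from Slate, the researchers or the Trump Organization. The log format, the resolver addresses and the original mail host name (mail.example-host.test) are constructed for the example; only trump1.contact-client.com is taken from the story. Time zones are fixed offsets for September 2016, an assumption noted in the code.

```python
# Added illustration: how an analyst would test the two observations described
# in the article against DNS query logs. This is not the researchers' code, and
# the log format, resolver addresses and the original mail host name
# (mail.example-host.test) are constructed here; only trump1.contact-client.com
# is taken from the article.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed offsets valid for late September 2016 (EDT = UTC-4, MSK = UTC+3).
# Assumption for simplicity; a production script would use zoneinfo so that
# daylight-saving transitions are handled for every date in the logs.
NEW_YORK = timezone(timedelta(hours=-4), "New York")
MOSCOW = timezone(timedelta(hours=3), "Moscow")
OFFICE_HOURS = range(9, 18)  # 09:00 to 17:59 local time

OLD_NAME = "mail.example-host.test"     # constructed stand-in for the original host name
NEW_NAME = "trump1.contact-client.com"  # the renamed host quoted in the article

# Constructed query log: "<UTC timestamp> <querying resolver IP> <name looked up>".
# 198.51.100.x stands in for the bank's resolvers, 203.0.113.5 for an unrelated one.
SAMPLE_LOG = """\
2016-09-20T13:05:11Z 198.51.100.7 mail.example-host.test
2016-09-20T14:41:52Z 198.51.100.7 mail.example-host.test
2016-09-20T17:12:03Z 198.51.100.8 mail.example-host.test
2016-09-20T21:30:45Z 198.51.100.7 mail.example-host.test
2016-09-21T01:15:00Z 198.51.100.7 mail.example-host.test
2016-09-21T06:55:19Z 198.51.100.7 mail.example-host.test
2016-09-21T15:02:27Z 203.0.113.5 mail.example-host.test
2016-09-27T12:48:09Z 198.51.100.7 trump1.contact-client.com
2016-09-27T13:20:33Z 198.51.100.8 trump1.contact-client.com
"""


def parse_log(text):
    """Return a list of (utc_datetime, resolver_ip, queried_name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, resolver, name = line.split()
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, resolver, name.lower().rstrip(".")))
    return records


def lookups_by_resolver(records, name):
    """How many times each resolver asked for `name`: a small, repeated set
    of queriers is the 'exclusive link' the article describes."""
    return Counter(resolver for _, resolver, n in records if n == name)


def office_hours_fraction(records, name, zones):
    """Fraction of lookups for `name` that land in office hours in at least
    one of `zones`. Bot beacons spread evenly around the clock; human-driven
    traffic clusters in the working day of the people on each end."""
    times = [when for when, _, n in records if n == name]
    if not times:
        return 0.0
    hits = sum(1 for t in times if any(t.astimezone(z).hour in OFFICE_HOURS for z in zones))
    return hits / len(times)


def first_lookup(records, name):
    """(time, resolver) of the very first query for `name`, or None."""
    matches = sorted((when, resolver) for when, resolver, n in records if n == name)
    return matches[0] if matches else None


def first_querier_was_known(records, old_name, new_name):
    """True if the first party to look up the new name had already been
    querying the old one, i.e. someone told it the new name."""
    first = first_lookup(records, new_name)
    return first is not None and first[1] in lookups_by_resolver(records, old_name)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("queriers of old name:", dict(lookups_by_resolver(recs, OLD_NAME)))
    for label, zones in (("New York", [NEW_YORK]), ("Moscow", [MOSCOW]), ("either", [NEW_YORK, MOSCOW])):
        print(f"office-hours fraction ({label}):", round(office_hours_fraction(recs, OLD_NAME, zones), 3))
    print("first lookup of new name:", first_lookup(recs, NEW_NAME))
    print("first querier already known:", first_querier_was_known(recs, OLD_NAME, NEW_NAME))
```

One caveat worth keeping in mind when reading the story: a DNS lookup shows that something on the querying network asked where the mail host lives. It does not by itself show that mail was actually delivered or what it said, which is why "would suggest emails being exchanged" is the right strength of claim for this kind of evidence.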
After New York Times reporters contacted Alfa Bank to inquire, the link was suddenly severed from Trump's side. But then:
Four days later, on Sept. 27, the Trump Organization created a new host name, trump1.contact-client.com, which enabled communication to the very same server via a different route. When a new host name is created, the first communication with it is never random. To reach the server after the resetting of the host name, the sender of the first inbound mail has to first learn of the name somehow. It’s simply impossible to randomly reach a renamed server.
The link between the servers is dead now, and both sides are denying business dealings with the other. So, putting aside as much of the technical jargon as we can: What's going on?
There are quite a few possibilities. The first and most obvious one is that the server is exactly what it seems to be: a link to relay emails between Trump's company, or at least someone within it, and the named Russian bank.
A less likely but still plausible scenario is that Trump's internal network was seriously compromised: that the researchers caught someone who had successfully "hacked" into Trump's network and into the bank's network and was using both. That seems a far more remote scenario because of the reported traffic patterns. An intruder staging through a server tends to produce one-directional, machine-timed traffic; what was reported was two-way traffic keeping human hours on both ends. In addition, experienced hackers would almost certainly never be so dimwitted as to route their traffic through traceable DNS names instead of more surreptitious and effective means.
As Slate suggests, there are other, more innocuous technical possibilities too. But none of them fit the data quite as well as the simplest explanation: The two machines were indeed set up as a private link between the companies.
We also know that there isn't much chance of this link being accidental. The reestablishment of the same private link under a new host name, a name the other side could only have learned from someone who already knew it, settles that fairly definitively.
We just don't know why it was there.