John Panzer @jpanzer, 25 tweets, 6 min read
This is a really good deep dive into Trump/Alfa/Spectrum Health. I have a few other things to say about the reports of Mandiant and Stroz Friedberg, hired by Alfa, but this has most of the key points. Especially the last half. newyorker.com/magazine/2018/…
Just a quick thread about some technical aspects of this story. The Mandiant report is the key one for the 2016 events so I'll focus on that one. The only version I know of is here: assets.documentcloud.org/documents/3899…
Exhibit II of the above is the Mandiant Nov 4 "DRAFT" report (why no final report? Was there a final report prepared? Where is it?). Anyway, this "DRAFT" report states:
"When Mandiant was engaged, a Russian security firm, Group IB, had already drafted a report that outlines the DNS environment in question and “whois” registrations ... Mandiant reviewed the report and initiated a detailed analysis of the DNS logs, email logs, ...
...Deep Discovery Inspector (DDI) logs, proxy logs, and email archives in coordination with the Alfa-Bank Team. Log retention periods for DNS logs were set to 24 hours. Neither Alfa-Bank nor Mandiant could recover historical data beyond that period of time."
So, (1) there is a prior report from "Group IB" (group-ib.com/leadership.html) which no one but Mandiant has seen; we don't really know what was in it (possibly nothing). (2) Nobody made a backup copy of DNS access logs before they were rotated out and erased.
The Mandiant report also seems to be going down a rabbit hole of looking for "email" traffic FROM Alfa TO the Cendyne/Trump server: "There is no information showing the type or the content of the communication. However, “email look-ups” suggest only DNS MX lookups..."
So I compared the sample on page 6 of Exhibit II to the data published by Jean Camp: ljean.com/NetworkRecords…. The first few lines of that file correspond to the first 4 lines of the Mandiant's report for lookups May 4-10, 2016. But Jean Camp's data is clearly A record lookups.
("04-May-2016 06:48:06 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)") Significance: If this is an A record lookup, it's not part of the [E]SMTP protocol, which would use an MX record lookup.
Maybe the NYT provided Alfa with only a very highly redacted set of logs, but it's weird that the type of lookup was removed.
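To make the A-versus-MX distinction concrete, here is an added example (not from the thread or from any of the reports it discusses) that parses BIND-style query log lines like the one quoted above and reports what each record type does and does not show. The first sample line is the record quoted in the thread; the other lines are constructed, using documentation addresses and example.net.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: line 1 is the record quoted in the thread; the rest are
# made up here (documentation addresses, example.net) to show an MX lookup
# and a "client ip#port:" field as newer BIND versions write it.
SAMPLE_LOG = """\
04-May-2016 06:48:06 client 217.12.97.15 query: mail1.trump-email.com IN A + (66.216.133.29)
04-May-2016 06:49:10 client 192.0.2.10#41522: query: example.net IN MX + (192.0.2.1)
04-May-2016 06:49:11 client 192.0.2.10#41523: query: mx1.example.net IN A + (192.0.2.1)
06-May-2016 03:12:44 client 192.0.2.11 query: mail1.trump-email.com IN A + (192.0.2.1)
"""

# Client port and sub-second timestamps are optional (the quoted line has neither).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+"
    r"client (?P<client>[0-9a-fA-F.:]+?)(?:#\d+)?:?\s+"
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+) "
    r"\((?P<server>[0-9a-fA-F.:]+)\)$"
)

def parse_query_log(text):
    """Parse query log lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
            records.append(rec)
    return records

def classify(qtype):
    """What a query of this type does, and does not, show about SMTP."""
    if qtype == "MX":
        return "MX: mail-exchanger lookup, the step an SMTP sender performs"
    if qtype in ("A", "AAAA"):
        return f"{qtype}: address lookup only; not by itself an SMTP step"
    return f"{qtype}: other record type"

def lookups_by_type(records):
    """Count (qname, qtype) pairs, e.g. to check whether any MX queries exist."""
    return Counter((r["qname"], r["qtype"]) for r in records)

def query_span_days(records, qname):
    """Days between first and last query for qname, or None if absent."""
    times = [r["ts"] for r in records if r["qname"] == qname]
    return (max(times) - min(times)).total_seconds() / 86400 if times else None
```

Run over a full export, `lookups_by_type` shows at a glance whether any MX queries for a mail domain exist at all, and `query_span_days` gives the window a name was queried over, the kind of figure the "two days" finding later in the thread is about.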
The next Mandiant statement is interesting to parse. "At the time Mandiant initiated their investigation, Alfa-Bank’s log retention period was set to 24 hours." [When was that? What was it back in October 2016? Unknown.]
"Alfa-Bank indicated this was due to normal operations generating a high volume of requests; therefore, physical space for log storage was not economically feasible." [This is likely standard, but capturing logs once an issue arises is standard too; why wasn't it done?]
More specifically, Alfa was informed about the lookups by the NYT on Sep 21, 2016; the DNS lookups continued through Sep 23, 2016, though they started getting errors on Sep 22. The Mandiant report doesn't explain why Alfa didn't save ANY of the DNS records from Sep 21-23...
...when theoretically their IT staff (or Group IB?) was frantically investigating. The very first task they should have done was to copy sample logs, at the very least, and archive them. Mandiant doesn't mention this.
Mandiant notes that DNS logs from Oct 7, 2016 and after were available for analysis in ArcSight (an archive/analysis tool). Thus it appears somebody (Group IB? Mandiant? Alfa?) set up new DNS log archiving on or after Oct 7 -- does this mean Mandiant started Oct 7?
As the New Yorker piece accurately noted, the explanation that the Deep Discovery Inspector might have created the DNS pings from re-scanning older emails from spring 2016 from the trump1 server is contradicted by Mandiant's findings.
Mandiant found "Further tests with other domain names indicated that Deep Discovery Inspector would try to resolve the domain name again, irregularly over the course of two days." In other words, after an email was more than 2 days old, it would not generate more DNS pings.
But the last marketing email from the trump1 server was many months before the 1st DNS lookup. So per Mandiant's own report, they could not replicate the DNS lookup patterns with the data Alfa gave them.
The New Yorker piece lays this out pretty well. There is one hypothesis it leaves out, however -- that the Deep Discovery Inspector was in fact operating exactly the way Mandiant hypothesized, that it was triggered by email from the trump1 server arriving at Alfa Bank. But...
...any email arriving through September 2016 SHOULD have been in the Alfa email archives that it provided to Mandiant. Unless, of course, Alfa deleted those emails from the archives it provided a month later to Mandiant, for some reason, throwing the Mandiant analysis off.
(This hypothesis is similar to those in the New Yorker article, but it just supposes that the existing software on the trump1 server was re-purposed to send something other than marketing emails to Alfa and Spectrum Health. Just because Mandiant didn't find emails in Oct/Nov...
...is not proof that the emails didn't exist in September 2016, but were deleted out of the email archives provided for Mandiant to analyze later.)

More generally, the Mandiant analysis appears to be based on data provided by Alfa for it to look at, not a forensic examination...
...of all of Alfa's systems. Alfa later overstated the depth of Mandiant's investigation and strength of its conclusions as well (e.g., snopes.com/fact-check/tru…). So the Mandiant investigation (started Oct 7?) was at best inconclusive.
By the way: If this "re-scan" idea held any water, and it did somehow re-scan really old marketing emails, you'd expect (1) it would have done it for all the old emails, not just Trump marketing ones, and (2) it would have continued past Sep 23! ...

Neither thing was observed by the DNS researchers or Mandiant. So we have lots of evidence against any kind of bug like that one, leaving us with... no explanation offered by Alfa at all, just threatened lawsuits.