Security researchers have found evidence that hackers were able to register at least 250 shadow subdomains beneath domain names owned by the Trump Organisation. The subdomains resolve to Russian IP addresses and appear to be linked to possible malware campaigns, and some were still active as recently as last week.
Mother Jones reports that it was first contacted by an unnamed computer security expert who believes hackers gained access to the GoDaddy account the Trump Organisation uses to register its many domain names. The expert supplied a list of the subdomains, which were created in 2013.
As of February of this year, the Organisation had registered 3,643 domain names. Some of these, such as TrumpFraud.org or VoteAgainstTrump.com, are held purely defensively, to stop someone else from buying them. Others, such as donaldtrumpoffice.com, have a genuine association with Trump or simply redirect to Trump.com. Whoever registered the subdomains now linked to Russian IPs simply prepended a string of seemingly random letters to an existing domain name; gjyg.donaldjtrumpoffice.com is one of the shadow subdomains.
There are plenty of legitimate reasons to use subdomains. An address such as reservations.trumphotel.com might, for example, be used to book a stay at one of the US president’s many hotels. But the legitimate hostnames set up by the Trump Organisation all resolve to IP addresses in the US or in other countries where the company does business. In August, a spokesperson for the company told the New York Times that “the Trump Organisation has never had any real estate holdings or interests in Russia”. The subdomains in question, by contrast, follow a circuitous path to Russian servers. Security researcher C. Shawn Eib outlined the traffic route in a blog post this week:
All known Trump domains are registered through GoDaddy, and many of the primary domains are hosted on GoDaddy shared servers. Nonetheless, there are multiple subdomains whose traffic is routed to servers in St. Petersburg, Russia. Traffic to these subdomains goes through a backbone in Italy, proceeds to Moscow, goes to a server located hundreds of miles away to the east, then finally arrives at a server in St. Petersburg.
The range of IP addresses these subdomains occupy on this server is 18.104.22.168-22.214.171.124, a block owned by HostKey.ru, also known as Mir Telematiki LTD. The odd hop to a server in what is reported as Siberia has an IP address of 126.96.36.199. An interesting note: few of the IP addresses in this large block belonging to HostKey.ru are actually hosting websites; the only ones currently known are 188.8.131.52-204.
When the subdomains were first set up, they pointed to 17 IP addresses allocated to Petersburg Internet Network. According to Mother Jones, those addresses have since been “registered to a different entity in Russia”.
The subdomains currently point to addresses in a range between 184.108.40.206 and 220.127.116.11. Something that may or may not be notable is that those addresses fall within a larger network that was tied to a website deploying an exploit kit in 2013.
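The two signals the reporting above relies on, a machine-looking label prepended to a real domain and an A record that resolves somewhere the organisation has no business hosting, are exactly what a defender would check for in their own registrar or DNS zone export. The script below is an added example written for this page, not code from the article, from Mother Jones or from C. Shawn Eib. The zone listing, the base domain, the allowlisted netblocks and the hostnames in it are all constructed (documentation address ranges, not the addresses discussed above), and the vowel-free-label heuristic is a deliberately simple stand-in for a proper generated-name classifier. A real audit would additionally run a WHOIS/ASN lookup on each flagged target, which this offline example does not do.

```python
import ipaddress

# Constructed zone export in "name type target" form. Hypothetical data:
# the addresses are RFC 5737 documentation ranges, not the article's real ones.
ZONE = """\
trump.com.               A      203.0.113.10
www.trump.com.           A      203.0.113.10
reservations.trump.com.  A      203.0.113.25
mail.trump.com.          A      198.51.100.7
gjyg.trump.com.          A      192.0.2.44
xqzv.trump.com.          A      192.0.2.45
blog.trump.com.          CNAME  www.trump.com.
cdn.trump.com.           CNAME  edge.example-cdn.net.
"""

# Netblocks the organisation knowingly hosts on (hypothetical allowlist).
EXPECTED_NETBLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Short service labels that contain no vowels but are perfectly normal.
KNOWN_LABELS = {"www", "ftp", "ns", "ns1", "ns2", "mx", "smtp", "vpn", "cdn"}


def parse_zone(text):
    """Parse 'name type target' lines into (name, type, target) tuples.

    Trailing dots are stripped and names lower-cased; comment lines are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith(";"):
            continue
        name, rtype, target = parts
        records.append((name.rstrip(".").lower(), rtype.upper(), target.rstrip(".").lower()))
    return records


def looks_machine_generated(label):
    """Heuristic: an all-letter label with no vowels (e.g. 'gjyg') that is not a known service name."""
    if label in KNOWN_LABELS:
        return False
    return label.isalpha() and not any(ch in "aeiou" for ch in label)


def audit_zone(records, base_domain, expected_netblocks):
    """Return [(name, target, [reasons])] for every record a defender should review.

    An A record is flagged when it points outside the allowlisted netblocks; a CNAME
    when it delegates to a domain outside base_domain (legitimate for a CDN, but also
    how an attacker would hang their own infrastructure off a trusted name). Either
    kind is additionally annotated when its leftmost label looks machine-generated.
    """
    findings = []
    suffix = "." + base_domain
    for name, rtype, target in records:
        label = name[: -len(suffix)] if name.endswith(suffix) else ""
        reasons = []
        if rtype == "A":
            ip = ipaddress.ip_address(target)
            if not any(ip in net for net in expected_netblocks):
                reasons.append("A record points outside expected netblocks")
        elif rtype == "CNAME":
            if not (target == base_domain or target.endswith(suffix)):
                reasons.append("CNAME delegates to an external domain")
        if label and looks_machine_generated(label):
            reasons.append("label looks machine-generated")
        if reasons:
            findings.append((name, target, reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in audit_zone(parse_zone(ZONE), "trump.com", EXPECTED_NETBLOCKS):
        print(f"{name:28} -> {target:24} {'; '.join(reasons)}")
```

Run against the constructed zone, the two vowel-free hostnames pointing into 192.0.2.0/24 are reported with both reasons, while cdn.trump.com is reported only because its CNAME leaves the organisation's domain; www and reservations pass. The point of separating the two signals is triage: an out-of-allowlist address on a sensible-looking name is usually a forgotten host, whereas a random label on an unknown netblock is the pattern described in this story and deserves a registrar-account review.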
Security researchers have been flagging some of the Trump subdomains and submitting them to the malware research database VirusTotal. In at least one case, a file URL under bfdh.barrontrump.com was flagged by Kaspersky’s engine as malicious.
All of this is fairly technical, and Mother Jones outlines several other suspicious links between these subdomains and bad actors online, but the fact is we don’t know a great deal about what these hostnames have been used for over the past four years. Gizmodo has contacted the Trump Organisation and GoDaddy for comment but has yet to receive a reply. The Trump Organisation did supply this statement to Mother Jones:
There has been no “hack” within the Trump Organisation and the domain names [in question] do not host active websites and do not have any content. Publishing anything to the contrary would be highly irresponsible. Moreover, we have no association with the “shadow domains” you reference… and are looking into your inquiry with our third party domain registrar. There is no malware detected on any of these domains and our security team takes any and all threats very seriously.
Saying that there was “no ‘hack’” leaves open a few possibilities. The Trump people could mean that GoDaddy, rather than the company itself, was compromised, or they could mean the subdomains were created by someone with legitimate access to the account. The statement then goes on to claim the company has “no association” with the subdomains, whatever that is supposed to mean for records sitting under its own domain names.
What’s clear is that the Trump Organisation let a lot of shady-looking subdomains be created on top of its legitimate domain names, those subdomains resolve to servers in Russia, and the company says it’s not associated with any of them. Hack or no hack, this is weird.
The biggest problem is that if hackers have controlled Trump subdomains for years, they could have been wreaking all sorts of havoc that we’re unaware of. A hostname under a trusted brand can be used in phishing campaigns or to distribute malware, access to the registrar account may have opened a path into the Trump Organisation’s own files (perhaps even the coveted tax returns), or this may all be a long-term effort to saddle Trump with yet more Russian associations. But, much like the US president and the Russian election hacking story, the Trump Organisation sure doesn’t seem to be taking this news very seriously.