Trump Server Mystery Produces Fresh Conflict
WASHINGTON — The charge was narrow: John H. Durham, the special counsel appointed by the Trump administration to scour the Russia investigation, indicted a cybersecurity lawyer this month on a single count of lying to the F.B.I.
But Mr. Durham used a 27-page indictment to lay out a far more expansive tale, one in which four computer scientists who were not charged in the case “exploited” their access to internet data to develop an explosive theory about cyberconnections in 2016 between Donald J. Trump’s company and a Kremlin-linked bank — a theory, he insinuated, they did not really believe.
Mr. Durham’s version of events set off reverberations beyond the courtroom. Trump supporters seized on the indictment, saying it shows that suspicions about possible covert communications between Russia’s Alfa Bank and Mr. Trump’s company were a deliberate hoax by supporters of Hillary Clinton and portraying it as evidence that the entire Russia investigation was unwarranted.
Emails obtained by The New York Times and interviews with people familiar with the matter, who spoke on the condition of anonymity to discuss issues being investigated by federal authorities, provide a fuller and more complex account of how a group of cyberexperts discovered the odd internet data and developed their hypothesis about what could explain it.
At the same time, defense lawyers for the scientists say it is Mr. Durham’s indictment that is misleading. Their clients, they say, believed their hypothesis was a plausible explanation for the odd data they had uncovered — and still do.
The Alfa Bank results “have been validated and are reproducible. The findings of the researchers were true then and remain true today; reports that these findings were innocuous or a hoax are simply wrong,” said Jody Westby and Mark Rasch, lawyers for David Dagon, a Georgia Institute of Technology data scientist and one of the researchers whom the indictment discussed but did not name.
Steven A. Tyrrell, a lawyer for Rodney Joffe, an internet entrepreneur and another of the four data experts, said his client had a duty to share the information with the F.B.I. and that the indictment “gratuitously presents an incomplete and misleading picture” of his role.
Mr. Durham’s indictment provided evidence that two participants in the matter — Mr. Joffe and Michael Sussmann, the cybersecurity lawyer accused of falsely saying he had no client when he brought the findings of the researchers to the F.B.I. — interacted with the Clinton campaign as they worked to bring their suspicions to journalists and federal agents.
A spokesman for Mr. Durham declined to comment. The special counsel’s office issued a fresh grand jury subpoena to Mr. Sussmann’s former law firm, Perkins Coie, sometime after Mr. Sussmann was indicted on Sept. 16, in a development first reported on Thursday by CNN and confirmed by a person familiar with the matter. It is unclear whether the subpoena pertained to Alfa Bank or whether Mr. Durham has finished his investigation into that case.
Mr. Durham uncovered law firm billing records showing that Mr. Sussmann, who represented the Democratic National Committee on issues related to Russia’s hacking of its servers, had logged his time on the Alfa Bank matter as work for the Clinton campaign. Mr. Sussmann has denied lying to the F.B.I. about who he was representing in coming forward with the Alfa Bank data, while saying he was representing only Mr. Joffe and not the campaign.
Mr. Durham also found that Mr. Joffe had met with one of Mr. Sussmann’s law firm partners, Marc Elias, who was then the Clinton campaign’s general counsel, and researchers from Fusion GPS, an investigative firm Mr. Elias had commissioned to scrutinize Mr. Trump’s purported ties to Russia. Fusion GPS drafted a paper on Alfa Bank’s ties to the Kremlin that Mr. Sussmann also provided to the F.B.I.
In the heat of the presidential race, Democrats quickly sought to capitalize on the research. On Sept. 15, four days before Mr. Sussmann met with the F.B.I. about the findings, Mr. Elias sent an email to the Clinton campaign manager, Robbie Mook, its communications director, Jennifer Palmieri, and its national security adviser, Jake Sullivan, whose subject line referred to an Alfa Bank article, the indictment said.
Six weeks later, after Slate ran a lengthy article about the Alfa Bank suspicions, the Clinton campaign pounced. Mrs. Clinton’s Twitter feed linked to the article and ran an image stating the suspicions as fact, declaring, “It’s time for Trump to answer serious questions about his ties to Russia.”
The F.B.I., which had already started its Trump-Russia investigation before it heard about the possible Trump-Alfa connections, quickly dismissed the suspicions, apparently concluding the interactions were probably caused by marketing emails sent by an outside firm using a domain registered to the Trump Organization. The report by the Russia special counsel, Robert S. Mueller III, ignored the issue.
The data remains a mystery. A 2018 analysis commissioned by the Senate, made public this month, detailed technical reasons to doubt that marketing emails were the cause. A Senate report last year accepted the F.B.I.’s assessment that it was unlikely to have been a covert communications channel, but also said it had no good explanation for “the unusual activity.”
Whatever caused the odd data, at issue in the wake of the indictment is whether Mr. Joffe and the other three computer scientists considered their own theory dubious and yet cynically went forward anyway, as Mr. Durham suggests, or whether they truly believed the data was alarming and put forward their hypothesis in good faith.
Earlier articles on Alfa Bank, including in Slate and The New Yorker, did not name the researchers, and used pseudonyms like “Max” and “Tea Leaves” for two of them. Mr. Durham’s indictment did not name them, either.
But three of their names have appeared among a list of data experts in a lawsuit brought by Alfa Bank, and Trump supporters have speculated online about their identities. The Times has confirmed them, and their lawyers provided statements defending their actions.
The indictment’s “Originator-1” is April Lorenzen, chief data scientist at the information services firm Zetalytics. Her lawyer, Michael J. Connolly, said she has “dedicated her life to the critical work of thwarting dangerous cyberattacks on our country,” adding: “Any suggestion that she engaged in wrongdoing is unequivocally false.”
The indictment’s “Researcher-1” is another computer scientist at Georgia Tech, Manos Antonakakis. “Researcher-2” is Mr. Dagon. And “Tech Executive-1” is Mr. Joffe, who in 2013 received the F.B.I. Director’s Award for helping crack a cybercrime case, and retired this month from Neustar, another information services company.
In addition, the Alfa Bank suspicions were only half of what the researchers sought to bring to the government’s attention, according to several people familiar with the matter.
Their other set of concerns centered on data suggesting that a YotaPhone — a Russian-made smartphone rarely seen in the United States — had been used from networks serving the White House, Trump Tower and Spectrum Health, a Michigan hospital company whose server had also interacted with the Trump server.
Mr. Sussmann relayed their YotaPhone findings to counterintelligence officials at the C.I.A. in February 2017, the people said. It is not clear whether the government ever investigated them.
The involvement of the researchers traces back to the spring of 2016. DARPA, the Pentagon’s research funding agency, wanted to commission data scientists to develop the use of so-called DNS logs, records of when servers have prepared to communicate with other servers over the internet, as a tool for hacking investigations.
DARPA identified Georgia Tech as a potential recipient of funding and encouraged researchers there to develop examples. Mr. Antonakakis and Mr. Dagon reached out to Mr. Joffe to gain access to Neustar’s repository of DNS logs, people familiar with the matter said, and began sifting them.
Separately, when the news broke in June 2016 that Russia had hacked the Democratic National Committee’s servers, Mr. Dagon and Ms. Lorenzen began talking at a conference about whether such data might uncover other election-related hacking.
Ms. Lorenzen eventually noticed an odd pattern: a server called mail1.trump-email.com appeared to be communicating almost exclusively with servers at Alfa Bank and Spectrum Health. She shared her findings with Mr. Dagon, the people said, and they both discussed it with Mr. Joffe.
“Half the time I stop myself and wonder: am I really seeing evidence of espionage on behalf of a presidential candidate?” Mr. Dagon wrote in an email to Mr. Joffe on July 29, after WikiLeaks made public stolen Democratic emails timed to disrupt the party’s convention and Mr. Trump urged Russia to hack Mrs. Clinton.
By early August, the researchers had combined forces and were increasingly focusing on the Alfa Bank data, the people said. Mr. Joffe reached out to his lawyer, Mr. Sussmann, who would take the researchers’ data and hypothesis to the F.B.I. on Sept. 19, 2016.
Defense lawyers contend the indictment presented a skewed portrait of their clients’ thinking by selectively quoting from their emails.
The indictment quotes August emails from Ms. Lorenzen and Mr. Antonakakis worrying that they might not know if someone had faked the DNS data. But people familiar with the matter said the indictment omitted later discussion of reasons to doubt any attempt to spoof the overall pattern could go undetected.
The indictment says Mr. Joffe sent an email on Aug. 21 urging more research about Mr. Trump, which he stated could “give the base of a very useful narrative,” while also expressing a belief that the Trump server at issue was “a red herring” and they should ignore it because it had been used by the mass-marketing company.
The full email provides context: Mr. Trump had claimed he had no dealings in Russia and yet many links appeared to exist, Mr. Joffe noted, citing an article that discussed aspirations to build a Trump Tower in Moscow. Despite the “red herring” line, the same email also showed that Mr. Joffe nevertheless remained suspicious about Alfa Bank, proposing a deeper hunt in the data “for the anomalies that we believe exist.”
He wrote: “If we can show possible email communication between” any Trump server and an Alfa Bank server “that has occurred in the last few weeks, we have the beginning of a narrative,” adding that such communications with any “Russian or Ukrainian financial institutions would give the base of a very useful narrative.”
Mr. Tyrrell, his lawyer, said that research in the weeks that followed, omitted by the indictment, had yielded evidence that the specific subsidiary server in apparent contact with Alfa Bank had not been used to send bulk marketing emails. That further discussion, he said, changed his client’s mind about whether it was a red herring.
“The quotation of the ‘red herring’ email is deeply misleading,” he said, adding: “The research process is iterative and this is exactly how it should work. Their efforts culminated in the well-supported conclusions that were ultimately delivered to the F.B.I.”
The indictment also quoted from emails in mid-September, when the researchers were discussing a paper on their suspicions that Mr. Sussmann would soon take to the F.B.I. It says Mr. Joffe asked if the paper’s hypothesis would strike security experts as a “plausible explanation.”
The paper’s conclusion was somewhat qualified, an email shows, saying “there were other possible explanations,” but the only “plausible” one was that Alfa Bank and the Trump Organization had taken steps “to obfuscate their communications.”
The indictment suggested Ms. Lorenzen’s reaction to the paper was guarded, describing an email from her as “stating, in part, that it was ‘plausible’ in the ‘narrow scope’ defined by” Mr. Joffe. But the text of her email displays enthusiasm.
“In the narrow scope of what you have defined above, I agree wholeheartedly that it is plausible,” she wrote, adding: “If the white paper intends to say that there are communications between at least Alfa and Trump, which are being intentionally hidden by Alfa and Trump I absolutely believe that is the case.”
The indictment cited emails by Mr. Antonakakis in August in which he flagged holes and noted they disliked Mr. Trump, and in September in which he approvingly noted that the paper did not get into a technical issue that specialists would raise.
Mr. Antonakakis’ lawyer, Mark E. Schamel, said his client had provided “feedback on an early draft of data that was cause for additional investigation.” And, he said, their hypothesis “to this day, remains a plausible working theory.”
The indictment also suggests Mr. Dagon’s support for the paper’s hypothesis was qualified, describing his email response as “acknowledging that questions remained, but stating, in substance and in part, that the paper should be shared with government officials.”
The text of that email shows Mr. Dagon was forcefully supportive. He proposed editing the paper to declare as “fact” that it was clear “that there are hidden communications between Trump and Alfa Bank,” and said he believed the findings met the probable cause standard to open a criminal investigation.
“Hopefully the intended audience are officials with subpoena powers, who can investigate the purpose” of the apparent Alfa Bank connection, Mr. Dagon wrote.
In the end, Mr. Durham came to investigate them.