Russia's Alfa Bank says cyberattacks falsely tie it to Trump

Register now

(Bloomberg) -- Alfa Bank said it was a victim of hackers intent on giving a false impression that the Russian lender has communicated with the Trump Organization, and it’s asking U.S. law enforcement authorities for help.

The bank said Friday that it was hit by three attempted domain name server (DNS) attacks since mid-February. Unidentified individuals made DNS requests to a Trump Organization server disguised to look as if they came from Alfa Bank, prompting responses from the Trump server back to the lender, the bank said in a statement. The DNS attacks came from individuals using U.S. servers, including some hosted by Google and Amazon, the bank said.

Alfa Bank said it had offered U.S. law enforcement agencies its full cooperation to track down the people behind the suspected cyberattacks. It has separately hired a U.S. cyber forensics firm, Stroz Friedberg, to investigate the attacks.

“The cyberattacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ‘Trump servers,’ ” an Alfa Bank representative said in a statement. “We have gone to the U.S. Justice Department and offered our complete cooperation to get to the bottom of this sham and fraud.”

New Questions

Alfa Bank is going public as new questions have emerged about possible electronic communications between a server at the bank and one identified with the Trump Organization during the 2016 presidential campaign.

CNN reported last week that the Federal Bureau of Investigation’s counterintelligence unit continued to investigate that odd traffic pattern, which researchers suggested could be a private communication channel. Alfa Bank has denied that any such channel existed. The FBI didn’t respond to requests for comment.

It’s the first time that Alfa Bank has suggested that it’s been the target of a hoax. Computer specialists say it may be hard to determine whether the earlier traffic was part of a hoax unless the most recent attacker is identified.

According to the bank, an unidentified individual or group sent DNS queries from U.S. servers on Feb. 18, making it appear they came from MOSCow.ALFAintRa.nET. The mix of uppercase and lowercase letters indicates human intervention, it said. Two more attacks occurred on March 11 and 13.

U.S. media outlets including CNN asked the bank about its possible links to the Trump Organization a few days after the Feb. 18 attacks, Alfa Bank said.

Common Tactic

Falsifying communications is common in Russia’s corporate wars, said Ilya Sachkov, chief executive officer of Group-IB, Russia’s leading cyber-forensics firm. One company hires hackers to “emulate” communication between two companies before presenting the falsified evidence to a court, he said. Such emulations are easy to uncover but serve their purpose, he said.

Alfa Bank founders Mikhail Friedman and Petr Aven have denied any contact with President Donald Trump or his organizations. Last year, the bank hired Mandiant, the cyber-forensics division of FireEye Inc., to investigate its computer systems about potential contact between a Trump-affiliated server and the bank’s servers. In November, Mandiant said it had examined a list of dates, times, Internet Protocol addresses and domain names tied to the servers.

Stroz Friedberg confirmed that it was hired by Alfa Bank to investigate the matter. Mandiant didn’t immediately respond to requests for comment.

“The list presented does not contain enough information to show there has been any actual activity opposed to simple DNS look-ups, which can come from a variety of sources, including anti-spam and other security software,” Mandiant said at the time.

--With assistance from Stepan Kravchenko

For reprint and licensing requests for this article, click here.