
Trump Organization didn’t discover shadow subdomains with Russian IPs for four years

A series of shadow subdomains, all resolving to Russian IP addresses and associated with malware campaigns, was created after hackers gained access to the Trump Organization's domain registration account, and the subdomains likely went undiscovered until as recently as this week.

The subdomains could be plainly seen in records of the Trump Organization's domains, according to a report in Mother Jones. 

The publication was alerted to roughly 250 shadow subdomains by a security professional who postulated that hackers had accessed the Trump Organization's account.

In a Wednesday blog post on Unhack the Vote, researcher and activist C. Shawn Eib claimed his team ran a traceroute on one of the subdomains, noting that its IP address 91.218.245.201, “along with all the IPs in the route once the traffic enters Russia, belongs to the same service provider used by one of the servers hosting Wikileaks.org.”

The server, Eib said, “was established approximately one week before the Podesta emails were released, and is located in Moscow, with IP location tools showing both the Trump subdomain traffic transiting through and Wikileaks hosted in a building located near the Kremlin.”

Additionally, “there are [AlienVault] OTX records of filenames referencing inappropriate content being on these servers,” Eib wrote. 

Calling it “inexcusable” that the Trump Organization's IT department had not found the shadow subdomains, Eib contended, “Any basic security audit would show the existence of these subdomains, and what servers they're leading to.”

Said Eib, “This is sloppy at best, and potentially criminally negligent at worst, depending on the traffic that is being run through these servers.”
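The audit Eib describes is straightforward to automate: export the zone, compare every hostname against the inventory IT actually created, and check where each record points. The following Python script is an added example written for this page, not code from SC Media, Mother Jones or Unhack the Vote. The zone file, hostnames, inventory and trusted netblocks are all constructed (RFC 5737 and RFC 3849 documentation ranges); the only value taken from the article is the address 91.218.245.201 that Eib traced.

```python
"""Flag shadow subdomains in a DNS zone export.

A record is reported when (a) its hostname is not in the organization's inventory,
(b) an A/AAAA record resolves outside the organization's known netblocks, or
(c) a CNAME delegates to a name outside the zone (a takeover/dangling-record risk).
All data below is constructed for illustration, except 91.218.245.201, which is the
address named in the article.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone export. Hostnames and most addresses are invented.
SAMPLE_ZONE = """\
$ORIGIN example-org.com.
$TTL 3600
@            IN  A      203.0.113.10
www          IN  A      203.0.113.10
www          IN  AAAA   2001:db8:abcd::10
mail         IN  A      203.0.113.25      ; corporate mail
cdn          IN  CNAME  example-org.cdnprovider.net.
svc-update   IN  A      91.218.245.201    ; address reported in the article
dev-portal   IN  A      198.51.100.7
"""

# Hostnames the IT department knows it created (constructed inventory).
KNOWN_HOSTS = {"@", "www", "mail", "cdn"}

# Netblocks the organization owns or has contracted hosting in (constructed).
TRUSTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:abcd::/48"),
]


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    rdata: str
    reason: str


def parse_zone(zone_text):
    """Return (name, rtype, rdata) for A, AAAA and CNAME records in a simple
    BIND-style zone file. Handles $-directives, comments, and optional TTL/class."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        if not line or line.startswith("$"):     # skip blank lines and directives
            continue
        parts = line.split()
        name, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():           # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":     # optional class
            rest = rest[1:]
        if len(rest) < 2:
            continue
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype in ("A", "AAAA", "CNAME"):
            records.append((name, rtype, rdata))
    return records


def _in_zone(target, zone_suffix):
    t = target.rstrip(".").lower()
    z = zone_suffix.rstrip(".").lower()
    return t == z or t.endswith("." + z)


def audit_zone(zone_text, known_hosts, trusted_nets, zone_suffix):
    """Run the three checks over every record and return a list of Findings."""
    findings = []
    for name, rtype, rdata in parse_zone(zone_text):
        if name not in known_hosts:
            findings.append(Finding(name, rtype, rdata, "hostname not in inventory"))
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            # ip_address in ip_network is False (not an error) across IP versions
            if not any(addr in net for net in trusted_nets):
                findings.append(Finding(name, rtype, rdata, "address outside trusted netblocks"))
        elif rtype == "CNAME" and not _in_zone(rdata, zone_suffix):
            findings.append(Finding(name, rtype, rdata, "CNAME delegates to external domain"))
    return findings


def shadow_hosts(findings):
    """Sorted hostnames that appear in the zone but not in the inventory."""
    return sorted({f.name for f in findings if f.reason == "hostname not in inventory"})


if __name__ == "__main__":
    results = audit_zone(SAMPLE_ZONE, KNOWN_HOSTS, TRUSTED_NETS, "example-org.com")
    for f in results:
        print(f"{f.name:<12} {f.rtype:<5} {f.rdata:<32} {f.reason}")
    print("shadow hosts:", shadow_hosts(results))
```

Run against a real zone, the inventory would come from the CMDB or the registrar's change log, and the trusted netblocks from the organization's own allocations and hosting contracts; anything flagged under "address outside trusted netblocks" is then worth the traceroute and ASN lookup Eib performed.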
