At least 195 websites belonging to U.S. President Donald Trump, his family, or businesses he is involved with were victims of DNS hijacking in 2013, with the last of them repaired only last week, the Associated Press (AP) reported Saturday.
The Trump Organization denied that the domain names were compromised, AP reports, but domain records reviewed by AP and cybersecurity experts reportedly showed visitors being redirected to servers in St. Petersburg, Russia, that hosted malware. The affected domains were repaired within days of AP contacting the Trump Organization about the hacks.
The connection to Russia raises the spectre of alleged Russian hacking activities during the U.S. Presidential campaign.
The affected domain names, which were attacked in two waves in August and September 2013, include donaldtrump.org, donaldtrumpexecutiveoffice.com, donaldtrumprealty.com and barrontrump.com. The Trump Organization and its affiliates own at least 3,300 domain names, many of which are not in use, including some of those hacked.
At least 250 “shadow” subdomains were created by the hackers, Mother Jones reports. The IP addresses those subdomains resolved to were also associated with one or more domains previously used to deploy an exploit kit. The servers were hosted by the Petersburg Internet Network, which has drawn criticism for hosting malicious actors.
“If Cogent started blocking routes from the Petersburg Internet Network Ltd. (AS44050) until they clean up their act, it might save everyone a lot of hassles,” a Dyn blog suggested in 2015.
Mother Jones reports it was informed of the subdomains by “a computer security expert” in mid-October.
Security experts told AP that the hackers altered domain registration records held at GoDaddy. GoDaddy spokesman Nick Fuller said the company was not breached in 2013 and had systems in place to detect malicious activity. The two statements are not necessarily in conflict: a domain's DNS records can be changed through the customer's own registrar account, for instance by someone holding the account's credentials, without the registrar's systems being compromised.
Cybersecurity experts told AP there is a small chance the attack was a probe to test the organization's defences or to prepare for later information gathering, but said there was no evidence that the hackers accessed Trump Organization servers.
The fact that the publicly visible shadow subdomains persisted for years after the 2013 attacks indicates that the Trump Organization's cybersecurity was inadequate, according to many cybersecurity experts: anyone monitoring the organization's DNS records should have noticed them. There is, however, no evidence of what the subdomains were for, or whether they were used at all.
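The kind of routine check that would have caught records like these is straightforward. The following Python script is an added example, not code from the AP or Mother Jones reporting or from any of the organizations mentioned: it parses a zone export, flags every A record whose name the organization never provisioned or whose address falls outside the netblocks it actually uses, and reports addresses shared by several suspicious names (one attacker server behind many shadow subdomains). The domain names, the "known" name list, the netblocks (RFC 5737 documentation ranges) and the flagged-hoster label are all constructed for the example.

```python
"""Flag DNS records an organisation did not provision.

Added example; zone data, netblocks and names below are constructed
(RFC 5737 documentation ranges, hypothetical example.org hostnames).
"""
import ipaddress
from collections import Counter

# Constructed: the address ranges the organisation actually hosts on.
EXPECTED_NETBLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed: a range a threat-intel feed has flagged (hypothetical hoster).
FLAGGED_NETBLOCKS = {
    ipaddress.ip_network("203.0.113.0/24"): "hypothetical-flagged-hoster",
}

# Constructed: the hostnames the organisation knows it created.
KNOWN_NAMES = {"www.example.org", "mail.example.org", "shop.example.org"}

# Constructed zone export in BIND-style "name ttl class type rdata" lines.
ZONE_EXPORT = """\
www.example.org.        3600 IN A  192.0.2.10
mail.example.org.       3600 IN A  192.0.2.25
shop.example.org.       3600 IN A  198.51.100.7
example.org.            3600 IN MX 10 mail.example.org.
; the records below were not created by the organisation
legacy.example.org.     3600 IN A  192.0.2.30
ml7tzz.example.org.      300 IN A  203.0.113.41
ads-cdn.example.org.     300 IN A  203.0.113.42
update2.example.org.     300 IN A  203.0.113.41
"""


def parse_zone(text):
    """Yield (name, ttl, address) for each A record; skip comments and other types."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[2] != "IN" or parts[3] != "A":
            continue
        name = parts[0].rstrip(".")
        yield name, int(parts[1]), ipaddress.ip_address(parts[4])


def classify(addr):
    """Return ("expected"|"flagged"|"unexpected", label) for an address."""
    addr = ipaddress.ip_address(addr)
    if any(addr in net for net in EXPECTED_NETBLOCKS):
        return "expected", None
    for net, label in FLAGGED_NETBLOCKS.items():
        if addr in net:
            return "flagged", label
    return "unexpected", None


def find_shadow_records(text, known_names=KNOWN_NAMES):
    """Return A records whose name or target the organisation did not provision."""
    findings = []
    for name, ttl, addr in parse_zone(text):
        status, label = classify(addr)
        if name not in known_names or status != "expected":
            findings.append({"name": name, "address": str(addr), "ttl": ttl,
                             "status": status, "note": label})
    return findings


def shared_targets(findings):
    """Addresses reused by more than one suspicious record."""
    counts = Counter(f["address"] for f in findings)
    return {addr: n for addr, n in counts.items() if n > 1}


if __name__ == "__main__":
    hits = find_shadow_records(ZONE_EXPORT)
    for h in hits:
        print(f"{h['name']:<24} {h['address']:<16} ttl={h['ttl']:<5} {h['status']}"
              + (f" ({h['note']})" if h["note"] else ""))
    for addr, n in shared_targets(hits).items():
        print(f"{addr} is the target of {n} suspicious records")
```

Run against a real zone, the same logic would be fed the registrar's zone export or the output of a zone transfer the organization is authorized to perform, with the known-name list taken from its own inventory; the low TTLs and the shared target address are the details a practitioner would look at first.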
Steve Lord of Raw Hex told Mother Jones: “Either they set up their own domain records to point at servers hosted in St. Petersburg, Russia…or someone else did. In either case, the question is why.”