So, it’s been a couple of days, and I’m hesitating to post right now as any signal produced will likely be lost in the wash of noise generated by Syria and the natural rhythm of the weekend. But on consideration, it’s probably better to get something up about this sooner rather than later. Syria is a transient, Russia is a trend, and I’ll stick with surfing the trend.

I said “get this up”. So what is “this” anyway? Well I’ve been interested in the Alfa-bank/Trump Server/Spectrum Health story since Franklin Foer first reported it in the waning days of October. It never had the impact it should have, and it seems there is increasing interest of late in the unusual activity recorded in DNS logs recording both Alfa’s and Spectrum’s queries of the Trump mail server. See here and here.

I am a data jockey by trade and there’s never been a time series data set that couldn’t pique my interest somehow, so I thought I’d take a crack at this set, as it’s widely available and as noted above, it’s damn weird.

Specifically what I wanted to see was if there was any clear temporal relationship between the Spectrum pings and the Alfa pings. Clearly there isn’t a 1-1 relationship between the two. The analyses linked above indicate as much. But is there temporal correlation between the two servers? If so, is it simple, or is it causative?

To get at this problem, I began to play around with a tool from quantitative neuroscience called a “peri-stimulus time histogram” (PSTH) which uses a stimulus signal as a trigger to begin collecting the firing times of individual neurons in the brain in response to (or more precisely *in relation to*) that stimulus. It’s a good way to quantify a relationship between stimulus and a downstream effect. So in this analysis I took the Spectrum lookups of the Trump server (henceforth TS) as a trigger, and began to collect Alfa lookups of TS in the interval following the Spectrum lookups. I did this for a long term data set (5 months) as well as a much shorter data set.
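To make the method concrete, here is an added example (my own constructed code, not the post’s analysis or its data) that builds a PSTH from two lists of lookup timestamps, taking one series as the trigger and counting the other in the bins that follow each trigger, then compares the result against a baseline built from shuffled surrogate data. The “Spectrum” and “Alfa” timestamps are constructed with a planted 35-second lag, and the polynomial curve fit the post applies to its baseline is left out; bins are flagged where the observed count exceeds the shuffled mean plus 2 standard deviations.

```python
import random
from bisect import bisect_left, bisect_right

# Constructed sample (not real log data): seconds since an arbitrary epoch.
# Hypothetical "Spectrum" lookups every 600 s, hypothetical "Alfa" lookups that
# follow each one about 35 s later, plus 200 background lookups scattered at random.
_rng = random.Random(1)
SPECTRUM_TS = [600.0 * i for i in range(1, 101)]
ALFA_TS = sorted([t + 35.0 + _rng.gauss(0, 1.5) for t in SPECTRUM_TS]
                 + [_rng.uniform(0, 60_000) for _ in range(200)])

def psth(triggers, responses, window=300.0, bin_width=10.0):
    """Count response events in each bin of [0, window) after every trigger.
    Returns the per-bin totals over all triggers (the PSTH); responses must be sorted."""
    n_bins = int(window // bin_width)
    counts = [0] * n_bins
    for t in triggers:
        lo, hi = bisect_left(responses, t), bisect_right(responses, t + window)
        for r in responses[lo:hi]:
            b = int((r - t) // bin_width)
            if b < n_bins:
                counts[b] += 1
    return counts

def shuffled_baseline(triggers, responses, n_shuffles=200, seed=0, **kw):
    """Null distribution: shuffle the inter-event gaps of the response series
    (same event rate, timing relative to the triggers destroyed) and recompute
    the PSTH many times. Returns per-bin mean and standard deviation."""
    rng = random.Random(seed)
    gaps = [b - a for a, b in zip(responses, responses[1:])]
    runs = []
    for _ in range(n_shuffles):
        rng.shuffle(gaps)
        surrogate, t = [responses[0]], responses[0]
        for g in gaps:
            t += g
            surrogate.append(t)
        runs.append(psth(triggers, surrogate, **kw))
    means, sds = [], []
    for col in zip(*runs):
        m = sum(col) / len(col)
        means.append(m)
        sds.append((sum((x - m) ** 2 for x in col) / len(col)) ** 0.5)
    return means, sds

def significant_bins(triggers, responses, window=300.0, bin_width=10.0):
    """Indices of bins whose observed count lies above the shuffled mean + 2 SD."""
    obs = psth(triggers, responses, window, bin_width)
    mean, sd = shuffled_baseline(triggers, responses, window=window, bin_width=bin_width)
    return [i for i, c in enumerate(obs) if c > mean[i] + 2 * sd[i]]
```

With the planted lag, the 30–40 s bin (index 3) is the one that stands out; on real logs the same check run in both directions (Alfa as trigger, Spectrum as response) is the first thing to compare.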

[Figures: PSTH plots titled “May-June-July DNS Lookups” and “5 Months of DNS Lookups”]

In both cases there is clear evidence that the Spectrum signal and the Alfa signal are related. If there were no relationship at all, you’d expect the bars of the plot to fall around the red lines marking the mean and 2 standard deviation marks on the plot (curvature due to a second order polynomial fit to a shuffled data set, if you care). But they are way outside that.

So it’s possible that the signals are being coordinated, or they could both, for some reason, be querying the TS like clockwork, which would be a strange thing to do given that Spectrum and Alfa have both offered orthogonal explanations that amount to “it’s an unfortunate coincidence”, or “hackers did it”.

Regardless, at the moment I’m more interested in evidence of *causality*. That is to say: is one of these two signals driving the other? That’s a really fraught question in time series analysis. You know, the old saw “correlation is not causation”? It’s good to remember that cliché… it’s a cliché because it’s true. And the PSTH does not really get at that question at all; indeed you can see significant (but clearly non-periodic) activity prior to the onset of the Spectrum trigger signal if you extend the window on the graph (I did not show this for the sake of simplicity, but trust me, it’s there). So it’s really unclear if the Alfabank server is driving the Spectrum server, or vice versa.

But there are ways to get at causation, at least a little bit, from time series data. We can use these approaches to exclude certain relationships as causal and to come a little closer to understanding the flow of events. I’ll go over these techniques in my next post, and maybe, if we’re lucky, get some answers.

But for now, I think it’s safe to say that both the Alfabank server and the Spectrum server have an unusual and very REGULAR interest in the Trump server. A friend suggested that maybe “Somebody at Trump Tower is spamming Alfa bank and Spectrum health with emails that link to the TS (for some reason) at the exact same intervals.. And then somebody is opening them *immediately*, and loading images from the TS at both Alfa Bank and Spectrum?”

That’s possible, I guess. It’s a bit contrived as an explanation, and the coordination between Alfa and Spectrum with respect to opening the emails seems hugely unlikely. But either way, it isn’t the explanation these companies have advanced.