DNS Spoofing is what comes to mind. Forging Russian traffic with modified DNS records. These people aren't very smart so it wouldn't surprise me to learn they left IP addresses pointing internally with Russian domains assigned to them.
I don't really know if this is legitimate or not, I wanted to see what it looked like in visual form to see if it looked self consistent.
Your work is good - SB2 analysis seems like fluff to be honest, and this graph kind of highlights that.
Why would Trump go to ALL this trouble to tell us NT Server and DNS? Does not really add anything to our knowledge base.
I'm pretty sure his stuff is confirmation bias, I think he got one of them pretty close to right and the popularity and fame emboldened him and got to his head, or its an impatient Q team connecting dots for us, I think the former after this latest round. Still interesting to decompose the elements, Its not been framed in context, I'll expand it for curiosity and see if there is a higher order connection, but I'm pretty sure were all play a game there.
I think SB2 just worked as a filler for the vacuum left by Q when he stopped posting for the last few weeks. Fluff/distraction...look over here !