The Rest Is Classified - 131. How Russia Made Trump: Stealing Washington’s Secrets (Ep 2)
Episode Date: February 25, 2026
Donald Trump is gaining ground in the 2016 presidential race, but what does his rise mean for Russian hackers desperate to take down Hillary Clinton? In the second episode of our series on Russian interference in the 2016 US presidential election, David and Gordon delve inside the Russian active measures campaign to hack the campaigns of the Democratic and Republican candidates.
Video Editor: Joe Pettit; Social Producer: Emma Jackson; Assistant Producer: Alfie Rowe; Producer: Becki Hills; Head of History: Dom Johnson; Exec Producer: Tony Pastor
Transcript
Donald Trump is gaining ground in the 2016 presidential race.
But what does his rise mean for Russian hackers desperate to take down Hillary Clinton?
Well, welcome to The Rest Is Classified.
I'm Gordon Corera.
And I'm David McCloskey.
And this is the second part of our series looking at Russia interfering in the US 2016 election.
Last time, David, we looked at this concept of the active measure, something which goes back
to KGB days.
Or before, before I remember you edited, you edited out my deep historical context, Gordon.
Let's just say it goes back a long way.
We're 20 seconds into the episode.
I'm already angry again about your vicious editing.
It's about the active measure.
Back to the story is the desire to influence, to undermine, often using information as a weapon.
And last time we looked at how under Vladimir Putin, he, the Russian leader, came to view the West as weaponizing information against him, and he's determined to use his own methods to fight back.
And one of these methods, David, will be something which is known as hack and leak.
Well, that's right, Gordon.
You know, last time we looked at how often very real documents and fake material can be kind of swizzled together and then pushed at journalists who were always, Gordon, of course, as you know, just keen to report whatever comes into their hands.
Subject to manipulation by malicious spies, you mean.
That's right.
But you seed that information.
You take real things and you take some fake stuff and you mix it together and then you seed it to an unsuspecting or
sort of gullible journalist as the KGB did throughout the Cold War. And we talked about Operation
Denver, where the KGB promulgated the falsehood that the CIA was behind the creation of the AIDS
virus. And it took years after that story had been planted to really get out and spread. And
we're going to see that as we approach 2016, some of these old methods of stealing information
and then leaking it out.
Well, they're still here, but it's going to be a lot easier to get it out.
It's going to be a lot quicker to get the message out thanks to the Internet.
And this is going to be called a hack and leak.
The hack is, of course, how you get this stuff,
and then the leak is how you disseminate it.
And this piece of the active measure in 2016 is going to be led by the GRU,
the main directorate of the general staff of the armed forces of the Russian Federation,
Gordon, also known as Russian military intelligence. And, you know, I would say one of the more
insane spy organizations operating today in the world. That's right. The GRU, or it's
technically known as the GU these days, but everyone still seems to call it the GRU.
Deep roots, going back many decades, unlike some of the other Soviet spy services, the KGB,
which get renamed and the KGB becomes the FSB domestically, the
Security Service, and the SVR becomes the foreign bit of the KGB, which is your classic spy service like CIA or MI6.
The GRU are the tough guys of military intelligence.
They are doing classic espionage, trying to get military secrets, but they also are engaged in things like sabotage, assassination, active measures in terms of information warfare.
again with this continuity, never disbanded from the days of the Soviet Union and then continuing.
And they are the ones who are going to do some of the most aggressive operations against the West.
You think about the poisoning of Sergei Skripal in Britain in 2018 with Novichok,
a former GRU officer himself, but poisoned by the GRU.
So they tend to have more military targets, but they are the, I think you're right,
maybe one of the more sinister Russian intelligence services.
I would say Exhibit A in the GRU's sinisterness is the seal of the GRU, which you can see.
There's a great picture that I've put into the notes here.
I don't know if we could put it up somewhere on the video, but it shows President Putin on a visit to GRU headquarters at a building known as the aquarium,
walking across the seal of the GRU in the Bade Lobby,
and the seal is a sinister-looking black bat
that is covering most of the globe.
And it reminds me, Gordon, of the Mitchell and Webb sketch
where they're wearing the Death's-Head skull SS uniforms
and wondering, like, if they're the baddies.
You have to wonder what the GRU guys think they're doing
at an organization that has an evil-looking black bat
with its wings covering the entire world.
Very impressive knowledge of British humour, by the way, to cite Mitchell and Webb, David.
I'm very, we'll get into Numberwang next time, maybe, if you don't know that.
But back to the bat.
Well, people who listened to our last series will know that I sampled Monster Munch for the first time.
Whilst I was in London, Gordon, and, you know, it's gone to the brain.
What can I say?
Let's go back to the GRU.
So, wild place. You mentioned the poisoning of Sergei Skripal, the GRU behind kind of
the initial invasion of Crimea,
parcel bombings across Europe,
the poisoning of Alexei Navalny,
a campaign to provide money
to Taliban-linked militants in Afghanistan
going after foreign forces,
a failed coup attempt in Montenegro
in 2016,
trying to topple the government of Montenegro,
poisoning a Bulgarian arms dealer,
among many other insane operations.
So I think it's safe to say, Gordon,
that the GRU alone might keep our podcast
in business for a very long time.
Plenty of stories there, and one of the things they do is a lot of hacking.
So Russian hacking has got a deep history.
I mean, the first case I know of is in the 1980s
when the KGB hire some East German teenagers to hack into the early US research internet.
By the 1990s, Russian hackers are running a campaign called Moonlight Maze,
which is the first real state-backed espionage campaign, the US sees against its secrets.
All of this is espionage, though.
And I think it's important that we draw this distinction between different types of behavior,
including in cyberspace.
Classic espionage is stealing
secrets. And that's what a lot of people thought cyber hacking was all about when it came to
state intelligence agencies. They thought it was about hackers, often working for the state or
employed by the state, covertly breaking into maybe military research networks, maybe defense
networks, stealing the secrets, doing what spies have always done. But it is also worth saying
that there is an element which is going to grow of active measures, of influence operations,
and even of sabotage, which is going to be taking place in cyberspace.
And the GRU's hackers are at the leading edge of that.
We start to see some of the deployment of hacking alongside military operations,
2008 when there's a brief conflict between Russia and Georgia,
and the US starts to see these hacking groups
and US security researchers start giving them names
for what are called APTs, advanced persistent threat
groups. Famously, APT-28 will become known as Fancy Bear and be linked to the GRU.
Bears are the terminology for Russian hackers as opposed to things like pandas, which are the
Chinese and so on.
This is CrowdStrike, which an interesting cybersecurity company came up with this.
It was a great marketing we.
It's very successful.
Also, potentially why it's hard to take some of this stuff seriously, because you think,
oh, well, you know, it's just, it's a group called Fancy Bear that is
seeking to undermine U.S. democracy, you know, and it's like, yeah, well, how bad could it be?
It's even worse. Because the SVR, so the main foreign intelligence service's hackers are APT-29,
and they're known as Cozy Bear, which sounds even more kind of, you know, like comforting,
like I'll just go hug a Cozy Bear. I mean, it's, yeah, I'm not quite sure.
And funnily enough, these are Western terms for these hackers, but some of them adopt it
themselves that they start creating logos using these names. But APT-29, Cozy Bear, SVR,
They're quiet and they're doing the espionage, but the GRU's hackers are noisier.
You start to see them picking up activity around Ukraine.
We talked last time a bit about how Ukraine was the testbed for a lot of Russian operations,
information operations but also cyber operations after the 2014 overthrow of the pro-Russian government.
Russia starts to try and subvert them.
There's a really interesting case in May and June 2014 when
word comes out that the GRU has penetrated the Ukrainian electoral commission's network.
And it's a really complicated, interesting operation.
We won't go to all the details of it.
But they're doing things like destroying parts of the files and the systems
and also in late May trying to fiddle with the results of the election.
So if it hadn't been discovered, the software that they'd installed was designed to affect,
fake the election result and make out that a nationalist leader had won with 37% of the vote
rather than another candidate. Interestingly enough, a Russian TV channel that evening airs a bulletin
declaring that the candidate with 37% of the vote had got 37% of the vote, even though
the cyber operation had kind of failed, which shows that they were planning to declare on Russian
TV the victory that they'd also used the hackers to try and install
or infiltrate into the electoral commission system. So it was a pretty complex operation, which didn't
really work and was discovered, but to try and mess with those elections in Ukraine in 2014,
which should have been a warning sign, shouldn't it, that they were thinking of doing that.
Yeah. I think listeners should think of Ukraine as a kind of petri dish. Ukraine of 2014 and 2015
is kind of a petri dish for the kinds of things that the Russians will end up doing
in the U.S. because the sort of active measures hacking disinformation playbook that ends up being
exported to the states is really on display in Ukraine. I mean, you've even had, you know,
the GRU hacking and essentially tampering with critical infrastructure, right? I mean,
there was famously sabotage, conducted and led by the GRU against Ukraine's electricity
grid in December of 2015. And actually hundreds of thousands of people lost power
for a good part of a day during the frigid winter as a result of a GRU hacking operation.
So I think it was understood what was happening in Ukraine at the time by the West.
But the idea that those tools, those active measures would be exported onto the States was something that was not grasped at the time.
And interestingly, I mean, you start to see little hints of this kind of cyber espionage drifting
toward active measures in the U.S. in late 2014, there's a group called the Cyber Caliphate
that is claiming to be linked to the Islamic State. They actually compromise U.S. Central
Command social media accounts, post things like American soldiers, we're coming, watch your back,
signed ISIS, and it's actually the Russians, you know, and it's all seen as a little bit
strange at the time. I think you actually covered a lot of this in your former life, Gordon,
as a BBC journalist.
Yeah, particularly one of the most interesting campaigns was they infiltrated a French TV
channel, TV5Monde, and I went to Paris to see the aftermath of this attack and met the
head of the TV station.
It was, I think, early 2015, when they took over the TV channel, they basically wiped its
systems.
And it was lucky that some of the engineers could see what was happening and pulled the plug on
the systems before they could take down everything.
but the potential was they would have destroyed that TV channel,
I mean, wiped its system to the point where they couldn't broadcast anymore.
And again, they claimed, the hackers, they were linked to this Cyber Caliphate,
when again it was the GRU, it was Russian military intelligence.
And it was only in hindsight, I think people really understood
that they were road testing some of these cyber attack capabilities
because this wasn't a particularly big French TV channel
and it wasn't a particularly sensitive time.
It was a sign that they were exploring Russian hackers what they could do, how far they could go,
how successful they could be, including at shutting down parts of the information space.
So we've talked about them trying to interfere with an election in Ukraine,
now shutting down a European or a French TV channel.
So you can see them just pushing the boundaries in this period.
But again, I don't think it was fully appreciated how far they're going.
No, and a lot of the story that we're going to tell focuses on these kind of shadowy hacks.
And I think behind the strange names of Fancy Bear, it's important to remember that this is an intelligence operation.
There are humans, intelligence officers working inside the GRU who are employed by the Russian state and who are conducting these hacks for
political purposes and the purposes, of course, of an intelligence service to collect information,
right? So maybe I think good to set up a bit of like who's actually doing this stuff. And there's
some good detail on this again in Michael Isikoff and David Corn's book, Russian Roulette. So
GRU has a unit numbered 26165. GRU units, they do have names, but they also have these
numerical signals, I guess, that Western intelligence agencies know them by. So Unit
26165 during the Cold War, it was a unit that specialized in breaking encryption. And by the mid-2000s,
it has become, in the kind of digital age, one of the GRU's principal computer network exploitation
units. So an offensive cyber unit that hacks computer networks overseas. It's housed in
buildings owned by the Ministry of Defense. We talked about this a bit, Gordon, when we did
the series on the North Korean cyber bank robberies where if you think of a bunch of people
eating pop tarts in the basement of their mother's house, this is not what we're talking about.
It's a military unit. It's a military unit. And although some of these guys in the pictures that have
come out look like they do spend a decent amount of their time eating pop tarts in the basement
of their mother's home, this unit is a very prestigious place to work, right? A former chief of the unit
winds up becoming deputy chief of the entire GRU.
This is a centerpiece of the GRU's capabilities.
The commander of Unit 26165 is a guy named Viktor Netyksho.
How would you pronounce this name, Gordon?
Netyksho.
Netyksho.
So, Mr. Netyksho.
He's a software engineer, trained as a mathematician.
He has published several articles on probabilistic functions and neural networks, Gordon.
Wow.
And he has two junior officers working for him who are going to be very important to the hack and leak operation underneath this active measure.
One of them is named Alexei Lukashev.
He's 25 years old.
He's blonde.
He's thin.
He's got close set brown eyes.
And for about three years, Gordon, he's been working under the cover of a persona that he uses for American and Russian social media accounts of Den Katenberg.
And apparently, according to the Isikoff and Corn account, the picture that Lukashev chose
showed a much more muscular young Russian man of his own age.
So he made himself look.
It's a fencing profile.
Yeah.
In his persona.
So what Lukashev is quite good at is crafting email bait that looks like Google security warnings.
But in reality are ways to trick victims into revealing their passwords.
So a helpful skill if you're a hacker.
The second noteworthy guy is Ivan Yermakov.
He's got bangs, Gordon, if you're curious about his hairstyle.
What are dark bangs?
What are bangs?
Yeah.
Should I know what they are?
You don't know what bangs are?
Bangs are like, yeah, hair that comes down.
Okay.
Bangs kind of down here on your forehead.
That's what a bang is.
Okay.
You know, Gordon, come on.
Remember, so when we did the Bulgarian Minions episodes,
remember I did all that research on lashes
and things like that because one of them was a beautician.
I should have done some research for this.
Sorry.
Get with the program.
There I was researching cyber capabilities.
I shouldn't be researching haircuts.
But anyway, back to Ivan with his dark bangs.
Back to Yermakov.
Yermakov, for some reason, prefers female pseudonyms.
One of them is called Kate S. Milton, which he has on a Twitter profile and a blog.
There's a picture that accompanies that, which is of a Canadian actress.
and what Kate, quote unquote, likes to do is privately approach security researchers,
and he apparently also claims to work for the security firm Kaspersky, although that's not true.
Now, the unit they work for, 26165, it is, it's a pretty big unit.
And I think it's fair to say, Gordon, willing to take a certain amount of risk in its operations.
It has a vast number of people and organizations and countries that it has targeted,
and it has been, I think, turning its focus more and more on the United States and in particular on political targets.
Because in 2016, of course, it is a presidential election year in the United States.
and Unit 26165 of the GRU is going to get itself quite purposely embroiled in what is going to become one of the most brutal and toxic elections in U.S. history.
So maybe there, Gordon, we take a break and when we come back, we will see how the GRU begins to meddle in this election.
Well, welcome back. During that break, David, I did try and understand what bangs were,
and I've learned that it's basically a fringe, which like Claudia Winkleman, do you know,
Claudia, I think she has a fringe.
It's, that's, I think, now I know what that means, but anyway, enough about haircuts.
So fringe is a, is a British word for bangs.
That's what I'm told.
That's what I'm told.
I don't really know that much.
I'm reaching the limits of, can we go back to the US presidential election rather than my
lack of knowledge about hairstyles?
Because I feel like I'm on safer ground there.
Well, that's true,
you are. When I hear fringe, what I think of is someone who's very bald on the top of their head,
but then has the stuff on the sides and it's maybe a little too long. But that's not a fringe
in the United Kingdom. Okay. Well, we've solved at least one mystery on this program. Back to
the U.S. election. So, David, last time we talked about how much Vladimir Putin really
despised Hillary Clinton, who'd been President Obama's Secretary of State. He blames
Secretary Clinton for triggering or supporting some of those protests against his return to power, 2011, 2012.
And by the time we get to 2015, it's looking like she is very likely to be the Democrat nominee for the 2016 presidential election.
Well, that's right. In June of 2015, which is going to be an important month for the other big name in the story, Donald Trump, who announces his candidacy that month.
But in the summer of 2015, Hillary Clinton is way ahead of Bernie Sanders in the polls looking at who's going to represent the Democrats.
I mean, she's ahead.
I think there's a poll in June of 15 that showed that Clinton was the first choice for nominee of about 75% of the party.
Bernie Sanders is way behind at 15%.
And polls that same month show Clinton beating the sort of then presumptive Republican nominee, former Florida governor,
Jeb Bush, Clinton beating him 48% to 40%.
So why are we talking about this?
The point is, is that any foreign intelligence service, Russia among them, is going to look
at these polls, see them, digest them in some way.
And their base case at this point is going to be that Hillary Clinton is going to be
the next president.
But that's a month of June.
Another Republican hopeful has announced his bid.
And this is, of course, when Trump descends the golden escalator at Trump Tower in New
York City. He's not even mentioned in that poll. Now, at this point in the active measure,
Trump almost certainly doesn't figure at all. But I think it's worth briefly examining
how Moscow would have perceived Trump in relation to Clinton because Trump is, of course,
going to very quickly gain ground in polling in the summer and fall of 2015 after he announces
and really never look back. We're going to talk a little bit about
the Trump-Russia kind of connection here, or how the Russians would perceive Trump.
And this is going to be fact-based. So you don't have to go nuts here. You don't have to be upset.
We're not talking about Trump policy thinking regarding Russia. We're not talking about collusion or anything like that.
This is just setting up how the Russians perceive Trump or are likely to perceive Trump as he enters the presidential race.
Although we will say, Gordon, we have a special mini-series
for club members that we are doing
that goes deep into the facts
and the chronology of Trump's
connections to Russia and the connections
between Russia and his campaign
and all of the drama around that.
We're going deep in a miniseries on that.
So if you are interested in exploring that,
go and join the Declassified Club
at therestisclassified.com.
But stepping back, I think just a bit in time
to set up, okay, how would the Russians see Trump?
Right. So unlike Hillary Clinton, who has interacted with Putin and Russia as first lady in the 1990s and then as Secretary of State from 2008 to 2012 and who Putin loathes, I think it's fair to say, Gordon, Trump has approached Putin by this point and Russia, more broadly, through a really kind of commercial lens. There's this very interesting statement in 2007, which is when Time magazine selects Mr. Putin as its man of the year. Trump writes him a letter
congratulating him and writing, as you probably heard, I'm a big fan of yours.
Trump writes in that letter. Now, Trump had long sought to develop business opportunities in Russia.
By the time of his campaign announcement, his most recent venture was an attempt to build a Trump Tower in Moscow.
Now, that actually continues through much of the campaign.
And it's an effort led by one of Trump's lawyers to actually develop a Trump tower in the Russian capital.
But by 2014, you know, Trump is visiting Russia for the Winter Olympics at Sochi.
And afterwards, the press note that there's progress on developing a Trump Tower in Moscow.
There's actually a letter of intent that gets signed.
Don Jr., Trump's son is put in charge of the project.
Ivanka actually goes, his daughter, goes to Moscow to cite.
Trump tweets about it saying Trump Tower Moscow is next.
But all of that falls apart amid sanctions on Russia following the seizure of Crimea
and the kind of hybrid war that the Russians unleash in Ukraine in 2014, so the deal dies.
Now, the Trump Organization blames kind of vaguely, quote-unquote, business reasons for the deal collapsing.
But it is probably more than that because a bank key to the deal ends up getting sanctioned and financing dries up.
Point is, by the spring of 2016, Trump is narrowly leading the Republican field in the polls.
He's won the primaries in South Carolina and Nevada.
He is the Republican frontrunner.
And any Russian analyst worth their salt, really any foreign government at all, by that point in the spring of 2016, is going to assume the contest will be Clinton versus Trump.
We were talking earlier about how the GRU had been going after political targets in the West and in the U.S. in particular.
And who do you hit, Gordon, in an election year?
Well, it'd be interesting to know what's going on inside the Democratic National Committee
and the Republican National Committee.
And in fact, the GRU is going after both.
It's worth saying, though, it's not even just the GRU,
because also the SVR are actually hacking into US political systems.
And even as early as 2015, they're going after the DNC,
I think the first signs that they are getting
into the Democratic systems, to spy, though.
And it's worth going back to that distinction between spying and active measures, because
the SVR hackers, who are known as Cozy Bear, are getting into the DNC systems from 2015
to steal information, to do what intelligence agencies normally do, which is find out what's
happening, what are their policy papers or position papers, who's up, who's down, who's
likely to get jobs in administration.
But what's different is, while that activity is going on by one bit of Russian intelligence,
the GRU are also going to get involved with a very different purpose of getting inside for an influence operation, for an active measure.
And it's particularly the DNC, which is the one which is going to be targeted for this idea of hack and leak, which we've set up, different from the espionage campaign, which is already underway at this point.
And I guess it's also worth saying, hat tip here to a number of wonderful
books that have been written on this hack and on the broader active measure. We've mentioned
Russian Roulette. There's a wonderful book called Active Measures by Thomas Rid that also gets
at this historical context of active measures going back to Tsarist times, Gordon, and the KGB
years. And then there's also, there's a wonderful book called The Apprentice by Greg Miller,
who's a Washington Post reporter. Also, the U.S. Senate Intel Committee, Gordon,
has put together a thousand, a thousand page document on everything that happened this year.
So there really is a rich amount of information out there on this story.
Now, it's not abnormal for adversaries to target a political campaign.
We talked about some of the KGB attempts to do that during the Cold War in our first episode.
But as recently as 2008, the FBI had discovered that Chinese government hackers had infiltrated the campaigns of Barack Obama
and John McCain. So again, do you think for an espionage service, it would be malpractice
to not attempt to get into the files and the documents, you know, in the sort of research
of a presidential campaign? Yeah, it's seen as almost normal as par for the course. And in fact,
when some of the first warnings come into the DNC, I think from the FBI in 2015, that someone
might be in their systems, the kind of DNC barely reacts to it. They don't even take it seriously.
At first think it might be a kind of fake call into them and kind of ends up with computer support, the DNC.
This issue of espionage against campaigns, A, campaigns didn't take it seriously and B, it was seen as just something that states do and maybe the kind of secrets or information in a campaign was not necessarily top secret in the traditional way.
But we are entering this new era where the GRU is getting more involved.
And it is interesting because if you step back, this 2015,
2016 era, Unit 26165 is getting more involved. We talked about it taking down a French TV channel
in 2015, but also they're going to hack German parliament emails that year. Take a ton of data,
including some material belonging to the German Chancellor, Angela Merkel. So you can start to
see that in this period, the GRU is getting noisier and is looking for interesting, valuable data.
still haven't seen it leaked yet, but they're certainly collecting, and part of that will be
collecting against the DNC and against specific individuals associated with the Clinton campaign.
Yeah, I think the wide net point is important because there were hundreds of officials targeted
in the U.S., including many sort of current and past military and diplomatic officials.
I mean, there were attempts made on Secretary of State John Kerry, former Secretary of State Colin Powell, Michael McFaul, who'd been an ambassador to Russia.
And there were over 100 Democratic targets, right?
The Clinton campaign's communications director, other longtime Clinton aides and confidants, all of them are getting blasted with these phishing emails.
And you figure, if you're the GRU, why not cast a wide net, right?
The worst someone's going to do is just delete the thing and not interact with it,
but you might also get lucky. And so you cast this very wide. I mean,
they'd even gone after the Clinton Foundation and the Center for American Progress,
which is a progressive think tank that was at that point very close to Hillary Clinton. So
they are going broadly, but what they're going to land in the spring of 2016 is the GRU will get a very,
very big score. They're going to get someone
who is very much at the top of the Clinton campaign. And it's maybe good to situate this
in time, Gordon. So mid-March of 2016, GRU Unit 26165, which is run by this Netyksho guy,
one of his hackers we talked about, Lukashev, he's sending out these kind of booby-trapped emails,
malware-embedded emails, to 50 different addresses every working day. So this is kind of a volume
game to some degree to see where you can get bites.
And most of these just fail.
Some of the addresses are obsolete.
Again, people don't interact with them.
And the Clinton campaign, their kind of default email security settings
required more than just a password to get in.
So a lot of the staff are protected from these things.
Now, you mentioned who were in the FBI knowing that something's going on.
And there'd actually been a meeting at Hillary Clinton's campaign headquarters
in Brooklyn back in March. There's Clinton staffers there,
including Clinton campaign manager. As you said, there's weirdly, they're kind of suspicious of the FBI
because there happens to be an investigation ongoing into Hillary Clinton's use of a private server
for email traffic, which we'll talk about in a moment. Yes. And the FBI at the time in March is
offering these kind of cryptic warnings that the campaign is being targeted by
a very sophisticated spear-phishing campaign. But again, there's no reference there to by whom,
and there's no reference to the concurrent investigation into intrusions in the DNC's computers.
And so the Clinton campaign at this point is kind of thinking, you know, to your point earlier,
this is kind of what happens to presidential campaigns. You know, you're going to be the target
of foreign intelligence services. The Clinton campaign has already kind of heightened its cybersecurity
posture and they don't quite know what to make of the FBI warnings. But on the 18th of March,
Lukashev's team inside Unit 26165 changes tactics and they decide to go after private email accounts
instead of the official campaign email accounts on the theory that those private accounts will be
more vulnerable. People's Gmail, basically, things like that. Yeah, exactly. And the next day,
just before lunch, I'm sure a hearty lunch in Moscow, I wonder what the GRU
canteen is like.
Dumplings and borscht.
Dumplings and borscht.
Yeah.
That's very stereotypical of you, Gordon.
It's shame on you.
After a lunch of borscht,
Lukashev and his team send another batch of booby-trapped emails to another 70 targets.
You get the sense that these guys are like, they've got to be kind of bored, don't they?
I mean, this sounds like when you hear hacker, you think it's going to be cool and you can,
you know, eat pop tarts all day.
But it feels like they've got a quota.
Yeah.
They sent out 70 more emails, including they go after nine senior Democratic political
operatives, again, on the personal Gmail accounts.
Now, one of them is John Podesta, who is the chairman at the time of Hillary Clinton's
campaign.
The message reads like this, and it looks like it's from Google.
Someone has your password.
Okay.
That's where it starts.
It says, hi, John.
Someone just used your password to try to sign in to your
Google account, John.podesta at gmail.com. Then it goes to the details. It's got, you know,
it's Saturday, 19 March, 834. It's got the IP address. So it looks credible. Yeah, it looks
credible. It looks like the kind of email you might get. Yeah, exactly. Gordon's cutting me off
before I can read the entirety of the robotic script. That was well done, Gordon, because I was going to
finish reading it. You were, your instincts were right. But so, but the details are all made up,
right, even though the email looks credible.
Now, Podesta's staff have access to his email account.
And when they see the security warning, they forward it on to the Clinton campaign's IT help desk.
And in a few minutes, the IT help desk responds and they say, okay, we got it.
And they recommend that Podesta changes his password and that he turns on an advanced security feature.
And the IT guy writes, you know, this is a legitimate email.
needs to change his password immediately.
But, but, but they misunderstand the email and they click on the booby-trapped link that the
GRU had sent instead of the safe Google link that had been provided by the IT help desk.
So when they click on that, there's a malicious URL that is sitting behind this change
password link that they cannot see, but they've clicked on it,
and they're in trouble.
Now, the link takes Podesta's staff to this forged Google login page,
which looks exactly like the real Google page.
And it's very crafty because it even has John Podesta's actual profile picture right there
set against this background.
It looks right.
Okay.
And his staff, who are thinking that they're following the Clinton campaign's IT
help desk's guidelines and interacting with a legitimate Google password change,
his staff enter the password.
And they're in.
This is a big problem because two days later,
Lukashev, in an office just reeking of borscht and pop tarts,
has downloaded more than 50,000 emails.
This is five gigs of data.
He's taking all this stuff out of Podesta's inbox.
And the GRU has absolutely struck gold.
And now, Gordon, time for a word from our sponsors at NordVPN.
We should have got them to sponsor this episode.
We should have got a few cybersecurity firms to sponsor this episode because this is basically telling you what you need to be careful of, which is think before you click.
Don't just don't click on anything, right?
Don't click on anything.
That's not going to help.
You have to click on something because otherwise you're not going to do anything online.
What you should do is click on over to therestisclassified.com.
And if you join the Declassified Club, your emails will be, will be hoovered up
by Unit 26165, by Goalhanger.
Yeah, by Goalhanger.
That's right.
That's right.
A technician that doesn't smell of borscht, but Monster Munch, most likely.
Yeah, that's what they have in the office here.
That's right.
Okay.
So this is a major problem, but it just keeps going.
So the GRU throughout March, they just keep going after the Democrats, right?
Lukashev's unit, they go after DNC staffers, they're going after the Clinton campaign,
they continue sending out the bait emails, even as they've hoovered up all this stuff from,
from Podesta's email account.
Now, on April 6th, a few weeks later, the GRU succeeds in tricking an employee of the Democratic
Congressional Campaign Committee.
The D-Triple-C, Gordon, bam, an organization that supports Democrats in the House of Representatives.
Now, the D-Triple-C employee had inadvertently given away her login credentials.
So Unit 26165 had been able to get inside not just individual email accounts, because keep in mind,
Podesta's emails, that's his personal email.
But now with the D-Triple-C hack, Unit 26165 is inside a major political organization.
So what do they do?
The GRU installs a hacking tool called the X-Agent kit.
I don't know if NordVPN protects you from that.
It's a good name, X-Agent, isn't it?
But it's a good name.
And they get that on at least 10 computers at the D-Triple-C.
Now, this kit is going to allow them to record and to intercept all of the activity that happens
on a particular computer.
So essentially it is taking everything.
It's like a keystroke logger, everything the user types or sees over an entire workday, the X-Agent kit will hoover up.
And you, Gordon, you know a thing or two, don't you, about the X-Agent kit.
No, well, I was looking into X-Agent.
I mean, it's a great name for a bit of malware.
But it looks like it's created and customized by the GRU itself.
So they've developed this bit of kit to move from machines and through a network, activate the
microphones, record the audio, collect the text messages. Also, geolocate people when it gets onto
people's phones, for instance, of where they are. And you first see it again in Ukraine around
2015, where it's being used to geolocate people. So again, it's that Ukraine is a test bed for the
GRU developing some of its more advanced cyber capabilities, which now they're deploying
in 2016 against the US more. Well, it had also been customized to communicate with a
relatively inconspicuous server out in Arizona that had been leased by GRU Unit 26165.
And that machine in Arizona was running a control panel that would allow the GRU officers to kind of manipulate the X-Agent kit and their implants essentially on the network in Washington.
So in the case of one particular D-Triple-C staffer, the GRU was, I mean, was quite literally
I guess not literally Gordon, but digitally able to watch over her shoulder as she's handling
personal banking information and things like that from inside her office at the DCCC.
Now, what's valuable to the Russians inside the DCCC stuff?
Well, the DCCC has a bunch of opposition research on Republican candidates, right?
So what you see is the Russians are going after oppo research on Ted Cruz and on Donald Trump.
And after a week of trying to make sense of this information, on April 18th, the GRU gets lucky
because they intercept the login and password credentials of another D-Triple-C employee
who was authorized to log in to the network of the Democratic National Committee.
So the GRU can now pivot from the D-Triple-C network, which I think is ultimately less interesting to them,
over to the national DNC.
Amusingly enough, the SVR's team already in the DNC and have been in there.
I just love this.
The SVR's quiet, Cozy Bear hackers have been secretly inside the DNC's networks for a few months,
exfiltrating data.
And you could imagine them suddenly realizing,
oh, here come those loud guys from the GRU.
Their hackers are now in as well, because they're competing.
They're not even talking to each other.
And it's the loud hackers of the GRU who are really going to draw attention to what's going on.
Because they've now got access, the GRU, to the D-Triple-C, you know, the DNC and individuals from the Clinton campaign.
So they've got this amazing coverage across the Democratic side in 2016.
And what I also think is great is that not only did the SVR already have access inside the DNC,
but later on it'll leak out that the SVR guys thought that the GRU guys
did a really crappy job with the hack.
And as we'll see in the next episode,
the sort of Cozy Bear guys over at SVR do have a point
because the guys who are working at the organization
that have the bat logo covering the entire world
are as it turns out a little bit clumsy
with how they pull this thing off
and willing to break a whole bunch of stuff
and do it in kind of a roughshod way.
Yeah, is it clumsy or they just don't care?
I mean, that's what's interesting about the GRU.
If you look at GRU operations, things like the Salisbury poisoning with Novichok,
they're aggressive, they're loud, they're noisy, and sometimes it feels like they don't care.
So it is the difference, I think, between the way the GRU and the SVR operate.
But yeah, now they are both in the network, and it's the GRU, which is going to do something
extraordinary, isn't it? Because it's in the network, but it's not just going to take the information.
It's going to steal it and publish it. It's not just going to hack, it's going to leak.
That sounds like a cliffhanger to me, Gordon.
I think we should end the episode there.
And next time we come back, we'll see how that leak absolutely shakes the election up.
But Gordon, you don't have to wait.
Listeners, if you want to listen to this entire series right now,
plus that really fascinating exclusive mini-series we're doing on the Trump-Russia connection,
just go and join the Declassified Club at therestisclassified.com.
We'll see you next time.
