B (3:12)

That's right, the gru, or it's technically known as the GU these days, but everyone still seems to call it the gruff deep roots going back many decades. Unlike some of the other Soviet spy services, the kgb, which get renamed and the KGB becomes the FSB domestically in the security service and the SVR becomes the foreign bit of the KGB, which is your classic spy service like CIA or MI6. The GRU are the tough guys of military intelligence. They are doing classic espionage, trying to get military secrets, but they also are engaged in things like sabotage, assassination, active measures in terms of information warfare. Again with this continuity, never disbanded from the days of the Soviet Union and then continuing. And they are the ones who are going to do some of the most aggressive operations against the West. You think about the poisoning of Sergei Skripal in Britain in 2018 with Novichok, a former GRU officer himself, but poisoned by the gru. So they tend to have more military targets, but they are the. I think you're right. Maybe one of the more sinister Russian intelligence services.

A (4:28)

I would say exhibit a in the GRU's sinister ness is the seal of the GRU, which you can see there's a great picture that I've put into the notes here. I don't know if we could, you know, put it up somewhere on the video, but it shows President Putin on a visit to GRU headquarters at a building known as the Aquarium, walking across the seal of the GRU in the bad lobby. And the seal is a sinister looking black bat that is covering most of the globe. And it reminds me, Gordon, of the. The Mitchell and Webb sketch where they're wearing, you know, the death's head skull SS uniforms and wondering like if they're the baddies. You have to wonder what the GRU guys think they're doing in an organization that has an evil looking black bat with its wings covering the entire world.

B (5:22)

Very impressive knowledge of British humor, by the way, to cite Mitchell and Webb. David, I'm very. We'll get into Number Wang next time maybe, if you don't know that. But back to back.

A (5:31)

Well, people who listened to our last series will know that I sampled Monster Munch for the first time whilst I was in London, Gordon. And, and you know, it's gone to the brain. What can I say? Let's go back to the gru. So wild place. You mentioned the the poisoning of Sergei Skripal, the GRU behind kind of the initial invasion of Crimea, parcel bombings across Europe, the poisoning of Alexei Navalny, a campaign to provide money to Taliban linked militants in Afghanistan going after foreign forces, a failed coup attempt in Montenegro in 2016 to try to topple the government of Montenegro, poisoning a Bulgarian arms dealer, among many other insane operations. So I think it's safe to say, Gordon, that the GRU alone might keep our podcast in business for a very long time.

B (6:21)

Plenty of stories there, and one of the things they do is a lot of hacking. This episode is sponsored by hp. Most people are not counterespionage experts, but that won't stop them getting targeted by cybercriminals seeking to extract their secrets.

A (6:42)

HP understands that approximately 4 in 10 UK businesses have reported cyber breaches in the past 12 months alone. That's why HP Business laptops, desktops and workstations bought directly on HP Store are secure, straight out of the box with their endpoint security.

B (6:59)

No more stressing about dodgy emails or unexplained pop ups. HP's independently verified Wolf Pro Security Security works alongside your existing security tools to protect your business users and reputation from malware and evolving cyber threats. With your first click, you don't need

A (7:17)

an alias or a secret hideout to stay safe, just Wolffpro Security working tirelessly to protect your hard work. It's security that's built in, not bolted on.

B (7:26)

Find out more about how HP can protect Your business@hp.com podcast listeners benefit from a 10% discount on all business PCs, printers and accessories using the code TRIC10. Terms and conditions apply.

C (7:45)

This podcast is brought to you by Carvana. Car shopping shouldn't feel like preparing for a marathon of paperwork. That's why Carvana makes buying and financing your car easy from start to finish. Search thousands of vehicles with great prices, all online, all on your time. And when you're ready, your new car shows up right at your door. It doesn't get better than that. Buy your car the easy way on Carvana. Delivery fees may apply. Close your eyes, exhale, feel your body

A (8:18)

relax and let go of whatever you're carrying today.

C (8:23)

Well, I'm letting go of the worry that I wouldn't get my new contacts in time for this class. I got them delivered free from 1-800-contacts. Oh my gosh, they're so fast.

A (8:31)

And breathe.

C (8:32)

Oh, sorry. I almost couldn't breathe when I saw the discount they gave me on my first order. Oh, sorry.

D (8:38)

Namaste Visit 1-800-contacts.com today to save on your first order.

B (8:43)

1-800-contacts. So Russian hacking has got a deep history. I mean, the first case I know of is in the 1980s when the KGB hire some East German teenagers to hack into the early US research Internet. By the 1990s, Russian hackers are running a campaign called Moonlight Maze, which is the first real state backed espionage campaign the US sees against its secrets. All of this is espionage though, and I think it's important that we draw this distinction between different types of behavior, including in cyberspace. Classic espionage is stealing secrets. And that's what a lot of people thought cyber hacking was all about. When it came to state intelligence agencies, they thought it was about hackers often working for the state or employed by the state covertly breaking into maybe military research networks, maybe defence networks, stealing the secrets, doing what spies have always done. But it is also worth saying that there is an element which is going to grow of active measures of influence operations and even of sabotage which is going to be taking place in cyberspace. And the GRU's hackers are at the leading edge of that. We start to see some of the deployment of hacking alongside military operations. 2008, when there's a brief conflict between Russia and Georgia and the US starts to see these hacking groups and US security researchers start giving them names for what are called APTs, Advanced Persistent Threat Groups. Famously, APT28 will become known as Fancy Bear and be linked to the gru. Bears are the terminology for Russian hackers, as opposed to things like Pandas, which are the Chinese and so on. This is CrowdStrike, which is an interesting cybersecurity company, came up with this. It was a great marketing wheeze, very

A (10:45)

successful also potentially, why it's hard to take some of this stuff seriously because you think, oh well, you know, it's just, it's a group called Fancy Bear that is seeking to undermine US democracy, you know, and it's like, yeah, well, how bad?

B (10:59)

It's even worse because the SVR, so the main foreign intelligence services hackers are APT 29 and they're known as Cozy Bear, which sounds even more kind of, you know, like comforting, like I'll just go hug a cozy bear. I mean it's, yeah, I'm not quite sure. And funnily enough, these are western terms for these hackers, but some of them adopt it themselves and they start creating logos using these names. But APT29, Cozy Bear, SVR, they're quieter, they're doing the espionage. But the GRU's hackers are noisier. You start to see them picking up activity around Ukraine. We talked last time a bit about how Ukraine was the test bed for a lot of Russian operations, information operations, but also cyber operations. After the 2014 overthrow of the pro Russian government, Russia starts to try and subvert them. There's a really interesting case in May and June 2014 when word comes out that the GRU has penetrated the Ukrainian electoral commission's network. And it's a really complicated, interesting operation. We won't go into all the details of it, but they're doing things like destroying parts of the files and the systems, and also in late May, trying to fiddle with the results of the election. So if it hadn't been discovered, the software that they'd installed was designed to effectively fake the election result and make out that a nationalist leader had won with 37% of the vote rather than another candidate. Interestingly enough, a Russian TV channel that evening airs a bulletin declaring that the candidate with 37% of the vote had got 37% of the vote, even though the cyber operation had kind of failed, which shows that they were planning to declare on Russian TV the victory, that they'd also used the hackers to try and install or infiltrate into the electoral commission system. So it was a pretty complex operation which didn't really work and was discovered.

A (13:02)

But.

B (13:02)

But to try and mess with those elections in Ukraine in 2014, which should have been a warning sign, shouldn't it, that they were thinking of doing that.

A (13:12)

Yeah, I think listeners should think of Ukraine as a kind of petri dish. Ukraine of 2014 and 2015 is kind of a petri dish for the kinds of things that the Russians will end up doing in the US because the sort of active measures hacking disinformation playbook that ends up being exported to the States is really on display in Ukraine. I mean, you even had, you know, the GRU hacking and essentially tampering with critical infrastructure. Right. I mean, there was famously sabotage conducted and led by the GRU against Ukraine's electricity grid in December of 2015. And actually hundreds of thousands of people lost power for a good part of a day during the frigid winter as a result of a GRU hacking operation. So I think it was understood what. What was happening in Ukraine at the time by the West. But the idea that those tools, those active measures, would be exported onto the states was something that was not. Not grasped at the time. And interestingly, I mean, you start to see little hints of this kind of cyber espionage. Drifting toward active measures in the US in late 2014. There's a group called the Cyber Caliphate that is claiming to be linked to the Islamic State. They actually compromise U.S. central Command, Social media accounts, post things like, American soldiers, we're coming. Watch your back. Signed isis. And it's actually the Russians, you know, and it's all. It's all seen as a little bit strange at the time. I think you actually covered a lot of this in your former life, Gordon, as a BBC journalist.

B (14:55)

Yeah, particularly one of the most interesting campaigns was they infiltrated a French TV channel, TV Saint Monde. And I went to Paris to see the aftermath of this attack and met the head of the TV station. It was, I think, early 2015, when they took over the TV channel, they basically wiped its systems. And it was lucky that some of the engineers could see what was happening and pulled the plug on the systems before they could take down everything. But the potential was they would have destroyed that TV channel. I mean, wiped its systems to the point where they couldn't broadcast anymore. And again, they claimed the hackers, they were linked to this Cyber Caliphate, when again, it was the gru, it was Russian military intelligence. And it was only in hindsight, I think people really understood that they were road testing some of these cyber attack capabilities because this wasn't a particularly big French TV channel and it wasn't a particularly sensitive time. It was a sign that they were exploring Russian hackers, what they could do, how far they could go, how successful they could be, including at shutting down parts of the information space. So we've talked about them trying to interfere with an election in Ukraine, now shutting down a European or a French TV channel. So you can see them just pushing the boundaries in this period. But again, I don't think it was. It was fully appreciated how far they go.

A (16:19)

No. And a lot of the story that we're going to tell focuses on these kind of shadowy hacks. And I think behind the strange names of Fancy Bear, it's important to remember that this is an intelligence operation. There are humans, intelligence officers, working inside the gru, who are employed by the Russian state and who are conducting these hacks for political purposes, and the purposes, of course, of an intelligence service to collect information. Right. So maybe, I think, good to set up a bit of, like, who's actually doing this stuff. And there's some good detail on this again in Michael Isakoff and David Corin's book, Russian Roulette. So GRU has a unit numbered 26165 GRU units. They do have names, but they also have these numerical signals, I guess, that Western intelligence agencies know them by. So unit 26165, during the cold War, it was a unit that specialized in breaking encryption. And by the mid-2000s, it has become, in the kind of digital age, one of the GRU's principal computer network exploitation units. So an offensive cyber unit that hacks computer networks overseas. It's housed in buildings owned by the Ministry of Defense. We talked about this a bit, Gordon, when we did the the series on the North Korean cyber bank robberies, where if you think of a bunch of people eating Pop Tarts in the basement of their mother's house, this is not what we're talking about.

B (17:59)

It's a military unit.

A (18:00)

It's a military unit. And although some of these guys in the pictures that have come out look like they do spend a decent amount of their time eating Pop Tarts in the basement of their mother's home, this unit is a very prestigious place to work. Right. A former chief of the unit winds up becoming deputy chief of the entire GRU. Like this is. This is a centerpiece of the GRU's capabilities. The commander of unit 26165 is a guy named Victor Natishk. How would you pronounce this name?

B (18:30)

Gordon?

A (18:31)

Natiksho. Natiksho.

B (18:33)

Natick Show.

A (18:34)

So, Mr. Natick Show. He's a software engineer trained as a mathematician. He's published several articles on probabilistic functions and neural networks. Gordon.

B (18:45)

Wow.

A (18:45)

And he has two junior officers working for him who are going to be very important to the hack and leak operation underneath this active measure. One of them is named Alexei Lukashev. He's 25 years old, he's blond, he's thin, he's got close set brown eyes. And for about three years, Gordon, he's been working under the COVID of a Persona that he uses for American and Russian social media accounts of Den Kattenberg. And apparently, according to the issacharfid Court account, the picture that Lukashev chose showed a much more muscular young Russian man of his own age. So he made himself look.

B (19:25)

It's a dating profile.

A (19:26)

Yeah, in his Persona. So what Lukashev is quite good at is crafting email bait that looks like Google security warnings, but in reality are ways to trick victims into revealing their passwords. So a helpful skill if you're a hacker. The second noteworthy guy is Ivan Yov. He's got bangs. Gordon, if you're, if you're curious about his hairstyle.

B (19:52)

What are dark bangs?

A (19:54)

What are bangs yeah.

B (19:55)

Should I know what they are? I'm looking around.

A (19:57)

You don't know what bangs are? Bangs are like. Yeah. Hair that comes down.

B (20:02)

Okay.

A (20:02)

Hangs kind of down here. Off on your forehead. That's what a bang is. Okay. That's, you know. Gordon, come on. Remember? So when we did the Bulgarian Minions episodes, remember I did all that research on lashes and stuff like that because one of them was a beautician. Yeah.

B (20:17)

So I should have done some research for this.

A (20:18)

Sorry, get with the program there.

B (20:19)

I was researching cyber capabilities. I should have been researching haircuts. But anyway, back to Ivan with his dark bangs.

A (20:27)

Back to Yermakov. Yermakov, for some reason, prefers female pseudonyms. One of them is called Kate S. Milton, which he has on a Twitter profile and a blog. There's a picture that accompanies that, which is of a Canadian actress. And what Kate, quote, unquote, likes to do is privately approach security researchers. And he apparently also claims to work for the. The security firm Kaspersky, although that's not true. Now, the unit they work for, 26165, it is. It's pretty big unit, and I think. I think it's fair to say, Gordon, willing to take a certain amount of risk in its operations. It has a vast number of people and organizations and countries that it has targeted, and it has been, I think, turning its focus more and more on the United States and in particular, on political targets. Because in 2016, of course, it is a presidential election year in the United states, and unit 26165 of the GRU is going to get itself quite purposely embroiled in what is going to become one of the most brutal and toxic elections in US History. So maybe there, Gordon, we take a break and we come back. We will see how the GRU begins to meddle in this election.

E (21:52)

This episode is brought to you by Nordstrom. Ready to refresh your wardrobe? Nordstrom has all the latest styles for spring, from elevated dresses and denim to standout tops and accessories. Discover the trends and essentials you'll reach for again and again. We've got brands you love, like Waif, Princess Polly, Mango, Adidas, and Favorite Daughter. Plus free shipping, free returns, and quick order pickup. Make updating your closet effortless. Shop in stores@nordstrom.com or download our app.

F (22:22)

This episode is brought to you by White Claw Surge. Nice choice hitting up this podcast. No surprises. You're all about diving into tastes everyone in the room can enjoy. Just like White Claw Surge, it's for celebrating those moments when connections have been made. And the night's just begun. With bold flavors and 8% alcohol by volume. Unleash the night. Unleash White Claw Surge. Please drink responsibly. Hard seltzer with flavors, 8% alcohol by volume. White Claw Seltzer Works, Chicago, Illinois.

B (22:57)

Well, welcome back. During that break, David, I did try and understand what bangs were. And I've learned that it's basically a fringe, which like Claudia Winkelmann. Do you know Claudia? I think she has a fringe. It's, that's, I think now I know what that means. But anyway, enough about haircuts.

A (23:14)

So fringe is a, is a British word for bangs.

B (23:17)

That's what I'm told. That's what I'm told.

A (23:20)

I'm told.

B (23:21)

But I don't really know that much. I was exclusive. Reaching the limits of could we go back to the US Presidential election rather than my lack of knowledge about hairstyles because I feel like I'm on safer ground there.

A (23:31)

Well, that's true. You are. When I hear fringe, what I think of is someone who's very bald on the top of their head, but then has the stuff on the sides and maybe a little too long. But that's not a fringe.

B (23:42)

No.

A (23:42)

In the United Kingdom. Okay. Well, we've solved at least one mystery on this program. Back to the U.S. election.

B (23:49)

So, David, last time we talked about how much Vladimir Putin really despised Hillary Clinton, who'd been President Obama's secretary of state. He blames Secretary Clinton for triggering or supporting some of those protests against his return to power, 2011, 2012. And by the time we get to 2015, it's looking like she is very likely to be the Democrat nominee for the 2016 presidential election.

A (24:20)

Well, that's right. In, in June of 2015, which is going to be an important month for the other big name in the story, Donald Trump, who announces his candidacy that month. But in, in the summer of 2015, Hillary Clinton is way ahead of Bernie Sanders in the polls. Looking at who's going to represent the Democrats, I mean, she's ahead. I think there's a poll in June of 15 that showed that Clinton was the first choice for nominee of about 75% of the party. Bernie Sanders is way behind at 15%. And polls that same month show Clinton beating the sort of then presumptive Republican nominee, former Florida governor Jeb Bush. Clinton beating him 48% to 40%. So why are we talking about this? The point is, is that any Ford intelligence service, Russia among them, is going to look at these polls, see them digest them in some way. And their base case at this point is going to be that Hillary Clinton is going to be the next president. But that same month of June, another Republican hopeful has announced his bid. And this is, of course, when Trump descends the golden escalator at Trump Tower in New York City. He's not even mentioned in that poll. Now, at this point in the active measure, Trump almost certainly doesn't figure at all. But I think it's, I think it's worth briefly examining how Moscow would have perceived Trump in relation to Clinton, because Trump is of course, going to very quickly gain ground in polling in the summer and fall of 2015 after he announces and really never look back. We're going to talk a little bit about the Trump Russia kind of connection here or how the Russians would perceive Trump. And this is going to be fact based. So you don't have to go nuts here. You don't have to be upset. We're not talking about Trump policy thinking regarding Russia. We're not talking about collusion or anything like that. This is just setting up how the Russians perceive Trump or are likely to perceive Trump as he enters the presidential race. Although we will say, Gordon, we have a special miniseries for club members that we are doing that goes deep into the facts and the chronology of Trump's connections to Russia and the connections between Russia and his campaign and all of the drama around that. We're going deep in a miniseries on that. So if you are interested in exploring that, go and join the declassified club@the restisclassified.com but stepping back, I think just a bit in time to set up. Okay. How would the Russians see Trump? Right. So unlike Hillary Clinton, who has interacted with Putin and Russia as first lady in the 1990s and then as secretary of state from 2008 to 2012 and who Putin loathes, I think it's fair to say, Gordon, Trump has approached Putin by this point and Russia more broadly through a really kind of commercial lens. There's this very interesting statement in 2007, which is when Time magazine selects Mr. Putin as its man of the Year. Trump writes him a letter congratulating him and writing, as you probably heard, I'm a big fan of yours, Trump writes in that letter. Now, Trump had long sought to develop business opportunities in Russia. By the time of his campaign announcement, his most recent venture was an attempt to build a Trump Tower in Moscow. Now, that actually continues through much of the campaign, and it's an effort led by one of one of Trump's lawyers to actually develop a Trump Tower in the Russian capital. But by 2014, you know, Trump is visiting Russia for the Winter Olympics at Sochi. And afterwards, the press note that there's, there's progress on developing a Trump Tower in Moscow. There's actually a letter of intent that gets signed. Don Jr. Trump's son, is put in charge of the project. Ivanka actually goes to his daughter, goes to Moscow to scope out sites. Trump tweets about it saying, trump Tower, Moscow is next. But all of that falls apart amid sanctions on Russia following the seizure of Crimea and the kind of hybrid war that the Russians unleash in Ukraine in 2014. So the deal dies. Now, the Trump Organization blames kind of vaguely quote, unquote, business reasons for the deal collapsing. But it is probably more than that, because a bank key to the deal ends up getting sanctioned and financing dries up. Point is, by the spring of 2016, Trump is narrowly leading the Republican field in the polls. He's won the primaries in South Carolina and Nevada. He is the Republican frontrunner. And any Russian analyst worth their salt, really, any foreign government at all by that point in the spring of 2016 is going to assume the contest will be Clinton versus Trump. We were talking earlier about how the GRU had been going after political targets in the west and in the. In the US in particular. And who do you hit, Gordon, in an election year? Well, it'd be interesting to know what's going on inside the Democratic National Committee and the Republican National Committee. And in fact, the GRU is going after both.

B (29:38)

It's worth saying, though, it's not even just the GRU, because also the SBIR are actually hacking into US political systems. And even as early as 2015, they're going after the DNC. I think the first signs that they are getting into the Democratic systems to spy, though. And it's worth going back to that distinction between spying and active measures, because the SVR hackers, who are known as Cozy Bear, are getting into the DNC systems from 2015 to steal information to do what intelligence agencies normally do, which is find out what's happening, what are their policy papers or position papers, who's up, who's down, who's likely to get jobs in administration. But what's different is while that activity is going on by one bit of Russian intelligence, the GRU are also going to get involved with a very different purpose of getting inside for an influence operation, for an active measure. And it's particularly the dnc, which is the one which is going to be targeted for this idea of hack and leak which we've set up different from the espionage campaign which is already underway at this point.

A (30:45)

And I guess it's also worth saying hat tip here to a number of wonderful books that have been written on, on this hack and on the broader active measure. We've mentioned Russian roulette. There's a wonderful book called Active Measures by Thomas Ridd that also gets at this historical context of active measures going back to Czarus times, Gordon and the KGB years. And then there's also, there's a wonderful book called the Apprentice by Greg Miller, who's a Washington Post Reporter, also the U.S. senate Intel Committee. Gordon has put together a thousand, a thousand page document on everything that happened this year. So there's, there's, there really is a rich amount of information out there on, on this story. Now it's, it's not abnormal for an adversaries to target a political campaign. We talked about some of the KGB attempts to do that during the Cold War in our first episode. But as recently as 2008, the FBI had discovered that Chinese government hackers had infiltrated the campaigns of Barack Obama and John McCain. So again, do you think for an espionage service it would be malpractice to not attempt to get into the files and the documents, you know, in the sort of research of, of a presidential campaign?

B (32:04)

Yeah, it's seen, it's seen as almost normal, as par for the course. And in fact, when some of the first warnings come into the DNC, I think from the FBI in 2015, that someone might be in their systems, the kind of DNC barely reacts to it. They don't even take it seriously. They at first think it might be a kind of fake, a fake call into them and kind of ends up with computer support. The dnc, this issue of espionage against campaigns, A, campaigns didn't take it seriously and B, it was seen as just something that states do. And maybe the kind of secrets or information in a campaign was not necessarily top secret in the traditional way. But we are entering this new era where the GRU is getting more involved. And it is interesting because if you step back this 2015, 2016 era, unit 26165 is getting more involved. We talked about it taking down a French TV channel in 2015, but also they're going to hack German parliament emails that year, take a ton of data, including some material belonging to the German Chancellor Angela Merkel. So you can start to see that in this period the GRU is getting noisier and is looking for interesting, valuable data. Still haven't seen it leaked yet, but they're certainly collecting. And part of that will be collecting against the DNC and against specific individuals associated with the Clinton campaign.

A (33:33)

Yeah, I think the wide net point is important because there were hundreds of officials targeted in the US including many sort of current and past military and diplomatic officials. I mean, there were attempts made on Secretary of State John Kerry, former Secretary of State Colin Powell, Michael McFaul, who'd been an ambassador to Russia. And there were over a hundred Democratic targets. Right. The Clinton campaign's communications director, other longtime Clinton aides and confidants. All of them are getting blasted with these phishing emails. And you figure if you're the gru, why not cast a wide net, Right. The worst someone's going to do is just delete the thing and not interact with it. But you might also get lucky. And so you cast this very wide net. I mean, even they'd even gone after the Clinton foundation and the center for American Progress, which is a, a progressive think tank that was at that point very close to Hillary Clinton. So they are going broadly, but what they're going to land in the spring of 2016 is the GRU will get a very, very big score. They're going to get someone who's very much at the top of the Clinton campaign. And it's maybe good to situate this in Timecord. And so mid March of 2016, GRU unit 26165, which is run by this Natiksho guy, one of his hackers talked about Lukashev, is he's sending out these kind of booby trapped emails, malware embedded emails to 50 different addresses every working day. So this is kind of a volume game to some degree to see where you can get bytes. And most of these just fail. Some of the addresses are obsolete. Again, people don't interact with them. And the Clinton campaign, their kind of default email security settings required more than just a password to get in. So a lot of, a lot of the staff are protected from these things. Now, you mentioned we're in the FBI knowing that something's going on. And there had actually been a meeting at Hillary Clinton's campaign headquarters in Brooklyn back in March. There's Clinton staffers there, including Clinton campaign manager. As you said there, there's weirdly, they're kind of suspicious of the FBI because there happens to be an investigation ongoing into Hillary Clinton's use of a private server for email traffic, which we'll talk,

B (36:03)

we'll come back to that In a moment.

A (36:05)

Yes.

B (36:05)

Yeah.

A (36:06)

And the, the FBI at the time in March is offering these kind of cryptic warnings that the campaign is being targeted by a very sophisticated spear phishing campaign. But again, there's no reference there to by whom and there's no reference to the concurrent investigation into intrusions in the DNC's computers. And so the Clinton campaign has at this point is kind of thinking, you know, to your point earlier, this is kind of what happens to presidential campaigns. You know, you're going to be the target of foreign intelligence services. The Clinton campaign has already kind of heightened its cybersecurity posture and they don't quite know what to make of the FBI warnings. But on 18 March, Lukashev's team inside unit 26165 changes tactics and they decide to go after private email accounts instead of the official campaign email accounts on the theory that those private accounts will be more vulnerable.

B (37:02)

People's Gmail, basically, things like that.

A (37:04)

Yeah, yeah, exactly. And the next day, just before lunch, I'm sure, a hearty lunch in Moscow. I wonder what the GRU canteen is like.

B (37:14)

Dumplings and borscht. Dumplings.

A (37:17)

That's very stereotypical of you, Gordon. Sorry. After a lunch of borscht, Lukashev and his team sends another batch of booby trapped emails to another 70 targets. You get the sense that these guys are like, they've got to be kind of bored, don't they? I mean this sounds, this sounds like when you, when you hear hacker, you think it's going to be cool and you can, you know, eat Pop Tarts all day, but it feels like they've got a quota. Yeah, they send out, you know, 74 emails including they, they go after nine senior Democratic political operatives, again on the personal Gmail accounts. Now one of them is John Podesta, who is the chairman at the time of Hillary Clinton's campaign. The message reads like this and it looks like it's from Google. Someone has your password. Okay, that's where it starts. It says, hi John, someone just used your password to try to sign into your Google account. John.podestamail.com Then it goes to details. It's got, you know, it's Saturday, 19th, March, 8:34. It's got the IP address.

B (38:21)

So it looks credible.

A (38:22)

Yeah, it looks credible.

B (38:24)

It looks like the kind of email you might get.

A (38:26)

Yeah, exactly. Gordon's cutting me off before I can read the entirety of the robotic script. That was well done, Gordon, because I was going to finish reading it. You were, you were your instincts Your instincts were right. But so, but the details are all made up, right? Even though the email looks credible now Podesta's staff have access to his email account. And when they see the security warning, they forward it on to the Clinton campaign's IT help desk. And in a few minutes the IT help desk responds and they say, okay, we got it. And they recommend that Podesta changes his password and that he turns on an advanced security feature. And the IT guy writes, you know, this is a legitimate email. John needs to change his password immediately. But, but, but they misunderstand the email and they click on the booby trapped link that the GRU had sent instead of the safe Google link that had been provided by the IT help desk. So when they click on that, there's a malicious URL that is sitting behind this change password link that they cannot see, but they've clicked on it and that they're in trouble. Now the link takes Podesta's staff to this forged Google login page, which looks exactly like the real Google page. And it's very crafty because it even has John Podesta's actual profile picture right there set against the, this background. It looks right, okay. And his staff, who are thinking that they're following the Clinton campaign's IT help desk's guidelines and interacting with legitimate Google password change his staff, enter the password and they're in. And this is a big problem because two days later, Lukashev, in an office just reeking of borscht and pop tarts, has downloaded more than 50,000 emails. This is five gigs of data. He's taken all this stuff out of Podesta's inbox and the GRU has absolutely struck gold. And now, Gordon, time for a word from our sponsors at NordVPN.

B (40:42)

We should have got them to sponsor this episode. We should have called, got a few cybersecurity firms to sponsor this episode because this is basically telling you what you need to be careful of, which is think before you click.

A (40:57)

Don't. Just don't click on anything, right?

B (41:00)

Don't click on anything. That's not going to help. You have to click on something because otherwise you're not going to do anything online.

A (41:09)

What you should do is click on over to the restisclassified.com and if you join the declassified club, your emails will be, will be hoovered up by, by 261655 goal hanger. Yeah, by gohanger. That's right, that's right. A, a technician that doesn't Smell of borscht, but, but monster munch most like.

B (41:31)

Yeah, so they have. In the office here.

A (41:33)

That's right. Okay, so this is a major problem, but it just, it just keeps going. So the gru, throughout March, they just, they just keep going after, after the Democrats, right? Lukashev's unit, they go after DNC staffers, they're going after the Clinton campaign. They continue sending out the bait emails even as they've. They've hoovered up all this stuff from, from Podesta's email account. Now, on April 6, a few weeks later, the GRU succeeds in tricking an employee of the Democratic Congressional Campaign Committee, the dccc, Gordon. Bam. An organization that supports Democrats in the House of Representatives. Now, the DCCC employee had inadvertently given away her login credentials. So unit 26165 had been able to get inside not just individual email accounts, because keep in mind Podesta's emails, that's his personal email. But now with the DCCC hack, unit 26165 is inside a major political organization. So what do they do? The GRU installs a hacking tool called the X Agent Kit. I don't know if NORDVPN protects you

B (42:47)

from that, but it's a good name.

A (42:49)

X Agent Kit, but it's a good name. And they get that on at least 10 computers at the DCCC. Now, this kit is going to allow them to record and to intercept all of the activity that happens on a particular computer. So essentially, it is taking everything. It's like a keystroke logger. Everything a user types or sees over an entire workday. The X Agent Kit will hoover up. And you, Gordon, you know a thing or two, don't you, about the X Agent Kit?

B (43:18)

No. Well, I was looking into X Agent. I mean, it's a great name for a bit of malware, but it looks like it's created and customized by the GRU itself. So they've developed this bit of kit to move from. From machines and through a network, activate the microphones, record the audio, collect the text messages, also geo locate people when it gets onto people's phones, for instance, of where they are. And you first see it again in Ukraine around 2015, where it's being used to geolocate people. So again, it's. The Ukraine is a test bed for the gru, developing some of its more advanced cyber capabilities, which now they're deploying 2016 against the US more.

A (43:58)

Well, it, it had been customized also, Gordon, to communicate with a relatively inconspicuous server out in Arizona. That had been. Had been leased by GRU unit 26165. And that machine in Arizona was running a control panel that would allow the GRU officers to kind of manipulate the X Agent Kit and their implants, essentially on the network in Washington. Right. So in the case of one particular DCCC staffer, the GRU was. I mean, was quite literally, I guess not literally, Gordon, but digitally able to watch over her shoulder as she's handling personal banking information and things like that from inside her office at the dccc. Now, what's valuable to the Russians inside the DCCC stuff? Well, the DCCC has a bunch of opposition research on Republican candidates, right? So what you see is the Russians are going after oppo research on Ted Cruz and on Donald Trump. And after a week of trying to make sense of this information, on April 18th, the GRU gets lucky because they intercept the login and password credentials of another DCCC employee who was authorized to log into the network of the Democratic National Committee. So the GRU can now pivot from the DCCC network, which I think is ultimately less interesting to them, over to the national DNC.

B (45:33)

Amusingly enough, the SVR's team are already in the DNC and have been in there. I just Love this. The SVR's quiet, cozy bear hackers have been secretly inside the DNC's networks for a few months, exfiltrating data. And you could imagine them suddenly realizing, oh, here come those loud guys from the gru. Their hackers are now in as well because they're competing. They're not even talking to each other. And it's the loud hackers of the GRU who are really going to draw attention to what's going on, because they've now got access, the GRU to the dccc, the dnc, and individuals from the Clinton campaign. So they've got this amazing coverage across the democratic side in 2016.

A (46:15)

And what I also think is great is that not only did the SVR already already have access inside the dnc, but later on it'll leak out that the SVR guys thought that the GRU guys did a really crappy job with, with the hack. And as we'll see in the next episode, the sort of cozy bear guys over at SVR do have a point, because the guys who are working at the organization that have the bat logo covering the entire world are surprised, a little bit clumsy with how they pull this thing off and willing to break a whole bunch of stuff and do it in kind of a roughshod way.

B (46:53)

Yeah, is it clumsy or they just don't care? I mean, that's what's interesting about the gru. If you look at GRU operations, things like the Salisbury poisoning with Novichok, they're aggressive, they're loud, they're noisy, and sometimes it feels like they don't care. So it is the difference, I think, between the way the GRU and the SVR operates. But yeah, now they are both in the network and it's the GRU which is going to do something extraordinary, isn't it? Because it's in the network. But it's not just going to take the information, it's going to steal it and publish it. It's not just going to hack, it's going to leak.

A (47:26)

That sounds like a cliffhanger to me, Gordon. I think we should end the episode there and next time we come back, we we'll see how that leak absolutely shakes the election up. But Gordon, you don't have to wait, listeners.

B (47:40)

No, you don't.

A (47:41)

If you want to listen to this entire series right now, plus that really fascinating exclusive miniseries we're doing on the Trump Russia connection, just go and join the declassified club@therestisclassified.com. we'll see you next time.

D (48:03)

My dad taught me a lot, including how easy it is to forget to cancel things. So I downloaded Experian, my bff. Big Financial Friend. Experian could help me cancel my unused subscriptions and lower my bills, saving me hundreds a year. Get started with the Experian app today. Your big financial friends here to help you save smarter. Results will vary. Not all bills or subscriptions eligible. Savings not guaranteed $631 a year average savings with one plus net negotiations and OnePlus cancellations paid membership with connected payment account required. See experian.com for details.

B (48:31)

Experian do you want to know what really happens inside MI5?

A (48:37)

Or what we chat about when the cameras aren't rolling?

B (48:40)

If you love the show and you want to come behind the scenes with us, who better to join than our producer, Becky? From now on, she'll be writing a free newsletter every week, taking you behind the mic. The rest is happening.

A (48:53)

Make sure to subscribe via the link in the episode description to be the first to read the latest classified insider or head to therestisclassified.com to find out more.