The Rest Is Classified – Episode 131: How Russia Made Trump: Stealing Washington’s Secrets (Ep 2)
Podcast Hosts: David McCloskey (former CIA analyst, spy novelist), Gordon Corera (veteran security correspondent)
Date: February 25, 2026
Episode Focus: The Russian “hack and leak” operations against the United States during the 2016 election, with a deep dive into the tactics, actors, and historical context behind Russia’s interference, especially the role of the GRU.
Episode Overview
This episode continues the series exploring Russia's covert interference in the 2016 US presidential election. The hosts dissect how Russian intelligence agencies, particularly the GRU, evolved from traditional espionage to aggressive cyber operations that would ultimately shake American democracy. The conversation blends historical context, firsthand insights, profiles of specific GRU operatives, and the granular details of the infamous "hack and leak" incidents targeting the DNC and Clinton campaign.
Key Discussion Points & Insights
1. Active Measures and the Evolution of Russian Information Warfare
- Historical Roots: McCloskey and Corera open by tracing active measures (disinformation, manipulation) from KGB times through to Putin’s Russia ([01:06]).
- "Back to the story is the desire to influence, to undermine, often using information as a weapon." — Corera ([01:06])
- The Hack and Leak Model: Combining real and fake materials, then disseminating them to the press. Faster, more global impact thanks to the internet ([01:51]).
2. The GRU: Russia’s Military Intelligence Powerhouse
- The GRU (also called GU) has a legacy of aggressive, sometimes reckless, operations, including espionage, sabotage, and assassinations ([03:12]).
- "...one of the more insane spy organizations operating today in the world." — McCloskey ([02:55])
- Operations cited: Skripal poisoning (UK), Crimea invasion, attempted coup in Montenegro, poisoning Navalny, parcel bombings, funding Taliban-linked militants, attacks on Ukrainian infrastructure ([05:31]).
- Iconography and Internal Culture: The GRU’s black bat insignia and its “baddie” image discussed with British humor.
- "You have to wonder what the GRU guys think they're doing in an organization that has an evil looking black bat with its wings covering the entire world." — McCloskey ([04:28])
3. Rise of Russian Cyber Warfare
- From 1980s KGB to Modern APTs: Early cyber-espionage cases (KGB hiring East German teenagers) through to state-backed campaigns like Moonlight Maze ([08:43]).
- Differentiating classic espionage (stealing secrets) from emerging active measures and sabotage ([09:25]).
- APT Groups Explained:
- APT28/Fancy Bear: GRU hackers; aggressive, noisy, operationally bold.
- APT29/Cozy Bear: SVR hackers; quieter, focused on long-term espionage ([10:45]).
- "The main foreign intelligence services hackers are APT 29 and they're known as Cozy Bear, which sounds even more kind of, you know, like comforting..." — Corera ([10:59])
- GRU's hackers cut their teeth with cyberattacks tied to military operations—Ukraine as a testbed for sabotage and election interference ([13:02]-[13:12]).
4. Ukraine: The Cyber Proving Ground
- GRU meddling with Ukraine’s 2014 elections and sabotaging the power grid in 2015. Western governments understood the threat but failed to anticipate it would be exported to the US ([13:12]-[14:55]).
- Examples of real and pretend hacktivist groups (“Cyber Caliphate”) as Russian cover operations ([13:12]-[14:55]).
- "There is an element which is going to grow of active measures of influence operations and even of sabotage which is going to be taking place in cyberspace. And the GRU's hackers are at the leading edge of that." — Corera ([09:25])
5. Inside the GRU: Unit 26165 and Its Operators
- Unit 26165: The GRU's elite cyber unit, evolved from codebreaking to offensive hacking. Housed in military buildings in Moscow, not casual teenage hackers ([16:19]).
- Personnel:
- Commander: Viktor Netyksho (software engineer, mathematician).
- Key Hackers:
- Alexei Lukashev (adept at phishing, posing online as “Den Katenberg”)
- Ivan Yermakov (prefers female pseudonyms like “Kate S. Milton”, masquerading as a Kaspersky employee) ([18:30]-[20:27]).
- "This unit is a very prestigious place to work. Right. A former chief of the unit winds up becoming deputy chief of the entire GRU." — McCloskey ([18:00])
- The unit’s broad targeting approach: hundreds of US political, military, and diplomatic figures hit by phishing campaigns in 2015-16 ([33:33]).
6. Prelude to the 2016 Election Hacks
- Russian Analysis of US Politics: By early 2016, Russian intelligence analysts assumed Clinton would be the nominee, and briefed on Trump’s less adversarial, business-focused ties to Russia ([23:49]-[29:38]).
- "Trump has approached Putin by this point and Russia more broadly through a really kind of commercial lens." — McCloskey ([25:29])
- Russian intelligence targeted both Democratic and Republican committees; SVR mainly for information (espionage), GRU for aggressive influence operations ([29:38]-[30:45]).
- Not abnormal for foreign services to target US campaigns; Chinese intelligence had targeted Obama and McCain in 2008 ([30:45]).
- The DNC’s initial indifference to FBI warnings reflects how routine cyber-espionage had become, but the GRU’s goals are different: active measures, not just secret-stealing ([32:04]).
7. The DNC and Podesta Hacks: Anatomy of the Breach
- March 2016: Lukashev targets personal Gmail accounts. Phishing succeeds after Clinton campaign IT staff misidentify a spoofed Google account warning as legitimate ([37:02]-[38:26]).
- "The IT guy writes, you know, this is a legitimate email. John needs to change his password immediately. But they misunderstand the email and they click on the booby trapped link that the GRU had sent..." — McCloskey ([38:24])
- GRU exfiltrates over 50,000 emails (5GB) from John Podesta, Clinton’s campaign chairman ([39:45]).
- "And this is a big problem because two days later Lukashev... has downloaded more than 50,000 emails. This is five gigs of data. He's taken all this stuff out of Podesta's inbox and the GRU has absolutely struck gold." — McCloskey ([39:45])
8. From the DCCC to the DNC: Widening the Infiltration
- April 2016: The GRU leverages the initial hacks to penetrate DCCC networks and install “X Agent Kit” (custom GRU malware) ([42:47]-[43:58]).
- Kit allows near-total surveillance, data extraction, geolocation, and activation of microphones.
- "Everything a user types or sees over an entire workday, the X Agent Kit will hoover up." — McCloskey ([42:49])
- DCCC hack enables the GRU to pivot into the DNC through captured credentials ([45:33]).
- Cozy Bear/SVR Already There: Two Russian agencies hacking the same targets, but with different aims and styles. The GRU’s noisy methods contrast with SVR’s quiet exfiltration ([45:33]-[46:15]).
- "The SVR's quiet, Cozy Bear hackers have been secretly inside the DNC's networks for a few months, exfiltrating data. And you could imagine them suddenly realizing, oh, here come those loud guys from the GRU." — Corera ([45:33])
Notable Quotes & Memorable Moments
- "You seed that information, you take real things and you take some fake stuff and you mix it together and then you seed it to an unsuspecting or sort of gullible journalist, as the KGB did throughout the Cold War." — McCloskey ([01:55])
- "Exhibit A in the GRU's sinisterness is the seal of the GRU... a sinister looking black bat that is covering most of the globe..." — McCloskey ([04:28])
- On the GRU's hacking evolution: "We are entering this new era where the GRU is getting more involved." — Corera ([32:04])
- On the Podesta phish: "When they click on that, there's a malicious URL behind this change password link... the Clinton staff, thinking they're following IT guidelines, interact with the malicious link. The GRU has absolutely struck gold." — McCloskey ([39:45])
- "The GRU's hackers are noisier... They are exploring, Russian hackers, what they could do, how far they could go, how successful they could be, including at shutting down parts of the information space." — Corera ([15:10])
- "Is it clumsy or they just don't care? That's what's interesting about GRU. If you look at GRU operations... they're aggressive, loud, noisy, and sometimes don't care." — Corera ([46:53])
Important Timestamps
- 00:38: Introduction to episode focus: Russian interference, hack-and-leak concept defined
- 03:12: GRU’s roots, comparison to other Russian agencies
- 08:43–10:59: Primer on history of Russian cyber operations, explanation of APT groups
- 13:02–14:55: Ukraine as the “petri dish” for Russian cyberwarfare, 2014–2015 operations
- 16:19–21:52: In-depth on GRU Unit 26165 and their key operatives
- 23:49–29:38: Russian analysis of the US election landscape and motives
- 33:33–36:03: Breadth of hack targets—hundreds of US officials
- 37:02–39:45: The spear-phishing attack that led to Podesta’s hack
- 42:47–45:33: The DCCC intrusion, deployment of X Agent Kit, escalation to wider DNC breach
- 45:33–47:26: Two Russian agencies inside DNC, contrast of GRU and SVR methods
- 47:26: Cliffhanger—GRU prepares to leak the stolen material
Conclusion & Teaser for Next Episode
The hosts close on the cliffhanger: having infiltrated the DNC and Clinton’s emails, the GRU is about to do something "extraordinary"—not just steal, but leak information to dramatically influence the election. For a deep dive into how the hack and leak campaign unfolded and its consequences, listeners are urged to tune in next time.
For More
- Full series and bonus miniseries available to “Declassified Club” members at therestisclassified.com.
