According to the FBI and the forensic team at CrowdStrike, the DNC hack began in September 2015. The GRU, working through the APT most commonly referred to as APT29 or CozyDukes, was the first to penetrate DNC servers and exfiltrate information; by early 2016, the FSB, working through APT28 (also known as Sofacy, Sednit, Strontium, Pawn Storm) or “Fancy Bear,” was fully engaged in stealing party secrets. When the unusual activity was detected on the server, the DNC called in a reputable firm in the DC area. CrowdStrike, a cyber threat intelligence firm, observed the activity before disrupting the effort, essentially catching the intruders in the act.
Advanced Persistent Threat or APT
The term identifies malware and tradecraft that require more resources to develop and are typically the sign of a belligerent threat. In cyber security, the groups behind such activity are commonly referred to as “threat actors,” and an APT is one that is more “advanced” in its development, “persistent” regarding its targets and focus, and thus a “threat” that could indicate state actors or a well-funded criminal organization. Advanced scripting likely indicates that team development or institutional memory is available. CrowdStrike found that some of the downloaded scripts were likely customized on the spot to adjust to the server’s detection systems.
When it comes to APTs used by nation states and well-funded criminal organizations, the indicators of compromise, command and control (C2) servers, targets, and what is stolen, together with the actual code, can lead investigators to determine the modus operandi of the group.
In the case of APT28 and APT29, the targets have been government departments or military offices of Russian adversaries, think tanks focused on national security or Russia, and journalists covering Russian activities.
When looking at the hacking of the DNC, the DCCC, John Podesta’s emails, and other cases tied to APT28, the methodology, the targets, the C2 overlaps, the code compilation times, and redundant activities have led investigators in the cyber security community to conclude that the efforts are those of the Russian government via the GRU and FSB. This conclusion was reached without access to the highly specialized tools of the NSA or the HUMINT resources of the CIA and other agencies.
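The overlap reasoning described above (shared C2 infrastructure, shared target sets, and compile timestamps that cluster in one working-day pattern) can be made concrete as a small scoring and clustering routine. The following is an added example written for this page; it is not CrowdStrike's, the FBI's, or any vendor's tooling. The intrusion records, domain names, target labels, timestamps, weights, and the 0.5 link threshold are all constructed for illustration, and the business-hours signal is deliberately weighted low because timestamps are trivially forged and are only corroborating evidence.

```python
"""Indicator-overlap clustering over constructed intrusion records.

Added example for this article; not the tooling of CrowdStrike, the FBI, or any
other party named in the text. Every sample, domain, target and threshold below
is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import combinations


@dataclass
class IntrusionRecord:
    name: str
    c2_domains: set[str]          # observed command-and-control hostnames
    targets: set[str]             # victim categories or organisations
    compile_times: list[datetime]  # PE compile timestamps, UTC


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets are treated as no evidence (0)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def business_hours_fraction(times: list[datetime], tz_offset_hours: int) -> float:
    """Fraction of compile timestamps falling in 09:00-18:00 local time for the
    given UTC offset. Weak signal: timestamps are easily forged."""
    if not times:
        return 0.0
    hits = sum(1 for t in times if 9 <= (t.hour + tz_offset_hours) % 24 < 18)
    return hits / len(times)


def overlap_score(x: IntrusionRecord, y: IntrusionRecord, tz_offset_hours: int = 3) -> float:
    """Weighted overlap: C2 reuse counts most, target overlap next, and the
    compile-time pattern least. Weights are constructed, not a standard."""
    c2 = jaccard(x.c2_domains, y.c2_domains)
    tgt = jaccard(x.targets, y.targets)
    bh = 1.0 - abs(business_hours_fraction(x.compile_times, tz_offset_hours)
                   - business_hours_fraction(y.compile_times, tz_offset_hours))
    return 0.5 * c2 + 0.3 * tgt + 0.2 * bh


def cluster(records: list[IntrusionRecord], threshold: float = 0.5) -> list[list[str]]:
    """Union-find: link two records when their overlap score reaches the
    threshold, then return the resulting groups, sorted for stable output."""
    parent = {r.name: r.name for r in records}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for a, b in combinations(records, 2):
        if overlap_score(a, b) >= threshold:
            parent[find(a.name)] = find(b.name)

    groups: dict[str, list[str]] = {}
    for r in records:
        groups.setdefault(find(r.name), []).append(r.name)
    return sorted(sorted(g) for g in groups.values())


def _utc(hour: int) -> datetime:
    return datetime(2016, 3, 1, hour, tzinfo=timezone.utc)


# Constructed samples: A and B share two C2 hosts, one target class and a
# working-day compile pattern at UTC+3; C shares nothing with either.
SAMPLE_A = IntrusionRecord("sample_A", {"c2-a.example", "c2-b.example", "c2-c.example"},
                           {"party-hq", "campaign-staff"}, [_utc(10), _utc(11), _utc(13)])
SAMPLE_B = IntrusionRecord("sample_B", {"c2-b.example", "c2-c.example", "c2-d.example"},
                           {"party-hq", "think-tank"}, [_utc(8), _utc(12)])
SAMPLE_C = IntrusionRecord("sample_C", {"unrelated-1.example"},
                           {"retail-pos"}, [_utc(23), _utc(1)])
SAMPLES = [SAMPLE_A, SAMPLE_B, SAMPLE_C]


def attribute_samples() -> list[list[str]]:
    return cluster(SAMPLES)


if __name__ == "__main__":
    for a, b in combinations(SAMPLES, 2):
        print(f"{a.name} vs {b.name}: {overlap_score(a, b):.2f}")
    print("clusters:", attribute_samples())
```

Overlap of this kind is evidence, not proof: infrastructure is resold and reused, and deliberate false flags exist, which is why a real investigation weighs code lineage, tradecraft, and collection from other sources alongside these numeric overlaps.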