The first hints came in May, after committee officials noticed unusual activity in their network. They hired the cybersecurity company CrowdStrike to investigate, and its experts quickly found the source of the activity: a group of hackers had, in late April, gained access to the systems of the committee’s opposition-research team, from which the group had stolen two files containing information on Donald J. Trump, who would eventually become the Republican nominee for president.
The investigators determined that the hackers were part of APT 28, a group well-known among cybersecurity experts. The name is short for advanced persistent threat, which usually refers to government hackers. Security firms and law enforcement officials have also used the name Fancy Bear, a reference to a widespread belief that the group is run by Russia’s military intelligence agency, the G.R.U.
The investigation might have ended there, but CrowdStrike discovered another, better-hidden infiltrator in the computers of the Democratic committee: a group known as APT 29, or Cozy Bear, which is considered more skillful and has been linked to the F.S.B., the main successor to the K.G.B.
Cozy Bear, it seemed, had had complete access to the committee’s systems for almost a year. (Subsequent investigations by two other cybersecurity firms confirmed CrowdStrike’s findings.)...
For example, the first group, APT 28, often uses the same tactic: registering a domain whose name is similar to that of its target, to trick users into disclosing their passwords when logging into the wrong site. In this case, hackers set up misdepatrment.com — switching two letters — to target users of MIS Department, which manages networks for the Democratic committee.
More tellingly, the hackers linked this domain to an IP address they had used in previous breaches, giving investigators a way to look for patterns. They also used the same malware tools, which sometimes included unique security or encryption keys, a kind of digital fingerprint. Those fingerprints were found in other attacks, like a 2015 breach at Germany’s Parliament, which German intelligence officials said Russia, specifically APT 28, had probably carried out.
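The transposed-letter lookalike described above is something a defender can watch for in DNS or proxy logs. The following is an added example, not code from the article or from any firm it mentions: it flags queries for domains that are exactly one adjacent letter swap away from a protected name. The legitimate domain "misdepartment.com" and the log lines are assumptions; the article names only the lookalike "misdepatrment.com".

```python
import re

PROTECTED_DOMAINS = {"misdepartment.com"}  # assumed legitimate name (not stated in the article)

# Constructed sample DNS query log lines, not taken from the article.
SAMPLE_LOG = """\
2016-04-19T09:12:01Z client=10.0.0.21 query=misdepartment.com type=A
2016-04-19T09:13:44Z client=10.0.0.35 query=misdepatrment.com type=A
2016-04-19T09:14:02Z client=10.0.0.35 query=mail.misdepatrment.com type=A
2016-04-19T09:15:10Z client=10.0.0.40 query=example.org type=A
"""


def adjacent_transpositions(label):
    """Every string reachable by swapping one pair of adjacent characters."""
    out = set()
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:  # swapping equal characters changes nothing
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def lookalike_of(observed, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `observed` imitates by one adjacent
    letter swap, or None when it is an exact match or unrelated."""
    labels = observed.lower().rstrip(".").split(".")
    for legit in protected:
        legit_labels = legit.lower().split(".")
        n = len(legit_labels)
        if len(labels) < n:
            continue
        tail = labels[-n:]  # ignore subdomains such as "mail."
        if tail == legit_labels:
            return None  # genuine traffic to the real domain
        if tail[1:] == legit_labels[1:] and tail[0] in adjacent_transpositions(legit_labels[0]):
            return legit
    return None


def scan_dns_log(text):
    """Return (client, queried name, imitated domain) for each suspicious query."""
    hits = []
    for line in text.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if not m:
            continue
        client, qname = m.groups()
        target = lookalike_of(qname)
        if target:
            hits.append((client, qname, target))
    return hits
```

Clients that resolve a flagged name are the first place to look for credential entry on the wrong site; a full-scale deployment would also cover single-character substitutions and use a public-suffix list rather than splitting on the last label.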
Both APT 28 and APT 29 use methods “consistent with nation-state level capabilities,” according to a CrowdStrike report, and they target foreign militaries and military contractors in a pattern that “closely mirrors the strategic interests of the Russian government.”
Another report, issued by the security firm FireEye in July 2015, pointed out that the hackers had seemed to go offline on Russian state holidays, and had appeared to operate during hours consistent with the Russian workday.