CrowdStrike assessed that COZY BEAR had breached the system in 2015 and had been engaged in gathering data for a year. They then found that a second group, FANCY BEAR had breached the server in April of 2016. They managed to penetrate through spear-phishing, the technique of sending a false email to a victim, who would subsequently click on a link in the email, connecting them to a hacker’s server. In this case, one of the spear-phishing attacks used a fraudulent site with the deliberately misspelled URL “misdepatrment.com.” The link was supposed to connect the target to the MIS Department. Instead sent the user to an identical, but fake site called a watering hole, that downloaded a malware kit on the victim’s computer. The malware contained additional modules to disseminate the computer virus widely throughout the DNC’s servers.

CrowdStrike discovered that COZY BEAR used a malware kit identified as “SeaDuke” (also called “SeaDaddy”), a backdoor module that was installed in the file “pagemgr.exe.”⁵ It was noted by F-Secure that SeaDuke was written in the Python coding language, which indicated that COZY BEAR knew the operating system might be based on Linux.

In order to evade the security systems, the attackers would update their modules or the location of their C2 servers. The report said the second attack group was APT28, FANCY BEAR. It used a module named “X-Agent” to enable it to send remote commands, watch every keystroke through keylogging, and transfer files via the C2 server. The group also used “X-Tunnel” malware to give them the ability to send even more remote commands to the servers. The X-Tunnel was set to 45.32.129.185, revealing that it was built specifically for this hack, giving it the ability to extract passwords and create its own encrypted private network to operate covertly.

Several cyber security firms have examined the related metadata to the ATP 28 FANCY BEAR infections. They have nearly unanimously found that several combinations of factors tie this group to a large group of similar infections since 2007. In particular, the Internet Protocol or IP address like 176.31.112.10, used for its command and control sever (C2) shows up repeatedly in other cyber warfare campaigns.⁶ This IP was linked to the breaches at the German Bundestag, the DNC, and the DCCC. Additionally, both IPs are associated with the watering hole attacks and the C2 servers on the DNC and DCCC hacks, revealing their past associations. Another key indicator is the time zone associated when compiling the malware. Russian threat actors like APT28 work most commonly at UTC+4 time zone. While compiling the data about the hack, several firms noted that the operating system used to develop the malware was set to Cyrillic, Russian language text, during some of the development, but not in all.

The firms also noted Russia’s association the ATP-29 COZY BEAR malware, also called “SeaDaddy” or “SeaDuke,” because it had already been extensively tracked by several cyber security firms and associated with Russian Intelligence. As with APT 28, indicators embedded within the metadata pointed to Russia as the source of this malware. This also included the C2 server IPs reused from past operations known to be Russian. The operational time of module compilation and the targets they struck were beneficial only to Russian interests.

Another indicator of professional intelligence agency involvement was the way they performed OpSec or Operational Security. OpSec was the methodology the operators used to evade detection and cover their tracks. CrowdStrike was impressed and called it “superb.” They noted that they demonstrated a “live off the land” approach to evading security. In fact, just one year before the DNC hack was revealed, the firm found COZY BEAR responsible for hacks of the White House, the State Department, and the U.S. Joint Chiefs of Staff.

“We have identified no collaboration between the two actors, or even an awareness of one by the other,” Dmitri Alperovitch wrote in a blog post. “Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials.”⁷ Alperovitch wrote this is “not an uncommon scenario” in Russia, where the primary domestic and foreign intelligence agencies—the FSB and SVR, respectively—have a competitive and even adversarial relationship.

The hackers frequently cleared out the logs that would reveal their activities or reset the timestamp of files so it appeared that they were never opened or tampered with.⁸ However, some additional breadcrumb trails lead many cyber security firms and intelligence agencies to conclude that this was the work of the CYBER BEARS or one of its hired hacker hit squads.

Another critical bit of evidence was the use of a specific Command and Control server in the attack. It was traced back to the IP address of 176.31.112.10 and it had been seen before. This same IP came up during the investigation on the German Bundestag spear-phishing. That attempt was believed to have been carried out by Russian intelligence.⁹

By May 18, 2016, The Director of National Intelligence, James R. Clapper Jr. spoke at the Bipartisan-Policy Center in Washington and said there were “indications” of attempted cyberattacks in the 2016 presidential campaign without specifying either attempted intrusions or on suspected foreign or domestic hackers.¹⁰ Brian P. Hale, director of public affairs for the Office of the Director of National Intelligence, backed Clapper up stating, “we’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations, from philosophical differences to espionage, and capabilities, from defacements to intrusions,” and, “we defer to FBI for specific incidents.”¹¹

On June 15, 2016 a Wordpress page appeared with links to the stolen DNC Documents. It was posted by Guccifer 2.0 and came with a list of Frequently Asked Questions.