Cyber Incident Victim: Democratic National Committee
Date:
Jun 2015
Location:
United States of America
Summary
The Democratic National Committee was compromised by Russian civilian and military intelligence services through two distinct cyber operations. APT29 infiltrated the organization via a spearphishing campaign that delivered malware, then established persistent access, escalated privileges, and exfiltrated email communications. APT28 later breached the same entity using credential-harvesting spearphishing, stealing content that led to unauthorized public disclosures of sensitive information. Both threat actors employed infrastructure designed to mimic legitimate services, used stolen data to refine subsequent targeting, and continued spearphishing operations after the intrusions. The incidents involved systematic data theft aimed at intelligence gathering and public influence through leaked materials.
Description
In summer 2015, the Democratic National Committee (DNC) was compromised by Advanced Persistent Threat 29 (APT29), a threat actor the U.S. government associates with Russian civilian and military intelligence services (RIS). APT29 executed a spearphishing campaign targeting over 1,000 recipients, including U.S. government personnel, using emails containing malicious links to malware hosted on the group's operational infrastructure. The attackers used legitimate domains, including some affiliated with U.S. organizations and educational institutions, to host malware and send spearphishing emails. At least one targeted individual within the DNC activated a malicious link, enabling APT29 to deliver malware, establish persistence, escalate privileges, and enumerate Active Directory accounts. The group exfiltrated email from several accounts through encrypted connections back to its infrastructure. This initial breach gave APT29 intelligence it used to craft subsequent, more narrowly targeted spearphishing campaigns. The compromise persisted undetected for months, allowing extensive data collection. APT29 has historically targeted government entities, think tanks, universities, and corporations worldwide using similar tradecraft, including Remote Access Tools (RATs) and evasion techniques to avoid detection. The U.S. government later confirmed APT29's involvement through technical indicators drawn from intelligence community analysis and partner entities.

In spring 2016, a second RIS-associated group, APT28, breached the same political party through a separate spearphishing operation. APT28 registered domains mimicking legitimate organizations and tricked recipients into entering their credentials on a fake webmail site hosted on APT28 infrastructure. Using the harvested credentials, APT28 gained access to DNC systems and exfiltrated content from multiple senior party members. The U.S. government assessed that this theft led to information being leaked to the press and publicly disclosed. APT28 has historically relied on shortened URLs in spearphishing campaigns and on infrastructure masquerading as third parties to obscure attribution. Both APT28 and APT29 established operational infrastructure to obfuscate their source locations, host malicious domains, run command-and-control nodes, and harvest credentials. Actors likely associated with RIS continued spearphishing campaigns against U.S. entities as recently as November 2016, days after the election. The U.S. government attributed these activities to RIS based on technical evidence, including malware signatures, network indicators, and tradecraft analysis, and designated the overall campaign GRIZZLY STEPPE. The Department of Homeland Security and the FBI released a Joint Analysis Report (JAR-16-20296A) containing technical indicators of compromise, including IP addresses, file hashes, and YARA signatures, to help network defenders identify related malicious activity. The report confirmed the exfiltration of sensitive political data but did not quantify the total volume of data stolen or name all affected entities beyond the DNC.
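The two detection problems this paragraph raises for a defender are matching logs against a released indicator list (IPs, FQDNs, hashes in the JAR's CSV shape) and catching APT28-style credential-harvesting hosts that borrow an organization's brand name before they ever appear on a list. The script below is an added example, not code from the JAR or from any party named on this page. Every indicator and log line in it is constructed: the IPs come from RFC 5737 documentation ranges, the domains use the reserved `.example` TLD, the hash is arbitrary hex, and `LEGIT_DOMAINS` is a hypothetical list of the organization's genuine domains.

```python
"""Sweep constructed proxy-log lines against a JAR-style indicator list.

Added example; not code from the DHS/FBI JAR or from any party named on the
page. Every indicator here is constructed: IPs are RFC 5737 documentation
addresses, domains use the reserved .example TLD, the hash is arbitrary hex.
"""
import csv
import io
import re
from typing import Dict, List, Set

# Constructed indicator feed in the indicator,type,description CSV shape
# the JAR used. None of these are real GRIZZLY STEPPE indicators.
IOC_CSV = """\
indicator,type,description
192.0.2.10,IPV4ADDR,constructed malware-hosting node
198.51.100.7,IPV4ADDR,constructed credential-harvesting host
webmail-party-login.example,FQDN,constructed fake webmail domain
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,SHA256,constructed dropper
"""

# Hypothetical list of the organisation's genuine domains, used to spot
# lookalike hosts that borrow a brand label (the fake-webmail tactic).
LEGIT_DOMAINS: Set[str] = {"party.example"}

# Constructed proxy log: timestamp src_ip dst_ip host path sha256_of_download
PROXY_LOG = """\
2016-04-12T09:15:03Z 10.0.0.5 203.0.113.9 mail.party.example /owa/auth/logon.aspx -
2016-04-12T09:16:40Z 10.0.0.5 198.51.100.7 webmail-party-login.example /owa/auth/logon.aspx -
2016-04-12T09:20:11Z 10.0.0.8 192.0.2.10 updates.example /dl/setup.exe 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2016-04-12T09:21:00Z 10.0.0.9 203.0.113.77 party-secure-mail.example /login -
2016-04-12T09:25:30Z 10.0.0.9 203.0.113.50 www.example.com / -
"""


def load_iocs(text: str) -> Dict[str, Set[str]]:
    """Group indicators by type, normalised to lower case for exact matching."""
    iocs: Dict[str, Set[str]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        iocs.setdefault(row["type"], set()).add(row["indicator"].strip().lower())
    return iocs


def looks_like(host: str, legit_domains: Set[str]) -> bool:
    """True if host borrows a brand label from a genuine domain without being that
    domain or one of its subdomains, e.g. webmail-party-login.example vs party.example."""
    host = host.lower().rstrip(".")
    for legit in legit_domains:
        if host == legit or host.endswith("." + legit):
            return False  # the genuine domain itself
    brands = {d.split(".")[0] for d in legit_domains}
    labels = set(re.split(r"[.\-]", host))
    return bool(brands & labels)


def sweep(log_text: str, iocs: Dict[str, Set[str]], legit_domains: Set[str]) -> List[dict]:
    """Return one record per log line that matches an indicator or a lookalike host."""
    ips = iocs.get("IPV4ADDR", set())
    fqdns = iocs.get("FQDN", set())
    hashes = iocs.get("SHA256", set())
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, host, path, sha = line.split()
        reasons = []
        if dst in ips:
            reasons.append(f"destination {dst} is a listed IP")
        if host.lower() in fqdns:
            reasons.append(f"host {host} is a listed FQDN")
        if sha != "-" and sha.lower() in hashes:
            reasons.append(f"download {path} matches a listed SHA256")
        if looks_like(host, legit_domains):
            reasons.append(f"host {host} mimics a genuine domain")
        if reasons:
            hits.append({"ts": ts, "src": src, "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in sweep(PROXY_LOG, load_iocs(IOC_CSV), LEGIT_DOMAINS):
        print(hit["ts"], hit["src"], hit["host"], "; ".join(hit["reasons"]))
```

Run stand-alone, the sweep flags three of the five constructed lines: the listed fake-webmail host (IP, FQDN and lookalike all fire), the listed download (IP and hash), and an unlisted `party-secure-mail.example` caught only by the brand-label heuristic. Treat every hit as a lead to confirm rather than a verdict: the JAR itself cautioned that some published IPs may also carry legitimate traffic, and a label match on a brand name will also fire on the organization's own partners and vendors.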
