threatintel
actor tracker
Named attack · kill-chain walkthrough

DNC Hack

Two GRU/SVR intrusions, one election-interference operation

Fancy Bear (GRU Unit 26165) + Cozy Bear (SVR)Summer 2015 – June 2016 (disclosure)High confidence

Two distinct Russian intelligence services operated concurrently on the DNC network. APT29 (Cozy Bear), attributed to Russia's SVR, began its intrusion in summer 2015 and focused on long-term, low-tempo espionage. APT28 (Fancy Bear), attributed to GRU Unit 26165, arrived in March 2016 with a faster operational tempo aimed at theft for public release. The U.S. Intelligence Community Assessment (January 6 2017) and the Mueller Report (March 2019) both confirm dual-actor attribution. Twelve named GRU officers from Units 26165 and 74455 were indicted by a U.S. federal grand jury on July 13 2018.

In summer 2015 Russia's SVR (Cozy Bear / APT29) quietly penetrated the Democratic National Committee network and sustained near-invisible access for almost a year. In March 2016 GRU Unit 26165 (Fancy Bear / APT28) forced its own way in through spear-phishing — including a credential-harvesting email that successfully compromised Clinton campaign chairman John Podesta's Gmail account. The GRU team deployed X-Agent (CHOPSTICK) on DNC hosts and X-Tunnel for encrypted exfiltration, ultimately stealing tens of thousands of emails. CrowdStrike disclosed the breach on June 14 2016; the next day the persona 'Guccifer 2.0' emerged claiming credit and releasing documents. WikiLeaks subsequently published the stolen archives. The operation became the most consequential cyber-enabled influence campaign in U.S. electoral history.

scene 00 / 07
Two independent intrusions — SVR (summer 2015) and GRU (March 2016)APT29 / Cozy BearSVR · summer 2015spear-phish → DNC mail serverslow-tempo espionage · >9 mo dwellT1566.001 · T1566.002APT28 / Fancy BearGRU Unit 26165 · Mar 2016spear-phish → DCCC → DNC pivotfast tempo · aimed at public leakT1566.002 · T1078DNC NetworkWashington, DCmail servers · workstationsalso: DCCC (shared infra)MITRE G0016 (APT29) · G0007 (APT28)Podesta Spear-Phish — Mar 19 2016Fake Google security-alert email · shortened URLtarget: John Podesta (Clinton campaign chairman)credentials captured · ~50,000 Gmail messages accessibleT1566.002 · T1598.003 · T1056.003creds harvestedaccounts-google.comtyposquat domainSecureworks CTUX-Agent (CHOPSTICK) — MITRE S0023keylogging · remote shell · file browsing · process enumreg run-key + scheduled task persistence · survives rebootsGRU officer Nikolay Kozachek ('kazak') — X-Agent developerT1547.001 · T1053.005 · T1056.001 · T1059.003GRIZZLY STEPPEJAR-16-20296ADHS/FBI Dec 2016Collection & StagingDNC emails · opposition research · donor listsPodesta Gmail: ~50,000 messages staged via IMAP exportfiles compressed + written to temp dirs on DNC hostsT1114.002 · T1005 · T1560.001 · T1074.001~50,000Podesta emails+ DNC serversX-Tunnel Exfiltration — MITRE S0117HTTPS-encapsulated encrypted channel · mimics web trafficGRU-leased servers: Arizona (DNC data) · Illinois (DCCC data)servers rented via cryptocurrency · false identitiesT1048.002 · T1071.001 · T1090 · T1583.003GRU serverArizona / IllinoisMueller indictmentCounts 2–9Guccifer 2.0 — Jun 15 2016GRU persona · claims to be Romanian hackerreleases DNC documents to discredit attributionMueller: GRU Unit 74455 officer Anatoliy KovalevT1583.006 · T1586.002 · T1608.005WikiLeaks PublicationDNC emails: Jul 22 2016 (3 days pre-DNC convention)Podesta emails: Oct 7 – Nov 8 2016 (election period)releases timed to news cycles · ICA: directed by KremlinICA-2017-01D · Mueller Report Vol. Ifeeds docsCrowdStrike "Bears in the Midst" · Jun 14 2016ODNI ICA-2017-01D — high confidence: Putin directed campaign · Jan 6 2017Mueller: 12 GRU officers indicted (Units 26165 + 74455) · Jul 13 2018Netyksho · Antonov · Badin · Yermakov · Lukashev · Morgachev
  1. Phase 01 · Initial Access — Cozy Bear (SVR)TA0001

    APT29 spear-phished its way into the DNC in summer 2015 and stayed silent for nearly a year

    • APT29 (Cozy Bear) gained initial access to the DNC network in summer 2015 via spear-phishing emails targeting DNC staff — consistent with the SVR's established tradecraft of low-volume, carefully crafted lures.
    • Once inside, APT29 established persistent, stealthy access and began collecting email and chat communications; its dwell time exceeded nine months before CrowdStrike's June 2016 discovery.
    • The SVR intrusion was characterized by deliberate low operational tempo — slow exfiltration, minimal lateral noise — consistent with long-term strategic intelligence collection rather than theft for public release.
    • The ODNI Intelligence Community Assessment (January 6 2017) and Mueller Report (Vol. I) both identify APT29 as the first actor on the DNC network, distinct from and uncoordinated with the GRU intrusion that followed.
    • The DCCC (Democratic Congressional Campaign Committee) was also breached by APT28 using the same tooling; APT29 access to DNC predated the GRU's DCCC operations.
    Techniques
    T1566.001 · Phishing: Spearphishing AttachmentT1566.002 · Phishing: Spearphishing LinkT1078 · Valid Accounts
    Sources
  2. Phase 02 · Initial Access — Fancy Bear (GRU)TA0001

    GRU Unit 26165 spear-phished Podesta's Gmail and forced entry to the DNC in March 2016

    • On March 19 2016, GRU officers sent John Podesta, chairman of the Clinton presidential campaign, a spear-phishing email designed to look like a Google security alert, containing a shortened URL that redirected to a credential-harvesting page. Podesta's credentials were captured.
    • The Podesta phish was part of a broad GRU spear-phishing campaign (Operation FANCY BEAR) that targeted hundreds of Clinton campaign and DNC personnel from March through May 2016, as documented in the Mueller indictment (Count 11).
    • Secureworks' Counter Threat Unit linked the shortened URLs used in the campaign to a Bitly account operated by GRU-affiliated infrastructure — the same infrastructure sent thousands of phishing links to targets across U.S. political organizations.
    • GRU Unit 26165 also gained access to the DNC network directly through the DCCC, which shared network resources; the Mueller indictment (Counts 2–9) details intrusions beginning around the same timeframe.
    • The GRU's March 2016 entry occurred while APT29 (SVR) already had persistent access; the two services operated independently and were apparently unaware of each other's presence.
    Techniques
    T1566.002 · Phishing: Spearphishing LinkT1598.003 · Phishing for Information: Spearphishing LinkT1056.003 · Input Capture: Web Portal Capture
    Indicators
    accounts-google.com — Typosquat domain used in GRU credential-harvesting infrastructure — cited in Mueller indictment and Secureworks CTU research
    Sources
  3. Phase 03 · Persistence & ExecutionTA0003

    X-Agent (CHOPSTICK) implanted on DNC hosts delivered keylogging, file access, and remote shell

    • GRU Unit 26165 deployed X-Agent (also known as CHOPSTICK or Sednit) on multiple DNC workstations and servers. X-Agent is a modular implant attributed exclusively to APT28; MITRE tracks it as S0023.
    • X-Agent provided keylogging, remote command execution, file browsing, and process enumeration — enabling persistent hands-on access to the DNC network without requiring repeated exploitation.
    • X-Agent communicated with GRU-controlled command-and-control infrastructure over encrypted channels. The Mueller indictment identifies GRU Unit 26165 officers, including Nikolay Kozachek (a.k.a. 'kazak'), as responsible for developing and operating the X-Agent malware.
    • US-CERT's Joint Analysis Report JAR-16-20296 (December 2016) — released under the codename GRIZZLY STEPPE — described X-Agent and related implants used by the GRU actors and provided indicators for detection.
    • Registry run-key and scheduled-task persistence mechanisms allowed X-Agent to survive reboots and maintain long-term access across the DNC network.
    Techniques
    T1547.001 · Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1053.005 · Scheduled Task/Job: Scheduled TaskT1059.003 · Command and Scripting Interpreter: Windows Command ShellT1056.001 · Input Capture: Keylogging
    Indicators
    X-Agent / CHOPSTICK — APT28 modular implant — MITRE S0023; indicators in US-CERT JAR-16-20296 (GRIZZLY STEPPE)
    Sources
  4. Phase 04 · CollectionTA0009

    Thousands of DNC emails and Podesta's full Gmail archive systematically staged for theft

    • GRU operators used X-Agent's keylogging and file-access modules to collect email content, internal DNC communications, opposition research, and donor data from DNC servers.
    • Podesta's Google account, compromised via the March 19 phishing email, yielded approximately 50,000 emails — subsequently released in batches by WikiLeaks from October 2016 onward.
    • The GRU's collection on the DCCC network extended to strategic documents, call sheets, and internal campaign polling; the Mueller indictment details collection of files specifically sought for their political intelligence value.
    • Collected files were compressed and staged in temporary directories on compromised hosts before exfiltration, consistent with the staging sub-technique of the Collection tactic.
    • APT29 (SVR), operating separately on the same DNC network, also collected email and chat traffic from senior DNC officials, though its collection was not publicly released.
    Techniques
    T1114.002 · Email Collection: Remote Email CollectionT1005 · Data from Local SystemT1560.001 · Archive Collected Data: Archive via UtilityT1074.001 · Data Staged: Local Data Staging
    Sources
  5. Phase 05 · ExfiltrationTA0010

    X-Tunnel encrypted the data channel; GRU-controlled servers in Arizona and Illinois received the stolen files

    • GRU Unit 26165 used X-Tunnel (MITRE S0117) — a dedicated encrypted tunneling tool developed by APT28 — to exfiltrate collected files over HTTPS-encapsulated channels to GRU-controlled servers, making traffic difficult to distinguish from legitimate web traffic.
    • The Mueller indictment identifies a GRU-leased server in Arizona that received exfiltrated DNC data, and a separate server in Illinois used for DCCC-related operations.
    • Fidelis Cybersecurity and ThreatConnect independently corroborated CrowdStrike's findings, identifying the same X-Agent and X-Tunnel infrastructure and confirming exfiltration pathways.
    • The operational security of the exfiltration relied on leasing servers through third-party hosting providers using cryptocurrency and false identities — tradecraft detailed in the Mueller indictment's Counts 2–9.
    • Podesta's emails were exfiltrated directly from Google's servers after credential compromise, using Google's own IMAP export functionality — no implant or tunneling tool was required for that collection path.
    Techniques
    T1048.002 · Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 ProtocolT1071.001 · Application Layer Protocol: Web ProtocolsT1090 · ProxyT1583.003 · Acquire Infrastructure: Virtual Private Server
    Indicators
    X-Tunnel — APT28 encrypted tunneling tool — MITRE S0117; used for encrypted exfiltration from DNC/DCCC hosts
    Sources
  6. Phase 06 · Influence OperationsTA0040

    'Guccifer 2.0' emerged June 15 2016 as a Romanian hacker — a GRU persona that released documents and fed material to WikiLeaks

    • One day after CrowdStrike's public disclosure (June 14 2016), the persona 'Guccifer 2.0' appeared online, claiming to be a lone Romanian hacker who had breached the DNC independently. The persona released DNC documents to establish cover and discredit the Russian attribution.
    • The Mueller indictment (Count 10–11) identifies Guccifer 2.0 as a GRU operation. GRU officer Anatoliy Kovalev (Unit 74455) is among those indicted in connection with the persona's online operations and document releases.
    • Guccifer 2.0 communicated directly with WikiLeaks and transferred stolen DNC and Podesta files; WikiLeaks began publishing DNC emails on July 22 2016 — three days before the Democratic National Convention — and released Podesta emails from October 7 2016 through Election Day.
    • The timing of WikiLeaks releases was strategically aligned with news cycles damaging to the Clinton campaign, consistent with an influence operation rather than a whistleblowing action.
    • The ODNI ICA (January 6 2017) assessed with high confidence that Russia's military intelligence (GRU) conducted the cyber operations and that Russian leadership directed the resulting influence campaign.
    Techniques
    T1583.006 · Acquire Infrastructure: Web ServicesT1586.002 · Compromise Accounts: Social Media AccountsT1608.005 · Stage Capabilities: Link Target
    Sources
  7. Phase 07 · Attribution & IndictmentTA0040

    Mueller's grand jury named twelve GRU officers by name; the ICA assessed Russian presidential-level direction

    • On July 13 2018, a federal grand jury indicted twelve named GRU officers: Viktor Netyksho, Boris Antonov, Dmitriy Badin, Ivan Yermakov, Aleksey Lukashev, Sergey Morgachev, Nikolay Kozachek, Pavel Yershov, Artyom Malyshev, Aleksandr Osadchuk, Aleksey Potemkin, and Anatoliy Kovalev — spanning GRU Units 26165 and 74455.
    • The indictment charged the officers with conspiracy to commit computer fraud, aggravated identity theft, and conspiracy to commit money laundering, covering the DNC, DCCC, and Clinton campaign intrusions.
    • The ODNI Intelligence Community Assessment of January 6 2017 assessed with high confidence that Russian President Vladimir Putin ordered the influence campaign, and that the GRU-linked intrusions were a direct component of that campaign.
    • CrowdStrike's June 14 2016 'Bears in the Midst' blog post by Dmitri Alperovitch was the first public attribution, predating the ICA by seven months and the Mueller indictment by over two years — its technical findings were corroborated by Fidelis, ThreatConnect, and Secureworks.
    • The U.S. Treasury OFAC designated Russian individuals and entities under Executive Order 13694 on December 28–29 2016 in response to the election interference operations, the first formal government sanctions tied to the DNC breach.
    Sources
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Fancy Bear (GRU Unit 26165) + Cozy Bear (SVR)
Capability
  • T1566.001
  • T1566.002
  • T1078
  • T1598.003
  • T1056.003
  • +1 more
Infrastructure
  • accounts-google.com
Victim
  • See narrative above
Primary sources