And you know this how?
I know it for two reasons: a) I have read the reverse engineering reports published by multiple cybersecurity organizations and b) I have looked at some of the code
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
http://www.threatgeek.com/2016/06/dnc_update.html