Consider this a link dump and not a full analysis. I decided to make this post here since few other subreddits would have as much interest or would allow a text post.
From what is currently available it is very likely that the attackers are Russian and are focused on intelligence collection with government and non-profit targets (suggesting, although not proving, government ties and objectives). The related groups very likely operate as proxies for the Russian government, giving it plausible deniability (I am basing this off of the shared conclusions of the researchers below).
Coinciding with the recent expulsion of Russian Diplomats, the FBI and Department of Homeland Security released the report: GRIZZLY STEPPE - Russian Malicious Cyber Activity
This document is the result of a Joint Analysis by the FBI and DHS and makes no attempt to prove an association between Grizzly Steppe and the Russian Civilian and Military Intelligence Services. It covers two attacks, the Summer 2015 attacks by "APT29" and the Spring 2016 attacks by "APT28", both regarded as aliases for the same organization.
The association between APT28 and the RIS is assumed based on earlier investigations and reports by third party researchers like FireEye, SecureWorks, and ThreatConnect (the affiliation is generally considered a "sponsorship", and APT28 is likely a Russian-based proxy group). There are likely unreleased investigations on the affiliation by government departments as well. The report focuses on the methods of attack and recommendations to government departments on how to avoid future attacks.
I will not bother to lay out the details of the attack, but here are some noteworthy quotes from the SecureWorks report:
The Hillary Clinton email leak was the center of the latest scandal in the news caused by Threat Group-4127[1] (TG-4127). SecureWorks® Counter Threat Unit™ (CTU) researchers track the activities of Threat Group-4127, which targets governments, military, and international non-governmental organizations (NGOs). Components of TG-4127 operations have been reported under the names APT28, Sofacy, Sednit, and Pawn Storm. CTU™ researchers assess with moderate confidence that the group is operating from the Russian Federation and is gathering intelligence on behalf of the Russian government.
FireEye also concluded that both APT28 and APT29 hackers are in Russia based on activity in Russian time zones, and are known to speak Russian and possibly English due to Russian language in malware and attempts to access English documents from journalists (see the first FireEye link for APT28, and this report on HAMMERTOSS for APT29). The relationship between the APT groups is primarily based on their similar location, targets, and methods. There is enough variation in methods to suggest that they are distinct but all sophisticated.
From FireEye's HAMMERTOSS report on APT29:
APT29 has been operating in its current form since at least late 2014. We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and their work hours seem to align with the UTC +3 time zone, which contains cities such as Moscow and St. Petersburg.
While other APT groups try to cover their tracks to thwart investigators, very few groups show the same discipline and consistency. Similarly, few groups display the ability to adapt to network defenders’ attempts to mitigate its activity or remove it from victim networks. For example, APT29 almost always uses anti-forensic techniques, and they monitor victim remediation efforts to subvert them. Likewise, the group appears to almost solely use compromised servers for CnC to enhance the security of its operations and maintains a rapid development cycle for its malware by quickly modifying tools to undermine detection. These aspects make APT29 one of the most capable APT groups that we track.
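Since the FireEye quote above rests on a working-hours heuristic (activity lining up with a UTC+3 workday and pausing on holidays), here is a small script showing how an analyst actually runs that check. This is an added illustration written for this post, not code from FireEye, SecureWorks, or the GRIZZLY STEPPE report: the timestamps are constructed sample data, and the 09:00-18:00 Monday-Friday "workday" window is an assumption you would tune to the actor. It shifts every observed event (C2 check-in, build timestamp, whatever you have) into each candidate UTC offset and counts how many land inside a workday; the best-scoring offset is the best-fit time zone.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real telemetry): UTC timestamps of observed
# actor activity. They were generated to cluster inside a UTC+3 working day,
# with a little weekend and late-night noise mixed in. 2015-06-01 is a Monday.
SAMPLE_EVENTS_UTC = [
    "2015-06-01T06:15:00Z", "2015-06-01T07:40:00Z", "2015-06-01T11:05:00Z",
    "2015-06-02T09:30:00Z", "2015-06-02T12:00:00Z", "2015-06-02T14:20:00Z",
    "2015-06-03T06:50:00Z", "2015-06-03T10:10:00Z", "2015-06-03T13:45:00Z",
    "2015-06-04T08:25:00Z", "2015-06-04T12:35:00Z", "2015-06-05T07:05:00Z",
    "2015-06-05T11:50:00Z",
    "2015-06-06T10:00:00Z",  # Saturday: weekend noise
    "2015-06-02T22:30:00Z",  # late-night noise
]

# Assumed nominal local workday, [09:00, 18:00) Monday to Friday.
WORK_START, WORK_END = 9, 18


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_workday(local_dt):
    """True if a local datetime falls on Mon-Fri inside the nominal workday."""
    return local_dt.weekday() < 5 and WORK_START <= local_dt.hour < WORK_END


def score_offsets(events_utc, offsets=range(-12, 15)):
    """For each candidate UTC offset (whole hours), count the events that land
    inside a local workday once shifted into that offset."""
    parsed = [parse_utc(s) for s in events_utc]
    scores = {}
    for off in offsets:
        tz = timezone(timedelta(hours=off))
        scores[off] = sum(in_workday(dt.astimezone(tz)) for dt in parsed)
    return scores


def best_offset(events_utc):
    """Return the UTC offset whose workday window explains the most activity.
    Ties are broken toward the offset closest to UTC."""
    scores = score_offsets(events_utc)
    return max(scores, key=lambda off: (scores[off], -abs(off)))


def hour_histogram(events_utc, offset_hours):
    """Hour-of-day activity counts after shifting into the given UTC offset;
    useful for eyeballing whether the cluster looks like a workday at all."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(parse_utc(s).astimezone(tz).hour for s in events_utc)


if __name__ == "__main__":
    scores = score_offsets(SAMPLE_EVENTS_UTC)
    best = best_offset(SAMPLE_EVENTS_UTC)
    print(f"best-fit offset: UTC{best:+d} ({scores[best]}/{len(SAMPLE_EVENTS_UTC)} events in workday)")
    for hour, n in sorted(hour_histogram(SAMPLE_EVENTS_UTC, best).items()):
        print(f"  {hour:02d}:00  {'#' * n}")
```

On the sample data UTC+3 wins with 13 of 15 events inside the workday, UTC+4 and UTC+2 trail by one or two each, and the weekend and late-night events stay unexplained at every offset. Two practical caveats: the score is a smooth curve rather than a spike, so neighbouring offsets (Moscow vs. Tehran vs. Eastern Europe) are hard to separate without the holiday-pause check the report also uses, and build and beacon timestamps can be skewed by the actor, which is why the researchers quoted above treat time-zone alignment as one corroborating indicator among targets, language, and tooling rather than proof on its own.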