If you look at all the inflammatory headlines it's always "Hackers used Zero day"* but if you actually read the story, it's always a variation of "The hacking group that hacked the DNC has been known to use Zero days before".
The FBI report was pretty clear.
"In summer 2015, an APT29 spearphishing campaign directed emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims. APT29 used legitimate domains, to include domains associated with U.S. organizations and educational institutions, to host malware and send spearphishing emails.
In the course of that campaign, APT29 successfully compromised a U.S. political party. At least one targeted individual activated links to malware hosted on operational infrastructure of opened attachments containing malware. APT29 delivered malware to the political party’s systems, established persistence, escalated privileges, enumerated active directory accounts, and exfiltrated email from several accounts through encrypted connections back through operational infrastructure.
In spring 2016, APT28 compromised the same political party, again via targeted spearphishing.
This time, the spearphishing email tricked recipients into changing their passwords through a fake webmail domain hosted on APT28 operational infrastructure. Using the harvested
credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members.
The U.S. Government assesses that information was leaked to the press and publicly disclosed."
In simple terms, they sent out emails saying "Your passwords are compromised.* Click here to input new password"...and they sent it out to everybidy, not just the Democrats....and the links directed them to websites that the Russians controlled.
*I guess if you can say they did use Zero Days.....and those Zero Days were named Podesta and the ITs that the DNC employed.