At the nation state level, I don't think it operates the same way. That is, I don't think they rely on a few dumb operators. Looking at what the NSA does, they're able to attack the supply lines and send you pre-compromised hardware. They have advanced exfiltration systems that don't need to touch your network at all. They have malware that cannot be decrypted by any machine other than the target that makes you think there's nothing wrong. It's also custom, just for you, so AV programs aren't going to see it.
Those statements are mostly true, but only to a certain extent.
The APT teams aren't operating at a nation-state level. They are nation-state funded, but they're still operating more like an experiment, mostly due to the lack of available expertise in the field. Think more along the lines of the Manhattan Project. A very small number of people are doing the real work, and a lot of people figuring out how to apply this new weapon strategically.
Yes, the intelligence agencies have lots of fancy tools, and they're shared among the APT teams as needed, but usually the attacks are boring script-kiddie stuff. Most of the time, pass-the-hash and Word macros will get the job done, so there's no reason to risk exposing the elite tools and zero-day vulnerabilities.
I know they labeled the DNC hack as an APT, but it appears to be an ordinary criminal gang. It simply doesn't match the profile of nation-state-level attacks. They want long-term access without getting caught. Sending an email like the one to Podesta got someone ~2 days of access, as best we can tell. Enough to download a few emails, only to end up locked out. When nation states do spear phishing, they have a custom-written piece of malware disguised as a legitimate attachment. It won't be noticed by any AV programs. They will use that to make sure they have long-term access to your systems.
The Podesta hack and the DNC hacks were separate events, by related teams. They used different tactics, but shared some (but not all) infrastructure. Both teams were involved in the DNC hack, but apparently weren't aware of each other's presence, since they'd attack servers that the other team had already penetrated.
In the DNC hack, they did have long-term access. One group had been active on the network for over a year, and the other was sloppier, and was detected after only a month of activity.
The Podesta attack wasn't particularly specialized. It was a wide attack using automated tools. There was no attachment, just a link to a bit.ly-shortened URL that wouldn't be caught by the spam filter. There was nothing downloaded from the phishing site, either. It just decrypted the Base64-encoded parameter in the emailed URL, and displayed that. Again, don't fall into the mental trap that nation-state attacks must be highly-sophisticated next-generation hacks. In hacking, if it's stupid and it works, then it isn't stupid.
They just don't operate the same way because they don't have the same goals. It's not like Russia is the only possible culprit here, either.
Russia isn't the only possible culprit, but they are the only likely culprit. The same infrastructure (bit.ly account, phishing site host, and mail-sending botnet) had previously been used to attack 1,800 accounts in 2015. Those accounts were overwhelmingly non-Russian military personnel. There's a great analysis of the hack by pwnallthethings on Twitter. I highly recommend expanding the thread and reading it.
As for goals, the goal is simple: gather any useful access. Hacking Podesta's email was probably a lucky stroke for the attackers, but they were more likely looking for anything useful. If not Podesta, then someone else might have made a good victim. If they got someone's account, but it wasn't particularly useful at the time, they don't care. The automated tool is cheap and easy to run. In fact, the campaign that hit Podesta targeted around 4,000 Gmail accounts over the course of eight months.
I wouldn't be surprised if they had hacked such a soft, juicy target as this (no doubt along with many other countries), but it seems like a crazy risk. There was nothing in there that looked like it would sway the election. So why risk all those state sanctions on a long shot like Trump?
The sanctions are an interesting development, as they're the most severe repercussions we've seen yet for a hack. I expect the same phishing emails went out to hundreds or thousands of government officials, and Podesta happened to be the one that took the bait. No, none of his leaked messages were particularly damaging, but it's probably the best that the attackers got. To use their information to possibly get an ally in the White House is worth a risk, especially if they didn't expect the sanctions. Without the sanctions on the table, if their favored candidate lost the race, it didn't really cost them anything to try.