Cybersecurity officials watched with growing concern in September as Russian state hackers roamed dozens of US state and local government computer systems just two months before the elections.
It was not the act itself that worried them so much – officials expected the Russians who meddled in the 2016 election to be back – but the actor. The group known to researchers as "Dragonfly" or "Energetic Bear," for its hacking attacks on the energy sector, was not involved in election hacking in 2016. But over the past five years it has attacked the power grid, water treatment plants and even nuclear power plants, including one in Kansas.
In March, Wi-Fi systems at San Francisco International Airport and at least two other airports on the west coast were also hacked in an attempt to find an unidentified traveler, a demonstration of the hackers' reach and determination.
The intrusions in September were the first time researchers had caught the group, a unit of the Russian Federal Security Service (F.S.B.), targeting states and counties. The timing of the attacks so close to the election, and the potential for disruption, caused concern among private security firms, law enforcement and intelligence agencies.
"One possible explanation is that they are bringing in the real professionals – the A-Team – who are used to working in this really sensitive critical infrastructure where you want to stay calm until you don't," said Suzanne Spaulding, the former Under Secretary for Cybersecurity and Critical Infrastructure at the Department of Homeland Security.
In 2016, Russian hackers from other groups were unusually noisy in their efforts to break into some state election databases. "You could argue that they didn't care to be quiet," said Ms. Spaulding. But now that Russia has been called out and punished for meddling in the elections, President Vladimir V. Putin "may wish to keep this quiet until the circumstances are established for their use in information operations," she added.
American officials, in a report on Thursday, described the hacking attacks as "opportunistic" rather than an outright attack on election infrastructure, but acknowledged that the group had targeted dozens of state and local systems and stolen data from at least two target servers.
"By and large, they're looking for vulnerabilities and working opportunistically," said Christopher C. Krebs, director of the Cybersecurity and Infrastructure Security Agency, which issued the alert together with the F.B.I.
That hardly reassured researchers who have followed Energetic Bear for years. "This appears to be preparatory to ensure access if they decide they need it," said Adam Meyers, threat intelligence director at CrowdStrike, a security firm that has been monitoring the group.
Energetic Bear usually casts a wide net and then zeroes in on a few high-value targets. In Germany and the United States, the group infected websites popular in the energy sector, pushed malware onto the machines of visitors to those websites and then sifted through the victims for employees with access to industrial systems.
Other attacks have hijacked software updates for computers connected to industrial control systems. The group has also blasted targets with phishing emails, looking for employees who may have access to critical systems at hydroelectric, power and nuclear plants.
And with remarkable success. A disturbing screenshot in a 2018 Department of Homeland Security report showed the group's hackers with their fingers on the switches of the computers that controlled a power plant's industrial systems.
The group has so far stopped short of sabotage, but appears to be preparing for a future attack. The hackers were unsettling enough that United States Cyber Command, the arm of the Pentagon that carries out offensive cyberattacks, retaliated against Russian networks beginning in 2018.
Some called the counterattacks the digital-age equivalent of mutually assured destruction. But any hope American officials had that their strikes would scare Russia off was dashed when the group began attacking American airports in March.
Officials at San Francisco International Airport found that Russia's state hackers had breached the online system that allowed airport employees and travelers to access the airport's Wi-Fi. The hackers injected code into two Wi-Fi portals that stole visitors' usernames, cracked their passwords and infected their laptops.
The attack began on March 17 and lasted almost two weeks before it was shut down. By then, officials at two other airports had found that their Wi-Fi portals had also been compromised. The researchers did not name the other victims, citing nondisclosure agreements, but said they were on the west coast.
As sweeping as the attacks may have been, researchers believe Russia's hackers were interested in only one specific person traveling through the airports.
"Allegedly hundreds of thousands of people could have been compromised," said Eric Chien, director of cybersecurity at Symantec, who investigated the attack. "But only 10 were."
Mr. Chien's team found that the hackers had fingerprinted the machines of everyone who logged on to the Wi-Fi network, looking for an older version of Microsoft's Internet Explorer browser. When they found a match, the hackers infected those laptops. If the Wi-Fi visitors used a different browser, the hackers left them alone.
"As far as we could see, they were following a specific person," Chien said.
In Thursday's government warning, officials said the Russian group was again targeting aviation systems. It did not name the targets, but its language suggested that the airport in Columbus, Ohio, could have been one of them.
In an earlier homeland security warning about the group, officials said it "targets low-security and small networks to gain access and move sideways to the networks of large, high-quality asset owners within the energy sector."
Security researchers warned that the spate of attacks on American state and local systems could follow the same course: Russia's hackers are using their foothold in seemingly random victim networks to look for more interesting targets closer to the November 3 election. They could, for example, take offline the databases that verify voter signatures on mail-in ballots, or, given their expertise, cut power to key districts.
"The most worrying thing is that it demonstrates Russia's intent and ability to have systems near and around us, but that shouldn't surprise us," said Frank Cilluffo, the director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University.
Some of the security experts who have tracked the F.S.B.'s intrusions into state and local systems believe that Russia could be hedging its bets.
For example, if Mr. Putin believes President Trump will be re-elected and wants to build a better relationship with the United States, he may want to limit the extent to which Russia is viewed as disruptive.
Likewise, the experts said that if former Vice President Joseph R. Biden Jr., the Democratic candidate, is elected, Russia could try to gain a foothold in the systems to weaken or delegitimize his administration, or it could hold back in order not to provoke the new administration.
"By doing this more quietly, you are giving yourself more options," said Ms. Spaulding.