Cybersecurity officials watched with growing alarm in September as Russian state hackers started prowling around dozens of American state and local government computer systems just two months before the election.
The act itself did not worry them so much — officials anticipated that the Russians who interfered in the 2016 election would be back — but the actor did. The group, known to researchers as “Dragonfly” or “Energetic Bear” for its hackings of the energy sector, was not involved in 2016 election hacking. But it has in the past five years breached the power grid, water treatment facilities and even nuclear power plants, including one in Kansas.
It also hacked into Wi-Fi systems at San Francisco International Airport and at least two other West Coast airports in March in an apparent bid to find one unidentified traveler, a demonstration of the hackers’ power and resolve.
September’s intrusions marked the first time that researchers caught the group, a unit of Russia’s Federal Security Service, or F.S.B., targeting states and counties. The timing of the attacks so close to the election and the potential for disruption set off concern inside private security firms, law enforcement and intelligence agencies.
“One possible explanation is that they are calling in the real pros — the A Team — who is used to operating in this really sensitive critical infrastructure where you want to keep quiet until you don’t,” said Suzanne Spaulding, the former under secretary for cybersecurity and critical infrastructure at the Department of Homeland Security.
In 2016, Russian hackers from other groups were unusually noisy in their efforts to penetrate some state election databases. “You could argue they didn’t care about being quiet,” Ms. Spaulding said. But now that Russia has been called out and punished for interfering in the election, President Vladimir V. Putin “may want to keep this quiet until the circumstances are set for their use in information operations,” she added.
American officials described the hackings in an advisory on Thursday as “opportunistic,” rather than a clear attack on election infrastructure, but conceded the group had targeted dozens of state and local systems and stolen data from at least two targets’ servers.
Keep up with Election 2020
“They’re broadly looking to scan for vulnerabilities and they’re working opportunistically,” said Christopher C. Krebs, the director of the Cybersecurity and Infrastructure Security Agency, which issued the warning along with the F.B.I.
That hardly reassured researchers who have tracked Energetic Bear for years. “This appears to be preparatory, to ensure access when they decide they need it,” said Adam Meyers, the head of threat intelligence at CrowdStrike, a security firm that has monitored the group.
Energetic Bear typically casts a wide net, then zeros in on a few high-value targets. In Germany and the United States, the group has infected websites popular in the energy sector, downloading malware onto the machines of anyone who visited the sites, then searching for employees with access to industrial systems.
In other attacks, it has hijacked the software updates for computers attached to industrial control systems. It has also blasted targets with phishing emails in search of employees, or co-workers, who might have access to critical systems at water, power and nuclear plants.
And it has done so with remarkable success. A disturbing screenshot in a 2018 Department of Homeland Security advisory showed the groups’ hackers with their fingers on the switches of the computers that controlled the industrial systems at a power plant.
The group has thus far stopped short of sabotage, but appears to be preparing for some future attack. The hackings so unnerved officials that starting in 2018, the United States Cyber Command, the arm of the Pentagon that conducts offensive cyberattacks, hit back with retaliatory strikes on the Russian grid.
Some called the counterattacks the digital era’s equivalent of mutually assured destruction. But any hope that American officials had that their strikes would deter Russia dissipated when the group started targeting American airports in March.
Officials at San Francisco International Airport discovered Russia’s state hackers had breached the online system that airport employees and travelers used to gain access to the airport’s Wi-Fi. The hackers injected code into two Wi-Fi portals that stole visitors’ user names, cracked their passwords and infected their laptops.
The attack began on March 17 and continued for nearly two weeks until it was shut down. By then, officials at two other airports discovered their Wi-Fi portals had also been compromised. Researchers would not name the other victims, citing nondisclosure agreements, but said they were on the West Coast.
As pervasive as the attacks could have been, researchers believe Russia’s hackers were interested only in one specific person traveling through the airports that day.
“Ostensibly, hundreds of thousands of people could have been compromised,” said Eric Chien, a cybersecurity director at Symantec, who examined the attack. “But only 10 were.”
Mr. Chien’s team discovered that the hackers were “fingerprinting” the machines of anyone who logged onto the Wi-Fi network in search of one older version of Microsoft’s Internet Explorer browser. If they found a match, the hackers infected those laptops. If the Wi-Fi visitors used any other browser, the hackers left them alone.
“From what we could see, they were going after a specific individual,” Mr. Chien said.
In the government alert on Thursday, officials said that the Russian group was again targeting aviation systems. It did not name the targets but did suggest in some technical language that one could have been the airport in Columbus, Ohio.
In a previous homeland security warning about the group, officials said it “targets low security and small networks to gain access and move laterally to networks of major, high-value asset owners within the energy sector.”
Security researchers warned that the spate of attacks on American state and local systems could mirror the trajectory of those attacks: Russia’s hackers using their foothold in seemingly random victims’ networks to mine for more interesting targets closer to the election on Nov. 3. They could take steps like pulling offline the databases that verify voters’ signatures on mail-in ballots, or given their particular expertise, shutting power to key precincts.
“The most disconcerting piece is that it demonstrates Russia’s intent and ability to target systems near and dear to us, but that shouldn’t surprise us,” said Frank Cilluffo, the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.
By deputizing the F.S.B.’s stealthiest infrastructure hackers to target state and local systems, some security experts believe Russia may be hedging its bets.
If, for example, Mr. Putin believes President Trump will be re-elected and wants to forge a better relationship with the United States, he may want to limit the degree to which Russia is seen as interfering.
Likewise, the experts said, if former Vice President Joseph R. Biden Jr., the Democratic nominee, is elected, Russia may try to use its foothold in the systems to weaken or delegitimize him, or it may hold back so as not to provoke the new administration.
“By doing this more quietly, you give yourself more options,” Ms. Spaulding said.