In the thick of the presidential race last summer — Donald Trump was attacking Hillary Clinton over Benghazi; Clinton was widening her lead in the polls — FBI agents uncovered something odd.
On June 28, federal cyber experts noticed that the network credentials of an Arizona county elections worker had been posted on a site frequented by suspected Russian hackers. The password and username discovered by the FBI could let someone access the state’s voter registration system.
Two weeks later, Illinois’ state Board of Elections IT staff noticed a startling spike in activity involving their voter registration system. Malicious queries were hitting it 5 times per second, 24 hours a day, looking for a way to break in.
The Illinois state officials took their website offline. They discovered to their surprise that the attack had begun three weeks earlier and originated from somewhere overseas.
Both incidents were a wake-up call for an increasingly nervous cybersecurity and elections community. A couple of weeks before, hackers tied to the Russian government broke into the Democratic National Committee’s computer system and stole thousands of sensitive documents.
The U.S. intelligence community determined that Russian intelligence gave them to WikiLeaks, which then released them to the public. The resulting controversy helped lead to the resignation of DNC chairwoman Debbie Wasserman Schultz, and kicked off a summer of much more cyber-intrigue.
For all the focus on the public saga over the Democrats, Clinton’s campaign chairman John Podesta and other cyberattacks that dominated the 2016 election, less attention was paid to what was happening in states such as Arizona and Illinois.
In both cases, state and federal officials say that the foreign attacks ultimately didn’t compromise any voter records — although in Illinois, hackers did gain access to the personal information of almost 76,000 registered voters before the state installed new security.
But the precise details about what did take place in the states attacked by Russia’s intelligence services aren’t fully known. Federal agencies, along with state and local election officials, struggled over the following months to figure out how to protect the American voting process from tampering, and to keep public confidence in elections from eroding.
Here’s a look at what is known about how events unfolded over an election like no other.
Early August: President Obama and three top aides receive a top secret report from the CIA detailing a plan by Russian President Vladimir Putin to disrupt the U.S. election, including the use of cyberattacks. The president directs aides to look into vulnerabilities in election systems and what can be done to protect against tampering.
Aug. 3: Department of Homeland Security Secretary Jeh Johnson tells reporters that he’s considering designating elections as “critical infrastructure.” This would give the agency more leeway to provide cybersecurity assistance and intelligence information to state and local election officials. But state officials worry this might lead to more federal involvement in elections, which are traditionally run by state and local governments.
Aug. 5: The National Association of Secretaries of State, which represents top election officials in most states, releases a statement assuring voters that “hacking of the election is highly improbable due to our unique, decentralized process.” They also note extensive security measures states have already taken to prevent hacking of voting equipment.
Aug. 15: Amid growing concerns that Russians are tampering with the election, DHS Secretary Johnson holds a conference call with state election officials. He offers more security assistance, but states are increasingly nervous that the federal government will try to tell them how to run their elections. It’s a tense relationship that continues well into 2017.
Aug. 18: The FBI issues a flash alert telling election officials and vendors to be on the lookout for hacking attempts coming from a list of IP addresses involved in the Arizona and Illinois attacks. States start checking their computer systems for evidence of unauthorized intrusions. It’s later determined that at least 21 states were targeted.
Aug. 24: Hackers, later linked to Russian military intelligence, launch a cyberattack against a Florida-based elections software vendor, VR Systems. The company provides voter registration systems to local election offices. According to a National Security Agency report leaked the following June, the hackers try to gain the email credentials of several VR Systems employees. The company says they did not succeed, although the NSA says it’s “likely that at least one account was compromised.”
Aug. 31: DHS sets up an Election Infrastructure Cybersecurity Working Group with state officials to share threat information and advice on countering efforts to tamper with their election systems.
Sept. 28: The bipartisan leadership of the House and Senate sides with local election officials by coming out against the DHS plan to designate elections as critical infrastructure. “For over 200 years the states have overcome every challenge to ensure the smooth function of our democracy,” they wrote.
Sept. 30: The FBI holds a conference call with the supervisors of all 67 Florida counties to warn of hacking attempts involving a local vendor. This appears to be a reference to VR Systems, which provides services throughout the state.
Oct. 7: DHS and the Office of the Director of National Intelligence issue a joint statement confirming that the Russian government is behind the recent hacks of DNC and other party computer systems. They also say that recent scanning and probing of state election systems “originated from servers operated by a Russian company,” although they add that they are not ready “to attribute this activity to the Russian Government.”
Oct. 10: DHS announces that 33 states, as well as some local election agencies, have asked for cybersecurity assistance, but Secretary Johnson warns others that they should seek help soon. “Time is a factor,” he said. “There are only 29 days until Election Day.”
Oct. 27: Hackers linked to Russian military intelligence create a fake email account, pretending to be from elections software vendor VR Systems. They then use that account to send emails containing malicious software to up to 122 local government offices involved in managing voter registration systems. The NSA finds no evidence that any of the phony emails are opened.
Nov. 8: Federal intelligence and security officials monitor voting from a command center in Washington, D.C. They have a detailed response plan in the event that a severe cyberattack disrupts the election. It involves such drastic steps as sending in military forces to secure facilities, if necessary. But there’s no need. Voting proceeds without serious incident. Although in Durham County, N.C., electronic pollbooks used to check in voters malfunction and the county decides to use paper registration lists instead.
Dec. 9: The Washington Post reports that the CIA has concluded that Russia interfered in the 2016 election to help get Trump elected, not merely to undermine public confidence. The president-elect’s transition team dismisses the findings, saying in a statement, “It’s now time to move on and ‘Make America Great again.'” President Obama orders the intelligence community to review all election-related hacking incidents and report back to him before he leaves office.
Dec. 29: The Obama administration issues new sanctions against Russia for interfering in U.S. elections, and orders the expulsion of 35 Russian operatives.
Jan. 6: The U.S intelligence community releases a report detailing its assessment of Russian interference in the elections by sowing misinformation and hacking into computer networks. After being briefed, President-elect Trump notes that “there was no tampering whatsoever with voting machines.” Despite continued opposition from state officials, DHS Secretary Johnson designates elections as critical infrastructure.
March 20: FBI Director James Comey and National Security Agency Director Mike Rogers tell the House Intelligence Committee that there’s no evidence of any votes being changed by Russian hackers. But both men say they fully expect the Russians will attempt to influence future U.S. elections. “I think we have to assume they’re coming back,” says Comey.
June 5: The online news site, The Intercept, reveals the NSA report concluding that Russian military intelligence attempted to hack into VR Systems and launched a spear-phishing campaign involving more than 100 local election offices. NSA contractor Reality Winner is arrested for releasing the document to the news site. State election officials express anger that they learned about the cyberattack from the news media, and not from federal authorities.
June 21: Appearing before the Senate Intelligence Committee, DHS official Samuel Liles says his agency determined in September 2016 that election-related systems in 21 states were targeted by Russia. Again, he says there’s no evidence any votes were changed, but lawmakers express frustration that federal agencies have released few details about the hacking attempts to the public, including the identifies of the targeted states. State officials testify that they are unaware if they are on the list.