The story started, as many do, with our own confusion. The most unusual of presidential elections — one marred by Russian trolls, a digital Watergate-style break-in and the winning candidate’s dire warnings of a “rigged election” — was followed by the most unusual period of acceptance. In the immediate aftermath of the 2016 election, government officials, the Clinton campaign, intelligence analysts, and civic and legal groups all appeared to calmly accept claims that votes had not been hacked. I had been on the cyber beat for six years and had grown accustomed to deep, often lengthy digital forensics analyses of cyberattacks against a wide range of targets: Silicon Valley start-ups, multinational conglomerates, government agencies and our own Times breach by Chinese government hackers. In the vast majority of cases, it takes investigators months or years to discover that hackers had indeed been lurking undetected on victims’ machines.
Yet American intelligence officials were adamant in a report in January — just two months after Election Day — that vote tallies had not been hacked. This despite the broad consensus among United States intelligence agencies that Russia interfered in the 2016 election through an extensive disinformation and propaganda campaign, as well as the hacking of electoral databases and websites, the Democratic National Committee and the Democratic Congressional Campaign Committee.
My colleagues Michael Wines, Matthew Rosenberg and I set out to find out how government officials had nixed the possibility of vote hacking so readily. It was especially unclear to us given that officials at the Department of Homeland Security testified last fall that Russian hackers probed election systems in 21 states, with varying degrees of success, and that months later, a National Security Agency report found that Russian hackers had indeed successfully infiltrated VR Systems, an election service provider in eight states, including the battlegrounds North Carolina, Florida and Virginia.
… The more places we looked, the worse things looked. In fact, we discovered that VR Systems was not the only back-end supplier of election services that was hacked by Russians ahead of Election Day. Two more vendors that provide critical election services were also hacked.