It was the day before the 2016 presidential election, and at the Volusia County elections office, near Florida's Space Coast, workers were so busy that they had fallen behind on their correspondence.
Lisa Lewis, the supervisor of elections, stumbled on an important email sent to her and three others in the office, by then a week old, that appeared to be from VR Systems, the vendor that sells electronic voter list equipment to nearly every county in the state. "Please take a look at the instructions for our modernised products," it said, using British spelling and offering an attachment. Something about the email seemed off.
"It was from Gmail," Ms. Lewis said. "They don't have Gmail."
Ms. Lewis, it turned out, was right to be suspicious. Though it had VR Systems' distinctive logo, with a red V and a blue R, the email contained a malicious Trojan virus, and it originated not from the elections vendor but from the Russian military intelligence unit known as the G.R.U. The email had been sent to 120 elections email accounts across Florida.
Also buried in Ms. Lewis's inbox was a warning from VR's chief operating officer, flagging the dangerous spearphishing attempt and warning all his customers not to click on it.
But, it now appears, someone did.
Slipped into the long-anticipated special counsel report on Russian interference in the 2016 election last week was a single sentence that caused a stir throughout the state and raised new questions about the vulnerability of the nation's electoral systems.
Although the spearphishing attempt in Florida had first been brought to light nearly two years ago when The Intercept cited a secret National Security Agency report, state officials said they were certain no elections computers had been compromised. The Mueller report turned that assertion on its head. "The F.B.I.," it said, "believes that this operation enabled the G.R.U. to gain access to the network of at least one Florida county government."
In an interview on Friday, Senator Marco Rubio of Florida took it one step further, saying that Russian hackers not only accessed a Florida voting system, but were "in a position" to change voter roll data.
The report has sent Florida officials scurrying once again for specifics. Which county? Could there have been more than one?
"They won't tell us which county it was. Are you kidding me?" an exasperated Ron DeSantis, Florida's Republican governor, said at a news conference in Miami on Thursday. "Why would you have not said something immediately?"
The Florida Secretary of State's office in Tallahassee said it had been unable to learn which county it was. "The department reached out to the F.B.I. and they declined to share that information with us," said Sarah Revell, a department spokeswoman. "No county has come forward." The secretary of state who was running the department at the time, Ken Detzner, did not respond to requests for comment.
Mr. DeSantis, who took office in January, is scheduled to meet with the F.B.I. in the coming weeks, and has promised to make the information public, if it is not classified.
VR Systems' chief executive, Ben Martin, said his company was aware of only a "small number of customers" who had received the fraudulent email, and of those, none had notified VR Systems that they had clicked on the attachment or were compromised.
Mr. Rubio said in the interview that there was, in fact, an intrusion, but the target or targets were never notified. The information was gleaned through an intelligence operation, not a criminal investigation, said Mr. Rubio, a Republican member of the Senate Intelligence Committee. In order to protect intelligence methods, he said, national security officials chose to issue a general warning to everyone.
"Everybody has been told what it is they need to do to protect themselves from the intrusion," Mr. Rubio said. "I don't believe the specific victims of the intrusion have been notified. The concern was that in a number of counties across the country, there are a couple of people with the attitude of: 'We've got this; we don't need your help. We don't think we need to do what you are telling us we need to do.'"
Mr. Rubio said he was constrained as a member of the intelligence committee as to how much he could tell his constituents.
"When someone you know had a problem, but you can't tell them they had a problem, it becomes tense," he said.
The hackers, he added, were "in a position" to change voter roll data, but it does not appear they ever acted on it.
Such an intrusion could have been devastating, he said. "My biggest concern is that on Election Day you go vote and have mass confusion because voter registration information has been deleted from the systems."
Mr. Rubio and Florida's former Democratic senator, Bill Nelson, wrote a letter last year to the state's top elections official encouraging him "in the strongest terms" to take advantage of federal services to secure election systems.
"I have repeatedly voiced concerns about overconfidence of some #Florida elections officials," Mr. Rubio said on Twitter this week.
And he noted in the interview that he had first issued a warning about the intrusion in 2018.
Mr. Nelson, who lost his bid for re-election and left office at the end of 2018, said he could not share classified information on the purported intrusion.
"The Senate Intelligence Committee Chairman and Vice Chairman asked Senator Rubio and me in June 2018 to send a letter to the 67 county Supervisors of Election to warn them of Russian intrusion in Florida," Mr. Nelson said in a statement. "The Mueller Report makes clear why we had to take that important step as well as my verbal warnings thereafter."
At the time, Mr. Nelson's warnings did not appear to be taken seriously, and in fact were widely criticized.
"When Bill Nelson said that, Republicans ripped him apart," said Ion Sancho, the longtime supervisor of elections in Tallahassee, who recently retired. "'You senile old man!' Guess what, he might have been right."
The F.B.I. did hold a conference call warning all Florida elections supervisors of a cyber threat two months before the 2016 election, but officials declined to say this week whether the bureau ever told elections supervisors from the county that had been hacked about the breach.
An official with the Department of Homeland Security, who spoke on the condition of anonymity because of the sensitivity of the matter, said that whenever the authorities discover a successful case of hacking, targets are notified by the F.B.I. Identities are kept secret in an effort to maintain positive working relationships with hacking victims.
"We believe it is their purview to talk about the possible incident, how it impacted them and when," the official said.
The official stressed that elections computer systems in 48 of 50 states are now equipped with "Albert sensors," devices affixed to networks to detect cyber intrusions. No foreign government has been found to be trying to penetrate, the official said, and the process of hardening security has vastly improved information-sharing between county, state and federal agencies.
Paul Lux, the president of the Florida State Association of Supervisors of Elections, said elections supervisors across the state still have not been made aware of exactly what happened.
Most said they had received no specific reports. "I have not heard a whisper of such a thing," said Mr. Lux, who runs elections in Okaloosa County, in northwest Florida. But he isn't necessarily surprised. "If you had a neighbor's house broken into, the police aren't going to knock and say, 'Hey, just to let you know, Fred down the street got broken into, so be careful.'"
He and other elections officials parsed the language in the Mueller report, wondering whether the semantics offered hints. "We understand the F.B.I. believes that this operation enabled the G.R.U. to gain access to the network of at least one Florida county government," the report said.
"Accessing can be like sneaking into an apartment building behind someone, but you can't get the code for the elevator, so you are stuck in the lobby and get bored and leave," Mr. Lux said.
Elections officials throughout the state insisted that even if systems were penetrated, it likely would have been the voter registration rolls, where a hacker could potentially wreak havoc on Election Day by changing addresses and precincts — but would not be able to gain access to vote tabulations.
"They'd have to knock me out, steal the key and passcodes — in front of multiple cameras," said Todd Putnam, the systems administrator for Lee County Supervisor of Elections, near Fort Myers.
In the end, it appeared that most counties successfully fended off the attack. In response to a public record request from a reporter, officials in Broward County, who had initially denied they had been the target of any spearphishing attempt, reported that at least three people there had been targeted with the fake VR email. It had been blocked by spam filters, they said.
"Did we get hacked? No. We did get phished," said Steve Vancore, a spokesman for the Broward elections office. "A rock was thrown at the window, the window didn't break. The rock bounced off."
New York Times, April 26, 2019.
April 28, 2019
Voices4America Post Script. The redacted Mueller Report made clear 1) Manafort shared Trump polling data on PA, MI, & WI; 2) FL voting was attacked. Now Senator Rubio has confirmed the FL attack. How is Trump not illegitimate? And what happens in 2020? #PutinsPuppet