Just when the cybersecurity world thinks it's found the limits of how far Russian hackers will go to meddle in foreign elections, a new clue emerges that suggests another line has been crossed.

Even now, nearly a year after news first broke that Russian hackers had breached the Democratic National Committee and published its internal files, a leaked NSA document pointing to Russian attempts to hack a voting-tech firm has again redefined the scope of the threat. Taken with the recent history of Russia's digital fingerprints on foreign elections, it points to a disturbing trend: Moscow's habit of hacking democratic processes has only gotten more aggressive and technically focused over time.

This week, the national-security-focused news outlet the Intercept published a top-secret NSA file outlining how Russian hackers, believed to have been part of the country's GRU military agency, attempted to phish the credentials of employees at VR Systems, a Florida-based tech firm that sells equipment and software used in voting registration. The leak represents the first solid evidence that Russian election hacking has escalated beyond mere political leaks and disinformation to threaten the core systems of America’s voting apparatus.

"We were all kind of hoping that the election hacking was at the cognitive level: propaganda, doxing, influence operations. But this is proof that they were actually closer to the tactical, technical level," says Kenneth Geers, an ambassador to NATO's Cyber Center who has long followed Russian hacking campaigns. “They were closer to the guts, to the operating system of our democracy, than we knew.”

For Geers and his fellow digital Kremlinologists, the VR Systems attack represents only the latest in a progression of either confirmed or presumed Russian election-hacking tactics they've tracked for years. (And that progression doesn't even necessarily include the Kremlin's regular doses of bot-driven propaganda and misinformation---not true hacking, but disruptive nonetheless.) Here's what we know---and suspect---about Russia's digital attacks on the clockwork of democracy over the last decade.

DDOS Attacks

The crudest tool at Russia's disposal for election interference has been to simply knock the opposition's website off the internet. Starting in the late 2000s, pro-Russian hackers bombarded the sites of opposition leaders like Garry Kasparov in the midst of his 2007 campaign for president, keeping Kasparov's site offline or sluggish at key moments during the campaign season. In Russia's 2011 election, the target list expanded to include opposition media outlets like the Moscow Echo, and the election monitoring group Golos.

In all those cases, armies of malware-infected computers flooded the targets with junk traffic, overwhelming the servers that hosted the sites. Around the same time, attacks timed to political campaigns struck the websites of opposition politicians in former Soviet states where Russia maintains deep influence, like Belarus and Ukraine. As with most DODS attacks, it's been tough to definitively trace the original source of those attacks, or prove any government involvement.

Spoofed Results

In 2014, one pro-Russian hacker group tried a more fine-tuned approach to political web-hacking. A Russian-speaking hacker operation calling itself CyberBerkut compromised the website of Ukraine's Central Election Commission, and changed the election results it was set to display to declare the winner as ultra-right candidate Dmytro Yarosh. Commission officials spotted the attack less than an hour before the results were set to be released, and prevented the fraudulent version from being shown publicly. Russian state media, apparently coordinating with CyberBerkut, broadcast the fake results regardless.

Aside from that apparent coordination, more recent hints have tied CyberBerkut to the GRU hacker group known as APT28, or Fancy Bear. Cybersecurity researchers at the University of Toronto group Citizen Lab performed an analysis of another CyberBerkut operation last year, this one targeting investigative journalist David Satter. They found that the an account that created the phishing link used in that attack had also likely created URLs that security firms ThreatConnect and FireEye previously tied to Fancy Bear.

Targeted Leaks

Despite repeated statements from President Trump and his surrogates to the contrary, intelligence agencies and the cybersecurity community today agree almost unanimously that Russian government hackers stole and leaked a series of Democratic targets in 2016. Those targets included the Democratic National Committee, the Democratic Congressional Campaign Committee, and the emails of Clinton campaign manager John Podesta. The resulting leaks were published under the fake hacker handle Guccifer 2.0, sent to GOP operatives, and most effectively, shared with WikiLeaks, which trickled them out during key weeks of the campaign.