The story of Russian interference in the 2016 presidential elections is a complicated one, made no easier to understand by the volumes written about it. By most accounts, the alleged operation was a shocking, landmark intervention: The New York Times called it the “Pearl Harbour of the stealth cyber age”.

This time around, as the US enters the final stages of another election cycle, there can be little talk of shock or surprise. In July, the US Department of Justice published a report that suggested it was not a matter of if, but how, where and when Russia and other foreign actors would try to meddle in the midterms. The same month, a poll suggested nearly six in 10 Americans agreed.

But despite years of worry and warning, experts surveyed by The Independent say US election systems remain woefully vulnerable to attack. Much of the voting technology remains as it was decades ago, while hostile agencies have steadily improved their stealth capacities.

Aside from charging 13 Russians, Robert Mueller’s indictments detailed two main channels of alleged Russian cyber operations in 2016.

The first was straightforward enough: Russian hackers aligned to the security agencies went after Hillary Clinton – reviled by Vladimir Putin for her part in supporting democratic revolutions around Russia’s borders – and her party. They got into the computers of the Democratic National Committee and published compromising material on a website called DC leaks.

The second channel was more complicated: a campaign of influence and manipulation by quasi-state actors, using the latest social media tools. Most obviously, this was St Petersburg’s infamous “troll farm,” aka the Internet Research Agency, reportedly funded by Yevgeny Prigozhin, a courtier to the Russian leadership.

Mr Prigozhin’s trolls used many of the techniques seen in Russian propaganda – embracing conspiracy theories, fake news, and promoting divisive themes – to sabotage the Clinton campaign, and logic more generally.

Most of the vulnerabilities present in 2016 remain.

The midterms will be administered in the same way as presidential elections, that is to say by each state and, often, counties within states. That is good and bad news, says Andrew Grotto, former senior director for cybersecurity policy in the Obama and Trump administrations. Decentralised elections are a “source of resilience against large-scale attacks, but it also means that resources are spread thinner.

“No state is where I would prefer them to be, though some are better placed than others,” he told The Independent.

Russian intelligence agencies can pick from any number of hardware and software vulnerabilities, says Harri Hursti, founding partner of Nordic Innovations Labs.

Only a minority of states have replaced voting machines in response to the new risks. But of most concern are the five states who will be relying on electronic voting devices without an auditable paper trail, said Mr Hursti. Paper ballots are not infallible either: the scanners that register votes can be hacked; and only a few states employ robust audit systems.

Other obvious vulnerabilities include election back office systems – usually connected to the internet – and new “completely unregulated” electronic electoral registers. Mr Hursti said he was not aware of any proven breach, but cyber attacks remained at unprecedented levels: “Everyone’s activity is up, but it’s hard to tell what part of it are human attacks, and what part are malware.”

If Russian security services were to tamper with the hardware or software of any of those systems, they would probably succeed, said Mr Grotto, adding it was “unreasonable” to expect a county official to go head-to-head with an intelligence agency.

Such breaches would usually be identified “immediately or never”.

Twitter and Facebook, unwitting importers of Russian news standards, hardly seem better placed. Both have tried to clean up the political space by deleting thousands of accounts and millions of images and posts. Twitter has embraced full disclosure, releasing on Wednesday a data trove of Russian and Iranian foreign intelligence campaigns and identifying 3,841 accounts linked to Prigozhin’s Internet Research Agency.

That is likely to be just the tip of a much bigger iceberg. The blank stares of Mark Zuckerberg as he gave testimony to the US Congress in April, spoke of the scale of this unexpected new threat.

Lyudmila Savchuk, who spent several months in 2015 working undercover at Prigozhin’s agency, said the work of the big social media companies has been – necessarily – reactive. She was “happy” Twitter and Facebook were making an effort to filter out “criminal” content, but was certain the troll factory’s “whizzkid technicians” would find a way around restrictions: “They live in social media like fish live in water. They’ll always be able to open new accounts.”

Ms Savchuk, who continues to monitor the Russian organisation from afar, says its management has been forced to adapt to worldwide publicity and media interest. It used to be easy to become a troll. Adverts were plastered across the internet, offering great wages and conditions, and the job was subject to the most basic security clearance – in her case, a few interview questions. Now, workers are obliged to undergo a lie detector test and are closely controlled.

What that does not mean is that the agency, and other outsourced operations like it, have gone away. Quite the contrary, the Internet Research Agency has just upgraded to more comfortable, and larger premises. It is unclear how much of its work is focused on foreign operations – the agency works on Russian projects too – but it is safe to assume the Kremlin will not easily give up on one of its institutions that has been proven to have a disruptive effect on adversaries.

Beto O'Rourke rips into 'liar' Ted Cruz in final debate before midterm elections

“They are immune to publicity and criticism, even when they are caught lying – it just doesn’t stop them,” said Ms Savchuk. “They continued to meddle in the US elections even after my investigation was published in 2015. I think you can be sure there will be attempts to influence these elections too.”

Mr Grotto agreed the Kremlin was unlikely to rein in cyber operations over bad publicity as the Russian president “did not care” whether the world’s eyes are on him. It had “not stopped him” in Georgia, Ukraine or Syria, said Mr Grotto. There was likely to be “some” meddling in the midterms, but the “more sophisticated new tradecraft” was probably reserved for the European elections next year, he added.

Hackers will, indeed, continue to hack, said influential commentator Maxim Trudolyubov. But one result of the recent negative publicity is Moscow may turn more towards private contractors, such as the Internet Agency. That would be a way of increasing plausible deniability, he told The Independent; the Kremlin has always looked to outsource dirty operations when it can.

The extent of Russian involvement in these elections will, however, depend less on what happens in Moscow than in Washington, said Mr Trudolyubov.