America’s Overton window opened a little wider last month, when President Trump refused to confirm that he would report offers of outside assistance for his 2020 re-election campaign to the FBI. When pressed, he described hacked data as “opposition research,” concluding “I think I’d take it.” In response, Federal Election Commission chairwoman Ellen Weintraub issued a public reminder that all candidates are forbidden from accepting help from foreign governments.

Although campaign gifts of any value from external parties are banned under US law, conclusive attribution of data dumps is difficult, aiding impunity. Potential beneficiaries of stolen information might solicit intervention, but advancing technological breakthroughs enable nearly traceless digital sabotage.

On 20 June, the cybersecurity firm Symantec revealed that Waterbug, also known as Turla, a hacking group linked to Russia’s FSB intelligence service, had initiated three new operations since early 2018, successfully targeting government ministries and corporations in South America, Europe, the Middle East and South Asia. Most strikingly, the group appeared to have penetrated and leveraged the toolkit of another state-backed hacking group, Iran’s OilRig, also known as APT34. This is believed to be the first known instance of one state-sponsored hacking group deploying the tools of another against a third party, an unnamed Middle Eastern government. Waterbug also doxxed the members of OilRig, possibly in a bid to confuse analysts looking for evidence of collaboration between the two parties.

Experts agree that governments and electoral systems remain outmatched by hackers seeking to undermine their integrity. In 2020, proving collusion is only going to get harder.