WASHINGTON -- In the closing days of 2015, the lights went out across a swath of Ukraine as Russian hackers remotely took over an electric utility's control center and flipped off one power station after another, while the company's operators stared at their screens helplessly.
The next year, the same thing happened, this time around Kyiv, the capital.
Now the United States and Britain have quietly dispatched cyberwarfare experts to Ukraine in hopes of better preparing the country to confront what they think may be the next move by President Vladimir Putin of Russia as he again menaces the former Soviet republic -- not an invasion with the 175,000 troops he is massing on the border, but cyberattacks that take down the electric grid, the banking system and other critical components of Ukraine's economy and government.
Russia's goal, according to U.S. intelligence assessments, would be to make Ukraine's president, Volodymyr Zelenskyy, look inept and defenseless -- and perhaps provide an excuse for an invasion.
In one sense, the Russian cybercampaign against Ukraine never stopped, U.S. officials say, though until recently it bubbled along at a low level. But in interviews, U.S. officials and experts say the action has stepped up over the past month even while public attention has been focused on the troop buildup.
"It's a widespread campaign targeting numerous Ukrainian government agencies, including internal affairs -- the national police -- and their electric utilities," said Dmitri Alperovitch, a leading investigator of Russian cyberactivity and chairman of Silverado Policy Accelerator, a new research group in Washington.
Alperovitch, who emigrated from Russia to the United States as a child, said the Russian leader sees the cyberattacks as "preparation of the battlefield."
U.S. officials say a military invasion is far from a certainty. "The current assessment of the U.S. government is that he has not made a decision," said Jake Sullivan, President Joe Biden's national security adviser, speaking at the Council on Foreign Relations. Sullivan did not address the Russian cyberactivity, but it has been an intense focus at the White House, the CIA, the National Security Agency and United States Cyber Command, whose "cyber mission forces" are deployed to identify vulnerabilities around the world.
The Russian cyberactivity was discussed by roughly a dozen officials, who requested anonymity because the information was derived from classified intelligence and sensitive discussions about how to mitigate the Russian threat. Those conversations have focused on whether Putin thinks that a crippling of Ukraine's infrastructure could be his best hope of achieving his primary goal: ousting the Ukrainian government and replacing it with a puppet leader.
The calculus, one senior intelligence official said, would be that such an attack would not require him to occupy the country -- or suffer as many of the sanctions that would almost certainly follow am actual invasion.
While neither government would provide details, officials said the United States was considering a larger deployment, including resources from U.S. Cyber Command. But it is unclear how much good a bigger team could do beyond demonstrating support.
"There's too much to patch," one U.S. official said.
NOT PARANOIA
The Ukrainian grid was built in the days of the Soviet Union, connected to Russia's. It has been upgraded with Russian parts.
The software is as familiar to the attackers as to its operators. And while Ukraine has repeatedly vowed to fix its system, Putin's hackers, or at least teams loyal to him, have shown time and time again that they know how to bring parts of the country to a halt.
The 2015 attack, which began in late December, was particularly instructive. It was directed at a major operator of Ukraine's grid.
Videos taken during the attack showed a skeleton crew of operators -- the attackers knew the holidays would be a particularly vulnerable time -- struggling to understand what was happening as hackers took over their screens remotely. Substations were flipped off. Neighborhood by neighborhood, lights went dark.
"It was jaw-dropping for us," Andy Ozment, who ran cyberemergency response for the Department of Homeland Security and helped investigate the attacks, said at the time. "The exact scenario we were worried about wasn't paranoia. It was playing out before our eyes."
The hackers had a final flourish: The last thing they turned off was the emergency power at the utility company's operations center, so that the Ukrainian workers were left sitting in their seats in the dark, cursing.
With the holidays approaching again, U.S. officials say they are on high alert. But if Putin does launch a cyberattack, either as a stand-alone action or as a precursor to a real-world attack, it will most likely come after Orthodox Christmas, at the end of the first week of January, according to people briefed on the intelligence.
U.S. and allied officials have discussed a variety of sanctions that could possibly deter Russia. But all the measures that could possibly cut deep enough for Russia to care would also cause pain in Europe, which is highly dependent on Russia for winter energy supplies.
Sen. Angus King, I-Maine, a member of the Senate Intelligence Committee, said that if an invasion does take place, the first sign will be in cyberspace.
"I don't think there's a slightest doubt that if there is an invasion or other kind of incursion into Ukraine, it will start with cyber," he said.
King has long argued that the United States and its allies need to think more deeply about how to deter cyberattacks. The United States, King said, should issue a declaratory policy about what the consequences for such attacks will be.
"So the question is," King said, "what are our tools to to deter that?"