Late last week, the Washington Post breathlessly informed its readers that Russian hackers had penetrated the power grid in Vermont, ratcheting up the anxiety over the threat of cyberwar. It didn’t take long for the story to fall apart; in fact, all it took was someone asking the Vermont utility in question about whether the computer with the malware was ever connected to the grid at all. Today the Washington Post sheepishly reports that investigators have mainly dispensed with the idea that the malware came from Russian government activity at all, and may not have even been a hack attempt:
As federal officials investigate suspicious Internet activity found last week on a Vermont utility computer, they are finding evidence that the incident is not linked to any Russian government effort to target or hack the utility, according to experts and officials close to the investigation.
An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.
In other words …
Even Burlington Electric seems a bit confused over the status of its own computer systems. The Post reports that it had been told by Homeland Security that the malware package was connected to “Grizzly Steppe,” a Russian government hacking operation, but now investigators have dismissed that possibility. Instead, the malware package was Neutrino, a common attack platform aimed at Windows users. Trend Micro’s report from three years ago noted its emergence in the underground market as a ransomware delivery system, and the ease with which private actors could either buy it or rent it from Neutrino’s creators ($450 a month).
So what caused the confusion between Neutrino — a genuinely nasty piece of malware on its own — and the Russian-backed Grizzly Steppe? Three guesses:
The murkiness of the information underlines the difficulties faced by officials as they try to root out Grizzly Steppe and share with the public their findings on how the operation works. Experts say the situation was made worse by a recent government report, which they described as a genuine effort to share information with the industry but criticized as rushed and prone to causing confusion. Authorities also were leaking information about the utility without having all the facts and before law enforcement officials were able to investigate further. …
The FBI and DHS released a report last week intended to prompt companies to search their systems for any evidence of a Russian hacking operation that they concluded had infiltrated Democratic Party servers. The document was intended to help companies mitigate Russian hacking and report any suspicious activity to the government. That report itself contained a caution regarding the suspicious IP addresses it listed: “Upon reviewing the traffic from these IPs, some traffic may correspond to malicious activity, and some may correspond to legitimate activity.”
Come now — it wasn’t just that authorities were leaking like a sieve, or that the agencies involved fumbled the data. That’s all true too, and it seems in service of stoking the Russian-cyberwar panic, but it was the Washington Post that rushed it to press without having all of the facts or performing the proper due diligence. All it would have taken was a simple question to Burlington Electric: Was the computer connected to the grid?
Instead, after a weekend of “The Russians are coming, the Russians are coming!”, we get this today:
Here’s one last question: Why didn’t we get this same level of heightened sensitivity, Congressional outrage, and media anxiety when China was hacking actual government agencies over the last three years?