Russian government hackers do not appear to have targeted Vermont utility, say people close to investigation
As federal officials investigate suspicious Internet activity found last week on a Vermont utility computer, they are finding evidence that the incident is not linked to any Russian government effort to target or hack the utility, according to experts and officials close to the investigation.
An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.
The investigation by officials began Friday, when the Vermont utility reported its alert to federal authorities, some of whom told The Washington Post that code associated with the Russian hackers had been discovered within the system of an unnamed Vermont utility. On Friday evening, The Post published its report, and Burlington Electric released a statement identifying itself as the utility in question and saying the firm had “detected the malware” in a single laptop. The company said in its statement that the laptop was not connected to its grid systems.
The Post initially reported incorrectly that the country’s electric grid had been penetrated through a Vermont utility. After Burlington Electric released its statement saying that the potentially compromised laptop had not been connected to the grid, The Post immediately corrected its article and later added an editor’s note explaining the change.
U.S. officials are continuing to investigate the laptop. In the course of their investigation, though, they have found on the device a package of software tools commonly used by online criminals to deliver malware. The package, known as Neutrino, does not appear to be connected with Grizzly Steppe, which U.S. officials have identified as the Russian hacking operation. The FBI, which declined to comment, is continuing to investigate how the malware got onto the laptop.
Initially, company officials publicly said they had detected code that had been linked by the Department of Homeland Security to Grizzly Steppe.
Over the weekend, the company issued a statement, saying only that it had “detected suspicious Internet traffic” on the computer in question.
The murkiness of the information underlines the difficulties faced by officials as they try to root out Grizzly Steppe and share with the public their findings on how the operation works. Experts say the situation was made worse by a recent government report, which they described as a genuine effort to share information with the industry but criticized as rushed and prone to causing confusion. Authorities also were leaking information about the utility without having all the facts and before law enforcement officials were able to investigate further.
The incident comes as President-elect Donald Trump has cast doubt on the findings of intelligence officials that the Russians conducted a hacking operation designed to help him win the White House.
Experts also said that because Yahoo’s mail servers are visited by millions of people each day, the fact that a Burlington Electric employee checking email touched off an alert is not an indication that the Russian government was targeting the utility.
“It’s not descriptive of anything in particular,” said Robert M. Lee, chief executive of Dragos, a cybersecurity firm.
The company said it was told much the same thing by authorities. “Federal officials have indicated that the specific type of Internet traffic, related to recent malicious cyber activity that was reported by us [on Friday], also has been observed elsewhere in the country and is not unique to Burlington Electric,” company spokesman Mike Kanarick said in a statement.
The FBI and DHS released a report last week intended to prompt companies to search their systems for any evidence of a Russian hacking operation that they concluded had infiltrated Democratic Party servers. The document was intended to help companies mitigate Russian hacking and report any suspicious activity to the government. That report itself contained a caution regarding the suspicious IP addresses it listed: “Upon reviewing the traffic from these IPs, some traffic may correspond to malicious activity, and some may correspond to legitimate activity.”
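The article's point, and the report's own caveat, is that a bare IP-address match says little when the listed address also carries legitimate traffic for a popular service. The following is an added illustration, not code from the article or from the DHS/FBI report: a small triage routine that matches connection records against an IP indicator list and downgrades hits that look like ordinary use of a shared service. All indicator values, host names and log lines are constructed (203.0.113.0/24 is a documentation range), and the "shared" flag stands in for an analyst's prior knowledge that an address fronts a widely used service.

```python
from collections import defaultdict

# Constructed indicator feed. 'shared' records that the analyst already knows
# the address fronts a widely used service, which is exactly the case the
# report warns about: traffic to it may be legitimate.
INDICATORS = {
    "203.0.113.10": {"note": "listed address, no known legitimate use", "shared": False},
    "203.0.113.20": {"note": "listed address, also a webmail front end", "shared": False},
    "203.0.113.30": {"note": "listed address, known CDN node", "shared": True},
}

# Constructed connection log: "<internal host> <dest ip> <dest port>"
LOG_LINES = [
    "ws-billing01 203.0.113.20 443",
    "ws-hr02 203.0.113.20 443",
    "ws-ops03 203.0.113.20 443",
    "ws-ops03 203.0.113.30 443",
    "ws-billing01 203.0.113.10 8080",
    "ws-billing01 198.51.100.5 443",
]

def parse_line(line):
    host, dst_ip, dst_port = line.split()
    return host, dst_ip, int(dst_port)

def triage(lines, indicators, prevalence_threshold=3):
    """Match connections against IP indicators and rate each hit.

    A hit is rated 'low-confidence' when the indicator is flagged as a shared
    service or when at least prevalence_threshold distinct internal hosts reach
    the same address: many unrelated machines contacting one address is the
    signature of a popular service, not of a single targeted machine.
    Everything else is rated 'investigate'."""
    records = [parse_line(line) for line in lines]
    hosts_per_ip = defaultdict(set)
    for host, ip, _ in records:
        hosts_per_ip[ip].add(host)
    hits = []
    for host, ip, port in records:
        ind = indicators.get(ip)
        if ind is None:
            continue
        prevalence = len(hosts_per_ip[ip])
        widespread = ind["shared"] or prevalence >= prevalence_threshold
        hits.append({"host": host, "ip": ip, "port": port, "note": ind["note"],
                     "prevalence": prevalence,
                     "verdict": "low-confidence" if widespread else "investigate"})
    return hits

def summarize(hits):
    """Count hits per verdict so the analyst sees the match-to-noise ratio."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["verdict"]] += 1
    return dict(counts)
```

Prevalence across the environment is only one piece of context; the point is that an indicator match opens a question rather than answering it.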
The discovery of the laptop issue has prompted criticism that the government provided overly broad information to companies that was not effective in isolating Russian government hacking.
“That report offered no technical value for defenders,” Lee said. “It was very much high level and nothing in there was specifically descriptive of Russian activity.”
Some in the administration are concerned that this episode with the Vermont utility will cause industry officials to avoid sharing information with the government, for fear that it will be leaked. The company in this case, a U.S. official said, “did what it was supposed to do.”
Experts also expressed concerns regarding the report released by DHS and the FBI on the Russian hacking operation. The report said it was providing “technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services” to “compromise and exploit” political, government and private computer networks. The government released the document on the same day it announced a series of measures taken to punish the Russian government for its interference in the 2016 presidential election, including the DNC hacks.