Malware found on a laptop belonging to an organization responsible for maintaining a Vermont power grid was reportedly similar or identical to that used by Russian hackers.
The infected laptop was not connected to the power grid, and no evidence documents that the malware was placed on the laptop by Russian hackers and/or by persons with the intent of disrupting a U.S. power grid.
After the FBI and the Department of Homeland Security issued a joint report on 29 December 2016 that included code believed to have been used by Russian hackers to penetrate the Democratic National Committee, Burlington Electric in Vermont scanned their systems for malware and discovered a single laptop had been compromised.
The Washington Post used this piece of information as the basis for a story they published the following day under the headline “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say” which opened as follows:
A code associated with the Russian hacking operation dubbed Grizzly Steppe by President Barack Obama’s administration has been detected within the system of a Vermont utility, according to U.S. officials.
While the Russians did not actively use the code to disrupt operations of the utility, according to officials who spoke on condition of anonymity in order to discuss a security matter, the penetration of the nation’s electrical grid is significant because it represents a potentially serious vulnerability.
Government and utility industry officials regularly monitor the nation’s electrical grid because it is highly computerized and any disruptions can have disastrous implications for the function of medical and emergency services.
Critics soon began seizing on issues related to the Post’s reporting, including the newspaper’s later updating of the online version of the article without notice to readers:
The original article was posted online on the Washington Post’s website at 7:55PM EST. Using the Internet Archive’s Wayback Machine, we can see that sometime between 9:24PM and 10:06PM the Post updated the article to indicate that multiple computer systems at the utility had been breached (“computers” plural), but that further data was still being collected: “Officials said that it is unclear when the code entered the Vermont utility’s computers, and that an investigation will attempt to determine the timing and nature of the intrusion.” Several paragraphs of additional material were added between 8PM and 10PM, claiming and contextualizing the breach as part of a broader campaign of Russian hacking against the US, including the DNC and Podesta email breaches.
Despite the article ballooning from 8 to 18 paragraphs, the publication date of the article remained unchanged and no editorial note was appended, meaning that a reader being forwarded a link to the article would have no way of knowing the article they were seeing was in any way changed from the original version published 2 hours prior.
Even more important, however, was that the Post’s article stated or implied information not supported by facts that had been gathered at the time. Most notably, no power grid was demonstrably threatened, as only a single laptop had been infected with malware, and that computer was not even connected to Burlington Electric’s grid system:
“Last night, U.S. utilities were alerted by the Department of Homeland Security (DHS) of a malware code used in Grizzly Steppe, the name DHS has applied to a Russian campaign linked to recent hacks. We acted quickly to scan all computers in our system for the malware signature,” Burlington Electric spokesman Mike Kanarick said. “We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems.”
And as the Post itself noted in a follow-up article three days later, the malware found on Burlington Electric’s laptop “does not appear to be connected with” the Russian hacking operation known as Grizzly Steppe:
U.S. officials are continuing to investigate the laptop. In the course of their investigation, though, they have found on the device a package of software tools commonly used by online criminals to deliver malware. The package, known as Neutrino, does not appear to be connected with Grizzly Steppe, which U.S. officials have identified as the Russian hacking operation. The FBI, which declined to comment, is continuing to investigate how the malware got onto the laptop.
Moreover, since malware is openly bought, sold, and used by multiple parties, the fact that malware found on Burlington Electric’s laptop might have been related to malware used by Russians doesn’t prove it was Russians who put it on the laptop. Nor does it prove in itself that Russians (or anyone else) were actually trying to penetrate an electrical grid system.
Burlington Electric Department subsequently posted a statement noting that similar Internet activity had been observed in other parts of the U.S. and was not necessarily targeting the power company:
Federal officials have indicated that the specific type of Internet traffic, related to recent malicious cyber activity that was reported by us, also has been observed elsewhere in the country and is not unique to Burlington Electric. It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.
At Burlington Electric, where we take great pride in conveying timely and accurate information, we want our community to know that there is no indication that either our electric grid or customer information has been compromised. Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false.
The Washington Post also noted in their follow-up that the similar network activity was neither necessarily indicative of Russian involvement nor malicious in nature:
[U.S. government] officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.
Experts also said that because Yahoo’s mail servers are visited by millions of people each day, that a Burlington Electric employee checking his email touched off an alert is not an indication that the Russian government was targeting the utility.
“It’s not descriptive of anything in particular,” said Robert Lee, chief executive of Dragos, a cybersecurity firm.
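The point made above, that an IP address from an indicator list is weak evidence on its own when the address belongs to shared infrastructure such as a large webmail provider, is easy to see in how a defender should score such hits. The following is an added example, not code from the article, Burlington Electric, or any government report: a small indicator matcher run over constructed log lines, where a hit on an address marked as shared infrastructure is reported as low-confidence rather than as evidence of targeting. The indicator list, the shared-infrastructure list, the log format (`timestamp src=… dst=…`) and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""
Added example (not part of the original article): scoring IP-indicator hits
against network log lines so that matches on shared infrastructure (for
example a popular webmail provider's servers) surface as low-confidence
instead of as a "targeted intrusion" alert.

All indicators, log lines and the shared-infrastructure list below are
constructed sample data using RFC 5737 documentation address ranges.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed indicator list: address -> description, in the style of an
# appendix to a threat report. Nothing here is a real indicator.
INDICATORS: Dict[str, str] = {
    "192.0.2.10": "command-and-control (constructed)",
    "198.51.100.25": "webmail provider edge server (constructed)",
}

# Constructed list of indicator addresses known to be shared infrastructure.
# A hit on one of these says "a host used a popular service", not
# "this organization was chosen as a target".
SHARED_INFRA = {"198.51.100.25"}


@dataclass
class Hit:
    src: str
    dst: str
    confidence: str  # "high" or "low"
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse an assumed 'timestamp key=value ...' log line into (src, dst).

    Returns None for lines that lack either field, so malformed input is
    skipped rather than crashing the matcher.
    """
    tokens = line.split()[1:]  # drop the timestamp
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    if "src" in fields and "dst" in fields:
        return fields["src"], fields["dst"]
    return None


def match_indicators(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose destination is on the indicator list.

    Shared-infrastructure indicators are downgraded to low confidence and
    carry a reason telling the analyst to corroborate before escalating.
    """
    hits: List[Hit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if dst not in INDICATORS:
            continue
        if dst in SHARED_INFRA:
            hits.append(Hit(src, dst, "low",
                            "indicator is shared infrastructure; "
                            "corroborate with host artifacts before escalating"))
        else:
            hits.append(Hit(src, dst, "high", INDICATORS[dst]))
    return hits


def summarize(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits by confidence level."""
    counts = {"high": 0, "low": 0}
    for hit in hits:
        counts[hit.confidence] += 1
    return counts


# Constructed sample log: one host checks webmail (shared-infra indicator),
# one host talks to a non-shared indicator, plus noise and a malformed line.
SAMPLE_LOG = [
    "2000-01-01T00:00:00Z src=10.0.0.7 dst=198.51.100.25 proto=tcp dport=443",
    "2000-01-01T00:01:10Z src=10.0.0.7 dst=203.0.113.5 proto=tcp dport=443",
    "2000-01-01T00:02:44Z src=10.0.0.12 dst=192.0.2.10 proto=tcp dport=8080",
    "malformed line without fields",
]


if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOG)
    for h in found:
        print(f"{h.confidence:4} {h.src} -> {h.dst}: {h.reason}")
    print(summarize(found))
```

Run as-is, the webmail hit from 10.0.0.7 is reported as low confidence with a request for corroboration, while the hit on the non-shared address is the only high-confidence result; the malformed line and the non-indicator destination produce nothing. The design choice is that the indicator list alone never decides severity: an address that millions of benign hosts also contact should not, by itself, generate an alert that reads as "the utility was targeted".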
The Post was criticized not only for editing their article substantially after publication in a way that was not readily apparent to readers, but for being slow to notify their audience of significant corrections to it:
From Russian hackers burrowed deep within the US electrical grid, ready to plunge the nation into darkness at the flip of a switch, an hour and a half later the story suddenly became that a single non-grid laptop had a piece of malware on it and that the laptop was not connected to the utility grid in any way.
However, it was not until almost a full hour after the utility’s official press release (at around 10:30PM EST) that the Post finally updated its article, changing the headline to the more muted “Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say” and changed the body of the article to note “Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.” Yet, other parts of the article, including a later sentence claiming that multiple computers at the utility had been breached, remained intact.
The following morning, nearly 11 hours after changing the headline and rewriting the article to indicate that the grid itself was never breached and the “hack” was only an isolated laptop with malware, the Post still had not appended any kind of editorial note to indicate that it had significantly changed the focus of the article.
Only after numerous outlets called out the Post’s changes did the newspaper finally append an editorial note at the very bottom of the article more than half a day later saying “An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid.”