Russian Hackers Said To “Penetrate US Electricity Grid” Using Outdated Ukrainian Malware
A Vermont state electric utility, Burlington Electric, announced on Friday that it had found, on one of its laptops not connected to the power grid, malware the U.S. government says is used by Russian hackers. However, as usual in such cases, there is more to the story than initially reported.
Two days after the DHS and FBI released a report revealing what the US agencies alleged was the government-controlled Russian operation behind the “hacking of the US election” which they dubbed “Grizzly Steppe”, and which had a peculiar disclaimer according to which nothing contained in the report should be taken at face value or was even credible after the DHS said it “does not provide any warranties of any kind regarding any information contained within”…
… overnight the crusade against “Russian hackers” continued following news that Russian cyberspecialists had managed to penetrate the Vermont electric grid, after a state utility, Burlington Electric, announced it had found a notebook computer containing the same malware code that the FBI and DHS had touted as linked to the Russian hackers.
According to WaPo, “Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.” On Friday night, Vermont Gov. Peter Shumlin (D) called on federal officials “to conduct a full and complete investigation of this incident and undertake remedies to ensure that this never happens again.”
As a reminder, this Thursday, when Obama unveiled sanctions against Russia and announced the expulsion of Russian state workers in the worst diplomatic clash between the two nations since the cold war, the FBI and DHS concurrently released a joint report on “Grizzly Steppe”, a hacking operation which was supposedly linked to the Russian government, and alleged that it had targeted “US persons and institutions, including from US political organizations.” In reality, what they described in the report was the simplest of spoofing operations, in which the “hackers involved in the Russian operation used fraudulent emails that tricked their recipients into revealing passwords.” In other words, if simple email spoofing – i.e., relying on the stupidity of its “American targets” – was the best the Russian government could do to “hack the US elections”, then the US had little reason to be concerned.
Which is why the US felt the need to add to the sense of urgency overnight when it accused the same “government-organized group of hackers” as having penetrated the Vermont electric grid.
Along with the report, the US security agencies released a sample of the malware code allegedly used in the Grizzly Steppe operation to compromise US computer networks. The code was also shared with executives from 16 industries around the nation, including the financial, utility, and transportation sectors. It is this code which Burlington Electric, a Vermont-based utility, allegedly found.
The company released a statement on Friday night saying that the malware code had been detected during a scan of a single company laptop. However, soon after publication of the Post’s story, it was revealed that the malware had only infected a utility company laptop that had no access whatsoever to the electrical grid. As noted by Politico cybersecurity reporter Eric Geller, the Post quickly edited its headline upon learning that the incident was far less serious than initially reported.
Compare the initial and current versions of the headline. pic.twitter.com/ejbE3A7eZ7
— Eric Geller (@ericgeller) December 31, 2016
“We took immediate action to isolate the laptop and alerted federal officials of this finding. Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems. We have briefed state officials and will support the investigation fully,” the statement said.
Naturally, the US media promptly ran with the story as further evidence of Russian hacking of critical US infrastructure and national interests: the WaPo wrote “Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say” (originally the article’s title was “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, official say”, which we now know was simply “fake news”), and the AP added “Vermont Utility Finds Malware Code Attributed to Russians.” However, as Mikael Thalen notes, the Post’s mistake was to blow the story out of proportion; that is not to suggest that nation states do not hack into one another’s critical infrastructure. Russia has successfully infiltrated the U.S. grid before, is likely inside now, and has attacked the power grids of other countries, such as Ukraine, in the past. The U.S. government likewise has gained access to foreign power grids. As part of the “Nitro Zeus” operation, the U.S. breached Iranian infrastructure and prepared to carry out cyber attacks during the early years of the Obama administration in the event that diplomatic efforts to reduce Iran’s nuclear program failed.
However, the damage was quickly done, and shortly after the statement, Vermont politicians got involved.
“Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health, and safety,” Vermont Governor Peter Shumlin said in a statement. “This episode should highlight the urgent need for our federal government to vigorously pursue and put an end to this sort of Russian meddling,” he said.
But was it really Russian meddling? After all, how does one prove not only intent but source in a world of cyberespionage, where planting false-flag clues and other Indicators of Compromise (IOCs) meant to frame a specific entity is as important as the actual hack?
Robert M. Lee, CEO and founder of cybersecurity company Dragos, which specializes in threats facing critical infrastructure, also noted that the IOCs included “commodity malware,” or hacking tools that are widely available for purchase.
1. No they did not penetrate the grid. 2. The IOCs contained commodity malware – can’t attribute based off that alone. https://t.co/AMNMVzFpFW
— Robert M. Lee (@RobertMLee) December 31, 2016
According to some cybersecurity specialists, the code came from an outdated Ukrainian hacking tool. As RT notes, IT specialists that have analyzed the code and other evidence published by the US government are questioning whether it really proves a Russian connection, let alone a connection to the Russian government. Wordfence, a cybersecurity firm that specializes in protecting websites running WordPress, a PHP-based platform, published a report on the issue on Friday.
Wordfence said they had traced the malware code to a tool available online, apparently funded by donations, called P.A.S., which claims to be “made in Ukraine.” The version cited in the FBI/DHS report is 3.1.7, while the most current version available on the tool’s website is 4.1.1b.
“One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources,” the report says.
The second part of the analysis deals with the list of IP addresses provided by the US agencies. The report says they “don’t appear to provide any association with Russia” and “are probably used by a wide range of other malicious actors.”
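The point Lee and Wordfence make, that a hit on a commodity web shell hash or on an IP from a shared list says “something matched” but not “who did it”, can be made concrete in triage logic. The following is an added example, not code from the article, Dragos or Wordfence; the hashes, the IP and the feed entries are constructed placeholders, and the version numbers are the ones the article quotes.

```python
# Added example: IOC triage for a single-host scan that separates
# "we found a match" from "we know who did it". Every hash, IP and
# feed entry below is a constructed placeholder, not a real indicator.
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str       # file hash or IP address
    kind: str        # "sha256" or "ip"
    label: str       # what the feed says the indicator is
    commodity: bool  # publicly available tool or shared infrastructure?


# Constructed feed modelled on the article: a hash said to belong to the
# P.A.S. web shell 3.1.7 (a publicly downloadable tool) and an IP listed
# without any actor-specific context. The third entry is a hypothetical
# bespoke implant, included only to show the contrasting outcome.
FEED = [
    Indicator("a" * 64, "sha256", "P.A.S. web shell 3.1.7", commodity=True),
    Indicator("203.0.113.7", "ip", "IP from a published report list", commodity=True),
    Indicator("b" * 64, "sha256", "hypothetical bespoke implant", commodity=False),
]


def triage(observed: set, feed=FEED) -> dict:
    """Match observed hashes/IPs against the feed and state what the hits support.

    Returns the matched labels, the attribution confidence those hits can
    justify on their own, and the defender's next action.
    """
    hits = [i for i in feed if i.value in observed]
    if not hits:
        return {"hits": [], "attribution": "none", "action": "no IOC match"}
    labels = [i.label for i in hits]
    if all(i.commodity for i in hits):
        # A commodity tool or shared IP shows that someone used it; it does
        # not identify who. Containment is still warranted, attribution is not.
        return {"hits": labels, "attribution": "insufficient",
                "action": "isolate host, preserve evidence, do not attribute from IOCs alone"}
    return {"hits": labels, "attribution": "candidate",
            "action": "isolate host, corroborate with TTPs and infrastructure history"}


if __name__ == "__main__":
    # Constructed scan result: the laptop carries only the P.A.S. hash.
    print(triage({"a" * 64}))
```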
Meanwhile, that little nuance, i.e., the ongoing lack of actual evidence that Russians hacked the Vermont utility, let alone the “US elections”, did not stop the Obama administration from accusing the Russian government of hacking US computer networks in order to influence the presidential election, and from using that accusation to justify imposing some of the toughest sanctions on Russia yet.
In the biggest news yesterday, however, Putin chose to ignore Obama’s punitive measures, calling their imposition a clear provocation, while saying that Moscow will build its relations with the US based on the policies of the next administration under President-elect Donald Trump, not President Barack Obama’s parting shots. In October, Putin ridiculed the idea that Russia could influence the US presidential election, saying that America was not “a banana republic.”
Shortly after Putin took the “high road” Donald Trump took to Twitter, praising Vladimir Putin, saying “Great Move On Delay – I Always Knew He Was Very Smart”, while mocking US media outlets, “Russians are playing @CNN and @NBCNews for such fools – funny to watch, they don’t have a clue!” His tweet promptly, and predictably, drew accusations of treason by many liberals.
Article originally appeared on Zero Hedge