As 2016 came to a close, the Washington Post reported on December 31 that malware code from a Russian hacking operation (called Grizzly Steppe) had penetrated the U.S. electricity grid through a Vermont utility company.
Thankfully, that wasn’t the case.
Later, the Washington Post heavily edited the article to indicate Russian hacker code was found on a laptop owned by the Vermont utility, Burlington Electric, but that the grid was not compromised.
The laptop wasn’t connected to the electricity grid and hadn’t caused any noticeable problems. Rather, it was detected after federal officials shared Russian malware indicators (code signatures and IP addresses) with executives from 16 sectors nationwide, including the utility sector (see the JAR report below). Burlington Electric ran a diagnostic, found indicators from the federal report on a single laptop, and reported it to federal officials.
Apparently, an unnamed federal official leaked the story to the Washington Post, and some important details may have been ‘lost in translation.’
On December 29, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) issued a Joint Analysis Report (JAR) identifying cyber tools and tactics used by the Russian Intelligence Services (including military and civilian actors) to compromise U.S. private and public sector entities, including targeting groups in an attempt to influence the U.S. presidential election.
Many believe the December 29 JAR was weak on technical information and strong on politics, asserting the JAR presented loose evidence of Russian involvement and was a politically motivated maneuver by the outgoing administration. Others suggest the Neutrino malware in question is available for purchase online and that IP addresses alone are a poor indicator of malicious intent.
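To make the two points above concrete (a utility checking shared indicators against its own logs, and the criticism that an IP address by itself is weak evidence), here is a small triage routine added to this post. It is not Burlington Electric's diagnostic or anything from the JAR; the indicator values and log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed indicator list standing in for a shared JAR feed (placeholders, not the report's values).
IOC_HASHES = {"0f" * 32: "malware sample (placeholder hash)"}
IOC_IPS = {"203.0.113.45": "C2 candidate (placeholder)", "198.51.100.7": "scanner (placeholder)"}

# Constructed log lines from hypothetical hosts: proxy connections and an endpoint file-hash inventory.
LOG_LINES = [
    "2016-12-30T10:01:02 host=laptop-07 type=proxy dst=203.0.113.45 dport=443",
    "2016-12-30T10:05:10 host=laptop-07 type=file sha256=" + "0f" * 32 + " path=C:\\Users\\x\\run.exe",
    "2016-12-30T11:00:00 host=scada-hmi-1 type=proxy dst=198.51.100.7 dport=80",
    "2016-12-30T11:30:00 host=ws-22 type=proxy dst=192.0.2.10 dport=443",
]

LINE_RE = re.compile(r"host=(?P<host>\S+) type=(?P<type>\S+) (?P<rest>.*)")

def parse(line):
    """Split one log line into (host, record type, remaining key=value fields)."""
    m = LINE_RE.search(line)
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return m.group("host"), m.group("type"), fields

def triage(lines):
    """Match logs against the indicator list and rate each host.

    A file-hash match is high confidence on its own. An IP-only match is rated low:
    shared hosting, CDNs and Tor exits mean a bare IP proves little without corroboration
    (such as a matching file on the same host)."""
    hits = defaultdict(list)
    for line in lines:
        host, kind, f = parse(line)
        if kind == "file" and f.get("sha256") in IOC_HASHES:
            hits[host].append(("hash", f["sha256"], IOC_HASHES[f["sha256"]]))
        elif kind == "proxy" and f.get("dst") in IOC_IPS:
            hits[host].append(("ip", f["dst"], IOC_IPS[f["dst"]]))
    result = {}
    for host, host_hits in hits.items():
        kinds = {kind for kind, _, _ in host_hits}
        confidence = "high" if "hash" in kinds else "low"
        result[host] = {"confidence": confidence, "hits": host_hits}
    return result

if __name__ == "__main__":
    for host, info in triage(LOG_LINES).items():
        print(host, info["confidence"], [h[0] + ":" + h[1][:12] for h in info["hits"]])
```

Run against the constructed logs, laptop-07 is rated high (hash plus IP), scada-hmi-1 only low (IP alone), and ws-22 does not appear at all.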
Indeed, on January 2, the Washington Post published a new story indicating the whole incident may have been just a misunderstanding, and that the utility may not have been targeted at all, let alone by the Russians. However, an investigation into the laptop is ongoing.
Still, some believe this is a success story, where the federal government shared early info enabling utilities to identify and neutralize threats before problems occurred.
Yet, Russia presents a long-standing, cyber-aggressive threat that utilities should not ignore, especially after (presumably) Russian hackers successfully penetrated and brought down the Ukrainian grid in December 2015.
But, why is Russia’s cyber game so tight? Here’s what I found after a little digging…
Apparently, in 2007, Russia made a calculated decision to direct military investments towards information warfare, concluding that this was the key to winning world conflict.
Russia uses a combination of cyber attacks, information warfare (e.g. fake news, funding NGOs), and military electronic warfare to distort its opponent’s perceptions, causing the opponent to mistakenly take wrong or harmful actions that benefit Russia. This is an information warfare technique called “reflexive control,” which Russia has apparently been using for quite some time and is now applying to cyberspace.
Also, Russia has a significant number of world-class (often criminal) hackers, who have been recruited and cultivated (or at least allowed to thrive) by the government.
Although the Washington Post got it wrong, there is proof that Russian hackers have infiltrated U.S. energy infrastructure in the past, both in terms of IT systems and operational controls. While many utilities rely on separation between IT systems and the control systems that operate infrastructure, increased automation and other factors may be weakening the separation between virtual and physical control systems, leading to increased vulnerabilities.
So, the Burlington Electric “attack” was all hype, but that doesn’t mean utilities should let their guard down.