The power grid hack that wasn’t – Vermont’s Burlington Electric

The schadenfreude is real, but Friday’s story by the Post is a perfect example of how hacking coverage can go sideways in no time flat

On Friday, the Washington Post reported that Russian hackers had penetrated the U.S. power grid by compromising a utility in Vermont. The story was altered, and the initial claims were eventually retracted, but by the time this happened, the news had spread to other media outlets.

Given the hype around the White House sanctions against Russia over hacking the U.S. election, widely reported the previous day, the story the Post was chasing was certain to have legs and get plenty of attention - especially since they were going to be the first to report it.

The process behind getting this story to print is where things started to break down.

The Post story, prior to edits and retractions, relied heavily on anonymous government sources. Moreover, archives of the original story show no mention of attempts to contact the two utilities in Vermont prior to publication. Had they done so, Burlington Electric would have given them a statement of facts.

Anonymous sources are sometimes a necessary evil when it comes to covering security topics, but that doesn’t mean the information they share shouldn’t be questioned or verified.

As it turns out, Burlington Electric did what they were supposed to do, and the sources who leaked the details to the Post were either misunderstood by the reporters, or failed to understand the significance of proactive scanning.

In a statement, Burlington Electric said they used the IOCs released by DHS and the FBI on December 29 to scan their network.

As it turns out, they got a hit and Burlington Electric reported this to DHS. Again, this is exactly what they should’ve done. After the results of the scan were reported, someone leaked those details to the Post.

But, almost like a game of telephone, the critical details got lost.

“There is no indication that either our electric grid or customer information has been compromised. Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false,” the utility said in a statement.

In short, a single laptop, not connected to the utility's grid systems, was flagged as part of the scan. So does that mean it was infected? Does that mean Russians had targeted the utility, and were using this laptop as a gateway to get further into the grid? No. Not even close.

As it turns out, the laptop was being used by an employee to check their Yahoo account, and the IP traffic generated by that activity matched one of the IPs released by DHS and the FBI. An important caveat, however: most of the IP addresses released by the agencies are benign on their own, and a large chunk of them are Tor exit nodes, which any host on the internet might legitimately exchange traffic with.
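Here is what the scan Burlington Electric ran, and the triage it should have received, looks like in practice. This is an added example, not code from the utility, DHS or the article: it matches constructed outbound-connection log lines against a constructed indicator list (documentation-range addresses, not the real released IOCs), enriches each hit with whether the indicator is a known Tor exit node and whether the source host sits on an OT/grid network, and assigns a confidence level from that context. The log format, the asset inventory and the confidence rules are all assumptions for illustration.

```python
"""Match outbound connection logs against an IP indicator list and triage hits.

An IP match shows only that a host exchanged traffic with an address on the
list. It is evidence, not proof of compromise, so each hit carries context
(Tor exit node? OT source host?) and a confidence level derived from it.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed indicator list standing in for a government IOC release.
# Documentation-range addresses only; these are not real indicators.
IOCS = {"203.0.113.7", "203.0.113.40", "198.51.100.12"}

# Constructed Tor exit-node list. In practice this is refreshed from the
# Tor project's published bulk exit list.
TOR_EXITS = {"203.0.113.7", "203.0.113.40"}

# Constructed asset inventory: networks that hold grid-control (OT) hosts.
OT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Assumed firewall/proxy log format: "<ts> src=<ip> dst=<ip> dport=<n> [host=<sni>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+)(?: host=(?P<host>\S+))?$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    host: Optional[str]
    tor_exit: bool
    ot_source: bool
    confidence: str
    note: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_ot_host(ip: str) -> bool:
    """True if the address falls inside an OT/grid network from the inventory."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def triage(event: dict, iocs=IOCS, tor_exits=TOR_EXITS) -> Optional[Hit]:
    """Return a Hit with context and confidence if the destination is an indicator."""
    if event["dst"] not in iocs:
        return None
    tor = event["dst"] in tor_exits
    ot = is_ot_host(event["src"])
    if ot:
        # Any indicator contact from the control network is worth a full response.
        confidence = "high"
        note = "indicator contacted from OT/grid network; isolate host and investigate"
    elif tor:
        # Tor exits are shared infrastructure; a corporate laptop reaching one
        # is not, by itself, evidence of a targeted intrusion.
        confidence = "low"
        note = "indicator is a Tor exit node; confirm on the host before escalating"
    else:
        confidence = "medium"
        note = "non-Tor indicator from corporate host; collect host artifacts"
    return Hit(event["ts"], event["src"], event["dst"], event["dport"],
               event["host"], tor, ot, confidence, note)


def scan(lines: List[str], iocs=IOCS, tor_exits=TOR_EXITS) -> List[Hit]:
    """Run every parsable line through triage and return the hits in log order."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        hit = triage(event, iocs, tor_exits)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample log: a corporate laptop (10.0.5.23) doing webmail, an OT
# host (10.10.3.9) reaching an indicator, a malformed line, and a corporate
# host reaching a non-Tor indicator.
SAMPLE_LOG = [
    "2016-12-30T09:12:44Z src=10.0.5.23 dst=203.0.113.7 dport=443 host=mail.example.com",
    "2016-12-30T09:13:01Z src=10.0.5.23 dst=192.0.2.55 dport=443 host=mail.example.com",
    "2016-12-30T09:15:10Z src=10.10.3.9 dst=198.51.100.12 dport=502",
    "this line is not in the expected format",
    "2016-12-30T09:16:00Z src=10.0.7.8 dst=198.51.100.12 dport=8080",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} [{h.confidence}] {h.note}")
```

The low-confidence path is the one that matters for the story above: a webmail session from a corporate laptop touching an address that is also a Tor exit node is exactly the sort of hit that should be reported and checked, but not announced as a grid intrusion.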

“Federal officials have indicated that this specific type of Internet traffic also has been observed elsewhere in the country and is not unique to Burlington Electric. It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country,” the utility said.

So at the end of the day, all of this hype was because of someone checking email. Well, this isn’t the first time email has triggered panic.

In 2011, the Post published a story claiming that foreign hackers had caused a water pump in Illinois to fail. The story noted that, if confirmed, the incident would be the first time a utility in the U.S. had been attacked in such a way.

The story went viral, and utility hacking became the topic of interest in the following week. However, seven days later, the Post printed a follow-up, stating the original story “incorrectly described a source’s summary of a federal investigation.”

“The finding was that a contractor who logged on to the plant’s computer system while traveling in Russia created the erroneous impression of a cyberattack, not that the log-in caused the malfunction itself,” the Post said.

At the end of 2016, there was a major backlash against clickbait headlines, or “fake news” and a major media push to warn the public about Russian hackers. But when the basics are skipped, such as source verification and fact checking, it’s hard for those who are not technically savvy to determine hype from reality.

Thing is, Russian hackers have always been here, and they’re not the only ones targeting companies or people in the U.S. A few years back, China was the monster of the moment. When the Post’s story dropped, most security experts questioned its validity immediately.

They’re experts, and finding possible evidence of an attack is nothing new to them. Yet, they also know that possible evidence is not proof positive. Problem is, the larger public doesn’t know that. What they know is what they’re reading – published by one of the world’s largest, and most trusted, news organizations.

To be fair, the Post did correct the record, and on Monday published a follow-up story explaining that the original claims were mistaken. They’ve also altered the headline and tone of the original story.

Hopefully, we can chalk this up to lesson learned and move forward.
