A Vermont utility was for a brief moment last week at the center of a geopolitical scandal in which the Russian government was implicated in an attack against a U.S. electric grid.
As it turns out, a laptop at Burlington Electric Department was infected with the Neutrino Exploit Kit. There was no targeted attack. There was no attempt to access the grid, and no one tried to shut off the lights in the dead of winter. A Burlington Electric employee, like thousands of other Neutrino victims, was popped somewhere along the line with commodity malware.
Representatives from the utility said that computer was not connected to the grid and immediately tried to distance themselves from the mess.
“Federal officials have indicated that this specific type of Internet traffic also has been observed elsewhere in the country and is not unique to Burlington Electric,” said Neale Lunderville, general manager for Burlington Electric. “It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.”
With a rocky presidential transition under way and nerves frayed over allegations that Russia’s intelligence community sponsored attacks in an attempt to sway the election in Donald Trump’s favor, too many officials were too quick to jump to conclusions when it came attribution for the hack against Burlington Electric.
It was an unfortunate rush to judgment, and one that is going to continue because too many elected officials and decision-makers aren’t schooled in cyber. Politicians are getting better slowly out of simple necessity, but all you need to do is watch a subcommittee hearing on anything cyber, be it APTs, IoT security or data breaches, and you’ll quickly see that pols remain way out of step. Yet in this arena of national security and attacks against critical infrastructure, you need to know who the bad guy is on the other side of the command prompt.
Attribution is really hard. Even the best of the best investigators, researchers and forensics experts are never 100 percent sure of the “who” when it comes to targeted attacks. They can tell you with a fair degree of certainty details about the “when” and “how,” but “who” is a whole different game.
If you’re going to catch a very talented state-sponsored hacking outfit, you need reliable technical indicators of compromise, some evidence these techniques have been used elsewhere by the same crew, and you need them to mess up. Luck goes hand-in-hand with expertise, and sometimes your good luck also turns out to be your misfortune. More attack groups are laying down land mines, false flags to throw good guys off the scent. Kaspersky Lab researchers Juan Andres Guerrero-Saade and Brian Bartholomew released a paper during Virus Bulletin in October on attribution in targeted attack research and describe how much of an inexact science this is. A good chunk of their paper delves into the deliberate attempts by adversaries to disrupt analysis of attacks, and the consequences of rash attribution.
“At a time when ‘hacking back’ is discussed as a legitimate option for victims, and governments are willing to take heavy-handed geopolitical retribution on the basis of threat intelligence products, misattribution can have a hefty cost,” the paper says.
The confluence of unfortunate events in publicizing the Burlington Electric story centers on two Washington Post articles, which in the span of three days reported an attack against the grid, tied it to the Russian government. The Washington Post eventually back-pedaled on Monday after Burlington Electric came forward and admitted it was the utility in question and said only the one laptop was infected.
“We detected suspicious Internet traffic in a single Burlington Electric Department computer not connected to our organization’s grid systems,” Lunderville said. “We took immediate action to isolate the laptop and alerted federal officials of this finding.”
This was an imperfect storm of events that began with the Dec. 29 release of a Joint Analysis Report by DHS and the FBI on Grizzly Steppe, and the Obama administration’s sanctions against Russian intelligence agents who were named, and the expulsion of 35 diplomats from the U.S. In the JAR, U.S. authorities connected Russian civilian and military intelligence services to attacks against networks tied to the U.S. election. Details in the JAR are thin, though it calls out APT28 and APT29 by name as the culprits. APT28 is Sofacy, a group widely believed to be linked to Russian military intelligence (GRU) while APT29 is believed to be Cozy Bear, the group behind the MiniDuke operations uncovered by Kaspersky Lab.
On its surface, the JAR was supposed to be the definitive link between the election hacks and Russia. Security experts were quick to pump the brakes last week and pointed out the jargon and high-level simplicity of the report did just the opposite. And now we have the Burlington Electric hack-that-wasn’t, fueled by incomplete reporting on the Post’s part and politicians eager to identify a villain, compounding the stress and anxiety already in the air.
This is exactly why attribution is a rabbit hole that researchers have treaded lightly around for years; some vendors just won’t tie attacks to countries or specific adversaries, thus the reason we have names for APT gangs such as Sofacy, Equation, MiniDuke and many others. There are many lessons here, the biggest perhaps being that there’s very little that’s definitive when it comes to computer security, making it imperative that we’re responsible about attribution.