Two days before the start of the New Year’s holiday weekend, the Department of Homeland Security shared technical details and indicators of compromise related to tools used by Russian intelligence services in attacks allegedly attempting to influence the U.S. presidential election.
Dutifully, IT administrators at Burlington Electric Department, one of 17 electric distribution utilities in Vermont, fed those IOCs into its scanners. The IOCs included a list of hundreds of IP addresses believed used by the Sofacy and Cozy Bear APT groups in attacks worldwide against strategic targets such as government agencies, diplomatic institutions, military organizations, defense contractors and public policy research institutes.
Last Friday morning, as workers prepped for the three-day weekend, one of those signatures fired off an alert at Burlington Electric that triggered a series of events that nearly culminated in a geopolitical nightmare. In the short span of a workday, Burlington Electric went from a nondescript utility in one of the smallest states in the union, to “the grid hacked by the Russians.” And as it turned out, it was all because one of the IOCs was a benign IP address belonging to Yahoo.
“We updated our scanning systems to look for that information (the IOCs), and Friday morning when one of our employees checked email on Yahoo.com, our scanner detected network traffic to an IP address listed there,” Burlington Electric Department general manager Neale Lunderville told Threatpost today. “Based on that alert, we isolated the computer and reached out to the Feds to let them know what we saw.”
By 8 p.m., the Washington Post was reporting that a Vermont utility had been penetrated and that the electric grid had been hacked. Calls began flooding Burlington Electric from other utilities and the media asking whether the grid had been breached. No one was more surprised than Lunderville and his staff, who quickly surmised that the report sent to DHS earlier in the day was the likely trigger.
The initial reports from the Washington Post did not identify the allegedly attacked grid, but once the calls began, Burlington Electric put out statements identifying itself as the “victim” in question and, more importantly, stressing that only one isolated computer was involved, and that neither the grid nor critical systems had been compromised.
“We sent the report to the Feds and their indication was that they would get back to us. We went home and the report broke—and it was wrong,” Lunderville said, adding that the first Washington Post story was posted at 7:55 p.m. and the first indications that reporters were reaching out to them came at 8:05 p.m. Officials at Green Mountain Power, another Vermont utility, told Burlington Electric that the Washington Post contacted them at 7:59, minutes after the article was published online. The Washington Post has since corrected its initial reporting.
“We were trying to sort this out. Was it new? When calls came in asking whether the grid had been breached, that was a different question (than what was reported to the Feds),” Lunderville said. “We did put two-and-two together quickly that this was a result of the report we filed.”
Control center operators were not seeing any indications that the grid had been breached, yet remained vigilant, Lunderville said.
“We wanted to quickly put a statement out that it was us, and that we were not breached,” Lunderville said. “We wanted to stop what would be public panic if hackers had penetrated the electric grid. We had an obligation to our customers and to America to let them know this had not occurred.”
Security analysts have been critical and skeptical of the initial DHS Grizzly Steppe report since it was released last Thursday. The report was positioned as a definitive link between the Russians and the DNC hack that dominated coverage of the election last summer. Instead, analysts were puzzled because the report didn’t share much more than was already known about APT28 and APT29, and they demanded more concrete evidence for analysis.
“You had the DHS and US-CERT issue the ‘GRIZZLY-STEPPE’ report ‘attributing those compromises to Russian malicious cyber activity.’ It does nothing of the sort,” said Robert Graham of Errata Security in a scathing letter to President Obama published yesterday. In it, Graham said the Grizzly Steppe report had the opposite effect intended by the Obama administration. “It’s full of garbage. It contains signatures of viruses that are publicly available, used by hackers around the world, not just Russia. It contains a long list of IP addresses from perfectly normal services, like Tor, Google, Dropbox, Yahoo, and so forth. Yes, hackers use Yahoo for phishing and malvertising. It doesn’t mean every access of Yahoo is an ‘Indicator of Compromise.’”
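The failure mode described above, a raw IP list loaded straight into a scanner with no vetting, is the kind of thing a SOC can catch before deployment. The following is an added illustration, not code from Burlington Electric, DHS or Threatpost: it triages an IOC feed against an allowlist of shared-service ranges so that hits on webmail or cloud-storage infrastructure are demoted to low confidence and trigger review rather than host isolation. The feed entries, the range names and the ranges themselves are constructed placeholders (RFC 5737 documentation addresses), not the real indicators from the report.

```python
import ipaddress

# Constructed sample feed in the style of a shared IOC list. These are
# RFC 5737 documentation addresses, not indicators from the DHS report.
SAMPLE_IOC_FEED = [
    "198.51.100.7",
    "203.0.113.42",
    "192.0.2.200",
    "198.51.100.99",
]

# Constructed allowlist standing in for the address space of large shared
# services (webmail, cloud storage, Tor exits). Placeholder names and ranges.
SHARED_SERVICE_RANGES = {
    "example-webmail": ipaddress.ip_network("198.51.100.0/24"),
    "example-cloud-storage": ipaddress.ip_network("203.0.113.0/25"),
}


def classify_ioc(ioc: str) -> dict:
    """Label one indicator: 'high' if it overlaps nothing benign,
    'low' if it sits inside a shared-service range, 'invalid' otherwise."""
    try:
        addr = ipaddress.ip_address(ioc)
    except ValueError:
        return {"ioc": ioc, "confidence": "invalid", "reason": "not an IP address"}
    for name, net in SHARED_SERVICE_RANGES.items():
        if addr in net:
            return {"ioc": ioc, "confidence": "low",
                    "reason": f"inside shared service range {name}"}
    return {"ioc": ioc, "confidence": "high", "reason": "no shared-service overlap"}


def triage_feed(feed):
    """Classify every entry in the feed."""
    return [classify_ioc(entry) for entry in feed]


def deployable(feed):
    """Only high-confidence indicators go to the alerting scanner; the rest
    are kept for correlation so a webmail login does not isolate a host."""
    return [r["ioc"] for r in triage_feed(feed) if r["confidence"] == "high"]


def alert_action(dst_ip: str) -> str:
    """Map a scanner hit on dst_ip to a response tier before anyone isolates
    a machine or files a report with an outside partner."""
    conf = classify_ioc(dst_ip)["confidence"]
    return "isolate-and-report" if conf == "high" else "enrich-and-review"
```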
While the incident didn’t disrupt operations at Burlington Electric, it did put its response teams unnecessarily through their paces and raises the question of how trustworthy future information sharing from the government can be. Lunderville said this is something he and his industry peers want to work through.
“It’s a shame this happened; it does undermine the confidence we could have working with that kind of partner,” Lunderville said. “As an industry, we have to push through and find a way to work through this. They have the best intelligence to protect our customers and our portion of the grid. They need to conversely protect information when we share it with them. This incident shouldn’t be a roadblock, but an opportunity to have a discussion about how to make this partnership work.”