Russian link to malware on Burlington Electric Department computer now in question

BURLINGTON — It’s unclear whether malware discovered on a Burlington Electric Department laptop, which wasn’t connected to the electric grid, originated with Russian operatives.

A VTDigger report last Friday said that Russian hackers penetrated the laptop. That assertion was based on information from a Friday BED statement, which said that the malware code discovered last week was “used in Grizzly Steppe, the name (the Department of Homeland Security) has applied to a Russian campaign linked to recent hacks.”

BED Director Neale Lunderville said in an interview that his company has received no further information from federal officials as to the malware’s source.

“The intelligence around this is not our job,” Lunderville said. “We take the information they give us and report back. The feds will determine where the threat came from and what, if anything, should be done.”

Neale Lunderville. File photo.

However, The Washington Post, which initially reported inaccurately that the hack penetrated the electric grid and that Russia was responsible, has since corrected its initial report and published two subsequent reports calling any Russian involvement into question.

The Post said it received bad information from anonymous authorities who leaked to them “without having all the facts and before law enforcement officials were able to investigate further.”

Moreover, it does not appear that BED was targeted with the malware. In a subsequent statement Saturday, BED said federal officials indicated that “the specific type of Internet traffic, related to recent malicious cyber activity that was reported by us (on Friday), also has been observed elsewhere in the country and is not unique to Burlington Electric.”

BED officials discovered the malware Friday morning after DHS and FBI officials issued a report to the electric industry asking them to conduct scans for evidence of the Russian hacking operation, which was reportedly responsible for the Democratic National Committee hack last year.

The code was flagged when a Burlington Electric employee checked their email account. Experts told the Post that because millions of people visit Yahoo’s email servers daily, the fact that the traffic triggered an alert doesn’t indicate that BED was being targeted.

Sen. Patrick Leahy, D-Vt., who issued a fiery statement Saturday condemning Russian hackers for “trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter,” walked back his response in a new statement released Wednesday.

The two-paragraph statement doesn’t mention Russia once, but says in part that, “I am grateful that the initial news report was inaccurate and that the affected laptop of a Vermont utility was not connected to the power grid. This does not change the fact that we face serious threats to our critical infrastructure, and I will continue to do everything I can to protect Vermont and the rest of the country from cyber threats.”

The Post reported concerns from government officials that the episode with Burlington Electric could have a chilling effect on utilities’ willingness to come forward when they detect suspicious internet activity.

“This is Exhibit A for why utilities might be cautious about sharing information with the federal government,” Lunderville said. Still, Burlington Electric will continue to report anything turned up in routine scans, he said.

“I’m certainly disappointed in one or two federal officials that decided to leak this, but let’s not throw the baby out with the bathwater,” Lunderville said.

A BED team responding to the public relations nightmare sparked by the Post story published Friday has worked nonstop ever since, Lunderville said.

He said his greatest concern was communicating to BED customers that their lights weren’t going to shut off and that their account information wasn’t compromised.

“I think within 24 hours most of our customers understood that the threat reported by the Washington Post was inaccurate,” Lunderville said.

Morgan True