A VTDigger report last Friday said that Russian hackers penetrated the laptop. That assertion was based on information from a Friday BED statement, which said that the malware code discovered last week was “used in Grizzly Steppe, the name (the Department of Homeland Security) has applied to a Russian campaign linked to recent hacks.”
BED Director Neale Lunderville said in an interview that his company has received no further information from federal officials as to the malware’s source.
“The intelligence around this is not our job,” Lunderville said. “We take the information they give us and report back. The feds will determine where the threat came from and what, if anything, should be done.”
However, The Washington Post, which initially reported inaccurately that the hack penetrated the electric grid and that Russia was responsible, has since corrected its initial report and published two subsequent reports calling any Russian involvement into question.
The Post said it received bad information from anonymous authorities who leaked to them “without having all the facts and before law enforcement officials were able to investigate further.”
Moreover, it does not appear that BED was targeted with the malware. In a subsequent statement Saturday, BED said federal officials indicated that “the specific type of Internet traffic, related to recent malicious cyber activity that was reported by us (on Friday), also has been observed elsewhere in the country and is not unique to Burlington Electric.”
BED officials discovered the malware Friday morning after DHS and FBI officials issued a report to the electric industry asking them to conduct scans for evidence of the Russian hacking operation, which was reportedly responsible for the Democratic National Committee hack last year.
The code was flagged when a Burlington Electric employee checked their Yahoo.com email account. Experts told the Post that because millions of people visit Yahoo’s email servers daily, the fact that the traffic triggered an alert doesn’t indicate that BED was being targeted.
Sen. Patrick Leahy, D-Vt., who issued a fiery statement Saturday condemning Russian hackers for “trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter,” walked back his response in a new statement released Wednesday.
The two-paragraph statement doesn’t mention Russia once, but says in part, “I am grateful that the initial news report was inaccurate and that the affected laptop of a Vermont utility was not connected to the power grid. This does not change the fact that we face serious threats to our critical infrastructure, and I will continue to do everything I can to protect Vermont and the rest of the country from cyber threats.”
The Post reported concerns from government officials that the episode with Burlington Electric could have a chilling effect on utilities’ willingness to come forward when they detect suspicious internet activity.
“This is Exhibit A for why utilities might be cautious about sharing information with the federal government,” Lunderville said. Still, Burlington Electric will continue to report anything turned up in routine scans, he said.
“I’m certainly disappointed in one or two federal officials that decided to leak this, but let’s not throw the baby out with the bathwater,” Lunderville said.
A BED team responding to the public relations nightmare sparked by the Post story published Friday has worked nonstop ever since, Lunderville said.
He said his greatest concern was communicating to BED customers that their lights weren’t going to shut off and that their account information wasn’t compromised.
“I think within 24 hours most of our customers understood that the threat reported by the Washington Post was inaccurate,” Lunderville said.