As federal officials investigate suspicious Internet activity found last week on a Vermont utility computer, they are finding evidence that the incident is not linked to any Russian government effort to target or hack the utility, according to experts and officials close to the investigation.
An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.
The investigation by officials began Friday, when the Vermont utility reported its alert to federal authorities, some of whom told The Washington Post that code associated with the Russian hackers had been discovered within the system of an unnamed Vermont utility. On Friday evening, The Post published its report, and Burlington Electric released a statement identifying itself as the utility in question and saying the firm had “detected the malware” in a single laptop. The company said in its statement that the laptop was not connected to its grid systems.
The Post initially reported incorrectly that the country’s electric grid had been penetrated through a Vermont utility. After Burlington Electric released its statement saying that the potentially compromised laptop had not been connected to the grid, The Post immediately corrected its article and later added an editor’s note explaining the change.
U.S. officials are continuing to investigate the laptop. In the course of their investigation, though, they have found on the device a package of software tools commonly used by online criminals to deliver malware. The package, known as Neutrino, does not appear to be connected with Grizzly Steppe, which U.S. officials have identified as the Russian hacking operation. The FBI, which declined to comment, is continuing to investigate how the malware got onto the laptop.
Initially, company officials publicly said they had detected code that had been linked by the Department of Homeland Security to Grizzly Steppe.
Over the weekend, the company issued a statement, saying only that it had “detected suspicious Internet traffic” on the computer in question.
The murkiness of the information underlines the difficulties faced by officials as they try to root out Grizzly Steppe and share with the public their findings on how the operation works. Experts say the situation was made worse by a recent government report, which they described as a genuine effort to share information with the industry but criticized as rushed and prone to causing confusion. Authorities also were leaking information about the utility without having all the facts and before law enforcement officials were able to investigate further.
The incident comes as President-elect Donald Trump has cast doubt on the findings of intelligence officials that the Russians conducted a hacking operation designed to help him win the White House.
Experts also said that because Yahoo’s mail servers are visited by millions of people each day, the fact that a Burlington Electric employee checking email touched off an alert is not an indication that the Russian government was targeting the utility.
“It’s not descriptive of anything in particular,” said Robert M. Lee, chief executive of Dragos, a cybersecurity firm.
The company said it was told much the same thing by authorities. “Federal officials have indicated that the specific type of Internet traffic, related to recent malicious cyber activity that was reported by us [on Friday], also has been observed elsewhere in the country and is not unique to Burlington Electric,” company spokesman Mike Kanarick said in a statement.
The FBI and DHS released a report last week intended to prompt companies to search their systems for any evidence of a Russian hacking operation that they concluded had infiltrated Democratic Party servers. The document was intended to help companies mitigate Russian hacking and report any suspicious activity to the government. That report itself contained a caution regarding the suspicious IP addresses it listed: “Upon reviewing the traffic from these IPs, some traffic may correspond to malicious activity, and some may correspond to legitimate activity.”
The discovery of the laptop issue has prompted criticism that the government provided overly broad information to companies that was not effective in isolating Russian government hacking.
“That report offered no technical value for defenders,” Lee said. “It was very much high level and nothing in there was specifically descriptive of Russian activity.”
Some in the administration are concerned that this episode with the Vermont utility will cause industry officials to avoid sharing information with the government, for fear that it will be leaked. The company in this case, a U.S. official said, “did what it was supposed to do.”
Experts also expressed concerns regarding the report released by DHS and the FBI on the Russian hacking operation. The report said it was providing “technical details regarding the tools and infrastructure used by the Russian civilian and military intelligence services” to “compromise and exploit” political, government and private computer networks. The government released the document on the same day it announced a series of measures taken to punish the Russian government for its interference in the 2016 presidential election, including the DNC hacks.
But a range of cybersecurity experts say that although the intention of the report was good, it lacked specific details that would enable firms to detect Russian government hackers.
At least 30 percent of the IP addresses listed were commonly used sites such as public proxy servers used to mask a user’s location, and servers run by Amazon.com and Yahoo. (Amazon’s founder and chief executive, Jeffrey P. Bezos, owns The Washington Post.) The IP address information alone is not useful, experts noted. Moreover, a server that is used by Russian spies one year might be used by “granny’s bake shop” the next, Lee said.
“No one should be making any attribution conclusions purely from the indicators in the [government] report,” tweeted Dmitri Alperovitch, chief technology officer of CrowdStrike, which investigated the DNC hack and attributed it to the Russian government. “It was all a jumbled mess.”
A senior DHS official, speaking on the condition of anonymity to discuss a sensitive security matter, defended the report.
“We know the Russians are a highly capable adversary who conduct technical operations in a manner intended to blend into legitimate traffic,” the official said. The indicators of compromise contained in the report, he said, “are indicative of that. That’s why it’s so important for net defenders to leverage the recommended mitigations contained in the [report], implement best practices, and analyze their logs for traffic emanating from those IPs, because the Russians are going to try and hide evidence of their intrusion and presence in the network.”
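One way to act on the “analyze their logs” advice while still honoring the report's own caution that some listed IPs also carry legitimate traffic, as an added example that is not from the article, the government report, or any organization named here: matches against the indicator list are graded by whether the IP is known shared infrastructure, so a hit on a proxy or webmail address is queued for corroboration rather than raised as an alert. The indicator list, the shared-infrastructure annotations and the firewall lines are all constructed (RFC 5737 documentation addresses), and the log format and confidence labels are assumptions.

```python
import re

# Constructed stand-in for the IP list in a published indicator report.
# RFC 5737 documentation ranges are used so none of these is a real indicator.
REPORT_INDICATORS = {"192.0.2.10", "198.51.100.7", "203.0.113.44"}

# Constructed context: listed IPs that are also shared infrastructure
# (public proxies, large cloud or webmail providers), modelling the
# overlap the article describes. Hits on these need corroboration.
SHARED_INFRA = {
    "198.51.100.7": "public proxy",
    "203.0.113.44": "cloud / webmail provider",
}

# Constructed firewall lines in an assumed "ts src dst action" format.
SAMPLE_LOG = """\
2016-12-30T09:14:02Z 10.1.1.25 192.0.2.10 ALLOW
2016-12-30T09:14:05Z 10.1.1.25 203.0.113.44 ALLOW
2016-12-30T09:15:11Z 10.1.1.40 192.0.2.200 ALLOW
2016-12-30T09:16:30Z 10.1.1.25 198.51.100.7 DENY
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def triage(log_text):
    """Return one record per line whose source or destination is a listed
    indicator. Confidence is 'high' when the IP is not known shared
    infrastructure and 'low' (corroborate before escalating) when it is."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip unparseable lines
        ts, src, dst, action = m.groups()
        matched = next((ip for ip in (dst, src) if ip in REPORT_INDICATORS), None)
        if matched is None:
            continue
        context = SHARED_INFRA.get(matched)
        hits.append({
            "ts": ts, "src": src, "dst": dst, "action": action,
            "indicator": matched,
            "confidence": "low" if context else "high",
            "note": context or "not known shared infrastructure",
        })
    return hits


def summarize(hits):
    """Count hits per confidence level, e.g. for a daily triage report."""
    counts = {"high": 0, "low": 0}
    for h in hits:
        counts[h["confidence"]] += 1
    return counts
```

The grading only reflects what is known about the indicator itself; a low-confidence hit still deserves a look at what the host did next, which is where the article's Yahoo example ended up.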
The official said the information shared was “precisely the type of information DHS should be sharing, particularly since we know that cybersecurity capabilities differ among companies and organizations.”
The nation’s electrical grid is not a physical entity, but rather a series of networks that generate, transmit and distribute electricity. There are three primary networks (the Eastern Interconnect, the Western Interconnect and the Electric Reliability Council of Texas) and smaller grids within those three groups. Each amounts to an industrial control system that dispatches electricity from where it is generated to the consumers who use it.
While these systems include redundancies to prevent any disruptions in service, and human operators oversee them, the functioning of the country’s grid is also highly automated. Experts say that this results in the system being more vulnerable to hacking attacks.
Utilities connected to the grid are routinely subjected to penetration efforts, but the U.S. electrical grid has never lost its transmission capacity because of such attempts.
“This is an example of the system working, and us getting bad things off our system as soon as they’re known,” said Nathan Mitchell Sr., who directs electric reliability standards and security at the American Public Power Association.
He added that while federal authorities inform utilities on a daily basis about potential threats to the grid, when it came to Thursday’s joint report, “A presidential directive and a high-profile release on this brought it to the forefront.”
Adam Entous contributed to this report.