Your Weekly Alarming Anonymous Friday Night WaPo Dump: Vermont Electrical Grid Edition

It seems like every Friday this month there has been an alarming Friday night news dump in the WaPo based on anonymous leaks. This time, it’s a story claiming that

Russian hackers penetrated U.S. electricity grid through a utility in Vermont

The anonymous officials behind this story have just squandered the efforts of a slew of infosecurity professionals trying to get non-experts to take the attribution of the DNC hack seriously.

The story, which features WaPo White House bureau chief Julie Eilperin first on the byline (followed by the usually strong Adam Entous) but does not include WaPo’s cybersecurity reporter Ellen Nakashima at all, claims that “a code” associated with the family of signatures tied to several Russian hacking groups, which Obama dubbed Grizzly Steppe for the purposes of yesterday’s CERT report, was found “within the system of a Vermont utility.” The language of the story — what do they mean by “code”??? — exhibited no certitude about what the finding actually meant.

The original version of the story included no comment from Burlington Electric Department, though one was added after the Burlington Free Press revealed that the “code” was not actually in the grid at all, but on a laptop unattached to it. As the Free Press explained, there’s really no reason to worry this would affect the grid.

The utility found the malware Friday on a laptop after the Obama administration released code associated with the campaign, dubbed Grizzly Steppe, on Thursday.

The aim of the release was to allow utilities, companies and organizations to search their computers for the digital signatures of the attack code, to see if they had been targeted.

The computer on which the malware was found was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia said.

Based on his knowledge, Recchia said Friday night he did not believe the electrical power grid was at risk from the incident. “The grid is not in danger,” Recchia said. “The utility flagged it, saw it, notified appropriate parties and isolated that one laptop with that malware on it.”

So here’s what appears to have happened.

Yesterday, along with all the sanction-related information, DHS released a US-CERT report attempting to draw together all the signatures from the two Russia-related hacking groups accused of hacking the DNC. Numerous security experts have criticized it, noting that it reads like “a poorly done vendor intelligence report stringing together various aspects of attribution without evidence” and finding that “21% (191 of 876) of [IP addresses included in the report] were TOR exit nodes,” meaning the report contains a lot of worse-than-useless details.

That in and of itself was a problem. But then potential Russian targets, including utilities, started scanning their systems for the malware included in the report, and one of two Vermont utilities found one malware signature on a laptop and alerted the government. The other one is spending its Friday night insisting it was unaffected.
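The paragraphs above describe organizations scanning for a shared indicator list that mixes Tor exit nodes with real infrastructure. As an added example (not code from the post or from the US-CERT report), here is how a consuming organization could vet such a feed and triage matches by indicator fidelity and by where the matching host sits; every indicator, the Tor exit snapshot and the log lines are constructed:

```python
"""Vet a shared indicator feed before alerting on it.

Constructed example: the feed, the Tor exit snapshot and the log lines are
made up for illustration and are not taken from any real report or network.
"""
from dataclasses import dataclass
import ipaddress
import re

# Constructed indicator feed, one IP per line (not the real Grizzly Steppe list).
INDICATOR_FEED = """\
# constructed sample feed
203.0.113.10
203.0.113.11
198.51.100.5
198.51.100.77
192.0.2.200
"""

# Constructed snapshot of Tor exit nodes. A real check needs a dated exit-list
# snapshot, because exits come and go and a stale list misclassifies both ways.
TOR_EXITS = {"198.51.100.5", "198.51.100.77", "192.0.2.200"}

# Constructed outbound-connection log: one flow per line, with the host's
# network zone ("corp" office network vs "ot" grid control network).
LOG_LINES = """\
2016-12-30T21:03:11Z host=laptop-42 zone=corp dst=198.51.100.5 dport=443
2016-12-30T21:04:58Z host=laptop-42 zone=corp dst=203.0.113.10 dport=80
2016-12-30T21:05:03Z host=hmi-01 zone=ot dst=10.20.0.5 dport=502
"""


@dataclass(frozen=True)
class Indicator:
    ip: str
    fidelity: str  # "low" for Tor exit nodes, "usable" otherwise


def vet_feed(feed: str, tor_exits: set) -> list:
    """Parse the feed and tag each indicator with a fidelity level."""
    indicators = []
    for raw in feed.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ipaddress.ip_address(raw)  # raises ValueError on a malformed entry
        fidelity = "low" if raw in tor_exits else "usable"
        indicators.append(Indicator(raw, fidelity))
    return indicators


def tor_share(indicators: list) -> int:
    """Percentage of indicators that are Tor exits, rounded to whole percent."""
    if not indicators:
        return 0
    low = sum(1 for i in indicators if i.fidelity == "low")
    return round(100 * low / len(indicators))


LOG_RE = re.compile(r"host=(\S+) zone=(\S+) dst=(\S+)")


def triage(log_text: str, indicators: list) -> list:
    """Return (severity, host, dst) for each flow whose destination is in the feed.

    A hit on a Tor-exit indicator from an office host is logged as "info":
    it shows only that the host reached a shared exit, not who was behind it.
    Any hit from the control network is escalated regardless of fidelity.
    """
    by_ip = {i.ip: i for i in indicators}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host, zone, dst = m.groups()
        ind = by_ip.get(dst)
        if ind is None:
            continue
        if zone == "ot":
            severity = "high"
        elif ind.fidelity == "low":
            severity = "info"
        else:
            severity = "medium"
        hits.append((severity, host, dst))
    return hits
```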

At which point multiple “US officials” (which can include Congressional staffers) and one Senior Administration Official (who, given Eilperin’s involvement, is likely at the White House) ran to the press and insinuated that Russia had hacked our grid, even while admitting they don’t really know what the fuck this is.

American officials, including one senior administration official, said they are not yet sure what the intentions of the Russians might have been. The incursion may have been designed to disrupt the utility’s operations or as a test to see whether they could penetrate a portion of the grid.

Officials said that it is unclear when the code entered the Vermont utility’s computers, and that an investigation will attempt to determine the timing and nature of the intrusion, as well as whether other utilities were similarly targeted.

“The question remains: Are they in other systems and what was the intent?” a U.S. official said.

Of course, by the time this report was amended to make it clear the malware was not in the grid at all, the story itself had gotten picked up by other outlets, even in spite of the many many many security professionals mocking the report as soon as it came out.

So now a slew of people are convinced that Russia has hacked (a word that has lost all meaning in the last month) our electrical grid — I’ve even seen some people assuming this occurred this week! — even though no actual analysis of what is going on has happened yet.

Here’s the thing. Some of these security professionals are the same ones who’ve been saying for months that the DNC hack can be reliably attributed to the Russian state. I mostly agree (though I’ve got some lingering doubts). And while those of us who follow this closely can distinguish the two different kinds of analyses, the general public will not. And — having been alarmed by a premature report that was not sufficiently researched before it was publicized — they will be utterly justified in believing the government is making baseless claims to generate fear among the public.

As I said, I mostly agree with reports attributing the DNC hack to the Russians. But seeing inflammatory shit like this peddled anonymously to the press makes me far more inclined to believe the government is blowing smoke.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

43 replies
  1. SYnoia says:

    Seems Obama threw a temper tantrum after the Russians and Turks resolved Syria, with no US help.

    Is that egg on your face, Obama?

  2. sonofnewo says:

    The Obama administration look like little children who are upset at being grounded for eating too many cookies.

  3. bloopie2 says:

    As Alec Guinness would say, “Madness!”  Spot on article.  Lying and misleading at their best.  Don’t these “professional” journalists have anything better to do?  Don’t they have any standards?  Are they so desperate for clicks that they write such stuff?  Too bad there isn’t any accountability for them.
     
    And I can tell you this about the Northeast’s electrical grid.  A sizable chunk of it is strung out along the Connecticut shoreline, directly accessible by any boat in Long Island Sound (or car) because the infrastructure was built right along the water’s edge (and the shore rail lines)—power plants, substations, high tension wire towers, everything.  Anyone with a group of fast, well-armed boats could pull in some evening, leave some bombs to detonate 12 hours later, and run for open water, faster than you can say “Northeast blackout that takes months to repair”.  Cops are always looking for packages left on MTA trains, but the hundreds of miles of infrastructure perimeter there and inland?  Nah.  And Vermont—hilly, wooded, open—anyone know whether its electrical grid/infrastructure is physically accessible?  Priorities, people?

    • jawbone says:

      So…all the infrastructure you mention is a great candidate for global warming and rising sea levels to destroy as well.  Uh oh.

  4. der says:

    Of course, by the time this report was amended to make it clear the malware was not in the grid at all, the story itself had gotten picked up by other outlets, even in spite of the many many many security professionals mocking the report as soon as it came out.

    Among those other outlets could be Putin and the Russian security state itself. Could this be a way to say to Russia that the NSA has the keys to their power grid and may already have malware in place?

  5. Trevanion says:

    These days of hysteria-as-political life have the feel of my fellow baby boomers reaching back for one last taste of the duck-and-cover days. Rather like attending an old-timer’s fantasy baseball camp where having the on-field lingo is key to covering up flabbiness and lost skills.

  6. scory says:

    In short, we’ve screwed ourselves.  There are good and bad actors in intelligence, security, and surveillance.  Marcy’s analysis of what on the face of it looks like a pretty consistent story is a great example of teasing out the bad actors.

    So:  every state has need for intelligence gathering, both from domestic and foreign sources.  And the corollary is:  every state needs protection from surveillance, both domestic and foreign.  Unfortunately for the United States, we lost a lot of the legitimacy for intelligence and surveillance following 9/11 and the passage of the Patriot Act and other follow on legislation and regulation.  Our elected officials, political appointees, and intelligence professionals, both civil service and contractor are constantly chasing “threats” and playing security theater.  While this drama makes for pretty good press and justifies increasing appropriations for both intelligence and security spending, it doesn’t allow us to gain better intelligence nor does it truly protect us.  It does also allow for people to make statements and take actions that consolidate authority for intelligence, surveillance, and security in the hands of a few people — who in turn are more vulnerable to mistakes.

    It’s pretty clear throughout the Russian cyberhacking debacle a lot of people — including the oversight committees in the House and Senate — have been making mistakes.  This will take a long time to sort out, and will take a lot of patience and subtlety to tease out good actors and bad actors, and get us back to a more rational strategy and accurate and authentic capabilities.

  7. emptywheel says:

    It was pretty clever of Vlad to target the Bernie Sanders supporting grid and not the Lockheed Martin supporting one, I gotta say.

    • Brad says:

      That way when Sanders supporters laugh at this latest charge, they can be slandered as “Putin puppets” or whatnot.

      I’m afraid this ridiculous campaign, extending also to Trump opponents in both parties in Congress, won’t end until it whacks Trump onto the anti-Russia track they had expected to escalate with the “preordained” victory of Clinton.

      If they can get Trump with the program then things will be alright.  Trump can oversee the trashing of Medicare, SS, privatize whatever, and conduct a Bacchanal of crony corruption that would make Warren Harding blush.  That will be all right so long as he doesn’t jump the shark on the preapproved Russia policy.

  8. bevin says:

    “I mostly agree with reports attributing the DNC hack to the Russians.”
    No doubt you have your reasons, but they do not constitute what would be accepted as evidence. You seem, and have every right to do so, to be operating on the basis of ‘gut feeling’ in this matter.
    Craig Murray’s blog today ought to give those who share your suspicions food for thought. It is entitled
    “Exit Obama in a Cloud of Disillusion, Delusion and Deceit”
    https://www.craigmurray.org.uk/

    • bmaz says:

      The ability of people with a cute little agenda to take it upon themselves to discern what is, and what is not, evidence, is hilarious.

      Are you talking about “evidence admissible in court”? “Evidence” that may be compelling, but, for one or more of various reasons, is not admissible in court?

      Are you talking about two sourced reportage by the press?

      What the fuck are you yammering about? Because I am pretty sure from your comment history, it is all self-affirming horseshit.

      What IS your definition of “evidence” Big Bevin?

      • bevin says:

        There is very little point in entering into a shouting match with you, bmaz.

        There are two problems that stick out a mile. The first is that the charges that Russia (the state) collected and arranged the publication of the DNC and Podesta emails are based entirely on assertions. No evidence that they did either has been published.

        The second is that the Clinton people have two obvious motives for turning the story into one about “Russian hacking”. The first is to distract attention from the sleaze through to criminality revealed in the emails. The second is to throw the blame for losing not only the Presidential but Congressional and local elections, to a candidate as weak as Trump was onto others.

        The fault lies entirely with the Democratic Party leadership from the White House down. Anyone who thinks otherwise is beginning the year in a very confused mental state.

        • bmaz says:

          Your first point is a bald-faced lie. There is “evidence” and it has been published by private security researchers and noted here on this blog. You may give it whatever credibility you wish in order to satisfy your personal agenda, but to blithely claim that there is “no evidence” is flat out a lie. Secondly, the official statements of US intelligence agencies and the President of the United States are, too, evidence. You may or may not trust them, but, again, to say that is not “evidence” is idiotic. It belies someone who has no idea what “evidence” is, and is not, and the difference between weight of evidence versus existence.

          Your second “problem” point is just your same old ridiculous Clinton and Dem derangement syndrome. It is literally cheap blather.

          By the way, I am not shouting at you, I’m laughing.

    • Bardi says:

      “to be operating on the basis of ‘gut feeling’ in this matter.”

      On an article denigrating “journalists” for doing the same?  Craig Murray occasionally ventures into fantasyland.  This seems one of those times.

      As a former hacker, even I can read between the lines and see that what seems “obvious” to the most casual observer has little to do with reality.

  9. annenigma montana says:

    Marcy, you say “I’m operating with more than is in the public record”. Do you do (or have you done) contract work for the Gov’t?

    You didn’t make the Propornot blacklist so I’m wondering about that too.

    • Karl Kolchak says:

      Hee hee–The Post has demonstrated yet again that when it comes to pushing out “fake news” on behalf of the powers that be, they have few rivals.

    • emptywheel says:

      Nope. But I’m pretty sure I can fill the biggest holes in the DNC story. Just trying to confirm to a point where I can explain it.

  10. Tony says:

    There are plenty of valid complaints about the quality of the US-CERT report, but I’m surprised to see security pros using the fact that some of the IPs are Tor exit nodes to cast aspersions on the quality of the report.  Machines operating as Tor exit nodes can also be doing other things, and Tor nodes come and go fairly often.  If those IPs were used as part of the attacks, and your agency’s mission is to help network operators secure their systems, it makes sense to include them.  It’s the job of the organizations consuming the list to vet them and decide if they should be blacklisted, watched, or ignored.

    Complaining that half of the report is recommendations for improving security is also silly.  It’d be like complaining that a CDC brochure about a disease outbreak consists of disease prevention tips.  That’s what they do.

      • Tony says:

        I’m not sure why you’re reading my comment with such an assumption of bad faith, and don’t understand which part of it you want me to back up.  Which facts are you disputing?

  11. Bob In Portland says:

    Just a warning. The malware supposedly used was Ukrainian, which means nothing, except that Ukraine keeps coming up in these hacking/fake news stories. There’s this:
    http://www.nakedcapitalism.com/2016/12/site-behind-washington-posts-mccarthyite-blacklist-appears-to-be-linked-to-ukrainian-fascism-and-cia-spying.html. Then there was the false report of Donbas military officials talking over their radios about shooting down MH17 in the hours after the shootdown, which turned out to be a false construction by Ukrainians of previous comments by Donbas radio operators about supply planes landing at an airport. That should have been considered evidence of a false flag. You know, by the guys who our State Department assures us aren’t Nazis.

    Excuse me if I seem to be seeing Ukrainians all over these apparent false flags. And since we are talking about Ukraine we are also talking about the CIA, who’s had that seventy-year relationship with the old OUN-B built under the watchful eye of Reinhard Gehlen.

    And let’s face it. The Ukrainian experiment hasn’t been terribly successful for the US. The Ukraine lost Donbas, the Russians took over Crimea. The only value of Ukraine is either cutting off Russian gas lines or doing intelligence dirty work.

    • drouse says:

      Keeping in mind that NakedCapitalism is heavily in the denial camp as far as the Russian hacking goes. She is also a long time Hillary hater. The snide comments she adds to the links she puts up make that very clear. At this point any site’s biases have to be taken into account because that is the way the false and the fantastical creep in.

  12. Chip Daniels says:

    There are two realities that are colliding in all this.

    One is that espionage and intelligence gathering are by their very nature, done in the shadows where nothing can ever be proven or verified beyond a doubt. In this world, nations must act and react without really having absolute certainty of the truth, and the citizens have to make voting decisions based on scraps of declassified data and mostly trust in our official sources.


    The other reality is that citizens themselves face a dilemma. We should be cautious and wary of blindly accepting official pronouncements, but the central weapon of authoritarians and tyrants is to create a cloud of disinformation such that no one ever really can trust any source of information. They capitalize on fear and suspicion and paranoia to strip citizens of freedom and dignity.

    So I applaud people for skepticism of anonymously sourced stories, but I take sharp exception to blanket cynicism that equates relatively trustworthy sources like the NYT and WaPo with sources like Breitbart and Infowars.


    • emptywheel says:

      Sorry. Who here equated WaPo w/Breitbart?


      And you do know WaPo issued an(other) Editors Note on this story, as they have with other Russian fearmongering ones?

      The issue of Russian spying is real. People who make bogus claims about it are being irresponsible.

      • Bardi says:

        The issue of Russian spying is real

        I think most Americans would be greatly surprised at the market that exists for, sometimes, illicit material.  Many people with little to do bang around constantly into all corners of the web and find a ready (black) market for such material, not just nations but corporations.  The mention of “TOR exit nodes” points to “officials” using terminology not understood by themselves but sounding good to the reader.

        Thank you, ma’am, for providing a platform to discuss these issues, minimizing silly and ignorant posts.  And, Happy New Year for whatever that may portend.

      • Brad says:

        But is it really important?

        I say no.  It’s ludicrous on the face of it for anyone to claim that Russian spying decisively influenced the 2016 Presidential election result. Those that claim otherwise are advancing other agendas behind this question. Especially as it comes from the Clinton camp, it exudes the very elitism that denies the agency of ordinary people, in this case voters tired of empty promises, that lost them the election.

        As for WaPo and NYT, comparison with Breitbart and the like is apples and oranges.  The “normal” integrity of the former makes these the platforms of choice to launch strategic disinfo campaigns when it really matters.  As with the run up to the Iraq war – and now.

        It’s obvious what the Russians are up to.  They are trying to defend themselves as NATO rolls up to their borders.  The truth is the problem is us, not them.

  13. annenigma montana says:

    Marcy admits to having information not in the public domain which informs her beliefs in this matter, but won’t, or can’t, reveal her inside information. I wondered if Gov’t contract work was the source of that inside information. I don’t think that’s an unreasonable question warranting ridicule in response, but I also realize that a response might not be possible if that was indeed the case.

    To spell it out further, work, especially of a classified or sensitive nature, is often protected by non-disclosure agreements so can’t be shared with the public. Just as with National Security Letters, even a simple admission or denial might be prohibited, so the response, if any, has to fly below the radar.

    So was that a canary I just saw flying by? It sounded like it was chirping “Hahahahahahaha!”  Or maybe it was just celebrating the New Year early.


    • Bardi says:

      “having information not in the public domain which informs her beliefs in this matter, but won’t, or can’t, reveal her inside information”

      Based on Marcy’s past history and skepticism, I believe the site owner.  Rarely, if ever, wrong.  Unlike, say, most anyone posting at breitbart.com, half-way house for liars and other out-of-work monkeys capable of stringing more than two words together.

    • bmaz says:

      Do you have anything besides a couple of sheer links??

      If not, then try to supply motte next time. This is not a link factory.

      • SpaceLifeForm says:

        The links are totally relevant. In fact you could discern this just from the URLs themselves.

        Here is another and including some context.

        https://www.burlingtonelectric.com

        We detected suspicious Internet traffic in a single Burlington Electric Department computer not connected to our organization’s grid systems.

        • bmaz says:

          Uh, yeah, so? Generally here, people explain what their links mean instead of just dead dropping them with no explanation.

          Also, don’t think anybody was contesting the nature and location of the malware found.

  14. annenigma montana says:

    @bmaz

    Why now? Why the hell not? I had a question I hoped would be answered. Is that a thought crime now?

    I’ve actually been reading this blog for years but admittedly only Marcy’s posts, and didn’t feel a need to add my two cents worth to the comments, although I do comment occasionally at the dozens of other blogs and news sites I read daily. I sure wouldn’t have asked my question today had I realized that Marcy had a personal guard dog to chase away anyone (new!) daring to ask an uncomfortable or unacceptable question.

    Sorry for crashing your party.


  15. Syd says:

    Empty Wheel needs to note that proof of Russian interference in the election means proof that Russia was Wikileaks’ source. For Russia along with who knows how many other state and non-state actors may well have hacked the DNC, Podesta, and most other prominent American organizations and individuals but without leaking any of it to Wikileaks or anyone else, and so without doing anything to influence the election. What so far is lacking is the slightest shred of evidence that Wikileaks got the emails via Russia. Wikileaks vehemently denies it and Craig Murray who is close to Wikileaks says he and Assange know who the originating sources were, that they were internal leaks not outside hacks, and that the Russians had nothing to do with it. The US gov’t needs to prove they are wrong in order to make the case that Russia influenced the election. Just providing evidence of hacking and attributing it to Russia isn’t good enough.

    • bmaz says:

      Golly, so “Emptywheel” needs to acknowledge things that have…..already been acknowledged here…..if you bothered to read the coverage? Okay.

      Murray’s curious self insertion into the fray has also been noted, along with several issues with the same.

      I see you are yet another poor soul who has no clue what “evidence” is. It is NOT what you want to hear. It is NOT proof beyond a reasonable doubt. And it is NOT whatever self serving twits like Assange admit.

      People are convicted of crimes, even capital crimes, every day based on circumstantial evidence. Yet people like you commonly bleat that there “is no evidence”. That is a load of crap. There is absolutely “evidence”. That you, personally, do not find it compelling enough for your agenda is of no moment as to whether there is any “evidence” at all.

      • bevin says:

        Glenn Greenwald adds:

        “…permit me once again to underscore my own view on the broader Russia issue: Of course it is possible that Russia is responsible for these hacks, as this is perfectly consistent with (and far more mild than) what both Russia and the U.S. have done repeatedly for decades.

        But given the stakes involved, along with the incentives for error and/or deceit, no rational person should be willing to embrace these accusations as Truth unless and until convincing evidence has been publicly presented for review, which most certainly has not yet happened. As the above articles demonstrate, this week’s proffered “evidence” — the U.S. government’s evidence-free report — should raise rather than dilute suspicions. It’s hard to understand how this desire for convincing evidence before acceptance of official claims could even be controversial, particularly among journalists.”

        Thanks for the insights into the new definition of ‘evidence’ in capital cases: I’d suspected it, the number of unsafe convictions suggested it, but I didn’t know that it was OK.
