The Russians Are Coming! The Russians Are — Oops! No Russians!

In my piece on Sunday on the package of sanctions the government released last week, I noted the likelihood the Joint Analysis Report would result in false positives.

But several of the reports also include some version of this conclusion from Lee: “the indicators are not very descriptive and will have a high rate of false positives for defenders that use them.”

That is, we may see more of what we saw Friday, when a Vermont utility did as instructed with the report — searched for the indicators included in the report — reported a positive hit, only to have anonymous sources immediately blow it up to mean Russia had hacked our grid. That find might turn out to be a Russian probe, or it might not; there’s little doubt that Russia can hack our electrical system. But what it did do is feed a panic.

Sure enough, that’s what Friday’s alarmist WaPo story turned out to be. Another WaPo story last night revealed that there’s no evidence Russian government hackers were in Burlington Electric — indeed, it sounds like what the utility might have found was one of the many Tor or other innocuous IP addresses included in the report.

As federal officials investigate suspicious Internet activity found last week on a Vermont utility computer, they are finding evidence that the incident is not linked to any Russian government effort to target or hack the utility, according to experts and officials close to the investigation.

An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party. Officials told the company that traffic with this particular address is found elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians. Indeed, officials say it is possible that the traffic is benign, since this particular IP address is not always connected to malicious activity.

As it happens, after the government took custody of the laptop, they found other malware on it, not associated with the Russians, which wasn’t found as a result of last week’s report and scan.

In the course of their investigation, though, they have found on the device a package of software tools commonly used by online criminals to deliver malware. The package, known as Neutrino, does not appear to be connected with Grizzly Steppe, which U.S. officials have identified as the Russian hacking operation. The FBI, which declined to comment, is continuing to investigate how the malware got onto the laptop.

But ultimately, Friday night’s scare, with comments from half of Vermont’s public officials, was about an IP address that has no definitive tie to the Russians.

And that wasn’t the only false positive arising from this report. A Dutch paper did a story accusing a key Dutch privacy person (Bits of Freedom is sort of like EFF) of running a Tor node used by the Russians, as if Tor node operators sign off on the traffic that transits their nodes.
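The two false-positive patterns above (a Tor node in the indicator list, and an address that "is found elsewhere in the country and is not unique to Burlington Electric") are exactly what a defender should check before escalating a hit. As an added example that is not code from the post, the JAR, or any outlet named here, this Python scores indicator hits from constructed proxy logs against a constructed Tor exit list and a cross-organization prevalence count; the log format, the RFC 5737 addresses used as indicators, and the prevalence threshold are all assumptions.

```python
# Added example: triage raw indicator hits before anyone declares a breach.
# A match is low confidence when the address is a Tor exit (the operator does
# not control transiting traffic) or when many unrelated organizations hit it.
import ipaddress
import re

# Constructed data: RFC 5737 documentation addresses, not real indicators.
IOC_LIST = {"203.0.113.7", "198.51.100.20", "192.0.2.99"}
TOR_EXITS = {"203.0.113.7"}
PROXY_LOGS = """\
2016-12-30T09:12:01 org=burlington src=10.1.4.22 dst=203.0.113.7 host=mail.yahoo.com
2016-12-30T09:12:05 org=burlington src=10.1.4.22 dst=198.51.100.20 host=ads.example.com
2016-12-30T09:13:40 org=acme-bank src=10.9.0.5 dst=198.51.100.20 host=ads.example.com
2016-12-30T09:14:02 org=metro-water src=10.2.2.2 dst=198.51.100.20 host=ads.example.com
2016-12-30T09:20:13 org=burlington src=10.1.4.22 dst=192.0.2.99 host=update.example.net
2016-12-30T09:21:00 org=burlington src=10.1.4.22 dst=192.0.2.50 host=cdn.example.com
"""
LOG_RE = re.compile(r"org=(\S+) src=(\S+) dst=(\S+) host=(\S+)")

def parse_logs(text):
    """Yield (org, src, dst, host) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groups()

def triage(log_text, iocs=IOC_LIST, tor_exits=TOR_EXITS, prevalence_threshold=3):
    """Return {dst_ip: (confidence, reason)} for every indicator that was hit.

    Prevalence is the number of distinct organizations whose logs contain the
    indicator; an address seen at many sites at once is rarely targeted.
    """
    records = list(parse_logs(log_text))
    orgs_per_ip = {}
    for org, _src, dst, _host in records:
        orgs_per_ip.setdefault(dst, set()).add(org)
    verdicts = {}
    for _org, _src, dst, _host in records:
        if dst not in iocs or dst in verdicts:
            continue
        ipaddress.ip_address(dst)  # reject malformed indicators early
        if dst in tor_exits:
            verdicts[dst] = ("low", "Tor exit node: operator does not control transiting traffic")
        elif len(orgs_per_ip[dst]) >= prevalence_threshold:
            verdicts[dst] = ("low", f"seen at {len(orgs_per_ip[dst])} unrelated organizations")
        else:
            verdicts[dst] = ("review", "indicator hit with no benign explanation yet")
    return verdicts
```

Only the one hit that is neither a Tor exit nor widely seen is left for analyst review; the other two would have produced Friday-night headlines under a naive "any match is a compromise" rule.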

Remember: one of the primary claimed goals of Russia’s hacking is to make Americans lose trust in our government. Because of the way this report and the subsequent reporting were rolled out (and leaked to a White House beat reporter), both security professionals and the general public will lose confidence not just in the government’s ability to respond to hacks, but also in the government’s report claiming the Russians were behind the hack. Not to mention, the alarmist report has led the paper that pushed the PropOrNot bullshit to make this kind of claim, blaming sources but not their own reporting.

Authorities also were leaking information about the utility without having all the facts and before law enforcement officials were able to investigate further.

Remember: WaPo first published the story before getting any comment from Burlington Electric.

The government appears to be doing Vlad Putin’s work for him, damaging its own credibility in its efforts to combat his efforts to damage its credibility.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

14 replies
  1. tryggth says:

    “Remember: one of the primary claimed goals of Russia’s hacking is to make Americans lose trust in our government.”

    There is obviously an easier indirect attack vector.

  2. bevin says:

    Taken individually these claims and charges verge upon the farcical. The ‘evidence’ behind them seems to be nothing more than serial assertion from the CIA, which has been purveying ‘false news’ - as one of its primary endeavours - since 1948.
    When a story is based upon findings of the CIA it is almost invariably false.
    This ‘false positive’ - more false than positive - is inevitable given the current lynch mob mentality being whipped up by the lame duck in Washington.
    Does anyone remember the Cold War? Korea, Vietnam..? Probably. But those were only the tip of the bloody iceberg - there simply isn’t space here to list the venues in which massacres occurred during the Cold War, massacres which were part of myriad proxy wars and civil wars which formed the daily substance of the period.
    The Cold War was founded in cheap and tawdry propaganda campaigns, many of them emanating from Congress, conducted by persons who, notoriously, did not live in villages like My Lai or the jungles of Angola, the townships of South Africa, the Universities of South America, from which tens of thousands of baby boomers were disappeared by agents of the Cold Warriors, the slums of Valparaiso or the kampongs of Indonesia, where the rivers ran crimson with the blood of a million voters for the Communist Party, fingered by CIA assets, rewarded by the US taxpayer.
    The supercilious insouciance with which a new Cold War, this one already involving over a million dead Libyans, Iraqis, Syrians and others, mainly Muslims and Christians, is being accepted as if it were all part of a game played by dilettante cannibals is sickening.
    Let those who seek to convince the people that Russia has initiated aggressions against the United States - provided a casus belli - adduce some evidence before they are tasked with starting a new war, re-building nuclear arsenals and reviving the SS all over eastern Europe.
    This is not something that it is possible to make an honest living from.

  3. Raven says:

    In two successive paragraphs you state: “WaPo first published the story before getting any comment from Burlington Electric.” (Or getting any comment from DHS or the DOE; their info source was a *statement* by Burlington Electric.)
    -and-
    “The government appears to be doing Vlad Putin’s work for him….” (But it wasn’t the federal government that made the false statement; and the quoted 2nd article states it was the federal government that debunked Burlington’s jump to conclusions.)

    This is a fallacy — the conclusion doesn’t follow from the premise.

    • emptywheel says:

      The story came from anonymous government sources, including one senior source. When the story was first published, WaPo hadn’t gotten any comment from Burlington. So their misrepresentation about what the problem was came entirely from the govt sources. Shortly after they published, other news outlets published Burlington’s comment, which made it clear WaPo got the part about the grid v. laptop wrong. Then further reporting from the government decided this was just a Yahoo leak.

      But the initial problem was anonymous sources from the govt.

  4. greengiant says:

    Nice, seems there is more behind the dark clouds. How much has gone to the shadow banking system in the last 8 years? 12 trillion? Follow the money, there are large resources available for dust, smoke and mirrors. Clinton’s corruption can be measured by the one single thing she spoke for after the election, censorship. In Russia and much less so in the US journalists get killed, in Turkey they are jailed en masse. Manipulation is everywhere, media, social media, search engines, snopes, wikipedia.

  5. Duncan says:

    A good piece, but… “one of the primary claimed goals of Russia’s hacking is to make Americans lose trust in our government.”  My question is whether the claim comes from Russia, or from US propagandists.  It makes a difference.

  6. Jeff Bozo From Amazon says:

    You really got to wonder just how much access Jeff Bezos has to the CIA. It’s like he gets these assessment leaks when the assessment isn’t even quite done yet. For those that don’t know…Jeff Bezos owns Amazon and the Washington Post. He also has financial ties to the CIA.

  7. Karl Kolchak says:

    Doing Putin’s work for him, just like we did Osama bin Laden’s work for him after 9/11 by invading Iraq.  America has become a profoundly stupid country governed by idiots.  If we didn’t have the capability to incinerate all of humanity it would almost be funny.