Hackers will hack. But when it comes to attributing those attacks back to an individual, group or apparatus of the state, don't (always) believe the hype - at least not right away.
That's the obvious takeaway from an overblown Washington Post report, published Dec. 30, 2016, alleging that Russians targeted Burlington Electric Department in Vermont. The newspaper report connected the Russian government's apparent interference in U.S. elections - dubbed the Grizzly Steppe campaign by U.S. intelligence agencies - to the attack against the city of Burlington's power provider.
The newspaper, however, quickly revised the article's headline, highlighting potential inaccuracies in its initial report:
- "Russian hackers penetrated U.S. electricity grid through utility in Vermont, officials say" (before)
- "Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid, officials say" (after)
In the wake of that report, Sen. Patrick Leahy (D-Vt.) issued a statement condemning the attack. "State-sponsored Russian hacking is a serious threat, and the attempts to penetrate the electric grid through a Vermont utility are the latest example," he said.
The headline on the newspaper's Jan. 2 follow-up, however, tells a profoundly different story: "Russian government hackers do not appear to have targeted Vermont utility, say people close to investigation." What investigators actually found, the newspaper reported, was a single laptop - not connected to any networks connected to power-generation or control equipment - infected with the all-too-common Neutrino crimeware toolkit, aka Kasidet.
Elapsed time from breathless, erroneous report based on anonymous federal officials with supposed knowledge of the investigation, to a more factually correct one stating that there was, in fact, no story: Two days.
Blame is Cheap
As far as erroneous attribution reports go - and there are many - that's a relatively quick turnaround. In 2014, for example, after JPMorgan Chase suffered a series of network intrusions, Bloomberg reported that investigators were probing potential connections to the Russian government. Pundits quickly cast the attacks as potential retribution for U.S. sanctions imposed against Russia over Ukraine.
Eleven months later, however, the Department of Justice said JPMorgan Chase wasn't hacked by Russians, but by two Israeli guys living in Florida, plus an American accomplice who spent much of his time in Moscow and Tel Aviv, as part of an alleged pump-and-dump stock scheme (see Report: Spammers Tied To JPMorgan Chase Hack). That case is continuing, with the U.S. suspect having just turned himself in at JFK International Airport in New York last month, following the arrest of the Israeli suspects last year, when the charges were first announced.
Attribution Carries Motives
Jeffrey Carr, CEO of threat-intelligence firm Taia Global, argues that behind every attribution, there's some type of motivation, such as a lawmaker pushing a political agenda, a cybersecurity firm seeking free marketing or a breached business trying to deflect blame for its shoddy cybersecurity practices.
Furthermore, for anyone except the government, worrying about "who did it" is a waste of time and money, says breach prevention and response expert Alan Brill of corporate investigations and risk consulting firm Kroll. Instead, he says breached firms need to focus on figuring out what happened, containing the damage and preventing repeat incidents.
Burlington Electric Done Good
In the case of the overblown hacking report issued by the Washington Post, kudos to Burlington Electric Department on two fronts.
First, after the Department of Homeland Security issued its Grizzly Steppe alert on "Russian malicious cyber activity" on Dec. 29, 2016, the utility ran malware scans on all computers, looking for related indicators of compromise. The utility reportedly found previously undetected malware on the one laptop, but nothing connected to Grizzly Steppe. (Burlington Electric didn't immediately respond to my request to confirm the precise type of malware it found on the laptop.) "We detected suspicious Internet traffic in a single Burlington Electric Department computer not connected to our organization's grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding," Neale F. Lunderville, general manager of Burlington Electric, says in a statement.
Second, the utility reacted quickly, issuing a statement just hours after The Washington Post published its erroneous New Year's Eve weekend report. "There is no indication that either our electric grid or customer information has been compromised," Lunderville said in the statement. "Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false."
The utility has slammed the Washington Post for failing to attempt to confirm the story directly with the utility before publishing it, as well as the unnamed officials - whoever they are - for their erroneous interpretation of the situation.
"It's unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country," utility spokesman Mike Kanarick said.
As Dmitri Alperovitch, CTO of cybersecurity firm CrowdStrike - hired to investigate the intrusion into Democratic National Committee systems - noted via Twitter, "no one should be making any attribution conclusions" on the basis of information contained in DHS alerts, not least because cybercriminals - and others - often use, share or reuse the same attack infrastructure and tools.
"No one should be making any attribution conclusions purely from the indicators in the USCERT report. It was all a jumbled mess https://t.co/t4gJayv01i" - Dmitri Alperovitch (@DAlperovitch), December 31, 2016
As far as attribution goes, the Burlington Electric episode is a reminder not to believe the hype - or at least not until it's been properly vetted.