Story quickly falls apart after investigation finds claims to be inaccurate
The Washington Post reported Friday that the U.S. power grid had been hacked by the same Russian actors accused of breaching the DNC. The only problem: the grid wasn’t hacked.
According to the report, malicious “code” associated with Grizzly Steppe, the name given to Russian hacking operations by the Obama administration, was found within the system of a utility company in Virginia.
“While the Russians did not actively use the code to disrupt operations, according to officials who spoke on the condition of anonymity to discuss a security matter, the discovery underscores the vulnerabilities of the nation’s electrical grid,” the article states.
The code, which was not specifically identified by the Post, was released by the FBI and DHS in a Joint Analysis Report (JAR) Thursday regarding the “tools and infrastructure” of the accused Russian hackers. The report gave network administrators a way to examine their systems for malicious activity and other Indicators of Compromise (IOCs).
As the news stirred fear among Americans across social media, members of the cybersecurity community immediately questioned the validity of the report.
Matt Tait, a former member of the GCHQ, the UK’s NSA equivalent, quickly noted that attribution, or the process of discovering “whodunnit,” would almost certainly not be accomplished in less than 24 hours.
Treat this story with a whole boatload of caution. No way a proper assessment has been done in < 1 day. https://t.co/303FDxkBko
— Pwn All The Things (@pwnallthethings) December 31, 2016
John Hultquist, who has spent a decade tracking cyber espionage threats for both the government and private sector, noted that Russian operators had previously infiltrated the grid, making it possible that the discovered code was a “lingering infection.”
Sandworm was found in US grid before and this could be lingering infection found with recently released info. https://t.co/uiugDGBlxa
— John Hultquist (@JohnHultquist) December 31, 2016
The IOCs, while important in detecting possible hacks, will likely produce numerous false positives for the near future.
Robert M. Lee, CEO and founder of cybersecurity company Dragos, which specializes in threats facing critical infrastructure, also noted that the IOCs included “commodity malware,” or hacking tools that are widely available for purchase.
1. No they did not penetrate the grid. 2. The IOCs contained commodity malware – can’t attribute based off that alone. https://t.co/AMNMVzFpFW
— Robert M. Lee (@RobertMLee) December 31, 2016
No evidence at this time connects the malware to Russia or any recent hacking campaigns.
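The objections raised above (IOC matches will produce false positives, commodity indicators cannot support attribution, and an infection on one machine says nothing about the grid) can be made concrete with a small triage script. The following is an added example, not code from the article, the JAR, or any of the people quoted; the indicator values, log lines, the `ip`/`domain`/`sha256` field names and the set of grid-connected hosts are all constructed for illustration, and the campaign/commodity tiers are an assumed analyst annotation, not a field in the JAR itself.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str   # "ip", "domain" or "sha256"; matched against the log field of the same name
    tier: str   # "campaign": specific to one intrusion set; "commodity": shared tooling or infrastructure
    note: str


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    indicator: Indicator


# Constructed indicator list: placeholder values, not entries from the DHS/FBI JAR.
INDICATORS = [
    Indicator("203.0.113.45", "ip", "campaign", "constructed: C2 address tied to one intrusion set"),
    Indicator("198.51.100.7", "ip", "commodity", "constructed: Tor exit node shared by unrelated users"),
    Indicator("update-check.example.net", "domain", "commodity", "constructed: beacon domain of a widely sold malware kit"),
    Indicator("deadbeef" * 8, "sha256", "commodity", "constructed: hash of a commodity downloader"),
]

# Constructed endpoint/proxy log lines in key=value form (hypothetical format).
SAMPLE_LOGS = [
    "2016-12-30T09:12:01Z host=ops-laptop-07 ip=198.51.100.7 domain=update-check.example.net",
    "2016-12-30T09:12:05Z host=ops-laptop-07 ip=192.0.2.10 domain=www.example.com",
    "2016-12-30T09:15:40Z host=ops-laptop-07 sha256=" + "deadbeef" * 8 + " proc=updater.exe",
    "2016-12-30T10:02:11Z host=hmi-substation-2 ip=10.0.7.12 domain=historian.local",
]

# Constructed: the only host in this inventory that actually sits on the control network.
GRID_HOSTS = {"hmi-substation-2"}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))


def scan(lines, indicators):
    """Match each indicator against the log field of the same kind; every match is a hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        for ind in indicators:
            if fields.get(ind.kind) == ind.value:
                hits.append(Hit(n, fields.get("host", "?"), ind))
    return hits


def assess(hits, grid_hosts):
    """Summarise hits the way an analyst should before anyone says 'the grid was hacked'."""
    campaign = [h for h in hits if h.indicator.tier == "campaign"]
    commodity = [h for h in hits if h.indicator.tier == "commodity"]
    return {
        "total_hits": len(hits),
        "campaign_hits": len(campaign),
        "commodity_hits": len(commodity),
        "hosts_with_hits": sorted({h.host for h in hits}),
        # Hits on a machine with no control-network access are not a grid compromise.
        "grid_hosts_with_hits": sorted({h.host for h in hits if h.host in grid_hosts}),
        # A commodity indicator proves a commodity tool was present, not who used it.
        "attribution_supported": len(campaign) > 0,
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS, INDICATORS)
    for h in found:
        print(f"line {h.line_no} host={h.host} {h.indicator.kind}={h.indicator.value} "
              f"[{h.indicator.tier}] {h.indicator.note}")
    print(assess(found, GRID_HOSTS))
```

Run against the constructed logs, the scan returns three hits, all on the laptop and all on commodity-tier indicators, so the summary reports no grid host affected and no basis for attribution. Only a hit on a campaign-specific indicator flips `attribution_supported`, and only a hit on a host in `GRID_HOSTS` counts toward the grid at all; a raw match count, which is all a headline tends to convey, carries neither distinction.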
Soon after publication of the Post’s story, it was revealed that the malware had only infected a utility company laptop that had no access whatsoever to the electrical grid.
Alleged Russian hack of power grid was actually hack on utility company laptop with no access to the grid https://t.co/DzRavFdYBd pic.twitter.com/K1u4PEr2Dy
— Mikael Thalen (@MikaelThalen) December 31, 2016
As noted by Politico cybersecurity reporter Eric Geller, the Post quickly edited its headline upon learning that the incident was far less serious than initially reported.
Compare the initial and current versions of the headline. pic.twitter.com/ejbE3A7eZ7
— Eric Geller (@ericgeller) December 31, 2016
The Post’s mistake does not mean that nation states do not hack into one another’s critical infrastructure. Russia has successfully infiltrated the U.S. grid before, is likely inside now, and has attacked the power grids of other countries, such as Ukraine, in the past.
The U.S. government likewise has gained access to foreign power grids. As part of the “Nitro Zeus” operation, the U.S. breached Iranian infrastructure and prepared to carry out cyber attacks during the early years of the Obama administration in the event that diplomatic efforts to reduce Iran’s nuclear program failed.
In case you’re wondering, this is what an actual nation-state power grid hack looks like. pic.twitter.com/sleSBsUsrN
— Mikael Thalen (@MikaelThalen) December 31, 2016
The Post’s false hacking story, which continues to be spread by countless media outlets, will likely fuel both fear and distrust as allegations of government hacking continue to captivate the public.
While the U.S. intelligence community leads the world in hacking capabilities, America remains one of the more vulnerable countries given its reliance on technology.
The U.S. government and private companies are working to harden the power grid by testing their own defenses against simulated attacks. Watch cybersecurity experts hired by a power company in the Midwest breach the grid below: