In-brief: The Washington Post said on Monday that an investigation of the reported cyber attack on Burlington Electric in Vermont found that the utility was not targeted and points away from Russian involvement.
After finding itself in hot water over a thinly sourced story alleging Russian intrusion onto the U.S. electric grid, The Washington Post said on Monday that an investigation of the incident points away from Russian involvement.
The incident, which prompted angry statements from Vermont’s governor and senior Senator, was little more than an alert generated by an employee checking his Yahoo email account on Friday. From the Washington Post:
An employee at Burlington Electric Department was checking his Yahoo email account Friday and triggered an alert indicating that his computer had connected to a suspicious IP address associated by authorities with the Russian hacking operation that infiltrated the Democratic Party.
Officials have informed Burlington Electric that the address in question has been used in attacks “elsewhere in the country and is not unique to Burlington Electric, suggesting the company wasn’t being targeted by the Russians.” In fact, the alert may have been a “false positive,” as the particular IP address is not always connected to malicious activity.
The initial Post story fell short on a number of counts. It cited anonymous government sources, but did not identify the utility in question or verify the sourced information with the victim. Soon after the report went public, Burlington Electric issued a statement identifying itself as the victim, but stating that only a single laptop had been compromised.
The original story, released on Friday, also took at face value a joint report from the Department of Homeland Security and the FBI. That report, under the label Grizzly Steppe, linked a wide range of known hacking groups and malware families directly to the Russian government as a far-flung campaign of targeted hacks against U.S. interests, but provided no evidence of the links between the more than two dozen groups it named. Cyber security experts have been critical of the report's conclusions, noting (correctly) that it blurs the line between known nation-backed hacking groups and a wide range of other cyber threats, including commercially available malware and cyber criminal organizations.
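The false-positive pattern described above (a webmail connection matching an IP indicator that is shared infrastructure rather than attacker-controlled) is easy to reproduce in triage logic. The following is an added example, not code from the Post, Burlington Electric or the joint report; the indicator entries, proxy log lines and the `shared_infra` flag are all constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list modelled on a low-fidelity IP feed. Each entry
# records whether the address is known shared infrastructure (mail providers,
# Tor exit nodes, CDNs), where a hit alone does not imply compromise.
INDICATORS = {
    "198.51.100.7": {"source": "joint-report", "shared_infra": True},   # constructed webmail front end
    "203.0.113.42": {"source": "joint-report", "shared_infra": False},  # constructed dedicated address
}

# Constructed proxy log lines: timestamp, client, destination IP, host header, bytes.
PROXY_LOGS = """\
2016-12-30T09:14:02Z 10.0.5.23 198.51.100.7 mail.example-webmail.test 48213
2016-12-30T09:15:47Z 10.0.5.23 203.0.113.42 - 1024
2016-12-30T09:16:10Z 10.0.5.31 192.0.2.15 intranet.test 3402
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass
class Hit:
    ts: str
    client: str
    dst: str
    host: str
    severity: str  # "incident" or "review"


def triage(log_text, indicators):
    """Match destination IPs against the indicator list, then grade each hit.

    A hit on shared infrastructure is graded "review": the address is not
    unique to the attacker and is contacted for ordinary reasons, which is
    the false-positive pattern the Burlington alert showed. A hit on a
    dedicated address is graded "incident".
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, dst, host, _ = m.groups()
        try:
            ipaddress.ip_address(dst)  # skip malformed destination fields
        except ValueError:
            continue
        meta = indicators.get(dst)
        if meta is None:
            continue
        severity = "review" if meta["shared_infra"] else "incident"
        hits.append(Hit(ts, client, dst, host, severity))
    return hits
```

A bare indicator match still raises two alerts here; the grading is what separates the webmail connection from the one worth escalating.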