Opinion: Confusion over Vermont Utility Underscores Risks of Cyber Attribution

In brief: Errant reports about a Russian government hack of a Vermont utility are the first byproduct of a flawed report on Russian hacking of U.S. interests. They won’t be the last.

On Friday, this blog wrote about the criticism that the Obama Administration’s report on alleged Russian hacking of the U.S. election system was receiving from information security professionals. By Saturday, we had a great illustration of the damage that bad intelligence (or at least badly presented intelligence) can do.

I’m speaking, of course, about The Washington Post’s story, Saturday, which claimed that Russian hacking groups had penetrated the United States electrical grid by way of a Vermont utility. The proof, according to the story, was “code associated with the Russian hacking operation dubbed GRIZZLY STEPPE by the Obama administration has been detected within the system of a Vermont utility.” That, according to reports from unnamed U.S. officials.

The report prompted swift responses from senior elected officials including Vermont’s Governor, Peter Shumlin, Sen. Patrick Leahy and Rep. Peter Welch. “Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health, and safety,” Shumlin said in a statement.

The problem: no such hack of the electrical grid took place. Instead, a malicious code signature released by The Department of Homeland Security last week apparently matched with malware found on a single computer at Burlington Electric, which then reported the incident. However, the computer infected with the malware was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia told The Burlington Free Press on Saturday. (The Washington Post subsequently corrected its article, saying that no hack of the U.S. grid took place.)

The confusion over “the Vermont incident” (my terminology) gets to the heart of criticisms that followed the release of the DHS and FBI Joint Analysis Report (JAR) on Russian hacking activity on U.S. shores. Those efforts were collectively branded “GRIZZLY STEPPE” in the report, which one expert described as reading “like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.”

Specifically: the U.S. Government’s report lumped together under one banner a wide range of hacking groups and hacking tools – some of them long used and widespread. In some cases, the groups in question have only tangential connections to the government of Russia. In other cases, tools and techniques for attacking organizations – including whole families of malware – were thrown under the GRIZZLY STEPPE umbrella. The effect was to water down the report while dangerously muddying the public’s understanding of what Russian government hackers are and are not doing.

The report about the Vermont hack proceeded from that assumption, citing intelligence from unnamed government sources that malicious code found at the utility was put there and controlled by “the Russians,” who “did not actively use the code to disrupt operations.”

The truth is that if any evidence exists linking the malware discovered on a machine owned by Burlington Electric to operatives of the government of Russia, none was presented. It’s not clear if the Washington Post ever asked for such proof. As Robert Lee noted in a blog post on Saturday: “the indicators supposedly were related to Russia because the DHS and FBI said so – and supposedly that’s good enough.”

It is possible and even likely that some component of what the Government has called GRIZZLY STEPPE was found at Burlington Electric and that the utility identified the threat using the signature circulated by DHS in its report. Among the malware families listed as being part of that campaign was Black Energy, a malicious program that is widespread and known to target electric utilities and energy sector firms. But that’s nothing new: the Department of Homeland Security has been warning public and private sector firms about Black Energy since 2014. And, as Lee and others have noted, Black Energy isn’t unique to Russian government-backed hackers or even Russian cyber criminal groups. Rather, it is a widely used and commercially available family of malware well suited to use in energy firms and other industrial concerns.

But the FBI and DHS ignored that context and lumped together Black Energy and a wide range of other, similar threats under a common banner (GRIZZLY STEPPE), then stamped that overly broad conclusion with the U.S. Government’s seal of approval. Conceptually simple, GRIZZLY STEPPE is an analytic grenade, scrambling already complex interrelations between malware authors, government-sponsored hacking crews, cyber criminal and politically motivated hacktivist groups and neutral third-party providers.

In short: a report that was supposed to nail the lid shut on Russian hacking in U.S. elections has only raised more questions about the U.S. government’s evidence against Russia and whether that evidence is being interpreted in ways that distort its actual meaning or import. The Washington Post story marked just the first errant conclusions drawn from that errant report. Others are sure to follow – blurring rather than sharpening our understanding of the risks posed by Russia and other online adversaries.



  1. I tend to agree with your perspective. I fear we’ll see more faulty logic in security analysis. The Washington Post article relied on “Russians Used Malware. Malware Found on Utility’s PC. Therefore, Russians Hacked Utility.” While this might heighten security awareness, shoddy analysis and reporting will more likely result in heightened paranoia.

  2. Totally agree, Larry. As with other Cold Wars, folks on each side need to be clear-eyed about who the actor and adversary are, otherwise things can go sideways, fast. I worry that by blurring the lines between state-sponsored actors, cyber criminal groups, script kiddies, etc. “GRIZZLY STEPPE” increased the chance of “someone” (ooh, let’s think of who that could be) flying off the handle.