Understanding the Alleged Russian Hacking of Vermont Utility

On the evening of December 30, 2016, the Washington Post published a news story that indicated Russian-affiliated hackers infiltrated Burlington Electric Department in Vermont. On Monday, January 02, 2017, the Washington Post retracted their story. While much confusion still follows this alleged Russian hack, OATI took this story very seriously and, in accordance with our security policies and procedures, immediately investigated the report to determine what, if any, action OATI must take.
According to an online statement issued by Burlington Electric (since removed from its website), there was an indication of malicious code found on a single employee’s laptop that was not connected to actual grid operations. Other sources noted that the malicious code found on that single laptop, also referred to as “malware,” could have come from virtually anywhere. In fact, what happened was that a Burlington employee used their laptop to check email on Yahoo. This triggered a red flag because the IP address associated with the email service had, at one point, been associated with malicious activity, including the Russian hacking of the Democratic National Committee. Because IP addresses are shared and reused by many unrelated parties, researchers have concluded that Burlington was not the specific target of an attack.
In cybersecurity, the most difficult task for anyone investigating malware-related attacks is attribution. Just look at the Norse “Live Attacks” map to see a real-time visual of attacks taking place throughout the world. Within mere minutes of pulling up the attack visual, the log will be filled with thousands of potential attacks originating from a wide range of sources. Due to the nature of these cyber-attacks, the displayed origin of an attack might not be accurate, because a malicious actor can compromise a computer halfway around the world and then use that compromised computer to attack their next-door neighbor. Moreover, technology exists to hide the location of the attacker even further. Thus, the attribution of cyber-attacks can be nearly impossible.
Due to the difficulty of this cyber problem, the U.S. Government has multiple agencies investigating cyber-attacks. This is, of course, in addition to the wide range of private sector security research firms also researching cyber-attacks. The agencies, private sector research firms, private/public companies, and even individuals leverage a variety of information-sharing organizations in an effort to stay up to date with the latest threat information for the purpose of cyber threat mitigation. The report provided to Burlington Electric, which originated from research by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), is just one example of a resource for disseminating threat information.
OATI takes physical and cyber security very seriously. We have extensive security policies and procedures in place to monitor and respond to security threats. For example, OATI proactively engages a variety of information-sharing organizations and other resources on a regular basis to keep abreast of the latest cyber threat information. OATI also regularly scans all corporate networks and devices using industry-standard third-party tools as part of its standard internal practices. These efforts are in addition to a host of other robust security practices that are implemented and audited on an annual basis.
Since learning of the initial report by the Washington Post and its subsequent retraction, OATI has found no evidence of the malicious code presented in the joint DHS/FBI report providing indicators of compromise for the malware dubbed “Grizzly Steppe.” OATI implements security best practices and proactive mitigations as described by the DHS/FBI report and will continue to remain vigilant for future cyber-based attacks.
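The Burlington false positive described above (a webmail provider's IP address appearing in an indicator list) and the indicator scan OATI describes are two sides of the same procedure: matching outbound connections against a list of IP indicators of compromise and then deciding how much weight a hit deserves. The following is an added example, not code from OATI or from the DHS/FBI report. The indicator addresses, the "shared infrastructure" ranges and the log lines are all constructed from RFC 5737 documentation address space; none of them are the real Grizzly Steppe indicators. The log format, the `IOC_IPS` and `SHARED_INFRA` tables and every function name are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed indicator list using RFC 5737 documentation addresses.
# These are NOT the real GRIZZLY STEPPE indicators; they stand in for an IoC feed.
IOC_IPS: Dict[str, str] = {
    "198.51.100.7": "constructed: command-and-control address",
    "203.0.113.42": "constructed: address once seen delivering phishing mail",
}

# Constructed list of shared infrastructure (webmail, CDN, Tor exit nodes) whose
# addresses routinely appear in public indicator lists. A hit on one of these
# shows only that a host talked to a popular service, not that it was targeted.
SHARED_INFRA = {
    ipaddress.ip_network("203.0.113.0/26"): "constructed: hypothetical webmail provider",
}

# Constructed outbound-connection log format:
#   "<timestamp> <host> <src_ip> -> <dst_ip>:<port> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\S+)$"
)

# Constructed sample log: one laptop reaching a webmail address that is on the
# indicator list, the same laptop reaching an unlisted address, and an
# operations host reaching a listed address that is not shared infrastructure.
SAMPLE_LOG = """\
2017-01-03T08:12:01Z laptop-17 10.0.5.23 -> 203.0.113.42:443 ALLOW
2017-01-03T08:12:05Z laptop-17 10.0.5.23 -> 192.0.2.10:443 ALLOW
2017-01-03T09:40:11Z ops-host-2 10.1.1.8 -> 198.51.100.7:8443 ALLOW
this line is deliberately malformed
"""


@dataclass
class Finding:
    timestamp: str
    host: str
    dst: str
    indicator: str
    fidelity: str  # "high" or "low"
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format
    or that carry something other than a valid IPv4 address."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def fidelity_for(ip: str) -> Tuple[str, str]:
    """Rate an indicator hit: low if the address sits in shared infrastructure
    that many unrelated parties use, high otherwise."""
    addr = ipaddress.ip_address(ip)
    for net, label in SHARED_INFRA.items():
        if addr in net:
            return "low", f"destination is shared infrastructure ({label})"
    return "high", "destination is not known shared infrastructure"


def scan(lines: Iterable[str]) -> List[Finding]:
    """Match each connection's destination against the indicator list and
    attach a fidelity rating so analysts can triage the hits."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in IOC_IPS:
            continue
        fidelity, reason = fidelity_for(rec["dst"])
        findings.append(
            Finding(rec["ts"], rec["host"], rec["dst"], IOC_IPS[rec["dst"]], fidelity, reason)
        )
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per fidelity level."""
    return dict(Counter(f.fidelity for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.host} -> {f.dst} [{f.fidelity}] {f.indicator}; {f.reason}")
    print(summarize(scan(SAMPLE_LOG.splitlines())))
```

Run against the constructed log, the laptop's webmail connection is reported as a low-fidelity hit (the address is on the list but belongs to a service many unrelated people use), while the operations host's connection to the non-shared indicator is reported as high fidelity. The design point is that an IP indicator on its own says where a host connected, not who was behind the connection; the shared-infrastructure check is what keeps a webmail lookup from being read as a targeted intrusion.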
About the Author:
Jerrod Montoya is an innovative security expert who focuses on the intersection of the law, technology, and cybersecurity. In his role as Security and Compliance Counsel at OATI, he provides counsel on legal, policy, regulatory, and strategic matters. He also manages several internal cybersecurity-related initiatives and provides project management support for new projects in OATI’s rapidly expanding Smart Grid area. He is President of the InfraGard Minnesota Members Alliance, an FBI-sponsored nonprofit that fosters critical infrastructure security through public/private collaboration, as well as an adjunct associate professor at the University of Minnesota Law School and Mitchell Hamline School of Law, where he teaches courses on cybersecurity law. Mr. Montoya is also an advisor to the Cybersecurity Summit. Previously, he served as a non-commissioned officer in the U.S. Marine Corps.