The Washington Post has walked back a story claiming Russian malware was found in the systems of a Vermont utility. The paper earlier linked it to the same operation US officials say was used to interfere with the 2016 presidential election, and flagged it as a potentially larger threat to the nation’s power grid.
To some in the security community, it’s just the latest example of people rushing to judgment when it comes to Russia’s hacking operations.
The Obama Administration has fueled the fire, releasing what it called proof of election hacking and expelling Russian diplomats in retaliation. Security experts who’ve analyzed the reports are more than a little skeptical.
They say the government’s analysis of election hacking is more theory than proof. And, they say, the media has seriously overhyped the power grid story.
Hacking the power grid
It’s not that security experts don’t see risks to the US power grid. They’ve been analyzing the vulnerabilities and warning of danger for years. But stories making the rounds in such major publications as The Washington Post and Wall Street Journal show a serious lack of perspective and understanding, they say.
The initial Washington Post story, for example, reported that Russian code associated with the hacking operation Grizzly Steppe was detected in the system of Vermont utility Burlington Electric. From the article:
While the Russians did not actively use the code to disrupt operations, according to officials who spoke on the condition of anonymity to discuss a security matter, the discovery underscores the vulnerabilities of the nation’s electrical grid. And it raises fears in the US government that Russian government hackers are actively trying to penetrate the grid to carry out potential attacks.
Lawrence M Walsh, CEO and chief analyst at New York-based business strategy firm the 2112 Group, said that before people panic over the discovery of Grizzly Steppe malware in the Vermont power grid, a few things must be taken into account:
- The malware in question is quite common.
- The US has known about power grid vulnerabilities for more than a decade.
- The US has its fingers on the light switches in Russia, China, Iran and Mozambique. In other words, nations hacking nations is an old story in which the US is a chief protagonist.
“Don’t get all worked up over this and the many sensational news reports to come as they make more such discoveries,” Walsh says. “The puppet masters are just showing you what’s behind the curtain; this is the current world order of which we’re largely and blissfully ignorant.”
The Obama administration last week issued what it called a sweeping report detailing Russian efforts to interfere with the US presidential election and ordered new sanctions that included the expulsion of 35 Russians. The belief is that Russia sought to interfere with the election in favor of a Trump victory.
As part of the announcement, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a document with technical details on the tools and infrastructure used by the Russian civilian and military intelligence Services (RIS) to compromise and exploit networks and endpoints associated with the election. This is the document in which the US refers to the activity as Grizzly Steppe.
Dave Kennedy, CEO and founder at TrustedSec, an information security consultancy based near Cleveland, Ohio, said the documentation falls short on cold, hard evidence. The material is devoid of proof that Russia hacked the election. It merely points to the hacking of the Democratic National Committee (DNC), along with unsuccessful attempts to hack the Republican National Committee (RNC).
“There’s no evidence regarding the DNC leak causing any disruptions to voter opinion or changing votes,” Kennedy says. “The hacks did reveal that the DNC threw the election to Hillary and gave Bernie zero chance to win.”
In an Ars Technica article, Dan Goodin says the White House failed to make its case. He writes:
Sadly, the JAR, as the Joint Analysis Report is called, does little to end the debate. Instead of providing smoking guns that the Russian government was behind specific hacks, it largely restates previous private-sector claims without providing any support for their validity. Even worse, it provides an effective bait and switch by promising newly declassified intelligence into Russian hackers’ “tradecraft and techniques” and instead delivering generic methods carried out by just about all state-sponsored hacking groups.
Careful who you poke
Experts are also quick to point out that American outrage over what happened is more than a little hypocritical.
“We hack countries all the time – all day, every day,” Kennedy says. “I’m not saying we shouldn’t retaliate, as we should with any incursion. I am saying that doing so publicly like this is dangerous. They also didn’t hack a government entity, they hacked political party emails – mind you, with a 1990s-style cred harvesting attack.”
Kennedy says the US must be careful who it pokes and how, and that evidence must be more ironclad.
“I’m all for showing signs of strength,” he said. “I’m not cool with landing us possibly into another cold war or worse.”