Foreign Attempt to 'Hack' Vermont Municipal Falls Short

January 3, 2017

By Paul Ciampoli 
APPA News Director

After detecting suspicious internet traffic that federal officials say has been linked to a Russian campaign tied to recent hacks, Vermont’s Burlington Electric Department acted quickly to isolate a single laptop on which the suspicious traffic was detected and reported the discovery to the federal government. The laptop was not connected to the Burlington Electric Department’s grid systems and the utility was not hacked, the Burlington Electric Department noted.

In a website message to customers and residents, Neale Lunderville, general manager of the Burlington Electric Department, said that on the night of Dec. 29, the utility was alerted by the Department of Homeland Security to IP addresses and malware code used in Grizzly Steppe, a Russian campaign linked to recent hacks.

“We acted quickly to scan all computers in our system for the malware signature. We detected suspicious Internet traffic in a single Burlington Electric Department computer not connected to our organization’s grid systems,” Lunderville said.

The utility took immediate action to isolate the laptop and alerted federal officials of this finding. “There is no indication of compromise to customer information or to the security of our system,” Lunderville reiterated.

“Our team takes the issue of cybersecurity very seriously and routinely assesses our systems for vulnerabilities with assistance from outside experts,” he said, noting that the utility is working with federal and state officials to prevent any other attempts to infiltrate utility systems across the sector.

Burlington Electric Department was not hacked

In a Dec. 31 statement, the utility said that cybersecurity is an issue that the Burlington Electric Department and all U.S. utilities take very seriously “and on which we focus every day to protect the integrity of the electric grid and the personal information of our valued customers.”

The utility went on to note that federal officials have indicated that the specific type of Internet traffic, related to recent malicious cyber activity reported by the Burlington Electric Department on Dec. 30, also has been observed elsewhere in the country and is not unique to the utility.

“It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country,” the statement went on to say.

“At Burlington Electric, where we take great pride in conveying timely and accurate information, we want our community to know that there is no indication that either our electric grid or customer information has been compromised. Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false,” the statement said.

The Washington Post was the first news outlet to report the Burlington Electric Department discovery on Dec. 31. Several other news outlets, including the Associated Press and CNN, subsequently reported on the discovery.

The Washington Post subsequently posted an Editor’s Note that “An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far.” The Editor’s Note also noted that the computer at Burlington Electric was not attached to the grid.

Federal joint analysis report includes indicators of compromise

Burlington Electric Department detected the suspicious internet traffic after receiving federal government guidance detailed in a joint analysis report, released on Dec. 29.

In October, the DHS and the Office of the Director of National Intelligence issued a joint statement that the U.S. intelligence community was confident that the Russian government had directed the recent compromises of e-mails from U.S. persons and institutions, including from U.S. political organizations.

The DHS and the Federal Bureau of Investigation on Dec. 29 released the JAR, which the federal government said further expands on the October statement by providing details of the tools and infrastructure used by Russian intelligence services to compromise and exploit networks and infrastructure associated with the recent U.S. election, as well as a range of U.S. government, political and private sector entities.

“This activity by Russian intelligence services is part of a decade-long campaign of cyber-enabled operations directed at the U.S. government and its citizens,” the DHS, the FBI and the Office of the Director of National Intelligence said in a Dec. 29 joint statement.

These cyber operations have included spear phishing campaigns targeting government organizations, critical infrastructure, think tanks, universities, political organizations, and corporations; theft of information from these organizations; and the recent public release of some of this stolen information, the DHS, the FBI and the Office of the Director of National Intelligence said in the joint statement.

In other countries, Russian intelligence services “have also undertaken damaging and disruptive cyber-attacks, including on critical infrastructure, in some cases masquerading as third parties or hiding behind false online personas designed to cause the victim to misattribute the source of the attack,” the joint statement said.

The JAR provides technical indicators related to many of these operations, recommended mitigations and information on how to report such incidents to the U.S. government.

“We encourage security companies and private sector owners and operators to look back within their network traffic for signs of the malicious activity described in the Joint Analysis Report,” the DHS, the FBI and the Office of the Director of National Intelligence said in their joint statement. “We also encourage such entities to utilize these indicators in their proactive defense efforts to block malicious cyber activity before it occurs.” 

Additional information about the JAR, which includes a section on indicators of compromise, can be found here.

The American Public Power Association and other trade associations, in coordination with the senior leadership of the Electricity Subsector Coordinating Council, have met with the Department of Energy to discuss actions utilities should take in response to the recent report on Russian cyber activity.

The Association kept member utilities updated on the rapidly evolving situation and sent alerts to all of its members on Dec. 30 and Dec. 31. 

President Obama on Dec. 29 issued a statement detailing various actions his administration is taking in response to what he called the Russian government’s “aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election.”

Sen. John McCain, R-Ariz., chairman of the Senate Armed Services Committee, has scheduled a hearing on cyber threats for Jan. 5, according to several media reports. The hearing will include an examination of Russian hacking, according to the media reports.

Industry, government collaboration on cyber, physical threats

The electricity sector, including the public power community, works on an ongoing basis with its government partners on a wide variety of cyber and physical security issues.

The Electricity Information Sharing and Analysis Center, in collaboration with the DOE and the ESCC, serves as the primary security communications channel for the electricity sector and enhances the sector's ability to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents.

“It is vital that public power utilities, no matter what size, take full advantage of all that E-ISAC has to offer in the way of cyber and physical security information,” said Sue Kelly, president and CEO of the American Public Power Association. 

Nathan Mitchell, the Association’s senior director, electric reliability standards and security, noted that the quick action and reporting by Burlington Electric Department underscores that the industry-government partnership is effective and the cyber threat information sharing processes the ESCC has put in place are working well.

Public power plays a prominent role in the ESCC and is actively involved with E-ISAC activities. Kevin Wailes, administrator and CEO of Lincoln Electric System, serves as co-chair of the ESCC, while Sue Kelly serves on the ESCC steering committee, along with Gerry Cauley, president and CEO of the North American Electric Reliability Corporation, and several other trade association and power industry officials. 

The ESCC also includes CEO-level representatives of asset owners from investor-owned utilities and cooperatives, as well as public power utilities – Scott Miller, general manager of City Utilities of Springfield, Missouri; John Bilda, general manager for Norwich Public Utilities in Connecticut; and Lonnie Carter, president and CEO of Santee Cooper in South Carolina. Wailes, Miller and Bilda serve on the Association’s board of directors.

Brian Skelton, general manager of Tennessee’s Tullahoma Utilities Board, serves as a cross-sector representative for telecommunications on the ESCC.

In the summer of 2016, the DOE said it would provide up to $15 million over three years to support efforts by the American Public Power Association and the National Rural Electric Cooperative Association to enhance the culture of security within their utility members’ organizations.
 
