Upon receiving the DHS-FBI report the Burlington Electric Company network security team immediately ran searches of its computer logs using the lists of IP addresses it had been provided. When one of IP addresses cited in the report as an indicator of Russian hacking was found on the logs, the utility immediately called DHS to inform it as it had been instructed to do by DHS.
Washington Post
(Image by (From Wikimedia) Daniel X. O'Neil from USA, Author: Daniel X. O'Neil from USA) Details Source DMCA
In fact, the IP address on the Burlington Electric Company's computer was simply the Yahoo e-mail server, according to Lee, so it could not have been a legitimate indicator of an attempted cyber-intrusion. That should have been the end of the story. But the utility did not track down the IP address before reporting it to DHS. It did, however, expect DHS to treat the matter confidentially until it had thoroughly investigated and resolved the issue.
"DHS wasn't supposed to release the details," said Lee. "Everybody was supposed to keep their mouth shut."
Instead, a DHS official called The Washington Post and passed on word that one of the indicators of Russian hacking of the DNC had been found on the Burlington utility's computer network. The Post failed to follow the most basic rule of journalism, relying on its DHS source instead of checking with the Burlington Electric Department first. The result was the Post's sensational Dec. 30 story under the headline "Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say."
DHS officials evidently had allowed the Post to infer that the Russians hack had penetrated the grid without actually saying so. The Post story said the Russians "had not actively used the code to disrupt operations of the utility, according to officials who spoke on condition of anonymity in order to discuss a security matter," but then added, and that "the penetration of the nation's electrical grid is significant because it represents a potentially serious vulnerability."
The electric company quickly issued a firm denial that the computer in question was connected to the power grid. The Post was forced to retract, in effect, its claim that the electricity grid had been hacked by the Russians. But it stuck by its story that the utility had been the victim of a Russian hack for another three days before admitting that no such evidence of a hack existed.
The day after the story was published, the DHS leadership continued to imply, without saying so explicitly, that the Burlington utility had been hacked by Russians. Assistant Secretary for Pubic Affairs J. Todd Breasseale gave CNN a statement that the "indicators" from the malicious software found on the computer at Burlington Electric were a "match" for those on the DNC computers.
As soon as DHS checked the IP address, however, it knew that it was a Yahoo cloud server and therefore not an indicator that the same team that allegedly hacked the DNC had gotten into the Burlington utility's laptop. DHS also learned from the utility that the laptop in question had been infected by malware called "neutrino," which had never been used in "GRIZZLY STEPPE."
Only days later did the DHS reveal those crucial facts to the Post. And the DHS was still defending its joint report to the Post, according to Lee, who got part of the story from Post sources. The DHS official was arguing that it had "led to a discovery," he said. "The second is, 'See, this is encouraging people to run indicators.'"
Original DHS False Hacking Story
The false Burlington Electric hack scare is reminiscent of an earlier story of Russian hacking of a utility for which the DHS was responsible as well. In November 2011, it reported an "intrusion" into a Springfield, Illinois water district computer that similarly turned out to be a fabrication.
Red Square in Moscow with a winter festival to the left and the Kremlin to the right.
(Image by (Photo by Robert Parry)) Details DMCA
Like the Burlington fiasco, the false report was preceded by a DHS claim that U.S. infrastructure systems were already under attack. In October 2011, acting DHS deputy undersecretary Greg Schaffer was quoted by The Washington Post as warning that "our adversaries" are "knocking on the doors of these systems." And Schaffer added, "In some cases, there have been intrusions." He did not specify when, where or by whom, and no such prior intrusions have ever been documented.
On Nov. 8, 2011, a water pump belonging to the Curran-Gardner township water district near Springfield, Illinois, burned out after sputtering several times in previous months. The repair team brought in to fix it found a Russian IP address on its log from five months earlier. That IP address was actually from a cell phone call from the contractor who had set up the control system for the pump and who was vacationing in Russia with his family, so his name was in the log by the address.
Without investigating the IP address itself, the utility reported the IP address and the breakdown of the water pump to the Environmental Protection Agency, which in turn passed it on to the Illinois Statewide Terrorism and Intelligence Center, also called a fusion center composed of Illinois State Police and representatives from the FBI, DHS and other government agencies.
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).