Malware found at Burlington Electric Department not connected to grid

Sat, 12/31/2016 - 10:46am -- tim

Vermont Business Magazine. Based on an alert from the US Department of Homeland Security, Burlington Electric Department confirmed that late Thursday it had discovered presumed Russian malware on one of its laptops, which was not connected to its network. Homeland Security issued the alert to all US utilities.

A statement from BED Saturday said: "Cybersecurity is an issue that the Burlington Electric Department and all US utilities take very seriously and on which we focus every day to protect the integrity of the electric grid and the personal information of our valued customers. 

"Federal officials have indicated that the specific type of Internet traffic, related to recent malicious cyber activity that was reported by us yesterday, also has been observed elsewhere in the country and is not unique to Burlington Electric. It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.

"At Burlington Electric, where we take great pride in conveying timely and accurate information, we want our community to know that there is no indication that either our electric grid or customer information has been compromised. Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false.

"We want to thank our customers for their continued confidence and trust in Burlington Electric."

A statement from BED Friday said: "Last night, US utilities were alerted by the Department of Homeland Security (DHS) of a malware code used in Grizzly Steppe, the name DHS has applied to a Russian campaign linked to recent hacks. We acted quickly to scan all computers in our system for the malware signature. We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding. Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems. We have briefed state officials and will support the investigation fully."

Russia has also been implicated by the Obama Administration in cyber-operations to influence the US presidential election. Governor Peter Shumlin issued a scathing statement against Russia and Russian President Putin: “We’ve been in touch with the federal government, state officials, and Vermont’s utilities on this matter. Vermonters and all Americans should be both alarmed and outraged that one of the world's leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health, and safety. This episode should highlight the urgent need for our federal government to vigorously pursue and put an end to this sort of Russian meddling. I call upon the federal government to conduct a full and complete investigation of this incident and undertake remedies to ensure that this never happens again.”

Other Vermont politicians also weighed in.

US Senator Patrick Leahy (D-Vermont): "State-sponsored Russian hacking is a serious threat, and the attempts to penetrate the electric grid through a Vermont utility are the latest example. My staff and I were briefed by Vermont State Police Colonel Matthew Birmingham this evening. This is beyond hackers having electronic joy rides – this is now about trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter. That is a direct threat to Vermont and we do not take it lightly."

Representative Peter Welch (D-VT) said: "This attack shows how rampant Russian hacking is. It's systemic, relentless, predatory. They will hack everywhere, even Vermont, in pursuit of opportunities to disrupt our country. We must remain vigilant, which is why I support President Obama's sanctions against Russia and its attacks on our country and what it stands for."

Green Mountain Power said in a statement that it did not find any malware: "Green Mountain Power did not self-report a security incident. Our teams have done a complete systems check and found no security concerns. GMP was also recently thoroughly reviewed for safety by the U.S. Department of Homeland Security. The company will continue to rigorously monitor our system and remain vigilant."

Vermont Electric Cooperative issued a statement also saying that no malware was discovered: "In regard to the recent Department of Homeland Security malware code alert, VEC has no evidence of a threat to our system.  VEC recently participated in a rigorous Risk Vulnerability Assessment with the Department of Homeland Security and has complied with the White House security protocol, C2M2, since 2012. Cyber security is part of our overall safety program which involves review by the Department of Homeland Security, the FBI and the Vermont National Guard.  VEC will continue to work diligently to ensure we reduce the odds of a cyber-attack."

The Obama Administration’s Response to Russia

On Thursday, President Obama authorized actions in response to the Russian government’s aggressive harassment of US officials and cyber operations aimed at the US election and other cyber-attacks attributed to Russia.

President Obama authorized a number of actions in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election in 2016. Russia’s cyber activities were intended to influence the election, erode faith in U.S. democratic institutions, sow doubt about the integrity of our electoral process, and undermine confidence in the institutions of the U.S. government. These actions are unacceptable and will not be tolerated.

The President released the following statement regarding Thursday's actions:

"Today, I have ordered a number of actions in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at the U.S. election. These actions follow repeated private and public warnings that we have issued to the Russian government, and are a necessary and appropriate response to efforts to harm U.S. interests in violation of established international norms of behavior.

All Americans should be alarmed by Russia’s actions. In October, my Administration publicized our assessment that Russia took actions intended to interfere with the U.S. election process. These data theft and disclosure activities could only have been directed by the highest levels of the Russian government. Moreover, our diplomats have experienced an unacceptable level of harassment in Moscow by Russian security services and police over the last year. Such activities have consequences. Today, I have ordered a number of actions in response.

I have issued an executive order that provides additional authority for responding to certain cyber activity that seeks to interfere with or undermine our election processes and institutions, or those of our allies or partners. Using this new authority, I have sanctioned nine entities and individuals: the GRU and the FSB, two Russian intelligence services; four individual officers of the GRU; and three companies that provided material support to the GRU’s cyber operations. In addition, the Secretary of the Treasury is designating two Russian individuals for using cyber-enabled means to cause misappropriation of funds and personal identifying information. The State Department is also shutting down two Russian compounds, in Maryland and New York, used by Russian personnel for intelligence-related purposes, and is declaring “persona non grata” 35 Russian intelligence operatives. Finally, the Department of Homeland Security and the Federal Bureau of Investigation are releasing declassified technical information on Russian civilian and military intelligence service cyber activity, to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities.

These actions are not the sum total of our response to Russia’s aggressive activities. We will continue to take a variety of actions at a time and place of our choosing, some of which will not be publicized. In addition to holding Russia accountable for what it has done, the United States and friends and allies around the world must work together to oppose Russia’s efforts to undermine established international norms of behavior, and interfere with democratic governance. To that end, my Administration will be providing a report to Congress in the coming days about Russia’s efforts to interfere in our election, as well as malicious cyber activity related to our election cycle in previous elections."

Here are some of the ways in which President Obama is taking action:

Sanctioning Malicious Russian Cyber Activity

In response to the threat to U.S. national security posed by Russian interference in our elections, the President has approved an amendment to Executive Order 13964. As originally issued in April 2015, this Executive Order created a new, targeted authority for the U.S. government to respond more effectively to the most significant of cyber threats, particularly in situations where malicious cyber actors operate beyond the reach of existing authorities. The original Executive Order focused on cyber-enabled malicious activities that:

  • Harm or significantly compromise the provision of services by entities in a critical infrastructure sector;
  • Significantly disrupt the availability of a computer or network of computers (for example, through a distributed denial-of-service attack); or
  • Cause a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain (for example, by stealing large quantities of credit card information, trade secrets, or sensitive information).

Responding to Russian Harassment of U.S. Personnel

Over the past two years, harassment of our diplomatic personnel in Russia by security personnel and police has increased significantly and gone far beyond international diplomatic norms of behavior. Other Western Embassies have reported similar concerns. In response to this harassment, the President has authorized the following actions:

Today the State Department declared 35 Russian government officials from the Russian Embassy in Washington and the Russian Consulate in San Francisco “persona non grata.” They were acting in a manner inconsistent with their diplomatic status. Those individuals and their families were given 72 hours to leave the United States.

In addition to this action, the Department of State has provided notice that as of noon on Friday, December 30, Russian access will be denied to two Russian government-owned compounds, one in Maryland and one in New York.

Raising Awareness About Russian Malicious Cyber Activity

The Department of Homeland Security and Federal Bureau of Investigation are releasing a Joint Analysis Report (JAR) that contains declassified technical information on Russian civilian and military intelligence services’ malicious cyber activity, to better help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities.

  • The JAR includes information on computers around the world that Russian intelligence services have co-opted without the knowledge of their owners in order to conduct their malicious activity in a way that makes it difficult to trace back to Russia. In some cases, the cybersecurity community was aware of this infrastructure; in other cases, this information is newly declassified by the U.S. government.
  • The report also includes data that enables cyber security firms and other network defenders to identify certain malware that the Russian intelligence services use. Network defenders can use this information to identify and block Russian malware, forcing the Russian intelligence services to re-engineer their malware. This information is newly de-classified.
  • Finally, the JAR includes information on how Russian intelligence services typically conduct their activities. This information can help network defenders better identify new tactics or techniques that a malicious actor might deploy or detect and disrupt an ongoing intrusion.

As the Administration stated today, cyber threats pose one of the most serious economic and national security challenges the United States faces today. For the last eight years, this Administration has pursued a comprehensive strategy to confront these threats. And as we have demonstrated by these actions today, we intend to continue to employ the full range of authorities and tools, including diplomatic engagement, trade policy tools, and law enforcement mechanisms, to counter the threat posed by malicious cyber actors, regardless of their country of origin, to protect the national security of the United States.

Sources: BED 12.30.2016, 12.31.2016. Governor Shumlin 12.31.2016. VEC 12.30.2016. Senator Leahy 12.30.2016. Congressman Welch 12.30.2016. The White House 12.29.2016.