# News Russian Code Found In US Utility Computer

1. Dec 31, 2016

### zoobyshoe

https://www.washingtonpost.com/worl...c2a61b0436f_story.html?utm_term=.3d3f0ce2546f

Source: Signs of Russian Hack Found in Vermont Utility System | NBC Chicago http://www.nbcchicago.com/news/nati...fficials-Believe-408886385.html#ixzz4URceJ855

Last edited: Dec 31, 2016
2. Dec 31, 2016

### Staff: Mentor

I wonder what makes a code Russian? Hacking in plain text? Only the alphabet which also Bulgarians use? My coding has always been mostly English. Did it make it American? Sometimes I coded French ...

3. Dec 31, 2016

### nsaspook

4. Dec 31, 2016

### StevieTNZ

The spread of fake news, especially those stories picked up by 'legit' news sources and published, is frightening. Such stories could lead to tension between countries if it is claimed 'x' said and is going to 'y' to 'z', and then we have 'z''s response. I do know some politician from Israel, I believe it was, saw a story and tweeted about it as if it was true. Turned out to be fake. I'll have to try and track that down.

5. Dec 31, 2016

### zoobyshoe

If it is actually a non-event, the Washington Post is not to blame. Their story was based on the utility's report:

https://www.burlingtonelectric.com/news/3908/Burlington-Electric-Department-Statement-in-Response-to-Reports-of-Russian-Hacking-of-Vermont-Electric-Grid [Broken]

Whose scan of their equipment was instigated by this:

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY STEPPE-2016-1229.pdf

Last edited by a moderator: May 8, 2017
6. Dec 31, 2016

### nsaspook

I don't consider the Washington Post a link site that just copies information. I would hope their journalistic standards would require them to check primary sources before making fantastic claims of Russia hacking the Vermont Electric Grid. The Vermont Burlington Electric Department Statement seems to have been issued after the first WaPo story, not before. So a 'government' official was their original source, it seems.

Last edited by a moderator: May 8, 2017
7. Dec 31, 2016

### zoobyshoe

Where are you getting this timeline?

8. Dec 31, 2016

### nsaspook

This implies a WaPo story -> Burlington Electric statement sequence but there are no time-stamps to prove it.

9. Dec 31, 2016

### zoobyshoe

Two separate things here: The official utility statement:

https://www.burlingtonelectric.com/news/3908/Burlington-Electric-Department-Statement-in-Response-to-Reports-of-Russian-Hacking-of-Vermont-Electric-Grid [Broken]

which preceded and precipitated the WashPost story, and the same utility's later statement to the Burlington Free Press, which came after the WashPost story.

Last edited by a moderator: May 8, 2017
10. Dec 31, 2016

### nsaspook

If that timing is correct then where did the Washington Post headline of hacking the grid come from? None of the Burlington stories say this hacked computer was anywhere near the power grid control systems.
http://www.cnn.com/2016/12/30/us/grizzly-steppe-malware-burlington-electric/index.html

"The Washington Post first reported the existence of the malicious software."

Last edited by a moderator: May 8, 2017
11. Dec 31, 2016

### zoobyshoe

You are correct. The 'hyperbolic headline' was an obviously sensationalized take on the news.

The story does, however, report the less sensational facts:

Which is what always happens: sensational headline pulls you into reading what ends up being a much less sensational story. Which is why my thread title was toned down from the WP headline.

Regardless, I don't see any mainstream media outlets suggesting the malware might have gotten on that laptop "innocently." Your links are the first sources I encountered that suggest it needn't have gotten there directly from a Russian hacker. So, good catch. I'm still not going to blame the WP, though, since the source of any undue alarm would seem to be the FBI/Homeland Security hypervigilance about what constitutes dangerous code in this situation.

12. Dec 31, 2016

### nsaspook

I would use the same words they did about the original story that was changed later to fit reality more closely: incorrect, as in "false" and "not true".

13. Dec 31, 2016

### anorlunda

In the Washpost story, the facts do not come out until paragraph three. They were preceded by a very scary headline and paragraphs 1 and 2.
I'm willing to believe that the malware found was of Russian origin. But hackers share malware freely and excerpt and morph it to fit their needs. The Stuxnet virus, supposedly of US Government origin, is like that. Finding a snippet of Stuxnet code on an infected computer today is very weak evidence that the US Government put it there.

Here is the point IMO. Bad guys can very simply and cheaply use hacking to spread fear in our country, to erode trust in our institutions, and to cause us to spend our money foolishly. Measured in terms of money, it is asymmetric to the extreme. Security vendors salivate over prospective sales of \$100-\$150 billion in smart grid or cyber security hardware and software. It might have cost the bad guys less than \$10 to get the malware on the Vermont computer. That suggests a leverage of $10^{10}$. Readers may wish to argue for a lower number, perhaps $10^3$. But we should all agree that the gain is very much bigger than 1, thus asymmetric in favor of the attacker.

Next, I think back to the so-called Strategic Defense Initiative of the Reagan years (known as Star Wars). It has been said that Star Wars was the straw that broke the back of the Soviet Union. Perhaps Star Wars was genuine, or perhaps it was an insanely successful ruse. No matter. That little packet of information, true or false, achieved what 30,000 nuclear warheads over the span of 40 years did not accomplish. It was asymmetric to the extreme.

It seems entirely plausible that the Russians, North Koreans, Iranians, or other enemies can have a field day practicing asymmetric cyberwar with the USA. The beauty of the scheme is that they do not need to ever succeed in causing a blackout or anything else with physical reality. All they need to do is to destabilize our society with anxiety. If we accept that the Russians did meddle with the US election, then destabilization rather than election of Trump seems to be a much more believable motive. Hundreds of millions of Trump opponents, still stinging with disappointment, are willing to jump on that destabilizing wagon at this moment in time. The media are also willing participants because scare sells almost as well as sex sells.

It may be true that the USA is more skilled than any other country in offensive cyberwar capability. But it is also true that we are more vulnerable because (a) we are so computer dependent, and (b) because our free speech traditions allow the media megaphone to amplify fears and concerns. The USSR in the 1980s was vulnerable in different socioeconomic ways. Star Wars was merely the trigger, not the total cause of Soviet Union collapse.

What can we do? We can't repeal the 1st amendment. But we can and should solicit the cooperation of the media. Using today's Washington Post article as an example, all that would be needed would be to make the raw facts appear first. Make facts the first paragraph; keep the headline factual. The authors would still be free to embellish, speculate, explain and extrapolate about scary possibilities, but the editors could simply move those to paragraph 20 of the story. It is ironic to note that other countries with weaker free press traditions (including much of Western Europe) would find it easier to do than we would.

It is my opinion that if we could accomplish that simple change in how we emphasize and highlight news stories, that the USA would become less vulnerable.

There are other non-cybersecurity things that we can do to make ourselves less vulnerable, but I'll leave those for another day.

14. Dec 31, 2016

### zoobyshoe

No doubt you would. But you are crying "fake news," laying it at the Washington Post's doorstep, and missing the alarm that was merely reported by the WP and not caused by the WP. For example, this alarm, caused, apparently, by a briefing by the Vermont State Police:

15. Dec 31, 2016

### zoobyshoe

Good idea, but it is one of those von Neumann ideas that requires all players to be rational.

16. Dec 31, 2016

### nsaspook

Yes, I'm laying it at the Washington Post's doorstep; they published the story first with that misleading headline.

17. Dec 31, 2016

### zoobyshoe

'FAKE NEWS' CRIES FOLLOW DISCOVERY OF RUSSIAN MALWARE AT VERMONT UTILITY

http://www.newsweek.com/fake-news-cries-discovery-russian-malware-vermont-utility-537567

In other words, the "fake news" cry is itself suspect, coming primarily from a well known "hacking denier."

18. Dec 31, 2016

### nsaspook

"hacking denier."
That's just a ridiculous comment if you've actually read what Glenn Greenwald wrote in that article. I know the Russians are hacking our networks just like we are hacking theirs. Do you actually think that US or Russian state operated intelligence services would be caught dead using code with such an obvious known signature and IP paths to known hacking sites in a possible cyber-attack on critical infrastructure? This WaPo story seems so naively pathetic in its understanding of the basic facts in this story (or of computer security in general) that it hurts their normally good reporting on other subjects.

Last edited: Dec 31, 2016
19. Dec 31, 2016

### zoobyshoe

Good quote from Greenwald.

My point is that the WP should not be faulted for reporting what was already in place when it was contacted. It repeated "hysteria" already in place in Vermont, that was actually caused by the FBI/Homeland Security's ideas about what constitutes dangerous code. Why isn't anyone faulting the utility company for reporting the code to the authorities? Shouldn't their computer people have known the presence of this code was neither here nor there? Seems like you're being selective about who in the chain you're deciding to say should have fact-checked better.

20. Dec 31, 2016

### nsaspook

If you work in an industry that has been declared 'critical infrastructure' then you don't have much leeway to ignore sending positive findings to DHS from security audits and testing data. Testing was requested by someone, it was done, and one laptop had some random virus from an unknown source that matched the signature (a similarity) of previously found malware. The utility company did its job and I see no indication the utility was the original source of this story (listed as unnamed government officials) because most companies would never talk to the press about a possible computer intrusion unless it leaked. If someone did, it would be about the last thing they would do for that company if found out.
The ORIGINAL article.
http://archive.is/8AEHq [Broken]

Last edited by a moderator: May 8, 2017