The news stories surrounding the alleged hack of Burlington Electric Department by Russian hacking group Grizzly Steppes have created interesting headlines. The story came to light over the last few days of 2016 and is covered in a series of press releases from the company. It demonstrates how dealing with one attack can often expose another. It also shows the need for accurate information in these circumstances.
The most important thing about this is that it demonstrates the need for good incident reporting. This is not just about getting information out quickly. It also requires correcting any bad information with a timely and accurate response.
2015 and 2016 saw an increase in high profile attacks. Most of these were made worse through bad communication. This is more than just poorly briefed executives talking to the press. It also deals with the use of false information to control a story. The incident response from Burlington Electric Department is an example of how to do better.
Phone scammers demanding money
This story starts with a warning issued on December 27 alerting customers to a phone scam. Customers of both Burlington Electric Department and Green Mountain Power were targeted. The calls mainly targeted restaurants and threatened disconnection if fictitious bills were not paid. Both organisations issued alerts to their customers, including advice on what to do if they received any such calls.
DHS alerts to Russian hacker threat
On December 30, Burlington Electric Department was notified by the Department of Homeland Security of malware code linked to a Russian hacking group, Grizzly Steppes. It responded by posting a press release from Mike Kanarick, Director of Customer Care, on its website. In it Kanarick gave details of the action the company took after it received the alert.
Kanarick said: “We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding. Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems. We have briefed state officials and will support the investigation fully.”
The response to the DHS announcement of the threat predictably led to stories about threats to the US power grid. What wasn’t expected was that the following day Kanarick would publish an updated release about the incident. He said that Burlington Electric Department were not the only company notified by DHS. He also said: “It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country.”
Getting ahead of the story
One of the challenges with this story is working out what actually happened. The phone scam is confirmed. The laptop with malware on it is confirmed. The attack on the US power grid appears to be an overreach by an overzealous media officer at the DHS.
The good news is that Burlington Electric Department has a well-rehearsed incident response process. This is shown in the speed with which it responded to the phone scam and the initial DHS briefing. It is also shown by the speed of the correction once it was established that the DHS data was inaccurate.
What is less clear is the role of the infected laptop. It appears, at the moment, that it is the likely source of the customer data used in the telephone scam. However, Kanarick has not confirmed this. What he has said is: “Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false.” He needs to provide more details on the malware found on the laptop before his statement about hacking can be taken for granted.
This was and still is a fast-moving story. It now appears that there was no direct attack on the US power grid. Burlington Electric Department has shown that it is possible to deal with a cyber incident quickly and effectively. While there is still a question over the compromised laptop, the story will stay live.
It will be interesting to see what happens next. There are certainly questions to be asked of DHS about why they alleged the US power grid was under attack without any proof. This level of poor communication doesn’t help anyone. It often leads to alert fatigue where people fail to respond to critical incidents effectively.