Suspicious activity detected on a Vermont-based utilities company laptop last week may not have been linked to Russian hackers, The Washington Post says today. That's a reversal on a report published by the Post last week, in which it said that US officials had found evidence of Russian malware on a computer at the Burlington Electric Department, code linked to a hacking operation codenamed "Grizzly Steppe" by US intelligence officers.
The alert was reportedly triggered when a Burlington Electric Department employee noticed his computer had connected to a suspicious IP address while checking his Yahoo email inbox. The IP address in question had previously been associated with Grizzly Steppe — the operation connected to the DNC email hack last year — but experts and officials close to the investigation now say that the traffic may have been benign.
Traffic with the noted IP address has been found elsewhere in the United States and is not always linked with malicious activity, indicating that the Burlington discovery wasn't a sign of a targeted attack. The Post also reports that officials found a suite of malware on the laptop, a more standard criminal package known as "Neutrino," which is not believed to be connected to any Russian hacking operations.
The Post originally reported that Russian hackers had breached the US electrical grid with the apparent attack, but according to the Burlington Electric Department itself, the laptop in question was not connected to the utilities system. "The grid is not in danger," Vermont Public Service Commissioner Christopher Recchia said at the time, specifying that monitoring utilities "flagged it, saw it, notified appropriate parties and isolated that one laptop with that malware on it."
In a bid to inform companies about the risk of cyberattacks coming from abroad, the FBI and the Department of Homeland Security released a report last week that contained a list of suspicious IP addresses — a list that presumably included the address discovered by Burlington Electric Company employees. The report gave advice on how to proceed if such indicators were discovered, but warned against assuming every IP it mentioned was a stone-cold indicator of a hacking operation, with a note saying that “upon reviewing the traffic from these IPs, some traffic may correspond to malicious activity, and some may correspond to legitimate activity.”
The report was still criticized, however, for featuring too broad a swathe of IPs, with 30 percent of the addresses being benign proxies or servers used by companies like Amazon and Yahoo. Experts warned that the report may cause people to jump to early conclusions — as apparently happened in Vermont — but a Department of Homeland Security official said the document was “precisely the type of information DHS should be sharing, particularly since we know that cybersecurity capabilities differ among companies and organizations.”
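As an added illustration of the triage problem behind the report's own caveat (this is example code, not from the article or from any agency), the Python script below scores hits against an indicator list whose entries are annotated as shared commercial infrastructure or not, and uses how many hosts across a fleet touch the same address to separate likely legitimate traffic from hits worth escalating. The indicator list, the log format and all addresses are constructed for the example.

```python
"""Triage IP-indicator hits from a threat report whose list mixes
attacker-controlled hosts with widely used commercial infrastructure."""
from collections import defaultdict

# Constructed indicator list modelled on the kind of report described above.
# RFC 5737 documentation-range addresses; these are not real indicators.
IOC_LIST = {
    "203.0.113.10": {"shared": False, "note": "attacker-controlled host"},
    "198.51.100.7": {"shared": True, "note": "commercial proxy / webmail edge"},
}

# Constructed proxy log lines: "<host> <dest_ip> <dest_port> <bytes_out>"
SAMPLE_LOGS = [
    "laptop-07 198.51.100.7 443 1200",
    "desk-12 198.51.100.7 443 900",
    "desk-19 198.51.100.7 443 1500",
    "laptop-07 203.0.113.10 8443 52000",
    "desk-12 192.0.2.44 443 700",
]

def parse(line):
    host, ip, port, bytes_out = line.split()
    return host, ip, int(port), int(bytes_out)

def triage(lines, prevalence_threshold=3):
    """Return {ip: (verdict, reason)} for every listed IP seen in the logs.

    escalate:      indicator not marked as shared infrastructure; isolate the
                   host and collect forensics before drawing conclusions.
    review:        shared infrastructure seen from few hosts; examine the traffic.
    likely_benign: shared infrastructure seen broadly across the fleet, which
                   matches ordinary use of a commercial service.
    """
    hosts_per_ip = defaultdict(set)
    for line in lines:
        host, ip, _, _ = parse(line)
        if ip in IOC_LIST:
            hosts_per_ip[ip].add(host)
    verdicts = {}
    for ip, hosts in hosts_per_ip.items():
        entry = IOC_LIST[ip]
        seen = f"seen from {len(hosts)} host(s)"
        if not entry["shared"]:
            verdicts[ip] = ("escalate", f"{entry['note']}; {seen}")
        elif len(hosts) >= prevalence_threshold:
            verdicts[ip] = ("likely_benign", f"{entry['note']}; {seen}")
        else:
            verdicts[ip] = ("review", f"{entry['note']}; {seen}")
    return verdicts

if __name__ == "__main__":
    for ip, (verdict, reason) in triage(SAMPLE_LOGS).items():
        print(f"{ip:15} {verdict:14} {reason}")
```

The prevalence threshold is a tunable assumption; the point is that a match against a shared address is a prompt to look at the traffic, not a finding on its own.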