
Russian government hackers do not appear to have targeted Vermont utility - stablemap
https://www.washingtonpost.com/world/national-security/russian-government-hackers-do-not-appear-to-have-targeted-vermont-utility-say-people-close-to-investigation/2017/01/02/70c25956-d12c-11e6-945a-76f69a399dd5_story.html
======
Animats
What seems to have happened is that some laptop at the utility was compromised
by some basic malware, but that's as far as the attacker got. Apparently the
malware connects to some IP address in Russia. That's all we know for sure.

We can't be sure who the attacker was, or their ultimate goal. It could be a
random event, some piece of automatically distributed malware, or part of a
targeted attack.

This sort of false alarm is normal after an attack. Attention levels go up,
events that look like possible threats are detected and have to be
investigated. Go back and look at the aftermath of 9/11. There were false
alarms for months. Further back, see the Battle of Los Angeles in 1942.[1]

Remain watchful; do not panic.

[1]
[https://en.wikipedia.org/wiki/Battle_of_Los_Angeles](https://en.wikipedia.org/wiki/Battle_of_Los_Angeles)

~~~
alfiedotwtf
Or you know, just plain propaganda.

During the first days of Operation Iraqi Liberation, once embedded
"journalists" were on the ground, chemical weapon sirens would go off daily.
Broadcast around the world were reporters stopping live feeds and quickly
changing into hazmat-like suits...

We now know there were zero chemical weapons, so why so many alarms?

~~~
rtpg
Because it's safer to have a chemical weapons early-warning system that goes
off too often rather than too little?

The cost of a false negative when lives are at stake is worth noisy alarms
(smoke detectors).

~~~
pdkl95
When exceptional signals become normalized from too many false positives,
people start ignoring alarms.

~~~
amirhirsch
In Israel, when we hear the Color Red alarm, some people run outside to watch
Iron Dome shoot down the missile.

~~~
weaksauce
How well does Iron Dome work? I assume it works pretty well if it's a
spectacle.

------
ekianjo
This is several days after the WP shamelessly said that Russian hackers had
attacked a fundamental part of the US's infrastructure, without doing any
research work before publishing their article.

The WP is becoming the voice of the White House.

~~~
myowncrapulence
.. isn't "the voice of the white house" the voice of the nation?

You seem to believe the White House wasn't voted into power and somehow does
not have America's best interest at heart.

Don't forget to remain just as critical when the next president takes office.

~~~
trhway
>.. isn't "the voice of the white house" the voice of the nation?

>You seem to believe the White House wasn't voted into power and somehow does
not have America's best interest at heart.

Your statement sounds just like the propaganda from my childhood in the USSR.
Substituting the voice of the governing body for the voice of the nation has
been a kingpin of every totalitarian state known to date.

------
snksnk
This saga started with "Russian hackers penetrated U.S. electricity grid
through a utility in Vermont, officials say".

Then we got "Russian operation hacked a Vermont utility, showing risk to U.S.
electrical grid security, officials say"

In summary, (i) the U.S. electricity grid was not penetrated, (ii) the malware
can be purchased online by anyone.

The WaPo seems to be more concerned lately with pursuing a certain agenda
instead of quality journalism. Another example is a recent article in which
they give credibility to and rely on an organisation called PropOrNot; this
article even became "one of the most widely circulated political news articles
on social media". [1]

And organisations such as the WaPo are supposed to shield us from fake news
and "fact-check" Trump.

[1] For a good discussion, see:
[https://theintercept.com/2016/11/26/washington-post-disgrace...](https://theintercept.com/2016/11/26/washington-post-disgracefully-promotes-a-mccarthyite-blacklist-from-a-new-hidden-and-very-shady-group/)

~~~
non_repro_blue
A utility worker's laptop suffering an intrusion is something that should be
investigated earlier, rather than later.

I'd rather hear about false alarms, early and often, since I'm not convinced
that critical infrastructure is actually insulated from attack at all.

Electricity and water infrastructure is almost certainly in terrible shape,
based on what we've learned about lead in Flint, Michigan and what's
remembered about the 2003 blackout, and Enron.

Knowing this, and hearing not very much about what's being done to modernize
essential utilities, I'd hate to find out that a massive accident was caused
by someone's idea of modernization being a PHP web app prone to SQL injection
running inside a Docker image, as a Rube Goldberg facade wrapping a galaxy of
SCADA controllers.

This is the kind of thing people should get noisy about, since there's been
pretty much only silence and very little "disruption."

~~~
throwaway7645
A laptop shouldn't be connected in any way to critical infrastructure like
SCADA/EMS/DMS. Only trusted software runs there that is tightly controlled. At
least that is the right design. I'm aware of no utilities that violate this.

~~~
rtpg
Serious question: How can software arrive onto critical infrastructure?

For example, if it's possible to update the software on the infrastructure,
there's going to be a delivery mechanism, right? One could imagine that coming
from some process that is further up the chain until, eventually, you arrive
at infrastructure that would be attached to the laptop.

For example, what if some build server got compromised (assuming that was the
state of the art)? Some software backups, along with some phishing/false alarm
to trigger a rollback?

Having rules like what you're saying is extremely helpful, but I imagine it's
very likely for there to be a path between many devices and the infrastructure,
even if it's several jumps away. The chain of trust is probably very long.

~~~
open_bear
IIRC, uranium enrichment centrifuges in Iran were infected by Stuxnet because
someone brought an infected USB stick, found in the parking lot, into the
facility.

Social engineering is the best way to infiltrate the airgapped infrastructure.

~~~
throwaway7645
I don't think you should be able to plug a thumb drive into critical
infrastructure. I don't disagree that this happened, but modern well-designed
systems shouldn't allow it.

------
woodruffw
I said this when the first article was posted here, and I'll say it again:

 _This is journalistic ethics in action._

Greenwald spoke, you spoke, and The WaPo listened. They've done _exactly what
they should do_ in this situation, and a certain contingent will find fault
regardless.

~~~
belovedeagle
And wouldn't journalistic ethics have not littered this very article with
dozens of references to "Russian hackers" — evidence of whose existence is
still completely absent? Twenty-four hours from now, essentially no one who
has read this article will remember anything but the incessantly repeated
notion that there are dangerous Russian hackers out to compromise US national
security in some way, and that we need to be vigilant.

~~~
woodruffw
Regardless of whether the WaPo operated with a story in mind, they _did_
operate with sources:

> The investigation by officials began Friday, when the Vermont utility
> reported its alert to federal authorities, some of whom told The Washington
> Post that code associated with the Russian hackers had been discovered
> within the system of an unnamed Vermont utility.

> A senior DHS official, speaking on the condition of anonymity to discuss a
> sensitive security matter, defended the report.

> “We know the Russians are a highly capable adversary who conduct technical
> operations in a manner intended to blend into legitimate traffic,” the
> official said. The indicators of compromise contained in the report, he
> said, “are indicative of that. That’s why it’s so important for net
> defenders to leverage the recommended mitigations contained in the [report],
> implement best practices, and analyze their logs for traffic emanating from
> those IPs, because the Russians are going to try and hide evidence of their
> intrusion and presence in the network.”

You may not like the _quality_ or the _presentation_ of the sources as more
weighty than they turned out to be, but they are sources.

~~~
zigzigzag
Yeah, but when the sources are government officials peddling the government
line, in an environment where they have every motive to exaggerate, why would
you assign them any credibility at all?

How has the WaPo not got this message yet? _Government officials talking about
Russia are probably lying_

~~~
rtpg
What's the basis that officials have a "blame Russia" policy? Why does this
seem to be official policy only since this year?

It's not like anti-Russian saber rattling was a thing even 12 months ago,
despite the Ukraine situation.

The DNC hacks are a thing that happened, and a lot of people outside the
government seem to agree that evidence points to it happening from Russia, by
actors who seem to have worked with the Russian government.

If you accept the DNC hack analysis, it's not absurd to imagine that closer
scrutiny reveals more infrastructure that Russian state actors have
penetrated. Especially given that we know infrastructure is more vulnerable
than we might like.

Considering that Republicans are not peddling the anti-Russia line, what's the
angle here? In the last 6 months of an 8-year term, Obama decides to activate
the anti-Russian propaganda machine? Only for it to be dismantled in 2 weeks
anyway with the new administration? What sequence of events causes that?

~~~
angry-hacker
These attacks were classic script kiddie attacks.

Hillary losing elections triggered that. Warlord as Putin is, you can't
blindly blame everyone else for your faults.

~~~
rtpg
ThreatConnect did a decent amount of research into the attacks[0] to try
to figure out who did them. There are other security researchers out
there who come to similar conclusions.

So either the government is bribing a bunch of security researchers (who
doesn't want the scoop that the consensus is wrong?), the government executed
a perfect false flag to blame Russia on something (why do this? It's not like
having Russia as an enemy is useful for us), the analyses by these researchers
are right, or something else.

My money is on a decent amount of smart people all arriving somewhere near the
truth.

[0]: [https://www.threatconnect.com/blog/guccifer-2-0-dnc-breach/](https://www.threatconnect.com/blog/guccifer-2-0-dnc-breach/)

------
smitherfield
Note that other media outlets still are running with this story, e.g. an
uncorrected version remains in the BBC News US/Canada "top headlines":
[http://www.bbc.com/news/world-us-canada-38479179](http://www.bbc.com/news/world-us-canada-38479179)

------
EJTH
But the media told me it was the Russians! Surely well-established media
cannot be sending out fake news deliberately!?

~~~
_fizz_buzz_
It's also the established media that tells you that it wasn't Russian hackers
now. So, what's your point?

~~~
angry-hacker
That all media is bullshit and the whole fake news fiasco is hypocritical. No
one fact-checks or does real investigative journalism. WaPo might as well call
themselves into wars or whatever that crap is called. At least the latter,
delusional as they might be, believe they make the world a better place instead
of knowingly working for the great propaganda machine.

~~~
pmyteh
Obviously false. There is an explosion of fact checkers and still plenty of
investigative journalism teams.

If you mean 'not every story is fully fact-checked and the product of
investigative journalism', then sure. But then, they never have been. That's
the nature of a news industry that tries to fill a paper by print time every
day (or, in modern terms, to get their stories out a minute before the
competition online).

~~~
jerf
Then those "fact checkers" and "investigative journalism teams" obviously
aren't doing much good, if they weren't deployed for what was obviously going
to be an explosive article. If the fact checkers couldn't be deployed for this
story, they obviously are stretched to near-nonexistence.

I really don't envy you right now, trying so vigorously to defend something
that has long since become so obviously indefensible. Sure, it _could_ be the
case that the media is really, really careful all the time, exercising their
nigh-superhuman judgment with fairness and care, but this one story just
happened to slip through. But it is a far more parsimonious explanation that
the story flattered their biases and they shipped it without so much as a
tenth of the examination they'd give a story that doesn't flatter their
biases. The "this was an exception to their otherwise phenomenal care!" excuse
wears quite thin when you have to deploy it several times _every day_.

This story isn't an exception. The exceptional thing about it is that they got
nailed so hard on it they were forced to retract, not that they had stuff to
be retracted.

~~~
pmyteh
I'm not defending the story at all. It ran on the word of two insiders, one of
them anonymous. It turned out to be wrong. No shock there. And news production
is in no way associated with exceptional care - and never has been. It's
associated with rushing copy out for tight deadlines.

There are lots of problems with the way news is made. But in this case, what
was actually reported ('officials say Russia implicated') is _true_. What
seems to be false is that the officials' claims had any merit. Newsroom
incentives are to get breaking news out. That's one reason a lot of stuff in
the papers is wrong.

Incidentally, investigative journalists don't do breaking news - they run long
term investigations, which are usually published as such. They're massively
important, but not a panacea for poor news coverage.

------
droithomme
The current title of this article is just as absurd as the original.

Why have an article saying that something else with no evidence "did not
appear" to have happened. Why not title it "Mole people do not appear to have
targeted Vermont utility" or "Reptilian overlords do not appear to have
targeted Vermont utility".

------
jister
Trump won, that's why the media and the Liberals keep pointing their fingers at
Russia. It's mind conditioning and they will continue to do so until people in
the US believe all the lies. It's a tactic out of desperation.

We are currently experiencing that too in the Philippines. We know how the
media and paid journalists are twisting the truth to mind-conditioned people.
We experience this everyday.

~~~
heartbreak
I'm having a hard time researching the concept of "mind conditioning." Is this
a real thing or conspiracy nonsense?

~~~
dmichulke
This is to distinguish it from the somewhat higher hair conditioning (just a
few centimeters though).

Jokes aside, I believe GP is referring to

[https://en.wikipedia.org/wiki/Classical_conditioning](https://en.wikipedia.org/wiki/Classical_conditioning)

[https://en.wikipedia.org/wiki/Operant_conditioning](https://en.wikipedia.org/wiki/Operant_conditioning)

------
openasocket
People seem to be very upset at both WaPo and the US government, more than a
few calling this "propaganda." However, it should be noted that it wasn't the
government that said this was Grizzly Steppe, it was the utility company
(Burlington Electric). It wasn't the government making exaggerated statements
to the press, it was this private company. I think this is more likely a case
of someone handling security for this company over-reacting after hearing
about the Russian hacks of the DNC than overt propaganda.

~~~
cnnsucks
>> after hearing about the Russian hacks of the DNC

Fictions built upon fictions. Assange has stated again in another interview,
airing tonight, that it wasn't Russia. It wasn't any 'state' actor.

    "Yes. We can say, we have said, repeatedly that over the last two months
     that our source is not the Russian government and it is not a state party."

The same people that took the fantastic and easily debunked claims of a power
company and amplified it into a diplomatic dispute with Russia will not
emphasize this; if they can't somehow discredit it then they'll bury it.

~~~
pjc50
He's _stated_ that, but why should we believe him and not believe all the
various people who have said the opposite?

Russian intelligence are presumably quite capable of laundering it through an
intermediary, which would make his statement literally true but misleading.

~~~
alyx
Because unlike the US government, WikiLeaks has a more accurate/transparent
track record?

~~~
skybrian
That argument only works if you trust WikiLeaks and a lot of people don't.

~~~
zeroer
When reasoning with incomplete information, things like history of credibility
have to be taken into account. US Intelligence services have been caught in
lie after lie. Wikileaks has never been caught lying.

Trust is not binary. You don't have to "trust" WikiLeaks to wonder if there's
something sketchy going on.

~~~
skybrian
Since I don't trust anyone on this issue, my only conclusion is that I don't
know what's going on here, and I'm not going to pretend to be an instant
expert.

(In particular, I don't trust Wikileaks to know whether they are being played
or not. Attribution seems difficult.)

~~~
zeroer
It's by design that you don't know what's going on here.

~~~
skybrian
Yes, that's how it works. It's still the right conclusion, particularly when
you're not paying close attention.

------
dang
Discussed at
[https://news.ycombinator.com/item?id=13292607](https://news.ycombinator.com/item?id=13292607),
but this article appears to add new information, so probably doesn't count as
a dupe.

------
zigzigzag
So is Facebook going to retroactively mark the original article as 'fake news'
now?

------
badcede
This is a pretty good critique of how the 'story' developed:
[http://www.forbes.com/sites/kalevleetaru/2017/01/01/fake-new...](http://www.forbes.com/sites/kalevleetaru/2017/01/01/fake-news-and-how-the-washington-post-rewrote-its-story-on-russian-hacking-of-the-power-grid/).
It's Forbes, though, so expect annoyance and don't dare read it with an
adblocker.

------
dovdovdov
But, but that Fallout screenshot on CNN was so convincing. :/

~~~
workerIbe
Careful using text-mode in public! [http://kotaku.com/cnn-shows-fallout-hacking-terminal-in-a-vi...](http://kotaku.com/cnn-shows-fallout-hacking-terminal-in-a-video-about-rus-1790693451)

------
mladenkovacevic
Has mainstream media devoted so much attention to analyzing and reporting on
fake news that they were unwittingly seduced into producing their own? Those
dastardly Russians, this must've been their evil scheme all along to besmirch
the reputation of our fine journalistic institutions.

------
wyclif
WaPo peddles fake news, and this is how the sausage is made and "fact
checked": publish first based on "trusted" gov't sources, then re-write the
story bit by bit instead of developing and publishing real news:
[http://www.forbes.com/sites/kalevleetaru/2017/01/02/how-the-...](http://www.forbes.com/sites/kalevleetaru/2017/01/02/how-the-washington-posts-defense-of-its-russian-hacking-story-unraveled-through-web-archiving/)

------
sschueller
Regardless of whether this was propaganda or just bad journalism, Reuters should
remove the Washington Post from their list of trusted sources.

Hundreds of papers around the world printed this and the correction will not
be.

~~~
grzm
_Reuters should remove the Washington Post from their list of trusted
sources._

Can you elaborate on this? I understand that Reuters (like other news
agencies) uses its own journalists. Am I misunderstanding what you mean?

~~~
sschueller
From what I understand, The Washington Post is a third-party content provider
for Reuters. The articles that are submitted to Reuters most likely do not get
verified a second time by Reuters journalists, as they trust that WaPo already
did that.

~~~
grzm
Interesting. Do you have a reference for this? I did an admittedly cursory
search before posting my initial comment, and didn't find any.

~~~
sschueller
The Washington Post is listed here as a third-party source [1]

[1]
[http://financial.thomsonreuters.com/content/dam/openweb/docu...](http://financial.thomsonreuters.com/content/dam/openweb/documents/pdf/financial/thomson-reuters-news-and-third-party-news.pdf)

~~~
grzm
Thanks for the extra legwork! I wonder if this extends beyond their
financial wire service, though I don't see why it wouldn't necessarily. I'd
also like to know more about how third-party sources are vetted.

------
andrewclunn
Yet the retraction made earlier was flagged. Moderation on Hacker News, gotta
love it. Now quick, downvote me!

~~~
grzm
The mods are pretty open and comment when they take action. Flagging is nearly
always a user action. Was it otherwise for the submission you refer to? Do you
mean something else by "Moderation on Hacker News"?

~~~
andrewclunn
Thanks for the information. I guess my complaints are regarding the users
rather than the moderation then. I did not realize that users had that much
power.

------
shitgoose
WP is slipping. As we all know, a lie should be big and repeated often enough
so people will believe it. Going back and forth destroys the narrative.

