Hacking Too Close to Home: Why the Vermont Electric Grid “Laptop” Malware Matters

Logo of Burlington Electric Company

The recent political furor over state sponsored hacking took an ugly and dangerous turn, on the morning of December 30th when a tiny Vermont electric utility reported that Grizzly Steppe – the spear-fishing process used to access DNC emails – had been found on one of their systems.

Vermont Governor, Peter Shumlin issued a statement accusing Vladimir Putin of attempting to hack Vermont’s electrical grid, and many others follow suit.

And there appears to be a good chance that the malicious code found on a Burlington Electric laptop is evidence of a state sponsored cyberattack.

More Fake News?

Following the initial news cycle, some pundits dismissed the finding as a non-story. It’s true, the laptop was “not connected to the power grid systems”, and there is no proof yet that the Russians were involved. It’s also true that the Russian built Grizzly Steppe hacking code is widely available on the dark internet, and anyone could have put it on that laptop.

But those truths are irrelevant.

Finding any evidence of cyber hacking anywhere near the systems running our nation’s critical infrastructure is a major event, and one that we must take very seriously. Here's why.

The Chilling Truth

In 2015, Lloyd’s and the Cambridge Centre for Risk Studies ran a hypothetical disaster scenario of an electricity blackout covering 15 northeastern U.S. states and discovered such a cyberattack would create an increase in mortality, disruption of water, and transportation chaos, totalling over $1 trillion in damages.

As perhaps a very chilling precursor to the Vermont report of malware, the Lloyds scenario supposes a piece of malware is injected into a number of electrical plant control rooms through “identification and targeting of laptops and other personal electronic devices used by key personnel with routine access to multiple power plants.” The malware lies dormant, phoning home occasionally to pass data its creators, until it is activated months or years later on a single day when it destroys 50 generators in rapid succession plunging over 15 million citizens into darkness.

In June 2016, malware dubbed SFG was used to attack a European energy company. SFG uses extremely sophisticated code that targeted specific users with the intent of shutting down the energy grid. The SFG code, which is believed to have originated in Eastern Europe, exhibits behavior seen in other state sponsored cyber-attack root kits. The software is distributed initially through weaponized versions of familiar files, and is designed to bypass traditional anti-virus tools, next-generation firewalls, and even has the prescience to destroy itself if it detects it is being observed.

Attacks on Industrial Control Systems are on the Rise

If the intrusion in Vermont is determined to be a state sponsored attack, it won’t be the first-time foreign governments have attempted to commandeer U.S. critical infrastructure. In 2013, a dam in Rye Brook, NY was compromised by Iranian hackers. Kept secret for several years, the attack was reported by the U.S. Justice Department in March 2016.

And, it certainly won’t be the last. In fact, according to a report by IBM Managed Security Services, cyberattacks on Industrial Control Systems increased 110% in 2016.

Chart from IBM showing increase in ICS attacks over timeSource: IBM                                                                

As widely reported, the electrical grid in the Ukraine was hacked in December 2015, creating power outages for more than a quarter million citizens. According to Ukrainian energy provider Ukrenergo, a second major outage on December 17, 2016, may have been caused by a similar cyber-attack.

Long, Low, and Slow

Here’s the critical point. Attacks on critical infrastructure typically require a long, slow, low-profile campaign, beginning with subtle, difficult to detect maneuvers, like slipping malware on laptop computers.

Two years prior to the first Ukraine incident, hackers began attempting to acquire legitimate login credentials by hacking non-operational systems at Ukrainian utilities – systems very much like Burlington Electric’s laptop. According to a Booz Allen analysis, spear-phishing emails containing weaponized Microsoft Word, Excel, and PowerPoint files, exactly the type of files typically found on laptop computers, were sent to Ukraine electric utility employees as early as May 2014.

Once legitimate login credentials were discovered through these seemingly minor attacks on non-operational systems, the hackers used them to access critical Industrial Control Systems (ICS) in order to shutoff breakers, shutdown uninterrupted power supplies (UPS), destroy Human Machine Interface (HMI) systems, and destroy Serial-to-Ethernet devices at substations.

On November 25th, Ed Amoroso, the retired Chief Security Officer of AT&T, posted a plea to incoming President Elect Trump. He stated, “I believe that recent advances in offensive capability make it inevitable that significant, large-scale cyber-attacks will be launched against our critical infrastructure during your time in office. These attacks will shift from the theft of intellectual property to destructive attacks aimed at disrupting our ability to live as free American citizens.”

Turns out Ed didn’t have to wait long for confirmation of his concerns.

So, yes, discovering Russian built cyber-hacking tools on one isolated laptop at a small electric utility in Burlington, Vermont is a big deal. A very big deal.

To learn more about how Bayshore can help protect critical infrastructure please click here www.bayshorenetworks.com/contact

Speak with one of our experts.