The Burlington Electric Department discovered suspected Russian malware code on one of its laptops Friday, the municipal utility confirmed late that night.
According to BED spokesman Mike Kanarick, the code is associated with a Russian hacking campaign known by the federal government as Grizzly Steppe. Kanarick said in a written statement Friday that the laptop was “not connected to our organization’s grid systems.”
“We took immediate action to isolate the laptop and alerted federal officials of this finding,” he said. “Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems.”
BED issued a second statement Saturday afternoon saying that there was “no indication that either our electric grid or customer information has been compromised.” It said that similar malware had been discovered elsewhere in the country and was “not unique to Burlington Electric.”
“Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false,” the utility said in the second statement.
BED first disclosed the breach shortly after the Washington Post reported late Friday that an unnamed Vermont utility had discovered malware in its systems. That report, which was later updated to identify BED, was sourced to unnamed federal officials.
File: Matthew Thorsen
Burlington Electric Department general manager Neale Lunderville
In the Saturday statement, BED appeared to slam the Washington Post and its sources for spreading what it called erroneous information.
“It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country,” the utility said.
The code was discovered after the Department of Homeland Security ordered the nation’s utilities late Thursday to scan their systems for traces of the Grizzly Steppe campaign. Green Mountain Power, Vermont’s largest electrical utility, conducted a similar scan and “found no security concerns,” spokeswoman Kristin Carlson said in a statement.
In interviews with multiple media outlets, Vermont Department of Public Service Commissioner Chris Recchia downplayed the immediate impact of the breach, but the state’s political leadership seized on the report to assail Russian President Vladimir Putin.
“Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality of life, economy, health and safety,” Gov. Peter Shumlin said in a statement late Friday night.
Shumlin called on the federal government to “conduct a full and complete investigation” in order to “put an end to this sort of meddling.”
The incident came during a period of heightened tension between the United States and Russia. On Thursday, the U.S. expelled 35 Russian officials from the country in retaliation for alleged Russian interference in November’s presidential election.
In his own statement, Sen. Patrick Leahy (D-Vt.) called “state-sponsored Russian hacking” a “serious threat” — and the BED incident “the latest example.”
“This is beyond hackers having electronic joy rides — this is now about trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter,” Leahy said. “That is a direct threat to Vermont and we do not take it lightly.”
Said Congressman Peter Welch (D-Vt.), “This attack shows how rampant Russian hacking is. It’s systemic, relentless, predatory. They will hack everywhere, even Vermont, in pursuit of opportunities to disrupt our country.”