The Hackers Are Coming! Burlington Electric’s Crisis That Wasn’t | Off Message

The Hackers Are Coming! Burlington Electric’s Crisis That Wasn’t


Neale Lunderville - FILE: MATTHEW THORSEN
  • File: Matthew Thorsen
  • Neale Lunderville
Burlington Electric Department communications director Mike Kanarick said he didn’t notice the first time his cellphone buzzed just after 8 p.m. on December 30. Or the second time. It was a Friday night after all, and Kanarick’s house was crowded with 25 guests celebrating Hanukkah with a healthy offering of potato latkes and Heady Topper.

It wasn’t until after 8:20 p.m. that Kanarick heard about a Washington Post report, posted 25 minutes earlier, that suggested that the municipal utility had been hacked by Russians. By then the news had already gone viral; Kanarick’s work phone was inundated with calls from unfamiliar numbers. He called back one he recognized: BED general manager Neale Lunderville’s.

Lunderville had gotten wind of the story around 8:15 p.m. He and his wife were at dinner at a friend’s house when Green Mountain Power spokesperson Kristin Carlson called to ask: “Has your electric grid been hacked?”
The Washington Post, Carlson told him, had posted a story citing an anonymous 
Mike Kanarick - COURTESY OF BED
  • Courtesy of BED
  • Mike Kanarick
federal official that was headlined: “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.”

“While it is unclear which utility reported the incident, there are just two major utilities in Vermont, Green Mountain Power and Burlington Electric,” the original report read.

Lunderville said he was bewildered: “I’m like ‘What? What are you talking about?’” he said. It took about seven minutes, he said, for him and his wife to slip on their shoes and drive the mile to the BED offices on Pine Street.

By then, Lunderville had put two and two together. The previous day, the Department of Homeland Security had issued an alert to BED and 3,300 other U.S. utilities to scan for code associated with the Grizzly Steppe cyber campaign.

It was a routine scan, Lunderville said. But a red flag went up when one employee checked a Yahoo email account and the scan found interaction with one of the flagged IP addresses. BED promptly isolated the laptop from the network, shut it down and notified the U.S. Department of Energy. It was the first time in his tenure, Lunderville said, that such a scan had resulted in any cause for concern.

That was the news that had been leaked — inaccurately, as it turned out. But the story exploded. That night, Kanarick and Lunderville could hardly communicate because of the number of calls. In the midst of the party, Kanarick retreated to the porch to respond to the onslaught.

“It was extraordinarily intense,” Lunderville said.

Lunderville spoke with power systems coordinators while his wife, Dennise Casey, who runs a communication company, drafted a press release. The crux of the message? The grid was not in danger.

BED community program coordinator Destenie Vital crafted messages on Facebook and Twitter and the group launched the press release and a coordinated social media response at 9:27 p.m.

“We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems,” the release read. “Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems.”

In those two hours following the 7:55 p.m. Post article, several paragraphs were added to the original story, according to an analysis from Forbes. But the Post didn’t add material from BED’s release until about 10:30 p.m.

Meanwhile, state officials were scrambling for answers. An administrative rep participated in a conference call with the FBI, according to records that Seven Days obtained. By 10:44 p.m., then-governor Peter Shumlin had released a statement calling Russian President Vladimir Putin “one of the world’s leading thugs.”

Department of Public Service Commissioner Chris Recchia initially commented to the press, downplaying the story, but the administration warned him to stop talking, according to records. Recchia later apologized to Shumlin spokesman Scott Coriell and Keith Flynn, Shumlin’s public safety commissioner.

In Burlington, Lunderville and Kanarick continued their efforts to quell the storm until 12:30 a.m. on December 31.

Later that morning, on New Year’s Eve, Lunderville was back at work by 7:30 a.m. He had a phone call with “federal officials” — he declined to be specific — as well as two conference calls with representatives of state and regional utilities. Kanarick skipped a family ski date to come into the office. Vital, IT director Sue Fritz and customer care staffer Andi Higbee joined them to review the company’s technology systems and speak with customers.

That morning, BED called in Jon Rajewski, director of the Senator Patrick Leahy Center for Digital Investigation at Champlain College, to consult on the issue.

The press calls kept coming. Saturday afternoon, Kanarick released a statement that seemed to target the Post and its sources. “It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country,” it read.

BED’s efforts to clear the air continued. In the coming week, Lunderville granted roughly 50 interviews, Kanarick estimated. Among the news outlets: Forbes, CBS, NBC, the Associated Press, the Wall Street Journal and Fortune. Requests for interviews were only just winding down, Kanarick said Thursday.

BED employees have been debriefing over their procedures, Lunderville said, and in spite of the media frenzy, their response has gone according to plan. “Nothing with cybersecurity is routine, but we were doing it according to the playbook,” he said.

Rajewski said he will be looking at the laptop and “other data sources” in an investigation that will last at least a few more weeks. Neither BED nor even the electric industry appear to have been targeted, he said. “It’s hard to say yet with any degree of certainty if the Grizzly Steppe malware was involved,” he wrote in an email to Seven Days.

Rajewski also noted that he had received “at least three” calls from other entities in Vermont concerned that they had been affected by the same code that the feds were flagging.

Phil Susmann, president of Norwich University Applied Research Institutes, didn’t fault Burlington Electric for any lack of security or issues of protocol.

“At a high level, they followed a very good instant response plan,” he said, noting the rapid response and subsequent public relations campaign. But, Susmann added, referring to the suspect laptop, “No one should be using a Yahoo email account … That’s an awareness issue.”