Alleged Russian operation has compromised a laptop at a Vermont utility

Pierluigi Paganini December 31, 2016

The code associated with Russian hacking operation dubbed Grizzly Steppe by the Obama administration infected a laptop at a Vermont utility.

Russian hackers are again in the headlines because according to US officials, they hacked a Vermont utility, raising concerns about the security of the electrical grid of the country.

Researchers discovered on a laptop a malware associated with operations of Russian hackers, the experts linked it with an outdated Ukrainian hacking tool.

The malware was discovered thanks to the sharing of information contained in the Grizzly Steppe JAR about Russian malicious cyber activities.

DHS and FBI along with the report released a sample of the malware code allegedly used in the Grizzly Steppe operation. The code was shared with executives from multiple industries in the US allowing the experts at Burlington Electric in Vermont to discover the intrusion.

“A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials.” states the report published by the Washington Post.

“Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.”

The malicious code was spotted during a scan of a company laptop that was anyway not connected to the grid. The authorities immediately adopted the necessary measures to contain the threat.

“We took immediate action to isolate the laptop and alerted federal officials of this finding. Our team is working with federal officials to trace this malware and prevent any other attempts to infiltrate utility systems. We have briefed state officials and will support the investigation fully,” the statement said.

This means that fortunately, at least in this specific case, did not penetrate the US grid.

“Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health, and safety,” explained the Vermont Governor Peter Shumlin.

“This episode should highlight the urgent need for our federal government to vigorously pursue and put an end to this sort of Russian meddling,” he said.

Security experts at the security firm Wordfence published an interesting report in which they analyzed the PHP malware sample and the IP addresses that the US government has provided as proof the involvement of Russian hackers in the attacks against the Presidential Election.

“As an interesting side-project, we performed analysis on the PHP malware sample and the IP addresses that the US government has provided as “…technical details regarding the tools and infrastructure used by Russian civilian and military intelligence services (RIS)”. [Source]” states the report published by WordFence.

“We used the PHP malware indicator of compromise (IOC) that DHS provided to analyze the attack data that we aggregate to try to find the full malware sample. We discovered that attackers use it to try to infect WordPress websites. We found it in the attacks that we block.”

Experts from Wordfence traced the malware code to a tool available online, dubbed P.A.S., that claims to be “made in Ukraine.”

The FBI/DHS JAR refers the version 3.1.7, while the most current version it the 4.1.1b.

“One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources,” the report says.

The report published by WordFence includes the list of IP addresses that “don’t appear to provide any association with Russia” and “are probably used by a wide range of other malicious actors.”

15% of IP addresses are associated with Tor exit nodes.

“The malware sample is old, widely used and appears to be Ukrainian. It has no apparent relationship with Russian intelligence and it would be an indicator of compromise for any website.” reads the report from WordFence.

The rest of the story is known, the Obama administration accused the Russian government of interference in internal affairs and ejected 35 Russian diplomats and blocking access to two leisure compounds used by Russian Foreign Ministry personnel.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Vermont utility, APT28)

you might also like

leave a comment