What the Washington Post’s Hacked Electrical Grid Report Got Wrong
A Washington Post report on Friday said that Russian hackers had breached the nation’s power grid via a utility in Vermont, citing unnamed U.S. officials. Almost immediately, digital security experts panned the story, criticizing it as prematurely alarmist and lacking key details.
The supposed discovery linked “code” found on the utility’s computer network to Russian election meddlers, who were widely believed to be Kremlin-sponsored and associated with state security and intelligence agencies such as the FSB and GRU. The finding came a day after the government published an intelligence report, criticized by many as overly broad, claiming to contain evidence of a Moscow-backed election interference campaign dubbed “Grizzly Steppe.”
Soon after the initial Post story appeared, Burlington Electric came forward as the reportedly hacked organization. The municipally-owned utility clarified that it had “detected the malware” on a single laptop, separate from its grid systems.
In other words, the main premise of the Post story—indeed, its headline—turned out to be incorrect. The breach involved a solitary laptop and no penetration of the grid, the Post said in an editor’s note appended Saturday.
A day later, Burlington Electric revealed more information about the incident, debunking the suspicions. The code presumably associated with the Russian hacking operation turned out to be nothing more than a “specific type of Internet traffic” that had “been observed elsewhere in the country and is not unique to Burlington Electric,” the utility said in a second press release.
The “code” in question was not a malicious software program, as some people suspected, but rather a network connection to an Internet address that appeared on a watch list.
In a follow-up story published Monday evening, a different set of Post reporters—citing more unnamed officials—revealed that a security alert at Burlington Electric had tripped when an employee accessed a Yahoo (YHOO) email account. The alerts had been put in place after the Department of Homeland Security issued an industry-wide warning to the nation’s utilities, pointing to certain IP addresses contained in its “Grizzly Steppe” report, jointly produced with the Federal Bureau of Investigation.
The second Post story also reported that investigators later discovered malicious software on the Burlington Electric employee’s laptop. This was Neutrino, a widespread malware program typically delivered through online advertising networks, and likely unrelated to the Russian campaign “Grizzly Steppe.”
Before the investigators who were responding to Burlington Electric’s findings could suss out what really happened within the utility’s computer network, U.S. officials had apparently tipped the Post to an incomplete version of the news. It’s unclear whether the U.S. officials relayed inaccurate information, whether the reporters made false assumptions, or a combination. Then, the report spread like a computer worm.
The dubious attribution to Russian hackers in the Burlington Electric incident—specifically, to Russian hackers associated with U.S. election mischief—arose because the utility had detected Internet connections to IP addresses listed in the government’s “Grizzly Steppe” report, even though that list contained a range of addresses not exclusive to the hacking campaign. Indeed, a significant chunk of the IP addresses in the joint report mapped to ordinary proxy servers that privacy advocates, digital attackers, and others use to mask their tracks, as analyses of the set have shown.
Cybersecurity experts who had pored over the White House-mandated “Grizzly Steppe” report, expecting to find revelations about the tactics of Russian election hackers, were disappointed to discover that the paper contained little actionable information. For security teams looking to find and block Russian malware, the data was “nearly useless,” as one expert, Robert Lee, founder of Dragos Security, put it in a widely read critique.
Poor threat intelligence of this sort can be a costly distraction for resource-strapped security teams.
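The failure mode described above, an alert rule that fires on any connection to an address from a bare IP list, is easy to reproduce. The following is an added illustration, not code from the article, from Burlington Electric, or from the DHS/FBI report; every address, flow record and indicator tag in it is constructed (RFC 5737 documentation ranges and private space) and none is taken from the “Grizzly Steppe” list. It compares the naive rule with one that scores each hit using the context a usable feed would carry (is the address shared infrastructure such as a Tor exit or proxy? does the observed traffic have a benign explanation such as webmail?):

```python
"""Matching network flows against an IP indicator list: a bare list vs. one with context.

Added illustration; this is not code from the article, Burlington Electric, DHS/FBI or
the Post. Every address, log line and indicator tag below is constructed (RFC 5737
documentation ranges and private space) and is not taken from the Grizzly Steppe report.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed indicator feed. A feed that is only a list of addresses looks like the
# untagged entry; the tags show the context a usable feed would have to carry.
INDICATORS = [
    ("198.51.100.7", {"tor-exit"}),      # exit node shared by many unrelated users
    ("203.0.113.0/24", set()),           # untagged range, as in a bare IP list
    ("192.0.2.44", {"dedicated-c2"}),    # single-purpose address, nothing benign lives there
]

# Constructed flow records: "timestamp src dst dport app-label".
FLOW_LOG = [
    "2016-12-30T10:15:02 10.1.1.23 203.0.113.15 443 webmail",
    "2016-12-30T10:16:40 10.1.1.23 198.51.100.7 443 https-browsing",
    "2016-12-30T10:20:11 10.1.1.23 192.0.2.44 8443 unknown",
    "2016-12-30T10:21:00 10.1.1.23 10.1.1.53 53 dns",
]

# Indicator tags meaning "many unrelated parties use this address", so a match on its
# own says little about who was on the other end.
SHARED_INFRA_TAGS = {"tor-exit", "shared-proxy", "vpn-exit", "cdn"}
BENIGN_APPS = {"webmail", "https-browsing"}


@dataclass
class Alert:
    flow: dict
    indicator: str
    fidelity: str   # "high" or "low"
    reason: str


def parse_flow(line):
    """Split one constructed flow record into a dict."""
    ts, src, dst, dport, app = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "app": app}


def match_indicator(dst, indicators=INDICATORS):
    """Return (value, tags) of the first indicator whose address or CIDR contains dst, else None."""
    addr = ipaddress.ip_address(dst)
    for value, tags in indicators:
        if addr in ipaddress.ip_network(value, strict=False):
            return value, tags
    return None


def naive_triage(flow_lines, indicators=INDICATORS):
    """What a plain 'alert on any listed IP' rule does: every hit is treated the same."""
    return [f for f in map(parse_flow, flow_lines) if match_indicator(f["dst"], indicators)]


def score(flow, tags):
    """Rate a hit using indicator context plus what the endpoint was actually doing."""
    shared = tags & SHARED_INFRA_TAGS
    if shared:
        return "low", "destination is shared infrastructure: " + ", ".join(sorted(shared))
    if flow["app"] in BENIGN_APPS and flow["dport"] == 443:
        return "low", "ordinary user web or mail traffic to a listed address"
    return "high", "dedicated indicator, no benign explanation for the connection"


def contextual_triage(flow_lines, indicators=INDICATORS):
    """Same matching as naive_triage, but each hit is scored before it becomes an alert."""
    alerts = []
    for flow in map(parse_flow, flow_lines):
        hit = match_indicator(flow["dst"], indicators)
        if hit:
            value, tags = hit
            fidelity, reason = score(flow, tags)
            alerts.append(Alert(flow, value, fidelity, reason))
    return alerts


def summarize(alerts):
    """Count alerts by fidelity, e.g. {'low': 2, 'high': 1}."""
    return dict(Counter(a.fidelity for a in alerts))


if __name__ == "__main__":
    print("naive rule fires on", len(naive_triage(FLOW_LOG)), "flows, all at equal weight")
    for a in contextual_triage(FLOW_LOG):
        print(f"{a.fidelity:4} {a.flow['dst']:>15} ({a.indicator}): {a.reason}")
```

On the constructed log the naive rule raises three indistinguishable alerts, including the webmail session and the connection to a shared exit node; the contextual pass leaves only the dedicated-infrastructure hit at high fidelity. The point is not the specific tags, which are hypothetical, but that an indicator list with no context cannot be turned into a useful detection by the recipient.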
Burlington Electric, for its part, lamented the leaky lips of federal investigators when the organization was just trying to follow proper protocols in reporting the potential threat. “It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country,” said Mike Kanarick, communications director for the utility, in a statement.
“Media reports stating that Burlington Electric was hacked or that the electric grid was breached are false,” he added.
Quite a ruckus for a false alarm.