Nice article!
And the time it gets posted is well timed too! Just 11 hours after the other article relevant to that...
Nick Lawler, general manager of the Littleton Electric Light and Water Departments (LELWD), was at home one Friday when he got a call from the FBI alerting him that the public power utility's network had been compromised. The digital intruders turned out to be Volt Typhoon. Lawler didn't believe it at first. LELWD provides …
Indeed, a good article.
Also, you couldn't make up some of the catastrophic choices being made in the US at the moment.
It's almost like opening the doors and leaving the lights on when you go on holiday.
At a time of heightened cyber activity, you don't slash and burn your capabilities.... surely?
No, we are only at war with China, we have always been at war with China.
Russia never hacks us, Russia are our friends, Russia has always been our friends
First by Lawler's initial response - it really did sound like a scam, so good job not providing personal info or clicking a link sent via a text.
But even more impressed by the FBI's response - actually showing up in person (ok, they sent Homeland Security) instead of shrugging and saying "well, we tried to warn them".
Then following through, including running a penetration test to make sure all the vulnerabilities were closed.
Great job all around! (Except for Volt Typhoon, which should probably be renamed to Sewer Drinker or something similarly awful.)
I feel like the FBI's actions were terrible, and the employee's response (f-off, asshole!) was completely justified. I probably would have been just as cold but less insulting, told them what I think about the method (in straightforward, honest terms), and hung up -- without calling the FBI office.
What kind of ass asks for *personal* contact information for company business?
Send a letter, if it simply can't be communicated through that network. Next-day if needed. Have them call you back at the FBI HQ and discuss steps to do next. There are better ways of doing *anything* than cold-calling someone, saying you're the FBI, and asking for their personal information. Fuck that, *especially* if you really are the FBI.
"We don't have any access to large critical infrastructure."
Sure, an electric company wouldn't have a database of customers' information including those silly enough to sign up for auto-pay. Electric usage has been strongly correlated to wealth on a country level and I imagine that the premise translates, relatively, to the local level as well. A household in an area of higher than average property prices that uses lots of electricity on a regular basis is going to be better off. Name, address, estimated income/wealth, credit card number, tax ID, phone number (as good as a national ID) and the power company's records become very useful.
I like spy novels and they often go into how the protagonist is able to pull the information they need out of random data that they can get access to. This makes me very careful about the information I give out about myself. I don't think I have anything important to hide, but maybe I win the lottery this week. Maybe the Man is hunting for another spy and there's enough hits about me that I become a suspect and wind up collected and taken downtown to sit under a naked light bulb answering nonsensical (to me) questions for hours. Better to be a Blank.
China has already managed to do some very strange things to their infrastructure.
"We don't have any access to large critical infrastructure. We don't own transmission. We're a distribution company. Yes, we're part of the overall grid, but the impact of taking out Littleton is small. You would never think that would be a target of any type of attack," Lawler told The Register.
You know, unless you had heard about L0pht's testimony to the US Congress in...1998?
Okay, so it's not the job of the GM to be a cybersecurity expert. But you are designated as critical infrastructure. Somebody in the US government that you support so much thinks you matter. You have to wait for a personal contact that you done f***ed up to believe it?
Okay, so I can appreciate, very much, this part "It sounded like one of those Microsoft scams," Lawler said. He told the agent: "Go f-yourself, I'm not going to click on a link, you must think I'm an idiot. What is your name again?" Personally, as this was from the FBI, I would have gone with, "You ever hear of Frank Abernathy? I'm doing what he told me in this situation." And hung up. Yeah, you call the FBI up after that, since you are the GM of designated national critical infrastructure. Otherwise??? Yeah, that's a seriously unprofessional contact.
... probably could have thought through their approach a bit more. Like request that the person contacted should forward the information to their IT team or consult with a security expert.
But then that's not just the FBI. I had my credit card company ask me to call them back at a number I didn't recognize. About some questionable charges. No way I'm calling that. But I did contact them on the customer service number on the back of the card. After getting the charge problem handled, I made a suggestion that they never request customers contact them through unknown numbers. It instills bad habits. And I don't really mind being forwarded by the primary service contact to the proper department.