The Washington Post wrote a fake story about Russia having hacked the American power grid. The Post changed it story several times, but the article still included incorrect information and a misleading headline.
On Friday the Washington Post sparked a wave of fear when it ran the breathless headline “Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say.” The lead sentence offered “A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials” and continued “While the Russians did not actively use the code to disrupt operations of the utility, according to officials who spoke on condition of anonymity in order to discuss a security matter, the penetration of the nation’s electrical grid is significant because it represents a potentially serious vulnerability.”
Yet, it turns out this narrative was false and as the chronology below will show, illustrates how effectively false and misleading news can ricochet through the global news echo chamber through the pages of top tier newspapers that fail to properly verify their facts.
The original article was posted online on the Washington Post’s website at 7:55PM EST. Using the Internet Archive’s Wayback Machine, we can see that sometime between 9:24PM and 10:06PM the Post updated the article to indicate that multiple computer systems at the utility had been breached (“computers” plural), but that further data was still being collected: “Officials said that it is unclear when the code entered the Vermont utility’s computers, and that an investigation will attempt to determine the timing and nature of the intrusion.” Several paragraphs of additional material were added between 8PM and 10PM, claiming and contextualizing the breach as part of a broader campaign of Russian hacking against the US, including the DNC and Podesta email breaches.
Despite the article ballooning from 8 to 18 paragraphs, the publication date of the article remained unchanged and no editorial note was appended, meaning that a reader being forwarded a link to the article would have no way of knowing the article they were seeing was in any way changed from the original version published 2 hours prior.
Yet, as the Post’s story ricocheted through the politically charged environment, other media outlets and technology experts began questioning the Post’s claims and the utility company itself finally issued a formal statement at 9:37PM EST, just an hour and a half after the Post’s publication, pushing back on the Post’s claims: “We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems. We took immediate action to isolate the laptop and alerted federal officials of this finding.”
From Russian hackers burrowed deep within the US electrical grid, ready to plunge the nation into darkness at the flip of a switch, an hour and a half later the story suddenly became that a single non-grid laptop had a piece of malware on it and that the laptop was not connected to the utility grid in any way.
However, it was not until almost a full hour after the utility’s official press release (at around 10:30PM EST) that the Post finally updated its article, changing the headline to the more muted “Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say” and changed the body of the article to note “Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.” Yet, other parts of the article, including a later sentence claiming that multiple computers at the utility had been breached, remained intact.
The following morning, nearly 11 hours after changing the headline and rewriting the article to indicate that the grid itself was never breached and the “hack” was only an isolated laptop with malware, the Post still had not appended any kind of editorial note to indicate that it had significantly changed the focus of the article.
This is significant, as one driving force of fake news is that as much of 60% of the links shared on social media are shared based on the title alone, with the sharer not actually reading the article itself. Thus, the title assigned to an article becomes the story itself and the Post’s incorrect title meant that the story that spread virally through the national echo chamber was that the Russians had hacked into the US power grid.
Only after numerous outlets called out the Post’s changes did the newspaper finally append an editorial note at the very bottom of the article more than half a day later saying “An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid.”
Yet, even this correction is not a true reflection of public facts as known. The utility indicated only that a laptop was found to contain malware that has previously been associated with Russian hackers. As many pointed out, the malware in question is actually available for purchase online, meaning anyone could have used it and its mere presence is not a guarantee of Russian government involvement. Moreover, a malware infection can come from many sources, including visiting malicious websites and thus the mere presence of malware on a laptop computer does not necessarily indicate that Russian government hackers launched a coordinated hacking campaign to penetrate that machine – the infection could have come from something as simple as an employee visiting an infected website on a work computer.
Moreover, just as with the Santa Claus and the dying child story, the Post story went viral and was widely reshared, leading to embarrassing situations like CNBC tweeting out the story and then having to go back and retract the story.
Particularly fascinating that the original Post story mentioned that there were only two major power utilities in Vermont and that Burlington Electric was one of them, meaning it would have been easy to call both companies for comment. However, while the article mentions contacting DHS for comment, there is no mention of any kind that the Post reached out to either of the two utilities for comment. Given that Burlington issued its formal statement denying the Post’s claims just an hour and a half later, this would suggest that had the Post reached out to the company it likely could have corrected its story prior to publication.