Did Russian disinformation by the FBI feed corruption in LA?
LADWP officials were so spooked by a Washington Post story reporting a Vermont utility was hacked by Russia that they started giving multimillion-dollar contracts to fix things. That story was a lie.
On the last day of 2016, the Washington Post ran a scary story.
“Russian hackers penetrated U.S. electricity grid through a utility in Vermont, officials say,” blazed the headline.
Quoting anonymous national security sources, the story said Vermont utility Burlington Electric discovered malware linked to the Russia hacking op Grizzly Steppe. The utility’s grid was penetrated, according to the news org. Post-scripting a flurry of 2016 elections stories saying the Russians hacked our election, this story brought the boogeyman right into our backyards.
Fearing Russia was coming for LA next, officials at the Los Angeles Department of Water and Power (LADWP) passed around the news story, according to recently filed court records. They were freaking out, and rightly so. This was a serious story about national security implications.
Almost immediately, Mark Townsend, then the chief information officer at LADWP, began preparing a PowerPoint presentation titled, “Vermont Utility Cyber Attack—GRIZZLY STEPPE—Russian Malicious Cyber Activity,” according to court documents.
The PowerPoint asked, “What actions are LADWP taking?” and said it was instituting a range of action items, including scanning for viruses and malware, updating anti-virus software, and patching applications, among other things.
Then-DWP Commissioner Christina Noonan kicked off a Jan. 3, 2017 meeting by asking then-DWP General Manager David Wright to, “Please provide a closed session presentation on the recent hacking of the Vermont Grid and how it compares to LADWP.” Ten days later DWP commissioner Mel Levine, a former U.S. Congressman, also asked for more information, “especially the Russia part?” he wrote in an email to Wright.
Soon, DWP officials were meeting with FBI and Secret Service agents concerning LADWP security.
We don’t know what was said in those meetings, but DWP’s solution: award $30 million in cyber security contracts to a company that hadn’t even been created yet. That company, Aventador Utility Solutions, whose expertise to fix DWP’s massive security problems was highly questioned, received the contracts less than five months later. Its rates, which were $400 an hour, were higher than normal for the market. Aventador would eventually become part of one of the biggest corruption scandals in modern LA history, costing hundreds of millions of dollars and sending four people to jail. The head of DWP—Wright—helped sell the cyber security contracts in exchange for a million-dollar job at Aventador. Wright was sentenced to jail for six years for the bribe. Same thing happened to David Alexander, a former security official at DWP. He’s been sentenced to four years in jail for accepting a job with the company in exchange for pushing contracts. And the investigation is ongoing.
As Paul Paradis, a former city lawyer who ran Aventador, said in a recent bankruptcy filing (emphasis mine):
The constant drumbeat of negative cyber security news reports that culminated in the December 31, 2016 news report of Russian hackers having conducted a successful cyber-attack on Burlington Electric which prompted Levine and others to request and attend meetings with both Secret Service and FBI cyber security officials in January 2017 was the tipping point, and caused Levine and [William] Funderburk to direct Wright to speak with debtor about providing those project management services for the LADWP.
Paradis said it was city officials, not him, who pushed for the fraudulent Aventador contracts in the first place; that the city ultimately drove the corruption. And the inciting incident, he said, was the Washington Post’s Russian utility hacking story, though he did not comment on its veracity.
Only one problem: that WaPo story was false. The malware was found on a single laptop not connected to the grid, so there was no possibility of a utility hack. And there was no proven Russian connection. The Post had to run a correction.
Just when I thought the DWP story couldn’t get any more ridiculous, a hilarious detail like this emerges. If you really want to get an American bureaucrat to do something, all you gotta do is say “But Russia!” DWP leaders panicked in response to an irresponsible news story, then chose the wrong solution. This is a direct example of how Russian xenophobia by the United States national security apparatus, in conjunction with a major media outlet, can lead to incredibly damaging consequences. Touched off by this false hacking story pushed by anonymous government sources, the result was spooked DWP officials blindly awarding tens of millions of dollars in contracts to a cyber security company that never fixed the problem, and multiple city officials going to jail. Now the feds have to clean up what natsec spooks started.
This is more about award-winning reporters relying on natsec officials who spout disinformation behind a veil of anonymity, and the downstream repercussions it causes. With the Vermont utility story, the FBI and Department of Homeland Security (DHS) under the Obama Administration sent out a joint report about hacking. In the report, it identified Grizzly Steppe as malicious Russian malware, and listed a bunch of IP addresses as possibly being connected to Russian hackers. Somebody employed by the Vermont Utility Burlington Electric said he saw the IP address on a utility laptop and reported it to federal authorities. Those authorities then called up Post reporters, giving them the scoop. And on down to DWP officials the story reverberated. In a way, the FBI, which posted information about the malware along with DHS, started the problem. If you wanna get trippy, think about how the FBI inadvertently helped create DWP corruption.
But that laptop was not connected to the grid, and further, it wasn’t even proven that the IP address was connected to Russia. Malware can be purchased. As the FBI’s own report states:
Upon reviewing the traffic from these IPs, some traffic may correspond to malicious activity, and some may correspond to legitimate activity.
Regardless, the story ran without anyone checking with the Vermont utility, which eventually had to put out an angry statement.
“It’s unfortunate that an official or officials improperly shared inaccurate information with one media outlet, leading to multiple inaccurate reports around the country,” said Mike Kanarick, the company’s communications director, in a statement.
We see bogus info leak into the news all the time, with the biggest recent example being Russiagate, that hoax perpetuated by the political establishment and enabled by the mainstream press to discredit an insurgent populist movement, in this case Donald Trump. We now know, following Robert Mueller’s investigation, and buried in paragraphs in publications like the Post and New York Times, that there is no credible evidence that Donald Trump assisted the Russian government to hack the 2016 election. I’m sorry. Trump sucks, but it didn’t happen. Russia is terrible, but it’s not responsible for all of America’s problems. Reporters like Matt Taibbi, Glenn Greenwald, and Aaron Maté have gone deep on this for years now. On the other side of the political aisle, anonymous national security sources came for our post-9/11 fears when reporters quoted them non-stop in the run-up to the Iraq War, saying Saddam Hussein had weapons of mass destruction. That Big Lie cost trillions of dollars and hundreds of thousands dead. The same thing happened in the Trump era, except this time it’s Democrats who mostly got it wrong.
But About That DWP Infrastructure
This all doesn’t change the fact that DWP’s security infrastructure was, and still is, in very bad shape. Don’t just take it from Paul Paradis.
In 2015 a leaked report by consulting firm Navigant, which was hired by the city of LA, blasted DWP’s security infrastructure:
Past assessments by LADWP security staff and the recent assessment conducted by Navigant have revealed a number of factors that limit the Department’s ability to mitigate security threats and vulnerabilities, including a lack of formal cyber and physical security processes, limited risk assessments, constrained resources, and limited executive level support.
The report also rested blame on management:
Moreover, there is little oversight from senior management and executive leadership due to the lack of formal processes and accountability . . . . the Department is not able to appropriately prioritize cybersecurity issues on an enterprise level.
This contradicted what DWP told the federal government in 2013 regarding its infrastructure. A DWP official said the utility followed guidelines for its critical infrastructure control systems, firewalls and encryption methods (emphasis mine).
LADWP maintains an in-house inventory system, and utilizes industry available software to inventory computer systems on the network and to ensure that security patch levels and antivirus signatures are up-to-date.
Following the damaging Navigant report, the city apparently hired a former CIA security officer named Robert Bigman to get a sense of what kind of shape DWP’s IT system was really in. It wasn’t looking good. Bigman, who reportedly briefed Garcetti, Feuer, and DWP officials, said a scan of the LADWP billing system identified over 4,000 unpatched vulnerabilities that could be exploited by cyber attackers.
Paradis and his company Aventador did their own analysis of the utility’s IT system, telling the city:
Connection to these systems demonstrates [sic] will enable an attacker to shut off water and power from across the Internet. Unauthorized access to the control and SCADA environment can directly impact public health and safety.
These problems were confirmed by former DWP executives, according to Paradis, who covertly recorded them at the direction of the FBI as part of the government’s criminal investigation into LA city officials. According to Paradis’ briefings to the FBI of one meeting with Alexander, DWP’s former chief security officer, DWP had been falsifying regulatory records for the past 15 years “to cover up non-compliance with CIP standards and other regulatory requirements.”
One of the ways DWP did this was by self-reporting small violations so it could avoid regulators discovering bigger problems, according to Paradis. He went on to quote a meeting with former general manager Wright, saying he did not “give a fuck about regulatory issues” because no one knows about them and no one is looking.
DWP officials also made sure other companies wouldn’t get cyber work with the utility so as to prevent them from uncovering regulatory violations, according to Paradis.
Paradis, who is awaiting sentencing for bribery, says he is the scapegoat for the city’s malfeasance, and couldn’t have received the cyber contracts without the green light from top city officials like Levine, Wright and Garcetti. DWP board members already decided months prior to the June 2017 vote to approve Aventador’s contracts that Aventador would get the contracts, according to Paradis. Paradis in his recent bankruptcy filing:
While there is, indeed, a massive fraud scheme that has been perpetrated – and that continues to be perpetrated – this fraudulent scheme has been perpetrated by the City, itself, and by and through the senior ranking officials in the Los Angeles City Attorney’s Office, the Los Angeles Department of Water and Power and the Office of Mayor Garcetti. The fraudulent scheme has not been perpetrated by [Paradis] or his former co-counsel, attorney Paul Kiesel on the City as “rogue actors” -- as the City has falsely claimed since April 2019.
Could an outsider really get away with such extreme levels of grift without the help of the system?
…Had Kiesel and Paradis been “rogue actors” operating under cover of darkness and defrauded the City and City and LADWP officials as the City has falsely claimed since April 2019, Kiesel and Paradis surely would not have had the number two ranking City Attorney official [Jim Clark] personally instructing, authorizing and directing them at every critical juncture in the Jones case.
As I previously reported, Paradis cites covert recordings of DWP officials and texts that point to city hall, including requests to approve the Aventador contracts under a new name, Ardent. And this is just one part of a sprawling corruption investigation in which incorrectly billed DWP customers were given a puppet lawyer selected by the city. The Aventador/Ardent contracts were sort of a thank you in order to cover up the collusive billing lawsuit guided by the city attorney’s office.
Paradis pointed to a text message from then-DWP commissioner Cynthia McClain-Hill to Ardent president Ryan Clarke in April 2019, updating Clarke on Ardent’s contracting status with the city prior to a formal vote.
There has been a last minute change in duration and amount per the Mayor’s Office. [The Mayor’s Office] wanted me to let you know that they full[y] support the entire period and resource commitment...but would like it done in installments so no one authorization is in double figures. We will approve a second contract in 45 days and a 3rd contract 45 days after that. We are finally at the end of this road...hope this works for you.
About $10 million was soon approved by the DWP board. Paradis said communications such as these indicate the city was calling the shots the whole time.
Again, look at the chain reaction of events: Bogus Russian hacking story started by DHS > DWP officials freak out upon reading > award contracts to questionable company > FBI sends people to jail.
And it’s really not that funny. Here we have a cyber security problem that’s gone unaddressed for years at the biggest public utility in the country. And the one time city officials were moved to actually do something was apparently because of an extremely nationalist, false news story. The cure was the disease. Nothing was fixed. Instead lots of money was wasted and people went to jail. The government is eating itself. Allow it one bite and it will stay hungry.