(updated below) The Washington Post on Friday reported a genuinely alarming event: Russian hackers have penetrated the U.S. power system through an electrical grid in Vermont. The Post headline conveyed the seriousness of the threat:

The first sentence of the article directly linked this cyberattack to alleged Russian hacking of the email accounts of the DNC and John Podesta — what is now routinely referred to as “Russian hacking of our election” — by referencing the code name revealed on Wednesday by the Obama administration when it announced sanctions on Russian officials: “A code associated with the Russian hacking operation dubbed Grizzly Steppe by the Obama administration has been detected within the system of a Vermont utility, according to U.S. officials.” The Post article contained grave statements from Vermont officials of the type politicians love to issue after a terrorist attack to show they are tough and in control. The state’s Democratic governor, Peter Shumlin, said: Vermonters and all Americans should be both alarmed and outraged that one of the world’s leading thugs, Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality of life, economy, health, and safety. This episode should highlight the urgent need for our federal government to vigorously pursue and put an end to this sort of Russian meddling. Vermont Sen. Patrick Leahy issued a statement warning: “This is beyond hackers having electronic joy rides — this is now about trying to access utilities to potentially manipulate the grid and shut it down in the middle of winter. That is a direct threat to Vermont and we do not take it lightly.” The article went on and on in that vein, with all the standard tactics used by the U.S. media for such stories: quoting anonymous national security officials, reviewing past acts of Russian treachery, and drawing the scariest possible conclusions (“‘The question remains: Are they in other systems and what was the intent?’ a U.S. official said”). The media reactions, as Alex Pfeiffer documents, were exactly what one would expect: hysterical, alarmist proclamations of Putin’s menacing evil:

Our Russian "friend" Putin attacked the U.S. power grid. https://t.co/iAneRgbuhF — Brent Staples (@BrentNYT) December 31, 2016

NEW: "One of the world's leading thugs, [Putin] has been attempting to hack our electric grid," says VT Gov. Shumlin https://t.co/YgdtT4JrlX pic.twitter.com/AU0ZQjT3aO — ABC News (@ABC) December 31, 2016

The Post’s story also predictably and very rapidly infected other large media outlets. Reuters thus told its readers around the world: “A malware code associated with Russian hackers has reportedly been detected within the system of a Vermont electric utility.” What’s the problem here? It did not happen. There was no “penetration of the U.S. electricity grid.” The truth was undramatic and banal. Burlington Electric, after receiving a Homeland Security notice sent to all U.S. utility companies about the malware code found in the DNC system, searched all its computers and found the code in a single laptop that was not connected to the electric grid. Apparently, the Post did not even bother to contact the company before running its wildly sensationalistic claims, so Burlington Electric had to issue its own statement to the Burlington Free Press, which debunked the Post’s central claim (emphasis in original): “We detected the malware in a single Burlington Electric Department laptop not connected to our organization’s grid systems.” So the key scary claim of the Post story — that Russian hackers had penetrated the U.S. electric grid — was false. All the alarmist tough-guy statements issued by political officials who believed the Post’s claim were based on fiction. Even worse, there is zero evidence that Russian hackers were even responsible for the implanting of this malware on this single laptop. The fact that malware is “Russian-made” does not mean that only Russians can use it; indeed, like a lot of malware, it can be purchased (as Jeffrey Carr has pointed out in the DNC hacking context, assuming that Russian-made malware must have been used by Russians is as irrational as finding a Russian-made Kalishnikov AKM rifle at a crime scene and assuming the killer must be Russian). As the actual truth emerged once the utility company issued its statement, the Post rushed to fix its embarrassment, beginning by dramatically changing its headline:

The headline is still absurd: They have no idea that this malware was placed by a “Russian operation” (though they would likely justify that by pointing out that they are just stenographically passing along what “officials say”). Moreover, nobody knows when this malware was put on this laptop, how, or by whom. But whatever else is true, the key claim — “Russian hackers penetrated U.S. electricity grid” — has now been replaced by the claim that this all shows “risk to U.S. electrical grid.” As journalists realized what did — and did not — actually happen here, the reaction was swift:

1) Not an infiltration of the power grid.

2) "Russian" malware can be purchased online by anyone.

3) See 1 & 2. https://t.co/bVIG8zQBsk — Dell Cameron (@dellcam) December 31, 2016

Pretty amazing how badly the Post appears to have mangled this one. You didn't call the Vermont utility regulator before publishing? — Eric Geller (@ericgeller) December 31, 2016

My money's on this all turns out to be commodity malware and not even APT28/APT29 and everyone jumping on the bandwagon will look v silly — Pwn All The Things (@pwnallthethings) December 31, 2016