Dive Brief:
- Federal and international authorities issued urgent warnings Wednesday to critical infrastructure providers to take precautions against potential retaliatory cyberattacks from alleged Russian state actors and criminal cyber groups.
- The advisory from the Cybersecurity and Infrastructure Security Agency, FBI and National Security Agency, along with international partners in the Five Eyes, provides technical details and urges providers to patch systems and secure remote desktop operations.
- Separately, CISA is expanding the Joint Cyber Defense Collaborative to include industrial cybersecurity experts and infrastructure specialists from Bechtel, Dragos, GE, Schneider Electric, Siemens and other firms. The move follows the discovery of state-linked malware that researchers warn could sabotage or destroy industrial sites.
Dive Insight:
The joint advisory updates threat intelligence about specific state-linked threat actors as well as sympathetic criminal gangs who may be acting in concert with Russian interests.
Government officials in Ukraine said Russia-linked cyberattacks have ramped up in recent weeks against government agencies and critical industries, including an attempt to disrupt the electrical grid on April 8.
Experts have linked other nation state-affiliated actors, such as Berserk Bear, to past cyber incidents against U.S. and Western European targets in sectors including energy, transportation, defense contracting, and water and wastewater systems.
In late March, the Department of Justice indicted four Russian nationals who worked for the country's government on allegations that they participated in hacking campaigns against the global energy sector between 2012 and 2018.
CISA Director Jen Easterly announced the expansion of the JCDC while speaking at the S4x22 conference in Miami. Easterly warned that cyberthreats to industrial control systems (ICS) represent a significant challenge, and that addressing it requires collaboration with private sector partners.
"As the destruction or corruption of these control systems could cause grave harm, ensuring their security and resilience must be a collective effort that taps into the innovation, expertise and ingenuity of the ICS community," Easterly said, according to the announcement from CISA.
Schneider Electric, working with cybersecurity and incident response specialist Mandiant, issued a security bulletin earlier this month to warn critical infrastructure providers about Incontroller/Pipedream, custom-built malware designed to sabotage industrial sites.
"Working with our federal government and industry partners, we were able to analyze this malware framework and publish protective measures prior to this framework being exploited for destructive effect," Annette Clayton, president and CEO of North America at Schneider Electric said in a blog post.
Though researchers have not made a formal attribution, Mandiant warned that the malware poses the greatest threat to companies tied to the sanctions and other measures taken in response to the Russian invasion of Ukraine.