CISA Issues Fresh Russia Cyber Warnings
Russian Government, Cybercrime Groups Growing More Dangerous
Ukrainian military vehicles in January preparing for the expected Russian invasion | Shutterstock
CISA joined other U.S. and global security agencies to issue the most comprehensive warning yet of Russia's cyberwarfare intentions.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) joined the FBI and National Security Agency — along with security agencies in the U.K., Australia, New Zealand and Canada — on Wednesday to release a report detailing the cyber threats against critical infrastructure that have been detected in connection with Russia’s invasion of Ukraine.

The report, “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure,” presented hostile cyber activities by a host of Russian government agencies, including the Federal Security Service (FSB), Foreign Intelligence Service (SVR), Main Intelligence Directorate (GRU) and Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM). Attacks could come “as a response to the unprecedented economic costs imposed on Russia, as well as materiel support provided [to Ukraine] by the United States and U.S. allies and partners,” the report said.

Veteran Cyber Units Hard at Work

Each Russian agency has been linked to previous cyber incidents: Just last month the Justice Department announced it had indicted agents of TsNIIKhM and the FSB for a series of cyberattacks against the global energy industry. (See DOJ Reveals Indictments Against Russian Energy Hackers.) GRU’s Unit 74455 — which analysts have variously dubbed Sandworm, Electrum and Voodoo Bear — is believed to have carried out attacks around the world, including against the Winter Olympics in 2018 and the Ukrainian power grid in 2015 and 2017. (See Six Russians Charged for Ukraine Cyberattacks.)

Industroyer, another breed of malware linked to Unit 74455 that knocked out 20% of Ukrainian capital Kyiv’s power grid in 2016, was back in the news recently after Ukraine’s Computer Emergency Response Team reported discovering a very similar attack underway last week. Like the earlier threat, the new “Industroyer2” hack appeared designed to attack the industrial control systems used by electric utilities; however, in this case the attack was stopped before any damage could be done. (See E-ISAC Warns of Escalating Russian Cyber Threats.)

Along with these officially government-linked groups, the report identified two malicious actors as “aligned” with Russia but not definitely known to be employed by its government. The first, dubbed Gamaredon or Primitive Bear, has “targeted Ukrainian organizations since at least 2013,” including multiple operations before Russia’s invasion. The other, known as Venomous Bear or Turla, “is known for its unique use of hijacked satellite internet connections” to attack NATO-aligned governments, defense contractors and “other organizations of intelligence value.”

Nominally independent cybercrime groups are another growing threat, the report said, with some gangs pledging support for Russia’s government and threatening to “retaliate against perceived attacks against Russia or materiel support for Ukraine.” Among the groups identified by code name is Wizard Spider, responsible for the Conti ransomware that has targeted more than 1,000 organizations worldwide. Other groups historically have focused more narrowly on the Ukrainian government.

Cybercrime gangs tend not to have the direct support of Russia’s government, even when based in the country; rather, law enforcement often turns a blind eye to their activities as long as they are directed against Russia’s perceived adversaries. The agencies noted that even for the groups that have promised to support Russia’s war in Ukraine, their primary motivation and mode of attack are likely to remain financial rather than participating in government hacking operations.

Warnings Becoming More Urgent

CISA has been in a “Shields Up” posture since Russia’s invasion began in February, calling for critical infrastructure operators to be vigilant for potential cyber interference. Though the agency initially said it had seen “no specific or credible cyber threats to the U.S. homeland,” it and other federal entities — including the White House — have issued more pointed warnings as the conflict wears on and Russia’s military seems increasingly unlikely to score a clear victory on the battlefield, making a cyber escalation more probable.

“We know that malicious cyber activity is part of the Russian playbook. We also know that the Russian government is exploring options for potential cyberattacks,” CISA Director Jen Easterly said in a release. “We urge all organizations to review the guidance in this advisory as well as visit [CISA’s website] for continually updated information on how to protect yourself and your business.”
