The Russian cyberattacks on US water, Polish water, and a French dam are complicated. We had established that CARR was being used as a front for Sandworm/APT44 (Russian GRU) prior to the incidents and that they were even involved in creating some of CARR's online presence. 1/x

But without evidence of their involvement we had to allow for the possibility of other CARR affiliates acting outside of the direction of Sandworm/APT44. In that case what does Sandworm/APT44 have to do with it? 2/x

Even if these are legit hacktivists acting independently under the CARR umbrella, they have latched on to a hacktivist group that Sandworm/APT44 substantially contributed to, or even created. Further, they are a stone's throw from the Kremlin's most aggressive capability. 3/x

Most importantly, we shouldn't stand for attacks on water and dams from foreign attackers. These incidents weren't terribly impactful, but they did demonstrate a vulnerability that we must address. US water is now being attacked on three fronts (China, Iran, and Russia). 4/x