JCDC Success Stories
In its short history, JCDC has unified cyber defense between industry and government to improve information sharing, plan for large-scale cyber events, and collaborate on enhanced cyber threat guidance. This collaboration has allowed us to enhance the way government and industry work together to coordinate on cyber operations, ensuring that actions are well informed and actionable. Examples include improving information sharing and threat mitigation, coordinating on cyber playbooks, expediting updates to the Known Exploited Vulnerabilities Catalog, as well as jointly developing alerts and advisories to better inform and protect the cyber community on cyber threats and vulnerabilities, threat actor tactics, and detection and mitigation guidance.
See below to learn about other notable examples of JCDC’s operational collaboration leading to real insight and action.
Chinese APT Campaign Targeting SLTT Organizations
Between 2021 and 2022, CISA recognized an emerging Chinese APT campaign impacting state, local, tribal, and territorial (SLTT) partners, with the actors employing common tactics, techniques, and procedures. CISA collaborated with affected SLTT government organizations and JCDC members to better understand the nature of the activity and identify multiple zero-day vulnerabilities used as initial intrusion vectors. CISA also acted as a broker to share timely and actionable network defense information among JCDC members and SLTT governments. This broader perspective enabled multiple SLTT governments to locate and respond to associated intrusion activity while supporting JCDC members’ understanding of the same. Finally, CISA collaborated with SLTT organizations and JCDC members, including interagency partners, to develop two network defense advisories based on this activity and share them with JCDC members and SLTT partners.
CISA Releases U.S. Elections Cybersecurity Toolkit
With the approach of the 2022 midterm elections, JCDC has ramped up efforts to support the CISA elections security mission via a range of events, resources, and synchronized communications and operations for the duration of the election season. In August 2022, CISA worked with JCDC members to release a new toolkit of free services and tools to help enhance the cybersecurity and cyber resilience of U.S. election infrastructure. The toolkit includes free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community. The toolkit offers stakeholders—including state and local government officials, election officials, and vendors—resources to protect themselves against common cyber threats like phishing, ransomware, and distributed denial-of-service attacks.
JCDC Supports Albania's CERT
In July 2022, JCDC coordinated the response to a high-visibility, high-priority international event: an intrusion into the network of the Albanian National Agency for Information Society (AKSHI), which is Albania’s national Computer Emergency Response Team (CERT). After learning of the compromise, JCDC engaged with AKSHI and U.S. federal partners to learn more about the incident and determine next steps. AKSHI shared indicators of compromise (IOCs) and malware samples with JCDC and granted JCDC permission to further share the IOCs and samples with trusted industry partners, including JCDC member companies. JCDC members, in turn, shared helpful analysis back with AKSHI. JCDC also connected Albania with partners at Twitter and Discord to remove content posted by the AKSHI network intruders from the social media platforms. This incident demonstrates the power of JCDC’s public-private partnerships model to provide a foreign government with quick and comprehensive expert analysis and incident response guidance.
Expansion to Include Industrial Control
Recognizing the need to further increase U.S. government focus on the cybersecurity and resilience of industrial control systems (ICS), CISA recently expanded JCDC to form JCDC-ICS. JCDC-ICS includes ICS industry experts, 10 new companies—including security vendors, integrators, and distributors—and two current JCDC partners with experience in ICS and operational technology (OT).
JCDC-ICS leverages the knowledge, visibility, and capabilities of the ICS community to build plans around the protection and defense of control systems; inform U.S. government guidance on ICS/OT cybersecurity; and contribute to operational fusion across private and public partners in the ICS/OT space.
Geopolitical Tensions Cyber Defense Plan
In early 2022, CISA developed a Russia-Ukraine Tensions Plan with JCDC members that lays out phases and objectives of operational coordination between the U.S. government and private sector partners amidst escalating geopolitical tensions. Additionally, JCDC conducted a tabletop exercise of this plan with interagency and private sector members. The plan serves to guide and align collective operational posture and support the ability to synchronize defensive actions to mitigate harmful impacts to U.S. critical infrastructure from Russian cyber operations.
JCDC members worked together to compile a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This list has proved particularly impactful for small businesses and other organizations that are target-rich and resource-poor.
Amplified Discovery of Daxin
In February 2022, researchers from Broadcom, a JCDC member and global software company, discovered a backdoor malware known as Daxin, attributed to China, that allows the controller to install malicious software and collect information from specific government targets as part of a larger espionage campaign.
Broadcom leveraged JCDC’s operational collaboration to notify foreign governments that are not Broadcom customers about the threat.
“Within 48 hours of contacting JCDC, we were put on a call with the first government that we worked with, along with DHS and JCDC,” said Vikram Thakur, technical director at Symantec Threat Intelligence, a division of Broadcom Software.
CISA leveraged pre-existing relationships with both the U.S. private sector and international partners to notify foreign governments affected by this activity and assist in remediation. Specifically, as JCDC members, CISA and Broadcom were able to uncover the new "Daxin" malware and provide advice on both detection and remediation to partners across the globe.
For more information, see CISA's Current Activity on Daxin and the Broadcom blog post, “Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks.”
Defense Against Log4Shell
Upon the discovery of the Log4Shell vulnerability in Apache Log4j software in December 2021, JCDC shared indicators of compromise, threat activity, and intelligence with and among JCDC members to enable partners to act quickly on this threat. Log4j is broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. JCDC partners built true operational collaboration by helping the cybersecurity community better understand and manage the threat posed by Log4Shell and related vulnerabilities.
For more information, see Apache Log4j Vulnerability Guidance.