CosmicEnergy, Russian New Strain Of Malware Attacking Electric Grids

By Adeola Adegunwa
Writer, Informationsecuritybuzz | May 25, 2023 08:21 pm PST

Security researchers have identified a new strain of malware, named “CosmicEnergy,” that is designed to disrupt electric grids and could be turned against other critical infrastructure.

The researchers from Mandiant discovered the malware and assess that its capabilities resemble those of Industroyer, the malware the Russian state-backed “Sandworm” group used to cause a power outage in Kyiv in December 2016.

Interestingly, the malware was found through proactive threat hunting by Mandiant rather than in the aftermath of an attack on critical infrastructure. According to Mandiant, CosmicEnergy was uploaded to VirusTotal, the Google-owned malware scanning service, by a submitter in Russia in December 2021.

The cybersecurity firm’s analysis suggests that the malware may have been created by Rostelecom-Solar, the cybersecurity division of Russia’s national telecom operator Rostelecom, to support exercises such as the power-disruption drills it hosted in collaboration with the Russian Ministry of Energy in 2021.

Mandiant proposes that it may have been built as a red-teaming tool, possibly by a contractor, for simulated electricity-disruption exercises hosted by Rostelecom-Solar. Because the evidence is not conclusive, however, Mandiant has not ruled out that a different actor, with or without permission, reused code associated with the cyber range to develop the malware.

Threat actors frequently adapt red-team tools for real-world attacks, Mandiant notes. Its analysis of CosmicEnergy shows that the malware’s functionality closely resembles that of other malware families aimed at industrial control systems (ICS), such as Industroyer, which is why Mandiant considers it a credible risk to affected electric grid assets.

The company told TechCrunch that it has not yet observed CosmicEnergy used in a real-world attack. The malware also lacks discovery capabilities, so an operator would first need to carry out internal reconnaissance to gather environment details, such as MSSQL server IP addresses, MSSQL credentials and the IP addresses of target IEC-104 devices, before launching an attack.

The fact that the malware targets IEC-104, a network protocol widely used in electric utility environments and one that Industroyer also abused in the 2016 Ukraine power grid attack, underscores the real threat CosmicEnergy poses to electricity transmission and distribution operators, the researchers note.

Mandiant researchers cautioned that the discovery of new operational technology (OT) malware represents an immediate threat to affected organizations. Such discoveries are rare, and this kind of malware takes advantage of insecure-by-design features of OT environments, such as unauthenticated control protocols, that are unlikely to be remediated any time soon.

This revelation of a new ICS-focused malware by Mandiant follows Microsoft’s disclosure this week that hackers backed by the Chinese state had infiltrated American critical infrastructure. As per the report, a spy group that Microsoft calls “Volt Typhoon” has been targeting Guam, a U.S. island territory, and might be planning to “interfere with essential communications infrastructure between the U.S. and Asia during impending crises.”

Following the report, the U.S. government announced its collaboration with Five Eyes partners to identify possible breaches. Microsoft disclosed that the group has tried to infiltrate entities in sectors such as communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education.


On Thursday, Mandiant reported the discovery of new malware, possibly linked to Russia, built to target industrial control systems (ICS) with the specific aim of disrupting electric grids. The malware, named CosmicEnergy, targets operational technology (OT) and is designed to interact with devices that speak IEC 60870-5-104 (IEC-104), a standard telecontrol protocol used over TCP/IP in electric power systems. Its purpose is to send remote commands that change the state of power line switches and circuit breakers, potentially causing electricity disruptions. Mandiant says it “represents a credible risk to impacted electric grid assets”.

CosmicEnergy is capable of interacting with remote terminal units (RTUs) of the kind commonly used in electricity transmission and distribution operations in Europe, the Middle East and Asia. The malware comprises two primary components: LightWork, which implements the IEC-104 protocol to change the state of RTU information object addresses (IOAs) to ON or OFF, and PieHop, which connects to an attacker-specified remote MSSQL server to upload files and issue remote commands to an RTU, using LightWork to send the IEC-104 ON/OFF commands. The cybersecurity company underscored that CosmicEnergy cannot acquire the information required to execute an attack on its own: the attacker must gather target IP addresses and credentials manually.
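To make the IEC-104 messaging described above concrete, here is an added example in Python; it is not part of the original article and is not LightWork's or Mandiant's code. It builds a standard IEC 60870-5-104 single-command APDU (type C_SC_NA_1 = 45, cause of transmission 6 = activation) that switches one information object address ON or OFF, parses such frames back, and then runs a simple detection over constructed sample traffic: any ON/OFF command with activation cause that does not originate from the allow-listed SCADA master is flagged. The IP addresses, IOAs and the allow-list are constructed assumptions; the frame layout follows the IEC-104 standard rather than anything specific to the malware sample.

```python
"""IEC 60870-5-104 single-command builder, parser and rogue-command detector.

Added example (not from the article or from Mandiant). Frame layout per
IEC 60870-5-104: APCI = start 0x68, length, 4 control octets; then the ASDU.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

START = 0x68
C_SC_NA_1 = 45        # single command (one bit: OFF/ON)
C_DC_NA_1 = 46        # double command (DCS: 1 = OFF, 2 = ON)
COT_ACTIVATION = 6    # cause of transmission "activation" (a write from a master)

# Constructed assumption: only this host is supposed to issue control commands.
ALLOWED_MASTERS = {"10.0.0.5"}


def build_i_frame(asdu: bytes, ns: int = 0, nr: int = 0) -> bytes:
    """Wrap an ASDU in an I-format APCI. N(S)/N(R) are 15-bit, stored <<1 little-endian."""
    ctrl = struct.pack("<HH", (ns << 1) & 0xFFFE, (nr << 1) & 0xFFFE)
    body = ctrl + asdu
    return bytes([START, len(body)]) + body


def build_single_command(ioa: int, on: bool, common_addr: int = 1, select: bool = False,
                         originator: int = 0, ns: int = 0, nr: int = 0) -> bytes:
    """C_SC_NA_1 with COT=6. SCO byte: bit0 = SCS (1 = ON), bit7 = S/E (1 = select)."""
    sco = (1 if on else 0) | (0x80 if select else 0)
    # type id, VSQ (1 object, SQ=0), COT, originator address, common address (2 bytes LE)
    asdu = struct.pack("<BBBBH", C_SC_NA_1, 1, COT_ACTIVATION, originator, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([sco])   # IOA is 3 bytes little-endian
    return build_i_frame(asdu, ns, nr)


@dataclass
class Apdu:
    fmt: str                       # 'I', 'S' or 'U'
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None
    state: Optional[int] = None    # SCS for type 45, DCS for type 46


def parse_apdu(frame: bytes) -> Apdu:
    """Parse one APDU; only the first information object of control ASDUs is decoded."""
    if len(frame) < 6 or frame[0] != START or frame[1] != len(frame) - 2:
        raise ValueError("not a well-formed IEC-104 APDU")
    c1 = frame[2]
    if c1 & 0x01 == 0:
        fmt = "I"
    elif c1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt)
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, _vsq, cot_byte, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    cot = cot_byte & 0x3F          # low 6 bits; bit6 = P/N, bit7 = test
    ioa = state = None
    if type_id in (C_SC_NA_1, C_DC_NA_1) and len(asdu) >= 10:
        ioa = int.from_bytes(asdu[6:9], "little")
        state = asdu[9] & (0x01 if type_id == C_SC_NA_1 else 0x03)
    return Apdu(fmt, type_id, cot, common_addr, ioa, state)


def command_state(type_id: int, value: int) -> str:
    if type_id == C_SC_NA_1:
        return "ON" if value == 1 else "OFF"
    return {1: "OFF", 2: "ON"}.get(value, "INVALID")


def find_rogue_commands(traffic: List[Tuple[str, bytes]],
                        allowed_masters=ALLOWED_MASTERS) -> List[Tuple[str, int, str]]:
    """Flag ON/OFF control commands (activation) sent by hosts that are not known masters."""
    alerts = []
    for src, payload in traffic:
        apdu = parse_apdu(payload)
        if apdu.fmt != "I" or apdu.type_id not in (C_SC_NA_1, C_DC_NA_1):
            continue
        if apdu.cot == COT_ACTIVATION and src not in allowed_masters:
            alerts.append((src, apdu.ioa, command_state(apdu.type_id, apdu.state)))
    return alerts


# Constructed sample traffic: (source IP, APDU bytes).
SAMPLE_TRAFFIC = [
    ("10.0.0.5", bytes.fromhex("680407000000")),                   # U-frame STARTDT act
    ("10.0.0.5", build_single_command(1000, on=True)),             # legitimate ON
    ("10.0.0.77", build_single_command(1001, on=False)),           # rogue host: open IOA 1001
    ("10.0.0.77", build_single_command(1002, on=False, select=True)),  # rogue select/execute
]

if __name__ == "__main__":
    print(build_single_command(1000, on=True).hex())
    for alert in find_rogue_commands(SAMPLE_TRAFFIC):
        print("ALERT: unexpected control command", alert)
```

In a real deployment the source-IP allow-list would be replaced by a whitelist of master stations and expected IOAs learned from the engineering configuration; the point is that IEC-104 carries no authentication, so the only way to tell a legitimate ON/OFF from a malicious one is who sent it and whether that IOA should ever be written.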
