The recently discovered CosmicEnergy malware, which is designed to target industrial control systems (ICS), does not pose an immediate threat to operational technology (OT), but organizations should not ignore it, according to industrial cybersecurity firm Dragos.
In May, Google-owned Mandiant detailed a new piece of malware named CosmicEnergy, warning that it could allow threat actors to cause electric grid disruptions.
The malware is designed to interact with ICS devices used in electric transmission and distribution, sending remote commands to tamper with the actuation of power line switches and circuit breakers. Mandiant warned at the time that CosmicEnergy “poses a plausible threat to affected electric grid assets”.
Mandiant linked the malware to Russian threat actors and said it appeared to target remote terminal units (RTUs) typically used in Europe, the Middle East and other parts of Asia.
The malware has two main components: LightWork, which implements the IEC104 communication protocol to modify the RTU state to on/off, and PieHop, which connects to a specified remote MSSQL server for uploading files and issuing remote commands to an RTU using LightWork.
Dragos has also analyzed CosmicEnergy and its components and determined that it’s not an immediate threat to OT, pointing out that it does not have the full-fledged attack capabilities of other ICS malware, such as Industroyer (aka CrashOverride) and Industroyer2, which were used to target Ukraine’s energy sector.
The security firm pointed out that there is no evidence of the malware being deployed in the wild. Dragos also noted that CosmicEnergy appears to have been created for training scenarios, with hardcoded Information Object Addresses (IOAs) and Common Address of ASDU (COA) for targeting a specific range of equipment. In more advanced malware, such as Industroyer and Industroyer2, these parameters are configurable.
Mandiant did indeed say that the malware may have been created by a contractor at Russian cybersecurity firm Rostelecom-Solar as part of a red teaming tool for power disruption and emergency response exercises. However, Mandiant said it’s also possible that someone used that red teaming tool’s code to create the malware.
Dragos’ analysis led to the discovery of coding errors in the PieHop component, which prevented the malware from running properly. LightWork did run, but it “lacks development maturity and requires more work before it’s a full-fledged IEC104 attack capability”.
While CosmicEnergy might not pose an immediate threat, Dragos has advised industrial organizations to take steps to protect their systems against attacks involving this type of malware. Recommendations include restricting access to and monitoring MS SQL servers.
“Even though there’s no evidence that CosmicEnergy is being deployed, its existence should prompt all organizations to reassess their firewall rules and configurations and ensure they have visibility into the ICS protocols traversing their network. This is the third discovery of IEC104 targeted tooling, so organizations should take notice and implement good security posture to raise the probability of detecting and mitigating potential future attacks,” Dragos concluded.
Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
October 23-26, 2023 | Atlanta
www.icscybersecurityconference.com
Related: Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme
Related: Omron PLC Vulnerability Exploited by Sophisticated ICS Malware
