Connect with us

Hi, what are you looking for?



CosmicEnergy ICS Malware Poses No Immediate Threat, but Should Not Be Ignored

The Russia-linked ICS malware named CosmicEnergy does not pose a direct threat to OT systems as it contains errors and lacks maturity.

COSMICENERGY - OT Malware to Disrupt Power Grid

The recently discovered CosmicEnergy malware, which is designed to target industrial control systems (ICS), does not pose an immediate threat to operational technology (OT), but organizations should not ignore it, according to industrial cybersecurity firm Dragos.

In May, Google-owned Mandiant detailed a new piece of malware named CosmicEnergy, warning that it could allow threat actors to cause electric grid disruptions. 

The malware is designed to interact with ICS devices used in electric transmission and distribution, sending remote commands to tamper with the actuation of power line switches and circuit breakers. Mandiant warned at the time that CosmicEnergy “poses a plausible threat to affected electric grid assets”.

Mandiant linked the malware to Russian threat actors and said it appeared to target remote terminal units (RTUs) typically used in Europe, the Middle East and other parts of Asia. 

The malware has two main components: LightWork, which implements the IEC104 communication protocol to modify the RTU state to on/off, and PieHop, which connects to a specified remote MSSQL server for uploading files and issuing remote commands to an RTU using LightWork. 

Dragos has also analyzed CosmicEnergy and its components and determined that it’s not an immediate threat to OT, pointing out that it does not have the full-fledged attack capabilities of other ICS malware, such as Industroyer (aka CrashOverride) and Industroyer2, which were used to target Ukraine’s energy sector.

The security firm pointed out that there is no evidence of the malware being deployed in the wild. Dragos also noted that CosmicEnergy appears to have been created for training scenarios, with hardcoded Information Object Addresses (IOAs) and Common Address of ASDU (COA) for targeting a specific range of equipment. In more advanced malware, such as Industroyer and Industroyer2, these parameters are configurable. 

Advertisement. Scroll to continue reading.

Mandiant did indeed say that the malware may have been created by a contractor at Russian cybersecurity firm Rostelecom-Solar as part of a red teaming tool for power disruption and emergency response exercises. However, Mandiant said it’s also possible that someone used that red teaming tool’s code to create the malware. 

Dragos’ analysis led to the discovery of coding errors in the PieHop component, which prevented the malware from running properly. LightWork did run, but it “lacks development maturity and requires more work before it’s a full-fledged IEC104 attack capability”.

While CosmicEnergy might not pose an immediate threat, Dragos has advised industrial organizations to take steps to protect their systems against attacks involving this type of malware. Recommendations include restricting access to and monitoring MS SQL servers.

“Even though there’s no evidence that CosmicEnergy is being deployed, its existence should prompt all organizations to reassess their firewall rules and configurations and ensure they have visibility into the ICS protocols traversing their network. This is the third discovery of IEC104 targeted tooling, so organizations should take notice and implement good security posture to raise the probability of detecting and mitigating potential future attacks,” Dragos concluded. 

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

Related: Dragos Says Ransomware Gang Accessed Limited Data but Failed at Extortion Scheme 

Related: Omron PLC Vulnerability Exploited by Sophisticated ICS Malware

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...