New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids

Mandiant has analyzed a new Russia-linked ICS malware named CosmicEnergy that is designed to cause electric power disruption.


Mandiant discovers Industroyer-like OT malware 

Mandiant on Thursday detailed a new piece of malware that appears to be linked to Russia and is designed to target industrial control systems (ICS), specifically in an effort to cause electric grid disruption. 

Named CosmicEnergy, the latest malware family targeting operational technology (OT) is designed to interact with IEC 60870-5-104 (IEC-104) devices, sending remote commands to tamper with the actuation of power line switches and circuit breakers in an effort to cause power disruption. Mandiant believes it “poses a plausible threat to affected electric grid assets”.

IEC 60870-5-104 is a protocol for telecommunication functions in electric power systems. CosmicEnergy uses it to interact with remote terminal units (RTUs), specifically models that are commonly used in electric transmission and distribution in regions such as Europe, the Middle East and other parts of Asia.

The malware has two main components: LightWork, which implements the IEC-104 protocol to set an RTU's state to on or off, and PieHop, which connects to a specified remote MSSQL server to upload files and issue remote commands to an RTU using LightWork.

The security firm pointed out that CosmicEnergy cannot on its own discover the information needed to carry out an attack: the attacker must manually collect target IP addresses and credentials.
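The LightWork component described above works by sending IEC-104 control commands to an RTU. As an added defensive example (not code from the article or from Mandiant), the Python below parses IEC-104 APDUs from constructed sample traffic and flags single/double commands (ASDU type IDs 45 and 46, taken from the IEC 60870-5-104 standard) sent by any host other than an allow-listed SCADA master; the host addresses and the allow-list are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# IEC 60870-5-104 type identifiers for control ASDUs (values from the standard)
C_SC_NA_1 = 45   # single command: switch an object ON/OFF
C_DC_NA_1 = 46   # double command: explicit OFF(1)/ON(2) encoding
CONTROL_TYPES = {C_SC_NA_1: "single command", C_DC_NA_1: "double command"}

@dataclass
class Iec104Command:
    src: str          # IP of the host that sent the frame (assumed sample value)
    type_id: int
    common_addr: int  # ASDU common address (station)
    ioa: int          # information object address (the switch/breaker point)
    state: str        # "ON", "OFF" or "INVALID"
    select: bool      # True = select phase, False = execute phase

def parse_apdu(src: str, data: bytes) -> Optional[Iec104Command]:
    """Parse one IEC-104 APDU; return the command if it is an I-frame carrying a control ASDU."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None                       # not a well-formed APDU
    if data[2] & 0x01:
        return None                       # S- or U-format frame: no ASDU inside
    asdu = data[6:]                       # type(1) VSQ(1) COT(2) CA(2) IOA(3) element(1)
    if len(asdu) < 10 or asdu[0] not in CONTROL_TYPES:
        return None
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    qual = asdu[9]                        # SCO or DCO qualifier octet
    if asdu[0] == C_SC_NA_1:
        state = "ON" if qual & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")
    return Iec104Command(src, asdu[0], common_addr, ioa, state, bool(qual & 0x80))

def flag_unauthorized(frames, allowed_masters) -> List[str]:
    """Alert on any control command whose sender is not an allow-listed SCADA master."""
    alerts = []
    for src, data in frames:
        cmd = parse_apdu(src, data)
        if cmd and src not in allowed_masters:
            alerts.append(f"{src}: {CONTROL_TYPES[cmd.type_id]} {cmd.state} CA={cmd.common_addr} "
                          f"IOA={cmd.ioa} ({'select' if cmd.select else 'execute'})")
    return alerts

# Constructed sample traffic: an interrogation (type 100) from the real master, then a
# single-command ON (type 45, execute) to IOA 16 from an unknown host.
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00, 100, 1, 6, 0, 1, 0, 0, 0, 0, 20])),
    ("10.0.0.99", bytes([0x68, 0x0E, 0x02, 0x00, 0x00, 0x00, 45, 1, 6, 0, 1, 0, 16, 0, 0, 0x01])),
]
ALLOWED_MASTERS = {"10.0.0.5"}
```

The base IEC-104 specification carries no sender authentication, so a source allow-list combined with monitoring of control-type ASDUs is the practical detection baseline for this class of tooling.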

The CosmicEnergy sample analyzed by Mandiant was uploaded to a malware scanning service in December 2021 by someone from Russia.

Mandiant believes the malware may have been created by a contractor at Russian cybersecurity company Rostelecom-Solar as a red teaming tool for power disruption and emergency response exercises. Rostelecom-Solar received a subsidy from the Russian government in 2019 to begin training cybersecurity experts and conducting such exercises. The malware may have been used in exercises conducted in 2021 or 2022.


“However, given the lack of conclusive evidence, we consider it also possible that a different actor – either with or without permission – reused code associated with the cyber range to develop this malware. Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like Temp.Veles’ use of Meterpreter during the Triton attack,” Mandiant noted.  

“There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan. These observations leave open the possibility that CosmicEnergy was developed with malicious intent, and at a minimum that it can be used to support targeted threat activity in the wild,” it added.

CosmicEnergy’s capabilities are reminiscent of Industroyer and Industroyer2, Russian malware used in the past to target Ukraine’s energy sector. Researchers have also found technical similarities to other OT malware families such as Triton and Incontroller, which were also designed to cause physical damage or disruption.  


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
