New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids

Mandiant discovers Industroyer-like OT malware 

Mandiant on Thursday detailed a new piece of malware that appears to be linked to Russia and is designed to target industrial control systems (ICS), specifically in an effort to cause electric grid disruption. 

Named CosmicEnergy, the latest malware family targeting operational technology (OT) is designed to interact with IEC 60870-5-104 (IEC-104) devices, sending remote commands to tamper with the actuation of power line switches and circuit breakers in an effort to cause power disruption. Mandiant believes it “poses a plausible threat to affected electric grid assets”.

IEC 60870-5-104 is a protocol for telecommunication functions for electric power systems. In the case of CosmicEnergy, it can interact with remote terminal units (RTUs), specifically ones that are commonly used in electric transmission and distribution in regions such as Europe, the Middle East and other parts of Asia. 

The malware has two main components: LightWork, which implements the IEC-104 protocol to modify the RTU state to on/off, and PieHop, which connects to a specified remote MSSQL server for uploading files and issuing remote commands to an RTU using LightWork.

The security firm pointed out that CosmicEnergy is not capable of obtaining the information needed to carry out an attack on its own. The attacker needs to manually collect IP addresses and credentials. 

The CosmicEnergy sample analyzed by Mandiant was uploaded to a malware scanning service in December 2021 by someone from Russia.

In fact, Mandiant believes the malware may have been created by a contractor at Russian cybersecurity company Rostelecom-Solar as part of a red teaming tool for power disruption and emergency response exercises. Rostelecom-Solar received a subsidy from the Russian government in 2019 to begin training cybersecurity experts and conducting such exercises. The malware may have been used in exercises conducted in 2021 or 2022. 

“However, given the lack of conclusive evidence, we consider it also possible that a different actor – either with or without permission – reused code associated with the cyber range to develop this malware. Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like Temp.Veles’ use of Meterpreter during the Triton attack,” Mandiant noted.  

“There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan. These observations leave open the possibility that CosmicEnergy was developed with malicious intent, and at a minimum that it can be used to support targeted threat activity in the wild,” it added.

CosmicEnergy’s capabilities are reminiscent of Industroyer and Industroyer2, Russian malware used in the past to target Ukraine’s energy sector. Researchers have also found technical similarities to other OT malware families such as Triton and Incontroller, which were also designed to cause physical damage or disruption.  

Related: Moxa NPort Device Flaws Can Expose Critical Infrastructure to Disruptive Attacks

Related: Vulnerabilities in Eaton Product Can Allow Hackers to Disrupt Power Supply