Mandiant discovers Industroyer-like OT malware
Mandiant on Thursday detailed a new piece of malware that appears to be linked to Russia and is designed to target industrial control systems (ICS), specifically in an effort to cause electric grid disruption.
Named CosmicEnergy, the latest malware family targeting operational technology (OT) is designed to interact with IEC 60870-5-104 (IEC-104) devices, sending remote commands to tamper with the actuation of power line switches and circuit breakers in an effort to cause power disruption. Mandiant believes it “poses a plausible threat to affected electric grid assets”.
IEC 60870-5-104 is a protocol for telecommunication functions for electric power systems. In the case of CosmicEnergy, it can interact with remote terminal units (RTUs), specifically ones that are commonly used in electric transmission and distribution in regions such as Europe, the Middle East and other parts of Asia.
The malware has two main components: LightWork, which implements the IEC-104 protocol to modify the RTU state to on/off, and PieHop, which connects to a specified remote MSSQL server for uploading files and issuing remote commands to an RTU using LightWork.
The security firm pointed out that CosmicEnergy is not capable of obtaining the information needed to carry out an attack on its own. The attacker needs to manually collect IP addresses and credentials.
The CosmicEnergy sample analyzed by Mandiant was uploaded to a malware scanning service in December 2021 by someone from Russia.
In fact, Mandiant believes the malware may have been created by a contractor at Russian cybersecurity company Rostelecom-Solar as part of a red teaming tool for power disruption and emergency response exercises. Rostelecom-Solar received a subsidy from the Russian government in 2019 to begin training cybersecurity experts and conducting such exercises. The malware may have been used in exercises conducted in 2021 or 2022.
“However, given the lack of conclusive evidence, we consider it also possible that a different actor – either with or without permission – reused code associated with the cyber range to develop this malware. Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like Temp.Veles’ use of Meterpreter during the Triton attack,” Mandiant noted.
“There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan. These observations leave open the possibility that CosmicEnergy was developed with malicious intent, and at a minimum that it can be used to support targeted threat activity in the wild,” it added.
CosmicEnergy’s capabilities are reminiscent of Industroyer and Industroyer2, Russian malware used in the past to target Ukraine’s energy sector. Researchers have also found technical similarities to other OT malware families such as Triton and Incontroller, which were also designed to cause physical damage or disruption.
Related: Moxa NPort Device Flaws Can Expose Critical Infrastructure to Disruptive Attacks
Related: Vulnerabilities in Eaton Product Can Allow Hackers to Disrupt Power Supply

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
