
New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids

Mandiant has analyzed a new Russia-linked ICS malware named CosmicEnergy that is designed to cause electric power disruption.

Mandiant discovers Industroyer-like OT malware 

Mandiant on Thursday detailed a new piece of malware that appears to be linked to Russia and is designed to target industrial control systems (ICS), specifically in an effort to cause electric grid disruption. 

Named CosmicEnergy, the latest malware family targeting operational technology (OT) is designed to interact with IEC 60870-5-104 (IEC-104) devices, sending remote commands to tamper with the actuation of power line switches and circuit breakers in an effort to cause power disruption. Mandiant believes it “poses a plausible threat to affected electric grid assets”.

IEC 60870-5-104 (IEC-104) is a standard for telecontrol in electric power systems: it carries the IEC 60870-5-101 application layer over TCP/IP, normally on port 2404, and the base protocol has no authentication, so any host that can reach an RTU on that port can issue commands the device will accept as valid. CosmicEnergy uses it to interact with remote terminal units (RTUs), specifically models commonly used in electric transmission and distribution in Europe, the Middle East and Asia.

The malware has two main components. LightWork, written in C++, implements the IEC-104 protocol: it crafts configurable IEC-104 Application Service Data Units (ASDUs) that set the state of target information object addresses (IOAs) on an RTU to ON or OFF over TCP. PieHop, written in Python and packaged with PyInstaller, connects to a specified remote MSSQL server to upload files and issue remote commands to an RTU, invoking LightWork to send the actual IEC-104 ON/OFF commands.

Mandiant pointed out that CosmicEnergy has no discovery capability of its own: the operator must separately obtain the IP addresses of the MSSQL server and of the target IEC-104 devices, the MSSQL credentials, and the RTU addressing (common address and information object addresses) before the tool can send a meaningful command. For defenders, that reconnaissance and the intermediate MSSQL connection both happen before any breaker is toggled, which is where monitoring has a chance to catch this kind of tool.
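To make the IEC-104 mechanics concrete, here is an added example in Python, not code from CosmicEnergy, Mandiant or the article: it builds the kind of single-command ASDU LightWork sends, parses it back, and runs a simple detection rule over constructed flow records, flagging any control-direction command delivered to port 2404 by a host that is not an allowlisted SCADA master. The frame layout follows the IEC 60870-5-104 standard; the IP addresses, the allowlist and the sample flows are constructed for illustration.

```python
"""Added example: build, parse and detect IEC 60870-5-104 control commands.
Not CosmicEnergy or Mandiant code; frame layout follows the IEC-104 standard,
all addresses and sample traffic are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

IEC104_START = 0x68     # every APDU begins with this byte
IEC104_PORT = 2404      # default TCP port for IEC-104
TYPE_C_SC_NA_1 = 45     # single command: ON/OFF for one switching object
TYPE_C_DC_NA_1 = 46     # double command: OFF=1 / ON=2
COT_ACTIVATION = 6      # cause of transmission "activation"
# Type IDs for process information in the control direction (45-51, 58-64):
# the ASDUs that change plant state rather than just read it.
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))


@dataclass
class Iec104Command:
    type_id: int
    cot: int
    common_address: int
    ioa: int
    state: Optional[bool]   # True = ON, False = OFF, None = other control type
    select: bool            # select-before-execute bit set


def build_single_command(common_address: int, ioa: int, on: bool,
                         send_seq: int = 0, recv_seq: int = 0, select: bool = False) -> bytes:
    """I-format APDU carrying one C_SC_NA_1 single command (what LightWork emits)."""
    sco = (1 if on else 0) | (0x80 if select else 0)         # single command qualifier
    asdu = (bytes([TYPE_C_SC_NA_1, 0x01])                    # type ID; VSQ: one object, SQ=0
            + struct.pack("<H", COT_ACTIVATION)              # COT, originator address 0
            + struct.pack("<H", common_address)              # common address of ASDU
            + ioa.to_bytes(3, "little")                      # information object address
            + bytes([sco]))
    control = struct.pack("<HH", send_seq << 1, recv_seq << 1)  # I-format: bit0 of octet 1 is 0
    return bytes([IEC104_START, len(control) + len(asdu)]) + control + asdu


def parse_apdu(data: bytes) -> Optional[Iec104Command]:
    """Return the control command in an I-format APDU; None for S/U frames and for
    monitoring-direction ASDUs. Raises ValueError on malformed frames."""
    if len(data) < 6 or data[0] != IEC104_START:
        raise ValueError("not an IEC-104 APDU")
    if data[1] + 2 != len(data):
        raise ValueError("APCI length field does not match frame size")
    if data[2] & 0x01:                 # S-format or U-format: no ASDU to inspect
        return None
    asdu = data[6:]
    if len(asdu) < 10:
        raise ValueError("ASDU too short for a command")
    type_id = asdu[0]
    if type_id not in CONTROL_TYPE_IDS:
        return None
    cot = struct.unpack("<H", asdu[2:4])[0] & 0x3F   # drop test and P/N bits
    common_address = struct.unpack("<H", asdu[4:6])[0]
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]
    if type_id == TYPE_C_SC_NA_1:
        state = bool(qualifier & 0x01)
    elif type_id == TYPE_C_DC_NA_1:
        state = (qualifier & 0x03) == 2
    else:
        state = None
    return Iec104Command(type_id, cot, common_address, ioa, state, bool(qualifier & 0x80))


def detect_rogue_commands(flows: Iterable[tuple], allowed_masters: set) -> list:
    """Flag control-direction commands sent to port 2404 by hosts outside the allowlist.
    flows: (src_ip, dst_ip, dst_port, payload) records, e.g. reassembled from a capture."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != IEC104_PORT:
            continue
        try:
            cmd = parse_apdu(payload)
        except ValueError:
            continue                   # not IEC-104 after all; out of scope here
        if cmd is None or src in allowed_masters:
            continue
        action = {True: "ON", False: "OFF", None: "?"}[cmd.state]
        alerts.append(f"{src} -> {dst}: type {cmd.type_id} IOA {cmd.ioa} {action} "
                      f"(CA {cmd.common_address}, COT {cmd.cot}) from non-allowlisted master")
    return alerts


# Constructed sample traffic: legitimate master, a rogue host's S-format ack, a rogue command.
ALLOWED_MASTERS = {"10.0.1.10"}
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.50", IEC104_PORT, build_single_command(1, 1000, True)),
    ("10.0.5.23", "10.0.2.50", IEC104_PORT, bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])),
    ("10.0.5.23", "10.0.2.50", IEC104_PORT, build_single_command(1, 1000, False)),
]

if __name__ == "__main__":
    for line in detect_rogue_commands(SAMPLE_FLOWS, ALLOWED_MASTERS):
        print("ALERT", line)
```

The allowlist rule is deliberately simple: because IEC-104 itself offers no way to tell a legitimate master from an intruder, source identity and the select/execute pattern are the only signals left on the wire, so a practical deployment would also baseline which IOAs each master normally writes and alert on new ones.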

The CosmicEnergy sample analyzed by Mandiant was uploaded to a public malware scanning service in December 2021 by a submitter located in Russia.

In fact, Mandiant believes the malware may have been created by a contractor at Russian cybersecurity company Rostelecom-Solar as part of a red teaming tool for power disruption and emergency response exercises. Rostelecom-Solar received a subsidy from the Russian government in 2019 to begin training cybersecurity experts and conducting such exercises. The malware may have been used in exercises conducted in 2021 or 2022. 

“However, given the lack of conclusive evidence, we consider it also possible that a different actor – either with or without permission – reused code associated with the cyber range to develop this malware. Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like Temp.Veles’ use of Meterpreter during the Triton attack,” Mandiant noted.  

“There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan. These observations leave open the possibility that CosmicEnergy was developed with malicious intent, and at a minimum that it can be used to support targeted threat activity in the wild,” it added.

CosmicEnergy’s capabilities are reminiscent of Industroyer and Industroyer2, Russian malware used in the past to target Ukraine’s energy sector. Researchers have also found technical similarities to other OT malware families such as Triton and Incontroller, which were also designed to cause physical damage or disruption.  

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
