SecurityWeek | ICS/OT

New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids

Mandiant has analyzed a new Russia-linked ICS malware named CosmicEnergy that is designed to cause electric power disruption.


Mandiant discovers Industroyer-like OT malware 

Mandiant on Thursday detailed a new piece of malware that appears to be linked to Russia and is designed to target industrial control systems (ICS), specifically in an effort to cause electric grid disruption. 

Named CosmicEnergy, the latest malware family targeting operational technology (OT) is designed to interact with IEC 60870-5-104 (IEC-104) devices, sending remote commands that tamper with the actuation of power line switches and circuit breakers. Mandiant believes it “poses a plausible threat to affected electric grid assets”.

IEC 60870-5-104 is a telecontrol protocol for electric power systems; it carries the IEC 60870-5-101 application layer over TCP/IP. CosmicEnergy uses it to interact with remote terminal units (RTUs), specifically models that are commonly used in electric transmission and distribution in Europe, the Middle East and Asia. 

The malware has two main components: LightWork, a C++ tool that implements the IEC-104 protocol to set an RTU's state to on or off over TCP, and PieHop, a Python tool that connects to a specified remote MSSQL server to upload files and issue remote commands to an RTU using LightWork.
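To make the protocol-level behaviour concrete, the following added example (written for this page; it is not Mandiant's analysis code and not CosmicEnergy's code) builds the IEC-104 APDU a client such as LightWork would send to issue a single command (type 45, C_SC_NA_1) with cause ACTIVATION, parses it back, and applies a simple detection rule: any control-type ASDU activated from a host that is not an authorized SCADA master is flagged. The wire layout follows the published IEC 60870-5-104 standard; the master allowlist, IP addresses and sample frames are constructed for the example.

```python
"""IEC 60870-5-104 APDU builder/parser with a detection hook for control commands.

Added example for illustration: not Mandiant's and not CosmicEnergy's code.
Frame layout follows IEC 60870-5-104; addresses and sample frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Standard ASDU type identifiers. The first four change process state and are the
# ones a tool like LightWork would use to toggle a breaker; 100 is read-only.
C_SC_NA_1 = 45   # single command (ON/OFF)
C_DC_NA_1 = 46   # double command (explicit ON/OFF)
C_SC_TA_1 = 58   # single command with CP56Time2a time tag
C_DC_TA_1 = 59   # double command with time tag
C_IC_NA_1 = 100  # general interrogation
CONTROL_TYPES = {C_SC_NA_1, C_DC_NA_1, C_SC_TA_1, C_DC_TA_1}
COT_ACTIVATION = 6  # cause of transmission: activation (sent by the initiator)


@dataclass
class Asdu:
    type_id: int
    cot: int
    originator: int
    common_addr: int
    ioa: int
    command_state: Optional[int]  # SCS: 1=ON 0=OFF; DCS: 2=ON 1=OFF; None if not a command
    select: bool                  # S/E bit: True=select, False=execute


def build_single_command(common_addr: int, ioa: int, on: bool,
                         select: bool = False, originator: int = 0) -> bytes:
    """Build an I-format APDU carrying C_SC_NA_1 with cause ACTIVATION.
    Sequence numbers N(S)/N(R) are fixed at 0 here; a live client tracks them."""
    sco = (1 if on else 0) | (0x80 if select else 0)  # SCS in bit 0, S/E in bit 7
    asdu = struct.pack("<BBBBH", C_SC_NA_1, 0x01, COT_ACTIVATION, originator, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([sco])   # one information object
    ctrl = struct.pack("<HH", 0 << 1, 0 << 1)           # I-format: LSB of byte 1 is 0
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Return the ASDU of an I-format APDU, None for S/U-format frames (no ASDU).
    Raises ValueError on malformed input. Handles the common SQ=0, single-object case."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU")
    apdu_len = frame[1]
    if apdu_len < 4 or apdu_len != len(frame) - 2:
        raise ValueError("bad APDU length")
    if frame[2] & 0x01:                 # S-format (..01) or U-format (..11)
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id, vsq, cot_byte, originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    if vsq & 0x80 or (vsq & 0x7F) != 1:
        raise ValueError("only SQ=0 single-object ASDUs handled here")
    body = asdu[6:]
    if len(body) < 4:
        raise ValueError("truncated information object")
    ioa = int.from_bytes(body[:3], "little")
    elem = body[3]
    state, select = None, False
    if type_id in (C_SC_NA_1, C_SC_TA_1):
        state, select = elem & 0x01, bool(elem & 0x80)
    elif type_id in (C_DC_NA_1, C_DC_TA_1):
        state, select = elem & 0x03, bool(elem & 0x80)
    return Asdu(type_id, cot_byte & 0x3F, originator, common_addr, ioa, state, select)


def inspect(frame: bytes, src_ip: str, authorized_masters: Set[str]) -> Optional[str]:
    """Alert when a control command with cause ACTIVATION comes from a host that is not
    an authorized master. Interrogations, monitoring data and RTU replies are ignored."""
    asdu = parse_apdu(frame)
    if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
        return None
    if src_ip in authorized_masters:
        return None
    verb = "SELECT" if asdu.select else "EXECUTE"
    return (f"unauthorized IEC-104 control: type={asdu.type_id} {verb} "
            f"state={asdu.command_state} CASDU={asdu.common_addr} IOA={asdu.ioa} from {src_ip}")


# Constructed sample traffic: one legitimate master, one unexpected host.
AUTHORIZED_MASTERS = {"10.0.5.10"}
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    ("10.0.5.10", build_single_command(1, 1000, on=False)),        # SCADA master, breaker OFF
    ("10.0.9.77", build_single_command(1, 1000, on=True)),         # unknown host, breaker ON
    ("10.0.9.77", bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])),    # U-format STARTDT act
]


def run_detection() -> List[str]:
    """Run inspect() over the sample frames and return the alerts raised."""
    return [a for ip, f in SAMPLE_FRAMES if (a := inspect(f, ip, AUTHORIZED_MASTERS))]


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The rule keys on cause of transmission as well as type ID: activation confirmations and terminations carry the same type IDs but originate from the RTU, so alerting on them would only duplicate the initiator alert. In a real deployment the allowlist would come from the network's asset inventory, and the parser would be extended to handle SQ=1 and multi-object ASDUs before being trusted on production traffic.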

The security firm pointed out that CosmicEnergy is not capable of obtaining the information needed to carry out an attack on its own. The attacker needs to manually collect IP addresses and credentials. 

The CosmicEnergy sample analyzed by Mandiant was uploaded to a public malware scanning service in December 2021 by a submitter in Russia.

Mandiant believes the malware may have been created by a contractor at Russian cybersecurity company Rostelecom-Solar as a red teaming tool for power disruption and emergency response exercises. Rostelecom-Solar received a subsidy from the Russian government in 2019 to begin training cybersecurity experts and conducting such exercises, and the malware may have been used in exercises held in 2021 or 2022. 


“However, given the lack of conclusive evidence, we consider it also possible that a different actor – either with or without permission – reused code associated with the cyber range to develop this malware. Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like Temp.Veles’ use of Meterpreter during the Triton attack,” Mandiant noted.  

“There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan. These observations leave open the possibility that CosmicEnergy was developed with malicious intent, and at a minimum that it can be used to support targeted threat activity in the wild,” it added.

CosmicEnergy’s capabilities are reminiscent of Industroyer and Industroyer2, Russian malware used in the past to target Ukraine’s energy sector. Researchers have also found technical similarities to other OT malware families such as Triton and Incontroller, which were also designed to cause physical damage or disruption.  

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
