Russia-linked CosmicEnergy malware could disrupt energy grids

Its capabilities closely resemble those observed in malware such as Industroyer and Industroyer2

Researchers at cybersecurity firm Mandiant have uncovered a novel form of industrial control system malware, dubbed "CosmicEnergy," which could be used to disrupt critical infrastructure systems and electric grids.

According to the researchers, Rostelecom-Solar (formerly Solar Security) - the cybersecurity division of Russia's national telecommunications operator Rostelecom - could be behind the malware.

Mandiant detected the presence of the malware following an upload of a sample to the VirusTotal malware analysis platform in December 2021. Notably, the upload originated from an IP address associated with Russia.

Thorough examination of the malware sample has unveiled several notable characteristics concerning CosmicEnergy and its operational capabilities.

As per the researchers' findings, the CosmicEnergy's capabilities closely resemble those observed in malware such as Industroyer and Industroyer2. These particular malware variants have been associated by experts with Sandworm, a highly proficient hacking group affiliated with the Kremlin.

In December 2016, the Sandworm group utilised Industroyer to orchestrate a power outage in Kyiv, Ukraine, resulting in a substantial portion of the city being without electricity for approximately an hour.

This incident followed a previous attack that disrupted power for approximately 225,000 Ukrainians for six hours.

Industroyer2, which emerged last year, is believed to have been employed in a third assault on Ukraine's power grids. However, it was identified and thwarted before it could achieve its objectives.

These attacks serve as a clear demonstration of the susceptibility of electric power infrastructure and highlighted Russia's increasing proficiency in exploiting such vulnerabilities.

The newly discovered CosmicEnergy malware has been designed to target remote terminal units (RTUs) that adhere to the IEC-104 standard. These RTUs are widely utilised in electric transmission and distribution operations across Europe, the Middle East and Asia.

CosmicEnergy, similar to other malware strains targeting industrial control systems, is built using the Python programming language and utilises open-source libraries for implementing Operational Technology (OT) protocols.

CosmicEnergy infiltrates the targeted OT systems by exploiting compromised MSSQL servers, employing the Piehop disruption tool. Once on the victims' network, attackers can remotely manipulate the RTUs by issuing "ON" or "OFF" commands through the Lightwork tool, which operates on the IEC-104 protocol. This grants them control over the targeted RTUs and the corresponding operational functions.

"A contractor may have developed it as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar," Mandiant said.

"However, given the lack of conclusive evidence, we consider it also possible that a different actor — either with or without permission — reused code associated with the cyber range to develop this malware."

Microsoft's report in April 2022 highlighted the deployment of numerous malware families by Russian hacking groups following Russia's invasion of Ukraine. These attacks, aimed at Ukrainian targets, used previously unseen malware strains and were intended to cause significant damage. Critical infrastructure systems were a particular target.

So far, Mandiant has not encountered any instances of CosmicEnergy attacks being conducted in live environments. Nonetheless, the researchers emphasise that due to the malware's focus on IEC-104 targets, CosmicEnergy represents a real threat to organisations engaged in electricity transmission and distribution operations.

"The discovery of CosmicEnergy illustrates that the barriers to entry for developing offensive OT [operational technology] capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware," the researchers warned.

"Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe CosmicEnergy poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to pre-empt potential in the wild deployment of CosmicEnergy."