New Russian-linked malware designed to take down electricity networks has been identified by Mandiant threat researchers, who have urged energy firms to take action to mitigate this “immediate threat.”
The specialized operational technology (OT) malware, dubbed COSMICENERGY, has similarities to malware used in previous attacks targeting electricity grids, including the ‘Industroyer’ incident that took down power in Kiev, Ukraine in 2016.
COSMICENERGY is designed to disrupt electric power by interacting with IEC 60870-5-104 (IEC-104) standard devices, such as remote terminal units (RTUs). These devices are commonly used in electric transmission and distribution operations in Europe, the Middle East and Asia.
Similarly, in the 2016 Industroyer attack, believed to have been perpetrated by the Russian APT group Sandworm, the malware issued IEC-104 ON/OFF commands to interact with RTUs, and may have made use of an MSSQL server as a conduit system to reach the OT network.
This enabled the attackers to send remote commands that operated power line switches and circuit breakers, thereby causing power disruption.
Mandiant said that COSMICENERGY was uploaded to a public malware scanning utility by a submitter in Russia in December 2021. Interestingly, from its subsequent analysis, the firm believes Russian cybersecurity company Rostelecom-Solar or a contractor may have initially developed the malware for training purposes – to recreate real attack scenarios against energy grid assets.
Mandiant researchers said it is then possible that a threat actor, with or without permission, reused code associated with that training cyber range to develop this malware.
This sets COSMICENERGY apart from previous OT malware designed to take down energy grids: threat actors are reusing knowledge from earlier attacks to build new offensive tools, lowering the barrier to entry for attacks on OT systems.
This is particularly concerning “since we normally observe these types of capabilities limited to well resourced or state sponsored actors.”
Therefore, the researchers warned: “Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY.”
The team noted that COSMICENERGY lacks discovery capabilities, “which implies that to successfully execute an attack the malware operator would need to perform some internal reconnaissance to obtain environment information.”