New COSMICENERGY Malware Targets ICS Protocol to Compromise Power Grids


A new strain of malware built to intrude into and disrupt critical systems in industrial environments has been discovered. It was identified by Mandiant, the Google-owned threat intelligence firm, which named it COSMICENERGY. According to the available details, the malware was first uploaded to VirusTotal, a public malware scanning service, in December 2021 by a submitter in Russia. There is currently no evidence that it has been deployed in real-world attacks.

Designed to disrupt electrical power by interfacing with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), the malware is aimed at systems commonly employed in electric transmission and distribution operations across Europe, the Middle East, and Asia, as per Mandiant’s analysis.

The malware, COSMICENERGY, falls in line with other specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, notorious for their ability to compromise critical systems and induce chaos.

Mandiant shared insights hinting at the possibility that the malware was created by the Russian telecom company Rostelecom-Solar as part of its red teaming toolset, with the primary purpose of simulating power disruption in emergency response drills conducted in October 2021.

This raises the possibility that the malware was either created to replicate realistic attack scenarios against energy grid assets for defensive testing, or was used by another party reusing code associated with the cyber range.

The second possibility is not uncommon considering threat actors’ history of adapting and repurposing legitimate red team and post-exploitation tools for malevolent purposes.

Drawing a comparison, COSMICENERGY shares features with Industroyer, a malware attributed to the Sandworm group backed by the Kremlin, due to its capability to manipulate an industrial communication protocol, IEC-104, to control RTUs.

According to Mandiant, exploiting this access allows a potential attacker to transmit remote commands influencing the operation of power line switches and circuit breakers, resulting in power disruption.

This is carried out by two components, PIEHOP (written in Python) and LIGHTWORK (written in C++), disruption tools built to send IEC-104 commands to the connected industrial equipment.

The Industrial Control System (ICS) malware’s unique characteristic lies in its absence of intrusion and discovery capabilities, which implies that the operator is required to conduct an internal reconnaissance of the network to identify the targeted IEC-104 device IP addresses.

An attack would therefore require the threat actor to first compromise a computer on the network, locate a Microsoft SQL Server with access to the RTUs, and obtain its credentials.

The threat actor would then run PIEHOP on the infected machine to upload LIGHTWORK to the server, which proceeds to send disruptive remote commands to alter the units’ state (ON or OFF) over TCP. The executable is deleted promptly after instructions are issued.
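The disruption step above comes down to IEC-104 control-direction ASDUs (single and double commands) reaching an RTU from a host that is not the site's SCADA master. The following added example, which is not part of Mandiant's report or the malware itself, decodes IEC-104 I-format frames and flags command ASDUs from unauthorised sources; the IP addresses, the allow-list and the sample frames are constructed for illustration.

```python
import struct
from typing import Optional

# IEC 60870-5-104 ASDU type identifiers in the control direction: the message
# class COSMICENERGY is described as using to switch RTU outputs ON or OFF.
CONTROL_TYPE_IDS = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                    47: "C_RC_NA_1 regulating step", 58: "C_SC_TA_1 single command (time-tagged)",
                    59: "C_DC_TA_1 double command (time-tagged)"}
# Assumed site allow-list for this example: the only host permitted to issue commands.
AUTHORISED_MASTERS = {"10.0.1.5"}
IEC104_PORT = 2404

def parse_apdu(data: bytes) -> Optional[dict]:
    """Decode one IEC-104 I-format APDU into its ASDU header and first object.
    Returns None for S/U-format frames (which carry no ASDU) or malformed input."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:                      # control-field LSB set: S- or U-format
        return None
    asdu = data[6:]
    if len(asdu) < 10:                      # 6-byte header + 3-byte IOA + 1 element byte
        return None
    type_id, cot = asdu[0], asdu[2] & 0x3F  # COT low 6 bits; 6 = activation
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    elem = asdu[9]
    info = {"type_id": type_id, "cot": cot, "common_addr": common_addr, "ioa": ioa}
    if type_id in (45, 58):                 # SCO: bit0 = state, bit7 = select(1)/execute(0)
        info.update(state="ON" if elem & 1 else "OFF", select=bool(elem & 0x80))
    elif type_id in (46, 59):               # DCO: bits 0-1 are 1 = OFF, 2 = ON
        info.update(state={1: "OFF", 2: "ON"}.get(elem & 0x03, "INVALID"), select=bool(elem & 0x80))
    return info

def detect_rogue_commands(records):
    """records: iterable of (src_ip, dst_ip, dst_port, payload). Returns an alert for
    every control-direction ASDU whose source is not an authorised master."""
    alerts = []
    for src, dst, port, payload in records:
        info = parse_apdu(payload) if port == IEC104_PORT else None
        if info and info["type_id"] in CONTROL_TYPE_IDS and src not in AUTHORISED_MASTERS:
            alerts.append({"src": src, "rtu": dst, "name": CONTROL_TYPE_IDS[info["type_id"]], **info})
    return alerts

# Constructed sample traffic (not real captures): a station interrogation from the
# master, then a single command "ON, execute" for IOA 1 from an unexpected host.
SAMPLE = [
    ("10.0.1.5",  "10.0.2.20", 2404, bytes.fromhex("680e00000000 640106000100 000000 14")),
    ("10.0.3.77", "10.0.2.20", 2404, bytes.fromhex("680e00000000 2d0106000100 010000 01")),
]

if __name__ == "__main__":
    for a in detect_rogue_commands(SAMPLE):
        print(f"ALERT {a['src']} -> {a['rtu']}: {a['name']} IOA={a['ioa']} state={a.get('state')}")
```

In a real deployment the records would come from a network tap or IDS feed on the OT segment, and the allow-list would be the engineering-workstation and SCADA master addresses that are actually permitted to command the RTUs.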

Daniel Kapellmann Zafra, analysis manager at Google Cloud’s Mandiant Intelligence division, spoke to The Hacker News, highlighting the unusual occurrence of discovering an ICS malware family before its active deployment in real-world attacks.

Mandiant states that although COSMICENERGY’s capabilities don’t deviate significantly from prior Operational Technology (OT) malware families, its detection accentuates several notable developments in the OT threat landscape.

The identification of new OT malware poses an immediate risk to affected organizations, because such discoveries are infrequent and the malware mainly exploits insecure-by-design features of OT environments that are unlikely to be remedied promptly.

Drawing insights from COSMICENERGY, Kapellmann Zafra emphasizes that defenders should be acquainted with previous OT malware families, their capabilities, and their operational mechanisms.

This knowledge can aid defenders in maintaining threat hunting and detection programs that thoroughly investigate behaviors known to be suspicious in OT networks.