A new malware named COSMICENERGY has been discovered to penetrate and disrupts systems used in critical industrial environments, such as power grids. The malware was uploaded to VirusTotal in December 2021 by an individual in Russia.
Diving in details
According to Mandiant, COSMICENERGY is thought to be a red-teaming tool, created by a Russian telecom company to simulate emergency response exercises held in October 2021.
The malware causes electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as RTUs, used in electric transmission/distribution tasks in the Middle East, Europe, and Asia.
However, such attacks lack intrusion and discovery features and require the operator to perform an internal reconnaissance of the network to find the IEC-104 device IP addresses.
How does the attack work?
To perform an attack, a threat actor has to first infect a computer inside the targeted network, then find a Microsoft SQL Server having access to the RTUs and get its credentials.
This is followed by an infection involving two components, PIEHOP and LIGHTWORK, two disruption tools written in Python and C++, to transmit the IEC-104 commands to linked industrial equipment.
By having this access, a threat group can send remote commands for making changes to the actuation of power circuit breakers and line switches that result in power disruption.
Similarities with Sandworm
COSMICENERGY has comparable features with Industroyer (linked to the Sandworm group) including an ability to abuse an industrial communication protocol (IEC-104) to issue commands to RTUs.
Conclusion
The discovery of COSMICENERGY presents an immediate security threat to organizations using similar products. In such cases, malware takes advantage of insecure design features of OT environments which usually take time to be mitigated or get fixed. However, first-hand knowledge about such threats may help security teams to mitigate better. Advanced threat intelligence platforms can detect and analyze threats faster, and automate your threat intel workflows for improved security operations.