CosmicEnergy OT malware linked to Russian emergency response exercises could cause power disruption

Threat intelligence company Mandiant detected novel OT/ICS-oriented malware, tracked as CosmicEnergy, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.

“CosmicEnergy’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT,” Mandiant researchers wrote in a Thursday blog post. “Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. CosmicEnergy accomplishes this via its two derivative components, which we track as PIEHOP and LIGHTWORK.”

PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU, while LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP.

The researchers said that CosmicEnergy lacks discovery capabilities, which implies that to successfully execute an attack the malware operator would need to perform some internal reconnaissance to obtain environment information, such as MSSQL server IP addresses, MSSQL credentials, and target IEC-104 device IP addresses. “The sample of LIGHTWORK we obtained includes eight hardcoded IEC-104 information object addresses (IOA), which typically correlate with input or output data elements on a device and may correspond to power line switches or circuit breakers in an RTU or relay configuration.” 

However, IOA mappings often differ between manufacturers, devices, and even environments, they added. “For this reason, the particular actions intended by the actor are unclear without further knowledge about the targeted assets.”
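The article describes LIGHTWORK issuing IEC-104 ON/OFF commands against hardcoded IOAs. The following is an added example, not code from the article or from Mandiant, showing how a defender might parse IEC-104 APDUs captured on the OT network and alert on control commands (single command C_SC_NA_1, type 45; double command C_DC_NA_1, type 46) that originate from a host other than the expected SCADA master. The allowlist address and the sample frames are constructed for illustration.

```python
import struct

# IEC-104 ASDU type identifiers for ON/OFF control commands (per IEC 60870-5-101/104).
C_SC_NA_1 = 45   # single command: SCO bit 0 = state (1 = ON), bit 7 = select/execute
C_DC_NA_1 = 46   # double command: DCO bits 0-1 = state (1 = OFF, 2 = ON), bit 7 = S/E
CONTROL_TYPES = {C_SC_NA_1: "C_SC_NA_1", C_DC_NA_1: "C_DC_NA_1"}

# Hypothetical allowlist: only the real SCADA master may issue control commands.
ALLOWED_MASTERS = {"10.0.1.10"}

def parse_apdu(raw: bytes):
    """Parse one IEC-104 APDU. Returns a dict for I-format control commands, else None."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if raw[1] + 2 != len(raw):
        raise ValueError("APDU length field does not match frame size")
    if raw[2] & 0x01:          # bit 0 of control field 1 set: S- or U-format, no ASDU
        return None
    asdu = raw[6:]
    type_id, vsq, cot = asdu[0], asdu[1], asdu[2] & 0x3F
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    if type_id not in CONTROL_TYPES:
        return None            # monitoring data, interrogation, etc. are not of interest here
    objects, pos = [], 6
    for _ in range(vsq & 0x7F):                       # low 7 bits = number of objects
        ioa = int.from_bytes(asdu[pos:pos + 3], "little")   # 3-byte information object address
        qualifier = asdu[pos + 3]
        if type_id == C_SC_NA_1:
            state = "ON" if qualifier & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
        objects.append({"ioa": ioa, "state": state, "select": bool(qualifier & 0x80)})
        pos += 4
    return {"type": CONTROL_TYPES[type_id], "cot": cot, "ca": common_addr, "objects": objects}

def check_flow(src_ip: str, raw: bytes) -> list:
    """Return alert strings for control commands sent by a non-allowlisted source."""
    cmd = parse_apdu(raw)
    if cmd is None or src_ip in ALLOWED_MASTERS:
        return []
    return [f"{src_ip} sent {cmd['type']} {o['state']} to IOA {o['ioa']} (CA {cmd['ca']}, COT {cmd['cot']})"
            for o in cmd["objects"]]

# Constructed sample frames (not captured traffic):
# I-format, C_SC_NA_1, COT 6 (activation), CA 1, IOA 100, SCO 0x01 = ON / execute.
SAMPLE_SC_ON = bytes([0x68, 0x0E, 0, 0, 0, 0, 0x2D, 0x01, 0x06, 0x00, 0x01, 0x00, 0x64, 0, 0, 0x01])
# I-format, C_DC_NA_1, COT 6, CA 1, IOA 200, DCO 0x01 = OFF / execute.
SAMPLE_DC_OFF = bytes([0x68, 0x0E, 0, 0, 0, 0, 0x2E, 0x01, 0x06, 0x00, 0x01, 0x00, 0xC8, 0, 0, 0x01])
# S-format supervisory frame: carries no ASDU.
SAMPLE_S_FRAME = bytes([0x68, 0x04, 0x01, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for src, frame in [("192.0.2.50", SAMPLE_SC_ON), ("10.0.1.10", SAMPLE_SC_ON), ("192.0.2.50", SAMPLE_DC_OFF)]:
        print(check_flow(src, frame) or f"{src}: no alert")
```

Because IOA-to-breaker mappings differ per site, the alert reports the raw IOA and common address so an operator can match them against the local RTU configuration.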

The researchers also outlined that although CosmicEnergy does not directly overlap with any previously observed malware families, its capabilities are comparable to those employed in previous incidents and malware. “The most significant similarities we identified are with INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution.” 

They added that CosmicEnergy also has notable technical similarities with other OT malware families that have been developed or packaged using Python or that have utilized open-source libraries for OT protocol implementation, including IRONGATE, TRITON, and INCONTROLLER.

Addressing these similarities, Mandiant highlighted trends that could manifest in future OT malware: abuse of insecure-by-design protocols, use of open source libraries for protocol implementation, and use of Python for malware development and/or packaging.

Mandiant said that what makes CosmicEnergy unique is that based on “our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104.”

The researchers said that the discovery of CosmicEnergy illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. “Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe CosmicEnergy poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of CosmicEnergy,” they added.

While CosmicEnergy’s capabilities are not significantly different from those of previous OT malware families, its discovery highlights several notable developments in the OT threat landscape, according to the Mandiant post. “First, the discovery of new OT malware presents an immediate threat to affected organizations, since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon. Second, as CosmicEnergy was potentially developed as part of a red team, this discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors.”

Lastly, Mandiant emphasized “that although the samples of CosmicEnergy we obtained are potentially red team related, threat actors regularly leverage contractors and red team tools in real world threat activity, including during OT attacks.” 

The researchers added that for these reasons “OT defenders and asset owners should take mitigating actions against CosmicEnergy to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware. Such knowledge can be useful when performing threat hunting exercises and deploying detections to identify malicious activity within OT environments.”

The Mandiant disclosure comes at a time when U.S. and international cybersecurity partners have released a joint Cybersecurity Advisory (CSA) highlighting malicious activity executed by a People’s Republic of China (PRC) state-sponsored hacking group known as Volt Typhoon. The agencies have so far revealed that private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and believe the group could apply the same techniques against these and other sectors worldwide.

Earlier this month, CISA and global partner organizations published a detailed technical advisory containing information that can be used to detect and prevent attacks involving the Snake malware, including a recent variant. The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB) for long-term intelligence collection on sensitive targets.
