COSMICENERGY Malware Targets Industries

A recently discovered strain of malware is specifically designed to infiltrate and disrupt critical systems within industrial environments. Named COSMICENERGY by Mandiant, a threat intelligence firm owned by Google, the malware was detected on the VirusTotal public malware scanning service in December 2021, uploaded by an individual in Russia. Currently, there is no evidence of its deployment in the wild.

The primary objective of COSMICENERGY is to cause electric power disruptions by targeting IEC-104 devices, such as remote terminal units (RTUs), which are commonly used in electric transmission and distribution operations across Europe, the Middle East, and Asia. The malware joins a family of specialized malicious software, including Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, all capable of sabotaging critical systems and creating widespread chaos.

Mandiant notes possible connections suggesting that COSMICENERGY may have been developed as a red-teaming tool by the Russian telecommunications firm Rostelecom-Solar, intended to simulate power disruptions and evaluate emergency response procedures during exercises conducted in October 2021. This raises the possibility that the malware was either created to replicate realistic attack scenarios against energy grid assets for defense testing, or that its code was repurposed by another party associated with cyber range activities.

COSMICENERGY's Features and Capabilities

In terms of features and capabilities, COSMICENERGY exhibits similarities to Industroyer, which has been attributed to the Kremlin-backed Sandworm group. The malware uses the IEC-104 industrial communication protocol to issue commands to RTUs. With that access, an attacker can send remote commands that affect the actuation of power line switches and circuit breakers, leading to power disruptions. COSMICENERGY employs two components, PIEHOP and LIGHTWORK, written in Python and C++ respectively, to transmit the IEC-104 commands to the connected industrial equipment.

One notable aspect of this industrial control system (ICS) malware is its limited intrusion and discovery capabilities. This means that it relies on the operator to conduct internal reconnaissance of the network to identify the IP addresses of IEC-104 devices to target. To carry out an attack, a threat actor would need to infect a computer within the network, locate a Microsoft SQL Server with access to the RTUs, and obtain the necessary credentials. Subsequently, PIEHOP is executed on the compromised machine to upload LIGHTWORK to the server. LIGHTWORK then initiates disruptive remote commands to alter the state of the units (either ON or OFF) over TCP. The executable is promptly deleted after the instructions are issued.
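The two paragraphs above describe the malware speaking ordinary IEC-104 to RTUs, with the ON/OFF orders originating from a compromised host (the server that LIGHTWORK is uploaded to) rather than from a legitimate SCADA master. The example below is added here and is not Mandiant's code nor any part of COSMICENERGY: it is a minimal IEC 60870-5-104 APDU decoder plus a detection rule that flags control-command ASDUs (single and double commands with cause of transmission "activation") sent by any host not on an allowlist of approved masters. The sample frames, IP addresses and allowlist are all constructed for illustration; the ASDU type identifiers and field layouts are those defined by the IEC 60870-5-101/-104 standards.

```python
"""
Added example (not from the article or from Mandiant): decode IEC-104 APDUs and flag
process-control commands issued by hosts that are not approved SCADA masters.
All frames, addresses and the allowlist below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASDU type identifiers (IEC 60870-5-101/-104) that carry process control commands
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: the controlling station is issuing the order


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioa: int                 # information object address of the switch/breaker
    state: Optional[str]     # "ON"/"OFF" for single/double commands, else None


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Decode one IEC-104 APDU; return None for S/U-format frames or malformed input."""
    if len(frame) < 6 or frame[0] != 0x68:          # APCI start byte
        return None
    apdu_len = frame[1]                              # length of control field + ASDU
    if apdu_len < 4 or apdu_len + 2 != len(frame):
        return None
    if frame[2] & 0x01:                              # bit0 set: S- or U-format, no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 9:                                # type, VSQ, COT(2), CA(2), IOA(3)
        return None
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                             # low 6 bits; bit6 = P/N, bit7 = test
    common_address = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    state = None
    if type_id in (45, 58) and len(asdu) >= 10:      # SCO: bit0 = SCS (1 = ON)
        state = "ON" if asdu[9] & 0x01 else "OFF"
    elif type_id in (46, 59) and len(asdu) >= 10:    # DCO: bits0-1 = DCS (1 = OFF, 2 = ON)
        state = {1: "OFF", 2: "ON"}.get(asdu[9] & 0x03)
    return Asdu(type_id, cot, common_address, ioa, state)


Flow = Tuple[str, str, bytes]   # (source IP, destination IP, APDU payload)


def detect_unauthorized_control(flows: List[Flow], approved_masters: set) -> List[str]:
    """Alert on control-command activations whose source is not an approved master."""
    alerts = []
    for src, dst, frame in flows:
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if asdu.cot != COT_ACTIVATION or src in approved_masters:
            continue                # confirmations from RTUs, or legitimate HMI traffic
        alerts.append(f"{src} -> {dst}: {CONTROL_TYPES[asdu.type_id]} "
                      f"IOA {asdu.ioa} state {asdu.state}")
    return alerts


# Constructed sample traffic (hypothetical addresses: 10.0.1.10 = HMI, 10.0.3.1 = RTU,
# 10.0.2.50 = a database server that should never issue IEC-104 control commands)
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.1.10", "10.0.3.1", bytes.fromhex("680443000000")),                           # U-format TESTFR
    ("10.0.1.10", "10.0.3.1", bytes.fromhex("680e00000000640106000100000000" "14")),    # interrogation
    ("10.0.1.10", "10.0.3.1", bytes.fromhex("680e000000002d0106000100010000" "01")),    # HMI: IOA 1 ON
    ("10.0.3.1", "10.0.1.10", bytes.fromhex("680e000000002d0107000100010000" "01")),    # RTU: act-con
    ("10.0.2.50", "10.0.3.1", bytes.fromhex("680e000000002d0106000100010000" "01")),    # rogue: IOA 1 ON
    ("10.0.2.50", "10.0.3.1", bytes.fromhex("680e000000002e0106000100020000" "01")),    # rogue: IOA 2 OFF
]
APPROVED_MASTERS = {"10.0.1.10"}


def run_sample() -> List[str]:
    return detect_unauthorized_control(SAMPLE_FLOWS, APPROVED_MASTERS)


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

The rule deliberately ignores activation confirmations (COT 7) flowing back from the RTU and any traffic from the allowlisted HMI, so that only control orders from an unexpected source (here the database host, matching the intrusion path the article describes) produce alerts. In a real deployment the frames would come from a passive network tap on the IEC-104 port rather than an inline list.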

May 29, 2023