Cyber Security

New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids

May 26, 2023Ravie LakshmananICS/SCADA Security

A new strain of malicious software that’s engineered to penetrate and disrupt critical systems in industrial environments has been unearthed.

Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild.

“The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia,” the company said.

COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc.

Mandiant said that there are circumstantial links that it may have been developed as a red teaming tool by Russian telecom firm Rostelecom-Solar to simulate power disruption and emergency response exercises that were held in October 2021.

This raises the possibility that the malware was either developed to recreate realistic attack scenarios against energy grid assets to test defenses or another party reused code associated with the cyber range.

Power Grid Malware

The second alternative is not unheard of, especially in light of the fact that threat actors are known to adapt and repurpose legitimate red team and post-exploitation tools for malicious ends.

COSMICENERGY’s features are comparable to that of Industroyer – which has been attributed to the Kremlin-backed Sandworm group – owing to its ability to exploit an industrial communication protocol called IEC-104 to issue commands to RTUs.

“Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption,” Mandiant said.


Zero Trust + Deception: Learn How to Outsmart Attackers!

Discover how Deception can detect advanced threats, stop lateral movement, and enhance your Zero Trust strategy. Join our insightful webinar!

Save My Seat!

This is accomplished by means of two components called PIEHOP and LIGHTWORK, which are two disruption tools written in Python and C++, respectively, to transmit the IEC-104 commands to the connected industrial equipment.

Another notable aspect of the industrial control system (ICS) malware is the lack of intrusion and discovery capabilities, meaning it requires the operator to perform an internal reconnaissance of the network to determine the IEC-104 device IP addresses to be targeted.

To pull off an attack, a threat actor would therefore have to infect a computer within the network, find a Microsoft SQL Server that has access to the RTUs, and obtain its credentials.

PIEHOP is then run on the machine to upload LIGHTWORK to the server, which sends disruptive remote commands to modify the state of the units (ON or OFF) over TCP. It also immediately deletes the executable after issuing the instructions.

“While COSMICENERGY’s capabilities are not significantly different from previous OT malware families’, its discovery highlights several notable developments in the OT threat landscape,” Mandiant said.

“The discovery of new OT malware presents an immediate threat to affected organizations, since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Articles You May Like

iPadOS 17 Offers Support for External Studio Display Webcam, Microphone via USB Type-C Port
U.S.-China chip war could hurt South Korea’s tech giants — but not for long, Fitch says
Elon Musk’s Neuralink Worth $5 Billion Based on Private Stock Trades
Meta Previews AI Chatbots for WhatsApp and Messenger Along With AI Tools for Photos, Emoji Stickers
WWDC 2023 Keynote Today: How to Watch the Apple Event Livestream and What to Expect