Spotted: Suspected Russian malware designed to disrupt Euro, Asia energy grids

For simulation or for real, we don't like the vibes from this CosmicEnergy

Updated Malware designed to disrupt electric power grids was likely developed by a Russian contractor, according to Mandiant's threat intel team that discovered the malicious software and dubbed it CosmicEnergy.

Mandiant spotted the industrial-equipment malware after it was uploaded to VirusTotal, which is a little unusual — albeit a better way to discover a new software nasty compared to, say, waiting for a massive cyberattack that shuts down critical infrastructure.

"We haven't seen any public targeting to date," Keith Lunden, Mandiant analysis manager at Google Cloud, told The Register. Yet, at least.

The team say it's likely a contractor created the malware as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.

In 2019, the biz received a government subsidy to train security experts and conduct electric power disruption and emergency response exercises.

The CosmicEnergy malware targets IEC 60870-5-104 (IEC-104) devices including remote terminal units used in electrical transmission systems in Europe, the Middle East, and Asia. 

And it shares capabilities with 2016's Industroyer, a particularly dangerous type of Russian malware that can directly control electricity substation switches and circuit breakers, as well as its successor, Industroyer v2, which Ukrainian threat hunters discovered after Russia's invasion last year.

Both of these variants have been deployed to impact certain electricity transmission and distribution systems, we're told.

"Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe CosmicEnergy poses a plausible threat to affected electric grid assets," the Mandiant researchers said in research published today. "OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of CosmicEnergy."

As IEC-104 is generally not used in the US, which more commonly uses Distributed Network Protocol 3 (DNP3), this malware variant doesn't pose a direct threat to American power grids and other industrial control systems, Lunden said. 

"But US defenders can still learn about the overall attack strategy," he added.

The malware has two components, which Mandiant calls PieHop and LightWork. PieHop, written in Python, is expected to run on a compromised host within a target's network. It connects to an MSSQL server and uploads files to that machine. It appears PieHop needs to be supplied the IP address and credentials of that database server; some homework therefore needs to be done by an attacker to make use of the tool.

Judging from Mandiant's findings, PieHop uploads LightWork to the server and runs it. LightWork, written in C++, does the actual work of sending on or off commands to connected industrial equipment via the IEC-104 protocol. LightWork's executable is deleted immediately after it's used by PieHop.

To pull off an attack, an intruder would need to infect a PC within a power supplier's network, find a Microsoft SQL Server on the network that has access to operational equipment, and obtain the login details for that box. PieHop is then run on the PC to upload LightWork to the server, which sends disruptive commands to connected industrial devices.
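Because the final stage of the chain described above is IEC-104 on/off commands arriving at field devices from a host that is not a normal SCADA master, one defensive check is to decode IEC-104 frames on the OT network and alert on control commands (type 45 single command, type 46 double command) whose source is not an allowlisted master. The following is an added example, not Mandiant's code or anything from the CosmicEnergy sample; the IP addresses and frames are constructed test data.

```python
import struct
from dataclasses import dataclass
C_SC_NA_1, C_DC_NA_1 = 45, 46  # IEC-104 single / double command type identifiers

@dataclass
class ControlCommand:
    src: str           # sender IP taken from the capture, not from the frame
    type_id: int
    cot: int           # cause of transmission (6 = activation)
    common_addr: int
    ioa: int           # information object address
    state: str         # "ON" / "OFF" / "INVALID"
    select: bool       # True = select, False = execute (S/E bit of the qualifier)

def parse_control_command(src, apdu):
    """Decode one IEC-104 APDU; return a ControlCommand for type 45/46, else None."""
    # APCI: start byte 0x68, length of what follows, four control-field bytes
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:  # S- or U-format frame carries no ASDU
        return None
    asdu = apdu[6:]     # type, VSQ, COT(2), CA(2), IOA(3), command qualifier(1)
    if len(asdu) < 10 or asdu[0] not in (C_SC_NA_1, C_DC_NA_1):
        return None
    type_id, cot = asdu[0], asdu[2] & 0x3F
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | asdu[7] << 8 | asdu[8] << 16
    qualifier = asdu[9]
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    return ControlCommand(src, type_id, cot, common_addr, ioa, state, bool(qualifier & 0x80))

def find_rogue_commands(packets, allowed_masters):
    """Return control commands whose sender is not a known SCADA master."""
    alerts = []
    for src, apdu in packets:
        cmd = parse_control_command(src, apdu)
        if cmd is not None and src not in allowed_masters:
            alerts.append(cmd)
    return alerts

# Constructed sample traffic (not from any real capture): (source IP, raw APDU)
SAMPLE_PACKETS = [
    ("10.1.0.5",  bytes.fromhex("680e000000002d0106000100e9030001")),  # HMI: single cmd ON, IOA 1001
    ("10.1.2.20", bytes.fromhex("680e020000002e0106000100d2070001")),  # DB host: double cmd OFF, IOA 2002
    ("10.1.2.20", bytes.fromhex("680401000200")),                      # S-format ack, no ASDU
]
ALLOWED_MASTERS = {"10.1.0.5"}
```

Run against a live tap, the same logic would flag a database server issuing breaker commands, which is exactly the LightWork behaviour Mandiant describes.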

"The sample of PieHop we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities, but we believe these errors can be easily corrected," the researchers noted.

And while they say there's not "sufficient evidence" to determine the malware's origin or purpose, "we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets." ®

Updated to add on June 28

Interestingly enough, Dragos says it also analyzed the CosmicEnergy malware, and reckons it's not an immediate threat.
