Spotted: Suspected Russian malware designed to disrupt Euro, Asia energy grids

For simulation or for real, we don't like the vibes from this CosmicEnergy

Updated Malware designed to disrupt electric power grids was likely developed by a Russian contractor, according to Mandiant's threat intel team that discovered the malicious software and dubbed it CosmicEnergy.

Mandiant spotted the industrial-equipment malware after it was uploaded to VirusTotal, which is a little unusual — albeit a better way to discover a new software nasty compared to, say, waiting for a massive cyberattack that shuts down critical infrastructure.

"We haven't seen any public targeting to date," Keith Lunden, Mandiant analysis manager at Google Cloud, told The Register. Yet, at least.

The team say it's likely a contractor created the malware as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.

In 2019, the biz received a government subsidy to train security experts and conduct electric power disruption and emergency response exercises.

The CosmicEnergy malware targets IEC 60870-5-104 (IEC-104) devices including remote terminal units used in electrical transmission systems in Europe, the Middle East, and Asia. 

And it shares capabilities with 2016's Industroyer, a particularly dangerous type of Russian malware that can directly control electricity substation switches and circuit breakers, as well as its successor, Industroyer v2, which Ukrainian threat hunters discovered after Russia's invasion last year.

Both of these variants have been deployed to impact certain electricity transmission and distribution systems, we're told.

"Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe CosmicEnergy poses a plausible threat to affected electric grid assets," the Mandiant researchers said in research published today. "OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of CosmicEnergy."

As IEC-104 is generally not used in the US, which more commonly uses Distributed Network Protocol 3 (DNP3), this malware variant doesn't pose a direct threat to American power grids and other industrial control systems, Lunden said. 

"But US defenders can still learn about the overall attack strategy," he added.

The malware has two components, which Mandiant calls PieHop and LightWork. PieHop, written in Python, is expected to run on a compromised host within a target's network. It connects to an MSSQL server and uploads files to that machine. It appears PieHop needs to be supplied the IP address and credentials of that database server; some homework therefore needs to be done by an attacker to make use of the tool.

Judging from Mandiant's findings, PieHop uploads LightWork to the server and runs it. LightWork, written in C++, does the actual work of sending on or off commands to connected industrial equipment via the IEC-104 protocol. LightWork's executable is deleted immediately after it's used by PieHop.

To pull off an attack, an intruder would need to infect a PC within a power supplier's network, find a Microsoft SQL Server on the network that has access to operational equipment, and obtain the login details for that box. PieHop is then run on the PC to upload LightWork to the server, which sends disruptive commands to connected industrial devices.
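A defender-side check for the final step of that chain, added here as an example that is not part of the article or of Mandiant's research: it parses IEC-104 frames, picks out activation-phase on/off control commands, and flags any that come from a host outside an allowlist of known SCADA masters. Frame layout and type identifiers follow the public IEC 60870-5-104 standard; the IP addresses and sample frames are constructed, not captured traffic.

```python
import struct

# IEC 60870-5-104 type identifiers for control (on/off) commands,
# taken from the public standard, not from Mandiant's report.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: activation


def parse_apdu(data: bytes):
    """Parse one IEC-104 APDU; return ASDU fields for I-format frames, None for S/U-format."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        raise ValueError("malformed IEC-104 APDU")
    if data[2] & 0x01:  # bit 0 of the first control byte set: S- or U-format, no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 10:  # 6-byte ASDU header + 3-byte IOA + at least one element byte
        return None
    return {
        "type_id": asdu[0],
        "cot": asdu[2] & 0x3F,  # low 6 bits; bit 6 = P/N, bit 7 = test flag
        "common_addr": struct.unpack("<H", asdu[4:6])[0],
        "ioa": int.from_bytes(asdu[6:9], "little"),
        "element": asdu[9],  # SCO/DCO: bits 0-1 = state, bit 7 = select/execute
    }


def flag_unexpected_controls(frames, allowed_masters):
    """Alert on activation-phase control commands sent by hosts that are not known masters."""
    alerts = []
    for src_ip, payload in frames:
        info = parse_apdu(payload)
        if info is None or info["type_id"] not in CONTROL_TYPE_IDS:
            continue
        if info["cot"] == COT_ACTIVATION and src_ip not in allowed_masters:
            alerts.append((src_ip, CONTROL_TYPE_IDS[info["type_id"]], info["ioa"], info["element"] & 0x03))
    return alerts


# Constructed sample frames: a general interrogation, a single command "ON"
# to IOA 16 (execute, not select), and a TESTFR keep-alive U-frame.
INTERROGATION = bytes.fromhex("680e00000000" "640106000100" "000000" "14")
SINGLE_CMD_ON = bytes.fromhex("680e00000000" "2d0106000100" "100000" "01")
TESTFR_ACT = bytes.fromhex("680443000000")
SAMPLE_FRAMES = [
    ("10.0.0.5", INTERROGATION),  # known SCADA master
    ("10.0.0.5", SINGLE_CMD_ON),  # known master issuing a control: expected
    ("10.0.0.77", SINGLE_CMD_ON),  # unknown host issuing the same control: alert
    ("10.0.0.77", TESTFR_ACT),  # keep-alive, carries no ASDU
]

if __name__ == "__main__":
    print(flag_unexpected_controls(SAMPLE_FRAMES, {"10.0.0.5"}))
```

In a real deployment the allowlist would be the engineering workstations and SCADA masters that legitimately issue commands, so a control command from a database server or any other host stands out.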

"The sample of PieHop we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities, but we believe these errors can be easily corrected," the researchers noted.

And while they say there's not "sufficient evidence" to determine the malware's origin or purpose, "we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets." ®

Updated to add on June 28

Interestingly enough, Dragos says it also analyzed the CosmicEnergy malware, and reckons it's not an immediate threat.
