Spotted: Suspected Russian malware designed to disrupt Euro, Asia energy grids

Updated Malware designed to disrupt electric power grids was likely developed by a Russian contractor, according to Mandiant's threat intel team that discovered the malicious software and dubbed it CosmicEnergy.

Mandiant spotted the industrial-equipment malware after it was uploaded to VirusTotal, which is a little unusual — albeit a better way to discover a new software nasty compared to, say, waiting for a massive cyberattack that shuts down critical infrastructure.

"We haven't seen any public targeting to date," Keith Lunden, Mandiant analysis manager at Google Cloud, told The Register. Yet, at least.

The team say it's likely a contractor created the malware as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.

In 2019, the biz received a government subsidy to train security experts and conduct electric power disruption and emergency response exercises.

The CosmicEnergy malware targets IEC 60870-5-104 (IEC-104) devices including remote terminal units used in electrical transmission systems in Europe, the Middle East, and Asia. 

And it shares capabilities with 2016's Industroyer, a particularly dangerous type of Russian malware that can directly control electricity substation switches and circuit breakers, as well as its successor, Industroyer v2, which Ukrainian threat hunters discovered after Russia's invasion last year.

Both of these variants have been deployed to impact certain electricity transmission and distribution systems, we're told.

"Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe CosmicEnergy poses a plausible threat to affected electric grid assets," the Mandiant researchers said in research published today. "OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of CosmicEnergy."

• Ukraine's cyber chief comes to Black Hat in surprise visit
• Ukraine fears 'massive' Russian cyberattacks on power, infrastructure
• Five Eyes and Microsoft accuse China of attacking US infrastructure again
• Russian IT guy sent to labor camp for DDoSing Kremlin websites

As IEC-104 is generally not used in the US, which more commonly uses Distributed Network Protocol 3 (DNP3), this malware variant doesn't pose a direct threat to American power grids and other industrial control systems, Lunden said. 

"But US defenders can still learn about the overall attack strategy," he added.

The malware has two components, which Mandiant calls PieHop and LightWork. PieHop, written in Python, is expected to run on a compromised host within a target's network. It connects to a MSSQL server and uploads files to that machine. It appears PieHop needs to be supplied the IP address and credentials of that database server; some homework therefore needs to be done by an attacker to make use of the tool.

Judging from Mandiant's findings, PieHop uploads LightWork to the server and runs it. LightWork, written in C++, does the actual work of sending on or off commands to connected industrial equipment via the IEC-104 protocol. LightWork's executable is deleted immediately after it's used by PieHop.

To pull off an attack, an intruder would need to infect a PC within a power supplier's network, find a Microsoft SQL Server on the network that has access to operational equipment, and obtain the login details for that box. PieHop is then run on the PC to upload LightWork to the server, which sends disruptive commands to connected industrial devices.

"The sample of PieHop we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities, but we believe these errors can be easily corrected," the researchers noted.

And while they say there's not "sufficient evidence" to determine the malware's origin or purpose, "we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets." ®

Updated to add on June 28

Interestingly enough, Dragos says it also analyzed the CosmicEnergy malware, and reckons it's not an immediate threat.