CosmicEnergy - Designed to disrupt Euro, Asia Energy grids

[upnorth]

Content source

https://www.theregister.com/2023/05/25/russian_energy_malware/

Mandiant spotted the industrial-equipment malware after it was uploaded to VirusTotal, which is a little usual — albeit a better way to discover a new software nasty compared to, say, waiting for a massive cyberattack that shuts down critical infrastructure. "We haven't seen any public targeting to date," Keith Lunden, Mandiant analysis manager at Google Cloud, told The Register. Yet, at least. The team say it's likely a contractor created the malware as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.

In 2019, the biz received a government subsidy to train security experts and conduct electric power disruption and emergency response exercises. The CosmicEnergy malware targets IEC 60870-5-104 (IEC-104) devices including remote terminal units used in electrical transmission systems in Europe, the Middle East, and Asia. And it shares capabilities with 2016's Industroyer, a particularly dangerous type of Russian malware that can directly control electricity substation switches and circuit breakers, as well as its successor, Industroyer v2, which Ukrainian threat hunters discovered after Russia's invasion last year. Both of these variants have been deployed to impact certain electricity transmission and distribution systems, we're told.

Russian-linked malware designed to disrupt energy grids

For simulation or for real, we don't like the vibes from this CosmicEnergy

www.theregister.com

 

[[correlate]]

Threat intelligence company Mandiant detected novel OT/ICS-oriented malware, tracked as CosmicEnergy, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.

“CosmicEnergy’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT,” Mandiant researchers wrote in a Thursday blog post. “Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. CosmicEnergy accomplishes this via its two derivative components, which we track as PIEHOP and LIGHTWORK.”

PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to a RTU, while LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP.

CosmicEnergy OT malware linked to Russian emergency response exercises could cause power disruption - Industrial Cyber

Mandiant reports CosmicEnergy OT malware linked to Russian emergency response exercises could cause power disruption.

industrialcyber.co