Security News CosmicEnergy - Designed to disrupt Euro, Asia Energy grids


Thread author
Staff Member
Malware Hunter
Jul 27, 2015
Mandiant spotted the industrial-equipment malware after it was uploaded to VirusTotal, which is a little usual — albeit a better way to discover a new software nasty compared to, say, waiting for a massive cyberattack that shuts down critical infrastructure. "We haven't seen any public targeting to date," Keith Lunden, Mandiant analysis manager at Google Cloud, told The Register. Yet, at least. The team say it's likely a contractor created the malware as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.

In 2019, the biz received a government subsidy to train security experts and conduct electric power disruption and emergency response exercises. The CosmicEnergy malware targets IEC 60870-5-104 (IEC-104) devices including remote terminal units used in electrical transmission systems in Europe, the Middle East, and Asia. And it shares capabilities with 2016's Industroyer, a particularly dangerous type of Russian malware that can directly control electricity substation switches and circuit breakers, as well as its successor, Industroyer v2, which Ukrainian threat hunters discovered after Russia's invasion last year. Both of these variants have been deployed to impact certain electricity transmission and distribution systems, we're told.


Level 17
Top Poster
May 4, 2019
Threat intelligence company Mandiant detected novel OT/ICS-oriented malware, tracked as CosmicEnergy, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.

“CosmicEnergy’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT,” Mandiant researchers wrote in a Thursday blog post. “Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. CosmicEnergy accomplishes this via its two derivative components, which we track as PIEHOP and LIGHTWORK.”

PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to a RTU, while LIGHTWORK is a disruption tool written in C++ that implements the IEC-104 protocol to modify the state of RTUs over TCP.
  • Like
Reactions: upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.