Russian-linked malware designed to disrupt energy grids
For simulation or for real, we don't like the vibes from this CosmicEnergy
- Jul 27, 2015
Mandiant spotted the industrial-equipment malware after it was uploaded to VirusTotal, which is a little unusual — albeit a better way to discover a new software nasty compared to, say, waiting for a massive cyberattack that shuts down critical infrastructure. "We haven't seen any public targeting to date," Keith Lunden, Mandiant analysis manager at Google Cloud, told The Register. Yet, at least. The team say it's likely a contractor created the malware as a red-teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.
In 2019, the biz received a government subsidy to train security experts and conduct electric power disruption and emergency response exercises. The CosmicEnergy malware targets IEC 60870-5-104 (IEC-104) devices, including remote terminal units used in electrical transmission systems in Europe, the Middle East, and Asia. It shares capabilities with 2016's Industroyer, a particularly dangerous type of Russian malware that can directly control electricity substation switches and circuit breakers, as well as with its successor, Industroyer v2, which Ukrainian threat hunters discovered after Russia's invasion last year. Both of these variants have been deployed to impact certain electricity transmission and distribution systems, we're told.