Security researchers have discovered new industrial control system malware, dubbed “CosmicEnergy,” which they say could be used to disrupt critical infrastructure systems and electric grids.
The malware was uncovered by researchers at Mandiant, who have likened CosmicEnergy’s capabilities to the destructive Industroyer malware that the Russian state-backed “Sandworm” hacking group used to cut power in Ukraine in 2016.
Unusually, Mandiant says it uncovered CosmicEnergy through threat hunting and not following a cyberattack on critical infrastructure. The malware was uploaded to VirusTotal, a Google-owned malware and virus scanner, in December 2021 by a submitter based in Russia, according to Mandiant. The cybersecurity company’s analysis shows that the malware may have been developed by Rostelecom-Solar, the cybersecurity arm of Russia’s national telecom operator Rostelecom, to support exercises such as the ones hosted in collaboration with the Russian Ministry of Energy in 2021.
“A contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar,” Mandiant said. “However, given the lack of conclusive evidence, we consider it also possible that a different actor — either with or without permission — reused code associated with the cyber range to develop this malware.”
Mandiant says that not only do hackers regularly adapt and make use of red team tools to facilitate real-world attacks, but its analysis of CosmicEnergy reveals that the malware’s functionality is also comparable to that of other malware variants targeting industrial control systems (ICS), such as Industroyer, thus posing a “plausible threat to affected electric grid assets.”
Mandiant tells ProWellTech that it has not observed any CosmicEnergy attacks in the wild and notes that the malware lacks discovery capabilities, which means hackers would need to perform some internal reconnaissance to obtain environment information, such as IP addresses and credentials, before launching an attack.
However, the researchers added that because the malware targets the IEC-104, a network protocol commonly used in industrial environments that was also targeted during the 2016 attack on Ukraine’s power grid, CosmicEnergy poses a real threat to organizations involved in electricity transmission and distribution.
“The discovery of new OT [operational technology] malware presents an immediate threat to affected organizations since these discoveries are rare and because the malware principally takes advantage of insecure by-design features of OT environments that are unlikely to be remedied any time soon,” Mandiant researchers warned.
Mandiant’s discovery of new ICS-oriented malware comes after Microsoft revealed this week that Chinese state-backed hackers had hacked into American critical infrastructure. According to the report, an espionage group that Microsoft refers to as “Volt Typhoon” has targeted the U.S. island territory of Guam and could be attempting to “disrupt critical communications infrastructure between the United States and Asia region during future crises.”
In light of the report, the U.S. government said it was working with its Five Eyes partners to identify potential breaches. Microsoft says the group has attempted to access organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.