COSMICENERGY: ‘Russian’ Threat to Power Grids ICS/OT

COSMIC ENERGYShouty name—dangerous game. Red-team tool ripe for misuse.

Researchers have discovered new malware that disrupts electricity grids. The sophisticated threat, dubbed COSMICENERGY, shares DNA with other nasties such as Industroyer, Incontroller and Triton.

And, yes, it appears to come from Russia. In today’s SB Blogwatch, we беспокоимся о будущем.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: /IMAGINE.

IEC 60870-5-104 ‘insecure by design’

What’s the craic? Let’s turn to Carly Page—“Russia-linked malware that could immobilize electric grids”:

Poses a real threat
Security researchers have discovered new industrial control system malware, dubbed “CosmicEnergy,” which they say could be used to disrupt critical infrastructure systems and electric grids. [They] likened [it] to the destructive Industroyer malware that the Russian state-backed “Sandworm” hacking group used to cut power in Ukraine in 2016.

The malware may have been developed by Rostelecom-Solar, the cybersecurity arm of Russia’s national telecom operator Rostelecom, to support exercises such as the ones hosted in collaboration with the Russian Ministry of Energy in 2021. … Because the malware targets the IEC-104, a network protocol commonly used in industrial environments that was also targeted during the 2016 attack on Ukraine’s power grid, CosmicEnergy poses a real threat to organizations involved in electricity transmission and distribution.

Exercises? Daryna Antoniuk has more—“New Russia-linked malware”:

Insecure by design
The researchers discovered a comment in the code linking it to a “Solar Polygon” project organized by Rostelecom, Russia’s largest telecom firm, to train cybersecurity specialists. Last year, the Russian government made a commitment to invest $24 million in the project. Its goal is to safeguard Russia’s banking, energy, and oil infrastructure against potential cyberattacks.

Industrial-focused malware typically exploits protocols that are insecure by design. … CosmicEnergy [also] shares technical similarities with … the Triton malware, which was used in a cyberattack on a Saudi Arabian petrochemical facility in 2017, [and] the Incontroller malware, which is created to manipulate and disrupt industrial processes.

Horse’s mouth? Ken Proska, Daniel Kapellmann Zafra, Keith Lunden, Corey Hildebrandt, Rushikesh Nandedkar and Nathan Brubaker tag team—“New OT Malware”:

Poses a plausible threat
Mandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY. … The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices [common] in electric transmission and distribution operations in Europe, the Middle East, and Asia.

Based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises. [But we] leave open the possibility that COSMICENERGY was developed with malicious intent. … Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to … electric grid assets.

Worried yet? Kiki 007 is disturbed:

This is disturbing. … It demonstrates that, while America is apparently not taking the threat of having our nation’s power grids hacked and/or disabled … Russia is clearly taking these threats to their own quite seriously: … They are red-teaming scenarios to that effect. … The bottom line Americans need to take away from this is that Russia is definitely into power-grid disability and hijacking, since they are developing technologies in those veins—and we better start taking that seriously.

I think you ought to know FerociousLabRetriever’s feeling very depressed:

There are days I feel like we’re getting dark glimpses into the future, and this is one of them. As relationships between the US-led democratic alliance … and the Chinese/Russia-led authoritarian alliance … deteriorate and reports of aggressive hacking campaigns into critical infrastructure increase, it seems like we’re escalating ever closer to seeing what true cyber warfare may end up looking like.

Some military analysts suspect we could even see a hot war around ’27 over Taiwan, and who only knows what role devastating cyberattacks would play in such an event. The hope for a positive US-China diplomatic reset in relations seems less likely each month.

Ahem. This Anonymous Coward cautions against the Russia-Russia-Russia drumbeat:

Russia … didn’t pioneer the “cyber attack on infrastructure” trick. The US ([Reagan] boobytrapped tech to sabotage gas pipelines) and the US plus Israel (Stuxnet) are just two examples.

It’s another case of insecure tech getting connected to the internet. povlhp sees the irony in the “OT” abbreviation:

OT has been short for Old Technology for a long time. Some call it Operational Technology, But it is a general term for the Old Things in the warehouse / automation process that drives hardware, and can never be patched for a lot of reasons (no servicewindows, the code is ****py so we don’t know if it will survive an update, many items use a 1988 C library and don’t have storage for a newer version, etc.)

And these things are meant to last for 20 years — and be cheap at the same time. OT networks should be isolated … but many fail to do this.

Meanwhile, COSMICENERGY is an odd moniker, amirite? Arthur the cat has a “new party game”:

Given a name, decide whether it’s an aging hippy selling crystals and cosmic woo, or a hostile state actor intending to trash your infrastructure.

And Finally:

The uncanny valley is strong in this one

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Hal Gatewood (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 590 posts and counting.See all posts by richi