COSMICENERGY Malware May be Artifact of Russian Emergency Response Exercises

Malware intended to disrupt electric power via remote terminal units (RTUs) and other IEC 104 devices may be related to Russian emergency response exercises.

The new operational technology (OT)/industrial control system (ICS) malware, dubbed COSMICENERGY by the Mandiant researchers who discovered it, was uploaded to a public malware scanning utility in December 2021.

“COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed,” the researchers said in a blog post. They noted that COSMICENERGY is unique because “a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cybersecurity company.”

Mandiant’s analysis showed that the malware’s “capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104.”

The researchers also believed its discovery showed that “the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware.”

Since the bad actors “use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets,” the researchers wrote, warning OT asset owners that leverage IEC-104 compliant devices to “take action to preempt potential in the wild deployment of COSMICENERGY.”

Mandiant compared COSMICENERGY to the 2016 INDUSTROYER incident, where IEC-104 ON/OFF commands interacted with RTUs and an MSSQL server may have been used as a conduit for accessing OT. The researchers said that access could be leveraged by the novel malware to “send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this via its two derivative components,” which Mandiant tracks as PIEHOP and LIGHTWORK.

PIEHOP, “a disruption tool written in Python and packaged with PyInstaller,” can connect “to files and issue remote commands to an RTU. PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands ‘ON’ or ‘OFF’ to the remote system and then immediately deletes the executable after issuing the command,” they noted. While the sample of PIEHOP obtained by Mandiant is riddled with “programming logic errors that prevent it from successfully performing its IEC-104 control capabilities,” they think those errors are easily correctible.

LIGHTWORK, another disruption tool key to the new malware written in C++, “implements the IEC-104 protocol to modify the state of RTUs over TCP,” Mandiant said. “It crafts configurable IEC-104 Application Service Data Unit (ASDU) messages to change the state of RTU Information Object Addresses (IOAs) to ON or OFF. LIGHTWORK utilizes positional command line arguments for target device, port, and IEC-104 command.”

The malware operator likely has to perform internal reconnaissance to get environmental information, like MSSQL server IP addresses and credentials, because COSMICENERGY doesn’t have discovery capabilities. “The sample of LIGHTWORK we obtained includes eight hardcoded IEC-104 information object addresses (IOA), which typically correlate with input or output data elements on a device and may correspond to power line switches or circuit breakers in an RTU or relay configuration,” the researchers wrote.

But because IOA mappings can differ between manufacturers, devices and even environments, “the particular actions intended by the actor are unclear without further knowledge about the targeted assets,” Mandiant said.

“Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets,” they wrote. “It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St.Petersburg’s International Economic Forum (SPIEF).”

Absent conclusive evidence, though, the Mandiant researchers also considered the possibility that “a different actor—either with or without permission—reused code associated with the cyber range to develop this malware.”

Jan Miller, CTO of threat analysis at OPSWAT, said that “while concerning, COSMICENERGY lacks intrusion and discovery capabilities, meaning it requires the operator to perform an internal reconnaissance of the network to determine the IEC-104 device IP addresses to be targeted.”

He noted that INDUSTROYER “has a more sophisticated modular architecture that includes components for scanning, reconnaissance, command execution and wiping.”

But as concern grows over “state-sponsored cyberattacks and their potential impact on energy grids, it is crucial for OT defenders and asset owners to take proactive measures to mitigate the effects of OT-specific malware,” Miller said.

To address this pressing issue, he recommended organizations implement best practices such as:

  • Monitor network traffic for IEC-104 protocol activity and anomalous commands and perform malware analysis on all inbound active content.
  • Restrict access to MS-SQL servers with access to RTUs and enforce strong authentication and encryption mechanisms.
  • Segment OT networks from IT networks and limit the exposure of IEC-104 devices to the internet.
  • Update OT devices with the latest security patches and firmware.
  • Implement backup and recovery plans in case of power disruption incidents.
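The LIGHTWORK description above (IEC-104 ASDUs that set an IOA to ON or OFF) and the first recommendation (monitor IEC-104 traffic for anomalous commands) describe the same wire format from two sides. The following is an added example, not code from Mandiant, OPSWAT or the malware: a minimal IEC 60870-5-104 decoder that pulls single/double ON/OFF commands out of TCP payloads and alerts when an activation command comes from a host that is not a known master. The host addresses, IOAs and frames are constructed for illustration.

```python
import struct
# Added example, not code from Mandiant or from the malware: a minimal IEC 60870-5-104 decoder
# that surfaces control-direction ASDUs (single/double ON/OFF commands), so a defender can
# baseline which hosts legitimately command which IOAs and alert on everything else.
C_SC_NA_1, C_DC_NA_1 = 45, 46                     # type IDs: single command, double command
COT_NAMES = {6: "activation", 7: "activation-confirm", 8: "deactivation", 10: "activation-termination"}
STATE_NAMES = {C_SC_NA_1: {0: "OFF", 1: "ON"}, C_DC_NA_1: {1: "OFF", 2: "ON"}}  # SCS / DCS bits

def iter_apdus(data: bytes):
    """Yield APDUs from one TCP payload; several may share a segment."""
    i = 0
    while i + 2 <= len(data):
        if data[i] != 0x68:
            raise ValueError(f"bad start byte 0x{data[i]:02x} at offset {i}")
        length = data[i + 1]                      # APDU length excludes the 2 header octets
        if length < 4 or i + 2 + length > len(data):
            raise ValueError(f"truncated APDU at offset {i}")
        yield data[i + 2 : i + 2 + length]
        i += 2 + length

def parse_commands(apdu: bytes):
    """Decode command objects from an I-format APDU; [] for S/U frames or non-command ASDUs."""
    if apdu[0] & 0x01 or len(apdu) < 10:          # S-format (..01) / U-format (..11) carry no ASDU
        return []
    asdu = apdu[4:]                               # skip the 4 APCI control octets
    type_id, vsq, cot, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in STATE_NAMES or vsq & 0x80:  # SQ=1 (IOA sequence) is not used for commands
        return []
    cmds, off = [], 6
    for _ in range(vsq & 0x7F):                   # low 7 bits: number of information objects
        ioa = int.from_bytes(asdu[off:off + 3], "little")   # 3-octet IOA in IEC-104
        bits = asdu[off + 3] & (0x01 if type_id == C_SC_NA_1 else 0x03)  # SCS or DCS field
        cmds.append({"cot": COT_NAMES.get(cot & 0x3F, cot & 0x3F), "ca": ca, "ioa": ioa,
                     "state": STATE_NAMES[type_id].get(bits, "invalid")})
        off += 4
    return cmds

def detect(flows, allowed_masters):
    """flows: (src_ip, dst_ip, payload). Alert on activation commands from hosts not known as masters."""
    alerts = []
    for src, dst, payload in flows:
        for c in (c for apdu in iter_apdus(payload) for c in parse_commands(apdu)):
            if c["cot"] == "activation" and src not in allowed_masters:
                alerts.append(f"{src}->{dst} {c['state']} IOA {c['ioa']} (CA {c['ca']}) from non-master host")
    return alerts

# Constructed sample traffic (not captured data): master 10.0.0.5 sends an S-frame ack plus a single
# command ON to IOA 1; unexpected host 10.0.0.77 sends a double command ON to IOA 2 (the one flagged).
SAMPLE_FLOWS = [("10.0.0.5", "10.0.1.20", bytes.fromhex("680401000000" "680e00000000" "2d0106000100" "010000" "01")),
                ("10.0.0.77", "10.0.1.20", bytes.fromhex("680e00000000" "2e0106000100" "020000" "02"))]
```

Fed with a real capture, `detect(flows, {known_master_ips})` gives a first-pass list of hosts commanding IOAs outside the expected master set; the IOA-to-breaker meaning still has to come from the site's own RTU configuration, as the article notes.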

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
