Unveiling CosmicEnergy: The Russia-Linked ICS Malware Threatening Electric Grids

A new Russia-linked malware named CosmicEnergy has recently come to light, posing a serious threat to industrial control systems (ICS). Mandiant, a prominent cybersecurity firm, has analyzed this malware and discovered it had the potential to disrupt electric power grids.

Understanding CosmicEnergy

CosmicEnergy is an advanced piece of malware specifically designed to target operational technology (OT) systems, with a focus on industrial control systems. More specifically, it communicates with devices via the IEC 60870-5-104 (IEC-104) protocol, which is widely used in electric transmission and distribution networks. By exploiting vulnerabilities in remote terminal units (RTUs), the malware gains the ability to tamper with power line switches and circuit breakers, aiming to cause disruptive power outages.


Components and Functionality

According to Mandiant's study, CosmicEnergy is made up of two key components: LightWork and PieHop. LightWork uses the IEC-104 protocol to alter the state of RTUs, allowing the malware to remotely turn them on and off. PieHop, on the other hand, uses LightWork to connect to a selected remote MSSQL server for file uploads and remote command execution on the RTUs.
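Because LightWork changes RTU state by sending ordinary IEC-104 control commands, the most direct network-side detection is to decode IEC-104 traffic and alert on control-direction ASDUs (single/double command, interrogation) that do not originate from the site's known SCADA masters or HMIs. The following is an added example written for this post; it is not code from the original article, from Mandiant, or from the malware. It implements a minimal IEC-104 APDU decoder over constructed sample frames and a hypothetical allowlist of master IP addresses (the 10.0.x.x addresses are invented for the demonstration).

```python
"""Added example: IEC 60870-5-104 APDU decoder with an allowlist check for control commands.
Frames, IP addresses and the allowlist below are constructed for illustration."""
import struct
from typing import Optional

# ASDU type identifiers in the control direction (IEC 60870-5-101/104 tables).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    100: "C_IC_NA_1 interrogation command",
}


def parse_apdu(data: bytes) -> Optional[dict]:
    """Decode one IEC-104 APDU. Returns a dict for I-format frames (which carry an ASDU),
    None for S/U-format frames, and raises ValueError on malformed input."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("missing 0x68 start byte or frame too short")
    if data[1] + 2 != len(data):  # APCI length field counts everything after it
        raise ValueError("APCI length field does not match frame size")
    ctrl = data[2:6]
    if ctrl[0] & 0x01:  # bit 0 set: S-format (01) or U-format (11), no ASDU follows
        return None
    asdu = data[6:]
    if len(asdu) < 9:  # 6-byte ASDU header plus one 3-byte information object address
        raise ValueError("ASDU too short for header and first information object")
    type_id, vsq, cot_byte = asdu[0], asdu[1], asdu[2]
    result = {
        "send_seq": struct.unpack_from("<H", ctrl, 0)[0] >> 1,
        "recv_seq": struct.unpack_from("<H", ctrl, 2)[0] >> 1,
        "type_id": type_id,
        "type_name": CONTROL_TYPES.get(type_id, "monitor-direction/other"),
        "num_objects": vsq & 0x7F,
        "cot": cot_byte & 0x3F,            # cause of transmission (6 = activation)
        "test": bool(cot_byte & 0x80),     # T bit: test frame
        "originator": asdu[3],
        "common_addr": struct.unpack_from("<H", asdu, 4)[0],
        "ioa": int.from_bytes(asdu[6:9], "little"),
    }
    if type_id == 45 and len(asdu) >= 10:  # SCO: bit0 = state, bit7 = select(1)/execute(0)
        sco = asdu[9]
        result["command"] = {"state": "ON" if sco & 0x01 else "OFF", "select": bool(sco & 0x80)}
    elif type_id == 46 and len(asdu) >= 10:  # DCO: bits0-1 = 1 OFF / 2 ON, bit7 = select
        dco = asdu[9]
        result["command"] = {"state": {1: "OFF", 2: "ON"}.get(dco & 0x03, "invalid"),
                             "select": bool(dco & 0x80)}
    return result


def flag_control_commands(packets, allowed_masters):
    """packets: iterable of (src_ip, dst_ip, tcp_payload). Returns a list of alert dicts for
    control-direction ASDUs from hosts outside allowed_masters, plus malformed frames."""
    alerts = []
    for src, dst, payload in packets:
        try:
            parsed = parse_apdu(payload)
        except ValueError as exc:
            alerts.append({"src": src, "dst": dst, "reason": f"malformed APDU: {exc}"})
            continue
        if parsed is None or parsed["type_id"] not in CONTROL_TYPES:
            continue
        if src not in allowed_masters:
            alerts.append({
                "src": src, "dst": dst,
                "reason": f"{parsed['type_name']} (COT {parsed['cot']}) to IOA "
                          f"{parsed['ioa']} from non-allowlisted host",
                "command": parsed.get("command"),
            })
    return alerts


# Constructed sample frames (hex): APCI | ASDU header | IOA | information element
SC_FRAME = bytes.fromhex("680e00000000" "2d0106000100" "001000" "01")   # single command ON, IOA 4096
SP_FRAME = bytes.fromhex("680e02000200" "010103000100" "001000" "01")   # single-point info, spontaneous
TESTFR_ACT = bytes.fromhex("680443000000")                             # U-format TESTFR act, no ASDU

ALLOWED_MASTERS = {"10.0.1.5"}  # hypothetical SCADA master / HMI
SAMPLE_PACKETS = [
    ("10.0.1.5", "10.0.2.10", SC_FRAME),    # legitimate master commanding an RTU
    ("10.0.9.77", "10.0.2.10", SC_FRAME),   # same command from an unknown host: alert
    ("10.0.2.10", "10.0.1.5", SP_FRAME),    # RTU reporting state, monitor direction
    ("10.0.9.77", "10.0.2.10", TESTFR_ACT), # keep-alive, ignored
]

if __name__ == "__main__":
    for alert in flag_control_commands(SAMPLE_PACKETS, ALLOWED_MASTERS):
        print(alert)
```

In practice the allowlist would come from the site's asset inventory, and the decoder would be fed from a passive tap or a monitoring tool's TCP reassembly rather than from constructed frames; the point is that any IEC-104 control command whose source is not an expected master is worth an alert regardless of which tool sent it.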


Manual Assistance Required

It's important to note that CosmicEnergy cannot carry out an attack independently. The attacker must manually collect IP addresses and credentials, indicating that the malware relies on human intervention. This suggests a deliberate effort to target specific entities and infrastructure rather than conducting indiscriminate attacks.


Possible Origins and Intent

Mandiant's investigation has led them to believe that CosmicEnergy may have been developed by a contractor associated with the Russian cybersecurity company Rostelecom-Solar. It is speculated that this contractor may have created the malware as part of a red teaming exercise, aimed at testing power disruption and emergency response capabilities. However, conclusive evidence is lacking, leaving open the possibility that another actor, with or without permission, repurposed code associated with Rostelecom-Solar's cyber range to develop this malware.


Similarities and Implications

CosmicEnergy exhibits similarities to previous Russian malware such as Industroyer and Industroyer2, which were employed to target Ukraine's energy sector. Furthermore, technical resemblances to other OT malware families like Triton and Incontroller have been discovered. These similarities suggest that CosmicEnergy, like its predecessors, is intended to cause physical damage or disruption within critical infrastructure.


Protecting Critical Infrastructure

The emergence of CosmicEnergy underscores the critical importance of robust cybersecurity measures for protecting critical infrastructure. The potential impact of disruptive attacks on electric power grids is immense, with wide-ranging consequences for society. Organizations and governments must remain vigilant, investing in advanced threat detection, monitoring, and incident response capabilities to mitigate the risks posed by such malware.


Overall, CosmicEnergy represents a concerning development in the realm of ICS malware, with the potential to disrupt electric power grids. The malware's ability to interact with RTUs using the IEC-104 protocol, coupled with its similarities to previously observed Russian malware, suggests a targeted and deliberate approach. The true origins and intent of CosmicEnergy remain speculative, but the threat it poses to critical infrastructure calls for enhanced cybersecurity measures and continuous vigilance from organizations and governments alike.


This blog was written by the Activated Solutions team. If you are a business owner or an individual concerned about your cybersecurity, it's time to take action. Activated Solutions can help you to protect your business and personal data from potential cyber threats.


Contact Activated Solutions today to learn more about how they can help you protect your business. With our expertise and commitment to cybersecurity, you can have peace of mind knowing that you are taking proactive steps to protect yourself and your business from potential data breaches.


For more information, please visit: activatedsolutions.ca.


Sources

Kovacs, Eduard, et al. “New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids.” SecurityWeek, 25 May 2023, https://www.securityweek.com/new-russia-linked-cosmicenergy-ics-malware-can-disrupt-electric-grid/.
