A new malware family called CosmicEnergy has been discovered that targets operational technology (OT). The researchers who found the malware said they believe it was developed by a contractor as a red teaming tool for conducting electric power disruption exercises.
Researchers with Mandiant first discovered the malware after it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. They believe the malware has been used for simulated power disruption exercises hosted by Russian security company Rostelecom-Solar, which received a government subsidy in 2019 to train cybersecurity experts for conducting emergency response exercises. The discovery of this potential red team-related malware is significant because typically these types of capabilities are limited to state-sponsored actors that have the expertise and resources to launch offensive OT threat activities.
“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware,” said researchers with Mandiant in a Thursday analysis. “Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.”
Researchers made the link to Rostelecom-Solar after identifying a comment in CosmicEnergy’s code showing the sample uses a module associated with a project called “Solar Polygon,” which is linked to a cyber range developed by the company. While this link exists, researchers said that it’s also possible that a different actor reused the code associated with the cyber range to develop CosmicEnergy for malicious purposes, though no public targeting has been observed yet.
“Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack,” said researchers. “There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan.”
CosmicEnergy is similar in its capabilities to previous OT malware families Industroyer and Industroyer 2.0, as both variants aim to cause electric power disruption through targeting devices commonly used in electric transmission and distribution operations.
Industroyer, originally deployed in December 2016 to cause power outages in Ukraine, targeted IEC-104 (IEC 60870-5-104), a TCP-based network protocol commonly used by devices in industrial control system environments such as remote terminal units (RTUs), which remotely monitor and control automation equipment. Industroyer sent ON/OFF commands over IEC-104 to these RTUs, opening and closing power line switches and circuit breakers in order to cause power disruption. CosmicEnergy reproduces this capability with two disruption tools: PieHop, written in Python, which connects to a remote MSSQL server to upload files and issue remote ON/OFF commands to an RTU via IEC-104; and LightWork, which PieHop uses to execute the ON/OFF commands on the remote systems via IEC-104, deleting the executable immediately afterwards.
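To make the IEC-104 interaction concrete, the following is an added example, not Mandiant's code and not code from CosmicEnergy, PieHop or LightWork. It builds the single-command (type 45, C_SC_NA_1) and double-command (type 46, C_DC_NA_1) APDUs that an IEC-104 client sends to switch an RTU output ON or OFF, and decodes them the way a network monitor watching TCP/2404 would, flagging every activation command. It assumes the standard field sizes (2-byte cause of transmission, 2-byte common address, 3-byte information object address); the sample traffic, common address 1 and the object addresses 1000 and 7 are constructed for the example.

```python
"""IEC 60870-5-104 (IEC-104) control-command encoder and decoder.

Added example; not code from Mandiant, CosmicEnergy, PieHop or LightWork.
Field sizes follow the IEC 60870-5-104 standard (2-byte COT, 2-byte common
address, 3-byte IOA). All sample frames are constructed inline; nothing is
sent on the network.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

START_BYTE = 0x68
IEC104_PORT = 2404          # standard TCP port, for reference only

# ASDU type identifiers for commands an RTU acts on
C_SC_NA_1 = 45              # single command: SCS bit 0 = OFF, 1 = ON
C_DC_NA_1 = 46              # double command: DCS 1 = OFF, 2 = ON
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))  # commands, incl. time-tagged ones

COT_ACTIVATION = 6          # cause of transmission "activation"


def build_apdu(asdu: bytes, send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Wrap an ASDU in an I-format APCI carrying send/receive sequence numbers."""
    control = struct.pack("<HH", (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    body = control + asdu
    return bytes([START_BYTE, len(body)]) + body


def _command_asdu(type_id: int, common_addr: int, ioa: int, qualifier: int) -> bytes:
    # type id, VSQ (one object, no sequence), COT low byte, originator address, common address
    header = struct.pack("<BBBBH", type_id, 1, COT_ACTIVATION, 0, common_addr)
    return header + ioa.to_bytes(3, "little") + bytes([qualifier])


def build_single_command(ioa: int, on: bool, common_addr: int = 1, select: bool = False) -> bytes:
    """C_SC_NA_1 activation. Bit 7 = select(1)/execute(0), bit 0 = SCS (ON=1/OFF=0)."""
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)
    return build_apdu(_command_asdu(C_SC_NA_1, common_addr, ioa, sco))


def build_double_command(ioa: int, on: bool, common_addr: int = 1, select: bool = False) -> bytes:
    """C_DC_NA_1 activation. Bits 1-0 = DCS: 1 = OFF, 2 = ON (0 and 3 are not permitted)."""
    dco = (0x80 if select else 0x00) | (0x02 if on else 0x01)
    return build_apdu(_command_asdu(C_DC_NA_1, common_addr, ioa, dco))


@dataclass
class ControlCommand:
    type_id: int
    cause: int
    common_addr: int
    ioa: int
    select: bool
    state: str              # "ON", "OFF", "INVALID" or "N/A" for other command types


def decode_control_command(frame: bytes) -> Optional[ControlCommand]:
    """Return the control command carried by one APDU, or None for any other frame."""
    if len(frame) < 6 or frame[0] != START_BYTE or frame[1] != len(frame) - 2:
        raise ValueError("malformed APDU")
    if frame[2] & 0x01:     # S-format (..01) and U-format (..11) frames carry no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 10:
        return None
    type_id, _vsq, cot_low, _originator, common_addr = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in CONTROL_TYPE_IDS:
        return None
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"
    elif type_id == C_DC_NA_1:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    else:
        state = "N/A"
    return ControlCommand(type_id, cot_low & 0x3F, common_addr, ioa, bool(qualifier & 0x80), state)


def flag_control_commands(frames: List[bytes]) -> List[str]:
    """Detection helper: one alert line per activation command found in a stream of APDUs."""
    alerts = []
    for frame in frames:
        cmd = decode_control_command(frame)
        if cmd is not None and cmd.cause == COT_ACTIVATION:
            phase = "select" if cmd.select else "execute"
            alerts.append(f"type {cmd.type_id} {phase} {cmd.state} -> CA {cmd.common_addr} IOA {cmd.ioa}")
    return alerts


# Constructed sample traffic: STARTDT act (U-format), a general interrogation, then two breaker commands.
STARTDT_ACT = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])
INTERROGATION = build_apdu(bytes([100, 1, 6, 0, 1, 0, 0, 0, 0, 20]))   # C_IC_NA_1, QOI = 20
SAMPLE_TRAFFIC = [
    STARTDT_ACT,
    INTERROGATION,
    build_single_command(1000, on=False),
    build_double_command(7, on=True, select=True),
]

if __name__ == "__main__":
    print(build_single_command(1000, on=False).hex())
    for line in flag_control_commands(SAMPLE_TRAFFIC):
        print(line)
```

The point for defenders is that the base protocol carries no authentication: any host that can open TCP/2404 to an RTU can send the same 16-byte frame that LightWork does. Activation commands (cause of transmission 6) from a source that is not the control centre, or a select/execute pair arriving outside a maintenance window, are the events worth alerting on; the decoder above is the kind of building block such a rule needs.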
“COSMICENERGY is quite comparable to other OT malware families – mainly INDUSTROYER and INDUSTROYERV2 with which it has some similarities in the approach it takes to the attack and the protocol it leverages,” said Daniel Kapellmann Zafra, Mandiant analysis manager with Google Cloud. “We also found some similarities with IRONGATE, TRITON and INCONTROLLER on a lesser level including abuse of insecure by design protocols, use of open source libraries for protocol implementation and use of python for malware development and/or packaging.”
Of note, CosmicEnergy lacks discovery capabilities, so an operator would need to perform internal reconnaissance first to find MSSQL server IP addresses and credentials and IEC-104 device IP addresses. The malware’s PieHop tool also contains a number of programming logic errors that may indicate it was still under active development when discovered, said Kapellmann Zafra; however, he said, the fixes required to make the malware usable are minimal.
The discovery of CosmicEnergy is unique because malware families targeting industrial control systems – like Stuxnet, PipeDream and BlackEnergy – are rarely disclosed. However, attackers are starting to focus more on ICS environments with custom-built frameworks and malware targeting these networks. And while critical infrastructure security has been top of mind for the U.S. government over the past year, researchers said CosmicEnergy, like other similar types of malware, will continue to leverage vulnerable pieces of OT environments – including insecure by design protocols like IEC-104 – that are “unlikely to be remedied any time soon.”
“For these reasons, OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware,” said Mandiant researchers. “Such knowledge can be useful when performing threat hunting exercises and deploying detections to identify malicious activity within OT environments.”