Researchers are at odds over the danger posed to critical infrastructure by recently discovered malware CosmicEnergy.
Threat intelligence firm Mandiant last month labeled CosmicEnergy a “plausible threat” to electric grid operators. The malware was first identified by Mandiant after the code was uploaded to a public malware scanning utility in December 2021. In last month’s analysis, the company said there was evidence to suggest it had been developed as a red teaming tool for simulated power disruption exercises.
“Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets,” the report said.
But in a report published last week researchers at industrial cybersecurity company Dragos said the malware currently lacks the maturity to endanger operational technology (OT) networks.
Dragos also referred to CosmicEnergy’s likely origins as a training tool for detection development, concluding that while its discovery should prompt organizations to reassess their OT security it was “not an immediate risk to OT environments."
“The primary purpose of COSMICENERGY appears to have been for training scenarios rather than for deployment in real-world environments. There is currently no evidence to suggest that an adversary is actively deploying COSMICENERGY,” wrote Jimmy Wylie, technical lead malware analyst and lead author.
Exploiting IEC 104 vulnerabilities
Mandiant said CosmicEnergy was designed to disrupt power supplies by interacting with devices using the IEC 104 protocol, such as remote terminal units (RTUs) that are commonly used in electric transmission and distribution operations.
CosmicEnergy had similar capabilities to Industroyer (also tracked as CrashOverride), the malware behind a 2016 power grid attack on the Ukrainian capital, Kyiv. It was similar to Industroyer2 an updated version of Industroyer found in Ukrainian electrical substations in 2022 before it could be activated.
All three malware types issued IEC 104 on/off commands to interact with RTUs and possibly also used a Microsoft SQL server to access OT systems, Mandiant said.
Once CosmicEnergy gained access it could initiate power disruptions by sending remote commands to powerline switches and circuit breakers. Mandiant said CosmicEnergy achieved that using two derivative components which it called Piehop and Lightwork.
Piehop was a Python tool which connected to a remote MSSQL server to upload files and issue remote commands to an RTU. It used Lightwork, written in C++, to issue the IEC 104 on/off commands to the remote system before immediately deleting the executable.
Dragos sees no immediate threat
Dragos said because Lightwork was compiled with symbol information, its researchers were able to decompile the function and argument names used in the malware code. That led to the discovery that the majority of Lightwork’s code was actually from a known, reputable IEC open-source library.
Industroyer and Industroyer2, on the other hand, used a custom IEC 104 library, leading Dragos to conclude that Lightwork was not a variant of the other two tools.
Lightwork was also hard-coded to affect a specific IEC 104 network configuration, whereas Industroyer and Industroyer2 had configuration formats that allowed a range of parameters to be changed to suit the network being targeted.
“In its current form, COSMICENERGY is not a direct threat to OT. Indications that it is a training tool with coding errors and a lack of development maturity lessen its potential risk,” Wylie wrote.
Agreement on need to prepare for OT vulnerabilities
While Mandiant and Dragos reached different conclusions about the threat posed by CosmicEnergy, the two teams agree their research should sound a warning to OT network operators.
“This discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well-resourced or state sponsored actors,” Mandiant said.
Given this was the third discovery of a malware tool targeting the IEC 104 protocol, organizations with industrial control system (ISC) and OT networks should take note and ensure they are prepared to detect and mitigate future attacks, Dragos said.
“Even though there’s no evidence that COSMICENERGY is being deployed, its existence should prompt all organizations to reassess their firewall rules and configurations and ensure they have visibility into the ICS protocols traversing their network.”
