CosmicEnergy malware poses ‘plausible threat’ to electric grids, researchers warn

The discovery of new malware targeting electricity networks — similar to that used to knock out Kyiv’s power supply in 2016 — shows “the barriers to entry are lowering” for industrial attacks, researchers say.

Threat research group Mandiant identified the new malware, which it calls CosmicEnergy, when the code was uploaded to a public malware scanning utility in December 2021.

In a fresh analysis of CosmicEnergy, published on May 25, Mandiant says the malware was designed to disrupt power supplies by interacting with devices that speak the IEC-104 protocol (IEC 60870-5-104), such as the remote terminal units (RTUs) commonly used in electric transmission and distribution operations in Europe, the Middle East and Asia.

Mandiant’s report said CosmicEnergy was a rare find because specialized operational technology (OT) or industrial control system (ICS) malware capable of causing cyber-physical impacts is seldom discovered or disclosed.

Those that have been discovered — including Stuxnet, PipeDream and BlackEnergy — have prompted concerns, from the White House down, about the need to improve the cybersecurity of critical infrastructure.

Mandiant said a unique aspect of CosmicEnergy was that there was evidence to suggest it had been developed by a contractor as a red teaming tool for simulated power disruption exercises hosted by Russian cybersecurity company Rostelecom-Solar.

“This discovery suggests that the barriers to entry are lowering for offensive OT threat activity since we normally observe these types of capabilities limited to well resourced or state sponsored actors,” Mandiant said.

The research group’s analysis showed CosmicEnergy had similar capabilities to Industroyer, the malware behind a 2016 power grid attack on the Ukrainian capital, Kyiv. It was also similar to Industroyer2, an updated version of Industroyer found in Ukrainian electrical substations in 2022 before it could be activated.

Like CosmicEnergy, the Industroyer variants targeted IEC-104 devices, issuing IEC-104 on/off commands to interact with RTUs and, according to one analysis of the 2016 incident, possibly also using an MSSQL server as a conduit to reach OT systems.

“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware,” Mandiant’s report said.

“Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.”

Once CosmicEnergy gained access to a target’s OT systems, it could initiate power disruptions by sending remote commands to power line switches and circuit breakers. Mandiant said it did so through two derivative components, which it calls Piehop and Lightwork.

Piehop was a Python tool, packaged as a standalone executable with PyInstaller, that connected to a remote MSSQL server to upload files and issue remote commands to an RTU. It ran Lightwork, a C++ component that implements IEC-104 over TCP, to send the on/off commands to the remote device, then immediately deleted the Lightwork executable.
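The on/off commands described above are ordinary IEC 60870-5-104 control ASDUs (type 45 single command, type 46 double command), and the protocol carries no authentication, so any host that can reach an RTU’s TCP port can issue them. The Python below is an added example, not code from Mandiant’s report or from CosmicEnergy: it builds constructed sample APDUs in the same format, parses them, and flags activation commands that arrive from a host outside an assumed allow-list of SCADA masters. The IP addresses and the allow-list are assumptions for the illustration.

```python
"""Parse IEC 60870-5-104 APDUs and flag control commands from untrusted hosts."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

START_BYTE = 0x68
# Control-direction ASDU type identifiers (IEC 60870-5-101/104).
C_SC_NA_1 = 45   # single command
C_DC_NA_1 = 46   # double command
C_SC_TA_1 = 58   # single command with CP56Time2a time tag
C_DC_TA_1 = 59   # double command with CP56Time2a time tag
CONTROL_TYPES = {C_SC_NA_1: "single", C_DC_NA_1: "double",
                 C_SC_TA_1: "single", C_DC_TA_1: "double"}
COT_ACTIVATION = 6   # cause of transmission: activation


@dataclass
class Command:
    asdu_type: int
    cot: int
    common_addr: int
    ioa: int          # information object address of the switched point
    state: str        # "ON", "OFF" or "INVALID"
    select: bool      # True = select (S/E bit set), False = execute


def build_command(type_id: int, common_addr: int, ioa: int, qualifier: int,
                  cot: int = COT_ACTIVATION, ns: int = 0, nr: int = 0) -> bytes:
    """Build an I-format APDU carrying one single/double command (used for samples)."""
    asdu = (bytes([type_id, 0x01, cot, 0x00])          # type, VSQ=1 object, COT, originator
            + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + bytes([qualifier]))
    ctrl = struct.pack("<HH", ns << 1, nr << 1)         # N(S), N(R); bit 0 clear = I-format
    return bytes([START_BYTE, 4 + len(asdu)]) + ctrl + asdu


def parse_apdu(buf: bytes) -> Optional[Command]:
    """Return a Command if buf is an I-format APDU with a control ASDU, else None."""
    if len(buf) < 6 or buf[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if buf[1] + 2 != len(buf):
        raise ValueError("APDU length field does not match buffer")
    if buf[2] & 0x01:                 # S-format (..01) or U-format (..11): no ASDU
        return None
    asdu = buf[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU")
    type_id, vsq, cot_lo = asdu[0], asdu[1], asdu[2]
    if type_id not in CONTROL_TYPES:
        return None
    if vsq & 0x7F != 1:
        raise ValueError("control commands carry exactly one information object")
    if len(asdu) < 10:
        raise ValueError("truncated information object")
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    ioa = asdu[6] | asdu[7] << 8 | asdu[8] << 16
    qualifier = asdu[9]                       # SCO (single) or DCO (double)
    select = bool(qualifier & 0x80)
    if CONTROL_TYPES[type_id] == "single":
        state = "ON" if qualifier & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    return Command(type_id, cot_lo & 0x3F, common_addr, ioa, state, select)


def find_rogue_commands(frames: Iterable[Tuple[str, bytes]],
                        trusted_masters: set) -> List[Tuple[str, Command]]:
    """Return (source, Command) for every activation command not sent by a trusted master."""
    alerts = []
    for src, apdu in frames:
        try:
            cmd = parse_apdu(apdu)
        except ValueError:
            continue                          # malformed frame; not a control command
        if cmd is None or cmd.cot != COT_ACTIVATION:
            continue
        if src not in trusted_masters:
            alerts.append((src, cmd))
    return alerts


# Constructed sample traffic (not captured data); addresses are assumptions.
TRUSTED_MASTERS = {"10.0.1.10"}
SAMPLE_FRAMES = [
    ("10.0.1.10", build_command(C_SC_NA_1, 1, 1, 0x01)),   # SCADA master: single cmd ON
    ("10.0.1.10", bytes.fromhex("680407000000")),          # U-format STARTDT act, no ASDU
    ("10.0.9.77", build_command(C_DC_NA_1, 1, 5, 0x01)),   # unknown host: double cmd OFF
    ("10.0.9.77", build_command(C_SC_NA_1, 1, 7, 0x80)),   # unknown host: select, OFF
]

if __name__ == "__main__":
    for src, cmd in find_rogue_commands(SAMPLE_FRAMES, TRUSTED_MASTERS):
        print(f"ALERT {src} -> CA {cmd.common_addr} IOA {cmd.ioa} {cmd.state}"
              f" ({'select' if cmd.select else 'execute'})")
```

Source-based allow-listing is the practical control here because the protocol itself cannot tell a legitimate master from Lightwork; the same parser can also be pointed at the select/execute sequence, since an execute with no preceding select from the same host is another sign of a scripted tool rather than an operator action.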

Mandiant said its analysis of CosmicEnergy highlighted several trends in the OT threat landscape, including abuse of “insecure by design” protocols such as IEC-104.

“While OT-oriented malware families can be purpose built for a particular target environment, malware that takes advantage of insecure by design OT protocols, such as LIGHTWORK’s abuse of the IEC-104 protocol, can be modified and employed multiple times to target multiple victims,” the report said.

“The availability of open source projects that implement OT protocols can lower the barrier of entry for actors attempting to interact with OT devices. However, proprietary OT protocols will likely continue to require custom protocol implementations.”

Mandiant recommended several actions for organizations potentially at risk from CosmicEnergy, including identifying and investigating any unauthorized Python-packaged executables on OT systems or on hosts with access to OT resources, and monitoring systems and MSSQL servers that have access to OT resources for unusual activity.
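The first recommendation can be turned into a concrete check for the most common Python packager, PyInstaller, which appends its archive to the executable and closes it with a cookie that begins with the magic bytes MEI\014\013\012\013\016. The Python below is an added example, not Mandiant’s tooling: it locates that cookie, decodes the bundled Python version and library name, and walks a directory for matches. The sample bytes it inspects are constructed inline; a packer or an attacker can strip the magic, so a clean result is a weak negative, not proof.

```python
"""Locate PyInstaller-packaged executables by their archive cookie."""
import os
import struct
from typing import Dict, Iterator, Optional, Tuple

# Magic that opens the PyInstaller CArchive cookie at the end of every bundle.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"
# Cookie layout (PyInstaller 2.1 and later): magic, package length, TOC offset,
# TOC length, Python version, and the bundled Python library name (64 bytes).
COOKIE_FORMAT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)   # 88 bytes


def inspect_bytes(data: bytes) -> Optional[Dict[str, object]]:
    """Return cookie details if data contains a PyInstaller archive, else None."""
    pos = data.rfind(PYINSTALLER_MAGIC)        # the cookie sits near the end: search backwards
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FORMAT, data, pos)
    # Newer bundles encode 3.11 as 311; older ones encode 2.7 as 27.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\0").decode("ascii", "replace"),
        "package_length": pkg_len,
        "toc_offset": toc_pos,
        "toc_length": toc_len,
    }


def scan_directory(root: str, max_size: int = 256 * 1024 * 1024) -> Iterator[Tuple[str, Dict[str, object]]]:
    """Yield (path, details) for every PyInstaller bundle under root (files above max_size skipped)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, "rb") as fh:
                    details = inspect_bytes(fh.read())
            except OSError:
                continue
            if details:
                yield path, details


# Constructed sample: a stub "executable" with a PyInstaller cookie appended, followed
# by an unrelated trailer to show the cookie need not be the very last bytes of the file.
SAMPLE_COOKIE = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, 4096, 3900, 196, 311, b"python311.dll")
SAMPLE_BUNDLE = b"MZ" + b"\x00" * 512 + SAMPLE_COOKIE + b"\x00" * 16
SAMPLE_PLAIN = b"MZ" + b"\x00" * 512    # constructed: no PyInstaller archive

if __name__ == "__main__":
    import sys
    for path, info in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: PyInstaller bundle, Python {info['python_version']} ({info['python_lib']})")
```

On an OT engineering workstation or a jump host that reaches OT, the hits from this scan should be a short, known list; anything else is the “unauthorized Python-packaged executable” Mandiant asks operators to investigate, and the decoded Python version helps narrow which build toolchain produced it.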

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
