COSMICENERGY: New malware linked to emergency response exercises
According to the researchers, the red team tool is specifically designed to simulate attacks.
Security researchers at Mandiant have discovered new malware, named CosmicEnergy, that is designed to disrupt industrial systems and that they associate with the information security company Rostelecom-Solar.
The malware targets remote terminal units (RTUs) that comply with the IEC-104 standard and are commonly used in power transmission and distribution operations in Europe, the Middle East and Asia.
CosmicEnergy was discovered after a sample was uploaded to VirusTotal in December 2021 by a user with a Russian IP address. Analysis of the sample revealed several aspects regarding CosmicEnergy and its functionality.
- CosmicEnergy is similar to Industroyer and Industroyer2 malware, which were used in attacks on Ukrainian energy companies in 2022;
- CosmicEnergy is based on Python and uses open source libraries to implement the OT protocol;
- Like Industroyer, CosmicEnergy likely gains access to the target's OT systems through compromised MSSQL servers, using the Piehop disruption tool.
Once inside the victim's network, attackers can remotely control RTUs by issuing IEC-104 "ON" or "OFF" commands with the malicious Lightwork tool.
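The "ON"/"OFF" actions described above are IEC-104 single and double command ASDUs (type identifiers 45/46 and their time-tagged variants 58/59). As an added example, not taken from the article or from Mandiant's report, the parser below decodes such control commands from captured IEC-104 APDUs and keeps the ones sent by the controlling side, a check a defender can run over RTU traffic; the sample frames are constructed, and the IEC-104 default field sizes are assumed.

```python
from dataclasses import dataclass
from typing import List, Optional

# IEC 60870-5-104 type identifiers for single/double commands (plain and time-tagged variants)
SINGLE_COMMANDS = {45, 58}   # C_SC_NA_1, C_SC_TA_1
DOUBLE_COMMANDS = {46, 59}   # C_DC_NA_1, C_DC_TA_1
COT_ACTIVATION, COT_DEACTIVATION = 6, 8   # causes of transmission used by the controlling station

@dataclass
class ControlCommand:
    type_id: int
    cot: int
    common_address: int
    ioa: int      # information object address of the switched point
    state: str    # "ON", "OFF" or "INVALID" (double command with DCS 0 or 3)
    select: bool  # True = select, False = execute (S/E bit of the qualifier)

def parse_control_command(apdu: bytes) -> Optional[ControlCommand]:
    """Return the control command carried by an I-format APDU, or None for other traffic."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APDU")
    if apdu[2] & 0x01:  # S-format (..01) and U-format (..11) frames carry no ASDU
        return None
    asdu = apdu[6:]     # assumed IEC-104 default sizes: 2-byte COT, 2-byte common address, 3-byte IOA
    if len(asdu) < 10 or asdu[0] not in SINGLE_COMMANDS | DOUBLE_COMMANDS:
        return None
    type_id, qualifier = asdu[0], asdu[9]  # only the first information object is decoded
    if type_id in SINGLE_COMMANDS:
        state = "ON" if qualifier & 0x01 else "OFF"  # SCS bit of the SCO
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")  # DCS field of the DCO
    return ControlCommand(type_id, asdu[2] & 0x3F, asdu[4] | (asdu[5] << 8),
                          asdu[6] | (asdu[7] << 8) | (asdu[8] << 16), state, bool(qualifier & 0x80))

def flag_control_commands(apdus: List[bytes]) -> List[ControlCommand]:
    """Keep commands issued by the controlling side (activation/deactivation), drop RTU replies."""
    return [cmd for cmd in map(parse_control_command, apdus)
            if cmd is not None and cmd.cot in (COT_ACTIVATION, COT_DEACTIVATION)]

# Constructed sample frames (not captured from any real incident)
SAMPLE_APDUS = [
    bytes.fromhex("680443000000"),                      # U-format TESTFR act: keep-alive, ignored
    bytes.fromhex("680E000000002D0106000100E8030001"),  # C_SC_NA_1, COT 6, CA 1, IOA 1000, ON, execute
    bytes.fromhex("680E020000002E0106000100D0070001"),  # C_DC_NA_1, COT 6, CA 1, IOA 2000, OFF, execute
    bytes.fromhex("680E000002002D0107000100E8030001"),  # same single command echoed with COT 7 (RTU reply)
]

if __name__ == "__main__":
    for cmd in flag_control_commands(SAMPLE_APDUS):
        print(f"ALERT: IEC-104 type {cmd.type_id} {cmd.state} -> CA {cmd.common_address} IOA {cmd.ioa}")
```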
CosmicEnergy attack chain
Mandiant believes that the detected malware could have been developed by the information security company Rostelecom-Solar as a red team tool for imitating real attacks. Mandiant experts suspect that, just like other red team tools, CosmicEnergy could also be used by hackers to launch destructive cyberattacks on critical infrastructure.
"While we have not found sufficient evidence to determine the origin or purpose of CosmicEnergy, we believe that the malware may have been developed by either Rostelecom-Solar or a related party to recreate real attack scenarios against grid assets," said Mandiant researchers.
Source: www.securitylab.ru