A new malware family called CosmicEnergy has been discovered that targets operational technology (OT). The researchers who found the malware said they believe it was developed by a contractor as part of a red teaming tool for conducting electric power disruption exercises.
Researchers with Mandiant first found the malware after it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. They believe the malware has been used for simulated power disruption exercises hosted by Russian security firm Rostelecom-Solar, which received a government subsidy in 2019 to train cybersecurity professionals for conducting emergency response exercises. The discovery of this potential red team-related malware is significant because ordinarily these types of capabilities are restricted to state-sponsored actors that have the expertise and resources to launch offensive OT threat activities.
“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware,” said researchers with Mandiant in a Thursday analysis. “Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.”
Researchers made the link to Rostelecom-Solar after identifying a comment in CosmicEnergy’s code showing that the sample uses a module associated with a project called “Solar Polygon,” which is linked to a cyber range developed by the firm. Although this link exists, researchers said it is also possible that a different actor reused the code associated with the cyber range to develop CosmicEnergy for malicious purposes, though no public targeting has been observed yet.
“Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack,” said researchers. “There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan.”
CosmicEnergy is similar in its capabilities to the prior OT malware families Industroyer and Industroyer2, as both variants aim to cause electric power disruption by targeting devices commonly used in electric transmission and distribution operations.
Industroyer, first deployed in December 2016 to cause power outages in Ukraine, targeted a network protocol called IEC-104 that is commonly used by devices in industrial control system (ICS) environments such as remote terminal units (RTUs), which are used to remotely monitor and control various automation systems. Industroyer sent ON/OFF commands over IEC-104 to interact with these RTUs, affecting the operation of power line switches and circuit breakers in order to cause power disruption. CosmicEnergy uses this same capability through two disruption tools: one called PieHop, written in Python, which connects to a remote MSSQL server to upload files and issue remote ON/OFF commands to an RTU via IEC-104; and another called LightWork, which PieHop uses to execute the ON/OFF commands on remote systems via the IEC-104 protocol before deleting the executable.
“COSMICENERGY is fairly similar to other OT malware families – mainly INDUSTROYER and INDUSTROYERV2, with which it has some similarities in the approach it takes to the attack and the protocol it leverages,” said Daniel Kapellmann Zafra, Mandiant analysis manager with Google Cloud. “We also found some similarities with IRONGATE, TRITON and INCONTROLLER on a lesser level, including abuse of insecure by design protocols, use of open source libraries for protocol implementation and use of Python for malware development and/or packaging.”
Of note, CosmicEnergy lacks discovery capabilities, so an operator would need to perform internal reconnaissance to obtain MSSQL server IP addresses and credentials, and IEC-104 device IP addresses. The malware’s PieHop tool also contains a number of programming logic errors that may indicate it was still under active development when discovered, said Kapellmann Zafra – however, he said, the fixes required to make the malware usable are minimal.
The discovery of CosmicEnergy is unusual because malware families targeting industrial control systems – like Stuxnet, PipeDream and BlackEnergy – are rarely disclosed. Nonetheless, attackers are beginning to focus more on ICS environments with custom-built frameworks and malware targeting these networks. And while critical infrastructure security has been top of mind for the U.S. government over the past year, researchers said CosmicEnergy, like other similar types of malware, will continue to leverage vulnerable pieces of OT environments – including insecure by design protocols like IEC-104 – that are “unlikely to be remedied any time soon.”
“For these reasons, OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware,” said Mandiant researchers. “Such knowledge can be useful when performing threat hunting exercises and deploying detections to identify malicious activity within OT environments.”
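The IEC-104 ON/OFF commands described above, and the threat-hunting detections Mandiant recommends, can be illustrated with a small decoder. The following is an added example and is not code from the article, from Mandiant, or from the CosmicEnergy samples. It decodes IEC 60870-5-104 APDUs (frame layout as in the public IEC 60870-5-104/-101 specifications), keeps only single-command (type 45) and double-command (type 46) ASDUs whose cause of transmission is "activation", and raises an alert when such a command comes from a host that is not on an allowlist of known SCADA masters. The allowlist approach, the IP addresses, and the sample frames are all assumptions constructed for the example; the function and type names are hypothetical.

```python
# Added example, not part of the article or of Mandiant's tooling: a minimal
# IEC 60870-5-104 decoder that flags control (ON/OFF) commands issued by hosts
# outside an allowlist of known SCADA masters. Frame layout follows the public
# IEC 60870-5-104 / -101 specifications; the sample traffic below is constructed.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# ASDU type identifiers for the switching commands discussed in the article
CONTROL_TYPES = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command"}
COT_ACTIVATION = 6  # cause of transmission: activation (a request, not a confirmation)


@dataclass
class ControlCommand:
    type_id: int
    common_address: int  # common address of ASDU (the station)
    ioa: int             # information object address (the switch/breaker point)
    state: str           # "ON", "OFF" or "INVALID"
    select: bool         # True = select phase (S/E bit set), False = execute phase


def parse_apdu(apdu: bytes) -> Optional[ControlCommand]:
    """Decode one 104 APDU and return a ControlCommand for type 45/46 activation
    requests; return None for S/U-format frames, monitoring ASDUs or malformed data."""
    # APCI: start byte 0x68, length of the remainder, four control octets
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:  # only I-format frames (bit 0 of control octet 1 clear) carry an ASDU
        return None
    asdu = apdu[6:]
    # type id, VSQ, COT (2 bytes), common address (2), IOA (3), qualifier (1)
    if len(asdu) < 10 or asdu[0] not in CONTROL_TYPES:
        return None
    if asdu[2] & 0x3F != COT_ACTIVATION:  # COT is the low six bits of the first COT byte
        return None
    type_id = asdu[0]
    common_address = int.from_bytes(asdu[4:6], "little")
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]  # SCO for type 45, DCO for type 46
    select = bool(qualifier & 0x80)
    if type_id == 45:
        state = "ON" if qualifier & 0x01 else "OFF"  # SCS is bit 0
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")  # DCS is bits 0-1
    return ControlCommand(type_id, common_address, ioa, state, select)


Flow = Tuple[str, str, bytes]  # (source IP, destination IP, TCP payload holding one APDU)


def hunt(flows: Iterable[Flow], allowed_masters: Set[str]) -> List[str]:
    """Return one alert line per control command sent from a non-allowlisted host."""
    alerts = []
    for src, dst, payload in flows:
        cmd = parse_apdu(payload)
        if cmd is None or src in allowed_masters:
            continue
        phase = "SELECT" if cmd.select else "EXECUTE"
        alerts.append(f"{src} -> {dst}: unexpected {phase} {cmd.state} on IOA {cmd.ioa} "
                      f"(CA {cmd.common_address}, {CONTROL_TYPES[cmd.type_id]})")
    return alerts


# Constructed sample traffic (hex): APCI 68 0e 00 00 00 00, then the ASDU.
# 10.0.0.5 is the assumed legitimate master, 10.0.0.99 an unknown host.
SAMPLE_FLOWS: List[Flow] = [
    # known master: single command, select then execute, ON, IOA 1000, CA 1
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("680e000000002d0106000100e8030081")),
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("680e000000002d0106000100e8030001")),
    # unknown host: double command, select then execute, OFF (DCS=1), same point
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("680e000000002e0106000100e8030081")),
    ("10.0.0.99", "10.0.0.20", bytes.fromhex("680e000000002e0106000100e8030001")),
    # RTU keepalive: U-format TESTFR act, carries no ASDU and must be ignored
    ("10.0.0.20", "10.0.0.5", bytes.fromhex("680443000000")),
]


def demo() -> List[str]:
    return hunt(SAMPLE_FLOWS, {"10.0.0.5"})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run as a script, the example prints two alerts, both for the unknown host's SELECT and EXECUTE OFF commands against IOA 1000; the master's own ON commands and the RTU's keepalive produce nothing. In a real deployment the payloads would come from a capture or a network sensor on TCP port 2404, and a single TCP segment may carry several concatenated APDUs, so the start byte and length field would be used to split them before decoding; an allowlist keyed on IP alone is also only a first filter, since the article notes that an operator with harvested credentials could issue commands from a legitimate-looking position.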