Researchers uncover Russian-related malware that can cripple power grids

Security researchers have discovered a new industrial control system malware, dubbed “CosmicEnergy,” which they say can be used to disrupt critical infrastructure systems and power grids.
The malware was spotted by researchers at Mandiant, who likened CosmicEnergy’s capabilities to the damaging Industroyer malware that the Russian state-backed “Sandworm” hacking group used to cut power in Ukraine in 2016.
Unusually, Mandiant said it discovered CosmicEnergy through threat hunting rather than in the aftermath of a cyberattack on critical infrastructure. The malware was uploaded to VirusTotal, Google’s malware and virus scanner, in December 2021 by a Russia-based submitter, according to Mandiant. The cybersecurity firm’s analysis suggests the malware may have been developed by Rostelecom-Solar, the cybersecurity arm of Russia’s national telecommunications operator Rostelecom, to support exercises like those hosted in collaboration with the Ministry of Energy of Russia in 2021.
“The contractor may have developed it as a tool for the red team for the simulated power interruption exercise organized by Rostelecom-Solar,” Mandiant said. “However, given the lack of conclusive evidence, we are also considering the possibility that a different actor – whether with or without permission – reused code associated with cyberspace to develop this malware.”
Mandiant says that not only do hackers regularly adapt and use red team tools to facilitate real-world attacks, but its analysis of CosmicEnergy also shows that the malware’s functionality is comparable to other malware variants targeting industrial control systems (ICS), such as Industroyer, and that it therefore poses a “plausible threat to affected electric grid assets.”
Mandiant told Zero2Billions that it has not observed any CosmicEnergy attacks in the wild and noted that the malware lacks discovery capabilities, meaning hackers need to perform internal reconnaissance to obtain environmental information, such as IP addresses and credentials, before launching attacks.
However, the researchers added that because the malware targets IEC-104, a network protocol commonly used in industrial environments which was also targeted during the 2016 attack on Ukraine’s power grid, CosmicEnergy poses a real threat to organizations involved in electricity transmission and distribution.
“New OT [operational technology] malware presents an immediate threat to affected organizations because these discoveries are rare and because the malware is inherently exploiting insecure-by-design features of OT environments that are unlikely to be fixed in the near future,” Mandiant’s researchers warned.
Mandiant’s discovery of new ICS-oriented malware comes after Microsoft revealed this week that Chinese state-backed hackers had broken into America’s critical infrastructure. According to the report, an espionage group that Microsoft calls “Volt Typhoon” has targeted the US island territory of Guam and could try to “disrupt critical communications infrastructure between the United States and the Asian region during a future crisis”.
In light of the report, the US government said it was working with Five Eyes partners to identify potential breaches. Microsoft said the group has sought access to organizations in the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors.