New malware dubbed CosmicEnergy has been discovered that targets operational technology (OT). The researchers who identified the malware said they believe it was developed by a contractor as part of a red teaming tool for conducting electric power disruption exercises.
Researchers with Mandiant first discovered the malware after it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. They believe the malware was used for simulated power disruption exercises hosted by Russian security company Rostelecom-Solar, which received a government subsidy in 2019 to train cybersecurity experts in conducting emergency response exercises. The discovery of this potential red team-related malware is significant because these types of capabilities are typically restricted to state-sponsored actors that have the expertise and resources to launch offensive OT threat activities.
“The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware,” said researchers with Mandiant in a Thursday analysis. “Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.”
Researchers made the link to Rostelecom-Solar after identifying a comment in CosmicEnergy’s code showing that the sample uses a module associated with a project called “Solar Polygon,” which is linked to a cyber range developed by the company. While this link exists, researchers said it is also possible that a different actor reused the code associated with the cyber range to develop CosmicEnergy for malicious purposes, though no public targeting has been observed yet.
“Threat actors regularly adapt and make use of red team tools – such as commercial and publicly available exploitation frameworks – to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack,” said researchers. “There are also many examples of nation-state actors leveraging contractors to develop offensive capabilities, as shown most recently in contracts between Russia’s Ministry of Defense and NTC Vulkan.”
CosmicEnergy is similar in its capabilities to the earlier OT malware families Industroyer and Industroyer2, as both variants aim to cause electric power disruption by targeting devices commonly used in electric transmission and distribution operations.
Industroyer, first deployed in December 2016 to cause power outages in Ukraine, targeted a network protocol called IEC-104 that is commonly used by devices in industrial control system (ICS) environments such as remote terminal units (RTUs), which are used to remotely monitor and control various automation systems. Industroyer sent ON/OFF commands over IEC-104 to interact with these RTUs, affecting the operation of power line switches and circuit breakers in order to cause power disruption. CosmicEnergy uses this same capability through two disruption tools: one called PieHop, written in Python, which connects to a remote MSSQL server to upload files and issue remote ON/OFF commands to an RTU via IEC-104, and another called LightWork, which PieHop uses to execute the ON/OFF commands on remote systems via the IEC-104 protocol before deleting the executable.
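The ON/OFF commands described above travel as IEC 60870-5-104 single commands (type ID 45, C_SC_NA_1) or double commands (type ID 46, C_DC_NA_1) inside I-format APDUs, which is what a defender can watch for on the wire. The following is an added example, not code from the article or from Mandiant, of a passive parser that splits a captured TCP byte stream into APDUs and reports every control command with its ON/OFF state, select/execute flag, information object address (IOA) and cause of transmission. The APDU bytes, IOAs and common address in the sample stream are constructed for the example; the field layout follows the public IEC-104 specification.

```python
"""Passive IEC 60870-5-104 control-command detector (added example, not the article's code)."""
from dataclasses import dataclass
from typing import Iterator, List

START = 0x68          # every APDU starts with this byte
C_SC_NA_1 = 45        # single command (SCO: bit 0 = state, bit 7 = select/execute)
C_DC_NA_1 = 46        # double command (DCO: bits 0-1 = state, bit 7 = select/execute)
COT_ACTIVATION = 6    # cause of transmission used when a command is issued
TYPE_NAMES = {C_SC_NA_1: "C_SC_NA_1", C_DC_NA_1: "C_DC_NA_1"}


@dataclass
class ControlCommand:
    type_id: int
    ioa: int              # information object address (3 bytes, little endian)
    common_address: int   # common address of ASDU (2 bytes, little endian)
    state: str            # "ON", "OFF" or "INVALID"
    select: bool          # True = select phase, False = execute phase
    cot: int              # cause of transmission (low 6 bits)


def iter_apdus(data: bytes) -> Iterator[bytes]:
    """Split a TCP byte stream into whole APDUs; stop at a truncated trailing frame."""
    i = 0
    while i + 2 <= len(data):
        if data[i] != START:
            raise ValueError(f"bad start byte 0x{data[i]:02x} at offset {i}")
        end = i + 2 + data[i + 1]        # length byte counts everything after itself
        if end > len(data):
            break                        # incomplete frame: wait for more bytes
        yield data[i:end]
        i = end


def parse_control_commands(apdu: bytes) -> List[ControlCommand]:
    """Return the control commands carried by one APDU (empty for S/U-frames and other ASDUs)."""
    # I-format frames have bit 0 of the first control byte clear; S- and U-frames set it.
    if len(apdu) < 12 or apdu[2] & 0x01:
        return []
    asdu = apdu[6:]                      # skip start, length and 4 control-field bytes
    type_id = asdu[0]
    if type_id not in TYPE_NAMES:
        return []
    vsq = asdu[1]
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    cot = asdu[2] & 0x3F                 # asdu[3] is the originator address
    common_address = asdu[4] | (asdu[5] << 8)
    commands, pos, base_ioa = [], 6, 0
    for n in range(count):
        if sequence and n > 0:
            ioa = base_ioa + n           # SQ=1: one IOA, objects at consecutive addresses
        else:
            if pos + 3 > len(asdu):
                break
            ioa = asdu[pos] | (asdu[pos + 1] << 8) | (asdu[pos + 2] << 16)
            pos += 3
            base_ioa = ioa if n == 0 else base_ioa
        if pos >= len(asdu):
            break
        qualifier = asdu[pos]
        pos += 1
        if type_id == C_SC_NA_1:
            state = "ON" if qualifier & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
        commands.append(ControlCommand(type_id, ioa, common_address, state,
                                       bool(qualifier & 0x80), cot))
    return commands


def detect_control_commands(data: bytes) -> List[ControlCommand]:
    """Walk a captured stream and collect every single/double command seen."""
    return [cmd for apdu in iter_apdus(data) for cmd in parse_control_commands(apdu)]


def describe(cmd: ControlCommand) -> str:
    """One alert line per command, suitable for a SIEM or a detection test."""
    phase = "select" if cmd.select else "execute"
    cot = "activation" if cmd.cot == COT_ACTIVATION else f"COT={cmd.cot}"
    return (f"ALERT IEC-104 {TYPE_NAMES[cmd.type_id]} {cmd.state} {phase} "
            f"IOA={cmd.ioa} CA={cmd.common_address} {cot}")


# Constructed sample stream (not captured traffic): single command ON/execute to IOA 1001,
# double command OFF/select to IOA 1002, a spontaneous single-point indication (type 1),
# a U-frame TESTFR act, and a truncated trailing frame.
SAMPLE_STREAM = bytes.fromhex(
    "680E 00000000 2D 01 0600 0100 E90300 01"
    "680E 02000000 2E 01 0600 0100 EA0300 81"
    "680E 04000000 01 01 0300 0100 640000 01"
    "6804 43000000"
    "680E 0600"
)

if __name__ == "__main__":
    for command in detect_control_commands(SAMPLE_STREAM):
        print(describe(command))
```

Only activation (COT 6) frames from the controlling station are commands being issued; the same type IDs with COT 7 are the RTU's activation confirmations, so a rule that alerts on ON/OFF commands from an unexpected source address, outside a maintenance window, or at a rate no SCADA master would produce is the practical use of this parser.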
“COSMICENERGY is quite similar to other OT malware families – mainly INDUSTROYER and INDUSTROYERV2, with which it has some similarities in the approach it takes to the attack and the protocol it leverages,” said Daniel Kapellmann Zafra, Mandiant analysis manager with Google Cloud. “We also identified some similarities with IRONGATE, TRITON and INCONTROLLER on a lesser level, including abuse of insecure by design protocols, use of open source libraries for protocol implementation and use of Python for malware development and/or packaging.”
Of note, CosmicEnergy lacks discovery capabilities, so an operator would need to perform internal reconnaissance to obtain MSSQL server IP addresses and credentials, as well as IEC-104 device IP addresses. The malware’s PieHop tool also contains a number of programming logic errors that may indicate it was still under active development when discovered, said Kapellmann Zafra – however, he said, the fixes needed to make the malware usable are minimal.
The discovery of CosmicEnergy is notable because malware families targeting industrial control systems – like Stuxnet, PipeDream and BlackEnergy – are rarely disclosed. Even so, attackers are beginning to focus more on ICS environments, with custom-built frameworks and malware targeting these networks. And while critical infrastructure security has been top of mind for the U.S. government over the past year, researchers said CosmicEnergy, like other similar types of malware, will continue to leverage vulnerable pieces of OT environments – including insecure by design protocols like IEC-104 – that are “unlikely to be remedied any time soon.”
“For these reasons, OT defenders and asset owners should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware,” said Mandiant researchers. “Such knowledge can be useful when performing threat hunting exercises and deploying detections to identify malicious activity within OT environments.”