Researchers at Mandiant recently discovered Russian government-linked malware targeting power transmission; its characteristics suggest it may have been built for training exercises that simulate cyberattacks on electric grids.
The malware, named COSMICENERGY by Google's threat intelligence firm Mandiant, was uploaded to VirusTotal from Russia in December 2021, but there is no evidence that it has actually been deployed.
This malware explicitly targets IEC-104 devices such as RTUs used in electric transmission and distribution operations, and could cause power disruptions in regions such as:-
COSMICENERGY Analysis
COSMICENERGY is a unique tool developed by a contractor for power disruption exercises. It resembles malware such as INDUSTROYER and INDUSTROYER.V2, which were used to impact electricity transmission through IEC-104.
This malware shows that developing offensive OT capabilities is becoming easier as attackers learn from previous attacks. It poses a real threat to electric grid assets, so asset owners should act to prevent its deployment.
It also resembles the 2016 INDUSTROYER incident in its use of IEC-104 commands and, possibly, an MSSQL server to gain access to OT. COSMICENERGY allows remote control of power line switches and circuit breakers to cause disruption through its components:-
In the analysis of COSMICENERGY, a code comment linked it to the “Solar Polygon” project.
The researchers found a match to a cyber range developed by Rostelecom-Solar, a Russian company conducting power disruption exercises.
The origin and purpose of COSMICENERGY remain unclear. It may have been developed by Rostelecom-Solar or an associated party to simulate attacks on the energy grid.
Such simulations were potentially used in exercises like Rostelecom-Solar's collaboration with the Russian Ministry of Energy in 2021 or SPIEF in 2022.
The lack of evidence makes it possible that another actor reused the cyber range code to create this malware.
Threat actors often repurpose red team tools for real-world attacks, as TEMP.Veles did by using METERPRETER in the TRITON attack.
Below are the key similarities with existing OT malware:-
COSMICENERGY’s capabilities align with previous OT malware; its discovery reveals notable developments in OT threats.
New OT malware poses an immediate risk due to rare discoveries and reliance on insecure OT features that are unlikely to be fixed soon.
Discovery of COSMICENERGY indicates lower barriers for offensive OT threats, possibly due to red team involvement.
Typically, such capabilities were limited to well-resourced or state-sponsored actors.
At the same time, contractors and red team tools are frequently used by threat actors in real-world OT attacks.
Below are the discovery methods that Mandiant's researchers provide:-
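As an added illustration (not code from this article, from Mandiant's report, or from COSMICENERGY itself), the following Python script shows the kind of network check a defender can run against IEC-104 traffic between a SCADA master and RTUs: it decodes the APCI header and ASDU of each frame, extracts control-direction commands (the single and double commands used to operate breakers and disconnectors), and raises an alert when such a command with cause of transmission "activation" arrives from a host that is not an authorized master. The frames, IP addresses and allow-list are constructed sample values; the type identifiers and field layout follow IEC 60870-5-104, and nothing here reproduces COSMICENERGY's own command set or Mandiant's published discovery methods.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# IEC 60870-5-104 type identifiers in the control direction that change
# the state of a field device (the ones a breaker-tripping tool would send).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: the master asks the RTU to act


@dataclass
class ControlCommand:
    type_id: int
    name: str
    cot: int
    common_address: int
    ioa: int          # information object address of the switch/breaker
    select: bool      # True = "select" phase, False = "execute" phase (S/E bit)
    state: int        # SCS (0 off / 1 on) or DCS/RCS (1 off|lower, 2 on|higher)


def parse_apdu(data: bytes) -> Optional[ControlCommand]:
    """Decode one IEC-104 APDU; return a ControlCommand for control-direction
    ASDUs, None for S/U-format frames and non-control ASDUs."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if data[1] + 2 != len(data):          # length byte excludes the 2-byte prefix
        raise ValueError("APDU length mismatch")
    if data[2] & 0x01:                    # control octet 1 bit 0 set: S- or U-format, no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    cot = asdu[2] & 0x3F                  # low 6 bits; bit 6 = negative, bit 7 = test
    common_address = asdu[4] | (asdu[5] << 8)
    if type_id not in CONTROL_TYPE_IDS:
        return None
    if vsq & 0x80:                        # SQ=1 (sequence of elements) is not valid for commands
        raise ValueError("SQ=1 not allowed for control ASDUs")
    body = asdu[6:]
    if len(body) < 4:                     # 3-byte IOA + 1-byte qualifier (SCO/DCO/RCO)
        raise ValueError("information object truncated")
    ioa = body[0] | (body[1] << 8) | (body[2] << 16)
    qualifier = body[3]
    select = bool(qualifier & 0x80)
    state = qualifier & 0x01 if type_id in (45, 58) else qualifier & 0x03
    return ControlCommand(type_id, CONTROL_TYPE_IDS[type_id], cot,
                          common_address, ioa, select, state)


def detect_unauthorized_controls(traffic: Iterable[Tuple[str, bytes]],
                                 authorized_masters: Set[str]) -> List[str]:
    """Alert on every activation-phase control command whose source host
    is not one of the known SCADA masters."""
    alerts = []
    for src, apdu in traffic:
        cmd = parse_apdu(apdu)
        if cmd is None or cmd.cot != COT_ACTIVATION:
            continue
        if src not in authorized_masters:
            phase = "select" if cmd.select else "execute"
            alerts.append(f"ALERT {src} -> CA {cmd.common_address} IOA {cmd.ioa}: "
                          f"{cmd.name} ({phase}, state={cmd.state})")
    return alerts


# Constructed sample frames (hex), not captured traffic.
FRAME_SC_EXECUTE = bytes.fromhex("680e" "00000000" "2d01" "0600" "0100" "011000" "01")  # single cmd, ON, execute, IOA 4097
FRAME_DC_SELECT = bytes.fromhex("680e" "00000000" "2e01" "0600" "0100" "021000" "81")   # double cmd, OFF, select, IOA 4098
FRAME_INTERROGATION = bytes.fromhex("680e" "00000000" "6401" "0600" "0100" "000000" "14")  # C_IC_NA_1, read-only
FRAME_S_FORMAT = bytes.fromhex("6804" "01000200")                                        # supervisory ack, no ASDU

AUTHORIZED_MASTERS = {"10.0.0.5"}          # constructed allow-list of SCADA master hosts
SAMPLE_TRAFFIC = [
    ("10.0.0.5", FRAME_INTERROGATION),     # legitimate master polling the RTU
    ("10.0.0.5", FRAME_DC_SELECT),         # legitimate operator action
    ("10.0.0.99", FRAME_SC_EXECUTE),       # unknown host operating a breaker
    ("10.0.0.99", FRAME_S_FORMAT),
]

if __name__ == "__main__":
    for line in detect_unauthorized_controls(SAMPLE_TRAFFIC, AUTHORIZED_MASTERS):
        print(line)
```

In a real deployment the frames would come from a SPAN port or pcap of the OT network rather than an inline list, and a stricter policy would also alert on an execute without a preceding select from the same host, on activations outside maintenance windows, and on IEC-104 sessions originating from the IT side (for example a database server that should only ever talk to the historian).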