New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids

May 26, 2023 | Ravi Lakshmanan | ICS/SCADA security


A new breed of malicious software designed to infiltrate and destroy critical systems in industrial environments has been discovered.

Google-owned threat intelligence firm Mandiant, which named the malware COSMICENERGY, added that the sample was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been used in the wild.

“This malware causes power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly used in power transmission and distribution operations in Europe, the Middle East, and Asia,” the company said.

COSMICENERGY is a new addition to the short list of specialized ICS malware, alongside Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer and PIPEDREAM, that can cripple critical systems and wreak havoc.

Mandiant said the contextual evidence suggests the malware may have been developed by the Russian company Rostelecom-Solar as a red team tool to simulate power disruption during emergency response exercises held in October 2021.

This suggests that the malware was either developed to recreate realistic attack scenarios against energy grid assets in order to test defenses, or that another party reused code associated with that cyber range, the latter being considered more likely.


The second option is not unprecedented, especially given that threat actors are known to adapt and reuse legitimate red team and post-exploitation tools for malicious purposes.

COSMICENERGY’s functionality is comparable to that of Industroyer, which is attributed to the Kremlin-backed Sandworm group, in that it can issue commands to RTUs using the industrial communication protocol IEC-104.

“Attackers can use this access to send remote commands to influence the operation of power line switches and circuit breakers, causing power outages,” Mandiant said.


This is achieved by two components called PIEHOP and LIGHTWORK, disruption tools written in Python and C++, respectively, that send IEC-104 commands to connected industrial equipment.

Another notable aspect of the industrial control system (ICS) malware is its lack of intrusion and discovery capabilities. This means the operator would have to perform internal reconnaissance of the network to determine the IP address of the targeted IEC-104 device.

Therefore, to carry out an attack, an attacker would first have to gain a foothold on a computer in the network, find a Microsoft SQL Server with access to the RTU, and obtain its credentials.

PIEHOP is then run on that machine, LIGHTWORK is uploaded to the server, and a remote command is sent over TCP to change the state of the unit (ON or OFF). The executable is deleted immediately after the command is issued.
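The attack chain above ends with IEC-104 control commands arriving at an RTU from a host that is not the legitimate SCADA master. That is the observable a defender can key on. The following is an added example, not code from the article, from Mandiant, or from the malware itself: a minimal IEC-104 APDU decoder and a detection rule that flags single/double commands (ASDU types 45 and 46) with cause-of-transmission "activation" when they come from a host outside an allowlist of authorised masters. The frames, IP addresses, information object addresses and the allowlist are constructed for illustration; the protocol layout (start byte 0x68, 4-byte control field, ASDU header, 3-byte IOA, SCO/DCO element) follows IEC 60870-5-104.

```python
"""Minimal IEC 60870-5-104 decoder plus a rule for control commands from
unauthorised hosts.  Added example; not the article's or Mandiant's code.
Frames and addresses below are constructed by hand (assumptions)."""
from dataclasses import dataclass
from typing import Optional

START_BYTE = 0x68
COT_ACTIVATION = 6          # cause of transmission: activation (command request)

# ASDU type identifiers in the control direction that change process state.
CONTROL_TYPES = {
    45: "C_SC_NA_1",        # single command
    46: "C_DC_NA_1",        # double command
    47: "C_RC_NA_1",        # regulating step command
    58: "C_SC_TA_1",        # single command with time tag
    59: "C_DC_TA_1",        # double command with time tag
}


@dataclass
class Apdu:
    fmt: str                        # "I" (information), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None
    element: Optional[int] = None   # first information element byte (SCO / DCO)


def parse_apdu(raw: bytes) -> Apdu:
    """Decode one APDU (APCI + optional ASDU). Raises ValueError on bad framing."""
    if len(raw) < 6 or raw[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if raw[1] != len(raw) - 2:          # length field covers everything after itself
        raise ValueError("length field does not match frame")
    ctrl = raw[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt=fmt)          # S/U frames carry no ASDU
    asdu = raw[6:]
    if len(asdu) < 9:
        raise ValueError("truncated ASDU")
    type_id = asdu[0]                 # asdu[1] is the VSQ (object count / SQ bit)
    cot = asdu[2] & 0x3F              # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    element = asdu[9] if len(asdu) > 9 else None
    return Apdu("I", type_id, cot, common_addr, ioa, element)


def describe_command(apdu: Apdu) -> str:
    """Human-readable state for single (SCO) and double (DCO) commands."""
    name = CONTROL_TYPES.get(apdu.type_id, f"type {apdu.type_id}")
    if apdu.element is None:
        return name
    if apdu.type_id in (45, 58):
        state = "ON" if apdu.element & 0x01 else "OFF"          # SCS bit
    elif apdu.type_id in (46, 59):
        state = {1: "OFF", 2: "ON"}.get(apdu.element & 0x03, "INVALID")  # DCS bits
    else:
        return name
    se = "SELECT" if apdu.element & 0x80 else "EXECUTE"          # S/E bit
    return f"{name} {se} {state} IOA={apdu.ioa}"


def detect_unauthorised_controls(frames, authorised_masters):
    """frames: iterable of (src_ip, dst_ip, raw_apdu). Returns a list of alert strings."""
    alerts = []
    for src, dst, raw in frames:
        try:
            apdu = parse_apdu(raw)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed APDU ({exc})")
            continue
        if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPES:
            continue
        if apdu.cot != COT_ACTIVATION:
            continue                  # confirmations/terminations flow back from the RTU
        if src not in authorised_masters:
            alerts.append(f"{src}->{dst}: control command from unauthorised host: "
                          f"{describe_command(apdu)}")
    return alerts


# Constructed sample traffic (assumption): 10.0.0.5 is the real master, 10.0.1.20 the RTU.
SAMPLE_FRAMES = [
    ("10.0.0.5",  "10.0.1.20", bytes.fromhex("680407000000")),                  # U: STARTDT act
    ("10.0.0.5",  "10.0.1.20", bytes.fromhex("680e000000002d0106000100e8030001")),  # SC EXECUTE ON, IOA 1000
    ("10.0.0.77", "10.0.1.20", bytes.fromhex("680e000000002e0106000100e9030001")),  # DC EXECUTE OFF, IOA 1001
    ("10.0.1.20", "10.0.0.77", bytes.fromhex("680e000000002e0107000100e9030001")),  # RTU act-con (COT 7)
    ("10.0.0.77", "10.0.1.20", bytes.fromhex("680e000000002d0106000100e8030081")),  # SC SELECT ON, IOA 1000
]
AUTHORISED_MASTERS = {"10.0.0.5"}


def run_sample():
    return detect_unauthorised_controls(SAMPLE_FRAMES, AUTHORISED_MASTERS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Only the two frames from 10.0.0.77 are reported; the legitimate master's identical ON command and the RTU's activation confirmation are not. The rule is deliberately narrow (control types, activation COT, source allowlist) because in most substations the set of hosts that may ever write to an RTU is tiny and static, which makes an allowlist both cheap and high-signal.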

“Although the functionality of COSMICENERGY is not significantly different from previous OT malware families, its discovery highlights some notable developments in the OT threat landscape,” said Mandiant.

“Discoveries of new OT malware present an immediate threat to affected organizations, since these discoveries are rare and because the malware principally takes advantage of insecure-by-design features of OT environments that are unlikely to be remedied any time soon.”
