New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids

May 26, 2023Ravie LakshmananICS/SCADA security

A new strain of malicious software designed to penetrate and disrupt critical systems in industrial environments has been explored.

Threat intelligence firm owned by Google Mandiant has dubbed the malware COSMIC ENERGY, adding it was uploaded to public malware scanning utilities in December 2021 by a sender in Russia. There is no evidence that it has been used in the wild.

This malware is designed to cause power interruptions by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), which are typically utilized in power transmission and distribution operations in Central Europe. East, and Asia,” the company said said.

COSMICENERGY is the latest addition to specialized malware such as Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc.

Mandiant said that there is an indirect link that may have been developed as a tool of red cooperation by the Russian telecommunications company Rostelecom-Solar to simulate power failure and drill emergency response which will be held in October 2021.

This increases the likelihood that malware is developed to recreate realistic attack scenarios against energy grid assets to test defenses or others reuse code associated with cyberspace.

The second alternative is not unheard of, especially considering the fact that threat actors are known to adapt and reuse official red team and post-exploitation tools for nefarious purposes.

COSMICENERGY’s features are comparable to Industroyer – which is associated with the Kremlin-backed Sandworm group – for its ability to exploit an industrial communications protocol called IEC-104 to issue commands to RTUs.

“By leveraging this access, an attacker can remotely send commands to influence the actuation of power line switches and circuit breakers to cause power interruptions,” Mandiant said.

This is achieved through two components called PIEHOP and LIGHTWORK, which are two jamming tools written in Python and C++ respectively, to send IEC-104 commands to connected industrial equipment.

Another important aspect of industrial control system (ICS) malware is its lack of intrusion and discovery capabilities, meaning it requires operators to perform network internal reconnaissance to determine the IP addresses of IEC-104 devices to target.

To carry out the attack, the threat actor must infect computers on the network, find a Microsoft SQL Server that has access to the RTU, and obtain its credentials.

PIEHOP is then run on the machine to upload the LIGHTWORK to the server, which sends a remote interrupt command to toggle the unit’s state (ON or OFF) over TCP. It also immediately deletes the executable after issuing instructions.

“While COSMICENERGY’s capabilities are not significantly different from previous OT malware families, its discovery highlights several important developments in the OT threat landscape,” Mandiant said.

“New OT malware discoveries present an immediate threat to affected organizations, because these discoveries are rare and because the malware principally takes advantage of insecure OT environment design features that are unlikely to be fixed in the near future.”