CosmicEnergy: Advanced ICS Malware with Potential Russia Linkages Threatens Electric Grids

30/5/2023

In a recent report, leading cybersecurity firm Mandiant uncovered a highly sophisticated malware known as CosmicEnergy. This malicious software, believed to have ties to Russia, specifically targets industrial control systems (ICS) with the intent to disrupt electric grids. The discovery highlights the mounting concerns surrounding the potential threats faced by operational technology (OT) environments. This article delves into the key findings of the analysis conducted by Mandiant and explores the implications of this evolving cyber threat.

Unveiling CosmicEnergy:
CosmicEnergy uses the IEC 60870-5-104 (IEC-104) protocol, which is widely used for telecontrol communication within electric power systems. By speaking this protocol, the malware can interact with remote terminal units (RTUs) commonly found in electric transmission and distribution networks across Europe, the Middle East, and parts of Asia. Its primary objective is to tamper with power line switches and circuit breakers, manipulating their actuation to disrupt the power supply.

Understanding the Components:
CosmicEnergy comprises two primary components: LightWork and PieHop. LightWork speaks the IEC-104 protocol and can change the state of RTUs, switching these devices on or off remotely. PieHop connects to designated remote Microsoft SQL (MSSQL) servers to upload files and to execute commands against RTUs through LightWork.

Manual Involvement Required:
It is important to note that CosmicEnergy alone is incapable of gathering the necessary information required to launch an attack. The attacker must manually collect IP addresses and credentials to initiate an assault on the targeted infrastructure.

Potential Linkages to Russia:
Mandiant's analysis uncovered a sample of the CosmicEnergy malware uploaded to a malware scanning service in December 2021. The uploader is believed to be an individual from Russia. Intriguingly, Mandiant suspects that the malware may have been developed by a contractor associated with Rostelecom-Solar, a Russian cybersecurity company. There is speculation that the malware could have been part of a red teaming tool employed for simulating power disruption scenarios and emergency response exercises. Rostelecom-Solar received government funding in 2019 to conduct cybersecurity training and exercises, further suggesting a plausible connection.

Alternate Scenarios:
Despite these indications, Mandiant acknowledges the absence of definitive evidence and presents an alternate possibility. It suggests that a different actor, with or without permission, repurposed code associated with the cyber range to create the CosmicEnergy malware. Threat actors often adapt and utilize red team tools, including publicly available exploitation frameworks, for real-world attacks. Temp.Veles' use of Meterpreter during the Triton attack serves as an example of such practices.

Implications and Similarities:
Nation-state actors have also been observed engaging contractors to develop offensive capabilities, as evidenced by contracts between Russia's Ministry of Defense and NTC Vulkan. These observations imply that CosmicEnergy may have been intentionally developed for malicious purposes or, at the very least, can be used to support targeted threat activity. The capabilities displayed by CosmicEnergy resemble those of earlier Russian malware such as Industroyer and Industroyer2, which targeted Ukraine's energy sector. Researchers have also identified technical similarities to other OT malware families such as Triton and Incontroller, which were specifically designed to cause physical damage or disruption.

Enhancing Security Measures:
The emergence of CosmicEnergy serves as a stark reminder of the evolving threat landscape facing critical infrastructure, particularly electric grids. Safeguarding against such attacks demands heightened vigilance, proactive security measures, and continued collaboration among government entities, private sector organizations, and cybersecurity experts.

Conclusion:
The discovery of CosmicEnergy and its potential linkages to Russia underscore the urgent need for robust cybersecurity measures in protecting critical infrastructure, particularly electric grids. As the threat landscape continues to evolve, it is crucial for organizations to remain vigilant and proactive in their approach to security.

To defend against the sophisticated tactics employed by malware like CosmicEnergy, the following measures should be implemented:
  1. Strengthen Network Security: Deploy advanced firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and control network traffic. Implement strong access controls and authentication mechanisms to prevent unauthorized access.
  2. Conduct Regular Vulnerability Assessments: Regularly scan and assess the security posture of the infrastructure, including both hardware and software components. Identify and address any vulnerabilities promptly to minimize the risk of exploitation.
  3. Employ Behavioral Analytics: Use SIEM and advanced analytics tools to monitor network and user behavior and to detect anomalies indicative of a potential cyber attack. This enables organizations to respond swiftly and effectively to emerging threats.
  4. Implement Secure Configuration Practices: Follow industry best practices for configuring and hardening ICS devices, such as RTUs, to reduce the attack surface. Regularly update and patch software and firmware to address any known vulnerabilities.
  5. Conduct Employee Training and Awareness Programs: Educate employees about the risks and best practices for cybersecurity. Promote a culture of security awareness and ensure that employees understand their role in protecting critical infrastructure.
  6. Foster Public-Private Collaboration: Establish partnerships and information-sharing initiatives between government entities, private sector organizations, and cybersecurity experts. Collaborative efforts enhance collective defense capabilities and facilitate the dissemination of threat intelligence.
  7. Develop an Incident Response Plan: Prepare a comprehensive incident response plan to guide organizations in effectively responding to and recovering from cyber attacks. Regularly test and update the plan to ensure its effectiveness.
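The LightWork component described above issues IEC-104 control commands to RTUs, and measures 1 and 3 call for network monitoring and anomaly detection. The following added example (not code from the Armoryze post or from Mandiant's report) shows what such a check looks like in practice: a small IEC 60870-5-104 inspector that decodes the APCI and ASDU header of each frame and raises an alert when a process command (the single/double command ASDU types used to open or close breakers) is sent by a host that is not an approved SCADA master. The IP addresses, the allow-list and the frames are all constructed for the example; the ASDU layout and type identifiers are those of the public IEC 60870-5-101/104 standard.

```python
"""IEC-104 control-command inspector (added example, not from the original post)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# ASDU type identifiers for process commands in the control direction
# (IEC 60870-5-101/104). 45/46 are the single/double commands used to
# switch breakers and disconnectors; 58/59 are their time-tagged variants.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: activation


@dataclass
class Apdu:
    frame_type: str             # "I" (data), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int]      # ASDU type identifier, I-frames only
    cot: Optional[int]          # cause of transmission (low 6 bits), I-frames only
    common_addr: Optional[int]  # common address of ASDU (station address)
    ioa: Optional[int]          # information object address of the first object


def parse_apdu(data: bytes) -> Apdu:
    """Decode one IEC-104 APDU: 0x68, length, 4 control octets, then the ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length field does not match payload length")
    ctrl1 = data[2]
    if ctrl1 & 0x01 == 0:        # bit 0 clear: I-format
        frame_type = "I"
    elif ctrl1 & 0x03 == 0x01:   # bits 1..0 == 01: S-format
        frame_type = "S"
    else:                        # bits 1..0 == 11: U-format (STARTDT/STOPDT/TESTFR)
        frame_type = "U"
    if frame_type != "I":
        return Apdu(frame_type, None, None, None, None)
    asdu = data[6:]
    if len(asdu) < 9:  # type id, VSQ, COT (2), common address (2), IOA (3)
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F  # bit 6 = P/N (negative), bit 7 = test flag
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    return Apdu("I", type_id, cot, common_addr, ioa)


def inspect_frame(src_ip: str, data: bytes, approved_masters: Set[str]) -> Optional[str]:
    """Return an alert string if a control command comes from a non-approved host."""
    apdu = parse_apdu(data)
    if apdu.frame_type != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
        return None
    if src_ip in approved_masters:
        return None
    name = CONTROL_TYPE_IDS[apdu.type_id]
    phase = "activation" if apdu.cot == COT_ACTIVATION else f"COT={apdu.cot}"
    return (f"ALERT: {name} ({phase}) to station {apdu.common_addr} "
            f"IOA {apdu.ioa} from unapproved host {src_ip}")


def scan_flows(flows: Iterable[Tuple[str, bytes]], approved_masters: Set[str]) -> List[str]:
    """Run inspect_frame over (source IP, APDU bytes) pairs and collect alerts."""
    alerts = []
    for src_ip, data in flows:
        alert = inspect_frame(src_ip, data, approved_masters)
        if alert:
            alerts.append(alert)
    return alerts


# --- Constructed sample traffic (hypothetical addresses and frames) ---------
# I-frame, C_SC_NA_1 single command, COT=activation, station 1, IOA 0x1001, SCS=on
SINGLE_COMMAND = bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00,
                        0x2D, 0x01, 0x06, 0x00, 0x01, 0x00, 0x01, 0x10, 0x00, 0x01])
# I-frame, C_DC_NA_1 double command, COT=activation, station 1, IOA 0x1002, DCS=on
DOUBLE_COMMAND = bytes([0x68, 0x0E, 0x00, 0x00, 0x00, 0x00,
                        0x2E, 0x01, 0x06, 0x00, 0x01, 0x00, 0x02, 0x10, 0x00, 0x02])
# I-frame, M_SP_NA_1 single-point indication (monitoring direction, not a command)
POINT_REPORT = bytes([0x68, 0x0E, 0x02, 0x00, 0x00, 0x00,
                      0x01, 0x01, 0x03, 0x00, 0x01, 0x00, 0x01, 0x20, 0x00, 0x01])
# U-frame STARTDT act (no ASDU)
STARTDT_ACT = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])

APPROVED_MASTERS = {"10.0.1.5"}  # the only host that should command RTUs (assumed)
SAMPLE_FLOWS = [
    ("10.0.1.5", SINGLE_COMMAND),   # legitimate master: allowed
    ("10.0.2.20", POINT_REPORT),    # RTU reporting state: not a command
    ("10.0.3.77", STARTDT_ACT),     # session setup from unknown host: no command yet
    ("10.0.3.77", DOUBLE_COMMAND),  # breaker command from unknown host: alert
]

if __name__ == "__main__":
    for line in scan_flows(SAMPLE_FLOWS, APPROVED_MASTERS):
        print(line)
```

In a real deployment the frames would come from a span port or a protocol-aware IDS rather than a hard-coded list, and the allow-list would be the documented set of SCADA masters for each substation; the logic stays the same. Alerting only on the control ASDU types, rather than on every I-frame, keeps the rule quiet during normal polling while still catching the one thing a LightWork-style tool must do to affect the grid.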

By implementing these measures, organizations can enhance their resilience against evolving cyber threats like CosmicEnergy. It is crucial to stay updated on the latest cybersecurity developments, invest in robust defenses, and foster a proactive security culture to safeguard critical infrastructure from potential disruptions.

© 2023 Armoryze Consultancy Services, All Rights Reserved