In a recent report, leading cybersecurity firm Mandiant uncovered a highly sophisticated malware known as CosmicEnergy. This malicious software, believed to have ties to Russia, specifically targets industrial control systems (ICS) with the intent to disrupt electric grids. The discovery highlights the mounting concerns surrounding the potential threats faced by operational technology (OT) environments. This article delves into the key findings of the analysis conducted by Mandiant and explores the implications of this evolving cyber threat.
CosmicEnergy leverages the IEC 60870-5-104 (IEC-104) protocol, widely used for telecommunication functions within electric power systems. By speaking this protocol, the malware gains the ability to interact with remote terminal units (RTUs) commonly found in electric transmission and distribution networks across Europe, the Middle East, and parts of Asia. Its primary objective is to tamper with power line switches and circuit breakers, manipulating their actuation to disrupt power supply.
Understanding the Components:
CosmicEnergy comprises two primary components: LightWork and PieHop. LightWork speaks IEC-104 and is used to modify the state of an RTU, remotely switching the outputs it controls on or off. PieHop, on the other hand, connects to designated remote Microsoft SQL (MSSQL) servers for file uploads and then issues remote commands to RTUs via LightWork.
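As an added illustration (not code from Mandiant's report or from the malware), the following monitor parses IEC-104 I-format APDUs and flags control-command ASDUs, the message class LightWork would need in order to change RTU state, when they come from a host outside an allow list. The sample frames, IP addresses and allow list are constructed for this example.

```python
import struct

# ASDU type identifiers defined in IEC 60870-5-101/104 that carry control commands.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
    60: "C_RC_TA_1 regulating step command (time-tagged)",
}

def parse_apdu(frame: bytes):
    """Parse one IEC-104 APDU; return None for S/U-format or malformed frames."""
    if len(frame) < 6 or frame[0] != 0x68 or frame[1] + 2 != len(frame):
        return None
    if frame[2] & 0x01:                       # bit 0 set: S- or U-format, carries no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        return None
    type_id, vsq, cot, _cot_hi, ca_lo, ca_hi = struct.unpack("<6B", asdu[:6])
    objects = []
    if type_id in (45, 46):                   # 3-byte IOA followed by 1-byte SCO/DCO qualifier
        pos = 6
        for _ in range(vsq & 0x7F):
            if pos + 4 > len(asdu):
                break
            ioa = asdu[pos] | asdu[pos + 1] << 8 | asdu[pos + 2] << 16
            qual = asdu[pos + 3]
            state = (qual & 0x01) if type_id == 45 else (qual & 0x03)
            objects.append({"ioa": ioa, "state": state, "select": bool(qual & 0x80)})
            pos += 4
    return {"type_id": type_id, "cause": cot & 0x3F,
            "common_address": ca_lo | ca_hi << 8, "objects": objects}

def flag_control_commands(packets, allowed_sources):
    """packets: iterable of (src_ip, apdu_bytes). Returns one alert per control ASDU
    sent by a host that is not authorised to operate the RTUs."""
    alerts = []
    for src, frame in packets:
        apdu = parse_apdu(frame)
        if apdu and apdu["type_id"] in CONTROL_TYPE_IDS and src not in allowed_sources:
            alerts.append({"src": src, "asdu": CONTROL_TYPE_IDS[apdu["type_id"]],
                           "ca": apdu["common_address"], "objects": apdu["objects"]})
    return alerts

# Constructed sample traffic (assumption for this example): a routine interrogation
# from the SCADA master, then a single-command ON and a double-command OFF from an
# unexpected host, followed by an S-format acknowledgement that carries no ASDU.
SAMPLE_PACKETS = [
    ("10.0.0.10", bytes.fromhex("680e00000000640106000100000000" + "14")),
    ("10.0.0.99", bytes.fromhex("680e020000002d0106000100030000" + "01")),
    ("10.0.0.99", bytes.fromhex("680e040000002e0106000100050000" + "01")),
    ("10.0.0.99", bytes.fromhex("680401000200")),
]
```

Running `flag_control_commands(SAMPLE_PACKETS, {"10.0.0.10"})` yields two alerts, one for each command frame from 10.0.0.99, while the interrogation from the master and the S-format frame are ignored.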
Manual Involvement Required:
It is important to note that CosmicEnergy alone is incapable of gathering the necessary information required to launch an attack. The attacker must manually collect IP addresses and credentials to initiate an assault on the targeted infrastructure.
Potential Linkages to Russia:
Mandiant's analysis uncovered a sample of the CosmicEnergy malware uploaded to a malware scanning service in December 2021. The uploader is believed to be an individual from Russia. Intriguingly, Mandiant suspects that the malware may have been developed by a contractor associated with Rostelecom-Solar, a Russian cybersecurity company. There is speculation that the malware could have been part of a red teaming tool employed for simulating power disruption scenarios and emergency response exercises. Rostelecom-Solar received government funding in 2019 to conduct cybersecurity training and exercises, further suggesting a plausible connection.
Despite these indications, Mandiant acknowledges the absence of definitive evidence and presents an alternate possibility: that a different actor, with or without permission, repurposed code associated with the cyber range to create the CosmicEnergy malware. Threat actors often adapt red team tools, including publicly available exploitation frameworks, for real-world attacks; TEMP.Veles' use of Meterpreter during the Triton attack is one example of this practice.
Implications and Similarities:
Instances of nation-state actors engaging contractors to develop offensive capabilities have also been observed, as evidenced by contracts between Russia's Ministry of Defense and NTC Vulkan. These observations imply that CosmicEnergy may have been intentionally developed for malicious purposes or, at the very least, can be used to support targeted threat activity. The capabilities displayed by CosmicEnergy resemble those of previous Russian malware such as Industroyer and Industroyer2, which targeted Ukraine's energy sector. Researchers have also identified technical similarities to other OT malware families like Triton and Incontroller, which were specifically designed to cause physical damage or disruption.
Enhancing Security Measures:
The emergence of CosmicEnergy serves as a stark reminder of the evolving threat landscape facing critical infrastructure, particularly electric grids. Safeguarding against such attacks demands heightened vigilance, proactive security measures, and continued collaboration among government entities, private sector organizations, and cybersecurity experts.
The discovery of CosmicEnergy and its potential linkages to Russia underscore the urgent need for robust cybersecurity measures in protecting critical infrastructure, particularly electric grids. As the threat landscape continues to evolve, it is crucial for organizations to remain vigilant and proactive in their approach to security.
To defend against the sophisticated tactics employed by malware like CosmicEnergy, the following measures should be implemented:
By implementing these measures, organizations can enhance their resilience against evolving cyber threats like CosmicEnergy. It is crucial to stay updated on the latest cybersecurity developments, invest in robust defenses, and foster a proactive security culture to safeguard critical infrastructure from potential disruptions.