Discovered a malware that could plunge our cities into darkness

Security company researchers mandiant they discovered a new malwareidentified as CosmicEnergydeveloped to target Operational Technology (OT) systems and Industrial Process Control Systems (ICS).

The term “operational technology” (OT, Operational Technology) refers to i hardware and software systems used to control industrial processes.

A malfunction in these systems could have serious consequences, especially if they oversee processes within critical infrastructures such as electrical networks.

According to Mandiant experts, CosmicEnergy was first uploaded to online malware scanning service VirusTotal in December 2021 by a Russian user. The circumstance suggests that the user was testing the malware’s ability to evade the main antivirus systems used by VirusTotal.

The malware was designed to interfere with devices using the IEC 60870-5-104 (IEC-104) protocol, such as remote terminals (RTU), with theintent to cut off the power supply.

RTU systems are very popular in the industrial sector, especially in the energy sector where they are common in electricity transmission and distribution processes, in Europe, the Middle East and Asia.

Unfortunately, CosmicEnergy is nothing new in the threat landscape, other malware has been developed and used to attack OT systems in the past. However, it must be said that these malware, including the codes known as Industroyer and Industroyer2, were conceived in a nation state context, i.e. by groups operating sabotage operations on behalf of governments.

According to Mandiant, CosmicEnergy distinguishes itself from OT malware discovered in the past as it appears to have been developed by a Russian government Red Teaming contractor. The malware was allegedly developed and used in an exercise in which an attack on electrical power systems was simulated. The malware was developed by the Russian cybersecurity company Rostelecom-Solar and its capabilities are similar to those of the Industroyer and Industroyer2 malware that have been used by Russian groups to attack power grids in Ukraine since 2015.

“CosmicEnergy’s capabilities and overall attack strategy appear to be reminiscent of the 2016 Industroyer incident, which executed IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have used an MSSQL server as the system for accessing OT systems.” reads the analysis published by Mandiant. “Taking advantage of this access, a remote attacker can send commands to affect the activation of power line breakers and circuit breakers to cause power outages“.

CosmicEnergy malware consists of two main components identified as Piehop and Lightwork.

Piehop is the component for executing IEC-104 “ON” or “OFF” commands on remote systems, while Lightwork is a tool that implements the IEC-104 protocol to change the state of RTUs.

“The CosmicEnergy discovery demonstrates that barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge of previous attacks to develop new malware.” Mandiant concludes. “we believe that CosmicEnergy poses a real threat to the resources used by electricity grids“.

At this point it is It is legitimate to ask how vulnerable the national industrial sector is and if this type of malware could soon become a valuable tool in the arsenals of criminal groups.

Safe on the Net

The roots of attacks on the energy sector are rooted in the Dark Web

by Pierluigi Paganini

May 19, 2023

To clarify the subject I interviewed a security expert specialized in the protection of OT systems, Alessio Rosas OT senior expert in Sicuranext.

Here are his answers:

How complex is it to develop malware like Cosmicenergy and why? Are we able today to neutralize threats like this and how?

Surely a malware like CosmicEnergy is very expensive in terms of resources and research in development and testing (not by chance it is assumed that it derives from a red teaming tool used by a Russian company). The complexity arises from the search for the automation method to best exploit the “by design” vulnerabilities of the target industrial protocol and of the OT devices involved in the kill chain.

These threats can be stopped with a combination of traffic monitoring and threat intelligence, certainly as well as research and development to minimize entry points and exploit vulnerabilities in OT assets.

In your opinion, what is the Italian situation and what damage could malware like Cosmicenergy cause? What are the most exposed sectors?

Currently in Italy we are trying to increase awareness of the threat in the field of industrial cyber security, we recall that the Italian economic fabric is mainly composed of small and medium-sized enterprises and is therefore very critical; There are still many vulnerabilities and points of exposure on the internet and in some cases we are in the presence of critical flaws, for example I am talking about the possibility of taking total control of PLCs rather than exposing SCADA or HMI systems, but also of servers Historian, ScadaServer.

Malware like the one in question (which closely follows the footsteps of the Industroyer series) in the event of infection, could cause serious damage especially to companies in the energy sector or companies that in any case use the target protocol (IEC-104).

To date, malware like Cosmicenergy has been developed exclusively by nation-state actors. Do you think cybercrime groups could start developing ICS malware to attack our systems?

Certainly yes, many criminal groups, such as for example the ransomware gangs, have been dedicating themselves to the study of the ICS field for some time, also with the creation of prototypes, because they have understood that it is a sector which, if hit, could bring large profits.

Nation-state actors will certainly continue to develop sophisticated tools that will then be used by the aforementioned groups to reshape the attack, targeting even medium-sized companies.