New CosmicEnergy Operational Technologies Malware Identified

A new malware named CosmicEnergy has been found that targets operational technologies. Researchers that located the malware mentioned they think it was created by a contractor as element of a red teaming tool for conducting electric energy disruption workouts.

Researchers with Mandiant very first found the malware immediately after it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. They think the malware has been applied for simulated energy disruption workouts hosted by Russian safety business Rostelecom-Solar, which received a government subsidy in 2019 to train cybersecurity professionals for conducting emergency response workouts. The discovery of this prospective red group-associated malware is substantial simply because generally these varieties of capabilities are restricted to state-sponsored actors that have the knowledge and sources to launch offensive OT threat activities.

“The discovery of COSMICENERGY illustrates that the barriers to entry for building offensive OT capabilities are lowering as actors leverage know-how from prior attacks to create new malware,” mentioned researchers with Mandiant in a Thursday evaluation. “Given that threat actors use red group tools and public exploitation frameworks for targeted threat activity in the wild, we think COSMICENERGY poses a plausible threat to impacted electric grid assets.”

Researchers produced the hyperlink to Rostelecom-Solar immediately after identifying a comment in CosmicEnergy’s code displaying the sample utilizes a module related with a project named “Solar Polygon,” which is linked to a cyber variety created by the business. When this hyperlink exists, researchers mentioned that it is also doable that a diverse actor reused the code related with the cyber variety to create CosmicEnergy for malicious purposes, although no public targeting has been observed however.

“Threat actors often adapt and make use of red group tools – such as industrial and publicly offered exploitation frameworks – to facilitate true globe attacks, like TEMP.Veles’ use of METERPRETER through the TRITON attack,” mentioned researchers. “There are also numerous examples of nation-state actors leveraging contractors to create offensive capabilities, as shown most lately in contracts in between Russia’s Ministry of Defense and NTC Vulkan.”

CosmicEnergy is equivalent in its capabilities to earlier OT malware households Industroyer and Industroyer two., as each variants aim to trigger electric energy disruption via targeting devices generally applied in electric transmission and distribution operations.

“The discovery of COSMICENERGY illustrates that the barriers to entry for building offensive OT capabilities are lowering as actors leverage know-how from prior attacks to create new malware.”

Industroyer, initially deployed in December 2016 to trigger energy outages in Ukraine, targeted a network protocol named IEC-104 that is generally applied by devices in industrial manage method environments such as remote terminal units (RTUs), which are applied to remotely monitor and manage a variety of automation systems. Industroyer sent ON/OFF commands via IEC-104 to interact with these RCUs, impacting the operations of energy line switches and circuit breakers in order to trigger energy disruption. CosmicEnergy utilizes this identical capability by way of two disruption tools: A single tool named PieHop written in Python, which connects to a remote MSSQL server to upload files and concern remote ON/OFF commands to an RTU by way of IEC-104 and a further named LightWork, which PieHop utilizes to execute the ON/OFF commands on remote systems by way of the IEC-104 protocol prior to deleting the executable.

“COSMICENERGY is pretty comparable to other OT malware households – primarily INDUSTROYER and INDUSTROYERV2 with which it has some similarities in the method it requires to the attack and the protocol it leverages,” mentioned Daniel Kapellmann Zafra, Mandiant evaluation manager with Google Cloud. “We also located some similarities with IRONGATE, TRITON and INCONTROLLER on a lesser level such as abuse of insecure by design and style protocols, use of open supply libraries for protocol implementation and use of python for malware improvement and/or packaging.”

Of note, CosmicEnergy does lack discovery capabilities, so an operator would require to carry out internal reconnaissance of MSSQL server IP addresses and credentials, and IEC-104 device IP addresses. The malware’s PieHop tool also contains a quantity of programming logic errors that may possibly indicate it was nevertheless below active improvement when found, mentioned Kapellmann Zafra – even so, he mentioned, the fixes essential to make the malware usable are minimal.

The discovery of CosmicEnergy is exclusive simply because malware households targeting industrial manage systems – like Stuxnet, PipeDream and BlackEnergy – are hardly ever disclosed. On the other hand, attackers are beginning to concentrate far more on ICS environments with custom-constructed frameworks and malware targeting these networks. And even though crucial infrastructure safety has been major of thoughts for the U.S. government more than the previous year, researchers mentioned CosmicEnergy, like other equivalent varieties of malware, will continue to leverage vulnerable pieces of OT environments – such as insecure by design and style protocols like IEC-104 – that are “unlikely to be remedied any time quickly.”

“For these factors, OT defenders and asset owners really should take mitigating actions against COSMICENERGY to preempt in the wild deployment and to improved comprehend popular functions and capabilities that are regularly deployed in OT malware,” mentioned Mandiant researchers. “Such know-how can be valuable when performing threat hunting workouts and deploying detections to determine malicious activity inside OT environments.”