A new malware toolkit dubbed COSMICENERGY has been found by cybersecurity researchers from Mandiant. This toolkit is believed to have been created for red-teaming exercises by a Russian cybersecurity company called Rostelecom-Solar, which has links to the Russian government. This malware can interact with remote terminal units (RTUs) and other operational technology (OT) devices that use the specialized IEC-60870-5-104 (IEC-104) protocol, which is commonly used for electrical engineering and power automation.
Mandiant’s researchers have warned that COSMICENERGY is the latest example of specialized OT malware capable of causing cyber-physical impacts, which are rarely discovered or disclosed. The malware toolkit’s capabilities have been found to be comparable to those employed in previous incidents and malware such as INDUSTROYER and INDUSTROYER.V2, which were both deployed in the past to impact electricity transmission and distribution via IEC-104.
INDUSTROYER, also known as Crashoverride, is a malware program that was used in 2016 against the Ukrainian power grid, leaving a fifth of Kyiv, the country’s capital, without power for 1 hour. The malware reached the RTUs on the OT network via MSSQL servers that acted as data historians and then issued ON/OFF commands over IEC-104 to affect power line switches and circuit breakers. The creation and use of INDUSTROYER are attributed to Sandworm, an APT group thought to be a cyberwarfare unit within the GRU, Russia’s military intelligence service. In 2022, Sandworm attempted another attack against Ukraine’s power grid using an updated version of the malware known as INDUSTROYER.V2.
Mandiant’s analysis of COSMICENERGY’s code material suggests that it was created for red team exercises hosted by Rostelecom-Solar. The malware toolkit was uploaded to a public malware scanning service in December 2021 by someone in Russia. Mandiant suggests that despite its apparent ties to red team exercises, the possibility exists that the malware toolkit could be repurposed for real-world attacks, including by Russian nation-state actors that have used private contractors before to develop tools.
COSMICENERGY consists of two components – one written in Python and one in C++. The Python-based component, which Mandiant has dubbed PIEHOP, is designed to connect to MSSQL servers to upload files or issue commands. Once connected, it deploys the second component, dubbed LIGHTWORK, designed to issue ON and OFF commands to connected RTUs via IEC-104 over TCP.
A module in the malware toolkit contains a reference to Solar Polygon, which appears to tie it to Rostelecom-Solar. Rostelecom-Solar has received funding from the Russian government to train cybersecurity experts and conduct electric power disruption and emergency response exercises.
While COSMICENERGY doesn’t share any code with previous OT malware tools, it does borrow techniques from several of them beyond INDUSTROYER. Its use of Python for OT malware development has also been observed in IRONGATE and TRITON, as has the use of open-source libraries that implement proprietary OT protocols, which lowers the bar for developing such threats. Furthermore, the toolkit abuses protocols such as IEC-104 that are insecure by design, lacking any authentication and encryption mechanisms.
While there’s no evidence that COSMICENERGY has been used in attacks in the wild, the possibility cannot be discounted. Organizations should conduct active threat hunting; the Mandiant report contains indicators of compromise and file hashes. They should also establish collection and aggregation of host-based logs for crown-jewel systems such as human-machine interfaces (HMI), engineering workstations (EWS), and OPC client servers within their environments, and review those logs for evidence of Python script or unauthorized code execution. Systems with access to OT resources should be monitored for the creation of the temporary folders, files, artifacts, and external libraries that packaged Python scripts leave behind when they execute. It’s also essential to monitor MSSQL servers with access to OT systems and networks for evidence of: reconnaissance and enumeration of MSSQL servers and credentials; unauthorized network connections to MSSQL servers (TCP/1433) and irregular or unauthorized authentication; enablement and use of SQL extended stored procedures for Windows shell command execution; and the transfer, creation, staging, and decoding of base64-encoded executables.
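As a network-side complement to the host and MSSQL monitoring above, the following added example (not code from Mandiant or from the toolkit) decodes IEC-104 frames from a captured TCP payload and flags the single/double command ASDUs that carry the ON/OFF operations the article describes; the sample bytes are constructed for illustration and the field layout follows the public IEC 60870-5-104 specification.

```python
"""Flag IEC-104 control commands (single/double ON/OFF) in a captured TCP payload."""

START = 0x68
C_SC_NA_1 = 45        # single command (one-bit ON/OFF)
C_DC_NA_1 = 46        # double command (two-bit OFF=1 / ON=2)
COT_ACTIVATION = 6    # cause of transmission: activation


def parse_apdus(payload: bytes):
    """Split a payload into APDUs and yield (control, asdu) for I-format frames only."""
    off = 0
    while off + 2 <= len(payload):
        if payload[off] != START:
            raise ValueError(f"bad start byte at offset {off}")
        length = payload[off + 1]                   # control field (4) + ASDU length
        frame = payload[off + 2: off + 2 + length]
        if len(frame) != length or length < 4:
            raise ValueError("truncated APDU")
        control, asdu = frame[:4], frame[4:]
        if control[0] & 0x01 == 0:                  # bit 0 clear: I-format, carries an ASDU
            yield control, asdu
        off += 2 + length


def decode_command(asdu: bytes):
    """Describe a single/double command ASDU; return None for any other type."""
    if len(asdu) < 10:                              # 6-byte header + 3-byte IOA + qualifier
        return None
    type_id, _vsq, cot_lo, _cot_hi, ca_lo, ca_hi = asdu[:6]
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    qualifier = asdu[9]
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"          # SCS bit
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")  # DCS bits
    return {
        "type": "single" if type_id == C_SC_NA_1 else "double",
        "common_address": ca_lo | (ca_hi << 8),
        "ioa": ioa,
        "state": state,
        "select": bool(qualifier & 0x80),            # S/E bit: 1 = select, 0 = execute
        "activation": (cot_lo & 0x3F) == COT_ACTIVATION,
    }


def find_commands(payload: bytes):
    """Return every control command found in the payload (empty list if none)."""
    return [cmd for _, asdu in parse_apdus(payload) if (cmd := decode_command(asdu))]


# Constructed sample: a U-format TESTFR frame followed by an I-format double command
# (CA 1, IOA 10000, ON, execute, activation).
SAMPLE = bytes.fromhex("680443000000" "680e000000002e010600010010270002")
```

Running `find_commands(SAMPLE)` on a real capture feed (for instance, TCP/2404 payloads reassembled per flow) lets an IDS rule alert on any ON/OFF command that did not originate from a known HMI.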