
CosmicEnergy Malware has the Ability to Shut Down Electric Grid


A new malware capable of disrupting industrial control systems has been detected by Mandiant researchers on VirusTotal. The anti-virus system revealed the CosmicEnergy software, which had been uploaded by a Russian user in December 2021 and is believed to be connected to a power disruption red-team exercise run by the Russian cybersecurity firm Rostelecom-Solar. CosmicEnergy is modelled on the first-ever malware for electric grids, Industroyer, and other damaging software such as Irongate, Ironcontroller and Triton/Trisis. The software can manipulate a remote terminal unit, a critical type of industrial controller that provides telemetry links between machines and their control systems. Mandiant analysis manager at Google Cloud, Daniel Kapellmann Zafra, said “CosmicEnergy demonstrates just how approachable malware designed for kinetic damage can be”.

With the CosmicEnergy malware, attackers can cause power disruptions simply by sending a command to trip a power-line switch or circuit breaker. The software relies on two components. The first, PieHop, is a Python-based tool that links an attacker-controlled MSSQL server with a remote terminal unit at a targeted industrial site. The second is Lightwork, a C++-based tool, which then takes advantage of the remote terminal unit’s toggling capabilities, modifying the unit’s state before erasing its execution from the targeted system. The researchers have noted that “the sample of PieHop we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities,” but added that “we believe these errors can be easily corrected.”

Compounding the danger of CosmicEnergy’s discovery is the reality that industrial control devices, such as remote terminal units, are typically “insecure by design.” This is because such machines were often designed to operate in trusted environments, without security being taken into consideration. Even their features or the functionalities detailed in their manuals can be seen as vulnerabilities in a security context. Despite the lack of security, these essential devices form the backbone of many industrial operations. In the case of CosmicEnergy, overcoming the remote terminal units is facilitated by open-source protocols that are relatively easy to manipulate.

To defend against the insidious CosmicEnergy malware – and others like it – proactivity is key, according to Mandiant’s Kapellmann Zafra. Detection is crucial, but keeping an eye out for any behaviour that is unexpected is also vital. The malware illustrates a fundamental weakness that has not previously received much attention in the industrial world. Now, the challenge for industrialists is to ensure that their vital systems and assets are protected until remote terminal units with a higher level of inherent security become more commonplace.
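The article describes the malware tripping breakers through IEC-104 control commands and recommends watching for unexpected behaviour. The following added example (written for this page; it is not Mandiant's code nor part of the CosmicEnergy samples) shows what such monitoring looks like at the protocol level: it parses IEC 60870-5-104 APDUs, picks out the ASDU types that carry switching commands (type IDs 45, 46, 47, 58, 59 from the standard), and raises an alert when a control command in the activation direction comes from a host that is not an approved SCADA master. The frames and IP addresses are constructed for the demonstration, and the "allowed masters" list is an assumed site-specific configuration.

```python
"""Added example: a minimal IEC 60870-5-104 control-command monitor for OT network traffic."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# ASDU type identifiers for control-direction commands (IEC 60870-5-101/104).
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6      # cause of transmission: activation (master -> RTU)
COT_DEACTIVATION = 8    # cause of transmission: deactivation


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_address: int
    ioa: int


@dataclass
class Alert:
    src_ip: str
    severity: str
    description: str
    asdu: Asdu


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one APDU. Returns the ASDU header for I-format frames,
    None for S/U-format frames (which carry no ASDU) or malformed input."""
    if len(data) < 6 or data[0] != 0x68:      # every APDU starts with 0x68
        return None
    if data[1] + 2 != len(data) or data[1] < 4:  # length octet counts bytes after itself
        return None
    if data[2] & 0x01:               # control octet 1, bit 0 set: S-format or U-format
        return None
    asdu = data[6:]
    if len(asdu) < 9:                # type(1) VSQ(1) COT(2) CA(2) IOA(3) minimum
        return None
    return Asdu(
        type_id=asdu[0],
        cot=asdu[2] & 0x3F,          # low 6 bits = cause; bit 6 P/N, bit 7 test flag
        common_address=asdu[4] | (asdu[5] << 8),
        ioa=asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),
    )


def scan(events: Iterable[Tuple[str, bytes]], allowed_masters: Set[str]) -> List[Alert]:
    """Flag every control command sent in the activation direction. Commands from an
    unapproved source are 'high'; commands from a known master are 'notice' so
    operators can reconcile them against the switching schedule."""
    alerts: List[Alert] = []
    for src_ip, frame in events:
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPE_IDS:
            continue
        if asdu.cot not in (COT_ACTIVATION, COT_DEACTIVATION):
            continue                 # e.g. COT 7 (activation confirm) echoed back by the RTU
        name = CONTROL_TYPE_IDS[asdu.type_id]
        if src_ip in allowed_masters:
            alerts.append(Alert(src_ip, "notice", f"{name} from approved master", asdu))
        else:
            alerts.append(Alert(src_ip, "high", f"{name} from unapproved host", asdu))
    return alerts


# Constructed sample frames (hex) and constructed IP addresses, not captured traffic.
SINGLE_CMD_ON = bytes.fromhex("680E 00000000 2D 01 0600 0100 010000 01")
INTERROGATION = bytes.fromhex("680E 00000000 64 01 0600 0100 000000 14")
S_FRAME = bytes.fromhex("6804 01000200")
DOUBLE_CMD = bytes.fromhex("680E 02000000 2E 01 0600 0100 050000 02")

SAMPLE_EVENTS = [
    ("10.0.0.5", SINGLE_CMD_ON),        # approved SCADA master operates IOA 1
    ("10.0.0.5", INTERROGATION),        # routine station interrogation, not a control
    ("10.0.0.5", S_FRAME),              # supervisory acknowledgement, no ASDU
    ("192.168.7.23", DOUBLE_CMD),       # unapproved host sends a double command to IOA 5
]
ALLOWED_MASTERS = {"10.0.0.5"}          # assumed site configuration

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS, ALLOWED_MASTERS):
        print(f"[{a.severity}] {a.src_ip}: {a.description} "
              f"(CA={a.asdu.common_address}, IOA={a.asdu.ioa})")
```

Run against the constructed events, the monitor stays silent on the interrogation and the S-frame, records a notice for the approved master's single command, and raises a high-severity alert for the double command from the unknown host. In a real deployment the frames would come from a network tap or a Zeek/Suricata IEC-104 parser, and the "notice" alerts are worth keeping: the article's point is that a legitimate-looking command from a compromised host is exactly what CosmicEnergy produces, so every breaker operation should be reconcilable with an operator action.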

