CosmicEnergy, OT and ICS malware possibly developed in Russia for red teaming.
the cyberwire logoMay 26, 2023

CosmicEnergy might be a red-teaming tool. On the other hand, it might not.

CosmicEnergy, OT and ICS malware possibly developed in Russia for red teaming.

Update: CosmicEnergy does not appear to be an immediate threat.

(Update, 6:30 PM ET, June 12th, 2023.) Dragos has released its own research into and assessment of CosmicEnergy. Their conclusion is far less alarmist than some earlier evaluations of the malware had been. CosmicEnergy is not, they’ve determined, related to either Industroyer or CrashOverride. The researchers say, “After analyzing COSMICENERGY, Dragos concluded that it is not an immediate risk to OT environments. The primary purpose of COSMICENERGY appears to have been for training scenarios rather than for deployment in real-world environments. There is currently no evidence to suggest that an adversary is actively deploying COSMICENERGY.” 

CosmicEnergy discovered in a public malware-scanning utility.

Researchers at Mandiant have discovered a new malware designed to disrupt electricity supply and critical infrastructure. Called CosmicEnergy, the malware specializes in affecting operational technology (OT) and industrial control systems (ICS) by “interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia,” writes Mandiant. CosmicEnergy was uploaded to a public malware scanning utility in 2021 by a user in Russia. The version obtained by Mandiant lacks a built in discovery capability, which means that a user would have to manually identify the IPs of MSSQL servers, MSSQL credentials and target IEC-104 information object addresses. Attribution is not conclusive but researchers suggest that this malware could have been a Russian red teaming tool used in exercises to simulate an electric infrastructure attack.

CosmicEnergy is composed of two components, PieHop and LightWork. LightWork is a C++ tool which is meant to enable the user to modify RTUs over TCP, allowing the user to turn off power, and PIEHOP is able to issue remote commands to RTUs by connecting to an MSSQL user-server. Mandiant writes, “PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands ‘ON’ or ‘OFF’ to the remote system and then immediately deletes the executable after issuing the command. The sample of PIEHOP we obtained contains programming logic errors that prevent it from successfully performing its IEC-104 control capabilities, but we believe these errors can be easily corrected.” 

CosmicEnergy could be a Russian red teaming tool but attribution is inconclusive. 

The researchers explain that it is possible that this malware was developed as a red teaming tool for Rostelecom-solar, a Russian cyber security firm. Mandiant has not been able to attribute this malware to any nation state but they explain that this could have been used for an exercise in Russia to simulate an attack on power stations. They write, “Although we have not identified sufficient evidence to determine the origin or purpose of CosmicEnergy, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets. It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St.Petersburg’s International Economic Forum (SPIEF).” They add that it is equally possible that this was created by another actor as there is a lack of conclusive evidence, “Threat actors regularly adapt and make use of red team tools - such as commercial and publicly available exploitation frameworks - to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack.”

Erich Kron, Security Awareness Advocate at KnowBe4, writes “Industrial control systems continue to be a significant target for bad actors around the globe, especially for nation state actors. The CosmicEnergy malware is simply another ICS targeted malware and will most certainly not be the last. Weaponizing security tools is not a new tactic or technique and the fact that this is one of those potentially weaponized red team tools, also serves to show that the nation state behind this likely has concerns over their own critical infrastructure.”

Critical industries are at risk due to lack of funding and inherent security flaws.

Mandiant writes that CosmicEnergy does not overlap with other malware, but it does exhibit some capabilities that resemble previously observed malware. “The most significant similarities we identified are with Industroyer and Industroyer.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution.” researchers explained. Further, the researchers assess that several trends could emerge based on technologies they observed in CosmicEnergy. Specifically, the abuse of OT protocols due to their inherent insecurities. The use of open source libraries can lower the barrier of entry to these OT attacks, but the researchers assert that the malware used will require “custom protocol implementations.” Lastly, Mandiant expects Python to continue being used for malware as they have observed in Irongate and Triton.

KnowBe4’s Kron commented on the risk infrastructure operators face. “Unfortunately the critical infrastructure industry suffers from a lack of resources on the security side,” he said. “With the high cost of security professionals and tools, these critical infrastructure organizations are between a rock and a hard place. Their primary mission is to provide cost effective and reliable services to people so this often consumes a significant part of the budget. Investing heavily in cybersecurity defense, especially for smaller organizations such as co-ops or municipality run service providers, could make the cost of the service, whether it's electricity, water, or something else, prohibitively high. For this reason, it's very important for these providers to budget their security funds wisely. Since one of the most common and effective attack methods is email phishing, wise organizations focus on the threat by educating their users in the methods to spot and report these phishing attacks. It's also important that these organizations have a program in place to patch software as quickly and efficiently as they can, while ensuring there is no disruption to services."

Preparing for a potential threat.

(Added, 12:15 AM ET, June 3rd, 2023. Jan Miller, CTO of Threat Analysis at OPSWAT, offered an appreciation of CosmicEnergy and suggested steps organizations might take to prepare themselves should a potential threat become actual:

“While concerning, COSMICENERGY lacks intrusion and discovery capabilities, meaning it requires the operator to perform an internal reconnaissance of the network to determine the IEC-104 device IP addresses to be targeted. INDUSTROYER, on the other hand, has a more sophisticated modular architecture that includes components for scanning, reconnaissance, command execution, and wiping. In the face of growing concerns regarding state-sponsored cyberattacks and their potential impact on energy grids, it is crucial for OT defenders and asset owners to take proactive measures to mitigate the effects of OT-specific malware. To address this pressing issue, we recommend implementing the following best practices:

  • "Monitor network traffic for IEC-104 protocol activity and anomalous commands and perform malware analysis on all inbound active content.
  • "Restrict access to MS-SQL servers that have access to RTUs and enforce strong authentication and encryption mechanisms. 
  • "Segment OT networks from IT networks and limit the exposure of IEC-104 devices to the internet. 
  • "Update OT devices with the latest security patches and firmware. "
  • Implement backup and recovery plans in case of power disruption incidents.

"Levering machine-learning based threat hunting and file emulation technologies, organizations can proactively defend against threats like COSMICENERGY by extracting hundreds of data points from a given file and using behavior-based fingerprints to identify similar and potential malware in the future.”)