Ukraine at D+456: CosmicEnergy's attack potential.
N2K logoMay 26, 2023

Cross-border strikes, and an ambiguous but disturbing discovery of malware designed to disrupt industrial operations.

Ukraine at D+456: CosmicEnergy's attack potential.

Governors of three Russian regions said they experienced Ukrainian shelling overnight. Ukraine hasn't commented on the reports. Russia fired seventeen missiles and thirty-one Iranian-made Shahed drones against a range of targets in Ukraine last night. Ukrainian air defenses shot down ten of the missiles and twenty-three of the drones. Some of the targets were military, other, including a medical clinic in Dnipro, civilian.

Russian paramilitaries in Ukraine.

The Wagner Group isn't the only paramilitary formation fighting in Ukraine. This morning's situation report from the UK's Ministry of Defence describes their growing role in holding occupied territory. "Over at least the last 20 years, Russia has experienced a proliferation of paramilitary groups out of its regular armed forces. However, this ‘paramilitarisation’ has dramatically accelerated since Russia’s invasion of Ukraine and is particularly important in the Crimean Peninsula. The leader of Russian-occupied Crimea, Sergei Aksyonov, has been instrumental in setting up several local units, which often claim affiliation with the Cossack tradition. Most have been given some semi-official status as reserve units of the regular army. Aksyonov is likely keen to burnish his patriotic credentials by recruiting fighters, but he is likely also concerned about the regular army’s ability to defend the peninsula. The main element of the Russian garrison, 22nd Army Corps, is currently mostly deployed outside the peninsula and has taken heavy casualties."

CosmicEnergy, an Operational technology and ICS malware possibly developed for Russian red teaming. 

Researchers at Mandiant have discovered a new malware designed to disrupt electricity supply and critical infrastructure. Called CosmicEnergy, the malware specializes in affecting operational technology (OT) and industrial control systems (ICS) by “interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia,” writes Mandiant. CosmicEnergy was uploaded to a public malware scanning utility in 2021 by a user in Russia. The version obtained by Mandiant lacks a built in discovery capability, which means that a user would have to manually identify the IPs of MSSQL servers, MSSQL credentials and target IEC-104 information object addresses. Attribution is not conclusive but researchers suggest that this malware could have been a Russian red teaming tool used in exercises to simulate an electric infrastructure attack.

CosmicEnergy was found on VirusTotal, which seems a curious place for a threat actor to park malware, but it's happened before. The researchers explain that it is possible that this malware was developed as a red teaming tool for Rostelecom-solar, a Russian cyber security firm. Mandiant has not been able to attribute this malware to any nation state, but they explain that this could have been used for an exercise in Russia to simulate an attack on power stations. They write, “Although we have not identified sufficient evidence to determine the origin or purpose of CosmicEnergy, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets. It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St.Petersburg’s International Economic Forum (SPIEF).” They add that it is equally possible that this was created by another actor as there is a lack of conclusive evidence, “Threat actors regularly adapt and make use of red team tools - such as commercial and publicly available exploitation frameworks - to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack.”

And, of course, even legitimate red-teaming tools can be put to malign purposes. CosmicEnergy hasn't been observed in attacks so far, either in Ukraine or elsewhere, but the possibility of its offensive use can't be ignored.