Understanding COSMICENERGY, an Emerging OT Malware

When thinking of malware, we often consider the impact on the targeted organization’s data and IT systems. However, security researchers with Mandiant have identified a new OT/ICS-oriented malware, COSMICENERGY, which is built to disrupt electric power and so cause physical impact rather than only data loss. Mandiant compares the malware’s capabilities to those of the Industroyer and Industroyer2 variants, both of which were deployed to disrupt electric transmission in Ukraine. Russia has historically targeted Ukraine’s electrical grid, including with missile and drone attacks in November 2022 that left Ukrainian civilians without power, water, or heat. While those outages were caused by missiles and drones, possession of a malware variant that can cause power outages would allow Russia to continue targeting Ukraine’s grid without undertaking significant kinetic military efforts.


In December 2016, the Ukrainian capital of Kiev was hit with a blackout caused by a cyberattack. The malware, Industroyer, directly interfered with the operation of industrial hardware and was built to abuse weaknesses in ICS equipment and the communication protocols it used, including IEC-104, the same protocol COSMICENERGY speaks. The Industroyer attack was attributed to Sandworm Team, a Russia-linked APT group known for targeting Ukraine. This blog post covers the COSMICENERGY malware and its potential impacts looking forward.


About COSMICENERGY

The initial access vector for COSMICENERGY is not known at the time of writing. However, there is an Even Chance that the malware is deployed via the exploitation of vulnerabilities or social engineering tactics. Mandiant notes that Industroyer may have used an MSSQL server as a conduit system to reach OT networks, which would have allowed the threat actors to send remote commands affecting the operation of power line switches and circuit breakers. COSMICENERGY follows the same approach with two components: PIEHOP and LIGHTWORK.


PIEHOP is a Python-based disruption tool that, as Mandiant writes, connects to a user-supplied remote MSSQL server to upload files and issue remote commands to a remote terminal unit (RTU). Unlike a programmable logic controller (PLC), which typically sits on a local plant network, an RTU is built to be supervised and controlled from a distant control center over a wide-area link, and one control center commonly manages RTUs at many sites. This Likely makes an RTU an attractive target for remote threat actors, as a single access path can cause a significant impact on the organization and on the citizens of the targeted geography. Russia has consistently attempted to conduct attacks that push Ukrainian citizens to lose trust in their government. An attack that leaves the citizens of Ukraine without heat and power would Likely aid in that goal.


LIGHTWORK, according to Mandiant, is a disruption tool written in C++ that implements the IEC-104 protocol. PIEHOP runs it to send IEC-104 ON or OFF commands that change the state of the RTU’s information objects and then deletes the executable. Mandiant writes that the LIGHTWORK sample they reviewed “includes eight hardcoded IEC-104 information object addresses (IOA) which typically correlate with input or output data elements on a device […] However, IOA mappings often differ between manufacturers, devices, and even environments.” This indicates that there is an Even Chance that the threat actors developed this to target specific victims. Because COSMICENERGY has no discovery capability of its own, successful attack execution depends on prior internal reconnaissance to obtain environment details such as the MSSQL server address and credentials and the IP addresses of the target IEC-104 devices.
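The following is an added example, not code from the original post or from Mandiant’s report. It builds and parses IEC-104 I-format frames carrying the single command type (C_SC_NA_1, type ID 45) behind the ON/OFF operations described above, and runs a simple detector over constructed sample traffic. Because IEC-104 carries no authentication (the insecure-by-design point made in the Threat Outlook below), the only signals available to a defender are which host sent a control command and whether the targeted IOA is one the engineering inventory expects. The host addresses, the IOA list and the sample frames are constructed here for illustration and do not come from any real capture.

```python
"""IEC 60870-5-104 single-command builder, parser and a rogue-command detector.

Added example; not code from the original post or from Mandiant's report.
Addresses, IOAs and sample frames below are constructed for illustration.
"""
import struct
from typing import NamedTuple

START = 0x68
C_SC_NA_1 = 45    # single command: set one information object ON/OFF
C_DC_NA_1 = 46    # double command
C_IC_NA_1 = 100   # general interrogation (benign polling)
M_SP_NA_1 = 1     # single-point information (monitoring direction)
COT_ACT = 6       # cause of transmission: activation
COT_SPONT = 3     # cause of transmission: spontaneous
CONTROL_TYPES = {C_SC_NA_1, C_DC_NA_1}
ELEMENT_LEN = {C_SC_NA_1: 1, C_DC_NA_1: 1, C_IC_NA_1: 1, M_SP_NA_1: 1}


class Asdu(NamedTuple):
    type_id: int
    cot: int
    common_addr: int
    objects: list   # [(ioa, element_byte), ...]


def build_apdu(type_id, cot, common_addr, objects, ns=0, nr=0):
    """I-format APDU: start byte, length, four control bytes, then the ASDU.
    `objects` is a list of (ioa, element) with one-byte elements and SQ=0."""
    asdu = struct.pack("<BBBBH", type_id, len(objects), cot, 0, common_addr)
    for ioa, element in objects:
        asdu += ioa.to_bytes(3, "little") + bytes([element])   # 3-byte IOA in 104
    control = struct.pack("<HH", (ns << 1) & 0xFFFF, (nr << 1) & 0xFFFF)
    return bytes([START, len(control) + len(asdu)]) + control + asdu


def build_single_command(ioa, on, common_addr=1, select=False):
    """C_SC_NA_1 carrying SCS=1 (ON) or 0 (OFF); bit 7 of the SCO is select/execute."""
    sco = (0x80 if select else 0x00) | (0x01 if on else 0x00)
    return build_apdu(C_SC_NA_1, COT_ACT, common_addr, [(ioa, sco)])


def parse_apdu(data):
    """Return an Asdu for an I-format frame, None for S/U-format frames (no ASDU),
    and raise ValueError on malformed input so the caller can alert on it."""
    if len(data) < 6 or data[0] != START:
        raise ValueError("missing start byte or too short")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length field does not match frame")
    if data[2] & 0x01:          # control field 1 bit 0 set: S- or U-format
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id, vsq, cot, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    if vsq & 0x80:
        raise ValueError("SQ=1 (sequence of elements) not handled here")
    if type_id not in ELEMENT_LEN:
        raise ValueError(f"unsupported type id {type_id}")
    count, elen, pos, objects = vsq & 0x7F, ELEMENT_LEN[type_id], 6, []
    for _ in range(count):
        if pos + 3 + elen > len(asdu):
            raise ValueError("object count exceeds ASDU length")
        ioa = int.from_bytes(asdu[pos:pos + 3], "little")
        objects.append((ioa, asdu[pos + 3]))
        pos += 3 + elen
    return Asdu(type_id, cot & 0x3F, common_addr, objects)


def detect_rogue_commands(frames, authorised_masters, known_ioas):
    """frames: iterable of (src_ip, dst_ip, payload). Alerts on control commands
    from hosts other than the authorised SCADA masters, on commands to IOAs not
    in the engineering inventory, and on frames that do not parse."""
    alerts = []
    for src, dst, payload in frames:
        try:
            asdu = parse_apdu(payload)
        except ValueError as err:
            alerts.append(f"{src}->{dst} malformed IEC-104 frame: {err}")
            continue
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        for ioa, element in asdu.objects:
            state = "ON" if element & 0x01 else "OFF"
            phase = "select" if element & 0x80 else "execute"
            if src not in authorised_masters:
                alerts.append(f"{src}->{dst} control {phase} {state} on IOA {ioa} "
                              f"from unauthorised host")
            elif ioa not in known_ioas:
                alerts.append(f"{src}->{dst} control {phase} {state} on unknown IOA {ioa}")
    return alerts


# Constructed sample traffic (hypothetical addresses, not a real capture):
# 10.0.0.5 is the control centre, 10.0.1.20 an RTU, 10.0.0.99 a compromised
# conduit host that has learned the RTU address from prior reconnaissance.
AUTHORISED_MASTERS = {"10.0.0.5"}
KNOWN_IOAS = {1001, 1002, 1003, 1004}
SAMPLE_FRAMES = [
    ("10.0.0.5", "10.0.1.20", build_apdu(C_IC_NA_1, COT_ACT, 1, [(0, 20)])),
    ("10.0.1.20", "10.0.0.5", build_apdu(M_SP_NA_1, COT_SPONT, 1, [(1001, 1)])),
    ("10.0.0.5", "10.0.1.20", build_single_command(1002, on=True)),
    ("10.0.0.99", "10.0.1.20", build_single_command(1001, on=False)),
    ("10.0.0.5", "10.0.1.20", build_single_command(1337, on=False)),
    ("10.0.0.99", "10.0.1.20", b"\x68\x0e\x00\x00"),
]

if __name__ == "__main__":
    for line in detect_rogue_commands(SAMPLE_FRAMES, AUTHORISED_MASTERS, KNOWN_IOAS):
        print(line)
```

Run stand-alone, the block prints three alerts: the OFF command from the unauthorised conduit host, the command from the legitimate master to an IOA outside the inventory, and the truncated frame. The parser deliberately handles only the single-object, one-byte-element types needed here; a production sensor would decode the full type table and sequence-of-elements (SQ=1) ASDUs, but the detection logic is the same: allowlist the masters that may issue control commands and the IOAs they may touch, and treat anything else as an incident.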


Attribution

The origin of COSMICENERGY is not known. However, Mandiant found that a comment in the code matched the name of a cyber range developed by Rostelecom-Solar, a Russian cybersecurity company that began training cybersecurity experts on “electric power disruption and emergency response exercises” in 2019. There is an Even Chance that COSMICENERGY was created to simulate real attack scenarios against grid assets for training purposes.


However, there is an Even Chance that another threat actor took the code – with or without permission – and created a new malware strain that could be used to target the ICS of other countries, including Ukraine and Western-supporting countries.


Threat Outlook

Mandiant researchers stated that the identification of COSMICENERGY highlights multiple trends in the OT threat landscape, including the abuse of insecure by design protocols, such as IEC-104.


COSMICENERGY does not appear to be significantly different from, or more sophisticated or notable than, the previous OT malware variants that Mandiant found comparable, including IRONGATE, TRITON, and INCONTROLLER. They all use third-party libraries, target and abuse insecure-by-design protocols, and operate in similar ways. Russia-linked threat actors have used OT malware to target ICS in other countries, particularly Ukraine, since at least 2015. However, the discovery of a new variant, no matter how similar, poses a significant threat to the landscape. Given the current Russia-Ukraine war, it is Likely that threat actors will begin targeting Ukrainian and Western-supporting countries with COSMICENERGY over the next 30 days.


If COSMICENERGY was developed as a red teaming tool to simulate real attack scenarios on electrical grids, then this discovery highlights the consistent use of legitimate tools by threat actors to conduct malicious attacks. Threat actors, including both APT and cybercriminal groups, are often observed using legitimate tools, including Cobalt Strike, Metasploit, and BloodHound. It is Likely that threat actors will continue to use open-source, publicly available, and legitimate tools to conduct malicious attacks over the next 12 months.


Mitigations

Optiv’s Global Threat Intelligence Center (gTIC) recommends the following mitigations to protect OT systems from the COSMICENERGY malware:


  • Restrict physical access to OT devices, as physical access can give a threat actor full access to achieve attack objectives.
  • Implement a patch management program that prioritizes patching based on a few considerations, which include the vulnerability’s impact on the organization’s data, the types and number of systems affected, the access level required to exploit the vulnerability, and how widely known the vulnerability is.
  • Enable least-privilege policies and allowlists or denylists for tools, software, and applications. These prevent employees and adversaries from downloading and installing unauthorized software. They also deter adversaries from running administrator-level processes and commands on infected devices.
  • Perform penetration testing and red team exercises to identify weaknesses and enhance defenses. Penetration testing coupled with a training exercise, such as a tabletop exercise, can help ensure that incident responders are prepared in the event of an incident.
  • Create a robust security awareness program that includes training on downloading software and reporting incidents and concerns to an incident response authority.
  • Ensure that third-party suppliers and vendors are held to the same security standards as your organization. Consider the addition of “right to audit” clauses. Finally, ensure that the organization maintains an incident response program (IRP) and network monitoring with protections in place for cyberattacks.
  • Because COSMICENERGY relies on an MSSQL server as its path into the OT network and on knowing RTU addresses in advance, segment database servers from OT networks, restrict which hosts may open IEC-104 sessions to RTUs, and monitor for IEC-104 control commands originating from any host other than the authorized control center.


Read more of gTIC’s related threat intelligence in the Vertical Target Series: Energy and Utilities white paper and Russia/Ukraine Update – May 2023 blog post.

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.