The PolySwarm Blog


CosmicEnergy

Jun 9, 2023 2:23:26 PM / by The Hivemind

Verticals Targeted: Energy, Critical Infrastructure

Executive Summary

CosmicEnergy is a novel malware targeting operational technology (OT) and ICS.

Key Takeaways

  • CosmicEnergy is a novel malware targeting operational technology (OT) and ICS.
  • It may be a red teaming simulation tool rather than a malicious tool designed for disruption.
  • CosmicEnergy uses two modules, Piehop and Lightwork, to disrupt power by issuing commands to RTUs.

What is CosmicEnergy?

Mandiant recently reported on CosmicEnergy, a novel malware targeting operational technology (OT) and ICS.

Origin

CosmicEnergy appears to be of Russian origin but may be a product of a simulated power disruption exercise and not related to a threat actor. Mandiant researchers said the sample could be associated with Rostelecom-Solar, a Russian cybersecurity company.

In other words, CosmicEnergy may have been built as a red teaming simulation tool rather than a malicious tool for disruption. However, this does not preclude threat actors from obtaining and using CosmicEnergy to target critical infrastructure entities for disruption. Regardless of its origin and purpose, CosmicEnergy was clearly intended to be a specialized OT malware and is reminiscent of Industroyer and Industroyer 2.

Capabilities

CosmicEnergy is capable of disrupting power by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs). These units are often used for energy transmission and distribution in Europe, Asia, and the Middle East.

Infection Chain

To perform a successful CosmicEnergy attack, a threat actor would need to first infect a computer inside the target environment, then find an SQL Server with access to the RTUs and obtain its credentials. The next stage would be an infection involving CosmicEnergy’s two components: Piehop and Lightwork.

Components

Piehop

Piehop is a disruption tool written in Python and packaged with PyInstaller. It can connect to a user-supplied remote SQL server to upload files and issue remote commands to an RTU. Piehop uses Lightwork to issue the IEC-104 commands. However, in the sample analyzed by Mandiant, the code contained programming logic errors that prevented the successful execution of IEC-104 control capabilities.

Lightwork

Lightwork is a disruption tool written in C++. It uses the IEC-104 protocol to modify the state of RTUs over TCP.

Significance

Once the threat actor successfully engages the industrial equipment, they can send remote commands to change the actuation of power circuit breakers and line switches to disrupt power.
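The Capabilities, Lightwork and Significance passages above all come down to IEC-104 control commands sent to RTUs. As an added, defender-side example that is not part of the original post or of the malware, the following Python decodes IEC 60870-5-104 APDUs from a raw TCP payload and flags the single/double command ASDUs (type IDs 45, 46, 58, 59) that a breaker or line-switch actuation would use; the sample bytes, station and object addresses, and function names are constructed for illustration.

```python
from dataclasses import dataclass
# IEC 60870-5-104 type IDs of control ASDUs that change a switching device's state
# (breaker / line switch); values are from the standard.
CONTROL_TYPE_IDS = {45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
                    58: "C_SC_TA_1 single command (time-tagged)", 59: "C_DC_TA_1 double command (time-tagged)"}

@dataclass
class Asdu:
    type_id: int
    cause: int        # cause of transmission, low 6 bits (6 = activation)
    common_addr: int  # station (RTU) address
    ioa: int          # information object address
    element: int      # first info-element byte: SCO/DCO qualifier for 45/46/58/59
    def describe(self) -> str:
        # qualifier: bit 0 (single) or bits 0-1 (double) = state, bit 7 = select(1)/execute(0)
        if self.type_id in (45, 58):
            state = "ON" if self.element & 0x01 else "OFF"
        else:
            state = ("invalid", "OFF", "ON", "invalid")[self.element & 0x03]
        phase = "select" if self.element & 0x80 else "execute"
        return f"{CONTROL_TYPE_IDS[self.type_id]}: {state} {phase} -> station {self.common_addr}, IOA {self.ioa}"

def parse_apdus(stream: bytes) -> list:
    """Return the ASDU of each I-format APDU in a raw IEC-104 TCP payload; S-/U-format frames
    carry no ASDU and are skipped. Simplification: only the first information object is decoded."""
    asdus, i = [], 0
    while i + 2 <= len(stream):
        length = stream[i + 1]
        apdu = stream[i + 2:i + 2 + length]
        if stream[i] != 0x68 or len(apdu) != length:
            raise ValueError(f"malformed or truncated APDU at offset {i}")
        i += 2 + length
        if apdu[0] & 0x01:          # control octet 1, bit 0 set: S- or U-format, no ASDU
            continue
        asdu = apdu[4:]             # skip the four APCI control octets
        if len(asdu) < 10:          # 6-byte header + 3-byte IOA + at least 1 element byte
            continue
        common_addr = int.from_bytes(asdu[4:6], "little")
        ioa = int.from_bytes(asdu[6:9], "little")
        asdus.append(Asdu(asdu[0], asdu[2] & 0x3F, common_addr, ioa, asdu[9]))
    return asdus

def flag_control_commands(stream: bytes) -> list:
    """Keep only state-changing commands, i.e. what an OT network monitor should alert on."""
    return [a for a in parse_apdus(stream) if a.type_id in CONTROL_TYPE_IDS]
# Constructed sample (not a real capture): TESTFR act (U-format), a general interrogation
# (type 100, benign polling), then a single command (type 45) ON/execute to IOA 0x000102, station 1.
SAMPLE = bytes.fromhex("680443000000" "680e0000000064010600010000000014"
                       "680e020000002d010600010002010001")
```

In a monitored OT network, the flagged commands are the events to correlate with their source: a single or double command that does not originate from the expected SCADA master is the signal, while interrogations and link-layer frames are routine.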

Although CosmicEnergy may be a redteam tool used by a Russian security organization, it could potentially be used by threat actors to target energy sector and critical infrastructure entities. Reporting on CosmicEnergy highlights security threats to OT environments, which are insecure by design. Entities leveraging these systems must be diligent in protecting against similar threats.

IOCs

PolySwarm has multiple samples associated with CosmicEnergy.


358f0f8c23acea82c5f75d6a2de37b6bea7785ed0e32c41109c217c48bf16010

740e0d2fba550308344b2fb0e5ecfebdd09329bdcfaa909d3357ad4fe5552532


You can use the following CLI command to search for all CosmicEnergy samples in our portal:

$ polyswarm link list -f CosmicEnergy



Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports


Topics: Critical Infrastructure, ICS, Energy, CosmicEnergy, OT
