New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Energy Grids


May 26, 2023 | Ravie Lakshmanan | ICS/SCADA Security

A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed.

Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild.

“The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia,” the company said.

COSMICENERGY is the latest addition to specialized malware like Stuxnet, Havex, Triton, IRONGATE, BlackEnergy2, Industroyer, and PIPEDREAM, which are capable of sabotaging critical systems and wreaking havoc.

Mandiant said that there are circumstantial links that it may have been developed as a red teaming tool by Russian telecom firm Rostelecom-Solar to simulate power disruption and emergency response exercises that were held in October 2021.

This raises the possibility that the malware was either developed to recreate realistic attack scenarios against energy grid assets to test defenses or another party reused code associated with the cyber range.


The second alternative is not unheard of, especially in light of the fact that threat actors are known to adapt and repurpose legitimate red team and post-exploitation tools for malicious ends.

COSMICENERGY’s features are comparable to those of Industroyer – which has been attributed to the Kremlin-backed Sandworm group – owing to its ability to exploit an industrial communication protocol called IEC-104 to issue commands to RTUs.

“Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption,” Mandiant said.



This is accomplished by means of two components called PIEHOP and LIGHTWORK, which are two disruption tools written in Python and C++, respectively, to transmit the IEC-104 commands to the connected industrial equipment.

Another notable aspect of the industrial control system (ICS) malware is the lack of intrusion and discovery capabilities, meaning it requires the operator to perform an internal reconnaissance of the network to determine the IEC-104 device IP addresses to be targeted.

To pull off an attack, a threat actor would therefore have to infect a computer within the network, find a Microsoft SQL Server that has access to the RTUs, and obtain its credentials.

PIEHOP is then run on the machine to upload LIGHTWORK to the server, which sends disruptive remote commands to modify the state of the units (ON or OFF) over TCP. It also immediately deletes the executable after issuing the instructions.
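For defenders, the ON/OFF commands described above appear on the wire as IEC-104 single and double command ASDUs, so a monitor can flag any such command whose source is not a known control station. The following is an added example, not code from Mandiant or the original article: it assumes mirrored TCP payloads from IEC-104 sessions (TCP port 2404 by default) and a site-specific allowlist, and the sample frames and IP addresses are constructed.

```python
import struct

# IEC 60870-5-104 command type IDs (control direction) and activation cause.
COMMAND_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1"}
COT_ACTIVATION = 6
# Constructed sample traffic: (source IP, TCP payload). All values are made up.
SAMPLE_FLOWS = [
    ("10.0.0.10", bytes.fromhex("680407000000" "680e00000000" "2d0106000100e9030000")),
    ("10.0.0.77", bytes.fromhex("680e02000000" "2e0106000100ea030002")),
]

def parse_apdus(payload):
    """Yield the ASDU of each I-format APDU found in one TCP payload."""
    pos = 0
    while pos + 6 <= len(payload) and payload[pos] == 0x68:  # 0x68 = start octet
        length = payload[pos + 1]            # octets that follow the length field
        end = pos + 2 + length
        if length < 4 or end > len(payload):
            break                            # malformed or truncated frame
        if payload[pos + 2] & 0x01 == 0 and length > 4:  # I-format carries an ASDU
            yield payload[pos + 6:end]
        pos = end

def switching_commands(payload):
    """Return single/double command activations (first information object only)."""
    found = []
    for asdu in parse_apdus(payload):
        if (len(asdu) < 10 or asdu[0] not in COMMAND_TYPES
                or asdu[2] & 0x3F != COT_ACTIVATION):  # low 6 bits = cause
            continue
        qualifier = asdu[9]                   # SCO or DCO octet after the 3-octet IOA
        if asdu[0] in (45, 58):               # single command: bit 0 is the state
            state = "ON" if qualifier & 0x01 else "OFF"
        else:                                 # double command: 1 = OFF, 2 = ON
            state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
        found.append({"type": COMMAND_TYPES[asdu[0]],
                      "ca": struct.unpack_from("<H", asdu, 4)[0],
                      "ioa": int.from_bytes(asdu[6:9], "little"),
                      "state": state, "select": bool(qualifier & 0x80)})
    return found

def alerts(flows, authorized):
    """Flag every switching command whose source is not an authorized master."""
    return [(src, cmd) for src, payload in flows
            for cmd in switching_commands(payload) if src not in authorized]

if __name__ == "__main__":
    for src, cmd in alerts(SAMPLE_FLOWS, authorized={"10.0.0.10"}):
        print("ALERT", src, cmd)
```

With the allowlist containing only 10.0.0.10, the double command from 10.0.0.77 is reported while the authorized station's single command is not.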

“While COSMICENERGY’s capabilities are not significantly different from previous OT malware families’, its discovery highlights several notable developments in the OT threat landscape,” Mandiant said.

“The discovery of new OT malware presents an immediate threat to affected organizations, since these discoveries are rare and because the malware principally takes advantage of insecure by design features of OT environments that are unlikely to be remedied any time soon.”
