Security researchers at Mandiant have discovered a new malware family, CosmicEnergy, linked to the Russian cybersecurity company Rostelecom-Solar (previously known as Solar Security). The malware targets ICS (Industrial Control Systems).
Image source: Fixitgearware.com
According to Mandiant's researchers, the malware specifically targets IEC-104 (IEC 60870-5-104) compliant Remote Terminal Units (RTUs), which are used in electrical transmission and distribution across regions such as Asia, Europe, and the Middle East.
CosmicEnergy was discovered when a sample was uploaded to VirusTotal (a public malware-analysis platform) in December 2021 by a submitter in Russia.
Analysis of the uploaded sample revealed a number of notable facts about its mode of propagation and its functionality (the intended purpose of the malware).
CosmicEnergy's capabilities overlap with those of previously known Operational Technology (OT) malware, Industroyer and Industroyer2, which were used against Ukraine's power grid in December 2016 and April 2022 respectively.
The malware is written in Python and uses open-source libraries for its OT protocol implementation, much like IronGate, Triton, and Incontroller, which also target industrial control systems.
CosmicEnergy's path to disruption resembles Industroyer's: the attacker reaches the Operational Technology (OT) environment by pivoting through a compromised MSSQL server that has network access to the RTUs, using a disruption tool Mandiant calls PIEHOP.
Once inside the victim network, the attacker can switch RTU outputs remotely by issuing IEC-104 "ON" or "OFF" commands through a second malicious component, LIGHTWORK, which speaks the IEC-104 protocol.
Image: CosmicEnergy chain of execution (Mandiant)
Image source: bleepingcomputer.com
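As an added example (not code from this page, from Mandiant, or from the malware itself), here is a small Python decoder for the IEC-104 control commands described above. It splits a raw TCP byte stream into APDUs, identifies single and double command ASDUs (type IDs 45/46 and their time-tagged variants 58/59), and reports the ON/OFF state, the select-versus-execute bit, and the cause of transmission for each. That is exactly the traffic a detection engineer would want to alert on when it originates from anything other than the legitimate SCADA master. The frames in SAMPLE_STREAM, the common address and the IOAs are constructed for illustration and are not taken from a real capture.

```python
"""Decode IEC 60870-5-104 (IEC-104) APDUs from a TCP stream and flag the
single/double ON/OFF control commands that tools like LIGHTWORK send to RTUs.
Added example: the frames in SAMPLE_STREAM are constructed, not captured."""
import struct

# ASDU type IDs that carry ON/OFF switching commands (value: time-tagged?)
SINGLE_CMD = {45: False, 58: True}   # C_SC_NA_1, C_SC_TA_1
DOUBLE_CMD = {46: False, 59: True}   # C_DC_NA_1, C_DC_TA_1
COT_NAMES = {6: "activation", 7: "activation-confirm",
             8: "deactivation", 10: "activation-termination"}


def split_apdus(stream):
    """Yield each APDU body (4 control bytes + ASDU) from a raw byte stream."""
    offset = 0
    while offset + 2 <= len(stream):
        if stream[offset] != 0x68:                     # APCI start byte
            raise ValueError(f"bad IEC-104 start byte at offset {offset}")
        length = stream[offset + 1]                    # length of what follows
        body = stream[offset + 2:offset + 2 + length]
        if len(body) < length:                         # truncated tail, stop
            break
        yield body
        offset += 2 + length


def parse_apdu(body):
    """Decode one APDU body into a dict; commands get a 'command' entry."""
    ctrl = body[:4]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"                                      # carries an ASDU
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"                                      # supervisory (ack)
    else:
        fmt = "U"                                      # unnumbered (STARTDT/TESTFR)
    frame = {"format": fmt}
    if fmt != "I":
        return frame
    frame["send_seq"] = (ctrl[0] >> 1) | (ctrl[1] << 7)
    frame["recv_seq"] = (ctrl[2] >> 1) | (ctrl[3] << 7)

    asdu = body[4:]
    type_id = asdu[0]
    cot = asdu[2] & 0x3F                               # low 6 bits = cause
    frame.update(type_id=type_id,
                 num_objects=asdu[1] & 0x7F,
                 cot=cot,
                 cot_name=COT_NAMES.get(cot, f"cot-{cot}"),
                 negative=bool(asdu[2] & 0x40),
                 common_address=struct.unpack_from("<H", asdu, 4)[0])

    if type_id in SINGLE_CMD or type_id in DOUBLE_CMD:
        # one information object: 3-byte IOA then the command qualifier byte
        ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
        qual = asdu[9]
        if type_id in SINGLE_CMD:
            state = "ON" if qual & 0x01 else "OFF"     # SCS bit
        else:
            state = {1: "OFF", 2: "ON"}.get(qual & 0x03, "INVALID")  # DCS bits
        frame["command"] = {
            "ioa": ioa,
            "state": state,
            "select": bool(qual & 0x80),               # S/E bit: 1=select, 0=execute
            "time_tagged": SINGLE_CMD.get(type_id, DOUBLE_CMD.get(type_id)),
        }
    return frame


def control_commands(stream):
    """Return (common address, IOA, state, select/execute, cause) for every
    ON/OFF command in the stream; a detection rule can alert on any hit
    that does not come from the legitimate SCADA master."""
    hits = []
    for body in split_apdus(stream):
        frame = parse_apdu(body)
        cmd = frame.get("command")
        if cmd:
            hits.append((frame["common_address"], cmd["ioa"], cmd["state"],
                         "select" if cmd["select"] else "execute",
                         frame["cot_name"]))
    return hits


# Constructed sample: TESTFR act (U), station interrogation (benign I),
# single command ON/execute to IOA 4097, S-frame ack, double command
# OFF/select to IOA 4098. Addresses are illustrative, not from any real site.
SAMPLE_STREAM = bytes.fromhex(
    "68 04 43 00 00 00"                                 # U: TESTFR act
    "68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14"   # I: C_IC_NA_1
    "68 0e 02 00 00 00 2d 01 06 00 01 00 01 10 00 01"   # I: C_SC_NA_1 ON
    "68 04 01 00 04 00"                                 # S: ack recv_seq=2
    "68 0e 04 00 00 00 2e 01 06 00 01 00 02 10 00 81"   # I: C_DC_NA_1 OFF/select
)

if __name__ == "__main__":
    for hit in control_commands(SAMPLE_STREAM):
        print(hit)
```

The interrogation frame (type 100) is deliberately included and not flagged: a useful rule alerts on type 45/46/58/59 with cause of transmission 6 (activation) from an unexpected source, not on every IEC-104 packet, or it will drown in the master's routine polling.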
Mandiant's researchers believe the newly discovered malware may have been designed as a red teaming tool, intended for simulated power-disruption exercises run by Rostelecom-Solar (a Russian cybersecurity firm).
Public information shows that Rostelecom-Solar has received funding from the Russian government for cybersecurity training and for simulating power grid disruption. Mandiant nevertheless considers it plausible that CosmicEnergy could be turned against critical infrastructure in real disruptive attacks, just as other red team tools have been repurposed by threat actors.
ANALYSIS AND DISCOVERY OF COSMICENERGY:
According to Mandiant Researchers:
“During our analysis of COSMICENERGY, we identified a comment in the code that indicated the sample uses a module associated with a project named ‘Solar Polygon.’ We searched for the unique string and identified a single match to a cyber range (aka polygon) developed by Rostelecom-Solar.”
Furthermore, Mandiant Researchers said:
“Although we have not identified sufficient evidence to determine the origin and purpose of COSMICENERGY, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against power grid assets.”
“Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets.” (Source: BleepingComputer)
In April 2022, after Russia's invasion of Ukraine, Microsoft reported that Russian state-backed hackers had deployed a series of malware families, some never seen before, in destructive attacks against Ukrainian critical infrastructure.
The list includes, but is not limited to, Industroyer2, Lasainraw (aka IsaacWiper), FiberLake (aka DoubleZero), WhisperGate/WhisperKill, FoxBlade (aka HermeticWiper), CaddyWiper, DesertBlade, and SonicVote (aka HermeticRansom).
The Russian military hacking group known as Sandworm attempted to use Industroyer2 to take down the ICS network of a prominent Ukrainian energy provider. The attempt failed: the malware was discovered and neutralized before it could disrupt energy delivery across the country, and the targeted high-voltage electrical substations were not taken offline.
Please let us know your thoughts in the comment section.