HexaFusion’s research team has been closely following the developments around a newly identified malware that poses a significant threat to industrial systems. Named CosmicEnergy, this disruptive malware has been linked to the Russian cybersecurity firm Rostelecom-Solar, which was formerly known as Solar Security.
Unmasking the CosmicEnergy Threat
CosmicEnergy primarily targets IEC-104-compliant remote terminal units (RTUs), devices typically found in electric transmission and distribution networks across Europe, Asia, and the Middle East.
The discovery of CosmicEnergy came about when a sample of the malware was uploaded to the VirusTotal malware analysis platform in December 2021. Interestingly, the upload originated from a Russian IP address.
Technical Details and Tactics
CosmicEnergy showcases notable similarities with previous Operational Technology (OT) malware like Industroyer and Industroyer.V2. These were both implicated in attacks on Ukrainian energy providers in 2016 and 2022. CosmicEnergy is Python-based, using open-source libraries for OT protocol implementation, a trait shared with other industrial control system-targeting malware strains, such as IronGate, Triton, and Incontroller.
CosmicEnergy's apparent infection route involves compromising MSSQL servers with the Piehop disruption tool. Once inside the victim's network, the malware can remotely control RTUs by issuing IEC-104 "ON" or "OFF" commands through the Lightwork tool.
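Because the disruptive step here is an ordinary IEC-104 control command (single or double command, ASDU type 45 or 46) reaching an RTU, a defender's first question is whether such commands are arriving from anything other than the legitimate SCADA master. The following is an added example, not code from CosmicEnergy, Lightwork, Mandiant or HexaFusion: a minimal IEC 60870-5-104 APDU decoder plus a detection rule that flags control commands from hosts outside an operator allowlist. The IP addresses, the allowlist and the sample frames are constructed for illustration; field layouts follow the public IEC 60870-5-101/104 specification.

```python
"""
Minimal IEC 60870-5-104 (IEC-104) APDU decoder with one detection rule:
flag control commands (single/double command, ASDU type IDs 45/46) that are
sent toward RTUs from hosts not on the approved SCADA-master allowlist.
Added example; not code from the malware or from any vendor.
"""

IEC104_START = 0x68

# ASDU type identifiers relevant here (from IEC 60870-5-101/104).
TYPE_NAMES = {
    45: "C_SC_NA_1",   # single command (ON/OFF)
    46: "C_DC_NA_1",   # double command (ON/OFF)
    100: "C_IC_NA_1",  # general interrogation (a read, not a control)
}
CONTROL_TYPES = {45, 46}


def parse_apdu(data: bytes) -> dict:
    """Decode one IEC-104 APDU and return a dict describing the frame."""
    if len(data) < 6 or data[0] != IEC104_START:
        raise ValueError("not an IEC-104 APDU")
    apdu_len = data[1]                      # number of bytes after the length field
    if apdu_len != len(data) - 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl = data[2:6]
    # Frame format lives in the low bits of the first control byte:
    # xxxxxxx0 = I-format (carries an ASDU), xxxxxx01 = S-format, xxxxxx11 = U-format.
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    frame = {"format": fmt}
    if fmt != "I":
        return frame                        # S- and U-frames carry no ASDU
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id = asdu[0]
    num_objects = asdu[1] & 0x7F            # variable structure qualifier, SQ bit masked off
    cot = asdu[2] & 0x3F                    # cause of transmission (6 = activation)
    common_addr = asdu[4] | (asdu[5] << 8)  # common address of ASDU, little-endian
    frame.update({
        "type_id": type_id,
        "type_name": TYPE_NAMES.get(type_id, f"type_{type_id}"),
        "num_objects": num_objects,
        "cot": cot,
        "common_address": common_addr,
    })
    if type_id in CONTROL_TYPES:
        if len(asdu) < 10:
            raise ValueError("information object truncated")
        ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)   # 3-byte information object address
        qualifier = asdu[9]                                  # SCO or DCO byte
        if type_id == 45:
            state = "ON" if qualifier & 0x01 else "OFF"      # SCS bit
        else:
            dcs = qualifier & 0x03                           # DCS field: 1 = OFF, 2 = ON
            state = {1: "OFF", 2: "ON"}.get(dcs, "INVALID")
        frame.update({
            "ioa": ioa,
            "state": state,
            "select": bool(qualifier & 0x80),                # S/E bit: 1 = select, 0 = execute
        })
    return frame


def detect_unauthorized_controls(captures, allowed_sources):
    """Return alert strings for control commands whose source is not allowlisted."""
    alerts = []
    for src, dst, raw in captures:
        try:
            frame = parse_apdu(raw)
        except ValueError:
            continue                        # malformed or non-IEC-104 payload; ignore here
        if frame.get("type_id") in CONTROL_TYPES and src not in allowed_sources:
            alerts.append(f"{src} -> {dst}: {frame['type_name']} {frame['state']} "
                          f"IOA={frame['ioa']} CA={frame['common_address']} "
                          f"{'select' if frame['select'] else 'execute'}")
    return alerts


# Constructed sample traffic (hypothetical hosts; not captured from real equipment).
SAMPLE_CAPTURES = [
    ("10.0.1.5", "10.0.2.10", bytes.fromhex("68 04 43 00 00 00")),                                # U-frame TESTFR act
    ("10.0.1.5", "10.0.2.10", bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")),  # interrogation
    ("10.0.1.5", "10.0.2.10", bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 01")),  # single cmd ON, SCADA master
    ("10.0.9.77", "10.0.2.10", bytes.fromhex("68 0e 00 00 00 00 2d 01 06 00 01 00 01 00 00 00")), # single cmd OFF, unknown host
    ("10.0.9.77", "10.0.2.11", bytes.fromhex("68 0e 00 00 00 00 2e 01 06 00 02 00 05 00 00 01")), # double cmd OFF, unknown host
]
ALLOWED_SOURCES = {"10.0.1.5"}   # the one legitimate SCADA master in this constructed network

if __name__ == "__main__":
    for alert in detect_unauthorized_controls(SAMPLE_CAPTURES, ALLOWED_SOURCES):
        print("ALERT:", alert)
```

Run on the constructed captures, the rule ignores the keep-alive and the interrogation, accepts the command from the allowlisted master, and raises two alerts for the OFF commands issued from 10.0.9.77. In a real deployment the allowlist would come from the asset inventory and the frames from a network tap on the IEC-104 port; the same decoder also gives you the IOA and common address needed to map an alert back to a specific breaker or feeder.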
Behind the Creation of CosmicEnergy
While there isn’t conclusive evidence to pinpoint the origin or purpose of CosmicEnergy, it’s believed that it might have been developed as a red teaming tool by Rostelecom-Solar or an associated party. The intention behind this could be to simulate real attack scenarios against energy grid assets for training purposes.
Rostelecom-Solar is known to have received funding from the Russian government for cybersecurity training and simulating electric power disruption. Given this, CosmicEnergy might also be weaponized by Russian threat actors to launch disruptive cyberattacks on critical infrastructure.
Russian Malware Landscape
Since Russia’s invasion of Ukraine in April 2022, Russian hacking groups have launched numerous destructive attacks against Ukrainian targets, using a multitude of malware families, some of which had never been seen before in the wild. CosmicEnergy represents a potential addition to this arsenal, emphasizing the importance of vigilant cybersecurity practices and robust defenses in maintaining the integrity of critical infrastructure systems.
Stay tuned with HexaFusion for the latest updates and insights into the world of cybersecurity.