New Russian OT Malware Could Wreak Havoc on Electric Systems
Mandiant Researchers Say 'CosmicEnergy' May Come From Power Disruption Simulations
A new strain of Russian operational technology malware could cause electric power disruption in Europe, the Middle East and Asia.
The malware - dubbed "CosmicEnergy" by threat intel firm Mandiant - causes disruption by interacting with power system automation devices such as remote terminal units, or RTUs.
In research published Thursday, Mandiant said a contractor might have developed the malware as a red-teaming tool for simulated power disruption exercises hosted by a Russian cybersecurity company.
Mandiant said the discovery of CosmicEnergy is alarming because the malware takes advantage of insecure-by-design features of OT environments that are unlikely to be remediated anytime soon. Even if it was built for a simulated attack against the remote terminal units prevalent in Europe, the Middle East and Asia, Mandiant said its development suggests that offensive OT threat activity is no longer limited to well-resourced or state-sponsored actors (see: More State-Sponsored OT Hacking to Come, Says ENISA).
"The barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware," the Mandiant researchers wrote. "Given that threat actors use red-team tools and public exploitation frameworks for targeted threat activity in the wild, we believe CosmicEnergy poses a plausible threat to affected electric grid assets."
How CosmicEnergy Works
The malware causes power disruption by allowing attackers to send remote commands that change the state of power line switches and circuit breakers. This approach resembles a 2016 incident in which the attacker appears to have used a Microsoft SQL server as a conduit for reaching operational technology.
One component of CosmicEnergy connects to an operator-supplied Microsoft SQL server and uses it to upload files and issue commands to the remote terminal unit, Mandiant found. The component can direct the targeted device to switch on or off, and it deletes its own executable immediately after issuing the command.
A second component modifies the state of remote terminal units directly, by sending configurable protocol messages that set the targeted device on or off. To use CosmicEnergy against a real target, an operator would first need to perform internal reconnaissance to obtain the Microsoft SQL server IP addresses, the Microsoft SQL credentials and the IP addresses of the target remote terminal units.
"OT defenders and asset owners should take mitigating actions against CosmicEnergy to preempt in the wild deployment and to better understand common features and capabilities that are frequently deployed in OT malware," the researchers wrote. "Such knowledge can be useful when performing threat hunting exercises and deploying detection to identify malicious activity within OT environments."
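The article does not name the protocol the second component speaks, so the following example, which is added here and is not code from Mandiant's report or from CosmicEnergy itself, assumes the ON/OFF messages are IEC 60870-5-104 single commands (type 45) and double commands (type 46) with cause of transmission "activation". It shows the kind of threat hunt the researchers recommend: parse captured IEC-104 frames, pull out the control commands that flip an information object on or off, and flag any that did not come from a known master. All frames, IP addresses and the allow-list are constructed for the example; in practice the frames would come from a span-port capture and the allow-list from the asset inventory.

```python
"""Hunt for IEC-104 ON/OFF control commands issued by hosts that are not known masters.

Added example, not from the original article or the CosmicEnergy samples. Protocol
assumptions: IEC 60870-5-104 I-format frames carrying C_SC_NA_1 / C_DC_NA_1 ASDUs.
"""
from dataclasses import dataclass

C_SC_NA_1 = 45      # single command: SCO byte, bit0 = state (1 = ON)
C_DC_NA_1 = 46      # double command: DCO byte, bits0-1 = state (1 = OFF, 2 = ON)
COMMAND_TYPES = {C_SC_NA_1: "C_SC_NA_1", C_DC_NA_1: "C_DC_NA_1"}
COT_ACTIVATION = 6  # cause of transmission: activation (master asks RTU to act)


@dataclass
class ControlCommand:
    src_ip: str
    type_id: int
    cot: int
    common_addr: int
    ioa: int        # information object address, i.e. which switch/breaker
    state: str      # "ON", "OFF" or "INVALID"
    phase: str      # "SELECT" (arm) or "EXECUTE" (act)


def build_apdu(type_id, ioa, on, common_addr=1, cot=COT_ACTIVATION, select=False):
    """Encode one I-format APDU with a single information object (used to build samples)."""
    if type_id == C_SC_NA_1:
        qualifier = (1 if on else 0) | (0x80 if select else 0)
    elif type_id == C_DC_NA_1:
        qualifier = (2 if on else 1) | (0x80 if select else 0)
    else:
        raise ValueError("unsupported type identifier")
    # ASDU: type, VSQ (1 object, no SQ), COT low byte, originator, common address, IOA, qualifier
    asdu = (bytes([type_id, 0x01, cot, 0x00]) + common_addr.to_bytes(2, "little")
            + ioa.to_bytes(3, "little") + bytes([qualifier]))
    # APCI: start byte, length of everything after it, four control bytes (I-format, seq 0/0)
    return bytes([0x68, 4 + len(asdu), 0x00, 0x00, 0x00, 0x00]) + asdu


def parse_commands(src_ip, apdu):
    """Return the control commands in one APDU; S/U frames and non-command ASDUs yield none."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("malformed APCI")
    if apdu[2] & 0x01:                      # S- or U-format: no ASDU follows
        return []
    asdu = apdu[6:]
    if len(asdu) < 6 or asdu[0] not in COMMAND_TYPES:
        return []
    type_id, vsq = asdu[0], asdu[1]
    count, sequential = vsq & 0x7F, bool(vsq & 0x80)
    cot = asdu[2] & 0x3F
    common_addr = int.from_bytes(asdu[4:6], "little")
    pos, base_ioa, found = 6, None, []
    if sequential:                          # one IOA, then consecutive elements
        base_ioa = int.from_bytes(asdu[pos:pos + 3], "little")
        pos += 3
    for i in range(count):
        if sequential:
            ioa = base_ioa + i
        else:
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            pos += 3
        q = asdu[pos]
        pos += 1
        if type_id == C_SC_NA_1:
            state = "ON" if q & 0x01 else "OFF"
        else:
            state = {1: "OFF", 2: "ON"}.get(q & 0x03, "INVALID")
        phase = "SELECT" if q & 0x80 else "EXECUTE"
        found.append(ControlCommand(src_ip, type_id, cot, common_addr, ioa, state, phase))
    return found


def hunt(frames, allowed_masters):
    """Flag activation commands sent to RTUs by any host outside the known-master allow-list."""
    return [cmd for src_ip, apdu in frames for cmd in parse_commands(src_ip, apdu)
            if cmd.cot == COT_ACTIVATION and src_ip not in allowed_masters]


# Constructed sample capture (hypothetical addresses): 10.0.0.5 is the legitimate HMI/master,
# 10.0.0.99 stands in for a conduit host that has no business issuing control commands.
SAMPLE_FRAMES = [
    ("10.0.0.5", build_apdu(C_SC_NA_1, ioa=1001, on=True)),          # legitimate close
    ("10.0.0.5", bytes([0x68, 0x04, 0x01, 0x00, 0x00, 0x00])),       # S-format ack, no ASDU
    ("10.0.0.99", build_apdu(C_SC_NA_1, ioa=1001, on=False)),        # rogue open of breaker
    ("10.0.0.99", build_apdu(C_DC_NA_1, ioa=1002, on=False, select=True)),  # rogue select
]
ALLOWED_MASTERS = {"10.0.0.5"}

if __name__ == "__main__":
    for alert in hunt(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(f"ALERT {alert.src_ip} -> CA {alert.common_addr} IOA {alert.ioa}: "
              f"{COMMAND_TYPES[alert.type_id]} {alert.phase} {alert.state}")
```

The allow-list keyed on source IP is the weak point of this hunt: an attacker who relays commands through a host the RTU already trusts, which is exactly the conduit pattern described above, will not trip it, so the same parse should also feed a baseline of which IOAs each master normally commands and at what hours.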
Where Did CosmicEnergy Come From?
A comment in CosmicEnergy's code links it to a Russian cybersecurity company that received a government subsidy in 2019 to train cybersecurity experts and conduct electric power disruption and emergency response exercises. The researchers said the malware could have been developed by the Russian cybersecurity company or a related party to re-create real attack scenarios against energy grid assets.
Alternatively, the researchers said, it's possible that a different actor - either with or without permission - reused code associated with the 2019 training exercise to develop CosmicEnergy. Threat actors regularly adapt and make use of red-team tools to facilitate real-world attacks, while nation-state actors frequently rely on contractors to develop offensive capabilities.
"These observations leave open the possibility that CosmicEnergy was developed with malicious intent, and at a minimum that it can be used to support targeted threat activity in the wild," the researchers wrote.
CosmicEnergy's capabilities align with those of other malware families that have in the past disrupted electricity transmission and distribution, according to Mandiant. The malware also resembles earlier strains that were developed or packaged in Python and that relied on open-source libraries to implement OT protocols.
Given the increased use of Python in recent years to develop or package OT malware, Mandiant expects to keep seeing attackers build OT malware this way. The availability of open-source protocol projects lowers the barrier to entry for attackers who want to interact with OT devices, but Mandiant said proprietary OT protocols will likely continue to require custom implementations.
"While OT-oriented malware families can be purpose-built for a particular target environment, malware that takes advantage of insecure by design OT protocols … can be modified and employed multiple times to target multiple victims," the researchers wrote.