Researchers find Russian-linked malware that could bring power grids to a standstill
Security researchers have discovered new industrial control system malware, dubbed “CosmicEnergy”, which they believe could be used to disrupt critical infrastructure systems and power grids.
The malware was discovered by researchers at Mandiant, who compared CosmicEnergy’s capabilities to the destructive Industroyer malware that the Russian state-backed “Sandworm” hacking group used to knock out power in Ukraine in 2016.
Unusually, Mandiant says it discovered CosmicEnergy through threat hunting and not as a result of a cyberattack on critical infrastructure. The malware was uploaded to VirusTotal, a Google-owned malware and virus scanner, in December 2021 by a Russia-based submitter, according to Mandiant. Analysis by the cybersecurity firm shows that the malware may have been developed by Rostelecom-Solar, the cybersecurity arm of Russian national telecommunications operator Rostelecom, to support exercises such as those held in conjunction with the Russian Ministry of Energy in 2021.
“A contractor may have developed it as a red team tool for power outage simulation exercises hosted by Rostelecom-Solar,” Mandiant said. “However, given the lack of conclusive evidence, we consider it also possible that a different actor – with or without permission – reused code associated with the cyber range to develop this malware.”
Mandiant claims that not only do hackers adapt and routinely use red team tools to facilitate real-world attacks, but its analysis of CosmicEnergy reveals that the malware’s functionality is also comparable to that of other malware variants targeting industrial control systems (ICS), such as Industroyer, posing a “plausible threat to affected power grid assets”.
Mandiant tells TechCrunch that it hasn’t observed any CosmicEnergy attacks in the wild and notes that the malware lacks discovery capabilities, which means hackers would have to perform internal reconnaissance to get information about the environment, such as IP addresses and credentials, before launching an attack.
However, the researchers added that because the malware targets IEC-104, a network protocol commonly used in industrial environments that was also targeted in the 2016 attack on Ukraine’s power grid, CosmicEnergy poses a real threat to organizations involved in the transmission and distribution of electricity.
“The discovery of new OT [operational technology] malware poses an immediate threat to affected organizations because such discoveries are rare and because malware primarily takes advantage of insecure design features of OT environments that are unlikely to be patched anytime soon,” Mandiant researchers warned.
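The two preceding paragraphs make the defender's point: IEC-104 carries unauthenticated control commands by design, so the practical mitigation is to monitor the protocol for commands that change switchgear state. The following Python script is an added example, not code from the article or from Mandiant; it decodes the public IEC 60870-5-104 frame layout (start byte, length, four control-field bytes, then the ASDU) and flags I-frames whose ASDU type is a control command issued with cause-of-transmission "activation". The sample frames are constructed for illustration, not real captures, and the alert format is the script's own choice.

```python
"""
Minimal IEC 60870-5-104 APDU decoder that flags control ASDUs (commands
that change breaker/switch state) in captured traffic.

Added example for illustration; not part of the original article or of
Mandiant's analysis. Frame layouts follow the public IEC 60870-5-104
standard; the sample frames below are constructed, not real captures.
"""
import struct

START_BYTE = 0x68
COT_ACTIVATION = 6  # cause of transmission: a command is being issued

# ASDU type identifiers (IEC 60870-5-101/104) that carry control commands.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set-point normalised",
    49: "C_SE_NB_1 set-point scaled",
    50: "C_SE_NC_1 set-point float",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}


def parse_apdu(frame: bytes) -> dict:
    """Decode one APDU into a dict; raise ValueError on malformed input."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    apdu_len = frame[1]  # length of everything after the two-byte header
    if apdu_len < 4 or apdu_len + 2 != len(frame):
        raise ValueError("bad APDU length")
    ctl = frame[2:6]
    if ctl[0] & 0x01 == 0:
        fmt = "I"          # information transfer: carries an ASDU
    elif ctl[0] & 0x03 == 0x01:
        fmt = "S"          # supervisory (acknowledgement only)
    else:
        fmt = "U"          # unnumbered control (STARTDT/STOPDT/TESTFR)
    info = {"format": fmt}
    if fmt != "I":
        return info
    asdu = frame[6:]
    # ASDU header: type(1) VSQ(1) COT(1) originator(1) common address(2)
    # followed by a 3-byte information object address and the element.
    if len(asdu) < 10:
        raise ValueError("truncated ASDU")
    type_id, vsq = asdu[0], asdu[1]
    cot = asdu[2] & 0x3F
    common_addr = struct.unpack("<H", asdu[4:6])[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    info.update(type_id=type_id, num_objects=vsq & 0x7F, cot=cot,
                common_address=common_addr, ioa=ioa)
    if type_id in CONTROL_TYPES:
        info["control"] = CONTROL_TYPES[type_id]
        info["value"] = asdu[9]  # first byte of the command qualifier
    return info


def flag_control_commands(frames) -> list:
    """Return alert strings for frames issuing control commands or malformed."""
    alerts = []
    for i, frame in enumerate(frames):
        try:
            info = parse_apdu(frame)
        except ValueError as exc:
            alerts.append(f"frame {i}: malformed ({exc})")
            continue
        if "control" in info and info["cot"] == COT_ACTIVATION:
            alerts.append(
                f"frame {i}: {info['control']} CA={info['common_address']} "
                f"IOA={info['ioa']} value=0x{info['value']:02x}")
    return alerts


# Constructed sample frames (not real captures):
SAMPLE_FRAMES = [
    # I-frame, M_SP_NA_1 spontaneous single-point status, CA=1, IOA=100
    bytes.fromhex("680e00000000" "0101030001006400000 1".replace(" ", "")),
    # I-frame, C_SC_NA_1 single command, COT=activation, CA=1, IOA=1001, ON
    bytes.fromhex("680e02000000" "2d01060001 00e9030001".replace(" ", "")),
    # U-frame STARTDT act (no ASDU)
    bytes.fromhex("680407000000"),
    # Truncated frame: length field promises 14 bytes but only 4 follow
    bytes.fromhex("680e00000000"),
]

if __name__ == "__main__":
    for line in flag_control_commands(SAMPLE_FRAMES):
        print(line)
```

Run as-is, the script reports the single command in frame 1 and the truncated frame 3, while the monitoring report in frame 0 and the STARTDT frame in frame 2 stay quiet. In a real deployment the frames would come from a span port or packet capture on the SCADA network, and the alert would be enriched with source address and whether that host is an expected master station.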
Mandiant’s discovery of new ICS-oriented malware comes after Microsoft revealed this week that Chinese state-backed hackers had breached US critical infrastructure. According to the report, a spy group Microsoft calls “Volt Typhoon” has targeted the US island territory of Guam and may attempt to “disrupt critical communications infrastructure between the United States and the Asian region in future crises.”
In light of the report, the US government said it was working with its Five Eyes partners to identify potential breaches. Microsoft says the group tried to gain access to organizations in communications, manufacturing, utilities, transportation, construction, shipping, government, information technology and education.