CosmicEnergy: A New Malware Threat to Industrial Control Systems

A new piece of malware designed to target industrial control systems (ICS) and operational technology (OT) has been discovered. The malware, dubbed “COSMICENERGY,” was first uploaded to VirusTotal in December 2021 by a submitter in Russia. Mandiant, the cybersecurity firm that analyzed the sample, found that its capabilities resemble those of an earlier ICS-focused malware family known as INDUSTROYER, which was used in the December 2016 attack that cut power in Ukraine and has been attributed to the Russian state.

COSMICENERGY Malware Overview

According to Mandiant, the malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly used in electric transmission and distribution operations in Europe, the Middle East, and Asia. IEC-104 is the TCP/IP-based telecontrol protocol a SCADA master uses to read measurements from, and send switching commands to, substation equipment, so a tool that speaks it can issue the same commands a legitimate control center would.

The COSMICENERGY malware execution chain, as depicted by Mandiant. Mandiant assesses that the tool may have been developed to support Russian government-backed power disruption and emergency response exercises. (Source: Mandiant)

COSMICENERGY is modular: rather than a single binary, it consists of two components that are chained together to carry out an attack. A Python-based tool connects to a remote MSSQL server in the victim environment, uploads the second component, and uses it to send remote commands to an RTU; that second component, written in C++, implements the IEC-104 protocol over TCP and crafts ASDU messages that set the state of RTU information object addresses (IOAs) to ON or OFF. In a power environment those IOAs typically map to line switches and circuit breakers, so the end effect of the commands is a physical change in the grid.

Mandiant believes that COSMICENERGY is still under development, but it is already capable of causing significant disruption. The malware has no discovery capability of its own, so an operator would first need to perform internal reconnaissance to obtain the MSSQL server address and credentials and the IP addresses and IEC-104 addressing of the target RTUs. Even so, the firm urges OT asset owners running IEC-104 compliant devices to take action now to pre-empt attacks that use the malware or a derivative of it.
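The passage above describes the IEC-104 command traffic this malware generates and the kind of check an asset owner would want in place. The following is an added example, not code from Mandiant or from the malware itself: it encodes the single-command ASDU (type 45) that switches an IOA ON or OFF, decodes it back, and runs a triage pass over constructed traffic that escalates any control-direction activation not sent by the expected SCADA master. The host addresses, common address, IOA and the sample traffic are all made up for the example.

```python
"""Added example (not Mandiant's or the malware's code): encode, decode and triage
IEC 60870-5-104 control commands.  Hosts, addresses and traffic are constructed."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

START_BYTE = 0x68
COT_ACTIVATION = 6            # cause of transmission: activation (a real command)
COT_DEACTIVATION = 8

# Control-direction ASDU type IDs that change the state of field equipment
# (switches, breakers, tap changers).  Everything else is monitoring or housekeeping.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command (time-tagged)",
    59: "C_DC_TA_1 double command (time-tagged)",
}


def build_single_command(ioa: int, on: bool, common_addr: int = 1,
                         send_seq: int = 0, recv_seq: int = 0,
                         select: bool = False) -> bytes:
    """Return an I-format APDU carrying one C_SC_NA_1 (type 45) ASDU.
    APCI: 0x68, length of the rest, N(S)<<1 and N(R)<<1 as little-endian shorts.
    ASDU: type, VSQ (1 object), COT, originator, 2-byte common address,
          3-byte information object address, SCO byte (bit 0 = ON/OFF,
          bit 7 = select (1) or execute (0))."""
    sco = (1 if on else 0) | (0x80 if select else 0)
    asdu = struct.pack("<BBBBH", 45, 1, COT_ACTIVATION, 0, common_addr)
    asdu += ioa.to_bytes(3, "little") + bytes([sco])
    apci = bytes([START_BYTE, 4 + len(asdu)]) + struct.pack("<HH", send_seq << 1, recv_seq << 1)
    return apci + asdu


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    ioa: Optional[int]
    element: Optional[int]     # first information element byte, if present


def parse_apdu(frame: bytes) -> Optional[Asdu]:
    """Decode one APDU: the ASDU header for I-frames, None for S/U frames.
    Malformed input raises ValueError instead of being guessed at."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if frame[1] != len(frame) - 2:
        raise ValueError("APCI length field does not match frame size")
    if frame[2] & 0x01:             # bit 0 set: S-format (01) or U-format (11), no ASDU
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    type_id, _vsq, cot_byte, _orig, ca = struct.unpack("<BBBBH", asdu[:6])
    ioa = int.from_bytes(asdu[6:9], "little") if len(asdu) >= 9 else None
    element = asdu[9] if len(asdu) >= 10 else None
    return Asdu(type_id, cot_byte & 0x3F, ca, ioa, element)   # low 6 bits = cause


def detect_control_commands(packets: Iterable[tuple], allowed_masters: set) -> list:
    """Triage (src_ip, dst_ip, apdu) tuples.  Every control-direction activation is
    recorded; those not sent by an allowed SCADA master are escalated to 'alert'."""
    findings = []
    for src, dst, frame in packets:
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in CONTROL_TYPES:
            continue
        if asdu.cot not in (COT_ACTIVATION, COT_DEACTIVATION):
            continue                # RTU confirmations (COT 7/10) echo the same type ID
        findings.append({
            "severity": "audit" if src in allowed_masters else "alert",
            "src": src, "dst": dst, "command": CONTROL_TYPES[asdu.type_id],
            "ioa": asdu.ioa,
            # SCS (bit 0) for single commands, DCS (bits 0-1) for double commands
            "state": None if asdu.element is None else asdu.element & 0x03,
        })
    return findings


# Constructed sample traffic (not a real capture); addresses are made up.
MASTER, RTU, WORKSTATION = "10.0.1.10", "10.0.2.50", "10.0.3.77"
INTERROGATION = bytes([0x68, 0x0E, 0, 0, 0, 0,         # APCI, N(S)=0, N(R)=0
                       100, 1, 6, 0, 1, 0,             # C_IC_NA_1, COT=activation, CA=1
                       0, 0, 0, 20])                   # IOA 0, QOI 20 (station interrogation)
CMD_ON = build_single_command(ioa=100, on=True, send_seq=1)
ACTCON = CMD_ON[:8] + bytes([7]) + CMD_ON[9:]          # RTU echoes the command with COT=7
CMD_OFF_ROGUE = build_single_command(ioa=100, on=False)
S_FRAME = bytes([0x68, 4, 0x01, 0, 0, 0])              # supervisory frame, no ASDU

SAMPLE_TRAFFIC = [
    (MASTER, RTU, INTERROGATION),
    (MASTER, RTU, CMD_ON),
    (RTU, MASTER, ACTCON),
    (RTU, MASTER, S_FRAME),
    (WORKSTATION, RTU, CMD_OFF_ROGUE),
]

if __name__ == "__main__":
    for finding in detect_control_commands(SAMPLE_TRAFFIC, {MASTER}):
        print(finding)
```

Run as a script, the triage pass reports the master's ON command as an audit entry and the OFF command from the engineering workstation as an alert; the interrogation, the RTU's confirmation and the S-frame are ignored. The allowlist check is deliberately simple: in a real deployment the source set would come from the asset inventory, and a command whose COT is activation but whose source is not a master is exactly the traffic pattern a tool like the one described above produces.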

Russian Ties to COSMICENERGY Malware Creation

Mandiant cautions that more research and analysis will be required to firmly attribute the origins of the malware strain. The available evidence, including a code comment that references a project name associated with Rostelecom-Solar, a Russian telecom and cybersecurity company, points to that company or an associated entity as the developer. Mandiant notes the possibility that the tool was written as a red-team capability for grid exercises and later repurposed, as well as the possibility that a different actor reused the code.

A leak of more than 5,000 documents in March 2023 from a Russian IT contractor named NTC Vulkan had already highlighted Russia’s interest in building offensive operational technology tools for industrial control systems.
