New Russia-linked malware can physically harm power grids, Mandiant reports

In December 2021, a user with a Russian IP address uploaded mysterious malware to Google's virus scanning service VirusTotal.

According to an analysis published Thursday by Mandiant security researchers, this malicious software is designed to disrupt and damage critical infrastructure systems, including power grids.

The malware, labeled CosmicEnergy by Mandiant, is similar to Industroyer, used by Russia to attack Ukraine’s energy infrastructure in 2022 and 2016.

Mandiant suggested that CosmicEnergy also has ties to Russia. The researchers discovered a comment in the code linking it to a "Solar Polygon'' project organized by Rostelecom, Russia’s largest telecom firm, to train cybersecurity specialists.

Last year, the Russian government made a commitment to invest $24 million in the project. Its goal is to safeguard Russia's banking, energy, and oil infrastructure against potential cyberattacks.

Mandiant suggested that CosmicEnergy was created to simulate actual attack scenarios on the Russian energy grid, similar to the red-teaming exercise organized by Rostelecom in partnership with the Russian Ministry of Energy in 2021.

Although researchers don't have enough evidence to determine the exact origin or purpose of CosmicEnergy, the discovery is concerning because hackers can repurpose the malware and direct it toward existing critical infrastructure facilities.

“Threat actors regularly adapt and make use of red team tools to facilitate real-world attacks,” the researchers said. So far it has not been used for attacks, they said.

How it works

CosmicEnergy was created to target a communication protocol commonly used in the electric power industry in Europe, the Middle East, and Asia. This protocol facilitates the exchange of data between control centers and various devices, including remote terminal units (RTUs), that are essential for operating and controlling electric transmission and distribution systems.

In a 2016 attack on Ukraine, the Industroyer malware issued commands to interact with RTUs, disrupting the power grid and leaving parts of Ukraine’s capital Kyiv without electricity for an hour.

Mandiant says CosmicEnergy has two disruption tools used to carry out attacks: PieHop (written in Python) and LightWork (written in C++). The sample of PieHop obtained by Mandiant contains some errors that, if hackers choose to deploy it, can be easily fixed, the researchers said.

Danger in its lineage

In addition to the Russian Industroyer malware, CosmicEnergy shares technical similarities with other malware specifically designed for industrial targets. This includes the Triton malware, which was used in a cyberattack on a Saudi Arabian petrochemical facility in 2017, as well as the Incontroller malware, which is created to manipulate and disrupt industrial processes.

Industrial-focused malware typically exploits protocols that are insecure by design, allowing hackers to modify and reuse malicious software to target multiple victims. Also, the availability of open-source projects that implement these protocols can lower the barrier of entry for hackers, according to Mandiant.

The discovery of such malware “presents an immediate threat to affected organizations,” since these discoveries are rare and because the malware takes advantage of insecure by-design features of industrial environments that are unlikely to be fixed any time soon, the researchers conclude.