Mandiant security researchers have uncovered a new malware named CosmicEnergy, which is linked to Russian cybersecurity firm Rostelecom-Solar. This malware specifically targets IEC-104-compliant remote terminal units (RTUs) used in electric transmission and distribution operations across Europe, the Middle East, and Asia.
CosmicEnergy shares similarities with previous OT malware like Industroyer and Industroyer.V2, suggesting a connection to previous attacks on Ukrainian energy providers.
CosmicEnergy was discovered when a sample was uploaded to the VirusTotal malware analysis platform by someone with a Russian IP address in December 2021. Analysis of the leaked sample revealed that the malware is Python-based and utilizes open-source libraries for OT protocol implementation.
It likely gains access to the target’s OT systems through compromised MSSQL servers using the Piehop disruption tool.
Mandiant believes that CosmicEnergy may have been developed as a red teaming tool by Rostelecom-Solar to simulate disruption exercises. The suspicion is based on public information regarding the firm’s funding from the Russian government for cybersecurity training and simulating electric power disruption.
While the exact origin and purpose of CosmicEnergy have not been confirmed, the malware poses a potential threat to electric grid assets, similar to other red team tools.
The discovery of CosmicEnergy adds to the list of malware families deployed by Russian hacking groups in destructive attacks, including WhisperGate/WhisperKill, FoxBlade, SonicVote, and Industroyer2.
The Sandworm Russian military hackers previously used Industroyer2 to target the ICS network of a prominent Ukrainian energy provider. Although their attempt to disrupt energy delivery failed, these incidents highlight the ongoing concern of cyber threats to critical infrastructure.