Industrial cybersecurity firm Dragos has warned that the recently discovered CosmicEnergy malware should not be ignored, even though it poses no immediate threat to operational technology (OT). The malware, which is capable of targeting industrial control systems (ICS), was detailed by Mandiant in May and has been linked to Russian threat actors. It is designed to interact with ICS devices used in electric transmission and distribution, and could potentially disrupt electric grids.
While Dragos acknowledges that CosmicEnergy lacks the full-fledged attack capabilities of other ICS malware, it recommends that organizations strengthen their security measures and monitor their MS SQL servers to reduce the impact of any future attack that builds on the same approach.
Mandiant’s report revealed that the CosmicEnergy malware could be used by threat actors to tamper with power line switches and circuit breakers through remote commands, posing a plausible threat to affected electric grid assets.
The malware primarily targets remote terminal units (RTUs) commonly used in Europe, the Middle East, and Asia. It comprises two main components: LightWork, which uses the IEC104 (IEC 60870-5-104) communication protocol to change the state of RTUs, and PieHop, which connects to a specified remote MSSQL server to upload files and issue remote commands to an RTU by way of LightWork.
Dragos’ analysis of CosmicEnergy highlighted that the malware does not currently pose an immediate risk to OT. They found no evidence of it being deployed in the wild and suggested that it may have been created for training scenarios, as it contains hardcoded parameters specific to a particular range of equipment.
However, Dragos stressed that organizations should reassess their firewall rules and configurations and monitor the ICS protocols traversing their networks. While the existence of CosmicEnergy may not warrant immediate concern, organizations should have robust measures in place to detect and mitigate future attacks, since this is the third discovery of tooling that targets IEC104 (after Industroyer and Industroyer2).
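The two practical points above, that LightWork drives RTUs over IEC104 and that defenders should monitor ICS protocols crossing their networks, come together in a small detection. The parser below is an added example, not code from Dragos, Mandiant or the CosmicEnergy samples. It relies only on the public IEC 60870-5-104 framing (start byte 0x68, APDU length, four control-field bytes, then an ASDU with type ID, variable structure qualifier, cause of transmission, common address and information object address) and on the assumption that a LightWork-style tool must send process commands such as single command C_SC_NA_1 (type 45) or double command C_DC_NA_1 (type 46) with cause of transmission "activation" to flip a switch or breaker. The sample frames, IP addresses and the allow-list of SCADA masters are constructed for the example.

```python
"""Minimal IEC 60870-5-104 (IEC 104) parser with an alert for process commands
sent by hosts that are not an expected SCADA master.

Added example; not code from Dragos, Mandiant or CosmicEnergy.  Sample frames,
IP addresses and the allow-list are constructed for the demonstration.
"""
from __future__ import annotations

import struct

START_BYTE = 0x68
COT_ACTIVATION, COT_DEACTIVATION = 6, 8

# Process-command type IDs in the control direction (IEC 60870-5-101 tables).
COMMAND_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set-point, normalised",
    49: "C_SE_NB_1 set-point, scaled",
    50: "C_SE_NC_1 set-point, short float",
    51: "C_BO_NA_1 bitstring command",
    58: "C_SC_TA_1 single command with CP56Time2a",
    59: "C_DC_TA_1 double command with CP56Time2a",
}


def split_apdus(payload: bytes) -> list[bytes]:
    """Cut one TCP payload into APDUs; each frame carries its own length byte."""
    frames, i = [], 0
    while i + 2 <= len(payload):
        if payload[i] != START_BYTE:
            raise ValueError(f"expected 0x68 at offset {i}, got {payload[i]:#x}")
        end = i + 2 + payload[i + 1]
        if end > len(payload):
            break  # truncated frame: wait for the rest of the stream
        frames.append(payload[i:end])
        i = end
    return frames


def parse_apdu(frame: bytes) -> dict:
    """Decode the APCI and, for I-format frames, the ASDU header and first IOA."""
    ctrl = frame[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"                      # information transfer: carries an ASDU
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"                      # supervisory (acknowledge only)
    else:
        fmt = "U"                      # unnumbered control (STARTDT, TESTFR, ...)
    apdu = {"format": fmt}
    if fmt != "I":
        return apdu
    asdu = frame[6:]
    type_id, vsq = asdu[0], asdu[1]
    cot_byte, originator = asdu[2], asdu[3]
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    apdu.update(type_id=type_id, num_objects=vsq & 0x7F, sq=bool(vsq & 0x80),
                cot=cot_byte & 0x3F, negative=bool(cot_byte & 0x40),
                originator=originator, common_addr=common_addr, objects=[])
    body = asdu[6:]
    ioa = int.from_bytes(body[0:3], "little")
    # Single and double commands are decoded down to the ON/OFF state and the
    # select/execute flag; every other type is reported by type ID and IOA.
    if type_id == 45 and len(body) >= 4:
        sco = body[3]
        apdu["objects"].append({"ioa": ioa, "state": "ON" if sco & 1 else "OFF",
                                "select": bool(sco & 0x80)})
    elif type_id == 46 and len(body) >= 4:
        dcs = body[3] & 0x03
        apdu["objects"].append({"ioa": ioa, "state": {1: "OFF", 2: "ON"}.get(dcs, "INVALID"),
                                "select": bool(body[3] & 0x80)})
    else:
        apdu["objects"].append({"ioa": ioa})
    return apdu


def control_command_alerts(payload: bytes, src_ip: str, allowed_masters: set[str]) -> list[str]:
    """Return one alert per activation/deactivation command from an unexpected host."""
    alerts = []
    for frame in split_apdus(payload):
        apdu = parse_apdu(frame)
        if apdu["format"] != "I" or apdu["type_id"] not in COMMAND_TYPES:
            continue
        if apdu["cot"] not in (COT_ACTIVATION, COT_DEACTIVATION) or src_ip in allowed_masters:
            continue
        obj = apdu["objects"][0]
        alerts.append(f"{src_ip} -> CA {apdu['common_addr']} IOA {obj['ioa']}: "
                      f"{COMMAND_TYPES[apdu['type_id']]} {obj.get('state', '')}".rstrip())
    return alerts


# Constructed sample traffic (not captured): STARTDT act, a spontaneous float
# measurement from the RTU, and two process commands a LightWork-style tool
# would have to send (single command ON to IOA 100, double command OFF to IOA 201).
STARTDT_ACT = bytes.fromhex("680407000000")
MEASUREMENT = bytes.fromhex("6812" "02000200" "0d01" "0300" "0100" "c80000" "00006643" "00")
SINGLE_CMD_ON = bytes.fromhex("680e" "00000000" "2d01" "0600" "0100" "640000" "01")
DOUBLE_CMD_OFF = bytes.fromhex("680e" "02000200" "2e01" "0600" "0100" "c90000" "01")
ALLOWED_MASTERS = {"10.0.1.10"}  # assumed HMI/SCADA master address

if __name__ == "__main__":
    stream = STARTDT_ACT + MEASUREMENT + SINGLE_CMD_ON + DOUBLE_CMD_OFF
    for line in control_command_alerts(stream, "10.0.5.77", ALLOWED_MASTERS):
        print("ALERT", line)
```

Running the block against the constructed stream from the unexpected host 10.0.5.77 reports the two process commands and stays silent on the STARTDT and measurement frames; the same stream from 10.0.1.10 produces no alert. In a real deployment the allow-list would come from the asset inventory, the parser would sit behind a TCP reassembler on port 2404, and select-before-execute sequences would be tracked across frames rather than judged one APDU at a time.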