Mandiant recommends threat-hunting steps to detect COSMICENERGY despite no confirmed attacks in the wild.

Electricity grid

Over the past few years state-sponsored attackers have been ramping up their capabilities of hitting critical infrastructure like power grids to cause serious disruptions. A new addition to this arsenal is a malware toolkit that seems to have been developed for red-teaming exercises by a Russian cybersecurity company.

Dubbed COSMICENERGY by researchers from Mandiant, the malware can interact with remote terminal units (RTUs) and other operational technology (OT) devices that communicate over the specialized IEC 60870-5-104 (IEC-104) protocol and are commonly used for electrical engineering and power automation.

“COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed,” the Mandian researchers said in their report. “Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104.”

Red team framework inspired by past attacks

INDUSTROYER, also known as Crashoverride, is a malware program that was used in 2016 against the Ukrainian power grid and left a fifth of Kyiv, the country’s capital, without power for one hour. The malware reached RTUs on the OT network via MS-SQL servers that acted as data historians, then issued ON/OFF commands via the IEC-104 to impact power line switches and circuit breakers.

INDUSTROYER’s creation and use is attributed to Sandworm, an APT group that’s believed to be a cyberwar unit within the GRU, Russia’s military intelligence service. In 2022, Sandworm attempted another attack against Ukraine’s power grid using an updated version of the malware dubbed INDUSTROYER.V2.

The new COSMICENERGY toolkit found by Mandiant was uploaded to a public malware scanning service in December 2021 by someone in Russia. An analysis of the code suggests that it was created for red team exercises hosted by a Russian cybersecurity company called Rostelecom-Solar that has ties to the Russian government.

“Although we have not identified sufficient evidence to determine the origin or purpose of COSMICENERGY, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets,” the researchers said. “It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St. Petersburg’s International Economic Forum (SPIEF).”

Rostelecom-Solar has received funding from the Russian government to train cybersecurity experts and conduct electric power disruption and emergency response exercises. A module in the malware toolkit contains a reference to Solar Polygon and searchers for this term tie it to Rostelecom-Solar.

According to Mandiant, despite its apparent ties to red team exercises, the possibility exists that this malware toolkit has or can be repurposed for real-world attacks, including by Russian nation-state actors that have used private contractors before to develop tools.

Manually deployed two-component malware payload

COSMICENERGY is made up of two components — one written in Python and one in C++. The Python-based component, which Mandiant has dubbed PIEHOP, is designed to connect to MS-SQL servers and upload files or issue commands. Once connected, it deploys the second component dubbed LIGHTWORK which is designed to issue ON and OFF commands to connected RTUs via IEC-104 over TCP.

“It crafts configurable IEC-104 Application Service Data Unit (ASDU) messages, to change the state of RTU Information Object Addresses (IOAs) to ON or OFF,” the researchers said. “LIGHTWORK utilizes positional command line arguments for target device, port, and IEC-104 command.”

The IOAs correlate with inputs and outputs on RTUs, which depending on configuration and deployment could map to connected circuit breakers or power line switches. However, the IOAs mappings can differ between different RTU manufacturers, individual devices and even environments, according to Mandiant, which means the attackers need to have pre-existing reconnaissance information about the deployment they’re targeting. The analyzed LIGHTWORK sample had eight hard-coded IOAs, but it’s hard to determine what was the attackers’ intention when issuing commands to them without knowledge of the exact targeted assets.

Furthermore, the PIEHOP component and the malware itself don’t have any network discovery capabilities built in, which means that attackers need to already have information about the targeted MSSQL servers and RTUs, such as credentials and IP addresses, to deploy the components successfully. This makes it a post-intrusion toolkit.

While COSMICENERGY doesn’t share any code with previous OT malware tools, it does borrow techniques from several of them, aside from INDUSTROYER: The use of Python for OT malware development has also been observed with IRONGATE and TRITON; the use of open-source libraries that implement proprietary OT protocols and lower the bar for developing such threats; and the abuse of protocols that are insecure by design such as IEC-104 and lack authentication or encryption mechanisms.

How to mitigate and detect COSMICENERGY

While there’s no evidence that COSMICENERGY has been used in attacks in the wild, the possibility cannot be discounted and at the very least it can serve as inspiration for other OT malware developers, just like INDUSTROYER served as inspiration for its creators.

The Mandiant report contains indicators of compromise and file hashes, but the company also recommends that organizations conduct active threat hunting:

  • Establish collection and aggregation of host-based logs for crown jewels systems such as human-machine interfaces (HMI), engineering workstations (EWS), and OPC client servers within their environments and review logs for the evidence of Python script or unauthorized code execution on these systems.
  • Identify and investigate the creation, transfer, and/or execution of unauthorized Python-packaged executables (e.g., PyInstaller or Py2Exe) on OT systems or systems with access to OT resources.
  • Monitor systems with access to OT resources for the creation of legitimate temporary folders, files, artifacts, and external libraries required as evidence of the execution of packaged Python scripts, eg. the creation of a temporary “_MEIPASS” PyInstaller folder.
  • Monitor MSSQL Servers with access to OT systems and networks for evidence of: reconnaissance and enumeration activity of MSSQL servers and credentials, unauthorized network connections to MSSQL servers (TCP/1433) and irregular or unauthorized authentication, enablement and usage of SQL extended stored procedures for Windows shell command execution and the transfer, creation, staging, and decoding of base64 encoded executables.

Lucian Constantin is a senior writer at CSO, covering information security, privacy, and data protection.

Copyright © 2023 IDG Communications, Inc.