COSMICENERGY Malware

A newly identified malware known as COSMICENERGY has drawn the attention of cybersecurity researchers. This malware specifically targets Operational Technology (OT) and Industrial Control Systems (ICS), focusing on causing disruptions in electric power infrastructure. It achieves this by exploiting vulnerabilities in IEC 60870-5-104 (IEC-104) devices, particularly Remote Terminal Units (RTUs) commonly utilized in electric transmission and distribution operations across Europe, the Middle East and Asia.

Upon analyzing COSMICENERGY, researchers have discovered that its functionalities closely resemble those observed in previous incidents involving malware, such as INDUSTROYER and INDUSTROYER.V2. These past malware variants were specifically designed to disrupt electricity transmission and distribution systems by exploiting the IEC-104 protocol.

The emergence of COSMICENERGY highlights a concerning trend: the decreasing barriers to entry for developing offensive capabilities in the realm of OT. Evil-minded actors are leveraging knowledge gained from previous attacks to create new and sophisticated malware, posing significant risks to critical infrastructure.

The Intrusive Capabilities of the COSMICENERGY Malware

The COSMICENERGY Malware shares similarities with the 2016 INDUSTROYER incident in terms of its capabilities and attack strategy. In a manner reminiscent of INDUSTROYER, COSMICENERGY utilizes IEC-104 ON/OFF commands to interact with remote terminal units (RTUs), potentially employing an MSSQL server as a conduit system to access operational technology (OT) infrastructure. By gaining this access, an attacker can remotely manipulate power line switches and circuit breakers, leading to power disruptions. COSMICENERGY consists of two primary components: PIEHOP and LIGHTWORK.

PIEHOP, written in Python and packaged with PyInstaller, serves as a disruption tool. It is capable of establishing connections with user-supplied remote MSSQL servers, allowing for file uploads and issuing remote commands to RTUs. PIEHOP relies on LIGHTWORK to send IEC-104 commands, specifically 'ON' or 'OFF,' to the targeted system. After issuing the command, the executable is promptly deleted. However, the obtained sample of PIEHOP exhibits programming logic errors that prevent it from successfully executing its IEC-104 control capabilities. Nonetheless, researchers believe that these errors can be easily rectified by the developers of the threat.

On the other hand, LIGHTWORK, written in C++, functions as a disruption tool that implements the IEC-104 protocol to modify the state of RTUs over TCP. It crafts customizable IEC-104 Application Service Data Unit (ASDU) messages to alter the state of RTU Information Object Addresses (IOAs) to either 'ON' or 'OFF.' LIGHTWORK utilizes positional command line arguments to specify the target device, port, and IEC-104 command.

COSMICENERGY exhibits a notable absence of discovery capabilities, indicating that the malware operator would need to conduct an internal reconnaissance prior to launching a successful attack. This reconnaissance phase involves gathering specific environment information, including MSSQL server IP addresses, MSSQL credentials and the IP addresses of targeted IEC-104 devices.

Similarities between COSMICENERGY and Other Malware Threats

While COSMICENERGY is distinct from known malware families, its capabilities demonstrate notable similarities to those observed in previous incidents. Particularly, researchers note significant resemblances between COSMICENERGY and the INDUSTROYER and INDUSTROYER.V2 malware variants, both of which were previously deployed to disrupt electricity transmission and distribution systems.

In addition to the similarities with INDUSTROYER, COSMICENERGY shares technical characteristics with other families of operational technology (OT) malware. These similarities include the use of Python for development or packaging and the utilization of open-source libraries for implementing OT protocols. Notable OT malware families that exhibit these technical resemblances include IRONGATE, TRITON and INCONTROLLER.

By examining these similarities, security professionals can gain a deeper understanding of the potential origins, techniques, and implications associated with COSMICENERGY.