Attackers use COSMICENERGY malware to disrupt OT and ICS

June 20, 2023

A cybercriminal campaign has leveraged the newly discovered COSMICENERGY malware to infiltrate and disrupt systems used in critical infrastructure such as power grids. An individual allegedly based in Russia uploaded the malware to VirusTotal in December a couple of years ago.

Based on reports, researchers have classified COSMICENERGY as a red-teaming tool developed by a Russian telecommunication firm to simulate emergency response drills held in October 2021.

The malware’s primary capability could cause electric power interruption by communicating with IEC 60870-5-104 devices. These devices, such as remote terminal units (RTUs), are used for electrical transmission and distribution tasks in Asia, Europe, and the Middle East.

The malware, however, lacks substantial intrusion and discovery capabilities, so its operators must run internal reconnaissance of the network to identify the IP addresses of the IEC-104 devices.

The threat actors must first carry out a chain of activities to deploy COSMICENERGY on their targets.

According to investigations, the threat actors must first compromise a computer inside the targeted network to execute the COSMICENERGY attack. Next, they look for an MS SQL server, since it has access to the RTUs, and collect its credentials.

The attackers then infect the device with two components (PIEHOP and LIGHTWORK), a pair of disruption tools coded in C++ and Python, which transmit the IEC-104 commands that connect to the industrial equipment.

With that access, the malware operators can send remote commands that actuate power circuit breakers and line switches, resulting in power interruption.

Cybersecurity experts claimed that COSMICENERGY resembles Sandworm’s Industroyer tool, since both abuse an industrial communication protocol to relay commands to RTUs.

The emergence of this malware poses an immediate security threat to the many organisations that employ similar products. The malware sometimes exploits insecure design features of OT environments, which can take considerable time to fix.

However, once security teams obtain the necessary details about the threat, they can develop mitigations against the malware. Organisations, especially in the industrial sector, should therefore be wary of such threats.
