Mandiant Analyzes New Russia-Linked ICS Malware Designed to Disrupt Electric Grids
On May 25th, 2023, security firm Mandiant revealed its analysis of a new piece of malware specifically targeting industrial control systems (ICS) and operational technology (OT). The malware, named CosmicEnergy, is believed to be linked to Russia and designed to cause power disruption in electric grids. Mandiant stated that the malware targets devices that speak IEC 60870-5-104 (IEC-104), a protocol for telecontrol (remote monitoring and control) in electric power systems. CosmicEnergy is designed to interfere with the actuation of electric power line switches and circuit breakers by sending remote commands to remote terminal units (RTUs) of a kind commonly used in electric transmission and distribution projects across Europe, the Middle East, and other parts of Asia.
The Components of CosmicEnergy
The malware has two components, LightWork and PieHop. LightWork is responsible for crafting the IEC-104 protocol messages that change an RTU's state (on or off). PieHop connects to a specified remote MSSQL server and issues the remote commands to an RTU by invoking LightWork.
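Because the page describes the threat in terms of IEC-104 switching commands sent to RTUs, the defensive question is how to spot such commands on the wire. The following is an added example, not code from the article or from Mandiant: a minimal IEC-104 APDU parser plus a detection rule that flags control-command ASDUs (type identifiers 45, 46, 47, 58, 59 with cause of transmission "activation") coming from any host that is not a known SCADA master. The sample packets, the IP addresses and the allow-list of authorised masters are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IEC-104 ASDU type identifiers that carry process control commands. Types 45/46
# (single/double command) are the ones used to open or close switches and breakers.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: the controlling station issues a command

# Constructed allow-list (assumption): the only host permitted to issue commands.
AUTHORISED_MASTERS = {"10.1.1.5"}


@dataclass
class Apdu:
    frame_type: str               # "I" (information), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int]        # ASDU type identifier, I-frames only
    cot: Optional[int]            # cause of transmission (low 6 bits), I-frames only
    common_addr: Optional[int]    # common address of ASDU (station address)
    ioa: Optional[int]            # information object address of the first object
    command_state: Optional[str]  # decoded ON/OFF for command types 45/46/58/59


def parse_apdu(data: bytes) -> Apdu:
    """Decode one IEC-104 APDU: 0x68, length, 4 control bytes, then the ASDU."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    apdu_len = data[1]
    if apdu_len != len(data) - 2:
        raise ValueError(f"length field {apdu_len} does not match {len(data) - 2} bytes")
    ctrl1 = data[2]
    if ctrl1 & 0x03 == 0x03:          # U-format (STARTDT / STOPDT / TESTFR)
        return Apdu("U", None, None, None, None, None)
    if ctrl1 & 0x03 == 0x01:          # S-format (acknowledgement only)
        return Apdu("S", None, None, None, None, None)
    asdu = data[6:]                   # I-format: ASDU follows the 4 control bytes
    if len(asdu) < 6:
        raise ValueError("truncated ASDU header")
    # Type ID, variable structure qualifier, COT low byte, originator address, common address
    type_id, _vsq, cot_lo, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    cot = cot_lo & 0x3F
    ioa = state = None
    if len(asdu) >= 9:                # 3-byte little-endian information object address
        ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    if type_id in (45, 58) and len(asdu) >= 10:    # SCO: bit 0 is the single command state
        state = "ON" if asdu[9] & 0x01 else "OFF"
    elif type_id in (46, 59) and len(asdu) >= 10:  # DCO: bits 0-1, 1 = OFF, 2 = ON
        state = {1: "OFF", 2: "ON"}.get(asdu[9] & 0x03, "INVALID")
    return Apdu("I", type_id, cot, common_addr, ioa, state)


def check_command(src_ip: str, data: bytes, authorised_masters: set) -> Optional[str]:
    """Return an alert string when a control command arrives from an unauthorised host."""
    apdu = parse_apdu(data)
    if apdu.frame_type != "I" or apdu.type_id not in CONTROL_TYPE_IDS:
        return None
    if apdu.cot != COT_ACTIVATION:
        return None  # confirmations/terminations are echoed by the RTU, not issued to it
    if src_ip in authorised_masters:
        return None
    return (f"ALERT {src_ip}: {CONTROL_TYPE_IDS[apdu.type_id]} {apdu.command_state} "
            f"to IOA {apdu.ioa} (CA {apdu.common_addr}) from unauthorised host")


# Constructed sample traffic: (source IP, raw APDU bytes).
SAMPLES = [
    ("10.1.1.5",  bytes.fromhex("680E 00000000 2D 01 06 00 0100 E80300 01")),  # master: single cmd ON, IOA 1000
    ("10.1.9.77", bytes.fromhex("680E 00000000 2E 01 06 00 0100 E90300 01")),  # unknown host: double cmd OFF, IOA 1001
    ("10.1.1.5",  bytes.fromhex("6804 43000000")),                             # U-frame TESTFR act (keepalive)
    ("10.1.2.20", bytes.fromhex("680E 00000000 01 01 03 00 0100 640000 01")),  # RTU spontaneous single-point info
]


def run_detection(samples, authorised_masters):
    """Apply check_command to every captured APDU and collect the alerts."""
    return [alert for alert in (check_command(ip, pkt, authorised_masters)
                                for ip, pkt in samples) if alert]


if __name__ == "__main__":
    for line in run_detection(SAMPLES, AUTHORISED_MASTERS):
        print(line)
```

Only the second sample produces an alert: it is a double command with cause "activation" from a host outside the allow-list. The keepalive U-frame and the RTU's spontaneous measurement are ignored, and the command from the authorised master passes. In practice the parser would be fed from a TCP/2404 capture or a network tap, and the allow-list would come from the SCADA inventory.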
Attribution: Conclusive Evidence Lacking
According to Mandiant's analysis, CosmicEnergy is incapable of carrying out an attack on its own: an attacker must first collect target IP addresses and credentials by other means. Notably, the malware was uploaded to a malware scanning service by a person from Russia in December 2021. The security firm assessed that the malware may have been developed by a contractor at the Russian cybersecurity company Rostelecom-Solar as a red teaming tool for power disruption and emergency response exercises. In 2019, Rostelecom-Solar received a subsidy from the Russian government to help train cybersecurity experts and facilitate such exercises. Despite these suspicions, conclusive evidence was lacking.
Their Observations and Warnings
Mandiant also noted that threat actors have often used red team tools to facilitate real-world cyberattacks, and that they regularly adapt commercially available exploitation frameworks to carry out targeted threat activity. Previous OT malware families, such as Industroyer and Incontroller, were likewise designed to cause physical damage or disruption and share similarities with CosmicEnergy. Mandiant therefore believes that CosmicEnergy could potentially be used in the future for deleting sensitive files or causing collateral damage.
Editorial on CosmicEnergy
CosmicEnergy is a new piece of malware that does not appear to pose an immediate threat. Even so, it is important to analyze its capabilities and potential impact on critical infrastructure. Previous widespread cyberattacks such as NotPetya, which initially appeared to be a ransomware attack but ultimately caused widespread destruction, show the potential danger of attacks on critical infrastructure. The destruction caused by such attacks can have catastrophic consequences, risking human lives and causing significant financial losses.
Advice to Prevent Cyberattacks on Critical Infrastructure
To avoid the catastrophic damage that attacks on critical infrastructure can cause, companies need to invest in robust cybersecurity measures that combine technical controls, such as firewalls and intrusion detection systems, with human and administrative controls, such as security awareness training and policies. Critical infrastructure must be separated from the public internet and heavily protected by firewalls and intrusion detection and prevention systems.
Furthermore, companies must be proactive in network defense and conduct regular security assessments to identify vulnerabilities and reduce the attack surface. Penetration testing must also be prioritized to identify weaknesses in critical infrastructure systems, which can be exploited by malicious actors.
In conclusion, the threat is real, and it is critical that companies take the necessary precautions to secure their networks and defend against potential cyberattacks on critical infrastructure. Those responsible for critical infrastructure must ensure that their facilities are protected with robust cybersecurity measures and maintain regular security assessments to stay ahead of potential cyber threats.