On May 25, cybersecurity firm Mandiant released a report detailing the discovery of a rare piece of malware, dubbed “CosmicEnergy,” designed to disrupt the industrial control systems that run facilities such as power plants and substations. The malware appears to have been developed by Rostelecom-Solar, the cybersecurity arm of the major Russian telecom Rostelecom. A comment in the code refers to “Solar Polygon,” a name Mandiant could match only to a Russian government project for electric power disruption and emergency response exercises and cybersecurity training. There is no indication whether it was intended for use in a cyberattack or for an internal red-teaming exercise, but the discovery of CosmicEnergy adds to the concerns of critical infrastructure operators and organizations that face increasingly sophisticated attacks by criminal and nation-backed hackers.
Unraveling CosmicEnergy
CosmicEnergy joins the short list of dangerous malware families, alongside Stuxnet, Industroyer, and Trisis, that are purpose-built to target industrial control systems (ICS). Tooling of this kind is rarely found in the open, so its discovery by Mandiant is unusual in itself. Notably, it was found through threat hunting rather than in the aftermath of an attack on a critical infrastructure system: the sample had been uploaded to VirusTotal, the Google-owned service that scans files and URLs for malware, by a submitter in Russia in December 2021, and there is no evidence it was ever deployed in the wild. While the motivations behind the software are unclear, the Russian submission, together with the “Solar Polygon” comment, points to a Russian connection.
Despite being a specialized tool, CosmicEnergy is not complicated. It consists of two components: PIEHOP, a Python script (Python is an easy-to-learn, developer-friendly yet powerful language that has turned up in other industrial malware), and LIGHTWORK, a tool written in C++. PIEHOP connects to a remote MSSQL server supplied by the operator, uploads files, and issues remote commands toward a remote terminal unit (RTU); LIGHTWORK implements the IEC-104 protocol and is the component that actually sends the “ON” or “OFF” command to the RTU. RTUs are common in industrial environments and can control equipment such as a circuit breaker or a power line switch.
By reaching the RTU and issuing these commands, an attacker can switch the controlled equipment off or on using the same protocol-valid commands a legitimate control center would send, so the RTU has no way to tell them apart. However, the malware has no intrusion or discovery capabilities of its own. Anyone attempting to use it would still need the IP address and credentials of the target MSSQL server as well as the IP address of the IEC-104 device, IEC-104 (IEC 60870-5-104) being the telecontrol protocol through which the RTU accepts the commands and which is widely used to supervise and control power transmission and distribution in grids.
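Because the ON/OFF commands described above must be valid IEC-104 ASDUs, a defender can spot them on the wire without knowing anything about the attacker's tooling. The following Python is an example added to this page, not code from the CosmicEnergy sample or from Mandiant's report: it parses IEC 60870-5-104 APDUs, extracts single and double commands (type IDs 45 and 46 and their time-tagged forms 58 and 59), decodes the ON/OFF state and information object address, and flags activation commands from any host outside an allowlist of SCADA masters. The frames and IP addresses are constructed test data, and the allowlist and the set of type IDs to watch are assumptions to adapt to the site.

```python
"""Parse IEC 60870-5-104 APDUs and flag control commands (the ON/OFF messages
LIGHTWORK-style tooling sends) that come from hosts other than the approved
SCADA master.  Added example for this page; the frames below are constructed
test data, not captures from the CosmicEnergy sample."""
import struct
from dataclasses import dataclass
from typing import Optional

# IEC-104 type identifiers for control (command) ASDUs.  Which of these a given
# site must watch is an assumption; 45 is the plain single command an ON/OFF
# switching tool would use, 46 the double command.
CONTROL_TYPES = {
    45: "C_SC_NA_1",  # single command
    46: "C_DC_NA_1",  # double command
    58: "C_SC_TA_1",  # single command with CP56Time2a time tag
    59: "C_DC_TA_1",  # double command with CP56Time2a time tag
}
COT_ACTIVATION = 6  # cause of transmission: activation (the master asks to act)


@dataclass
class Command:
    type_id: int
    name: str
    common_address: int
    ioa: int          # information object address (which switch/breaker)
    state: str        # "ON", "OFF" or "INVALID"
    select: bool      # True = select phase, False = execute phase
    cot: int


def parse_apdu(frame: bytes) -> Optional[Command]:
    """Return a Command if the frame is an I-format APDU carrying a control ASDU,
    None for S/U frames and monitoring data.  Raises ValueError on bad framing."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    apdu_len = frame[1]
    if apdu_len != len(frame) - 2:
        raise ValueError(f"length field {apdu_len} does not match frame size {len(frame) - 2}")
    # Control field: bit 0 of the first control byte is 0 for I-format; the low
    # two bits are 01 for S-format (sequence ack) and 11 for U-format (STARTDT etc.).
    if frame[2] & 0x01:
        return None
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("I-format APDU too short for an ASDU header")
    # Type ID, VSQ, COT (cause + originator address), common address (LE)
    type_id, vsq, cot_lo, _originator, ca = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in CONTROL_TYPES:
        return None  # M_* monitoring types, interrogation, clock sync, ...
    if vsq & 0x7F != 1:
        raise ValueError("control ASDUs carry exactly one information object")
    body = asdu[6:]
    if len(body) < 4:
        raise ValueError("truncated information object")
    ioa = body[0] | body[1] << 8 | body[2] << 16  # 3-byte little-endian IOA
    qualifier = body[3]
    if type_id in (45, 58):   # SCO: bit 0 = SCS (1 = ON), bit 7 = S/E
        state = "ON" if qualifier & 0x01 else "OFF"
    else:                     # DCO: bits 0-1 = DCS, 1 = OFF, 2 = ON, 0/3 invalid
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    return Command(type_id, CONTROL_TYPES[type_id], ca, ioa, state,
                   select=bool(qualifier & 0x80), cot=cot_lo & 0x3F)


def find_rogue_commands(captures, allowed_masters):
    """captures: iterable of (src_ip, frame) pairs.  Returns (src_ip, Command) for
    every activation control command sent by a host outside allowed_masters."""
    alerts = []
    for src_ip, frame in captures:
        cmd = parse_apdu(frame)
        if cmd is None or cmd.cot != COT_ACTIVATION:
            continue
        if src_ip not in allowed_masters:
            alerts.append((src_ip, cmd))
    return alerts


# Constructed sample traffic (assumed addresses): 10.1.1.10 is the legitimate
# SCADA master, 10.1.1.20 the RTU, 10.1.1.77 an unexpected host issuing commands.
SAMPLE_CAPTURE = [
    ("10.1.1.77", bytes.fromhex("680407000000")),                      # U-frame STARTDT act
    ("10.1.1.10", bytes.fromhex("680E000000002D0106000100E9030001")),  # master: single cmd ON, IOA 1001
    ("10.1.1.20", bytes.fromhex("680E02000000010103000100E9030001")),  # RTU: M_SP_NA_1 spontaneous
    ("10.1.1.77", bytes.fromhex("680E040002002E0106000100D2070001")),  # rogue: double cmd OFF, IOA 2002
    ("10.1.1.77", bytes.fromhex("680E060002002D0106000100E9030080")),  # rogue: single cmd SELECT OFF
    ("10.1.1.10", bytes.fromhex("680401000200")),                      # S-frame ack
]
ALLOWED_MASTERS = {"10.1.1.10"}

if __name__ == "__main__":
    for src, cmd in find_rogue_commands(SAMPLE_CAPTURE, ALLOWED_MASTERS):
        phase = "SELECT" if cmd.select else "EXECUTE"
        print(f"ALERT {src}: {cmd.name} {phase} {cmd.state} CA={cmd.common_address} IOA={cmd.ioa}")
```

Run against the constructed capture, the master's ON command passes and the two commands from 10.1.1.77 are reported. In a real deployment the frames would come from a network tap on the OT segment, and the allowlist should be derived from the site's engineering documentation rather than from observed traffic, since an attacker who already controls the MSSQL host is exactly the "observed" source you want to catch.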
Similarities and Differences of CosmicEnergy with Industroyer and Other Malware
The malware shares some similarities with Industroyer, also known as CrashOverride, the industrial-focused malware used against Ukraine’s grid in 2016; its variant Industroyer.V2 was used last year in the opening months of the Russian invasion of Ukraine. CosmicEnergy is less intricate than Industroyer, yet like Industroyer’s IEC-104 module it targets an open, widely used protocol rather than a specific proprietary product, which gives it additional flexibility. In contrast, malware such as the code used in the Triton incident in 2017 targeted Schneider Electric safety controllers at a Saudi Arabian petrochemical plant.
It appears likely that Rostelecom-Solar developed the malware, but it is not clear whether it was created for red teaming or as an attack tool. A leak in March of more than 5,000 documents from the Russian IT contractor NTC Vulkan highlighted Russian interest in building an operational technology test-bed environment for rail and pipeline control systems. Whether Rostelecom-Solar or any other group created the software for red teaming or for attacks, a tool of this kind is not discovered every day, and its existence shows that developers are becoming more proficient at writing code purpose-built to take down the most critical systems.
Implications for Industrial Control Systems Operators
CosmicEnergy’s discovery adds another layer of concern for critical infrastructure operators and organizations that are increasingly targeted by criminal and nation-backed hackers. ICS environments have come under growing attack, and the financial and physical consequences of a successful intrusion can be catastrophic. In this case the malware’s lack of intrusion capabilities makes an attack harder to mount, since an adversary must first gain access to the MSSQL server and a route to the RTU by other means, but the tooling landscape is evolving rapidly, and CosmicEnergy represents a new tool in attackers’ hands.
Mandiant also noted that it had not previously seen a custom implementation of the MSSQL-based technique that PIEHOP uses. Hence it is essential to underscore the need for security controls, network segmentation between IT and OT, regular security assessments, and threat detection and response operations within ICS networks and systems, including monitoring for IEC-104 control commands that originate from hosts other than the legitimate control center.
Conclusion
The discovery of CosmicEnergy is a sobering reminder of the threat that national governments, cyber-criminals, and other malicious actors pose to industrial systems. It suggests that attacks specifically targeting industrial control systems are evolving, and security teams must prepare for future attacks not just with existing protection methods but also with a deeper understanding of current threat intelligence. As adversaries continue to employ the latest technology and techniques to infiltrate and disrupt industrial systems, the most efficient way to secure ICS systems and networks is to recognize the adversaries’ attack styles and defend against them proactively.