A rare form of malicious software designed to infiltrate and disrupt critical systems that run industrial facilities such as power plants has been uncovered and linked to a Russian telecom firm, according to a report released Thursday from the cybersecurity firm Mandiant.
The discovery of the malware dubbed “CosmicEnergy” is somewhat unusual: it was uploaded to VirusTotal — a Google-owned service that scans URLs and files for malware — in December 2021 by a user with a Russian IP address, and it was found through threat hunting rather than in the aftermath of an attack on a critical infrastructure system.
Whatever the motivation for developing it and uploading the code to VirusTotal, CosmicEnergy joins a highly specialized group of malware such as Stuxnet, Industroyer and Trisis that are purpose-built for industrial systems. Furthermore, the discovery adds another layer of concern for critical infrastructure operators and organizations that are increasingly targeted by criminal and nation-backed hackers.
Researchers at Mandiant, which is part of Google Cloud, noted that it’s highly unusual for this type of code to be discovered or even disclosed to the public. Yet it’s not clear whether the malware was intended for use in a cyberattack or whether it was developed for internal red-teaming exercises before the code was released into the wild.
According to Mandiant, there are indications that the malware was developed by Rostelecom-Solar, the cyber arm of the major Russian telecom firm. A comment found within the code noted that it was for “Solar Polygon,” a string that matched only a Russian government project for an electric power disruption and emergency response exercise and cybersecurity training. Polygon is a term frequently used in Russia to mean a cyber test bed or a proving ground of sorts, Mandiant noted.
CosmicEnergy also has similarities to another recently revealed industrial-focused malware: Industroyer, also known as CrashOverride.V2. Industroyer.V2 — a variant of the malware Russia deployed to turn off the lights during the 2016 Ukrainian winter — was used last year during the early days of the Russian invasion of Ukraine.
The CosmicEnergy malware itself is actually surprisingly simple, said Daniel Zafra, a Mandiant analyst. For one, it is written in Python, an easy-to-learn, developer-friendly, yet powerful language that has been found in other industrial malware.
Within CosmicEnergy, there are two tools that could be used to carry out attacks: PieHop and Lightwork. PieHop is a Python script that connects to a remote MSSQL server, and Lightwork is a tool written in C++ that sends an “on” or “off” command to a remote terminal unit (RTU). RTUs are commonly used in industrial environments and could be used to control something such as a circuit breaker or a power line switch.
“By getting access to the RTU and being able to send the commands, they can just instruct the system to turn on and off,” Zafra said. “The trick is that they’re doing it in an unexpected way.”
However, there don’t appear to be any intrusion capabilities in the malware, so any malicious hackers attempting to use it would still have to find the IP address and credentials of the targeted server, as well as the IP address of the device speaking the IEC-104 protocol, which is used to send requests for controlling power transmission in grids. For industrial hackers, IEC-104 is a familiar protocol: it was targeted in both Industroyer and Industroyer.V2, with V2 targeting only that specific protocol.
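Because the operational effect described above comes down to ordinary IEC-104 control commands reaching an RTU, one of the more useful things an operator can do is watch for such commands coming from hosts that are not the approved control masters. The following is an added illustration, not code from the Mandiant report or from CosmicEnergy itself: it parses IEC 60870-5-104 frames (start byte, APCI, ASDU), picks out single and double commands (type IDs 45 and 46) sent with the “activation” cause of transmission, and flags any that originate from an address outside an allow-list. The packet bytes, IP addresses and the allow-list are constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# IEC 60870-5-104 type identifications for process control commands
C_SC_NA_1 = 45          # single command: one bit, off/on
C_DC_NA_1 = 46          # double command: two bits, off/on plus "not permitted" states
COT_ACTIVATION = 6      # cause of transmission: the master asks the RTU to act


@dataclass
class ControlCommand:
    type_id: int
    cot: int
    common_address: int
    ioa: int            # information object address: which breaker or switch
    state: str          # "on", "off" or "invalid"


def parse_apdu(apdu: bytes) -> Optional[ControlCommand]:
    """Return the control command carried by an I-format APDU.

    Returns None for S/U-format frames (no ASDU), for ASDUs that are not
    single/double commands, and for malformed input.
    """
    if len(apdu) < 6 or apdu[0] != 0x68:
        return None
    if apdu[1] != len(apdu) - 2:        # length field covers APCI (4) + ASDU
        return None
    if apdu[2] & 0x01:                  # bit 0 set: S-format (01) or U-format (11)
        return None
    asdu = apdu[6:]
    if len(asdu) < 6 + 3 + 1:           # header (6) + 3-byte IOA + one element
        return None
    type_id = asdu[0]
    if type_id not in (C_SC_NA_1, C_DC_NA_1):
        return None
    cot = asdu[2] & 0x3F                # low 6 bits; bit 6 = P/N, bit 7 = test
    common_address = asdu[4] | (asdu[5] << 8)
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    qualifier = asdu[9]
    if type_id == C_SC_NA_1:
        state = "on" if qualifier & 0x01 else "off"   # SCS is bit 0
    else:
        dcs = qualifier & 0x03          # DCS: 1 = off, 2 = on, 0/3 = not permitted
        state = {1: "off", 2: "on"}.get(dcs, "invalid")
    return ControlCommand(type_id, cot, common_address, ioa, state)


def find_rogue_commands(flows: Iterable[Tuple[str, str, bytes]],
                        allowed_masters: Set[str]) -> List[dict]:
    """Flag activation commands whose source is not an approved master.

    Activation confirmations (COT 7) travel RTU -> master and are replies,
    so only COT 6 counts as an attempt to operate equipment.
    """
    alerts = []
    for src, dst, apdu in flows:
        cmd = parse_apdu(apdu)
        if cmd is None or cmd.cot != COT_ACTIVATION or src in allowed_masters:
            continue
        alerts.append({"src": src, "dst": dst, "type_id": cmd.type_id,
                       "ioa": cmd.ioa, "state": cmd.state})
    return alerts


# Constructed sample traffic (not captured from any real network).
ALLOWED_MASTERS = {"10.0.0.5"}
SAMPLE_FLOWS = [
    # approved master: single command ON to IOA 4096, common address 1
    ("10.0.0.5", "10.0.1.20", bytes.fromhex("680e000000002d010600010000100001")),
    # unknown host: double command OFF to IOA 4097
    ("10.0.0.99", "10.0.1.20", bytes.fromhex("680e020000002e010600010001100001")),
    # unknown host: U-format TESTFR keepalive, carries no ASDU
    ("10.0.0.99", "10.0.1.20", bytes.fromhex("680443000000")),
    # RTU replying with activation confirmation (COT 7): not an issued command
    ("10.0.1.20", "10.0.0.5", bytes.fromhex("680e000002002d010700010000100001")),
]

if __name__ == "__main__":
    for alert in find_rogue_commands(SAMPLE_FLOWS, ALLOWED_MASTERS):
        print("rogue IEC-104 command:", alert)
```

The parser deliberately stops at the first information object: a single rogue activation is already worth an alert, and ASDUs with the sequence bit set or multiple objects can be handled the same way by walking further elements. In a real deployment the flows would come from a span port or a packet capture rather than from the embedded list.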
The fact that CosmicEnergy can target a widely used protocol and not a specific proprietary product is also a somewhat new trend in industrial-specific malware that gives additional flexibility. Other types of malware such as the code used in the Triton incident in 2017 targeted the safety devices on Schneider Electric products at a Saudi Arabia oil refinery.
While it appears likely that Rostelecom-Solar developed the malware, Mandiant said that it’s possible it was created for something other than a grid security exercise. However, this kind of custom-built software to test an organization’s defenses is somewhat common. A leak of more than 5,000 documents in March from a Russian IT contractor named NTC Vulkan highlights Russian interest in implementing an operational technology test bed environment for rail and pipeline control systems.
Regardless of whether Rostelecom-Solar built the software themselves for red-teaming or hackers pieced it together on their own, it’s “not something we see every day,” said Zafra. And it could signal that developers are growing increasingly savvy when it comes to creating code that’s purpose-built to take down the most critical systems.
Correction May 25, 2023: This article has been updated to correct the name of the PieHop script.